PTS (Penetration Testing Student) is the course for the beginner-level certification eJPT (eLearnSecurity Junior Penetration Tester). PTS is available for free on the INE platform and is designed by instructor Lukasz Mikula. This course is a perfect first option for anyone who wants to start a career in cyber security.
A big shoutout to Josh Mason and Cyber Supply Drop for the exciting #PTSchallenge, which became the driving force to complete the course and share the experience.
I have divided this blog into two parts:
- My experience during the completion of the course
- My learnings and findings (notes) from the course
As I mentioned, this course is for anyone who wants to begin or enhance their learning in the field of security. If I were to suggest material for a beginner friend, PTS would be the one.
PTS is divided into 3 modules:
1. Penetration Testing Pre-requisites:
It gives the learner all the basic knowledge required for penetration testing, covering networking, web applications, cryptography, pentesting methodology and much more. What I feel is that this module is itself a complete bundle of pre-requisites, as it includes literally everything we need to know before getting into penetration testing. Once we complete all the sub-modules, we are good to go for Preliminary Skills and Programming.
Note: My learning and detailed notes are after the experience section.
2. Penetration Testing: Preliminary Skills and Programming:
“A good maker can also be a good breaker”
Knowledge of how the Internet, web applications and networks work isn’t enough on its own to be good at ethical hacking. Beyond how they work, you also need the languages in which applications and networks are built or configured in order to move forward in security. This is where this module plays a crucial role, providing the basics of every frequently used language. It covers C++, Python and the CLI (Bash scripting).
I loved Bash scripting, as it allows me to do literally every task in minimum time, be it a scheduler or automation. Python and C++ are also very powerful when we know how to use them properly. Still, for me Bash scripting will always be at the top.
This course motivated me to build an automation tool for recon, which helps me automate the tasks that come up during recon.
3. Penetration Testing Basics:
Here comes the main stuff, the final stage, which introduces us to the different phases of hacking, the tools and techniques involved in each phase, and even how to prevent the attacks. Still, I felt that some widely used tools like findomain, naabu, haiti and hashcat should also have been introduced.
Note: Every single detail about the tools and technique
It includes 3 black box exercises for practical implementation, which is the most interesting part of this module. If you really want to excel, solving these exercises without taking hints is the best path to go for!!
So, this was all from my experience. All the extra learning apart from the course is also added to my notes. Have a look below!!
Notes/Findings from INE Penetration Testing Student:
Module 1: Penetration Testing Pre-requisites:
In any field, knowing the domain language is essential. It allows you to gain a deeper understanding of the sector and interact more effectively with your coworkers. So, let’s get acquainted with some cybersecurity jargon.
An attack is any kind of action aimed at misusing or taking control over a computer system or application.
A cybersecurity threat is a harmful act aimed at destroying, stealing, or disrupting digital life in general.
Cybersecurity risk refers to the likelihood of your company being exposed to or losing money as a result of a cyber attack or data leak.
White Hat hackers
Individuals who use their powers for good rather than evil. Also known as “ethical hackers,” white hat hackers can be paid employees or contractors working for companies as security specialists who attempt to find vulnerabilities via penetration testing.
Black Hat hackers
Criminals who break into computer networks with malicious intent. They may also release malware that destroys files, holds computers hostage, or steals passwords, credit card numbers, and other personal information.
A network protocol is a set of rules that govern how data is formatted, sent, and received by computer network devices, ranging from servers and routers to endpoints, regardless of their underlying infrastructures, designs, or standards.
Devices on both sides of a communication exchange must accept and follow protocol norms in order to send and receive data correctly.
Without computing protocols, computers and other devices would not know how to engage with each other.
Packets are streams of bits running as electric signals on physical media used for data transmission. Such media can be a wire in a LAN or the air in a WiFi network. These electrical signals are then interpreted as bits (0’s and 1’s) that make up the information.
Packets consist of two parts: the header and the payload.
The header contains information about the packet, such as its origin and destination IP addresses (an IP address is like a computer’s mailing address).
The payload is the actual data or content to be transmitted.
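To make the header/payload split concrete, here is an added Python example (not code from the course or the author) that builds a minimal IPv4 packet, then parses it back into header fields and payload, verifying the header checksum. The addresses and the UDP payload are constructed; the field layout is the standard 20-byte IPv4 header in network byte order.

```python
import struct
from ipaddress import IPv4Address

IPV4_HEADER = "!BBHHHBBH4s4s"   # fixed 20-byte header layout, network byte order


def internet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement sum over 16-bit words (odd length padded with 0)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, payload_len: int,
                      proto: int = 17, ttl: int = 64) -> bytes:
    """Build a minimal 20-byte IPv4 header (no options) with a correct checksum."""
    fields = [0x45, 0, 20 + payload_len, 0x1234, 0, ttl, proto, 0,
              IPv4Address(src).packed, IPv4Address(dst).packed]
    hdr = struct.pack(IPV4_HEADER, *fields)
    fields[7] = internet_checksum(hdr)       # checksum is computed with the field zeroed
    return struct.pack(IPV4_HEADER, *fields)


def parse_ipv4(packet: bytes) -> dict:
    """Split a raw IPv4 packet into header fields and payload, checking lengths and checksum."""
    if len(packet) < 20:
        raise ValueError("truncated packet: fewer than 20 bytes")
    (ver_ihl, tos, total_len, ident, flags_frag, ttl,
     proto, csum, src, dst) = struct.unpack(IPV4_HEADER, packet[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4:
        raise ValueError("not an IPv4 packet (version=%d)" % version)
    if ihl < 20 or ihl > len(packet) or total_len < ihl or total_len > len(packet):
        raise ValueError("inconsistent header/total length")
    return {
        "version": version,
        "header_len": ihl,
        "total_len": total_len,
        "ttl": ttl,
        "protocol": proto,                   # 17 = UDP, 6 = TCP, 1 = ICMP
        "src": str(IPv4Address(src)),
        "dst": str(IPv4Address(dst)),
        "checksum_ok": internet_checksum(packet[:ihl]) == 0,   # a valid header sums to 0
        "payload": packet[ihl:total_len],
    }


# Constructed sample (hypothetical addresses): an 8-byte UDP header plus "hello".
SAMPLE_PAYLOAD = b"\x00\x35\x00\x35\x00\x0d\x00\x00" + b"hello"
SAMPLE_PACKET = build_ipv4_header("10.0.0.1", "10.0.0.2", len(SAMPLE_PAYLOAD)) + SAMPLE_PAYLOAD


def tampered_sample() -> bytes:
    """Same packet with one bit of the source address flipped, as in-transit corruption would do."""
    buf = bytearray(SAMPLE_PACKET)
    buf[15] ^= 0x01          # last byte of the source address (header offsets 12-15)
    return bytes(buf)


if __name__ == "__main__":
    for pkt in (SAMPLE_PACKET, tampered_sample()):
        info = parse_ipv4(pkt)
        print(info["src"], "->", info["dst"], "proto", info["protocol"],
              "checksum_ok", info["checksum_ok"], "payload", info["payload"])
```

The length checks matter as much as the checksum: a parser that trusts the total length field on a short buffer reads past the packet, which is the classic source of crashes in packet-handling code.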
An IP address is a unique address that identifies a device on the internet or a local network. IP stands for “Internet Protocol,” the set of rules governing the format of data sent via the internet or a local network.
An IPv6 address consists of 16-bit hexadecimal groups separated by colons (:). Hexadecimal digits are case insensitive. Leading zeros in a group can be omitted, and one run of consecutive all-zero groups can be written as ::.
The size of the address is the fundamental difference between IPv4 and IPv6: IPv4 addresses are 32 bits long, while IPv6 addresses are 128 bits long. Compared to IPv4, IPv6 has a larger address space and a simpler header.
A router is a networking device that forwards data packets between computer networks. Routers perform the traffic directing functions on the Internet.
A routing protocol specifies how routers communicate with each other to distribute information that enables them to select routes between nodes on a computer network.
A routing table is a data table stored in a router or a network host that lists the routes to particular network destinations and, in some cases, metrics (distances) associated with those routes. The routing table contains information about the topology of the network immediately around it.
Link Layer Devices
Hubs and switches are local network devices that forward frames (layer 2 packets). They work with MAC addresses, which are link-layer network addresses.
MAC (Media Access Control) addresses are 48 bits (6 bytes) long and are written in hexadecimal format (HEX), e.g. 00:11:AA:22:EE:FF. It’s also known as the machine’s physical address.
IP addresses are used to identify a host in a network’s Layer 3 (Network layer) addressing scheme, whereas MAC addresses are used to uniquely identify a network card (Layer 2).
TCP & IP Protocols
Transmission Control Protocol (TCP) is connection-oriented, meaning once a connection has been established, data can be transmitted in both directions. TCP has built-in mechanisms to check for errors and to guarantee data will be delivered in the order it was sent, making it the right protocol for transferring information like still images, data files, and web pages.
User Datagram Protocol (UDP) is a simpler, connectionless Internet protocol used where error-checking and recovery services are not required.
Difference between TCP and UDP
TCP is a connection-oriented protocol, whereas UDP is a connectionless protocol. A key difference between TCP and UDP is speed, as TCP is comparatively slower than UDP. Overall, UDP is a much faster, simpler and more efficient protocol; however, retransmission of lost data packets is only possible with TCP.
A port is a number used to uniquely identify a transaction over a network by specifying both the host and the service; it is also known as a communication endpoint.
Well-known Ports generally used:
SSH — 22
Telnet — 23
SMTP — 25
HTTP — 80
HTTPS — 443
Firewall, Defense and DNS:
A Firewall is a network security device that monitors and filters incoming and outgoing network traffic based on an organization’s previously established security policies.
The packet filter inspects the header of every packet to decide how to treat it. The most common actions are:
Allow: let the packet pass
Drop: discard the packet silently
Deny: do not let the packet pass, but notify the source host.
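The three actions only make sense together with rule order and a default action, so here is an added Python example (not code from the course or the author) of a small stateless packet filter: rules match on source/destination CIDR, protocol and destination port, the first match wins, and anything unmatched gets the default. The policy, host addresses and packets are constructed for a hypothetical web server and admin LAN.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """Just the header fields a stateless packet filter looks at."""
    src: str
    dst: str
    proto: str                 # "tcp", "udp" or "icmp"
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                # "allow", "drop" or "deny"
    src: str = "0.0.0.0/0"     # CIDR; the default matches any IPv4 source
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True


class PacketFilter:
    """First matching rule wins; packets matching no rule get the default action."""

    def __init__(self, rules: List[Rule], default: str = "drop"):
        self.rules = list(rules)
        self.default = default

    @staticmethod
    def apply(action: str) -> Tuple[str, Optional[str]]:
        """Map an action to (verdict, reply sent back to the source host, if any)."""
        if action == "allow":
            return "allow", None                  # forward the packet
        if action == "drop":
            return "drop", None                   # discard silently
        if action == "deny":
            return "deny", "icmp-unreachable"     # discard, but tell the sender
        raise ValueError("unknown action %r" % action)

    def decide(self, pkt: Packet) -> Tuple[str, Optional[str]]:
        for rule in self.rules:
            if rule.matches(pkt):
                return self.apply(rule.action)
        return self.apply(self.default)


# Constructed policy: a hypothetical web server 10.0.0.10 and an admin LAN 10.0.1.0/24.
POLICY = PacketFilter([
    Rule("allow", dst="10.0.0.10/32", proto="tcp", dport=443),                      # public HTTPS
    Rule("allow", src="10.0.1.0/24", dst="10.0.0.10/32", proto="tcp", dport=22),    # SSH from admins
    Rule("deny", dst="10.0.0.10/32", proto="tcp", dport=22),                        # SSH from elsewhere
], default="drop")                                                                   # everything else


def evaluate(policy: PacketFilter, packets: List[Packet]) -> List[str]:
    """Verdict per packet, in order."""
    return [policy.decide(p)[0] for p in packets]


SAMPLE_PACKETS = [
    Packet("203.0.113.5", "10.0.0.10", "tcp", 443),   # internet client -> HTTPS
    Packet("203.0.113.5", "10.0.0.10", "tcp", 22),    # internet client -> SSH
    Packet("10.0.1.7", "10.0.0.10", "tcp", 22),       # admin -> SSH
    Packet("203.0.113.5", "10.0.0.10", "udp", 53),    # matches no rule
]

if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_PACKETS, evaluate(POLICY, SAMPLE_PACKETS)):
        print(pkt.src, "->", pkt.dst, pkt.proto, pkt.dport, "=>", verdict)
```

Two design points are worth noticing: the default is drop, so a forgotten rule fails closed; and rule order is part of the policy, since swapping the two SSH rules would cut the admins off too.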
The Domain Name System (DNS) is the database of the Internet. Humans access information online through domain names, like gov.in or tesla.com, as remembering websites by IP address is difficult. Web browsers interact through Internet Protocol (IP) addresses. DNS translates domain names to IP addresses so browsers can load Internet resources.
Web Applications are applications running on web servers and accessible via web browsers.
Hypertext Transfer Protocol
HTTP is the most used application protocol on the internet. It is the client-server protocol used to transfer web pages and web application data throughout the internet.
HTTPS uses TLS (SSL) to encrypt normal HTTP requests and responses. As a result, HTTPS is far more secure than HTTP.
Commonly used HTTP Methods:
Most common Response Status codes:
200 — Success response
300 — Redirect response
400 — Client side error
500 — Server Side Error
Lifecycle of a Penetration Test
➡ Information Gathering
➡ Footprinting and Scanning
➡ Vulnerability Assessment
Module 3: Penetration Testing Basics
OSINT is a way of gathering intelligence that involves collecting and analysing publicly available data and information for investigation objectives.
Exploiting information available on social networks, public sites, and the company website can help you obtain insight about a firm more efficiently.
Let’s check out some of the tools that are useful for OSINT!
Security Trails — It’s a database where you can find detailed information about founders, investors, employees, buyouts, and acquisitions.
Whois — It is a query and response protocol that is widely used for querying databases that store the registered users or assignees of an Internet resource.
Extensions like Wappalyzer, Cookie Editor, Firebug and many more help identify the technologies used by the server.
Sub-domain enumeration is the process of finding sub-domains for one or more domain(s). It’s an essential part of the reconnaissance phase.
You can use the following tools to perform subdomain enumeration.
After collecting information about the target organisation during the information gathering stage, a penetration tester moves on to fingerprinting and enumerating the nodes running on the client’s network; this is the infrastructure part of information gathering.
Footprinting is about collecting all available information about a computer system or network in order to gain access to it.
Types of footprinting:
Active Footprinting is the process of using tools and techniques, such as performing a ping sweep or using the traceroute command, to gather information on a target. Active Footprinting can trigger a target’s Intrusion Detection System (IDS) and may be logged, and thus requires a level of stealth to do successfully.
Passive Footprinting is the process of gathering information on a target by innocuous, or, passive, means. Browsing the target’s website, visiting social media profiles of employees, searching for the website on WHOIS, and performing a Google search of the target are all ways of passive Footprinting.
OS fingerprinting is the process of determining the OS used by a host on a network.
Port scanning is a method of determining which ports on a network are open and could be receiving or sending data.
Nmap is a free and open-source application used by system administrators and network engineers for security auditing on local and remote networks.
Nmap Scan Types
The most used scan types are:
-sn performs a Ping Sweep
-sT performs a TCP connect scan
-sS performs a SYN scan
-sV performs a version detection scan
-sX performs an XMAS scan
Naabu is another port-scanning tool; it gives much faster results than nmap, though it doesn’t have all of nmap’s functionality.
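A scan is only useful once its output is turned into something you can act on, so here is an added Python example (not code from the course or the author) that parses nmap’s grepable output (-oG), lists the open ports per host, and flags ports that an approved baseline does not list. The scan excerpt, hosts, versions and baseline are all constructed; the seven slash-separated fields per port entry follow the -oG layout.

```python
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed excerpt of nmap "grepable" output (-oG); hosts and versions are hypothetical.
# Each port entry is port/state/protocol/owner/service/rpcinfo/version/ and entries are comma-separated.
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated Mon Jan  1 10:00:00 2024 as: nmap -sV -oG - 10.0.0.0/29
Host: 10.0.0.5 ()\tStatus: Up
Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.2p1/, 80/open/tcp//http//Apache httpd 2.4.41/, 443/closed/tcp//https///\tIgnored State: filtered (997)
Host: 10.0.0.6 ()\tStatus: Up
Host: 10.0.0.6 ()\tPorts: 3389/open/tcp//ms-wbt-server//Microsoft Terminal Services/, 445/open/tcp//microsoft-ds///\tIgnored State: closed (998)
# Nmap done at Mon Jan  1 10:00:12 2024 -- 8 IP addresses (2 hosts up) scanned in 12.34 seconds
"""

FIELDS = ("port", "state", "proto", "owner", "service", "rpcinfo", "version")


def parse_gnmap(text: str) -> Dict[str, List[dict]]:
    """Map each scanned host to the list of port records nmap reported for it."""
    hosts: Dict[str, List[dict]] = defaultdict(list)
    for line in text.splitlines():
        if not line.startswith("Host: "):
            continue                                   # comment and blank lines
        sections = line.split("\t")
        ip = sections[0].split()[1]
        hosts.setdefault(ip, [])                       # keep hosts that are up but list no ports
        for section in sections[1:]:
            if not section.startswith("Ports: "):
                continue
            for entry in section[len("Ports: "):].split(", "):
                parts = entry.split("/")
                if len(parts) < len(FIELDS):
                    continue                           # malformed entry: skip rather than guess
                record = dict(zip(FIELDS, parts))
                record["port"] = int(record["port"])
                hosts[ip].append(record)
    return dict(hosts)


def open_ports(scan: Dict[str, List[dict]], host: str) -> List[Tuple[int, str]]:
    """(port, protocol) pairs reported open on one host, sorted."""
    return sorted((r["port"], r["proto"]) for r in scan.get(host, []) if r["state"] == "open")


def unexpected_open_ports(scan: Dict[str, List[dict]],
                          baseline: Dict[str, Set[Tuple[int, str]]]) -> Dict[str, List[Tuple[int, str]]]:
    """Open ports the baseline does not list, per host: the drift a scheduled scan should flag."""
    drift = {}
    for host in scan:
        extra = [(port, proto) for port, proto in open_ports(scan, host)
                 if (port, proto) not in baseline.get(host, set())]
        if extra:
            drift[host] = extra
    return drift


# Constructed approved baseline for the two hosts above.
BASELINE = {
    "10.0.0.5": {(22, "tcp"), (80, "tcp")},
    "10.0.0.6": {(445, "tcp")},
}

if __name__ == "__main__":
    scan = parse_gnmap(SAMPLE_GNMAP)
    for host in sorted(scan):
        print(host, "open:", open_ports(scan, host))
    print("not in baseline:", unexpected_open_ports(scan, BASELINE))
```

Run this way, the same scan a pentester uses for footprinting doubles as a defender’s change detector: an RDP port appearing on a host that is only supposed to serve SMB is the kind of finding that deserves a ticket before an attacker finds it.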
The process of defining, identifying, classifying, and prioritising vulnerabilities in computer systems, applications, and network infrastructures is known as vulnerability assessment.
Without a vulnerability scanner, it would be impossible for a pentester to check one or more systems for all known vulnerabilities.
A vulnerability scanner is a computer program designed to assess computers, networks, or applications for known weaknesses.
You can use the following vulnerability scanners:
Open Audit is an open source vulnerability scanner which comes useful in many other cases.
Cross-site scripting (XSS): An attacker injects malicious script code into your website, which can subsequently be used to steal data or cause other problems. Despite its simplicity, this tactic is still widely used and has the potential to cause significant damage.
SQL Injection (SQLi): SQL injection is a web security vulnerability that allows an attacker to interfere with the queries that an application makes to its database.
Path traversal: A path traversal attack (also known as directory traversal) aims to access files and directories that are stored outside the web root folder.
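Each of the three issues above comes down to one coding mistake with one standard fix, so here is an added Python example (not code from the course or the author) showing the vulnerable form of each beside its hardened form: string-built SQL versus a parameterised query, a naive path join versus confinement to the web root, and raw reflection versus HTML escaping. The database rows, the directory layout and the inputs are constructed inside the block.

```python
import html
import os
import sqlite3
import tempfile
from pathlib import Path


# --- SQL injection: string-built query vs parameterised query ---------------
def make_db() -> sqlite3.Connection:
    """Constructed in-memory table with two hypothetical accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    # Untrusted input is pasted into the SQL text, so a quote in the input
    # changes the query's structure instead of being compared as data.
    query = "SELECT name FROM users WHERE name = '%s'" % name
    return [row[0] for row in conn.execute(query)]


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    # Placeholder binding: the driver passes the value separately from the SQL,
    # so it can only ever be compared, never parsed.
    return [row[0] for row in conn.execute(
        "SELECT name FROM users WHERE name = ?", (name,))]


# --- Path traversal: joining user input vs confining it to the web root ------
def make_webroot() -> Path:
    """Constructed layout: <tmp>/webroot/index.html and <tmp>/secret.txt outside it."""
    base = Path(tempfile.mkdtemp())
    (base / "webroot").mkdir()
    (base / "webroot" / "index.html").write_text("<h1>home</h1>")
    (base / "secret.txt").write_text("not for the web")
    return base / "webroot"


def read_vulnerable(root: Path, requested: str) -> str:
    # os.path.join follows "../" without complaint, so the request can leave the root.
    return open(os.path.join(root, requested)).read()


def read_safe(root: Path, requested: str) -> str:
    root = root.resolve()
    target = (root / requested).resolve()          # collapses "..", follows symlinks
    if target != root and root not in target.parents:
        raise PermissionError("request escapes the web root: %r" % requested)
    return target.read_text()


# --- XSS: reflecting input raw vs HTML-escaping it ---------------------------
def render_vulnerable(name: str) -> str:
    return "<p>Hello, %s</p>" % name               # markup in `name` becomes live HTML


def render_safe(name: str) -> str:
    return "<p>Hello, %s</p>" % html.escape(name, quote=True)   # rendered as text


if __name__ == "__main__":
    db, root = make_db(), make_webroot()
    print(lookup_vulnerable(db, "x' OR '1'='1"), lookup_safe(db, "x' OR '1'='1"))
    print(read_vulnerable(root, "../secret.txt"))
    try:
        read_safe(root, "../secret.txt")
    except PermissionError as err:
        print("blocked:", err)
    print(render_vulnerable("<b>x</b>"), render_safe("<b>x</b>"))
```

The hardened forms share one idea: keep untrusted input as data (a bound parameter, a resolved path checked against its root, escaped text) rather than letting it become part of a query, a filesystem path or a page.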
Distributed Denial of Service (DDoS) attacks: A distributed denial-of-service (DDoS) attack is a malicious attempt to disrupt the normal traffic of a targeted server, service or network by overwhelming the target or its surrounding infrastructure with a flood of Internet traffic.
Malware is a file or code, typically delivered over a network, that infects, explores, steals or conducts virtually any behavior an attacker wants.
Types of Malware:
Rootkits, Trojans, Adware, Spyware, Bots, Worms, etc.
When penetration testers need to access a network service, they can try to obtain valid credentials using brute force attacks, MITM, ARP spoofing, etc.
Brute force attack: “An attack in which attackers use automated software to test vast quantities of possible combinations in order to decode passwords, personal identification numbers (PINs), and other types of login data.”
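Brute forcing leaves a very recognisable trace in authentication logs, so here is an added Python example (not code from the course or the author) of the detection side: a sliding-window count of failed SSH logins per source address that raises an alert once a threshold is reached within the window. The log excerpt, hostname and addresses are constructed; the line layout follows the usual syslog format for OpenSSH, and the year is assumed since syslog timestamps carry none.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Dict

# Constructed sshd log excerpt (hypothetical host "bastion" and addresses).
SAMPLE_LOG = """\
Jan 10 10:00:01 bastion sshd[2101]: Failed password for invalid user admin from 203.0.113.9 port 50211 ssh2
Jan 10 10:00:02 bastion sshd[2103]: Failed password for invalid user admin from 203.0.113.9 port 50212 ssh2
Jan 10 10:00:02 bastion sshd[2105]: Failed password for root from 203.0.113.9 port 50213 ssh2
Jan 10 10:00:03 bastion sshd[2107]: Failed password for invalid user test from 203.0.113.9 port 50214 ssh2
Jan 10 10:00:04 bastion sshd[2109]: Failed password for root from 203.0.113.9 port 50215 ssh2
Jan 10 10:00:05 bastion sshd[2111]: Failed password for root from 203.0.113.9 port 50216 ssh2
Jan 10 10:00:30 bastion sshd[2120]: Failed password for alice from 10.0.1.7 port 41000 ssh2
Jan 10 10:01:15 bastion sshd[2122]: Accepted password for alice from 10.0.1.7 port 41001 ssh2
Jan 10 10:05:00 bastion sshd[2140]: Failed password for alice from 10.0.1.7 port 41002 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\d+(?:\.\d+){3})"
)


def parse_ts(text: str, year: int = 2024) -> datetime:
    """Syslog timestamps carry no year; the log's year is assumed (2024 here)."""
    return datetime.strptime("%d %s" % (year, text), "%Y %b %d %H:%M:%S")


def detect_bruteforce(log_text: str, threshold: int = 5,
                      window_seconds: int = 60) -> Dict[str, dict]:
    """Sliding-window count of failed logins per source IP.

    An IP is reported the first time it reaches `threshold` failures inside any
    `window_seconds` span; the report carries the users it tried in that window."""
    recent = defaultdict(deque)           # ip -> (timestamp, user) pairs inside the window
    alerts: Dict[str, dict] = {}
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue                      # not a failure line (e.g. "Accepted password")
        ip, ts = m["ip"], parse_ts(m["ts"])
        window = recent[ip]
        window.append((ts, m["user"]))
        while window and (ts - window[0][0]).total_seconds() > window_seconds:
            window.popleft()              # expire entries older than the window
        if len(window) >= threshold and ip not in alerts:
            alerts[ip] = {
                "first_seen": window[0][0],
                "count": len(window),
                "users": sorted({user for _, user in window}),
            }
    return alerts


if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_LOG).items():
        print("%s: %d failures since %s, users tried: %s"
              % (ip, info["count"], info["first_seen"].time(), ", ".join(info["users"])))
```

The window is what separates an attack from a user who mistypes a password twice ten minutes apart; the threshold and window are the knobs you tune against your own logs before wiring the alert to a lockout or a firewall rule.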
ARP Poisoning (also known as ARP Spoofing) is a type of LAN-based cyber attack that involves sending malicious ARP packets to a LAN’s default gateway in order to change the pairings in the IP-to-MAC address table.
IP addresses are resolved to MAC addresses via the ARP protocol. Because ARP was designed for efficiency rather than security, ARP Poisoning attacks are simple to carry out as long as the attacker controls or is directly connected to a machine on the target LAN.
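Because ARP has no authentication, the practical defence is to watch for the change it causes: the same IP suddenly answering from a different MAC. Here is an added Python example (not code from the course or the author) of that detector, in the spirit of tools like arpwatch: it keeps the last MAC seen per IP, alerts on a flip, pins known devices such as the gateway to a static binding, and reports which IPs a single MAC has claimed. The captured replies, LAN addresses and MACs are constructed.

```python
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional


class ArpReply(NamedTuple):
    """The fields of an ARP reply that matter for detection."""
    seq: int          # observation order (a sniffer would use a timestamp)
    sender_ip: str
    sender_mac: str


class ArpWatcher:
    """Track the MAC last seen for each IP and alert when it changes, which is the
    footprint ARP poisoning leaves on the wire. A NIC swap looks the same, so known
    devices such as the gateway are pinned with a static binding."""

    def __init__(self, static_bindings: Optional[Dict[str, str]] = None):
        self.table: Dict[str, str] = {}                        # ip -> last mac seen
        self.static = {ip: mac.lower() for ip, mac in (static_bindings or {}).items()}
        self.claims: Dict[str, set] = defaultdict(set)         # mac -> ips it has claimed
        self.alerts: List[dict] = []

    def observe(self, reply: ArpReply) -> List[dict]:
        """Feed one reply; return the alerts it raised (possibly none)."""
        ip, mac = reply.sender_ip, reply.sender_mac.lower()
        raised = []
        if ip in self.static and mac != self.static[ip]:
            raised.append({"kind": "static-binding-violation", "ip": ip,
                           "expected": self.static[ip], "seen": mac, "seq": reply.seq})
        previous = self.table.get(ip)
        if previous is not None and previous != mac:
            raised.append({"kind": "ip-mac-flip", "ip": ip,
                           "old": previous, "new": mac, "seq": reply.seq})
        self.table[ip] = mac
        self.claims[mac].add(ip)
        self.alerts.extend(raised)
        return raised

    def ips_claimed_by(self, mac: str) -> List[str]:
        """One MAC answering for several IPs is worth a look (gateway plus victim is the classic pair)."""
        return sorted(self.claims[mac.lower()])


# Constructed capture (hypothetical LAN): gateway and one host answer normally,
# then a third MAC starts answering for both of them.
GATEWAY_IP, GATEWAY_MAC = "10.0.0.1", "aa:bb:cc:00:00:01"
SAMPLE_REPLIES = [
    ArpReply(1, GATEWAY_IP, GATEWAY_MAC),
    ArpReply(2, "10.0.0.20", "aa:bb:cc:00:00:20"),
    ArpReply(3, GATEWAY_IP, GATEWAY_MAC),                 # repeat: no change, no alert
    ArpReply(4, GATEWAY_IP, "DE:AD:BE:EF:00:99"),         # another MAC claims the gateway
    ArpReply(5, "10.0.0.20", "de:ad:be:ef:00:99"),        # ... and the host
]


def run_watcher(replies: List[ArpReply]) -> ArpWatcher:
    watcher = ArpWatcher(static_bindings={GATEWAY_IP: GATEWAY_MAC})
    for reply in replies:
        watcher.observe(reply)
    return watcher


if __name__ == "__main__":
    w = run_watcher(SAMPLE_REPLIES)
    for alert in w.alerts:
        print(alert)
    print("de:ad:be:ef:00:99 answered for", w.ips_claimed_by("de:ad:be:ef:00:99"))
```

MACs are normalised to lowercase before comparison so that a mixed-case reply cannot slip past the static binding; the static table is the part worth maintaining, since it turns a noisy "something changed" into a definite "the gateway is being impersonated".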
Man-in-the-middle (MITM): Malicious actors intercept communication sent between networks and external data sources, or within a network. In most cases, attackers exploit weak security protocols to carry out man-in-the-middle attacks, which allow them to act as a relay or proxy in real-time transactions and modify data.
Session hijacking, also known as TCP session hijacking, is a way of secretly getting the session ID and impersonating the authorised user to take control of an online user session. Once the attacker knows the user’s session ID, he or she can impersonate that user and perform anything the user is authorised to do on the network.
Unauthorized access is a term used to describe network attacks in which malicious parties gain access to company assets without first obtaining permission. Weak account password protection, unprotected networks, insider threats abusing role privileges, and the exploitation of inactive roles with administrator rights can all lead to such incidents.
Hope you like the notes!! Happy Hacking