Pentesting

417 readers
1 users here now

Discussion of information technology security topics with a focus on penetration testing.

Please be civil and do not spam.

founded 1 year ago
MODERATORS
1
 
 

I am preparing for a little presentation on Wifi security / dangers of public networks to a non technical audience and wanted to do a demonstration to make things a little more visual. My idea is to use a tool I had years ago which would look for network packets containing image data and would compile them as they get transmitted. And with this tool active I would ask someone in the audience to navigate to a non https website and then see the images on my PC/projector. It's a small crowd of elderly people, so the risk of catching something inappropriate should be small. :-)

But, I can't remember what the tool was called and my search attempts didn't reveal anything. Anyone got an idea?

Or maybe an idea for an even better demo?

2
 
 

Hello,

Recently got a flipper zero. Any advice on how I should use it to test my local network?

3
4
 
 

[Note: The content of this post has been copied from /r/Pentesting in case users wish to continue the discussion during the reddit API price gouging blackout]

Original

Responder and NTLMRelayx

/u/ j_relic

I’m practicing pentesting using Responder. I’ve watched a few videos on YouTube, but I’m having issues. My setup: Windows Server 2019 VM, Windows 10 VM, and the latest Kali. I used a video to create the vulnerable Active Directory Environment (YouTube, the Cyber Mentor). Responder version 3.1.3.0.

I’ve been unable to capture hashes using LLMNR poisoning. Responder doesn’t send the LLMNR poisoned answer. In fact, the only answer it sends is MDNS.

I’ve also been unable to capture hashes using SMB Relay Attacks (with Responder and ntlmrelayx). According to the video I used, I ran nmap to determine the smb version I have for Windows Server 2019. I have smb3 (3.1.1), and “message signing enabled but not required.”

I made sure to modify any configurations within the Responder.conf file (according to the videos) as needed. Am I having these issues because SMB is version 3, and not 2 like in the videos? The videos are a few years old.

Any help is appreciated. Thanks. I would like to exploit these types of issues within my homelab setup.

/u/Danti1988

In your training environment, you don’t mention how you are generating traffic for responder to respond to. Set a scheduled task to map a network share that has an incorrect host name, dns will fail and fall back to netbios / llmnr and you will get a hash.

/u/ j_relic

Hi sorry about that—according to the video, I tried entering an incorrect share. For example, I typed //kl as the share and hit enter. Unfortunately, I didn’t get the same results as the video. In the video, the hashes are captured immediately. But for me, nothing. Instead, Edge opens up on the VM in an attempt to open the page as a web address that ultimately fails.

/u/Danti1988

Open run or file explorer and type //kl/blah. Also make sure responder is listening on the correct interface and both nics are on the same interface for the vms

/u/ j_relic

Unfortunately, same problem. The LLMNR poison isn’t sent, only MDNS. Responder sees the attempt, but nothing else further. I’ve verified that the interface is correct, and the VMs are on the same interface (for their respective nics). All poisoners are set to “On.”

/u/kaltec

Is the vm network adapter set to bridged mode? Kinda sounds like it might be in NAT

/u/Danti1988

If you type in //kaliIP/ are you seeing the hash? If not, it’s definitely a problem with your set up.

5
 
 

[Note: The content of this post has been copied from /r/Pentesting in case users wish to continue the discussion during the reddit API price gouging blackout]

Original

Pentesting project viability?

/u/ExcidionKahuna

TL;DR: Aspiring pentester/python noob looking for recommendations to optimize recon script written in python to populate an Obsidian vault, link findings efficiently with markdown/obsidian plugins, and wondering if this is would even be useful.

Hey all,

I'm not sure if this would be viable to the community in general, but was wanting some input.

This has been kind of a dream project of mine. I'm no developer, and aspire to be a pentester once my contract with my current job ends.

This is a project in python that will perform all my basic enumeration and execute additional commands and populating an Obsidian vault with the data. It starts with a ping/pingsweep and create a directory for each target. Cue nmap full port scan and create a .MD file for each port. Additional script and service scans on discovered ports, and the output for each port saved to each port file. Follow additional commands to run based on services discovered and saved to their own files. Each command will be piped to a bash script I wrote that will timestamp command output and screenshot it to be rendered in each file.

I know that golang and other languages would be faster for this, but this is a project I am using to learn Python and optimize/automate my notes. I guess this could be simplified as using autorecon and making an Obsidian vault, and doctoring it up with markdown and Obsidian features.

For Obsidian users, do you have any recommendations for markdown syntax I can use to better organize, link or make this project useful? Or any other optimizations you could recommend via python? And is this something anyone would actually like to see or even care about?

/u/frenchfry_wildcat

This is absolutely possible and essentially how the “automated pentest” platforms work (such as Penterra)