StC Pentesting Fundamentals Study Group — Week #3 Recap
Last week we had our third session of the Pentesting Fundamentals Study Group.
We covered Chapter 3, Information Gathering, of the CompTIA PenTest+ Study Guide and learned about the following topics:
- How to conduct passive information gathering using Open-source Intelligence (OSINT).
- Resources that can be used for passive information gathering, such as vulnerability databases, security search engines, organizational data in the form of electronic documents, public financial data and employee social media accounts, as well as publicly available information about the organization's domains, IP ranges and routes.
- How to conduct active reconnaissance and enumeration.
- Techniques used to enumerate network devices, systems, users, groups, shares, applications and other targets.
- The different types of scans and flags you can use in nmap to conduct a network scan.
- Preventative and defensive methods against active and passive reconnaissance.
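As an added example on the defensive side of the reconnaissance topics above (not material from the study group or the CompTIA guide), the snippet below runs a minimal port-scan detector over constructed connection-log lines: it flags any source that touches more than a threshold of distinct destination ports on one host inside a sliding time window, which is the footprint a default nmap TCP scan leaves in firewall or flow logs. The log format, thresholds and addresses are all assumptions made up for the example.

```python
# Added example: detect nmap-style port scans in constructed connection logs.
# Each log line is assumed to be "<ISO timestamp> <src> <dst> <dport> <flags>".
from collections import defaultdict
from datetime import datetime, timedelta

PORT_THRESHOLD = 10   # distinct ports per (src, dst) pair before alerting
WINDOW_SECONDS = 60   # width of the sliding window

# Constructed sample: 10.0.0.5 probes 12 common ports in 12 seconds (a scan),
# while 10.0.0.7 behaves like a normal client talking to 443 and 80.
SCAN_PORTS = [21, 22, 23, 25, 53, 80, 110, 139, 143, 443, 445, 3306]
SAMPLE_LOG = "\n".join(
    f"2024-05-01T10:00:{i:02d} 10.0.0.5 10.0.0.20 {p} S"
    for i, p in enumerate(SCAN_PORTS)
) + """
2024-05-01T10:00:05 10.0.0.7 10.0.0.20 443 S
2024-05-01T10:00:09 10.0.0.7 10.0.0.20 443 S
2024-05-01T10:00:30 10.0.0.7 10.0.0.20 80 S
"""


def parse_line(line):
    """Split one log line into (timestamp, src, dst, dport, flags)."""
    ts, src, dst, dport, flags = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport), flags


def detect_scans(log_text, threshold=PORT_THRESHOLD, window=WINDOW_SECONDS):
    """Return {(src, dst): max distinct ports seen in one window} for pairs
    whose distinct-port count exceeds the threshold inside the window."""
    events = defaultdict(list)  # (src, dst) -> [(timestamp, dport), ...]
    for line in log_text.splitlines():
        if line.strip():
            ts, src, dst, dport, _flags = parse_line(line)
            events[(src, dst)].append((ts, dport))

    alerts = {}
    span = timedelta(seconds=window)
    for pair, hits in events.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # Advance the window start until all hits fit inside `window`.
            while hits[end][0] - hits[start][0] > span:
                start += 1
            ports = {p for _, p in hits[start:end + 1]}
            if len(ports) > threshold:
                alerts[pair] = max(alerts.get(pair, 0), len(ports))
    return alerts


if __name__ == "__main__":
    print(detect_scans(SAMPLE_LOG))
```

Lowering the window (or raising the threshold) shows the trade-off the defensive discussion turns on: a scan paced slowly enough to stay under the per-window port count slips past this kind of rule.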
We also solved the HTB Lame and Legacy boxes, both of which involved exploiting misconfigured and vulnerable versions of Samba. We then ended the session by reviewing the vulnerabilities that gave us system-level access on both machines and how those vulnerabilities could have been remediated.
Next week, we’ll cover Chapter 4 of the CompTIA PenTest+ book and work on the Beep (Linux) and Optimum (Windows) HTB boxes.
Additional Resources
The following are some of the resources we looked at.