Where do I go from here?
At this point, you should have a solid understanding of the basic steps required to exploit and gain access to a system. Remember: your attack methods change based on your target and desired goal. Now that you understand the basics, you should be ready to tackle some more advanced topics.
You should take some time and review the password brute forcing tool Hydra. This tool functions much like Medusa but provides a few extra parameters to give you some additional options. Carefully review each of the switches supported by Hydra. It’s recommended that you pay special attention to the timing option. The ability to control the time or rate of connections is handy for correcting many connection errors that occur when we utilize online password crackers.
Along with your own personal password dictionary, you should begin building a list of default usernames and passwords for various network devices. As you progress in your penetration testing career, you’ll probably be surprised at how often you’ll come across devices like routers, switches, modems firewalls, etc., that still use a default username and password. It is not uncommon to find PT stories where the penetration tester was able to take complete control of a boarder router and redirect all internal and external traffic because the company administrator had forgotten to change the default username and password. It does little good to spend time configuring and securing your device if you fail to change the username and password. There are several good starter lists of default usernames and passwords available online.
Another great tool for password cracking is RainbowCrack. RainbowCrack is a tool that relies on Rainbow tables to crack passwords. A rainbow table is a precomputed list of password hashes. Recall that traditional password-cracking tools like John the Ripper go through a three-step process. First, the tool must generate a potential password; next, the tool needs to create a hash of the chosen word; and finally, the password-cracking tool has to compare the generated hash with the password hash. Rainbow tables are much more efficient because they make use of precomputed password hashes. This means that the cracking process reduces two out of the three steps and simply needs to compare hashes to hashes.
There are lots of great tools that can be explored and used for sniffing. It is highly recommended that you spend time getting to know and use Wireshark. This course covered only the basics, but Wireshark is a deep program with many rich features. You should learn how to use the filters, follow data streams and view information on specific packets. Once you are comfortable with Wireshark, digging into dsniff is highly recommendable. As mentioned earlier, dsniff is an incredible suite with tons of great tools. With some self-study and practise, you can even learn to intercept encrypted traffic like SSL.
Ettercap is another fantastic tool that has many powerful features and abilities. Ettercap is a great tool for conducting man-in-the-middle attacks. Ettercap works by tricking clients into sending network traffic through the attacker machine. This is a great way to get usernames and passwords from machines on the Local LAN. Once you have successfully studied and used Wireshark, dsniff and Ettercap, you’ll be well to mastering the basics of network sniffing.
After reviewing and understanding the basics of Metasploit, you should dig in and learn the details of the Meterpreter payload. There are dozens of switches, commands and ways to interact with the Meterpreter. You should learn and practise them all. Learning how to control this amazing payload will pay mountains of dividends in your exploitation career. It is important that you understand using Metasploit in combination with the Meterpreter is one of the most lethal amalgamations available to a new penetration tester. Don’t underestimate or overlook this powerful tool.
Until now only automated attacks have been discussed. Even though it can be extremely entertaining to push buttons and pwn remote systems, if you never advance your skill level beyond this point, you’ll be a Script Kiddie forever. Initially, we all start out as a person who must rely on other to develop and release new exploit tools, but to become truly elite you’ll need to learn how to read, write and create your own exploits. While creating your own exploits may seem daunting at first, it is a process that become much easier the more you learn. A good place to start learning about exploitation is by getting to know buffer overflows.
Stack and heap based buffer overflows, which are responsible for many of the exploits available today, often seem like magic or voodoo to newcomers. However, with some dedicated and careful self-study, these topics can be demystified and even mastered.
Advancing your skill level to the point of being able to find buffer overflows and write shell code often requires some additional training. Although this training is not strictly required, it certainly makes the process of learning advanced exploitation much easier. Whenever possible, you should spend time learning a programming language like “C”. Once you are comfortable with C, you should focus on understanding at least the basics of Assembly Language. Having a solid understanding of these topics will help dispel much of the “black-magic” feel many people have when they first encounter buffer overflows.