TryHackMe: Jr. Penetration Tester (Supplements)

With the course work for the Security+ exam out of the way, it’s time to turn back to all of the “supplements” I picked up along the way while working through the TryHackMe Jr. Penetration Tester sequence. Today:

Defining Scope and Objectives

New term:

Reference:

Rules of Engagement

The “rules of engagement” are basically the legally formalized (and binding) form of the test’s scope and objectives. Not a formal campaign plan.

Mission Plan

The difference between an “operation plan” and a “mission plan” is one of audience: The former is externally-facing (clients), while the latter is internally facing (red team members).

Introduction: Firewalls

Types of Firewalls

Traditional firewalls cover OSI layers 2 – 4 (data link, network, and transport), while “next-gen” firewalls additionally cover layers 5 – 7 (session, presentation, and application).

Types of firewalls:

References:

Evasion via Controlling the Source MAC/IP/Port

Nmap firewall evasion techniques:

Nmap SYN scan packets are by default 44 bytes = 20 bytes IP header + 24 bytes TCP header + 0 bytes data.

An Nmap SYN scan will send ~2x the number of packets as scanned ports, as all unresponsive ports are sent a second packet to verify that they’re actually closed (and, in general, most ports will be closed).

Evasion via Forcing Fragmentation, MTU, and Data Length

Fragmenting packets in Nmap will generally let them get through a firewall if the firewall is not itself reassembling packets. Note this means that fragmenting packets to 8 bytes results in packets that are 28 bytes long. Use -f to fragment packets to 8 bytes, -ff to fragment packets to 16 bytes, or --mtu to fragment packets into a chosen multiple of 8.

Fragmentation can lead to uneven packet sizes (in particular, the final fragment may be shorter than the others). Nmap will produce packets of a specified length (again, a multiple of 8) when called with --data-length; enough random bits will be added to the packet data field to ensure that the final packet is the same length as all the others. (You can also use this option to add random data to normal Nmap TCP packets by specifying a length greater than 24 bytes; note again that the IP header is uneffected.)

Evasion via Modifying Header Fields

Evasion Using Port Tunneling

Port forwarding with netcat (requires -c to be available):

nc -lvnp $INCOMING_PORT -c "nc $TARGET_IP $TARGET_PORT"

Evasion Using Non-Standard Ports

Sometimes the netcat binary is named ncat instead of nc


Nathan Acks
May 9, 2022