As a pentester, you might be able to take control of systems that are directly reachable, but you might also need to test the internal network and examine the machines that sit inside a subnetwork.

For that task you'll have to use an already compromised machine as a bridge/gateway; this technique is called "pivoting". Depending on the context, different solutions exist to perform that task.

Rinetd

The easiest one. First you need to install Rinetd:

aptitude search rinetd
p   rinetd                                     - Internet TCP redirection server

Then edit the /etc/rinetd.conf file:

# bindadress    bindport  connectaddress  connectport
192.168.0.10    80        91.121.139.22   8080

Restart Rinetd and from then on, all incoming traffic on 192.168.0.10 port 80 will be redirected to 91.121.139.22 port 8080. This can be useful if a firewall is restricting outbound traffic on certain ports.
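Because a redirection rule like the one above is only four whitespace-separated fields, it is easy to check a host's rinetd.conf for unexpected forwarders during a review. The following parser and audit routine is an added example, not code from the original post or from the rinetd project; it assumes the classic line format (bindaddress bindport connectaddress connectport) plus the allow/deny/logfile/logcommon directives, and the sample configuration embedded in it is constructed for the demonstration.

```python
"""Parse an rinetd.conf and audit its forwarding rules.

Added example; not part of the original post and not rinetd's own code.
Assumes the classic rinetd.conf rule format:
    bindaddress bindport connectaddress connectport
Comments start with '#'. The allow/deny/logfile/logcommon directives are
recognised and skipped so they are not mistaken for forwarding rules.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    bind_addr: str
    bind_port: int
    connect_addr: str
    connect_port: int


# Constructed sample: the rule from the post plus extra lines that exercise
# directives, a wildcard bind and a malformed port.
SAMPLE_CONF = """\
# bindadress    bindport  connectaddress  connectport
192.168.0.10    80        91.121.139.22   8080
logfile /var/log/rinetd.log
allow 192.168.0.*
0.0.0.0         4444      10.0.0.5        22
192.168.0.10    notaport  10.0.0.6        25
"""

DIRECTIVES = {"allow", "deny", "logfile", "logcommon"}


def parse_rinetd_conf(text: str) -> tuple[list[Rule], list[str]]:
    """Return (rules, errors). Malformed lines are reported, not silently dropped."""
    rules, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        fields = line.split()
        if fields[0] in DIRECTIVES:
            continue
        if len(fields) != 4:
            errors.append(f"line {lineno}: expected 4 fields, got {len(fields)}")
            continue
        try:
            rule = Rule(fields[0], int(fields[1]), fields[2], int(fields[3]))
        except ValueError:
            errors.append(f"line {lineno}: port is not an integer")
            continue
        if not (0 < rule.bind_port < 65536 and 0 < rule.connect_port < 65536):
            errors.append(f"line {lineno}: port out of range")
            continue
        rules.append(rule)
    return rules, errors


def audit(rules: list[Rule]) -> list[str]:
    """Flag rules a reviewer would want to look at: binds on every interface
    and forwards to addresses outside private (RFC 1918 / loopback) space."""
    findings = []
    for r in rules:
        src = f"{r.bind_addr}:{r.bind_port}"
        if r.bind_addr == "0.0.0.0":
            findings.append(f"{src} listens on all interfaces")
        try:
            if not ipaddress.ip_address(r.connect_addr).is_private:
                findings.append(f"{src} forwards to public host {r.connect_addr}:{r.connect_port}")
        except ValueError:
            # A hostname rather than an IP: cannot classify without resolving it.
            findings.append(f"{src} forwards to hostname {r.connect_addr} (unclassified)")
    return findings


if __name__ == "__main__":
    rules, errors = parse_rinetd_conf(SAMPLE_CONF)
    for r in rules:
        print(r)
    for e in errors:
        print("error:", e)
    for f in audit(rules):
        print("finding:", f)
```

Run it as a script and it prints the two parsed rules, one parse error for the malformed port, and two findings: the post's own rule forwards to a public address, and the constructed second rule binds on every interface.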

...

The famous Offensive Security Certified Professional, aka OSCP, is the certification for the Penetration Testing with Kali Linux course, aka PWK, provided by Offensive Security.

Offensive Security

Offensive Security is one of the most active organizations on the Internet in the offsec field. In addition to providing pentest and attack simulation services to their customers, they also bring a lot of great solutions to the community.

Currently 6 online/live/in-house courses are available (pentest, wireless security, Windows exploitation, web attacks…) that go with 5 different well-known certifications. An incredible online virtual lab composed of intentionally vulnerable machines (Ubuntu, XP, webapps, mail service, FTP vulns and so on…) has been created to enhance your security knowledge. Offensive Security also maintains awesome projects such as Kali Linux, Metasploit and the Google Hacking Database, the tools most used by pentesters.

The quality of all of these solutions is well recognized by the community, by many companies and actually by everyone who has to deal with offsec :)

...

Metadata is information stored in a document itself but not easy to find for common mortals. It usually includes: file name/type/size, author, organization, creation date, last modified date and so on… But sometimes there is extra information that could be very interesting from a hacker's point of view, like email addresses, phone numbers, usernames, geolocation and even local IP addresses.

...

With more than 60 million websites, WordPress is the most popular CMS currently in use but it’s also based on the most hacked environment aka LAMP.

As we all know, there is no way to stop a determined hacker, but you can slow him down or detect him before things become serious. Below are some techniques to improve the security of your site. This post is directly inspired by the official WordPress codex and some hacker techniques I learned in the last months.

Files

According to the WordPress documentation, and I won't discuss this point here, directories must have the following permissions: drwxr-xr-x (755), and files must be: -rw-r--r-- (644). WordPress says that the automatic update changes file/dir permissions; that's true, but not that way in my case. Maybe a cron job could do it?

...

While performing a pentest, if you discover a server running the SMB protocol, you can test whether it's vulnerable to anonymous connection (also called a null session) and then glean a lot of information with an RPC client. Nmap is useful to locate that kind of service:

[screenshot: smb null session]

Now you can try to interact with the remote machine with the help of rpcclient. To perform a null session you have to specify an empty user and an empty password. If the host is not vulnerable, you will get the following error:

$ rpcclient -U "" 192.168.1.31
Enter 's password:
could not initialise lsa pipe. Error was NT_STATUS_ACCESS_DENIED
could not obtain sid for domain WORKGROUP
error: NT_STATUS_ACCESS_DENIED

But if the host is vulnerable you will immediately get a prompt:

$ rpcclient -U "" 192.168.1.18
Enter 's password:
rpcclient $>
...