Jumping right into it this week: This module really wasn’t too difficult, although I did run into some trouble with the skills assessment. To quickly summarize, this module covered some surface-level web hacking techniques, namely enumeration and digging through hidden directories to establish a viable target list. Below is a rough outline and what I learned from each section:
- Utilizing WHOIS: This section was pretty straightforward, it was mostly review on using the WHOIS service to lookup information regarding domain registration, simple enough.
- DNS and Subdomains: This was a more in-depth section and took me the most time, probably a couple hours. This section covered a large chunk of web enumeration material, mostly DNS querying with dig and zone transfers (AXFR requests), both of which are used to pull additional records out of a DNS server. These can reveal other domains and hosts associated with the main domain, and can point at other potential attack vectors. This also included vhost enumeration, which was a bit of a bear; I’ll touch on it a little later in the lessons learned below.
- Fingerprinting: This covered some simple fingerprinting, which included some techniques for banner grabbing and analysis of HTTP headers via curl and checking for web app firewalls with wafw00f. It also briefly touched on some web app scanners like Nikto.
- Crawling: This was the most important section in the module for the skills assessment in my opinion. If you take the CPTS course, focus heavily on this. This section covers crawling directories and subdomains for a domain, plus some info on robots.txt and how (polite) bots will follow the indexing instructions in that file. Please please please learn this, it will save your sanity when you go to take the skills assessment for this.
- Search Engine Discovery + Web Archives: These covered some OSINT and Google Dorking tips, plus how to use the Wayback Machine and the benefits of examining archived variants of a site. This is a useful skill, but was unhelpful for this module specifically.
- Automating Recon: This covers some simple automated recon tools that combine most of the manual recon steps into a single program output, which is super helpful in reality. This was also something good to learn, but I don’t recall using it to grab any of the flags.
Skills assessment | lessons learned
The skills assessment here should have been simple, but just as with the previous ones I underestimated it. Since this assessment was largely technical, and for legal reasons I can’t detail the exact methods or questions asked, the things that I learned here were:
- Be sure to thoroughly enumerate vhosts; the simplest way to prep for this is usually mapping the domain to the target IP in your hosts file.
- When you find a new subdomain, add it to the hosts file and re-run your enumeration. Several names can share one IP on a single hosts line. The hosts file only maps names to IPs, so if the site isn’t on the default port, put the port in the URL you hand to your tools.
- Use crawlers effectively. Run them on all subdomains, and if they (or your subdomain enumeration) turn up a robots.txt file be sure to check it; you’ll often find some goodies there.
- For the love of all things holy, know how to use curl. THE DIRECTORY REQUIRES THE TRAILING SLASH: http://www../././example/ <– Don’t forget that last slash. Without it the server typically answers with a redirect to the slash-terminated path, and curl (which does not follow redirects unless you pass -L) prints an empty body, so it looks like nothing came back.
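To make the vhost and crawling lessons above concrete, here is an added example (my own code, not part of the module or of this post) that does the three pieces in one place: it merges new names into a hosts-file line for a given IP, probes candidate vhosts by sending the Host header directly and diffing each response against a baseline for a name that cannot exist (so a catch-all default site does not produce a hit for every word), and harvests the Disallow/Allow/Sitemap entries from a robots.txt. The `fetch` helper deliberately does not follow redirects, which makes the missing-trailing-slash 301 visible instead of silent. Target IP, domain, wordlist and the sample hosts/robots content are all constructed for illustration.

```python
#!/usr/bin/env python3
"""Helpers for the vhost + crawling workflow: hosts-file merging, Host-header
probing, and robots.txt harvesting. Example code, not from the module."""
import http.client
import secrets
import sys


def merge_hosts_entry(hosts_text: str, ip: str, *names: str) -> str:
    """Return hosts_text with every name in `names` mapped to `ip`.

    If a line for `ip` already exists the new names are appended to it, so one
    IP carries several vhosts on a single line; existing names and trailing
    comments are preserved. Nothing is written to disk here; the caller decides.
    """
    out, found = [], False
    for line in hosts_text.splitlines():
        body, sep, comment = line.partition("#")
        fields = body.split()
        if fields and fields[0] == ip:
            for name in names:
                if name not in fields[1:]:
                    fields.append(name)
            line = " ".join(fields) + (f" {sep}{comment}" if sep else "")
            found = True
        out.append(line)
    if not found:
        out.append(f"{ip} {' '.join(names)}")
    return "\n".join(out) + "\n"


def robots_paths(robots_txt: str) -> dict:
    """Harvest Disallow/Allow paths and Sitemap URLs from a robots.txt.

    Entries are collected across every User-agent group and deduplicated in
    order of first appearance: for recon, each listed path is a crawl target
    regardless of which bot it was meant for.
    """
    found = {"disallow": [], "allow": [], "sitemap": []}
    for raw in robots_txt.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        key, sep, value = line.partition(":")    # first colon only, so URLs survive
        if not sep:
            continue
        bucket = found.get(key.strip().lower())
        value = value.strip()
        if bucket is not None and value and value not in bucket:
            bucket.append(value)
    return found


def fetch(ip: str, host: str, path: str = "/", port: int = 80, timeout: float = 5.0):
    """GET `path` from ip:port with an explicit Host header.

    Returns (status, Location header or None, body bytes). Sending Host directly
    means no hosts-file edit is needed while fuzzing. Redirects are not followed
    on purpose: /example is usually answered 301 -> /example/ with an empty body,
    which is the "curl returned nothing" symptom when the slash is left off.
    """
    conn = http.client.HTTPConnection(ip, port, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": host, "User-Agent": "recon-example"})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location"), resp.read()
    finally:
        conn.close()


def enumerate_vhosts(ip: str, base_domain: str, candidates, port: int = 80):
    """Probe each candidate vhost and keep those whose (status, size) differ
    from a baseline request for a name that cannot exist."""
    b_status, _, b_body = fetch(ip, f"nx-{secrets.token_hex(4)}.{base_domain}", port=port)
    hits = []
    for sub in candidates:
        host = f"{sub}.{base_domain}"
        try:
            status, _, body = fetch(ip, host, port=port)
        except (OSError, http.client.HTTPException) as exc:
            print(f"[!] {host}: {exc}", file=sys.stderr)
            continue
        if (status, len(body)) != (b_status, len(b_body)):
            hits.append((host, status, len(body)))
    return hits


if __name__ == "__main__":
    # Usage: recon.py <ip> <domain> [port]; all target values are hypothetical.
    ip, domain = sys.argv[1], sys.argv[2]
    port = int(sys.argv[3]) if len(sys.argv) > 3 else 80
    wordlist = ["www", "dev", "admin", "staging", "api"]  # swap in a real wordlist
    for host, status, size in enumerate_vhosts(ip, domain, wordlist, port):
        print(f"[+] {host} -> {status} ({size} bytes)")
        print("    hosts line:", merge_hosts_entry("", ip, host).strip())
        r_status, _, r_body = fetch(ip, host, "/robots.txt", port)
        if r_status == 200:
            print("    robots.txt:", robots_paths(r_body.decode(errors="replace")))
```

Run it as `python3 recon.py 10.129.1.2 example.htb` (hypothetical target) and append the printed hosts lines to /etc/hosts before pointing a crawler at each hit; the robots.txt paths it prints are the first directories worth feeding to the crawler.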
Anyways, this was a pretty short module, and the next module, titled ‘Vulnerability Assessment’, is largely foundational knowledge relating to the types of vulnerability assessments and how they differ from penetration tests. It includes some hands-on practice with Nessus and OpenVAS (which I run on my home network periodically) and largely consists of things that I learned from several of my certifications, so I’ll likely skip it in favor of a side quest/project post. Anyways, thanks for reading!
