Adobe Scan 10-Oct-2023

project file

Uploaded by rahulistaken69
G.H. Patel College of Engineering and Technology, Vallabh Vidyanagar, Anand, Gujarat

CERTIFICATE

This is to certify that the project report submitted along with the project entitled Security Analyst Internship has been carried out by Mayank Dharmendra Malhotra under my guidance in partial fulfilment for the degree of Bachelor of Engineering in Computer Engineering, 8th Semester of Gujarat Technological University, Ahmedabad during the academic year 2022-2023.

Prof. Sneh Vyas, Internal Guide
Prof. Maulika Patel, Head Of Department

GUJARAT TECHNOLOGICAL UNIVERSITY
CERTIFICATE FOR COMPLETION OF ALL ACTIVITIES AT ONLINE PROJECT PORTAL
B.E. SEMESTER VIII, ACADEMIC YEAR 2022-2023
Date of certificate generation: 05 May 2023 (17:34:17)

This is to certify that Malhotra Mayank Dharmendra (Enrolment Number - 190110107035), working on project entitled Security Analyst internship from Computer Engineering department of G. H. PATEL COLLEGE OF ENGINEERING & TECHNOLOGY, V V NAGAR, had submitted the following details at the online project portal: Internship Project Report Completed.
Name of Student: Malhotra Mayank Dharmendra
Name of Guide: VYAS SNEH SATISHBHAI

Disclaimer: This is a computer generated copy and does not indicate that your data has been evaluated. This is the receipt that GTU has received a copy of the data that you have uploaded and submitted as your project work, only if all above activities have been completed.

DECLARATION

We hereby declare that the Internship/Project report submitted along with the Internship/Project entitled INTERNSHIP at ByteFury, Bhavnagar submitted in partial fulfilment for the degree of Bachelor of Engineering in Computer Engineering to Gujarat Technological University, Ahmedabad, is a bonafide record of original project work carried out by me at ByteFury, Bhavnagar under the supervision of Prof.
Sneh Vyas and that no part of this report has been directly copied from any students' reports or taken from any other source, without providing due reference.

Name of the Student / Sign of Student

BYTEFURY
Internship Certificate

This is to certify that Mr. Mayank Malhotra was employed by Bytefury as Security Analyst Intern during the period of 20th February 2023 to 15th May, 2023. His skills and qualifications proved successful with regards to tasks assigned to him. We wish him all the best in his future endeavors.

Date: May, 2023
Name: Purvi Panjwani
Title: Managing Partner
Signature

ACKNOWLEDGEMENT

I take this opportunity to express my profound gratitude and deep regards to my guide Prof. Sneh Vyas for his exemplary guidance, monitoring and constant encouragement throughout the course of this internship project. The blessing, help and guidance given by him from time to time shall carry me a long way in the journey of life which I am about to embark on. I am highly indebted to Mr. Mohit Panjwani and Mrs. Purvi Panjwani for their guidance and constant supervision as well as for providing necessary information regarding the project and also for their support in completing the project. I also take this opportunity to express a deep sense of gratitude to Dr. Maulika Patel, H.O.D of Computer Engineering Dept., for her cordial support, valuable information and guidance, which helped me in completing this task through various stages. I am obliged to the staff members of the CE department for the valuable information provided by them. I am grateful for their cooperation during the period of my project. Lastly, I thank the almighty, our parents, brothers, sisters and friends for their constant encouragement, without which this assignment would not be possible.
Sincerely, Mayank Dharmendra Malhotra

ABSTRACT

In these 12 weeks of internship at ByteFury, a software and mobile application development company located in Bhavnagar whose primary focus is Mobile Application and Web Development with technologies like Express JS, VueJs and PHP and also integration with containers and cloud, I was placed on a project regarding Network and Web Security. There I was trained about the various web OWASP Top 10 vulnerabilities and also majorly trained how to go about Active Directory Penetration Testing, enumeration techniques and privilege escalation techniques, mainly in Windows and Linux operating systems. My project involved conducting penetration tests on controlled environments from various sources like HackTheBox, TryHackMe and the PEN-200 OSCP course, where I was given access to a number of labs and a controlled environment to practise my skills after understanding the concepts thoroughly. My first task was to learn about the web OWASP Top 10 vulnerabilities, how to enumerate different network protocols, exploit them and then escalate my privileges across the network. My other tasks included solving boxes from the above stated sources, which involved gaining an initial foothold by exploiting protocols and vulnerable un-patched applications and then escalating my privileges on that host, escalating to root in Linux or the SYSTEM account in Windows.

List of Figures
Fig 1.1 Organization Chart
Fig 2.1 Proof-Of-Concept
Fig 9.2.1 Protected View
Fig 10.2.2 Veil List of Payloads
Fig 12.1.2 Insecure File Permissions Binary
Fig 12.1.3 Unquoted Service Path
Fig 12.2.1 Writable /etc/passwd
Fig 12.2.2 MySQL UDF Privesc POC
Fig 12.2.3 Docker Privilege Escalation Proof Of Concept
Fig 13.1.2 BloodHound UI
Fig 13.1.3 Enumerating SPNs
Fig 13.2.1 NTLM Authentication
Fig 13.2.2 Kerberos Authentication
Fig 13.2.3 Mimikatz Dumps
Fig 13.3.1 Kerberoasting
Fig 13.3.2 AS-REP Roasting
Fig 13.3.3 Silver Ticket Attacks
Fig 13.4.1 Wmiexec pass-the-hash
Fig 13.4.2 Overpass-the-hash Attack
Fig 13.4.3 Pass-the-ticket Attack
Fig 13.4.3.1 Verifying the Attack (Pass-the-ticket)
Fig 14.1 Buffer Overflows Visualised

Table of Contents
Acknowledgement
1.2 Scope of Work
1.3 Organization Chart
Chapter 2 Welcome and Proof Of Concept
2.1 Proof of Concept
Chapter 3 Introduction to Project
3.1 Project Summary
3.2 Purpose
3.3 Objective
3.4 Scope
3.5 Technology used
3.6 Internship Planning
3.6.1 Roles & Responsibilities
Chapter 4 Linux Command Line
4.1 Piping and Redirection
4.2 Text Searches and Manipulation
4.3 Downloading files from command line
4.4 Managing Processes
Chapter 9 Client Side Attacks
Abusing Protected Views
Chapter 10 AntiVirus Evasion
10.1 Manual AV Bypass
10.1.1 Local Process Mem…
10.2 Automatic AV Bypass
10.2.1 Dynamic Sh…
10.2.2 AV Bypass with Veil Framework
Chapter 11 Port Forwarding and Tunnelling
11.1 Local Port Forwarding
11.2 Remote Port Forwarding
11.3 Dynamic Port Forwarding
Chapter 12 - Privilege Escalation
12.1 Windows Privilege Escalation
12.1.1 UAC Bypass
12.1.2 Insecure File Permissions
12.1.3 Unquoted Service Paths
12.2 Linux Privilege Escalation
12.2.1 Writable /etc/passwd
12.2.2 MySQL User Defined Functions
12.2.3 Docker Privilege Escalation
13.2 Active Directory Authentication
13.2.1 NTLM Authentication
13.2.2 Kerberos Authentication
13.2.3 Cached logon credentials
13.3 Active Directory Attacks
13.3.1 Kerberoasting Attack
13.3.2 AS-REP Roasting
13.3.3 Silver Ticket Attack
13.4 Lateral Movement in AD Environment
13.4.1 Pass-the-hash Attack
13.4.2 Overpass-the-hash Attack
13.4.3 Pass-the-ticket Attack
Chapter 14 - Buffer Overflow Attacks
14.1 Buffer Overflows

1. OVERVIEW OF THE COMPANY

ByteFury, founded in 2014 by entrepreneurs M…, is a web and mobile application company committed to providing resources and delivering a personable … to its clients. It started as a bootstrapped startup and is currently thriving, delivering quality services to its clients.

1.2 Scope of Work

We augment client teams with their software development, testing, maintenance and support. We develop web and mobile applications for overseas clients and help better their infrastructure with quality products.

1.3 Organization Chart

Figure 1.1 Organization Chart (onsite client; software development team consisting of project manager, business analysts, designers and developers)

GCET, Gujarat Technological University

2. WELCOME & PROOF OF CONCEPT

2.1 Proof of Concept

Starting 20th February, for my initial tasks I was given access to training platforms like HackTheBox, TryHackMe and the PEN-200 platform from Offensive Security. I supplemented the machines I hacked from these platforms with the knowledge I gained from the PEN-200 learning materials and labs. I was asked to keep my exploitation walkthroughs/writeups on my local computer to check my progress throughout the internship.

Fig 2.1 Proof-Of-Concept

3. INTRODUCTION TO PROJECT

3.1 Project Summary

The project was assigned to me by Mr. Mohit Panjwani, my industry mentor. Pentesting web applications and Active Directory environments is a crucial part in maintaining the security posture of an organisation.

3.2 Purpose

The project is aimed at strengthening my pentesting skills in a network as well as on a web application.

3.3 Objective

The objective of the project is to solve two Windows/Linux machines, one of each, per day.
3.4 Scope

The scope of the project is extensive, but not limited to just web application penetration tests.

3.5 Technology Used

Burp Suite, Ubuntu, Windows, Kali Linux (penetration testing distro from Unix)

3.6 Internship Planning

3.6.1 Roles and Responsibilities

The role of a security analyst is to work with developers in order to improve their code in the context of security. Code reviews were expected to be done by us.

4. Linux Command Line

4.1 Piping and Redirection

Every program run from the command line has three data streams connected to it that serve as communication channels with the external environment. These streams are defined as STDIN, STDOUT and STDERR. I learned about piping and redirecting the input of various data streams to other streams and vice versa.

4.2 Text Searches and Manipulation

In this section, we will gain efficiency with four commands: grep, sed, cut, and awk. Advanced usage of some of these commands requires an understanding of how regular expressions (regex) work. A regular expression is a special text string for describing a search pattern.

4.3 Downloading files from command line

I learned how to download files from the command line using curl, wget and axel. There are many tools used for efficient file downloads, wget and curl being two of them. Curl also helps us analyse headers, which is useful for fingerprinting services running on web servers by observing response headers.

4.4 Managing Processes

The Linux kernel manages multitasking through the use of processes. The kernel maintains information about each process to help keep things organised, and each process is assigned a number called a process ID (PID). The Linux shell also introduces the concept of jobs to ease the user's workflow during a terminal session. Job control refers to the ability to selectively suspend the execution of jobs and resume their execution at a later time. This can be achieved through the help of specific commands, which we will soon explore.

5. Practical Tools
5.2 Wireshark

A competent penetration tester should be well-versed in networking fundamentals. A network sniffer, like the industry staple Wireshark, is a must-have tool for learning network protocols, analysing network traffic, and debugging network services. We can use two different types of filters, namely display filters and capture filters. We can also follow TCP data streams to trace a conversation packet by packet.

5.3 Tcpdump

Tcpdump is a text-based network sniffer that is streamlined, powerful, and flexible despite the lack of a graphical interface. It is by far the most commonly-used command-line packet analyzer and can be found on most Unix and Linux operating systems, but local user permissions determine the ability to capture network traffic. Tcpdump can both capture traffic from the network and read existing capture files. We can use advanced header filtering to observe specific bytes of data.

5.4 PowerShell

The most powerful tool in the arsenal of a penetration tester is PowerShell from Microsoft, for Windows … that run on them. We can load different PowerShell modules and use custom made PowerShell cmdlets for exfiltrating data from the target host locally without alerting AV and EDRs.

6. Passive Information Gathering

Passive Information Gathering refers to gathering information about the target without interacting with the website at all. We use OSINT techniques. Recon is important, as the web is possibly the most vast attack surface for an organisation.

At the heart of this technique are clever search strings and operators that allow creative refinement of search queries, most of which work with a variety of search engines. The process is iterative, beginning with a broad search, which is narrowed down with operators to sift out irrelevant or uninteresting results.
Various operators like site, filetype, intitle etc. work well for passive reconnaissance against a target.

6.3 Open Source Code Disclosure

Code stored online can provide a glimpse into the programming languages and frameworks used by an organisation. On some rare occasions, developers have even accidentally committed sensitive data and credentials to public repos. The search tools for some of these platforms will support the Google search operators that we discussed earlier in this module. For example, GitHub's search is very flexible. On GitHub, we will be able to search a user's or organisation's repos, but we need an account if we want to search across all public repos.

6.4 Stack Overflow

Stack Overflow is a website for developers to ask and answer coding related questions. The site's value from an information gathering perspective is in looking at the types of questions a given user is asking or answering. If we can reasonably determine that a user on Stack Overflow is also an employee of our target organisation, we may be able to infer some things about the organisation from the employee's questions and answers.

… vulnerabilities in the code itself.

6.6 Whois Enumeration

Whois is a TCP service, tool, and a type of database that can provide information about a domain name, such as the name server and registrar. This information is often public since registrars charge a fee for private registration. We can gather basic information about a domain name by executing a standard forward search by passing the domain name, megacorpone.com, into the whois client.

7. Active Information Gathering
Active Information Gathering is the process of collecting information by directly interacting with the attack surface, unlike passive information gathering.

7.1 SMB Enumeration

The security track record of the Server Message Block (SMB) protocol has been poor for many years due to its complex implementation and open nature. From unauthenticated SMB null sessions in Windows 2000 and XP, to a plethora of SMB bugs and vulnerabilities over the years, SMB has seen its fair share of action. We can use various tools like smbclient, nbstat, smbmap and the nmap scripting engine for enumerating SMB shares, and test for anonymous access to shares too.

7.2 HTTP Enumeration

Web servers are the most relevant attack surface for getting an initial foothold into an organisation. We can check robots.txt and sitemap.xml, click through links to intercept requests with a proxy, run directory busting to check for sensitive endpoints, and read the page source. Testing for vulnerabilities in input fields is an important aspect of web pentests.

7.3 SMTP Enumeration

SMTP is a crucial protocol for organisations for managing their domain mail. We can also gather information about a host or network from vulnerable mail servers. The Simple Mail Transport Protocol (SMTP) supports several interesting commands, such as VRFY and EXPN. A VRFY request asks the server to verify an email address, while EXPN asks the server for the membership of a mailing list. These can often be abused to verify existing users on a mail server, which is useful information during a penetration test.

7.4 NFS Enumeration

Network File System (NFS) is a distributed file system protocol. It allows a user on a client computer to access files over a computer network as if they were on locally-mounted storage. NFS is often used with UNIX operating systems and is predominantly insecure in its implementation.
It can be somewhat difficult to set up securely, so it's not uncommon to find NFS shares open to the world. This is quite convenient for us as penetration testers, as we might be able to leverage them to gather sensitive information, escalate our privileges, and so forth. NFS root squashing is also one notable technique for escalating privileges to the root user on Unix systems.

Port Scanning

Port scanning is the process of inspecting TCP or UDP ports on a remote machine with the intention of detecting what services are running on the target and what potential attack vectors may exist. It is essential to understand the implications of port scanning, as well as the impact that specific port scans can have. Due to the amount of traffic some scans can generate, running port scans blindly can have adverse effects on target systems or the client network, such as overloading servers and network links or triggering an IDS. Running the wrong scan could result in downtime for the customer. Using a proper port scanning methodology can significantly improve our efficiency as penetration testers while also limiting many of the risks.

8. Web Application Attacks

8.1 SQL Injection

There are mainly three types of SQL injections: Blind, Union based and Error based.

8.2 Authentication Attacks

Authentication attacks mainly have the purpose of bypassing logins. We may steal cookies for a high privileged user, or use SQL injection to bypass authentication too. Default credentials are still prevalent and not fixed by organisations.

8.3 Directory Traversal/File Inclusion

This attack involves using malicious input in the query parameters of an HTTP GET or POST request to retrieve local files from a target web server. Local configuration files can be fetched from the target, which could lead to exploitation of services. Mostly, PHP data wrappers can be used to achieve Remote Code Execution on a target web server.
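Returning to the NFS point in section 7.4: the exposure the report describes (shares open to every host, root squashing switched off) is visible in /etc/exports before any client ever mounts the share. The audit below is an added example written for this edit, not code from the original report or from ByteFury; the sample exports file, its hosts and paths are constructed, and option defaults follow exports(5), where an omitted option list means ro and root_squash.

```python
"""Audit /etc/exports for world-exposed or root-preserving NFS exports.

Constructed example for this edit, not part of the original report.
Defaults per exports(5): no option list means ro and root_squash.
"""
from dataclasses import dataclass, field

# Constructed sample /etc/exports; every host and path is made up.
SAMPLE_EXPORTS = """\
# constructed sample, not from a real host
/srv/share      *(rw,sync,no_root_squash)
/home           192.168.10.0/24(rw,sync,root_squash)
/srv/public     *.example.com(ro,sync) 10.0.0.5(rw,no_root_squash)
/var/backups    10.0.0.0/8(ro,all_squash,anonuid=65534)
/opt/data       (rw,no_subtree_check)
/srv/legacy     10.0.0.7 (rw)
"""


@dataclass
class Export:
    path: str
    client: str          # '' or '*' means every host
    options: list
    issues: list = field(default_factory=list)


def parse_exports(text):
    """Parse exports(5) syntax: a path followed by client(options) entries.

    A bare '(opts)' has no client and so applies to every host.  A client
    separated from '(opts)' by whitespace is two entries: that client with
    default options, and every host with 'opts' (a classic footgun).
    """
    exports = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()      # drop comments, blanks
        if not line:
            continue
        parts = line.split(None, 1)
        path, rest = parts[0], (parts[1] if len(parts) > 1 else '')
        for token in rest.split():
            client, _, opts = token.partition('(')
            options = [o for o in opts.rstrip(')').split(',') if o]
            exports.append(Export(path, client, options))
    return exports


def audit(export):
    """Attach human-readable issue strings to an Export and return it."""
    opts = set(export.options)
    every_host = export.client in ('', '*')
    wildcard = export.client.startswith('*') and not every_host
    if every_host:
        export.issues.append('exported to every host')
    elif wildcard:
        export.issues.append('wildcard client match')
    if 'no_root_squash' in opts:
        export.issues.append('no_root_squash: remote root is local root')
    if 'rw' in opts and (every_host or wildcard):
        export.issues.append('writable by a broad set of hosts')
    if 'insecure' in opts:
        export.issues.append('insecure: clients may use unprivileged ports')
    return export


def audit_exports(text):
    """Return only the exports that have at least one issue."""
    return [e for e in map(audit, parse_exports(text)) if e.issues]


if __name__ == '__main__':
    for e in audit_exports(SAMPLE_EXPORTS):
        print(f"{e.path} [{e.client or 'ALL'}]: {'; '.join(e.issues)}")
```

Run it against a real host with `audit_exports(open('/etc/exports').read())`; an empty result means no export is world-exposed, wildcard-matched, root-preserving or port-unrestricted.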
8.4 Web Cache Poisoning

A web cache is a copy of the server's response that enables quicker delivery of web objects to the client. Physically storing data closer to the user also minimises network traffic and enhances a website's performance. This web cache can be poisoned. The critical effect of this is that other clients requesting content from the web cache will receive the poisoned content, which could expose the session cookies of the client the poisoned content is served to. This could result in a full account takeover against the victim.

9. Client Side Attacks

9.1 HTML Applications in Windows

If a file is created with the extension .hta instead of .html, Internet Explorer will automatically interpret it as an HTML Application and offer the ability to execute it using the mshta.exe program. The purpose of HTML Applications is to allow arbitrary execution of applications directly from Internet Explorer, rather than downloading and manually running an executable. Since this is outside the security bounds of Internet Explorer, an HTML Application is always executed outside the security context of the browser by the Microsoft-signed binary mshta.exe. If the user opens the file, an attacker can execute arbitrary code with that user's permissions, avoiding the restrictions normally imposed by Internet Explorer.

9.2 Microsoft Office Macros

Microsoft Office applications like Word and Excel allow users to embed macros, a series of commands and instructions that are grouped together to accomplish a task programmatically. Organisations often use macros to manage dynamic content and link documents with external content. More interestingly, macros can be written from scratch in Visual Basic for Applications (VBA), which is a fully functional scripting language with full access to ActiveX objects and the Windows Script Host, similar to JavaScript in HTML Applications.

9.2.1 Abusing Protected Views

A macro in a Microsoft Word document is highly effective when served locally, but when served from the Internet, say through an email or a download link, we must bypass another layer of protection known as Protected View, which disables all editing and modifications in the document and blocks the execution of macros or embedded objects.
Fig 9.2.1 Protected View

Unlike Word, Microsoft Publisher allows embedded objects and ultimately code execution in the same manner as Word and Excel, but will not enable Protected View for Internet-delivered documents.

Fig. 12.2.2 MySQL UDF Privesc POC

This demonstrates giving persistent root access to Docker … docker group. Access to the docker group is the same as root access without a password.

Proof of Concept of Docker breakout: … can be used to break out from restricted environments by spawning an interactive system shell; the resulting shell is a root shell.

Fig. 12.2.3 Docker Privilege Escalation Proof Of Concept

Fig. 13.1.2 BloodHound UI

Active Directory Attacks

Enumeration of Service Principal Names: … executed in the context of … account. We can discover applications running on servers integrated with AD by simply enumerating SPNs in the domain, meaning we don't need to run a broad port scan.
