DEV Community: Timothy Imanuel

Week 9

Timothy Imanuel — Thu, 21 May 2026 16:01:53 +0000

Target Exploitation & Privilege Escalation (Session 10 Summary)

🔬 1. Vulnerability Research Foundations

Programming: Code analysis using C/C++, Python, Perl, or Assembly.
Reverse Engineering: Analyzing compiled software binaries without original source code.
Instrumented Tools: Monitoring application runtime behaviors with debuggers and fuzzers.
Payload Construction: Engineering reliable shellcode execution pathways.

🗂️ 2. Public Exploit Directories

Public PoCs: Used by penetration testers to safely evaluate software version vulnerabilities.
Platforms: Exploit-DB , Packet Storm, SecurityFocus, NVD, US-CERT , Secunia , and XSSed.

🛠️ 3. Metasploit Console Basics (`msfconsole`)

Execution: Terminal interface tool for launching framework scans and exploits.
Global Show: Commands like show exploits or show payloads view platform-wide modules.
Contextual Show: Module-specific settings reveal options like show targets or `show advanced.

🚀 4. Privilege Escalation Mechanics

Vertical Escalation: Gaining higher system permissions (e.g., web user to root admin).
Horizontal Escalation: Lateral movement between accounts with matching privilege levels.
Vectors: Local kernel exploits, open home directories exposing stored SSH private keys, weak passwords, network sniffing, and packet spoofing.

🔐 5. Password Auditing Strategy & Tools

Online Guessing Attacks

Mechanics: Remote login attempts over production networks; limited by latency and lockouts.
Tools: Hydra, Medusa, and CeWL (web wordlist scraper).

Offline Cracking Attacks

Mechanics: Reversing stolen database file hashes locally on attacker hardware without network restrictions.
Tools: Hashcat, John the Ripper, Rainbow crack, Ophcrack, Crunch, and Hash-identifier.

🔄 6. Man-in-the-Middle (MitM) & ARP Spoofing

Normal Condition: Nodes exchange standard ARP requests and replies to map local IPs to hardware MAC addresses.
Spoofed Condition: The attacker broadcasts fake ARP responses to poison targets' cache tables.
Sniffing intercept: Traffic routes through the attacker to be read via Tcpdump, Wireshark, or Dsniff before forwarding.

Week 8

Timothy Imanuel — Thu, 21 May 2026 15:45:31 +0000

Social Engineering (Session 8 Notes)

The Psychology of the Attack

Social engineering focuses heavily on human psychology, mapping human senses into sight, hearing, taste, touch, smell, balance and acceleration, temperature, kinesthetic, pain, and direction. The primary goal of these methods is to obtain confidential information through human communication. This approach relies fundamentally on establishing a relationship of "trust" with the victim.

Two common tactics are applied to accomplish this task and guide conversations:
Interview: A structured approach used to gather initial data from a subject.
Interrogation: A more intensive, direct method applied to extract specific information from the target.

The Social Engineering Lifecycle

An effective social engineering engagement follows a clearly defined, iterative four-stage attack process:
[ Intelligence gathering ] --> [ Identifying vulnerable points ] --> [ Planning the Attack ] --> [ Execution ]

Intelligence gathering: Collecting open-source background data regarding the target organization or individual.
Identifying vulnerable points: Analyzing the gathered intelligence to isolate human, technical, or procedural weaknesses.
Planning the Attack: Designing a highly believable scenario or pretext tailored specifically to exploit those weaknesses.
Execution: Launching the designed operation to capture credentials, sensitive data, or gain initial system access.

🎭 Core Attack Methods (Psychological Triggers)

Attackers manipulate natural human biases and social constraints to bypass logical defenses using specific methods:

Impersonation: Pretending to be an authorized entity, employee, or trusted identity to deceive the victim.
Reciprocation: The art of exchanging favors in terms of getting mutual advantage, creating a psychological obligation for the victim to comply.
Influential Authority: Leveraging a real or perceived position of high status or corporate power to command compliance.
Scarcity: Creating an artificial sense of urgency or limited availability to force a rushed, unverified decision.
Social Relationship: Exploiting natural human tendencies to cooperate with people within a shared social network or established rapport.

🛠️ The Technical Toolkit

To automate and scale these psychological vectors, penetration testers use dedicated open-source utilities to profile targets and deploy credential capture systems.

1. Common User Passwords Profiler (CUPP)

The Common User Passwords Profiler (CUPP) is a profiling tool used to find valid passwords based on the target's personal, psychological, and social characteristics.

By executing the interactive command ./cupp.py -i , the tester can insert information about the victim to automatically build a highly customized password dictionary:

Name and Surname: The target's legal name identifiers (e.g., Name: Karen, Surname: Smith).
Nickname: The target's common online handle or casual name (e.g., karsmith).
Birthdate: Formatted explicitly as DDMMYYYY (e.g., 03101976).
Wife's (husband's) details: The spouse's legal name, nickname, and birthdate information.
Child's details: The child's name (e.g., Rohan) and birthdate metrics.
Pet's name: The identifier of the target's pet (e.g., Katie).

Note: If you do not know all the info, you can simply hit enter when asked to skip fields dynamically.

2. Social-Engineer Toolkit (SET)

The Social-Engineer Toolkit (SET) is an exploitation framework managed via directories like /pentest/exploits/SET/ and launched via ./set. The platform offers multiple attack options from its primary menu, including:

Automatic E-Mail Attacks: Automated options for crafting phishing email campaigns.
Website Attack Vectors: Web-based attack channels such as Java Applet Attacks, Metasploit Browser Exploits, Tabnabbing, and Web Jacking.
Credential Harvester Attack Method: A specialized web vector that utilizes clone capabilities within SET to harvest credentials or parameters from a website as well as place them into a report.

Week 7

Timothy Imanuel — Mon, 13 Apr 2026 11:57:01 +0000

Ethical Hacking Week 7: Target Exploitation

This week, we’ve finally moved into the hands-on phase of the course: Target Exploitation. This is where we stop looking for doors and start attacking our target.

Metasploit

Our primary focus this week was the Metasploit Framework, the world’s most used penetration testing software. Metasploit is essentially a giant library of pre-made exploits, payloads, and auxiliary tools that simplify the complex process of attacking a target.

Exploiting EternalBlue

In our lab, we tackled one of the most famous vulnerabilities in recent history: EternalBlue. This is a flaw in the Windows SMB protocol that allows for unauthenticated Remote Code Execution.

Here is the standard workflow we used to compromise the target:

Search: Finding the right module for the job (e.g., search eternalblue).
Select: Loading the exploit module (e.g., use exploit/windows/smb/ms17_010_eternalblue).
Configure: Setting our parameters, like RHOSTS (the target’s IP) and the PAYLOAD.
Exploit: Running the command and waiting for the magic to happen.

The Meterpreter Shell

Once the exploit was successful, we dropped into a Meterpreter shell. Meterpreter is an advanced, extensible payload that runs in memory to avoid detection.

Common commands we used to control the target:

sysinfo: Displays the target's OS and architecture.
getuid: Shows which user we are running as (usually SYSTEM after EternalBlue!).
shell: Drops us into a standard Windows Command Prompt for deeper control.

The Rules of Engagement

Even in a lab environment, ethical hacking has strict rules. For our final projects, we have clear boundaries:

No DoS/DDoS: We are here to learn, not to crash the server.
Integrity: Never change passwords after gaining access.
Persistence: Leave a simple text file or post on the target to prove you were there.

Target exploitation is intense and requires precision. Seeing a session open for the first time is an incredible feeling, but it’s a reminder of why security configuration is so important.

Week 6

Timothy Imanuel — Mon, 13 Apr 2026 11:49:41 +0000

Ethical Hacking Week 6: Vulnerability Mapping

This week in Ethical Hacking and Penetration Testing, we go into the critical phase of Vulnerability Mapping. Once we know our target exists and what services it’s running, we need to find the vulnerabilities that they have.

What is Vulnerability Mapping?

Vulnerability mapping is the process of identifying, classifying, and prioritizing weaknesses in a system. Not all bugs are created equal, and understanding their origin helps us decide how to exploit or fix them.

The Three Main Types of Vulnerabilities

We categorize vulnerabilities based on where they come from:

Design Vulnerabilities: Flaws in the actual specifications of the software or protocol. These are "broken by design."
Implementation Vulnerabilities: Mistakes made while writing the code, such as poor error handling or logical flaws.
Operational Vulnerabilities: Weaknesses caused by improper configuration or poor deployment choices in live environment.

Local vs. Remote Attacks

Local Vulnerabilities: The attacker needs physical access or a local account to trigger the flaw. These are often used for Privilege Escalation (moving from a standard user to an Admin/Root access).
Remote Vulnerabilities: The attacker can trigger and exploit the flaw over the network without needing any prior access. These are the "holy grail" for external attackers.

Web Application Auditing

A large part of our lab focused on the unique vulnerabilities found in websites. We looked at how to audit applications for:

SQL Injection (SQLi): Attacking the database by inserting malicious SQL commands into input fields.
Cross-Site Scripting (XSS): Injecting malicious scripts into web pages viewed by other users.
Cookie Security: Checking for missing security flags like HttpOnly (prevents JS access) and Secure (prevents transmission over unencrypted connections).

The Pentester's Toolkit

To find these flaws efficiently, we use a variety of specialized auditing tools:

Burp Suite: The industry standard for intercepting and modifying web traffic.
Nikto / Nikto2: A powerful web server scanner that looks for dangerous files and outdated software.
SQLmap: An automated tool that detects and exploits SQL injection flaws.
W3af: A web application attack and audit framework.

Vulnerability mapping turns a list of open ports into a prioritized list of targets. By understanding the taxonomy of these flaws, we can move from simple scanning to high-impact exploitation.

Week 4

Timothy Imanuel — Wed, 11 Mar 2026 15:23:29 +0000

Ethical Hacking Week 4: Target Discovery & OS Fingerprinting 🎯🔍

In Week 4 of Ethical Hacking and Penetration Testing, we officially started mapping out our targets. Before you can exploit a system, you have to find it and figure out exactly what it’s running. This phase is all about Target Discovery and OS Fingerprinting.

Finding the Target (Discovery)

We looked at the command-line tools used to identify live machines on a network. The classic ping sweep is great, but we also explored arping, fping, hping, and nbtscan for mapping out local networks. For modern setups, we even touched on IPv6 discovery tools like alive6.

OS Fingerprinting (Who are we talking to?)

Once we know a machine is alive, we need to know what operating system it’s running so we can look up vulnerabilities. There are two ways to do this:

Active Fingerprinting: We send carefully crafted packets to the target and analyze the unique ways its TCP/IP stack responds. Tools like Nmap do this perfectly. It’s fast, but very noisy (firewalls will log you).
Passive Fingerprinting: We quietly sniff the network traffic without sending anything. Tools like p0f let us figure out the OS just by observing how the target naturally communicates. It's slower, but totally stealthy.

TCP vs. UDP (The Delivery Methods)

To understand port scanning, you have to understand how data moves across the network.

TCP (Transmission Control Protocol): Connection-oriented and highly reliable. It uses a strict 3-way handshake (SYN ➔ SYN-ACK ➔ ACK) before sending data, and will automatically retransmit lost packets and reorder them at the destination.
UDP (User Datagram Protocol): Connectionless and fast. It just fires datagrams at the target without checking if they arrive. It's up to the application (like DNS or SNMP) to handle lost data.

We also learned the layout of the port neighborhood:

0 - 1,023: Well-Known Ports
1,024 - 49,151: Registered Ports
49,152 - 65,535: Dynamic/Private Ports

Reading Port Scans like a Pro

When we use a network scanner like Nmap, Unicornscan, or Amap, the target's response tells us exactly what state the port is in.

Decoding a TCP Scan:

Gets a SYN+ACK? The port is open and listening.
Gets an RST+ACK? The target explicitly rejected you (Port Closed).
Gets an ICMP Unreachable or absolutely nothing? The port is Filtered by a firewall.

Decoding a UDP Scan:

Gets a UDP response? The port is open.
Gets an ICMP Port Unreachable? The port is closed.
Gets nothing? The firewall might be dropping it, or the inbound packet was blocked.

Wrapping Up

We are officially mapping networks! Understanding how TCP and UDP respond to our probes is the difference between guessing and knowing. Stay tuned for the next phase. Keep hacking!

cybersecurity #infosec #ethicalhacking #nmap #networking

Week 5

Timothy Imanuel — Tue, 10 Mar 2026 14:33:07 +0000

Ethical Hacking Week 5: The Art of Target Enumeration 🕵️‍♂️🔍

This week in Ethical Hacking and Penetration Testing, we moved into Enumeration—the intrusive phase where we actively communicate with targets to extract actionable intelligence like network shares, usernames, and passwords.

The Core of Windows Enumeration: NetBIOS

Because many attacks on older Windows systems still work today, enumerating Microsoft targets is a major focus. To do this, you must understand NetBIOS (Network Basic Input Output System).

NetBIOS Names: These are limited to 16 characters and must be unique on the network. The final character is a hex suffix that identifies the specific service running.
- <00>: Workstation service
- <20>: Server service (sharing enabled)
- <1C>: Domain Controller or IIS
Null Sessions: An infamous, unauthenticated connection to a Windows system that doesn't require a username or password. Surprisingly, it still exists on systems like Windows XP!

The Enumeration Toolkit 🧰

We covered a mix of command-line and GUI tools used to pull this data directly from targets:

Command-Line Essentials

nbtscan: Scans a range of IP addresses for NetBIOS information.
nbtstat: Displays the NetBIOS table of a remote machine.
net view: Checks for shared resources on a specific network host.
net use: Connects to those shared folders or files.

GUI & Advanced Tools

NetScan Tools Pro: Graphically maps NetBIOS services and verifies access to shared resources.
DumpSec: Connects to a server to "dump" detailed permissions, user tables, policies, and registry details.
Hyena: A management tool that visually maps shares, user logins, and terminal services.
Nessus Client: A heavy hitter that identifies OS versions, open shares, and even firewall vulnerabilities across large networks.

Beyond Windows

While NetBIOS is the star of the show for Windows, we also briefly explored service enumeration tools for other protocols, including Amap, Httprint, Httsquash, and Ike-scan.

Wrapping Up

Enumeration transitions us from passively "looking" at a target to actively "touching" it, giving us the exact keys we need for exploitation. Next week, we dive into Vulnerability Mapping!

Week 3

Timothy Imanuel — Sat, 28 Feb 2026 03:27:58 +0000

Week 03: Information Gathering and OSINT Tools

Disclaimer: The tools and techniques discussed in this blog are strictly for educational purposes.

This week in our Ethical Hacking and Penetration Testing class, we moved past the rules of engagement and into the actual **reconnaissance **phase. The focus was on utilizing search engines and Open Source Intelligence (OSINT) tools within Kali Linux to gather information about a target.

We covered three main tools that automate the process of scraping and connecting public data.

1. TheHarvester

The first tool is TheHarvester. Its primary function is to hunt down email accounts, usernames, and hostnames/subdomains associated with a specific target domain.

Instead of manually searching, TheHarvester automates queries across multiple search engines and databases. It supports scraping from sources like:

Google and Bing
LinkedIn and Google Profiles
PGP servers and Shodan

2. Metagoofil

While TheHarvester looks for accounts and domains, Metagoofil is designed specifically to extract metadata from public documents.

It works through an automated pipeline:

It uses Google to search the target domain for specific file types (like PDFs or Word docs).
It downloads all the discovered documents to your local disk.
It extracts the hidden metadata and generates an HTML report.

This is highly effective because metadata often leaks sensitive internal information, such as employee usernames, the software versions used to create the files, and internal server or machine names.

3. Maltego

The most visually complex tool we looked at is Maltego. It is an open-source intelligence and forensics application that maps out how different pieces of data are connected.

Instead of just giving you a list of data, Maltego builds a relationship graph. We use different "Palettes" depending on what we are investigating:

Infrastructure Reconnaissance: You can map out the technical footprint of a target by finding the relationships between domains, DNS names, IPv4 addresses, and net blocks.
Personal Reconnaissance: You can find relationships between people, linking them to their email addresses, phone numbers, mutual friends, companies, and social media affiliations like Twitter and Facebook.

Information gathering is about building a comprehensive profile of the target's attack surface before launching any exploits. We will likely use the data collected from these tools in the later stages of our semester project.

Week 2

Timothy Imanuel — Sat, 28 Feb 2026 03:20:04 +0000

Week 02: Testing Methodologies and the Rules of Engagement

Disclaimer: The tools and techniques discussed in this blog are strictly for educational purposes.

This week in the Ethical Hacking and Penetration Testing class, we focused heavily on the theory and legalities of penetration testing. Before we start actively breaking into systems, we need to understand the structural boundaries and the legalities involved

The Types of Hackers

The industry separates security personnel and attackers into a few distinct buckets:
Ethical Hackers: break into systems with permission to find the weak links and report them so the organization can patch them.
Hackers & Crackers: These are individuals accessing systems without authorization, often to steal or destroy data, which is a fast track to prison.
Script Kiddies: Young, inexperienced amateurs who just copy and paste scripts and techniques without actually understanding the underlying cod.

Penetration Testing Models

When executing a real-world test, your approach depends entirely on how much information the client gives you upfront.
White Box: You are given the full network topology and have authorization to interview the IT staff.
Black Box: You get zero details, and the internal company staff doesn't even know the test is happening. [cite_start]You have to find and map everything yourself.
Gray Box: A hybrid approach where the client provides you with partial information to start the engagement.

Red Team vs. Blue Team

Security operations are usually split into two opposing sides.
Red Team: Acts as the attackers, performing tests without the knowledge of the IT staff, usually to reveal system defense capabilities.
Blue Team: The internal team that defends the system. [cite_start]They are the opposing side of the red team.

The Legal Reality (UU ITE)

This is the most critical takeaway. [cite_start]Accessing a computer without explicit permission is illegal. [cite_start]Here in Indonesia, we operate under the UU ITE (Information and Electronic Transactions Law).

Under Pasal 31 (Indoneisan Law), intercepting or wiretapping electronic information or documents in a system you do not own is a crime.
Even seemingly harmless reconnaissance might be viewed as a violation depending on your ISP's Acceptable Use Policy.

The golden rule of penetration testing: Using a contract is just good business, and you should have an attorney read over your contract before signing it.

Week 1

Timothy Imanuel — Sun, 22 Feb 2026 12:14:55 +0000

Week 01: Course Setup and Kali Linux Installation

Disclaimer: The tools and techniques discussed in this blog are strictly for educational purposes. Do not use this information for illegal activities.

This week marks the start of the Ethical Hacking and Penetration Testing course at campus. The goal of this class isn't just to teach us how to run automated scripts (eg: becoming a script kiddie), but to actually understand how to find vulnerabilities, escalate privileges, and cover our tracks.

Before getting into the technical stuff, we went over the ground rules for the semester.

Class Rules & Expectations

The administration made a few things very clear on day one:

Collaboration vs. Cheating: Working together is encouraged, but outright copying is a hard no.
Attendance: Arriving more than 30 minutes late means you are locked out of the class and marked absent.

The Main Project

The core of this course is a hands-on penetration testing project that runs throughout the semester.

The Targets: We will be testing web apps, client/server applications, and a specific cloud environment prepared for the class.
Hard Rule: DDoS attacks against the targets are strictly forbidden.
Reporting: Everything we do has to be documented. This blog serves as my ongoing journal for the project. At the end of the course, we have to submit a final Penetration Testing Report and present our findings.

Lab Setup: Kali Linux

You cannot do penetration testing safely on your main host OS. You need an isolated virtual machine.

For our lab environment, we are using VirtualBox (or VMware) to run Kali Linux.

Minimum VM Requirements:

RAM: 4 GB
Storage: 40 GB (Running this on an SSD is highly recommended so it doesn't lag).
CPU: 2 vCPUs

Once the VM is set up and running, the baseline environment is ready.

DEV Community: Timothy Imanuel

Week 9

Target Exploitation & Privilege Escalation (Session 10 Summary)

🔬 1. Vulnerability Research Foundations

🗂️ 2. Public Exploit Directories

🛠️ 3. Metasploit Console Basics (msfconsole)

🚀 4. Privilege Escalation Mechanics

🔐 5. Password Auditing Strategy & Tools

Online Guessing Attacks

Offline Cracking Attacks

🔄 6. Man-in-the-Middle (MitM) & ARP Spoofing

Week 8

Social Engineering (Session 8 Notes)

The Psychology of the Attack

The Social Engineering Lifecycle

🎭 Core Attack Methods (Psychological Triggers)

🛠️ The Technical Toolkit

1. Common User Passwords Profiler (CUPP)

2. Social-Engineer Toolkit (SET)

Week 7

Ethical Hacking Week 7: Target Exploitation

Metasploit

Exploiting EternalBlue

The Meterpreter Shell

The Rules of Engagement

Week 6

Ethical Hacking Week 6: Vulnerability Mapping

What is Vulnerability Mapping?

The Three Main Types of Vulnerabilities

Local vs. Remote Attacks

Web Application Auditing

The Pentester's Toolkit

Week 4

Ethical Hacking Week 4: Target Discovery & OS Fingerprinting 🎯🔍

Finding the Target (Discovery)

OS Fingerprinting (Who are we talking to?)

TCP vs. UDP (The Delivery Methods)

Reading Port Scans like a Pro

Wrapping Up

cybersecurity #infosec #ethicalhacking #nmap #networking

Week 5

Ethical Hacking Week 5: The Art of Target Enumeration 🕵️‍♂️🔍

The Core of Windows Enumeration: NetBIOS

The Enumeration Toolkit 🧰

Command-Line Essentials

GUI & Advanced Tools

Beyond Windows

Wrapping Up

Week 3

Week 03: Information Gathering and OSINT Tools

1. TheHarvester

2. Metagoofil

3. Maltego

Week 2

Week 02: Testing Methodologies and the Rules of Engagement

The Types of Hackers

Penetration Testing Models

Red Team vs. Blue Team

The Legal Reality (UU ITE)

Week 1

Week 01: Course Setup and Kali Linux Installation

Class Rules & Expectations

The Main Project

Lab Setup: Kali Linux

🛠️ 3. Metasploit Console Basics (`msfconsole`)