Category Archives: WhatILearned

Learning OSCP

Gonna be fun. I think the first step is to do everything in the PWK Syllabus. Then take the course.  https://www.offensive-security.com/documentation/penetration-testing-with-kali.pdf

1. – Getting Comfortable with Kali Linux
1.1 – Finding Your Way Around Kali
1.1.1 – Booting Up Kali Linux
1.1.2 – The Kali Menu
1.1.3 – Find, Locate, and Which
1.2 – Managing Kali Linux Services
1.2.1 – Default root Password
It’s toor…change it!
1.2.2 – SSH Service
1.2.3 – HTTP Service
1.3 – The Bash Environment
1.4 – Intro to Bash Scripting

2. – The Essential Tools
2.1 – Netcat
2.1.1 – Connecting to a TCP/UDP Port
2.1.2 – Listening on a TCP/UDP Port
2.1.3 – Transferring Files with Netcat
2.1.4 – Remote Administration with Netcat
2.2 – Ncat
2.3 – Wireshark
2.3.1 – Wireshark Basics
2.3.2 – Making Sense of Network Dumps
2.3.3 – Capture and Display Filters
2.3.4 – Following TCP Streams
2.4 – Tcpdump
2.4.1 – Filtering Traffic
2.4.2 – Advanced Header Filtering

3. – Passive Information Gathering
3.1 – Open Web Information Gathering
3.1.1 – Google
3.1.2 – Google Hacking
3.2 – Email Harvesting
3.3 – Additional Resources
3.3.1 – Netcraft
3.3.2 – Whois Enumeration
3.4 – Recon-ng

4. – Active Information Gathering
4.1 – DNS Enumeration
4.1.1 – Interacting with a DNS Server
4.1.2 – Automating Lookups
4.1.3 – Forward Lookup Brute Force
4.1.4 – Reverse Lookup Brute Force
4.1.5 – DNS Zone Transfers
4.1.6 – Relevant Tools in Kali Linux
4.2 – Port Scanning
4.2.1 – TCP CONNECT / SYN Scanning
4.2.2 – UDP Scanning
4.2.3 – Common Port Scanning Pitfalls
4.2.4 – Port Scanning with Nmap
4.2.5 – OS Fingerprinting
4.2.6 – Banner Grabbing/Service Enumeration
4.2.7 – Nmap Scripting Engine (NSE)
4.3 – SMB Enumeration
4.3.1 – Scanning for the NetBIOS Service
4.3.2 – Null Session Enumeration
4.3.3 – Nmap SMB NSE Scripts
4.4 – SMTP Enumeration
4.5 – SNMP Enumeration
4.5.1 – MIB Tree
4.5.2 – Scanning for SNMP
4.5.3 – Windows SNMP Enumeration Example

5. – Vulnerability Scanning
5.1 – Vulnerability Scanning with Nmap
5.2 – The OpenVAS Vulnerability Scanner
5.2.1 – OpenVAS Initial Setup

6. – Buffer Overflows
6.1 – Fuzzing
6.1.1 – Vulnerability History
6.1.2 – A Word About DEP and ASLR
6.1.3 – Interacting with the POP3 Protocol

7. – Win32 Buffer Overflow Exploitation
7.1 – Replicating the Crash
7.2 – Controlling EIP
7.2.1 – Binary Tree Analysis
7.2.2 – Sending a Unique String
7.3 – Locating Space for Your Shellcode
7.4 – Checking for Bad Characters
7.5 – Redirecting the Execution Flow
7.5.1 – Finding a Return Address
7.6 – Generating Shellcode with Metasploit
7.7 – Getting a Shell
7.8 – Improving the Exploit

8. – Linux Buffer Overflow Exploitation
8.1 – Setting Up the Environment
8.2 – Crashing Crossfire
8.3 – Controlling EIP
8.4 – Finding Space for Our Shellcode
8.5 – Improving Exploit Reliability
8.6 – Discovering Bad Characters
8.7 – Finding a Return Address
8.8 – Getting a Shell

9. – Working with Exploits
9.1 – Searching for Exploits
9.1.1 – Finding Exploits in Kali Linux
9.1.2 – Finding Exploits on the Web
9.2 – Customizing and Fixing Exploits
9.2.1 – Setting Up a Development Environment
9.2.2 – Dealing with Various Exploit Code Languages

10. – File Transfers
10.1 – A Word About Anti Virus Software
10.2 – File Transfer Methods
10.2.1 – The Non-Interactive Shell
10.2.2 – Uploading Files

11. – Privilege Escalation
11.1 – Privilege Escalation Exploits
11.1.1 – Local Privilege Escalation Exploit in Linux Example
11.1.2 – Local Privilege Escalation Exploit in Windows Example
11.2 – Configuration Issues
11.2.1 – Incorrect File and Service Permissions
11.2.2 – Think Like a Network Administrator

12. – Client Side Attacks
12.1 – Know Your Target
12.1.1 – Passive Client Information Gathering
12.1.2 – Active Client Information Gathering
12.1.3 – Social Engineering and Client Side Attacks
12.2 – MS12-037 – Internet Explorer 8 Fixed Col Span ID
12.2.1 – Setting up the Client Side Exploit
12.2.2 – Swapping Out the Shellcode
12.3 – Java Signed Applet Attack

13. – Web Application Attacks
13.1 – Essential Iceweasel Add-ons
13.2 – Cross Site Scripting (XSS)
13.2.1 – Browser Redirection and IFRAME Injection
13.2.2 – Stealing Cookies and Session Information
13.3 – File Inclusion Vulnerabilities
13.3.1 – Local File Inclusion
13.3.2 – Remote File Inclusion
13.4 – MySQL SQL Injection
13.4.1 – Authentication Bypass
13.4.2 – Enumerating the Database
13.4.3 – Column Number Enumeration
13.4.4 – Understanding the Layout of the Output
13.4.5 – Extracting Data from the Database
13.4.6 – Leveraging SQL Injection for Code Execution
13.5 – Web Application Proxies
13.6 – Automated SQL Injection Tools

14. – Password Attacks
14.1 – Preparing for Brute Force
14.1.1 – Dictionary Files
14.1.2 – Key-space Brute Force
14.1.3 – Pwdump and Fgdump
14.1.4 – Windows Credential Editor (WCE)
14.1.6 – Password Profiling
14.1.7 – Password Mutating
14.2 – Online Password Attacks
14.2.1 – Hydra, Medusa, and Ncrack
14.2.2 – Choosing the Right Protocol: Speed vs. Reward
14.3 – Password Hash Attacks
14.3.1 – Password Hashes
14.3.2 – Password Cracking
14.3.3 – John the Ripper
14.3.4 – Rainbow Tables
14.3.5 – Passing the Hash in Windows

15. – Port Redirection and Tunneling
15.1 – Port Forwarding/Redirection
15.2 – SSH Tunneling
15.2.1 – Local Port Forwarding
15.2.2 – Remote Port Forwarding
15.2.3 – Dynamic Port Forwarding
15.3 – Proxychains
15.4 – HTTP Tunneling
15.5 – Traffic Encapsulation

16. – The Metasploit Framework
16.1 – Metasploit User Interfaces
16.2 – Setting up Metasploit Framework on Kali
16.3 – Exploring the Metasploit Framework
16.4 – Auxiliary Modules
16.4.1 – Getting Familiar with MSF Syntax
16.4.2 – Metasploit Database Access
16.5 – Exploit Modules
16.6 – Metasploit Payloads
16.6.1 – Staged vs. Non-Staged Payloads
16.6.2 – Meterpreter Payloads
16.6.3 – Experimenting with Meterpreter
16.6.4 – Executable Payloads
16.6.5 – Reverse HTTPS Meterpreter
16.6.6 – Metasploit Exploit Multi Handler
16.6.7 – Revisiting Client Side Attacks
16.7 – Building Your Own MSF Module
16.8 – Post Exploitation with Metasploit
16.8.1 – Meterpreter Post Exploitation Features
16.8.2 – Post Exploitation Modules

17. – Bypassing Antivirus Software
17.1 – Encoding Payloads with Metasploit
17.2 – Crypting Known Malware with Software Protectors
17.3 – Using Custom/Uncommon Tools and Payloads


Who’s Down with GPP? Yeah You Know Me!

I figured it might be good to post about things that I learn on the job. This week, I was able to get a password out of Group Policy Preferences (GPP) with Metasploit.

Here’s a great writeup by Sean Metcalf on it.

First I tried capturing and relaying hashes with Responder and NTLMRelayx, but the targets did not give local administrator access to the accounts I was relaying. (Boo!) I was able to crack some of the hashes, but that didn’t help right away. So I had to look for something else. Since I did have some working credentials, I could then fire up Metasploit and see what happens against GPP. Using the auxiliary/scanner/smb/smb_enum_gpp module, I set the RHOST for a domain controller, gave it the username and password that I had previously captured and fired away. It started listing out the policies, like Groups.xml and a nice little table popped up like:

Name               Value
----               -----
TYPE               Groups.xml
USERNAME           Administrator (built-in)
PASSWORD           xxxxxxxxxx
DOMAIN CONTROLLER  192.168.19.14
DOMAIN             example.com
CHANGED            2017-01-08 16:49:50
NEVER_EXPIRES?     1
DISABLED           0

Hooray!! So what do we do with that account? Spray it! That’s a local administrator account, so maybe it’ll have access elsewhere! How do we spray it? With CrackMapExec by byt3bl33d3r! Point that at all the hosts with SMB open and see what happens.

Run: cme smb IP -u Administrator -p SuperSecretPassword --local-auth

Hey, it worked! I know it worked because of that awesome “Pwn3d!” that CME shows. Next up, Mimikatz and see what’s in memory. So same command as above, but add the -M Mimikatz to it and see what comes up. Sure enough, there’s another set of credentials in clear text! Try that against the domain controller…NOW! Using CME again, with the new creds, against a DC and you know what? Pwn3d again! We are in! But as we know, DA is only the beginning and it’s time to find the data. So that’s what I learned this week, check the GPP for passwords!
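As an added defender-side example (not code from the original post, the Metasploit module or CrackMapExec), the script below audits a local copy of SYSVOL for Group Policy Preferences XML files that still carry a cpassword attribute and reports the same fields the smb_enum_gpp table shows, without decrypting anything. The sample Groups.xml is constructed, its cpassword value is a placeholder, and the SYSVOL path passed to scan_sysvol is an assumption.

```python
import xml.etree.ElementTree as ET
from pathlib import Path
# Constructed sample Groups.xml in the shape of a Group Policy Preferences item.
# The cpassword value is a placeholder, not a real encrypted blob.
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="Administrator (built-in)"
        image="2" changed="2017-01-08 16:49:50" uid="{00000000-0000-0000-0000-000000000001}">
    <Properties action="U" newName="" fullName="" description=""
                cpassword="PLACEHOLDER_CPASSWORD_BLOB" changeLogon="0" noChange="1"
                neverExpires="1" acctDisabled="0" userName="Administrator (built-in)"/>
  </User>
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="svc_backup"
        image="2" changed="2018-03-02 09:12:00" uid="{00000000-0000-0000-0000-000000000002}">
    <Properties action="U" newName="" fullName="" description="" changeLogon="0"
                noChange="1" neverExpires="0" acctDisabled="0" userName="svc_backup"/>
  </User>
</Groups>
"""

def find_cpassword_entries(xml_text, source="Groups.xml"):
    """Return one finding per preference item that stores a cpassword attribute,
    with the same fields the smb_enum_gpp table shows (minus the password itself)."""
    findings = []
    for item in ET.fromstring(xml_text):        # User, Service, Task, Drive, ...
        props = item.find("Properties")
        if props is None or "cpassword" not in props.attrib:
            continue                            # no stored credential in this item
        findings.append({
            "type": source,
            # Groups.xml uses userName; Services.xml/ScheduledTasks.xml use runAs
            "username": props.get("userName") or props.get("runAs") or item.get("name", ""),
            "changed": item.get("changed", ""),
            "never_expires": props.get("neverExpires") == "1",
            "disabled": props.get("acctDisabled") == "1",
        })
    return findings

def scan_sysvol(sysvol_root):
    """Walk a local copy of SYSVOL (the path is an assumption) and collect findings
    from every Preferences XML file; unreadable or malformed files are skipped."""
    findings = []
    for path in Path(sysvol_root).rglob("*.xml"):
        try:
            text = path.read_text(encoding="utf-8-sig")   # GPP files often carry a BOM
            findings.extend(find_cpassword_entries(text, path.name))
        except (OSError, ET.ParseError):
            continue
    return findings
```

Any item the audit reports is a policy still distributing an encrypted password in SYSVOL; the fix is to remove the credential from the preference and rotate the account, since every domain member can read that file.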
