Advertisement
joemccray

Pentester Night School homework and attack plan

Aug 17th, 2017
1,564
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 4.71 KB | None | 0 0
  1. ----------------------------------------------------
  2.  
  3. Here is the class webinar link:
  4. https://attendee.gotowebinar.com/rt/752149900055661826
  5.  
  6.  
  7. Here is the virtual machine for the class:
  8. https://s3.amazonaws.com/infosecaddictsvirtualmachines/InfoSecAddictsVM.zip
  9. user: infosecaddicts
  10. pass: infosecaddicts
  11.  
  12.  
  13. Here is the Pastebin from class:
  14. https://pastebin.com/qnmbj04m
  15.  
  16.  
  17. Here are the videos from the first 3 classes:
  18. https://s3.amazonaws.com/infosecaddictsvideos/2017-08-14+19.13+Network+Pentester+Night+School.mp4
  19. https://s3.amazonaws.com/infosecaddictsvideos/2017-08-15+19.07+Network+Pentester+Night+School.mp4
  20. https://s3.amazonaws.com/infosecaddictsvideos/2017-08-16+19.15+Network+Pentester+Night+School.mp4
  21.  
  22. Day 1 Homework task:
  23. Pastebin lines 61 - 210
  24.  
  25. Day 2 Homework task:
  26. Pastebin lines 219 - 402
  27.  
  28. Day 3 Homework task:
  29. Pastebin lines 762 - 1460
  30.  
  31.  
  32. Homework due date:
  33. Midnight 27th Aug 2017
  34.  
  35. ----------------------------------------------------
  36.  
  37.  
  38. Point me at a network at say go (with no network vulnerability scanners).
  39.  
  40. 1. Look for quick hits. Use propecia to service sweep for ports that I know I know I have exploits for.
  41. propecia 192.168.0 1433 <-- I know I have a ton of stuff for MS SQL Server
  42.  
  43.  
  44. 2. Break down really large networks by ports into simple services to scan for (again with propecia)
  45. propecia 172.31.6 445 >> /tmp/customerAudit/internal/scan/services/windows_hosts
  46. propecia 172.31.6 21 >> /tmp/customerAudit/internal/scan/services/ftp_hosts
  47. propecia 172.31.6 111 >> /tmp/customerAudit/internal/scan/services/sunrpc_hosts
  48. propecia 172.31.6 23 >> /tmp/customerAudit/internal/scan/services/telnet_hosts
  49. propecia 172.31.6 9100 >> /tmp/customerAudit/internal/scan/services/printserver_hosts
  50. propecia 172.31.6 1433 >> /tmp/customerAudit/internal/scan/services/mssql_hosts
  51. propecia 172.31.6 1521 >> /tmp/customerAudit/internal/scan/services/oracle_hosts
  52. propecia 172.31.6 3306 >> /tmp/customerAudit/internal/scan/services/mysql_hosts
  53.  
  54. 3. Then run my nmap scans/nse scripts with all of the options against those IPs
  55. for x in `cat /tmp/customerAudit/internal/scan/services/windows_hosts` ; do nmap -Pn -n --open -p445 --script=msrpc-enum,smb-enum-domains,smb-enum-groups,smb-enum-processes,smb-enum-sessions,smb-enum-shares,smb-enum-users,smb-mbenum,smb-os-discovery,smb-security-mode,smb-server-stats,smb-system-info,smbv2-enabled,stuxnet-detect $x > /tmp/customerAudit/internal/scan/windows/$x ; done
  56.  
  57. Look in Lee Baird's discover script for all of this nmap nse magic.
  58. https://github.com/leebaird/discover/blob/master/discover.sh
  59. Start on line 1930
  60.  
  61.  
  62. 4. Turn nmap into Nessus (New way to do it):
  63. cd ~/toolz
  64. git clone https://github.com/scipag/vulscan.git
  65. cd vulscan/
  66. sudo nmap -sV -p 135,445 --script=/home/infosecaddicts/toolz/vulscan/vulscan.nse -iL ip_list.txt
  67.  
  68.  
  69. 5. ACTUALLY run Nessus (wide open full scan - while you are doing this stuff).
  70. The reason for this is this will generate the report info that you need to give to the customer.
  71. While the Nessus scan is running you'll be doing the following steps so you don't have to wait for Nessus to finish.
  72.  
  73.  
  74. In Nessus you can sort by "Exploit Publicly Available", Exploit-DB, Metasploit
  75. - Look for Exploit-DB ID, Metasploit ID in your reports. You'll notice this gets rid of half or more of your findings.
  76.  
  77.  
  78.  
  79.  
  80. Point me at a website at say go (with no web app vulnerability scanners).
  81.  
  82. 1. Look for quick hits. I use Google dorks for SQL injection and LFIs
  83. Google for generic Database errors
  84.  
  85. site:example.com "Microsoft OLE DB Provider for SQL Server"
  86. site:example.com "Microsoft JET Database Engine"
  87. site:example.com "Type mismatch"
  88. site:example.com "You have an error in your SQL syntax"
  89. site:example.com "Invalid SQL statement or JDBC"
  90. site:example.com "DorisDuke error"
  91. site:example.com "OleDbException"
  92. site:example.com "JasperException"
  93. site:example.com "Fatal Error"
  94. site:example.com "supplied argument is not a valid MySQL"
  95. site:example.com "mysql_"
  96. site:example.com ODBC
  97. site:example.com JDBC
  98. site:example.com ORA-00921
  99. site:example.com ADODB
  100.  
  101.  
  102.  
  103.  
  104.  
  105.  
  106. Google for generic RFIs
  107.  
  108. site:example.com ".php" "file="
  109. site:example.com ".php" "folder="
  110. site:example.com ".php" "path="
  111. site:example.com ".php" "style="
  112. site:example.com ".php" "template="
  113. site:example.com ".php" "PHP_PATH="
  114. site:example.com ".php" "doc="
  115. site:example.com ".php" "document="
  116. site:example.com ".php" "document_root="
  117. site:example.com ".php" "pg="
  118. site:example.com ".php" "pdf="
  119. site:example.com ".php: "page="
  120. site:example.com ".php: "inc="
  121. site:example.com ".php: "dir="
  122. site:example.com ".php: "frame="
  123. site:example.com ".php: "swf="
  124. site:example.com ".php: "host="
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement