Monday 28 August 2023

Create a custom URL category on Palo Alto (can be used for wildcard URLs)

If you have an FQDN then you can just add an FQDN object in the rule.

If you want to add a wildcard or multiple URLs in a group then you can create a custom URL category.


Objects -> Custom Objects -> URL Category -> Add

Add your URLs

*.mail.protection.outlook.com/

smtp.office365.com/


Always end each entry with a / ending token.

Blurb from the Palo Alto docs:

For domain entries, we recommend you use an ending token. Acceptable tokens are: . / ? & = ; +. If you choose not to use an ending token, you may block or allow more URLs than anticipated. For example, if you want to allow xyz.com and enter the domain as 'xyz.com,' you will allow xyz.com and URLs such as xyz.com.random.com. However, if you enter the domain as 'xyz.com/,' you will only allow xyz.com.

More info here:

https://docs.paloaltonetworks.com/advanced-url-filtering/administration/configuring-url-filtering/url-category-exceptions
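Added example (not Palo Alto code and not from the original post): a small lint for category entries that flags missing ending tokens and models the over-match described in the blurb above. The matcher is a simplified model of the documented behaviour, not the PAN-OS implementation; treating a leading `*.` as "one or more leading labels" is an assumption.

```python
# Added example: lint custom URL category entries for the ending-token rule
# and show the over-match the Palo Alto docs warn about.
# Assumption: the matcher is a simplified model of the documented behaviour,
# not PAN-OS code; '*.' is modelled as "one or more leading labels".
ENDING_TOKENS = (".", "/", "?", "&", "=", ";", "+")


def has_ending_token(entry: str) -> bool:
    """True if the entry ends with one of the tokens Palo Alto accepts."""
    return entry.endswith(ENDING_TOKENS)


def entries_missing_token(entries):
    """Return the entries that would match more URLs than intended."""
    return [e for e in entries if not has_ending_token(e)]


def matches(entry: str, url: str) -> bool:
    """Model of how an entry matches a URL (scheme optional, host + path)."""
    url = url.split("://", 1)[-1].lower()
    host = url.split("/", 1)[0]
    entry = entry.lower()
    if not has_ending_token(entry):
        # No token: the documented over-match. The entry behaves as a plain
        # prefix, so 'xyz.com' also catches 'xyz.com.random.com'.
        return url.startswith(entry)
    if not entry.endswith("/"):
        raise ValueError("only the '/' ending token is modelled here")
    pattern = entry[:-1]
    if pattern.startswith("*."):
        # Wildcard: host must end with '.mail.protection.outlook.com' and
        # have at least one label in front of it (assumption, see lead-in).
        suffix = pattern[1:]
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern


# Constructed category: two entries from the notes plus the docs' bad example.
CATEGORY = ["*.mail.protection.outlook.com/", "smtp.office365.com/", "xyz.com"]

if __name__ == "__main__":
    for bad in entries_missing_token(CATEGORY):
        print(f"missing ending token: {bad!r}")
    for url in ("xyz.com/", "xyz.com.random.com/"):
        print(url, "| 'xyz.com' matches:", matches("xyz.com", url),
              "| 'xyz.com/' matches:", matches("xyz.com/", url))
```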



CLI

set profiles custom-url-category URL-CC-OSCP-CRL description "Custom URL category for OSCP"

set profiles custom-url-category URL-CC-OSCP-CRL type "URL List"

set profiles custom-url-category URL-CC-OSCP-CRL list [ crl.globalsign.net www.d-trust.net cdp1.public-trust.com crl.cnnic.cn crl.entrust.net crl.globalsign.com crl.globalsign.net crl.identrust.com crl.thawte.com crl3.digicert.com crl4.digicert.com s1.symcb.com www.d-trust.net isrg.trustid.ocsp.identrust.com ocsp.digicert.com ocsp.entrust.net ocsp.globalsign.com ocsp.omniroot.com ocsp.startssl.com ocsp.thawte.com ocsp2.globalsign.com ocspcnnicroot.cnnic.cn root-c3-ca2-2009.ocsp.d-trust.net root-c3-ca2-ev-2009.ocsp.d-trust.net s2.symcb.com aia.startssl.com apps.identrust.com cacert.omniroot.com ]

Monday 14 August 2023

CyberSec - eJPT

Information gathering

Collecting info about what we are targeting (company, website/URL/IP, app, servers, people etc)

The scope can be wide or narrow.


People info gathering 

Names and the email address format are what we usually want for a phishing attack.

We can also look at social media: LinkedIn, Facebook, Instagram etc.


Passive info gathering aka OSINT (open source intelligence)

We don't need permission because it's publicly available information.

Get as much as we can from open source intel without actively engaging the target.

Visit public websites

examples:

  • IP ranges and DNS info
  • Domain names and ownership info
  • Subdomains
  • Email and social media
  • Web tech being used on target sites (IIS, nginx etc)


Penetration testing method

Passive info gathering (OSINT, DNS/IP recon, social media, Google)

Active info gathering (network/app/port scanning, calling up asking for info)

Enumeration (service/user/share enumeration)

Vulnerability scanning

Exploitation (use existing, modify or develop exploit)

Post exploitation 

  • Local enumeration from the inside
  • Privilege escalation
  • Credential access 
  • Persistence 
  • Defense evasion
  • Lateral movement

Reporting (writing of report / recommendation on remediation) 


Active info gathering

We need permission

Scanning IP ranges

Scanning IPs for open ports (nmap/Nessus)

Ports can tell us about services and we can look for vulns

Discovering open ports

examples:

  • nmap scan to discover open ports
  • Nessus scan to discover vulnerabilities
  • Enumerating info from target systems

Website recon and footprinting
IP addresses
Directories hidden from search engines


Host command (in Kali)
host website.com
website.com has address 10.10.10.10
website.com has IPv6 address 2axx:4xx:1xx:4xxx::2
website.com mail is handled by 5 esa.website.com.
website.com mail is handled by 10 esa2.website.com.
website.com mail is handled by 15 esa3.website.com.

Often we might see a website fronted by a proxy like Cloudflare, so the address returned is the proxy's, not the origin server's.

Robots.txt
Robots.txt is read by search engines and we can tell them directories not to crawl.

Browse to www.website.com/robots.txt

User-agent: *
Allow: /wp-admin/admin-ajax.php
Disallow: /wp-admin/

Sitemap: https://www.website.ie/sitemap.xml
Sitemap: https://www.website.ie/sitemap.rss

We can see they disallow /wp-admin/; that wp-admin folder tells us it's a WordPress site.

Sitemap.xml
Sitemap is again for search engines to index the site.
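Added example (not from the original notes): a parser that reads a robots.txt the way the notes do by hand, pulling out the Allow/Disallow rules per user agent, the sitemap URLs and the technology hint the paths give away. The robots.txt text is constructed from the sample above; the TECH_HINTS table is a small hand-picked mapping and an assumption, not a standard.

```python
# Added example: parse robots.txt into per-agent rules, sitemaps and
# technology hints. SAMPLE_ROBOTS is constructed from the notes' sample.
SAMPLE_ROBOTS = """\
User-agent: *
Allow: /wp-admin/admin-ajax.php
Disallow: /wp-admin/

Sitemap: https://www.website.ie/sitemap.xml
Sitemap: https://www.website.ie/sitemap.rss
"""

# Well-known admin paths and the platform they usually point to.
# Assumption: a small hand-picked table, extend as needed.
TECH_HINTS = {
    "/wp-admin/": "WordPress",
    "/wp-content/": "WordPress",
    "/administrator/": "Joomla",
    "/typo3/": "TYPO3",
}


def parse_robots(text):
    """Return {'rules': {agent: {'allow': [...], 'disallow': [...]}}, 'sitemaps': [...]}."""
    rules, sitemaps = {}, []
    agents, new_group = [], True
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        key = key.lower()
        if key == "user-agent":
            if new_group:                             # first agent of a new group
                agents = []
                new_group = False
            agents.append(value)
            rules.setdefault(value, {"allow": [], "disallow": []})
        elif key == "sitemap":
            sitemaps.append(value)                    # sitemaps are not agent-specific
        elif key in ("allow", "disallow"):
            new_group = True                          # next User-agent starts a new group
            for agent in agents:
                rules[agent][key].append(value)
    return {"rules": rules, "sitemaps": sitemaps}


def tech_hints(parsed):
    """Platforms suggested by the paths in the Allow/Disallow rules."""
    found = set()
    for agent_rules in parsed["rules"].values():
        for path in agent_rules["allow"] + agent_rules["disallow"]:
            for prefix, platform in TECH_HINTS.items():
                if path.startswith(prefix):
                    found.add(platform)
    return found


if __name__ == "__main__":
    parsed = parse_robots(SAMPLE_ROBOTS)
    print(parsed)
    print("technology hints:", tech_hints(parsed))
```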

Firefox plugin BuiltWith
This plugin shows what's running on the site.
You will see widgets and plugins.

Whatweb (kali)
whatweb website.ie

Download the full website with HTTrack
HTTrack (Windows and Linux) lets you look at the source code offline.

Whois (Kali, also many websites) - looking up the registration details of a domain
Main info to gather from the whois output:
Registrar: which registrar the domain was registered with
Updated Date: when the domain was renewed
Created Date: when it was created
Registry Expiry Date: when the domain will expire
Name Server: can point to a proxy like Cloudflare
DNSSEC: we might see the owner of the domain unless DNSSEC is enabled

whois zonetransfer.me

https://who.is (useful website for running whois lookups)

whois x.x.x.x (where x.x.x.x is public IP)

Website footprinting with netcraft
netcraft.com is a web tool which gathers lots of the passive recon information for us in one location.

DNS recon
dnsrecon -d domain.com

dnsdumpster.com - free website which organises the same information nicely

We can see name servers, SRV, TXT and MX records and subdomains.

WAF detection with wafw00f (Kali)
A WAF is a web application firewall.
wafw00f is a WAF fingerprinting tool.
wafw00f https://zonetransfer.me

Subdomain enumeration with sublist3r (Kali)
Sublist3r checks the search engines to see if a subdomain was indexed at some stage.

sublist3r -d domain.com -e google,yahoo
sublist3r -d domain.com (this will search with all search engines)

Keep in mind the results won't be 100% complete, but they are very useful.
It makes lots of requests to the engines, so you may need a VPN to change your connection to get it to work.

Google dorks aka Google hacking
site:domain.com
site:domain.com inurl:admin (look for an admin panel)
site:domain.com inurl:forum (look for a forum)
site:*.domain.com (show all the subdomains)
Sometimes subdomains are publicly available that shouldn't be.

site:*.domain.com intitle:admin (look for an admin page)

site:*.domain.com filetype:pdf (look for PDF files)

site:*.domain.com employees
site:*.domain.com team

intitle:"index of"

Looking for older versions of the website for information like names, email addresses etc.
cache:domain.com
The Wayback Machine (web.archive.org)

Looking for leaked usernames and passwords
inurl:auth_user_file.txt
inurl:passwd.txt

Google hacking database (https://www.exploit-db.com/google-hacking-database)
look up google dorks for wordpress for example

Email harvesting with theHarvester (Kali)
Searches search engines and sites like LinkedIn and several other websites.

Spyse - paid site worth considering


Leaked password databases
When we find email addresses, check if their data has been leaked at some stage.
Quick way to check if an email you found is in a data breach:
https://haveibeenpwned.com/

DNS zone transfers
A DNS server is like a phone directory: a list of hostnames mapped to IP addresses.
Cloudflare: 1.1.1.1
Google: 8.8.8.8

DNS record types
A - Resolves hostname to IPv4 address
AAAA - Resolves hostname to IPv6 address
NS - The domain's name server
MX - Where the email server is
CNAME - Aliases
TXT - Text info, often used to authenticate ownership of a domain
HINFO - Host information
SOA - Start of authority (which server is authoritative for the zone)
SRV - Service records
PTR - Resolves IP to hostname

DNS Interrogation
Probe the DNS server for more info

DNS zone transfer
Admins may want to copy or transfer zone files from one DNS server to another. The process is known as a zone transfer.

If left misconfigured, we can attempt a zone transfer from the primary DNS server to another server.
A DNS zone transfer can provide pentesters with a holistic view of an organization's network layout.
Internal network addresses may be found on the org's DNS servers.

dnsrecon -d zonetransfer.ie

Active action:
dnsenum zonetransfer.ie

Zone transfer with dig
dig axfr @[name-server] [domain]
dig axfr @ns2cm1.digi.ninja zonetransfer.me

Brute force domains with fierce
fierce -dns zonetransfer.me

Host discovery with nmap
-sn
ping sweep

The idea is to gather IPs with a ping sweep, then run port scans on the IPs we see are up.

Netdiscover
nmap uses ping/ICMP and netdiscover uses ARP
sudo netdiscover -i eth0 -r 192.168.3.0/24

Port scanning with nmap
nmap -Pn x.x.x.x

nmap -Pn -p- x.x.x.x (scan all ports will take a long time)

nmap -Pn -p 80 x.x.x.x (scan port 80)

nmap -Pn -p1-10  x.x.x.x (scan a range)

nmap -Pn -F x.x.x.x (fast scan of commonly used ports)

nmap -Pn -sU x.x.x.x (use UDP)

Find IPs
Scan for open ports
Look for services
Look for service versions
Look for vulnerabilities 

service version detection
nmap -Pn -F -sV x.x.x.x (service version detection, takes longer)

-O OS detection
nmap -Pn -F -sV -O x.x.x.x -v

-sC (script scan to get more info)

We may need to speed up/slow down scans to avoid detection. We can use -T. Lower value is slower, higher value is faster (more chance to be detected by IPS etc).

-T 
0 paranoid
1 sneaky
2 polite
3 normal
4 aggressive
5 insane 

We can output nmap to files 
-oN scan.txt
-oX scan.xml (can be imported into Metasploit) 

Assessment Methods: footprinting + scanning

Mapping a network
define the scope
what is the most useful use of your time
physical access
VPN S2S, or dial in
or no help at all: you must gain physical or digital access yourself

Get on the network (physical or remote access)
sniffing 
Passive recon, watch the network, learn

ARP - resolves IP to MAC address, can arp the full subnet to learn about the network
ICMP (ping and traceroute) 
type 8 is echo request (ping) we can ping the subnet to see what responds.

Network Tools
Wireshark
ArpScan
ping
Fping
nmap and zenmap

arp-scan CLI
sudo arp-scan -I eth0 192.168.3.0/24

fping CLI
fping -I eth0 -g 192.168.3.0/24 -a 2> /dev/null

Good idea to arp and ping the subnet.

Nmap CLI
nmap -sn 192.168.3.0/24
nmap also sends a TCP SYN

Wireshark
Run a capture
Run all your scans
Check hosts

Zenmap is gui version of nmap


Nmap OS and service detection
We can find OS and service versions with NMAP, below is how it works

Standard TCP 3WHS (connect scan)
open port
SYN >
SYN+ACK <
ACK >
RST+ACK >

closed port
SYN >
RST+ACK <

Stealth scan (SYN scan)
SYN >
SYN+ACK <
RST >

In the stealth scan we tear down the 3WHS as soon as we get the SYN+ACK back: at that point we know the port is open and a server is responding.

Service detection
SYN >
SYN+ACK <
ACK >
BANNER <   (service info here eg openssh v1.0)
RST+ACK >

In service detection we read data provided by the server.

Nmap basic switches
nmap -h (help, lots of options here)

-sV Service detection
-sC Default scripts
-A aggressive mode (loud): does OS detection, version detection, script scan and traceroute
-O OS detection
--exclude (exclude certain hosts from scanning)

Scan targets from a file
nmap -iL ip-list.txt

Other scan tools
Masscan - fast scanner for big networks
RustScan - written in a low-level language (Rust) so it's fast
AutoRecon - keeps scanning / doing recon

Nmap Scan Techniques

SWITCH | EXAMPLE | DESCRIPTION
-sS | nmap 192.168.1.1 -sS | TCP SYN port scan (default)
-sT | nmap 192.168.1.1 -sT | TCP connect port scan (default without root privilege)
-sU | nmap 192.168.1.1 -sU | UDP port scan
-sA | nmap 192.168.1.1 -sA | TCP ACK port scan
-sW | nmap 192.168.1.1 -sW | TCP Window port scan
-sM | nmap 192.168.1.1 -sM | TCP Maimon port scan


Host Discovery

SWITCH | EXAMPLE | DESCRIPTION
-sL | nmap 192.168.1.1-3 -sL | No scan. List targets only
-sn | nmap 192.168.1.1/24 -sn | Disable port scanning. Host discovery only
-Pn | nmap 192.168.1.1-5 -Pn | Disable host discovery. Port scan only
-PS | nmap 192.168.1.1-5 -PS22-25,80 | TCP SYN discovery on port x. Port 80 by default
-PA | nmap 192.168.1.1-5 -PA22-25,80 | TCP ACK discovery on port x. Port 80 by default
-PU | nmap 192.168.1.1-5 -PU53 | UDP discovery on port x. Port 40125 by default
-PR | nmap 192.168.1.1-1/24 -PR | ARP discovery on local network
-n | nmap 192.168.1.1 -n | Never do DNS resolution


Port Specification

SWITCH | EXAMPLE | DESCRIPTION
-p | nmap 192.168.1.1 -p 21 | Port scan for port x
-p | nmap 192.168.1.1 -p 21-100 | Port range
-p | nmap 192.168.1.1 -p U:53,T:21-25,80 | Port scan multiple TCP and UDP ports
-p- | nmap 192.168.1.1 -p- | Port scan all ports
-p | nmap 192.168.1.1 -p http,https | Port scan from service name
-F | nmap 192.168.1.1 -F | Fast port scan (100 ports)
--top-ports | nmap 192.168.1.1 --top-ports 2000 | Port scan the top x ports
-p-65535 | nmap 192.168.1.1 -p-65535 | Leaving off the initial port in the range makes the scan start at port 1
-p0- | nmap 192.168.1.1 -p0- | Leaving off the end port in the range makes the scan go through to port 65535

Service and Version Detection

SWITCH | EXAMPLE | DESCRIPTION
-sV | nmap 192.168.1.1 -sV | Attempts to determine the version of the service running on a port
-sV --version-intensity | nmap 192.168.1.1 -sV --version-intensity 8 | Intensity level 0 to 9. Higher number increases possibility of correctness
-sV --version-light | nmap 192.168.1.1 -sV --version-light | Enable light mode. Lower possibility of correctness. Faster
-sV --version-all | nmap 192.168.1.1 -sV --version-all | Enable intensity level 9. Higher possibility of correctness. Slower
-A | nmap 192.168.1.1 -A | Enables OS detection, version detection, script scanning, and traceroute

OS Detection

SWITCH | EXAMPLE | DESCRIPTION
-O | nmap 192.168.1.1 -O | Remote OS detection using TCP/IP stack fingerprinting
-O --osscan-limit | nmap 192.168.1.1 -O --osscan-limit | If at least one open and one closed TCP port are not found it will not try OS detection against the host
-O --osscan-guess | nmap 192.168.1.1 -O --osscan-guess | Makes Nmap guess more aggressively
-O --max-os-tries | nmap 192.168.1.1 -O --max-os-tries 1 | Set the maximum number x of OS detection tries against a target
-A | nmap 192.168.1.1 -A | Enables OS detection, version detection, script scanning, and traceroute

Timing and Performance

SWITCH | EXAMPLE | DESCRIPTION
-T0 | nmap 192.168.1.1 -T0 | Paranoid (0): intrusion detection system evasion
-T1 | nmap 192.168.1.1 -T1 | Sneaky (1): intrusion detection system evasion
-T2 | nmap 192.168.1.1 -T2 | Polite (2): slows down the scan to use less bandwidth and fewer target machine resources
-T3 | nmap 192.168.1.1 -T3 | Normal (3): the default speed
-T4 | nmap 192.168.1.1 -T4 | Aggressive (4): speeds scans; assumes you are on a reasonably fast and reliable network
-T5 | nmap 192.168.1.1 -T5 | Insane (5): speeds scans; assumes you are on an extraordinarily fast network

Timing and Performance Switches

SWITCH | EXAMPLE INPUT | DESCRIPTION
--host-timeout <time> | 1s; 4m; 2h | Give up on a target after this long
--min-rtt-timeout/--max-rtt-timeout/--initial-rtt-timeout <time> | 1s; 4m; 2h | Specifies probe round trip time
--min-hostgroup/--max-hostgroup <size> | 50; 1024 | Parallel host scan group sizes
--min-parallelism/--max-parallelism <numprobes> | 10; 1 | Probe parallelization
--max-retries <tries> | 3 | Specify the maximum number of port scan probe retransmissions
--min-rate <number> | 100 | Send packets no slower than <number> per second
--max-rate <number> | 100 | Send packets no faster than <number> per second

NSE Scripts

SWITCH | EXAMPLE | DESCRIPTION
-sC | nmap 192.168.1.1 -sC | Scan with default NSE scripts. Considered useful for discovery and safe
--script default | nmap 192.168.1.1 --script default | Scan with default NSE scripts. Considered useful for discovery and safe
--script | nmap 192.168.1.1 --script=banner | Scan with a single script. Example: banner
--script | nmap 192.168.1.1 --script=http* | Scan with a wildcard. Example: http
--script | nmap 192.168.1.1 --script=http,banner | Scan with two scripts. Example: http and banner
--script | nmap 192.168.1.1 --script "not intrusive" | Scan default, but remove intrusive scripts
--script-args | nmap --script snmp-sysdescr --script-args snmpcommunity=admin 192.168.1.1 | NSE script with arguments

Useful NSE Script Examples

HTTP site map generator:
nmap -Pn --script=http-sitemap-generator scanme.nmap.org

Fast search for random web servers:
nmap -n -Pn -p 80 --open -sV -vvv --script banner,http-title -iR 1000

Brute force DNS hostnames, guessing subdomains:
nmap -Pn --script=dns-brute domain.com

Safe SMB scripts to run:
nmap -n -Pn -vv -O -sV --script smb-enum*,smb-ls,smb-mbenum,smb-os-discovery,smb-s*,smb-vuln*,smbv2* -vv 192.168.1.1

Whois query:
nmap --script whois* domain.com

Detect cross site scripting vulnerabilities:
nmap -p80 --script http-unsafe-output-escaping scanme.nmap.org

Check for SQL injections:
nmap -p80 --script http-sql-injection scanme.nmap.org

Firewall / IDS Evasion and Spoofing

SWITCH | EXAMPLE | DESCRIPTION
-f | nmap 192.168.1.1 -f | Requested scan (including ping scans) uses tiny fragmented IP packets. Harder for packet filters
--mtu | nmap 192.168.1.1 --mtu 32 | Set your own offset size
-D | nmap -D 192.168.1.101,192.168.1.102,192.168.1.103,192.168.1.23 192.168.1.1 | Send scans from spoofed IPs
-D | nmap -D decoy-ip1,decoy-ip2,your-own-ip,decoy-ip3,decoy-ip4 remote-host-ip | Above example explained
-S | nmap -S www.microsoft.com www.facebook.com | Scan Facebook from Microsoft (-e eth0 -Pn may be required)
-g | nmap -g 53 192.168.1.1 | Use given source port number
--proxies | nmap --proxies http://192.168.1.1:8080,http://192.168.1.2:8080 192.168.1.1 | Relay connections through HTTP/SOCKS4 proxies
--data-length | nmap --data-length 200 192.168.1.1 | Appends random data to sent packets

Output

SWITCH | EXAMPLE | DESCRIPTION
-oN | nmap 192.168.1.1 -oN normal.file | Normal output to the file normal.file
-oX | nmap 192.168.1.1 -oX xml.file | XML output to the file xml.file
-oG | nmap 192.168.1.1 -oG grep.file | Grepable output to the file grep.file
-oA | nmap 192.168.1.1 -oA results | Output in the three major formats at once
-oG - | nmap 192.168.1.1 -oG - | Grepable output to screen. -oN -, -oX - also usable
--append-output | nmap 192.168.1.1 -oN file.file --append-output | Append a scan to a previous scan file
-v | nmap 192.168.1.1 -v | Increase the verbosity level (use -vv or more for greater effect)
-d | nmap 192.168.1.1 -d | Increase debugging level (use -dd or more for greater effect)
--reason | nmap 192.168.1.1 --reason | Display the reason a port is in a particular state, same output as -vv
--open | nmap 192.168.1.1 --open | Only show open (or possibly open) ports
--packet-trace | nmap 192.168.1.1 -T4 --packet-trace | Show all packets sent and received
--iflist | nmap --iflist | Shows the host interfaces and routes
--resume | nmap --resume results.file | Resume a scan

Helpful Nmap Output examples

Scan for web servers and grep to show which IPs are running web servers:
nmap -p80 -sV -oG - --open 192.168.1.1/24 | grep open

Generate a list of the IPs of live hosts:
nmap -iR 10 -n -oX out.xml | grep "Nmap" | cut -d " " -f5 > live-hosts.txt

Append IPs to the list of live hosts:
nmap -iR 10 -n -oX out2.xml | grep "Nmap" | cut -d " " -f5 >> live-hosts.txt

Compare output from two nmap runs using ndiff:
ndiff scan1.xml scan2.xml

Convert nmap XML files to HTML files:
xsltproc nmap.xml -o nmap.html

Reverse sorted list of how often ports turn up:
grep " open " results.nmap | sed -r 's/ +/ /g' | sort | uniq -c | sort -rn | less
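Added example (not from the notes and not Nmap's own code): instead of grepping the normal output, parse the XML that -oX writes to get the live hosts and the open ports with their detected service versions. SAMPLE_NMAP_XML is a constructed, cut-down capture in Nmap's XML layout.

```python
# Added example: parse nmap -oX output into live hosts and open ports.
# SAMPLE_NMAP_XML is a constructed, cut-down scan in Nmap's XML layout.
import xml.etree.ElementTree as ET

SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX out.xml 192.168.1.1-2">
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="192.168.1.1" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="8.9p1"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open" reason="syn-ack"/>
        <service name="http" product="nginx" version="1.18.0"/>
      </port>
      <port protocol="tcp" portid="445">
        <state state="closed" reason="reset"/>
        <service name="microsoft-ds"/>
      </port>
    </ports>
  </host>
  <host>
    <status state="down" reason="no-response"/>
    <address addr="192.168.1.2" addrtype="ipv4"/>
  </host>
  <runstats><hosts up="1" down="1" total="2"/></runstats>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return one dict per host: ip, up flag and a list of port dicts."""
    hosts = []
    for host in ET.fromstring(xml_text).findall("host"):
        ip = host.find("address[@addrtype='ipv4']").get("addr")
        up = host.find("status").get("state") == "up"
        ports = []
        for port in host.findall("ports/port"):       # absent on a down host
            svc = port.find("service")                 # absent if nothing was detected
            ports.append({
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "state": port.find("state").get("state"),
                "service": svc.get("name", "") if svc is not None else "",
                "product": svc.get("product", "") if svc is not None else "",
                "version": svc.get("version", "") if svc is not None else "",
            })
        hosts.append({"ip": ip, "up": up, "ports": ports})
    return hosts


def live_hosts(hosts):
    """Same list the grep | cut pipeline above builds, without parsing text."""
    return [h["ip"] for h in hosts if h["up"]]


def open_ports(hosts):
    """(ip, port, service, 'product version') for every open port."""
    return [
        (h["ip"], p["port"], p["service"], f'{p["product"]} {p["version"]}'.strip())
        for h in hosts for p in h["ports"] if p["state"] == "open"
    ]


if __name__ == "__main__":
    scan = parse_nmap_xml(SAMPLE_NMAP_XML)
    print("live:", live_hosts(scan))
    for row in open_ports(scan):
        print(row)
```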

Miscellaneous Nmap Flags

SWITCH | EXAMPLE | DESCRIPTION
-6 | nmap -6 2607:f0d0:1002:51::4 | Enable IPv6 scanning
-h | nmap -h | nmap help screen

Other Useful Nmap Commands

Discovery only on ports x, no port scan:
nmap -iR 10 -PS22-25,80,113,1050,35000 -v -sn

ARP discovery only on local network, no port scan:
nmap 192.168.1.1-1/24 -PR -sn -vv

Traceroute to random targets, no port scan:
nmap -iR 10 -sn --traceroute

Query the internal DNS for hosts, list targets only:
nmap 192.168.1.1-50 -sL --dns-servers 192.168.1.1

Show the details of the packets that are sent and received during a scan:
nmap 192.168.1.1 --packet-trace

Enumeration (learn more)

Before any attack we just look around. Maybe there is a misconfig or default passwords.

SMB - Server Message Block (Windows file shares)
Runs on TCP port 445 (NetBIOS session service on 139)
nmap -sV -sC 192.168.3.10 will find SMB details

Can map a drive in Windows with "net use"
net use Z: \\192.168.3.10\c$ smbpw /user:admin

Nmap can be used to enumerate SMB

nmap -p 445 --script smb-protocols,smb-security-mode x.x.x.x

SMBv1 is dangerous and default usernames/passwords are bad
smb-enum-sessions (see when a user logged in)
smb-enum-shares (IPC$ null session / anonymous)

print$ is for sharing printer drivers

smb-enum-users
look for default and guest accounts and try the default passwords

smb-enum-domains
smb-enum-groups

Sometimes important docs are left on print$

smbmap -u guest -p "" -H x.x.x.x

We expect the guest account to be read-only on IPC$ and print$ and to have NO access to anything else

With an account with rights (added to the smbmap command above):

-x 'ipconfig'
--upload /backdoor.txt 'C$\backdoor.txt'
--download 'C$\loot.txt'



Other Linux tools for SMB
nmap x.x.x.x -sV -p 139,445

msfconsole (Metasploit)

use auxiliary/scanner/smb/smb_version
show options
set rhosts x.x.x.x
run
exit

use auxiliary/scanner/smb/smb2
show options
set rhosts x.x.x.x

nmblookup -A x.x.x.x

In the NetBIOS output a <20> suffix means the file server service is running, so we can connect to shares

smbclient -L x.x.x.x -N

rpcclient -U '' -N x.x.x.x

enum4linux -o x.x.x.x

Enumeration is all about finding information to use again later, for example we can find out who has access to a certain folder and then target that user.

Connecting with word lists when we don't have passwords
use auxiliary/scanner/smb/smb_login
info
show options
set rhosts x.x.x.x
set pass_file /usr/share/wordlists/wordlist.txt
set smbuser bob
run

Hydra
gzip -d /usr/share/wordlists/rockyou.txt.gz
hydra -l admin -P /usr/share/wordlists/rockyou.txt x.x.x.x smb
smbmap -H x.x.x.x -u admin -p Password01

Other services and pipes
Lots of other services use SMB and they connect via "pipes".
If we know what to look for we can get info from the other services.

use auxiliary/scanner/smb/pipe_auditor
info
show options
set rhosts x.x.x.x
set smbuser bob
set smbpass <password>
options
run

Named pipes returned 
\netlogon
\lsarpc
\samr
\eventlog
\initshutdown
\ntsvcs
\srvsvc
\wkssvc

Maybe we can use this info later

FTP (TCP port 21)

nmap -p 21 -sV -O 192.168.1.100

ftp in a command prompt
ftp 192.168.1.100
Try a blank username and password (anon login)

Hydra
hydra -L /root/users -P /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt 192.168.1.100 ftp

nmap 192.168.1.100 --script ftp-brute --script-args userdb=/root/users -p 21

The file in /root called users contains a username list

FTP anon login check with nmap
nmap 192.168.1.100 -p 21 --script ftp-anon
username: anonymous
password: (blank)

SSH (TCP 22)
nmap 192.168.1.100 -sV -O
You may see the SSH version and the host OS version

ssh root@192.168.1.100

nc 192.168.1.100 22

You may get a banner/welcome message

Check the algorithms
nmap 192.168.1.100 -p 22 --script ssh2-enum-algos
Some other scripts:
ssh-hostkey
--script-args ssh_hostkey=full

--script ssh-auth-methods --script-args="ssh.user=student"
(can try usernames admin, root, etc.)

SSH brute force

Unzip the rockyou password list
gzip -d /usr/share/wordlists/rockyou.txt.gz

Run hydra
hydra -l student -P /usr/share/wordlists/rockyou.txt 192.168.1.100 ssh

Hydra may return a password found in the list

echo "administrator" > user

nmap 192.168.1.100 -p 22 --script ssh-brute --script-args userdb=/.../user

msfconsole
msfconsole
use auxiliary/scanner/ssh/ssh_login
show options
set rhosts 192.168.1.100
set userpass_file /usr/share/.../root_userpass.txt
set STOP_ON_SUCCESS true
set verbose true
options (to show all options)
run

ssh root@192.168.1.100
ls
whoami

HTTP
Let's say the scan returns port 443; then we know HTTPS is running.

Can check for a site in the web browser

nmap 192.168.1.100 -sV -O
MS IIS 10.0
MS RPC
MS NetBIOS

whatweb 192.168.1.100

http-py sends an HTTP(S) request and returns the headers and other info in the output

browsh --startup-url http://192.168.1.100/home.aspx

You can enumerate a lot of stuff with dirb
dirb http://192.168.1.100

dirb will run for a long time; check for any directories with access

Enumerate HTTP with nmap
nmap 192.168.1.100 -sV -p 80 --script http-enum,http-headers

msfconsole
use auxiliary/scanner/http/http_version
set rhosts 192.168.1.100
options
run

curl
curl 192.168.1.100 | more
curl http://192.168.1.100/cgi-bin | more

Text based browsers
browsh and lynx are very similar text based browsers

Brute force directories
msfconsole
use auxiliary/scanner/http/brute_dirs
show options
set rhosts 192.168.1.100
options
run

will look for directories

Robots.txt
msfconsole
use auxiliary/scanner/http/robots_txt
set rhosts 192.168.1.100
options
run

MySQL
Say our nmap scan returned 3306
(MSSQL's port is 1433)

nmap 192.168.1.100 -sV -p 3306

mysql -h 192.168.1.100 -u root
show databases;
use books;
select count(*) from authors;
select * from authors;
help
MySQL commands end with ;

msfconsole
use auxiliary/scanner/mysql/mysql_writable_dirs
show options
set rhosts 192.168.1.100
set dir_list /usr/share/...dirs.txt
set verbose false
set password ""
options
run

msfconsole
use auxiliary/scanner/mysql/mysql_login
options


Get hashes for users
msfconsole
use auxiliary/scanner/mysql/mysql_hashdump
options
run

nmap
nmap 192.168.1.100 -p 3306 --script=mysql-empty-password

more scripts
mysql-info
mysql-users
mysql-databases
mysql-variables
(data dir is /var/lib/mysql by default)
mysql-audit
mysql-query

hydra -l root -P passwords.txt 192.168.1.100 mysql


Enumeration recap
Spot common ports/apps
Find all the info publicly available