Reporting (writing of report / recommendation on remediation)
Active info gathering
We need permission
Scanning IP ranges
Scanning IPs for open ports (nmap/Nessus)
Ports can tell us about services and we can look for vulns
Discovering open ports
examples:
nmap scan to discover open ports
Nessus scan to discover vulnerabilities
Enumerating info from target systems
Website recon and footprinting
IP addresses
Directories hidden from search engines
Host command (in kali)
host website.com
website.com has address 10.10.10.10
website.com has IPv6 address 2axx:4xx:1xx:4xxx::2
website.com mail is handled by 5 esa.website.com.
website.com mail is handled by 10 esa2.website.com.
website.com mail is handled by 15 esa3.website.com.
Often we will see the website is behind a proxy like Cloudflare
Robots.txt
Robots.txt is read by search engines; site owners use it to tell crawlers which directories not to crawl.
Browse to www.website.com/robots.txt
User-agent: *
Allow: /wp-admin/admin-ajax.php
Disallow: /wp-admin/
Sitemap: https://www.website.ie/sitemap.xml
Sitemap: https://www.website.ie/sitemap.rss
We can see they disallow /wp-admin/; that wp-admin folder tells us it is a WordPress site.
Sitemap.xml
The sitemap is again for search engines, to index the site.
Firefox plugin BuiltWith
This plugin shows what is running on the site
It will list widgets and plugins
Whatweb (kali)
whatweb website.ie
Download the full website with HTTrack
HTTrack (Windows and Linux) lets us look at the source code offline.
Whois (Kali, also many websites) - looking up registration details of domains
Main info to gather from the whois output:
What registrar the domain was registered with
Updated Date: When the domain was renewed
Created Date: When it was created
Registry expiry: (when the domain will expire)
Name server: can point to a proxy like Cloudflare
DNSSEC: we might see the owner of the domain unless DNSSEC is enabled
whois zonetransfer.me
https://who.is (useful website for running whois lookups)
whois x.x.x.x (where x.x.x.x is public IP)
Website footprinting with netcraft
netcraft.com is a web tool that gathers lots of the passive recon information for us in one place
DNS recon
dnsrecon -d domain.com
dnsdumpster.com - free website which organises the same information nicely
We can see name servers, SRV, TXT and MX records, and subdomains
WAF detection with WAFW00f (kali)
WAF is a web application firewall
WAFW00f is a WAF fingerprinting tool
wafw00f https://zonetransfer.me
Subdomain enumeration with sublist3r (kali)
Sublist3r checks the search engines to see if a subdomain was indexed at some stage
sublist3r -d domain.com -e google,yahoo
sublist3r -d domain.com (this will search with all search engines)
Keep in mind the results won't be 100%, but they are very useful.
It makes lots of requests to the search engines, so you may need a VPN to change your connection to get it to work.
Google Dorks aka google hacking
site:domain.com
site:domain.com inurl:admin (look for an admin panel)
site:domain.com inurl:forum (look for a forum)
site:*.domain.com (show all the subdomains)
Sometimes subdomains are publicly available that shouldn't be
site:*.domain.com intitle:admin (look for an admin page)
site:*.domain.com filetype:pdf (look for PDF files)
site:*.domain.com employees
site:*.domain.com team
intitle:"index of" (look for open directory listings)
Looking for older versions of the website for information like names, email addresses etc.
cache:domain.com
The Wayback Machine (web.archive.org)
Looking for leaked usernames and passwords
inurl:auth_user_file.txt
inurl:passwd.txt
Google hacking database (https://www.exploit-db.com/google-hacking-database)
look up google dorks for wordpress for example
Email harvesting with theHarvester (kali)
Searches search engines and sites like LinkedIn and several other websites
Spyse - paid site worth considering
Leaked password databases
When we find email addresses, check if their data has been leaked at some stage
Quick way to check if an email you found appears in a data breach:
https://haveibeenpwned.com/
DNS zone transfers
DNS servers are like a phone directory: a list of hostnames mapped to IP addresses
Cloudflare: 1.1.1.1
Google: 8.8.8.8
DNS record types
A - Resolves a hostname to an IPv4 address
AAAA - Resolves a hostname to an IPv6 address
NS - The domain's name servers
MX - Where the mail server is
CNAME - Aliases
TXT - Text info, often used to verify ownership of a domain
HINFO - Host information
SOA - Start of authority (domain authority)
SRV - Service records
PTR - Resolves an IP to a hostname
DNS Interrogation
Probe the DNS server for more info
DNS zone transfer
Admins may want to copy or transfer zone files from one DNS server to another. The process is known as a zone transfer.
If left misconfigured, we can attempt a zone transfer from the primary DNS server to another server.
A DNS zone transfer can provide pentesters with a holistic view of an organization's network layout.
Internal network addresses may be found on the org's DNS servers.
dnsrecon -d zonetransfer.ie
Active action:
dnsenum zonetransfer.ie
Zone transfer with dig
dig axfr @[name-server] [domain]
dig axfr @ns2cm1.digi.ninja zonetransfer.me
Brute force domains with fierce
fierce -dns zonetransfer.me
Network mapping
IP range / subnets (so we can scan)
How many hosts (we can see how many are up and the max possible)
What client/server OS are they running
What network devices do they have, what vendor/SW versions are running
Can we find a DMZ?
Find what ports are open
Host discovery with nmap
-sn
ping sweep, but it may be blocked by firewalls
follow with
-Pn
--send-ip overrides ARP (don't use ARP, use ICMP etc.)
The idea is to gather IPs with a ping sweep, then run port scans on the IPs we see are up.
Some hosts won't respond to ping, or it will be blocked by a hardware or software firewall. For this reason we need to try a few methods and put it all together:
Ping (ICMP echo)
TCP SYN (half-open scan or stealth scan in nmap)
ARP
TCP ACK (send an ACK to a server; if we get a TCP RST back we know it's up)
TCP SYN-ACK (similar to above)
UDP (longer shot / specific use cases; often UDP won't respond)
ICMP
Echo request
type: 8
code: 0
Echo reply
Type: 0
code: 0
8=request
0=reply
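As an added example (not from the original notes): building and parsing the ICMP echo packets a ping sweep is made of, type 8/code 0 out and type 0/code 0 back, with the RFC 1071 checksum, so a captured reply can be checked against the request it answers. The id/seq values and payload are constructed.

```python
import struct

ICMP_ECHO_REQUEST = 8  # type 8, code 0: what a ping sweep sends
ICMP_ECHO_REPLY = 0    # type 0, code 0: what a live host sends back

def icmp_checksum(data):
    """RFC 1071 one's-complement sum over the ICMP header and payload (zero-padded to even length)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_echo(icmp_type, ident, seq, payload=b""):
    """Build an echo request/reply: type, code 0, checksum, identifier, sequence, payload."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload

def valid_checksum(packet):
    """Summing a packet that includes its own checksum must give all ones, i.e. complement 0."""
    return icmp_checksum(packet) == 0

def parse_echo(packet):
    """Decode an ICMP packet; raises ValueError if it is truncated or the checksum is wrong."""
    if len(packet) < 8:
        raise ValueError("ICMP header is 8 bytes")
    if not valid_checksum(packet):
        raise ValueError("bad ICMP checksum")
    icmp_type, code, _, ident, seq = struct.unpack("!BBHHH", packet[:8])
    kind = {ICMP_ECHO_REQUEST: "echo request", ICMP_ECHO_REPLY: "echo reply"}.get(icmp_type, "other")
    return {"type": icmp_type, "code": code, "kind": kind, "id": ident, "seq": seq, "payload": packet[8:]}

def is_reply_to(reply, request):
    """A reply belongs to a request when it is type 0 and echoes the same id, seq and payload."""
    q, r = parse_echo(request), parse_echo(reply)
    return (q["type"], r["type"]) == (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY) and \
        (r["id"], r["seq"], r["payload"]) == (q["id"], q["seq"], q["payload"])

if __name__ == "__main__":
    # Constructed id/seq values, as a ping sweep tool would pick them.
    req = build_echo(ICMP_ECHO_REQUEST, 0x1234, 1, b"ping-sweep")
    rep = build_echo(ICMP_ECHO_REPLY, 0x1234, 1, b"ping-sweep")
    print(parse_echo(req)["kind"], "->", parse_echo(rep)["kind"], "matched:", is_reply_to(rep, req))
```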
Netdiscover
nmap uses ping/ICMP and netdiscover uses ARP
sudo netdiscover -i eth0 -r 192.168.3.0/24
Port scanning with nmap
-Pn (don't use ping for host detection; just port scan the 1000 most common ports)
nmap -Pn x.x.x.x
nmap -Pn -p- x.x.x.x (scan all ports; will take a long time, can add -T4 to speed up)
nmap -Pn -p- x.x.x.x -T4
nmap -Pn -p 80 x.x.x.x (scan port 80)
nmap -Pn -p1-10 x.x.x.x (scan a range)
nmap -Pn -F x.x.x.x (fast scan of commonly used ports)
nmap -Pn -sU x.x.x.x (use UDP)
Scan a range
nmap -sn 192.168.1.0/24 --send-ip
Scan multiple targets
nmap -sn 192.168.1.30 192.168.1.40
Scan .30 to .40
nmap -sn 192.168.1.30-40
Scan a list of IPs from a file
Gather your list of in-scope IPs in a file called targets.txt
nmap -Pn -F -sV x.x.x.x (service version detection, takes longer)
-O OS detection (upper case O)
nmap -Pn -F -sV -O x.x.x.x -v
-sC (script scan to get more info)
We may need to speed up/slow down scans to avoid detection. We can use -T. Lower value is slower, higher value is faster (more chance to be detected by IPS etc).
-T
0 paranoid
1 sneaky
2 polite
3 normal
4 aggressive
5 insane
We can output nmap to files
-oN scan.txt
-oX scan.xml (can be imported into Metasploit)
Assessment Methods: footprinting + scanning
Mapping a network
define the scope
what is the best use of your time
physical access
VPN site-to-site, or dial-in
Or no help at all: you must gain physical or digital access yourself
Get on the network (physical or remote access)
sniffing
Passive recon, watch the network, learn
ARP - resolves IP to MAC address, can arp the full subnet to learn about the network
ICMP (ping and traceroute)
type 8 is echo request (ping) we can ping the subnet to see what responds.
Network Tools
Wireshark
ArpScan
ping
Fping
nmap and zenmap
Arpscan CLI
sudo arp-scan -I eth0 192.168.3.0/24
Fping CLI
fping -I eth0 -g 192.168.3.0/24 -a 2> /dev/null
This prints only the alive hosts on the screen
Good idea to arp and ping the subnet.
Nmap CLI
nmap -Pn 192.168.3.0/24
nmap -sn 192.168.3.0/24
nmap also sends a TCP SYN
Wireshark
Run a capture
Run all your scans
Check hosts
Zenmap is the GUI version of nmap
Nmap OS and service detection
We can find OS and service versions with nmap; below is how it works
Standard TCP 3WHS
open port
SYN >
SYN-ACK <
ACK >
RST+ACK >
closed port
SYN >
RST+ACK <
Stealth scan
SYN >
SYN+ACK <
RST >
In the stealth scan we abort the handshake as soon as we get the SYN+ACK back; we know the port is open and a server is responding.
Service detection
SYN >
SYN+ACK <
ACK >
BANNER < (service info here, e.g. OpenSSH 1.0)
RST+ACK >
In service detection we read the data provided by the server.
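Added example, not from the original notes: the half-open scan above leaves only bare SYNs in a firewall's new-connection log, so a defender can spot it as one source hitting many distinct ports on a host in a short window. The log lines are constructed in iptables LOG style; the window size and port threshold are assumptions to tune locally.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in iptables LOG-target style; not real traffic. Such a log records
# the first packet of each new connection, which for a half-open scan is the bare SYN.
SAMPLE_LOG = """\
Mar 10 12:00:01 fw kernel: IN=eth0 SRC=192.168.3.50 DST=192.168.3.10 PROTO=TCP SPT=40001 DPT=22 SYN
Mar 10 12:00:01 fw kernel: IN=eth0 SRC=192.168.3.50 DST=192.168.3.10 PROTO=TCP SPT=40002 DPT=80 SYN
Mar 10 12:00:01 fw kernel: IN=eth0 SRC=192.168.3.50 DST=192.168.3.10 PROTO=TCP SPT=40003 DPT=443 SYN
Mar 10 12:00:02 fw kernel: IN=eth0 SRC=192.168.3.50 DST=192.168.3.10 PROTO=TCP SPT=40004 DPT=445 SYN
Mar 10 12:00:02 fw kernel: IN=eth0 SRC=192.168.3.50 DST=192.168.3.10 PROTO=TCP SPT=40005 DPT=3306 SYN
Mar 10 12:00:02 fw kernel: IN=eth0 SRC=192.168.3.50 DST=192.168.3.10 PROTO=TCP SPT=40006 DPT=8080 SYN
Mar 10 12:00:05 fw kernel: IN=eth0 SRC=192.168.3.77 DST=192.168.3.10 PROTO=TCP SPT=51000 DPT=443 SYN
Mar 10 12:00:09 fw kernel: IN=eth0 SRC=192.168.3.77 DST=192.168.3.10 PROTO=TCP SPT=51001 DPT=443 SYN
Mar 10 12:09:30 fw kernel: IN=eth0 SRC=192.168.3.50 DST=192.168.3.10 PROTO=TCP SPT=40007 DPT=21 SYN
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=TCP SPT=\d+ DPT=(?P<dpt>\d+)(?P<flags>.*)$"
)

def parse_line(line):
    """Return (timestamp, src, dst, dport, flag list) for a TCP log line, else None."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    # syslog timestamps carry no year; any fixed year works for ordering within one log
    ts = datetime.strptime("2024 " + m.group("ts"), "%Y %b %d %H:%M:%S")
    return ts, m.group("src"), m.group("dst"), int(m.group("dpt")), m.group("flags").split()

def find_syn_scans(log_text, window_s=10, min_ports=5):
    """Return [(src, dst, n)] where src sent bare SYNs to n >= min_ports distinct ports
    on dst within some window_s-second window. Both thresholds are assumptions."""
    probes = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, dst, dport, flags = rec
        if "SYN" in flags and "ACK" not in flags:      # new connection attempt, not a reply
            probes[(src, dst)].append((ts, dport))
    alerts = []
    for (src, dst), events in probes.items():
        events.sort()
        widest = 0
        for i, (t0, _) in enumerate(events):          # slide a window starting at each probe
            ports = {p for t, p in events[i:] if (t - t0).total_seconds() <= window_s}
            widest = max(widest, len(ports))
        if widest >= min_ports:
            alerts.append((src, dst, widest))
    return alerts
```

A connect scan (-sT) would additionally show completed sessions in the application's own logs; the half-open scan shows up only here.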
NMAP basic switches
nmap -h (help, lots of options here)
-sV Service detection
-sC Default scripts
-A aggressive mode (loud), does all the scans
-O OS detection
--exclude (exclude certain hosts from scanning)
-A does OS detection, version detection, script scan and traceroute
Scan targets from a file
nmap -iL ip-list.txt
Skip the port scan and just send a SYN packet for host discovery (faster). -PS with no port just sends a TCP SYN to port 80.
nmap -sn -PS 10.4.23.227
Other scan tools
Masscan - Fast scanner for big networks
RustScan - written in a low-level language so it is fast
AutoRecon - keeps scanning / doing recon
Nmap scan techniques
SWITCH | EXAMPLE | DESCRIPTION
-sS | nmap 192.168.1.1 -sS | TCP SYN port scan (default)
-sT | nmap 192.168.1.1 -sT | TCP connect port scan (default without root privilege)
-sU | nmap 192.168.1.1 -sU | UDP port scan
-sA | nmap 192.168.1.1 -sA | TCP ACK port scan
-sW | nmap 192.168.1.1 -sW | TCP Window port scan
-sM | nmap 192.168.1.1 -sM | TCP Maimon port scan
Host Discovery
SWITCH | EXAMPLE | DESCRIPTION
-sL | nmap 192.168.1.1-3 -sL | No scan. List targets only
-sn | nmap 192.168.1.1/24 -sn | Disable port scanning. Host discovery only
-Pn | nmap 192.168.1.1-5 -Pn | Disable host discovery. Port scan only
-PS | nmap 192.168.1.1-5 -PS22-25,80 | TCP SYN discovery on port x. Port 80 by default
-PA | nmap 192.168.1.1-5 -PA22-25,80 | TCP ACK discovery on port x. Port 80 by default
-PU | nmap 192.168.1.1-5 -PU53 | UDP discovery on port x. Port 40125 by default
-PR | nmap 192.168.1.1/24 -PR | ARP discovery on the local network
-n | nmap 192.168.1.1 -n | Never do DNS resolution
Port Specification
SWITCH | EXAMPLE | DESCRIPTION
-p | nmap 192.168.1.1 -p 21 | Port scan for port x
-p | nmap 192.168.1.1 -p 21-100 | Port range
-p | nmap 192.168.1.1 -p U:53,T:21-25,80 | Port scan multiple TCP and UDP ports
-p- | nmap 192.168.1.1 -p- | Port scan all ports
-p | nmap 192.168.1.1 -p http,https | Port scan from service name
-F | nmap 192.168.1.1 -F | Fast port scan (100 ports)
--top-ports | nmap 192.168.1.1 --top-ports 2000 | Port scan the top x ports
-p-65535 | nmap 192.168.1.1 -p-65535 | Leaving off the initial port in the range makes the scan start at port 1
-p0- | nmap 192.168.1.1 -p0- | Leaving off the end port in the range makes the scan go through to port 65535
Service and Version Detection
SWITCH | EXAMPLE | DESCRIPTION
-sV | nmap 192.168.1.1 -sV | Attempts to determine the version of the service running on each port
-sV --version-intensity | nmap 192.168.1.1 -sV --version-intensity 8 | Intensity level 0 to 9. A higher number increases the chance of correctness
-sV --version-light | nmap 192.168.1.1 -sV --version-light | Enable light mode. Lower chance of correctness. Faster
-sV --version-all | nmap 192.168.1.1 -sV --version-all | Enable intensity level 9. Higher chance of correctness. Slower
-A | nmap 192.168.1.1 -A | Enables OS detection, version detection, script scanning, and traceroute
Look for default and guest accounts and try the default passwords
nmap -p 445 --script smb-enum-users x.x.x.x
nmap -p 445 --script smb-enum-domains x.x.x.x
nmap -p 445 --script smb-enum-groups x.x.x.x
smbmap -u guest -p "" -H x.x.x.x
We expect the guest account to be read-only on IPC$ and print$ and have NO access to anything else
smbmap with an account that has rights:
-x 'ipconfig' (run a command)
--upload /backdoor.txt 'C$\backdoor.txt'
--download 'C$\loot.txt'
Other linux tools for SMB
nmap x.x.x.x -sV -p 139,445
msfconsole (metasploit)
use auxiliary/scanner/smb/smb_version
show options
set Rhosts x.x.x.x
run
exit
use auxiliary/scanner/smb/smb2
show options
set Rhosts x.x.x.x
nmblookup -A x.x.x.x
Uses NetBIOS; a <20> entry means the file server service is running, so we can connect
smbclient -L x.x.x.x -N
rpcclient -U '' -N x.x.x.x
enum4linux -o x.x.x.x
Enumeration is all about finding information to use again later, for example we can find out who has access to a certain folder and then target that user.
Connecting with wordlists when we don't have passwords
use auxiliary/scanner/smb/smb_login
info
show options
set Rhosts x.x.x.x
set pass_file /usr/share/wordlist.txt
set smbuser bob
run
Hydra
gzip -d /usr/share/wordlists/rockyou.txt.gz
hydra -l admin -P /usr/share/wordlists/rockyou.txt x.x.x.x smb
smbmap -H x.x.x.x -u admin -p Password01
Other services and pipes
Lots of other services use SMB and they connect via "pipes".
If we know what to look for we can get info from the other services.
use auxiliary/scanner/smb/pipe_auditor
info
show options
set Rhosts x.x.x.x
set smbuser bob
set smbpassword
options
run
Named pipes returned
\netlogon
\lsarpc
\samr
\eventlog
\initshutdown
\ntsvcs
\srvsvc
\wkssvc
Maybe we can use this info later
FTP (TCP port 21)
nmap -p 21 -sV -O 192.168.1.100
ftp in cmd prompt
ftp 192.168.1.100
Try nothing for the username and password (anonymous login)
browsh and lynx are very similar text-based browsers
Brute force directories
msfconsole
use auxiliary/scanner/http/brute_dirs
show options
set rhosts 192.168.1.100
options
exploit
This will look for directories
Robots.txt
msfconsole
use auxiliary/scanner/http/robots_txt
set rhosts 192.168.1.100
options
run
MySQL
Say our nmap scan returned 3306 (MySQL)
The MSSQL port is 1433
nmap 192.168.1.100 -sV -p 3306
mysql -h 192.168.1.100 -u root
show databases;
use books;
select count(*) from authors;
select * from authors;
help
MySQL commands end with ;
msfconsole
use auxiliary/scanner/mysql/mysql_writable_dirs
show options
set rhosts 192.168.1.100
set dir_list /usr/share/...dirs.txt
set verbose false
set password ""
options
run
msfconsole
use auxiliary/scanner/mysql/mysql_login
options
Get hashes for users
msfconsole
use auxiliary/scanner/mysql/mysql_hashdump
options
exploit
nmap
nmap --script=mysql-empty-password -p 3306 x.x.x.x
more scripts
mysql-info
mysql-users
mysql-databases
mysql-variables
data dir /var/lib/mysql
mysql-audit
mysql-query
hydra -l root -P passwords.txt x.x.x.x mysql
Enumeration recap
Spot common ports/apps
Find all the info publicly available
NMAP scripts intro
Nmap scripting engine (NSE)
Syn scan
Version scan
OS scan
all ports
timing profile T4
nmap -sS -sV -O -p- -T4 192.168.1.10
Nmap is open source and has many scripts already created
/usr/share/nmap/scripts
The extension is .nse and they are written in the Lua language
Look for relevant scripts:
ls /usr/share/nmap/scripts | grep http
Script scan (default)
-sC
Run a script
--script=memcached-info
Run more than one script
--script=script1,script2
Run all scripts in a tree
--script=http-*
The -A option combines OS detection, version detection and script scanning. It needs to run as root.
nmap -sS -A -p- -T4 192.168.1.100
It will take time as it's running a lot of things.
Evasion, Scan performance and output
-Pn Disable host discovery. Port scan only. Don't ping
-F fast scan just scans the top 100 ports
-sS TCP SYN scan
nmap -Pn -sS -F 192.168.1.10
When we scan, if we see "filtered" we can assume a firewall is blocking
Fragmenting
Breaking up your packets to evade detection
-f fragmentation option: packets get fragmented
We can give an MTU option
-f --mtu 32 (only packets larger than 32 bytes will be fragmented)
-f --mtu 8 (you should see they are fragmented)
Spoofing your source
We can spoof our source IP. If we run a scan from a client it might trigger an alarm or look strange to IT staff, so we can pretend to send our traffic from the gateway.
We can speed up scans to reduce how long they take to complete, however this may cause IDS systems to alert. We can slow down scans for old networks and also to evade detection.
-T
0 paranoid
1 sneaky
2 polite
3 normal
4 aggressive
5 insane
--scan-delay 5s (delay between probes)
15s is a good value but the scan will take a long time
--host-timeout 5s (if a host does not respond in 5 seconds, move on)
30s is a good option for larger networks; too low and you miss slow-to-respond hosts
Combining fragmentation with decoy IPs and timing templates your scans can slip under the radar of IDS systems.
NMAP output formats
Good idea to log every action you take in case you cause an issue.
Good idea to log scans so you don't have to keep running the same scans over and over
We can output nmap to files
-oN scan.txt (same as it comes out of the terminal; can use grep on that file later, but other formats may be better for that kind of work)
-oX scan.xml (can be imported into Metasploit)
-oS script kiddie format, just a joke (replaces open with op3n); can ignore this one
-oG nmap_grep.txt (greppable format so data can be manipulated with sed/awk etc. It lists each host on one line so it's easier to use cut/sed/awk on the data)
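Added example (not from the original notes) of the greppable format in use: a parser that turns each -oG Host line into a structure, plus a check that flags open ports missing from a per-host allowlist, which is how the same scan output serves an inventory review. The scan output below is constructed.

```python
import re

# Constructed sample of nmap -oG output (not a real scan). One "Status" line and one "Ports"
# line per live host; each port field is port/state/proto/owner/service/rpcinfo/version/.
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated Sun Mar 10 12:00:00 2024 as: nmap -sV -oG scan.gnmap 192.168.1.0/24
Host: 192.168.1.10 ()\tStatus: Up
Host: 192.168.1.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 80/open/tcp//http//nginx 1.18.0/, 445/filtered/tcp//microsoft-ds///\tIgnored State: closed (997)
Host: 192.168.1.20 (printer.lan)\tStatus: Up
Host: 192.168.1.20 (printer.lan)\tPorts: 9100/open/tcp//jetdirect///\tIgnored State: closed (999)
# Nmap done at Sun Mar 10 12:00:30 2024 -- 256 IP addresses (2 hosts up) scanned in 30.00 seconds
"""

HOST_RE = re.compile(r"^Host: (?P<ip>\S+) \((?P<name>[^)]*)\)")

def parse_gnmap(text):
    """Turn greppable output into {ip: {"hostname", "status", "ports": [...]}}."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host: "):
            continue                                  # "# Nmap ..." lines carry no host data
        fields = line.split("\t")                     # tab-separated sections on one line
        m = HOST_RE.match(fields[0])
        if m is None:
            continue
        entry = hosts.setdefault(m.group("ip"),
                                 {"hostname": m.group("name"), "status": None, "ports": []})
        for field in fields[1:]:
            key, _, value = field.partition(": ")
            if key == "Status":
                entry["status"] = value
            elif key == "Ports":
                # split only on the ", " that precedes the next port number (versions may hold commas)
                for item in re.split(r", (?=\d+/)", value):
                    port, state, proto, _owner, service, _rpc, version = item.split("/", 6)
                    entry["ports"].append({"port": int(port), "state": state, "proto": proto,
                                           "service": service, "version": version.rstrip("/")})
    return hosts

def unexpected_open_ports(hosts, expected):
    """Open ports not in the per-host allowlist {ip: {ports}}; a host absent from it allows nothing."""
    findings = {}
    for ip, entry in hosts.items():
        extra = sorted(p["port"] for p in entry["ports"]
                       if p["state"] == "open" and p["port"] not in expected.get(ip, set()))
        if extra:
            findings[ip] = extra
    return findings
```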
Start DB for Metasploit (we need the DB running)
service postgresql start
Start Metasploit
msfconsole
Create a workspace, you may have several scans ongoing for different customers/projects
workspace -a PENTEST1
Confirm the DB connection is working
db_status
Import the scan data
db_import scan.xml
List the hosts (you will see all the info gathered from nmap is available in Metasploit)
hosts
List the services
services
We can run nmap from Metasploit and it will automatically update the Metasploit DB
db_nmap -Pn -sS -sV -O -p 445 192.168.1.100
Most of the time you would export in the normal .txt or .xml format
Scanning UDP ports
Don't forget some services run on UDP
53 (DNS)
177 (XDMCP)
161 (SNMP)
69 (TFTP)
Scan a range
nmap -p 1-250 -sU x.x.x.x
Get more details on ports found like service version
nmap x.x.x.x -p 134,177,234 -sUV
Summary of foot printing and scanning
Scan a target network with nmap
Build a picture of their network
Discover hosts
Discover listening ports on those hosts
Discover services running on those ports
Discover the version of those services running on those ports
Discover the OS version running on target hosts
Enumerate SMB with nmap
Know about nmap scripts in /usr/share/nmap/scripts
Evade IDS with fragmentation, spoofing and timing templates