My Preparation To Crest CCT Application Exam
Kali linux is host
Installed:
- dirbuster
- fuzz db
- soapUI
- hoppy
- cifs-utils
- testssh
- burpsuite
- chrome
- vmware Player
- testSSLserver (beast checker)
- sudo apt-get install build-essential
- jumbo john the ripper
- jumbo nmap
- guake or yakuake (http://www.tecmint.com/linux-terminal-emulators/)
- finger
- nessus
- virtualbox-dkms (for virtualbox)
- tftp server for windows and linux
Updated:
OS (apt-get)
Nikto
To be documented:
- Have description ready for common vulnerabilities.
- print in local PDF and if necessary in paper notes for practical and long form answers
- onesixtyone tool for bruteforcing snmp community strings
- how to create payload and bypass antiviruses (is this last one needed for Crest?)
- hashcat
- how to create a war file and prepare shell
- Ophcrack (might not be needed for CREST as this requires a live CD)
- psexec
- how to install malware as service and rebootable proof
- FGDUMP (which replaces pwdump)
- Absinthe sql injection in Windows
- all host build review and priv escalation tools
- modify metasploit so that you can search exploits by port number
- remember show advanced in metasploit for multiple payload options
Other useful:
- List of books to take with you:
- CREST CCT App recommended
- Crest practicing links
- http://www.webcrawler.com/ is a search engine combining many search engines
- Google hacking database: https://www.exploit-db.com/google-hacking-database/
- ext: keyword (behaves like filetype:; see https://bynd.com/news-ideas/google-advanced-search-comprehensive-list-google-search-operators/)
- word1 * word2 finds words between word1 and word2
- Public records: Companies House; 192.com; internationalarchives.org
- credit rating
- criminal records
- IP Information: fixedorbit.com; my-ip-neighbors.com
- DNS enumeration
- https://github.com/fwaeytens/dnsenum
- zone transfer: https://www.youtube.com/watch?v=wS9DMWQ487E
- dig NS iitg.ernet.in
- see "answer section"
- dig @nameFromAnswerSection iitg.ernet.in axfr
- scan use
- "amap target.com 80" to discover service (banner grabbing?)
- vulnerability tracking
- websites: cve.mitre.org; osvdb.org; secunia.com/resources; www.cert.org;
- mailing lists: securityfocus.com/archive; seclists.org/fulldisclosure
- information assurance publications: CPNI, CESG, NSA, NIST, Microsoft SIR
- Vulnerability Scanner: MBSA Microsoft Baseline Security Analyzer provides a streamlined method to identify missing security updates and common security misconfigurations. MBSA 2.3 release adds support for Windows 8.1, Windows 8, Windows Server 2012 R2, and Windows Server 2012. Windows 2000 will no longer be supported with this release.
- snmp
- snmpwalk -c public -v1 192.168.1.1 1.3.6.1.4.1.77.1.2.25 (windows users accounts)
- community string bruteforce: onesixtyone -c dictionary host
- RID Cycling
- use auxiliary/scanner/smb/smb_lookupsid
- Cain: select the Network tab, click the blue + sign, enter the IP address, double-click the Quick List node on the left, right-click the IP address you entered and select "Connect as", enter domain\username and password, click OK, expand the domain\username node, click Users, click Yes to start user enumeration.
- To query server itself and not the domain:
- right click "Users" and select SID scanner, click OK.
- SMB (Server Message Block) is a protocol used to access and share resources
- runs over NetBIOS over TCP/IP (port 139)
- runs over TCP/IP directly (port 445)
- RPCs available through IPC$ (the Inter-Process Communication share)
- an SMB session is authenticated
- Null Sessions
- SMB session with no credentials (blank username and password)
- Some RPCs provide information with just a null session
- Required for legacy Windows systems
- Requirement gradually phased out
- Domain Controllers are often more obliging (2000/2003).
- net use \\ipaddress\ipc$ /u:"" ""
- Domains:
- net user /domain ---- a list of domain user accounts is returned
- net group /domain --- a list of domain groups is returned
- net user blabla /domain ---- details of the "blabla" user account are returned
- rundll32 dsquery,OpenQueryWindow ---- active directory searches
- enum4linux -U -u "username" -p "pass" -a ipadd
- smbclient -L IP -U Administrator ---- the password will be asked for later. Requires the Windows firewall to be disabled on the target. Works on Windows XP but not necessarily on newer OSs; some settings need enabling in XP (see ref below)
- ref: "Sharing and security model for local accounts" is set to 'Guest only' on the remote PC. This is the most common issue, since it is set like that by default in Windows XP. To change it, follow these steps:
- Open 'Control panel'
- Select 'Administrative Tools'
- Open 'Local security policy'
- On the left pane navigate to 'Security Settings' => 'Local policies' => 'Security Options'
- On the right pane find 'Network access: Sharing and security model for local accounts'
- Double-click on it in order to change
- Set it to 'Classic - Local users authenticate as themselves'
- You can also do that in registry:
- Press on windows 'Start' button
- Click on 'Run...'
- Type 'regedit' and press Enter
- On the left pane navigate to
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
- On the right pane you will find value 'forceguest', if it is not there you need to create it, by clicking menu Edit => New => DWORD value
- Double click on 'forceguest' in order to change it
- Set it to '0'
- Exploitation
- QuarksPwDump or direct Link
- >psexec \\192.168.230.144 -u admin-2d3c45a76\admin2 -p admin2 -c QuarksPwDump -dhdc
- the command above outputs the cached domain credentials. Copy the output to a file cache.txt and run: john --format=mscash2 /linuxPath/cache.txt
- exploit/windows/smb/psexec_psh ----- set DryRun true and copy powershell payload
- net use p: \\NY\cdrive password /USER:myAccount ----- to mount a drive
- pass the hash with psexec requires the hash in LM:NT format. Even if you only have the NT hash you still need to provide an LM hash: you can type 32 zeros, but it is easier to paste the NT hash twice (so the same value appears on both sides of the colon)
- to run WCE with the hash of another user run the following:
- wce -s techsupport:1104:lmhash:nthash -c cmd.exe
- to show john cracked pws: john --show --format=NT testAdmin1.hash
- linux exploitation:
- SMTP enumeration: telnet ipaddress 25
- ehlo server
- vrfy root
- vrfy ishouldnotbehere
- expn asks for the membership of a mailing list; vrfy asks for information on an address
- alternatively run: smtp-user-enum -M VRFY -U /mnt/host/Wordlists/users.txt -t
- metasploit has a module for it as well: auxiliary/scanner/smtp/smtp_enum. To modify the module's code go to /usr/share/metasploit-framework/modules/auxiliary/scanner/smtp/smtp_enum.rb
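Seen from the mail server's side, the VRFY/EXPN probing described above leaves a recognisable trace. The following is an added example (not from these notes or any tool named here) that runs over a constructed Postfix-style log excerpt and reports clients that probed several distinct names; the log lines, hostnames and addresses are made up for the demonstration.

```python
import re
from collections import defaultdict

# Constructed log excerpt in a Postfix-like style (not captured from a real
# host). Each VRFY/EXPN reject line names the client and the probed address.
SAMPLE_LOG = """\
Mar  3 10:01:02 mx1 postfix/smtpd[2211]: connect from unknown[198.51.100.7]
Mar  3 10:01:03 mx1 postfix/smtpd[2211]: NOQUEUE: reject: VRFY from unknown[198.51.100.7]: 502 5.5.1 VRFY command is disabled; to=<root>
Mar  3 10:01:03 mx1 postfix/smtpd[2211]: NOQUEUE: reject: VRFY from unknown[198.51.100.7]: 502 5.5.1 VRFY command is disabled; to=<admin>
Mar  3 10:01:04 mx1 postfix/smtpd[2211]: NOQUEUE: reject: VRFY from unknown[198.51.100.7]: 502 5.5.1 VRFY command is disabled; to=<ishouldnotbehere>
Mar  3 10:01:04 mx1 postfix/smtpd[2211]: NOQUEUE: reject: EXPN from unknown[198.51.100.7]: 502 5.5.1 EXPN command is disabled; to=<staff>
Mar  3 10:02:10 mx1 postfix/smtpd[2215]: connect from mail.partner.example[203.0.113.9]
Mar  3 10:02:11 mx1 postfix/smtpd[2215]: NOQUEUE: reject: VRFY from mail.partner.example[203.0.113.9]: 502 5.5.1 VRFY command is disabled; to=<postmaster>
"""

PROBE_RE = re.compile(
    r"reject: (?P<cmd>VRFY|EXPN) from \S*?\[(?P<ip>[0-9a-fA-F.:]+)\].*?to=<(?P<target>[^>]*)>"
)


def probes_by_client(log_text):
    """Map client IP -> list of (command, probed name) found in the log."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        m = PROBE_RE.search(line)
        if m:
            seen[m.group("ip")].append((m.group("cmd"), m.group("target")))
    return dict(seen)


def enumeration_suspects(log_text, threshold=3):
    """Clients that probed at least `threshold` distinct names: a single VRFY
    is ordinary mail-admin behaviour, a burst of different names is a wordlist."""
    suspects = {}
    for ip, probes in probes_by_client(log_text).items():
        names = sorted({target for _, target in probes})
        if len(names) >= threshold:
            suspects[ip] = names
    return suspects


if __name__ == "__main__":
    # Server-side mitigation in Postfix is the real parameter: disable_vrfy_command = yes
    for ip, names in enumeration_suspects(SAMPLE_LOG).items():
        print(f"{ip}: {len(names)} names probed -> {', '.join(names)}")
```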
- Finger protocol is used for the exchange of human-oriented status and user information. Runs on port 79; finger works by querying entries in the passwd file, i.e. GECOS fields. Finger can also be used to query "plan" files. Plan files can be created by users to inform others of their current activity, humour or anything else the user may wish to share. The protocol suffers from vulnerabilities such as "CVE-2001-1503 Solaris information disclosure vulnerability", in which an attacker can list all the users of a host by requesting: finger 'a b c d e f g h'@target.com
- open a terminal window (Windows OS as the client, or use Kali but the packages need downloading) and type finger root@IPaddress to see if root is a valid account username on the target host
- to automate the user enumeration process run: for i in $(cat /mnt/host/Wordlist/users.txt); do finger $i@ipaddress | grep "Login"; done
- to automate the plan enumeration process run: for i in $(cat /mnt/host/Wordlist/users.txt); do finger $i@ipaddress | grep -A2 "Plan:"; done
- -A2 prints two lines after a match is found
- burpsuite shortcut: https://portswigger.net/burp/help/suite_functions_messageeditor_texteditor.html
- Source code review
- get familiar with use auxiliary/server/browser_autopwn2
- get familiar with websploit
- practicing with API tests
- Exercise with Flash Decompilers
- all swf from http://z13.invisionfree.com/Corrupted_Killers/index.php?showtopic=14&st=0& in particular flashmis2
- ldap injection
- Session Token Randomness: downloaded and installed Stompy and the fourlab entropy test, and read this useful presentation.
- You need to look at the bits of entropy
- requirements vary between 29 bits of entropy if only online attacks are expected and up to 128 bits of entropy for important cryptographic keys used in applications like encryption, where the password or key needs to stay secure for a long period and stretching isn't applicable
- with Stompy and Burp Suite you see the global entropy (e.g. 70 or 128; I noticed the results differ between the two)
- with the fourlab tool you need to multiply the number of bits of entropy per byte by the number of bytes
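The "bits per byte times number of bytes" calculation above is easy to reproduce and to sanity-check. The following is an added example (not from these notes or from Stompy, Burp or the fourlab tool) that estimates a token family's entropy per character position and rates it against the 29-bit and 128-bit figures quoted above; the sample tokens are constructed.

```python
import math
from collections import Counter

# The two thresholds quoted in the notes above.
ONLINE_ONLY_BITS = 29   # enough only if an attacker is limited to online guessing
CRYPTO_KEY_BITS = 128   # long-lived cryptographic keys


def shannon_bits(symbols):
    """Shannon entropy, in bits per symbol, of the observed symbol frequencies."""
    symbols = list(symbols)
    if not symbols:
        return 0.0
    n = len(symbols)
    return -sum((c / n) * math.log2(c / n) for c in Counter(symbols).values())


def per_position_entropy(tokens):
    """Bits of entropy at each position, measured across all sampled tokens.

    A constant prefix such as 'id-' scores 0 at those positions, which the
    pooled 'bits per byte x length' shortcut would silently credit as random.
    """
    length = len(tokens[0])
    if any(len(t) != length for t in tokens):
        raise ValueError("all sampled tokens must have the same length")
    return [shannon_bits(t[i] for t in tokens) for i in range(length)]


def estimate_token_bits(tokens):
    """Sum of per-position entropies. This is an upper bound on the true
    entropy because it assumes positions are independent: a counter-based
    token looks random position by position yet is fully predictable."""
    return sum(per_position_entropy(tokens))


def assess(bits):
    if bits < ONLINE_ONLY_BITS:
        return "insufficient even against online guessing"
    if bits < CRYPTO_KEY_BITS:
        return "adequate only where online attacks are the sole threat"
    return "meets the 128-bit key threshold"


if __name__ == "__main__":
    # Constructed sample: fixed 'id-' prefix plus four hex digits; only the
    # last three digits take all 16 values, so 12 bits is the most to expect.
    sample = [f"id-{i:04x}" for i in range(0x1000)]
    bits = estimate_token_bits(sample)
    print(f"estimated {bits:.1f} bits: {assess(bits)}")
```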
- Cross Site Scripting
- Definition: XSS occurs when the user is able to submit data that is then directly returned to them without first being properly sanitised. In effect it is possible to craft a valid application request that results in client-side code being run in the user's browser
- Need to install dom-based XSS scanner
- Header for XSS protection: X-XSS-Protection: 1; mode=block
- Same origin policy is defined as
- Same domain, port number and protocol
- Open a temp web server and access the logs
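To make the XSS definition and the same-origin rule above concrete, here is an added example (not from these notes) showing the unsanitised reflection the definition describes next to its output-encoded form, plus an origin comparison on scheme, host and port; the URLs and the probe string are constructed.

```python
import html
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def reflect_unsafe(name):
    """The pattern the definition describes: user input copied straight into
    the response body, so any markup in `name` is rendered, not displayed."""
    return f"<p>Hello, {name}!</p>"


def reflect_safe(name):
    """Encode the HTML-significant characters (& < > \" ') before output."""
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"


def origin(url):
    """(scheme, host, port) for a URL, filling in the default port if absent."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, (parts.hostname or "").lower(), port)


def same_origin(url_a, url_b):
    """Same-origin policy as summarised above: scheme, host and port must all
    match; path, query and fragment play no part."""
    return origin(url_a) == origin(url_b)


if __name__ == "__main__":
    probe = "<script>alert(1)</script>"   # constructed test input
    print(reflect_unsafe(probe))  # script element survives, would execute
    print(reflect_safe(probe))    # &lt;script&gt;... is displayed as text
    print(same_origin("https://app.example/a", "https://app.example:443/b"))  # True
    print(same_origin("https://app.example/", "http://app.example/"))        # False
```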