I’m going to write something or record a video on the importance of enumeration and why speed isn’t always your friend. Your task is to answer some questions about the target to help identify key elements. #pentesting #hacking #pwnDefendWithKali
So in the mean time i'm just going to make this a small thread... so we start with out awesome kali laptop on the network segement 192.168.100.0/24. We run ifconfig and understand our gateway and subnet, DHCP options etc.
after running "ip a" we are now going to launch wireshark. The number of people who seem to not pcap whilst testing is way bigger than you think. SANS recomend it.. there's a reason for that ;)
I'm going to dump the arp cache using 'arp -a' to see what I can see on the network. For this threat we are going to focus on windows machines! so let's try and hunt some of those...
Now I'm going to run a few different types of scan on purpose to show different results.. lets start with lazy mode
Now just so happens the hosts I care about are at the end of the scan... we can see here though that we have likely targets at 192.168.100.20 and 192.168.100.30 (notice port 139 and 445 on both. But we don't yet know what OS they are. So how do we find that? and why do we care?
nmap has a command line swtich '-O' which attempts OS detection. so let's just roll with that to start with -O. Now we can see straight away not only do the port exposures not match but they have different results for OS detection.
To the untrained eye you may miss some of these details... because here's a SS of each of the targets desktops.... they both run XP right!!! but hang on there might be quite a difference...
To the untrained eye you may miss some of these details... because here's a SS of each of the targets desktops.... they both run XP right!!! but hang on there might be quite a difference...
To the untrained eye you may miss some of these details... because here's a SS of each of the targets desktops.... they both run XP right!!! but hang on there might be quite a difference...
I'm going to go back and expand the nmap script to run with an SMB OS detection script as well...
here we can see that the machine 192.168.100.20 is running Windows XP, it's got the SMB Service and file services running. Usinga combination of the nmap -O and the SMB script we know the workgroup/domain name and the OS ver and SP level
Now we are going to analyse the .30 machine... here we can see that this machine is returning different data from the nmap -O detection. This is likely running Windows 2000/ME/XP however we can see from the SMB detect it's running XP. So its likely running XP RTM or SP1
Now we are going to analyse the .30 machine... here we can see that this machine is returning different data from the nmap -O detection. This is likely running Windows 2000/ME/XP however we can see from the SMB detect it's running XP. So its likely running XP RTM or SP1
Now we are going to analyse the .30 machine... here we can see that this machine is returning different data from the nmap -O detection. This is likely running Windows 2000/ME/XP however we can see from the SMB detect it's running XP. So its likely running XP RTM or SP1
So now we know they are both running the same OS, but are different SP levels. So we have answered the following question. What major and minor version is my target OS running!! This is a really important question in both web and infra testing.
We have also started to see what ports are open and what services are exposed, but let's go deeper. sure we've found some hosts and we've found SMB on some old ass OS's which probably are vulnerable but lets not get all slack. lets hit this with a full TCP scan (+ vuln scan)
scanning in progress ;) its sometimes good to use -vvv or go and make a cup of @YorkshireTea
Ok now that didn't take very long! we now have for more detailed output. We can see that 192.168.100.30 (the Windows XP RTM box) is vulnerable to some SMB exploits. We also can see the tcp ports exposed
Ok now that didn't take very long! we now have for more detailed output. We can see that 192.168.100.30 (the Windows XP RTM box) is vulnerable to some SMB exploits. We also can see the tcp ports exposed
Ok now that didn't take very long! we now have for more detailed output. We can see that 192.168.100.30 (the Windows XP RTM box) is vulnerable to some SMB exploits. We also can see the tcp ports exposed
The WIndows XP SP2 box (192.168.100.20) has less ports exposed, this implies that either services are not enabled or a firewall is present. but again it appears to be vulnerable to both MS08-067 and MS17-010
but wait... enumeration hasn't completed. we need to scan for UDP
Now let's be real here... this takes along time! so if you have somoene start saying everything can be done quickly... that's not always true. If you don't scan you can't know if something is exposed! BUt as with all things business, there are trades to be made, money/time/risk
see it's slow AF to UDP scan ;) because i've got work to do I'm going to abort the scan. but it show's that until u know, u shouldn't just assume.
For info. on a fast connection (1Gb eth) its going to take about 1 hour to do the top 1000 UDP ports
Ok so we've now understood, the OS, version, services exposed etc. Now let's tackle a problem which demonstrates why experaince and white box testing is going to give you better results than just throwing exploits out at targets
so here we have 192.168.100.30 our WIndows XP RTM box.. we have seen from our NSE script that this is responding as vulnerable to MS08-067 and MS17-010.. now I'm going to load #metasploit and see what's what!
so we fire up metasploit... and load the MS08-067 exploit module... ez pz so far right! this is basically a fire and pwn right? ;) we only have 4 options... RHOSTS, RPORT and PIPE. It uses automatic targeting.. ez pz.. or is it?
well what can we see here? well we don't have a session so something went wrong right....
ok now let's rage run -j ;) (ok trial and error... if we just keep going will it work...) well i'll cut the the chase... it's not worked for me!
now you might have realised but u've probably fucked the target a bit.... so i've been rebooting the system and firing again and again... and nothing...
but this is simples right... ;) so lets try against a SP2 box... woohoo shellz... but our XP RTM box still hasn't fallen...
lets look a bit more into finding exploits.. so we enumerated. we found the major and minor OS version, we did a vuln scan. now in this instance we knew the vuln.. but let's use the super handy tool: searchsploit
We can see here there's a number of exploits for this cve.... now we know the MSF module works against SP2. let's open the ruby file up.
We can see some autotargeting logic (i'm not going through this line by line)
We can also see shellcode being formed specific to these targets..
Now we know these is a flaw in here somewhere.... so we now look to the python module. Im going to skip a bit but I found a nicer pythong implementation online. here's the instructions
now i'm going to reboot the target (because i'd broken the Server service earlier with my failed msf module)
so we have a handler running on TCP 6200
and now after many many tweets! we have a shell against a Windows XP RTM virtual machine! Session 1 opened! #rootDance etc.
and here ends my thread. I have work to do, but I really hope this is useful for people. In a world of instant gratificaiton and impatience, you need to realise that this game isn't about speed, it's about doing a thorough job and being methodical and covering all bases.
@threadreaderapp unroll
You can follow @UK_Daniel_Card.
Tip: mention @twtextapp on a Twitter thread with the keyword “unroll” to get a link to it.

Latest Threads Unrolled:
There are a lot of misconceptions about the Turkish diaspora in Germany. Since i just finished writing an essay about this topic I thought it's time to give other people
Read more
Las mejores calculadoras online en 2020A thread http://totumat.com/2020/11/26/las-mejores-calculadoras-online-en-2020/ Cuando se estudian asignaturas que requieren de cálculos complicados, nada mejor que contar con una buena calculadora.
Read more
Mitigating #ClimateChange is as much about taking up new techs as about leaving others behindMost studies focus on #coal's global downfall but another #energy tech decline is loomingRead my new
Read more