If you ever get to run “service” command with root privileges, you can escape from restricted shell to root.
In this example /etc/sudoers has allowed an user to run this program as root without password need.
1. sudo -l
2. Now that we know the command can be run without password need
apt-get can be used to escalate privileges when sudo is allowed without password.
1. check the permissions this user has
We can see that /usr/bin/apt-get is allowed (NOPASSWD)
2. get into changelog documentation
3. At the bottom type into change to /bin/bash since this document has been opened as root, seems to be “less” Linux utility.
After that you immediately change to root log in.
(For this to work the target package (e.g., sl) must not be installed.)
1. Having NOPASSWD rights
If you type exit the apt-get update command starts to do its job.
2. using apt
For using either apt or apt-get you need sudo access.
sudo -l
Bettercap is a powerful, easily extensible and portable framework written in Go which aims to offer to security researchers, red teamers and reverse engineers an easy to use, all-in-one solution with all the features they might possibly need for performing reconnaissance and attacking WiFi networks, Bluetooth Low Energy devices, wireless HID devices and Ethernet networks.
This Guide is to show you basic usage of the application.
https://github.com/bettercap/bettercap
Installing pcap tools
1. Initiate the program by selecting the network adapter to use, if non is specified, there is a default one
2. To show the options/info of each module
3. To set the value of a variable
4. Discover devices on the network
5. Change MAC address
To specify the MAC use
1. Start a proxy HTTP or HTTPS
2. Spoof the DNS
3. Sniff for passwords
To save the output to a file
1. Start better cap using wireless adapter
2. Check on all the possibilities
3. Turn on recon
To search on specific channels
To capture handshake, frames (0x888E), while wifi.recon is on
To enable all
The packet captured is PMKID
4. Having that handshake captured, we will capture it to hash, for hashcat to understand
5. now run hashcat against the new file created, wait for it to complete.
Dig stands for (Domain Information Groper). Dig is a network administration command-line tool for querying Domain Name System (DNS) name servers. It is useful for verifying and troubleshooting DNS problems and also to perform DNS lookups and displays the answers that are returned from the name server that were queried. dig is part of the BIND domain name server software suite. dig command replaces older tool such as nslookup and the host. dig tool is available in major Linux distributions.
Debian
CentOS 7
In its simplest form, the syntax of the dig utility will look like this:
[server] – the IP address or hostname of the name server to query
If the server argument is the hostname then dig will resolve the hostname before proceeding with querying the name server.
It is optional and if you don’t provide a server argument then dig uses the name server listed in /etc/resolv.conf
[name] – the name of the resource record that is to be looked up
[type] – the type of query requested by dig. For example, it can be an A record, MX record, SOA record or any other types. By default dig performs a lookup for an A record if no type argument is specified.
Queries
Dig a Domain Name
UNDERSTAND THE OUTPUT:
Short Answers
Detailed Answers
Specifying Nameservers
The following dig command sends the DNS query to Google’s name server(8.8.8.8) by using the @8.8.8.8 option
Query All DNS Record Types
Search For Record Type
Trace DNS Path
Reverse DNS Lookup
Reverse DNS lookup lets you look up the domain and hostname associated with an IP address.
Batch Queries
provide dig with a list of domain names – one per line in a file
Custom Query
Those different domains in the output point to the same IP.
WFuzz is a web application bruteforcer that can be considered an alternative to Burp Intruder as they both have some common features. With both Wfuzz and Burp Intruder we can bruteforce different web applications elements, like GET/POST parameters, cookies, forms, directories, files, HTTP headers, etc.
This simple concept allows any input to be injected in any field of an HTTP request, allowing to perform complex web security attacks in different web application components such as: parameters, authentication, forms, directories/files, headers, etc.
Wfuzz uses the keyword FUZZ to test a word list
http://10.10.10.150/FUZZ
http://10.10.10.150/FUZZ/FUZZ
http://10.10.10.150/FUZZ/FUZZ/FUZZ
https://github.com/xmendez/wfuzz
https://wfuzz.readthedocs.io/en/latest/index.html
You can use wfuzz to find some vulnerabilities:
1. Displaying help
2. Display the settings
1. wfuzz looking for common directories:
Using -z, this is for payloads
2. wfuzz looking for common files, eg “.php”, this technique can be used to find any file with the extension you specify.
To make this faster use -t option (Specify the number of concurrent connections default=10)
3. Filtering the results parameter, hc=code/hl=lines/hw=words/hh =chars
In this case we got responses that were not 404
In this scenario we excluded 404 responses (–hc=404) and files that had 0 lines (–hl=0)
As in the first scan we made we got one of these lines
000000002: 404 9 L 32 W 286 Ch “!_archives”
In this case we are filtering 286 ch (–hc 286), that is not showing in the screenshot above
4. Filtering using –sc/sl/sw/sh code/lines/words/chars . This ones print the matching response, instead
This one prints only word listed as 32 W
This one prints only 200 & 301 responses
5. Fuzzing Parameters In URLs
You often want to fuzz some sort of data in the URL’s query string, this can be achieved by specifying the FUZZ keyword in the URL after a question mark
–hc/hl/hw/hh hide responses with specified code/lines/words/chars,print responses with different value
This way you can get patterns filter those off and then look for changes in the responses.
5. Writing to a file, wfuzz provides different file formats
6. Proxies
If you need to use a proxy, simply use the -p parameter:
This way we can analyze the requests & responses in detail
Multiple proxies can be used simultaneously by supplying various -p parameters:
7. Inject into header: -H “content”
Replacing exiting fields “User-Agent”. Previously it was “User-Agent: Wfuzz/2.4”, now it shows in BurpSuite as “User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0”
To fuzz user agent do the following https://developers.whatismybrowser.com/useragents/explore/
User-Agent
For this one, I will use https://deviceatlas.com/blog/list-of-user-agent-strings which contains User-Agent demo for many device types.
I will use the following
Mac OS X-based computer using a Safari browser
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/601.3.9 (KHTML, like Gecko) Version/9.0.2 Safari/601.3.9
1. Run the -H option pointing to this user-agent.txt file and send output through proxy so you can capture responses and analyze them.
Fuzzing the host info
8. Fuzzing HTTP Verb
HTTP verbs fuzzing can be specified using the -X switch, the -c is for fancy color view
Here you can see that the requests is via POST. The command below scans for a list of HTTP methods
This one will use HEAD method
Here we can see HEAD method in use.
9. Using recursion
-R1 = enabling recursion depth 1, uses the same file, list over again
HTTP verbs:
1. Using a range to scan for 200 OK
–sc 200 = only print 200 OK responses
-c = color the result response
-Z = ignore errors
-z range,1-254 = use payload range
This prints the available payloads
2. Using multiple payloads, this time range and different file extensions
–sc 200 = only print 200 OK responses
-c = color the result response
-Z = ignore errors
-z range,1-254 = use payload range, first FUZZ
-z list,html-php-asp = use payload list, second FUZ2Z
When the parameters are passed via URL which means GET method is in use. We can brute force those credentials.
Vertical scanning (different password for each user)
Horizontal scanning (different usernames for common passwords)
Diagonal scanning (different username/password each round)
Three dimension (Horizontal, Vertical or Diagonal + Distributing source IP)
Four dimensions (Horizontal, Vertical or Diagonal + Time Delay + Distributing Source IP)
https://www.owasp.org/index.php/Testing_for_Brute_Force_(OWASP-AT-004)
Using cookies
-b cookie=c0548020854924e0aecd05ed9f5b672b=mu4a0g5gjfnomflaugcinj5e98 = set value
We will brute force a Joomla login page. We have captured the password (Curling2018!), but we don’t know the username.
1. Attempt to log in normally and capture that request
In this capture we can see the following
2. we will try to spoof that username with wfuzz
We omitted 200 OK responses, due to, all failed attempts responded with that. We got the username “Floris”, along with other responses we can test that out.
Username: Floris
Password: Curling2018!
We can see there the 303 response, a new cookie is set also.
When doing this, try to use the latest cookie, sometimes it can time out and the login is unsuccessful
List of known tools that can help with your Web Application testing.
Burp Suite – Integrated platform for performing security testing of web applications.
Extensions
Web scarab – Proxy interception
OWASP Zed Attack Proxy (ZAP) – Feature-rich, scriptable HTTP intercepting proxy and fuzzer for penetration testing web applications.
dirbooster – Directory brute force
gobuster – Directory brute force
dirb – Directory brute force
wfuzz – it replaces any reference to the FUZZ keyword by the value of a given payload.
dirsearch – simple command line tool designed to brute force directories and files in websites.
Dirble – a website directory scanning tool for Windows and Linux.
Parameth – This tool can be used to brute discover GET and POST parameters
nikto – web server scanner
wikto – Wikto is Nikto for Windows
W3af – Web Application Attack and Audit Framework
Racoon – Offensive Security Tool for Reconnaissance and Information Gathering
WAScan – Web Application Scanner – designed to find various vulnerabilities using “black-box” method
Breacher – A script to find admin login pages and EAR vulnerabilites.
Snallygaster – scan for secret files on HTTP servers
IIS Short Name Scanner – disclosure vulnerability by using the tilde (~) character
oxml_xxe – This tool is meant to help test XXE vulnerabilities
ACSTIS – helps you to scan certain web applications for AngularJS Client-Side Template Injection
WPScan – black box WordPress vulnerability scanner
WordPress Exploit Framework – testing of WordPress systems
WPForce – WPForce is a suite of WordPress Attack tools.
WordPress Exploit Framework – Designed to aid in the penetration testing of WordPress systems.
cms-Explorer – designed to reveal the the specific modules, plugins, components and themes that various CMS
CMSmap – automates the process of detecting security flaws of the most popular CMS
CMSeeK – Basic CMS Detection of over 170 CMS
droopescan – A plugin-based scanner that aids security researchers in identifying issues with several CMS Drupal.
Typo3-Enumerator – automates the process of detecting the Typo3 CMS
Joomscan – OWASP Joomla! Vulnerability Scanner (JoomScan)
XSStrike – Advanced XSS Detection Suite
Sqlmap – automates the process of detecting and exploiting SQL injection flaws
SQLmate – Like finding admin panel of the target
LFI Freak – exploiting local file inclusions using PHP Input
Tplmap – assists the exploitation of Code Injection
XCat – exploit and investigate blind XPath injection vulnerabilities.
Ysoserial – generating payloads that exploit unsafe Java object deserialization
Fuxploider – detecting and exploiting file upload forms flaws
Offensive Web Testing Framework – tests to security standards like the OWASP Testing Guide
WhatWaf – advanced firewall detection tool