CyberWar-AOCO-2014

September 6, 2017 | Author: strokenfilled | Category: Proxy Server, Tor (Anonymity Network), Php, Secure Shell, File Transfer Protocol


Short Description

The Cyber War Operations course teaches you step by step how to conduct a security assessment...

Description

Strategic Security, Inc. © http://strategicsec.com/

CyberWar: Advanced Offensive Cyber Operations
Written by Joe McCray
Contributors:

Contents

Section 1: Attacking From The Outside (p. 7)
  Lab 1: Target IP Determination (p. 7)
    Lab 1a: Blindcrawl (p. 7)
    Lab 1b: Fierce (p. 8)
    Lab 1c: GXFR (p. 9)
    Lab 1d: IP Crawl (p. 10)
  Lab 2: Identifying Security Mechanisms (p. 14)
    Lab 2a: LBD (p. 14)
    Lab 2b: Halberd (p. 15)
    Lab 2c: OSSTMM (p. 18)
    Lab 2d: SSLTEST (p. 19)
  Lab 3: Dealing With Web Application Firewalls (p. 21)
    Lab 3a: Web Application Firewall Detection (p. 21)
    Lab 3b: WAF Bypass SQL Injection Payloads (p. 22)
    Lab 3c: WAF Bypass Cross Site Scripting Payloads (p. 23)
  Lab 4: Quick Hits (Googling for vulnerabilities) (p. 24)
    Lab 4a: Google for generic Database errors (p. 24)
    Lab 4b: Google for generic RFIs (p. 24)
    Lab 4c: Check for XSS at xxsed.com (p. 25)
  Lab 5: 3rd Party Scanning and scanning via proxies (p. 25)
    Lab 5a: Shodan (p. 26)
    Lab 5b: Proxyfinder.pl (p. 26)
    Lab 5c: Tor/Tor-resolve (p. 27)
    Lab 5d: Proxychains/Proxyresolv (p. 28)
    Lab 5e: Port scanning through PHP proxies (p. 29)
  Lab 6: Nessus through Tor (p. 32)
  Lab 7: Burp Suite (p. 34)
    Lab 7a: Burp Suite Through Tor/Privoxy (p. 40)
    Lab 7b: Masking Nikto Headers (p. 44)
  Lab 8: Tor Through an SSH Tunnel (p. 49)
Section 2: Attacking The Internal Network (p. 59)
  Lab 9: Email Address Harvesting (p. 62)
  Lab 10: Browser Fingerprinting (p. 68)
    Lab 10a: Central Ops (p. 68)
    Lab 10b: Metasploit (p. 71)
  Lab 11: Client-Side Enumeration (p. 73)
    Lab 11a: Getting your shell (p. 73)
    Lab 11b: Figure out who and where you are (p. 75)
    Lab 11c: Escalate privileges and get hashes (p. 76)
    Lab 11d: Enumerate the host you are on (p. 79)
    Lab 11e: Steal Tokens (p. 83)
    Lab 11f: Prove access (p. 86)
    Lab 11g: Enumerate the network you are on (p. 87)
    Lab 11h: Set up your Pivot (p. 89)
    Lab 11i: Now set up Pivot with a route add (p. 90)
    Lab 11j: Scan through your Pivot (p. 90)
    Lab 11k: Lateral movement through your Pivot (p. 91)
    Lab 11l: Pivot Persistence (p. 92)
    Lab 11m: Set up a Socks Proxy through your Pivot (p. 97)
    Lab 11n: SSH Tunneling (p. 99)
    Lab 11o: VPN Pivot (p. 101)
    Lab 11p: ICMP Tunneling (p. 104)
    Lab 11q: IPv6 to IPv4 Tunnel (p. 106)
  Lab 12: VBScript For Post Exploitation (p. 108)
    Lab 12a: Identifying the IP Address (p. 108)
    Lab 12b: Download a file from the internet (p. 109)
  Lab 13: Running Powershell From A Command Prompt (p. 111)
    Lab 13a: Reverse Shell with Powershell (p. 111)
    Lab 13b: Payload which could execute shellcode from DNS TXT queries (p. 112)
    Lab 13c: Run mimikatz via powershell (must be run as SYSTEM) (p. 113)
    Lab 13d: Token Manipulation to escalate (must be run as an Administrator) (p. 114)
    Lab 13e: Nishang payload which scans IP addresses, ports and hostnames (p. 115)
    Lab 13f: Nishang payload which gathers juicy information from the target (p. 116)
    Lab 13g: Nishang payload which logs keys (p. 116)
    Lab 13h: Nishang payload which silently browses to a URL and accepts the Java Applet Run warning (p. 118)
    Lab 13i: Nishang payload which dumps keys for WLAN profiles (p. 118)
  Lab 14: SchTasks for Powershell (p. 122)
  Lab 15: Host Enumeration (p. 129)
  Lab 16: Credential Harvesting & Data-Mining (p. 139)
  Lab 17: Life without metasploit (p. 160)
  Lab 18: Setting up your second entry (p. 167)


Section 1: Attacking From The Outside

Lab 1: Target IP Determination

Lab 1a: Blindcrawl

cd ~/toolz
perl blindcrawl.pl -d motorola.com


Lab 1b: Fierce

cd ~/toolz/fierce2
fierce -dns motorola.com


Lab 1c: GXFR

cd ..
python gxfr.py --bxfr --dns-lookup -o motorola.com
Enter Domain Name: motorola.com
Bind API Key: cw1kxyUgMdkECBNMb1fGqKJ9sC1lznaR20fPJeIt45Y=


Lab 1d: IP Crawl

DNS forward lookup against a given IP range:

cd ~/toolz/
./ipcrawl 148.87.1.1 148.87.1.254


sudo nmap -sL 148.87.1.0-255


sudo nmap -sL 148.87.1.0-255 | grep oracle


dig google.com


Lab 2: Identifying Security Mechanisms

Lab 2a: LBD

cd ~/toolz
./lbd-0.1.sh google.com


Lab 2b: Halberd

halberd microsoft.com


halberd motorola.com


halberd oracle.com


Lab 2c: OSSTMM

osstmm-afd -P HTTP -t strategicsec.com -v


Lab 2d: SSLTEST

cd toolz/
cat /etc/xinetd.d/ssltest

cat /home/strategicsec/toolz/ssl_proxy.sh

service xinetd status


osstmm-afd -P HTTP -t 127.0.0.1 -p 8888 -v


Lab 3: Dealing With Web Application Firewalls

Lab 3a: Web Application Firewall Detection

WAF Detection:

cd ~/toolz/wafw00f
python wafw00f.py http://www.oracle.com

cd ~/toolz/
sudo nmap -p 80 --script http-waf-detect.nse oracle.com


Lab 3b: WAF Bypass SQL Injection Payloads

Go to the address below in Firefox:

http://www.modsecurity.org/demo/crs-demo.html

Insert the following payloads and keep track of the score each payload receives.

SQL Injection Payloads:

' or 1=1--

%27%201=1%2D%2D

' and 8