Hack Whack and Smack

Simple Egress Testing via a VPS

If you want to test the egress controls from a client environment, the best way is to set up a VPS that appears to have every port open. This is easy to do if SSH is enabled, as you can forward all TCP ports to port 22 using iptables as shown below:

iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 1:65535 -j REDIRECT --to-port 22

Then do an Nmap or Masscan against your host and see if any ports are open. If they are then you have weak egress controls that you can abuse in your client environment :) 


Using MSSQL NTLM Stealer to Get Highly Privileged Domain Creds

Going from a normal domain user to a highly privileged MSSQL Service Account can sometimes be pretty easy with the following Metasploit module:

  • auxiliary/admin/mssql/mssql_ntlm_stealer


I have been using this method of escalation when various other methods fail, but also MSSQL databases can often be where the client’s personally identifiable information (PII) is held, which shows the most impact to higher-level employees or execs. The idea of this module is to take a compromised low-level user account (compromised by brute-force, NetBIOS spoofing, weak passwords or other) and re-use that information against MSSQL’s integrated domain authentication. If the database accepts domain authentication, the native db procedure ‘xp_dirtree’ is abused by inserting a targeted UNC path that then calls back to the attacker on TCP port 445 where Responder is listening. If successful, the MSSQL service account will authenticate and provide the NetNTLM hash, which can subsequently be cracked with JTR or Hashcat.

I usually then attempt to connect to the database manually with the cracked credentials, and if the account has administrator-level permissions on the host you can seamlessly RDP on or PSEXEC and further penetrate the network and capture in-memory credentials, hashes, and more.

This can also be used against externally facing MSSQL services if the system allows domain users to authenticate, which is usually the default in a domain environment. MSSQL should never be exposed externally; however, from experience I have seen this on the Internet. Shodan is full of examples:

https://www.shodan.io/search?query=MSSQL


Loading A Weaponised Interactive PowerShell Session With Metasploit

A colleague, @davehardy20, and I came up with this from an idea I had: it gives an interactive PowerShell session from Metasploit, using newly developed Metasploit payloads.

Check out the blog post here for more information – https://www.nettitude.co.uk/interactive-powershell-session-via-metasploit

Enjoy

Python Share Enumerator

Hey,

I’ve been working with a few large clients and needed to search a lot of network shares with a standard user account to see if the shares looked dangerous or overly permissive for the user, e.g. an admin share has full Everyone permissions and the user can capture sensitive data. To do this I’ve been using Metasploit smb_enumshares and then manually looking through to see which ones were accessible from the list. As you can imagine this can take some time and not be very useful; however, over a period of time I have seen some Hyper-V backups on shares that were accessible to users and could be downloaded and backdoored for the admin password hash etc.

This is a task well worth doing. So to cut a long story short, I created a Python script to do it: basically give it user credentials and a CIDR subnet and it will enumerate all shares and files/folders that are available to the given user. Simples.

Usage: python ./shares.py <username> <password> <domain> <hostip> <cidr-rhosts>


Let me know what you think, but I’m sure you will find this extremely useful, as I already have. A few dependencies are listed below:

#pip install https://pypi.python.org/packages/source/p/pysmb/pysmb-1.1.13.tar.gz
#smbconnection.py is another dependency

Download link: shares.py


Simple Nmap Parser

Hey,

Needed to parse an Nmap scan really simply and couldn’t find anything useful, so I created a simple C# application to do it. Thought others might find it useful; here’s a screenshot of the beast at work.




Nessus Parser in Python

I have been making a few programs in C# for parsing Nessus, and while these have been really good I wanted to expand my knowledge and create a Python parser so that I can edit and change it on the fly while pentesting to get any specific information that I need. For example, I have used Nmap to find all the web services, but this never picks all of them up, whereas Nessus does and places ‘svc_name=www’ under each port when this is the case, irrespective of whether it is SSL based or not.

Then I have a list of hosts and ports that I can have some confidence in, and I can start to further explore each web port with ‘nikto’ and possibly screenshot it with ‘wkhtmltoimage’.

To cut a long story short, I started writing my own class for this then stumbled across this code: https://code.google.com/p/pynessus/. These classes allow you to call all its functions to parse reports or deal directly with the Nessus scanning engine and run scans etc. I have only used this in the smallest way up to now but thought it’s an interesting blog and others could benefit from this too.

Here is an example script that pulls out all the web services from a Nessus scan and places them in a list with their respective port after a colon, e.g. 10.0.0.1:443.

import dotnessus_v2

# Path to the exported .nessus (v2) report file
preport = "/tmp/localhost.nessus"
rpt = dotnessus_v2.Report()
rpt.parse(preport)

# Print host:port for every finding Nessus tagged as a web service
for t in rpt.targets:
    for v in t.vulns:
        if v.get('svc_name') == 'www':
            print(t.name + ":" + v.get('port'))
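The two parsing tasks on this page, the Nmap parser post above and the Nessus web-service extraction just shown, can both be done directly against the scanner XML with the standard library, without pynessus. Below is an added example of my own (not the author’s C# tool or the pynessus code) that pulls host:port pairs from a constructed Nmap XML snippet and from a constructed .nessus v2 snippet; both samples are made up and the element names are the standard ones each scanner writes.

```python
import xml.etree.ElementTree as ET

# Constructed sample Nmap XML (not a real scan): one host, two open ports, one closed.
NMAP_XML = """<nmaprun>
<host><address addr="10.0.0.1" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
<port protocol="tcp" portid="8080"><state state="closed"/><service name="http-proxy"/></port>
</ports></host></nmaprun>"""

# Constructed sample .nessus v2 XML: svc_name="www" marks a web service as the post describes,
# and the same port appears once per plugin that fired, so duplicates must be folded.
NESSUS_XML = """<NessusClientData_v2><Report name="demo">
<ReportHost name="10.0.0.1">
<ReportItem port="443" svc_name="www" protocol="tcp"/>
<ReportItem port="22" svc_name="ssh" protocol="tcp"/>
</ReportHost>
<ReportHost name="10.0.0.2">
<ReportItem port="8443" svc_name="www" protocol="tcp"/>
<ReportItem port="8443" svc_name="www" protocol="tcp"/>
<ReportItem port="80" svc_name="www" protocol="tcp"/>
</ReportHost></Report></NessusClientData_v2>"""


def _fmt(pairs):
    """Sort (host, port) pairs by host then numeric port and render them as host:port."""
    return [f"{h}:{p}" for h, p in sorted(pairs, key=lambda hp: (hp[0], int(hp[1])))]


def nmap_open_ports(xml_text):
    """host:port for every port Nmap reports as open (what the C# parser post does)."""
    found = set()
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            if port.find("state").get("state") == "open":
                found.add((addr, port.get("portid")))
    return _fmt(found)


def nessus_web_services(xml_text):
    """host:port for every ReportItem tagged svc_name="www"; the set does the sort | uniq step."""
    found = set()
    for host in ET.fromstring(xml_text).iter("ReportHost"):
        for item in host.iter("ReportItem"):
            if item.get("svc_name") == "www":
                found.add((host.get("name"), item.get("port")))
    return _fmt(found)


if __name__ == "__main__":
    print("\n".join(nmap_open_ports(NMAP_XML)))
    print("\n".join(nessus_web_services(NESSUS_XML)))
```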


 

Here is another example script that uses the other class to initiate a connection to the Nessus server and launch a scan. Once the scan has launched you can also use the script to download reports, as shown below. I take no credit for creating these scripts as they have been created by the author; I merely have used the functions to pull out what data I want from Nessus and want to share this as I think it’s very useful.

import pynessus

server = "localhost"
port = "8834"
user = "nessus-user"
password = "nessus-password"

# Placeholders: set these from your own Nessus server, policy and targets
scan_name = "example-scan"
policy_id = "1"
target_list_iter = ["10.0.0.1", "10.0.0.2"]
report_uuid = "<report-uuid>"

# Authenticate to the Nessus server
n = pynessus.NessusServer(server, port, user, password)

# Launch a scan of the targets using the chosen policy
n.launch_scan(scan_name, policy_id, target_list_iter)

# Download a finished report by its UUID
n.download_report(report_uuid)


Anyway, thought it’s worth a simple blog; here’s the link to the class files. I also run these through a series of other little scripts to run nikto on all hosts as well as running a screenshot grab for all web-based services so that I can see them quickly. Here is a little bash script I wrote that takes the output from the above and gets a screen capture of all web services. First of all I run web-parse.py to get my host list like so:

python web-parse.py | sort | uniq | tee web-hosts.txt

Then run my bash script below, and a for loop to run nikto:

for host in `cat web-hosts.txt`; do nikto -h $host > $host.txt ; done

grab.sh web-hosts.txt


#!/bin/sh

filename="$1"
while read -r line
do
    name=$line
    echo "Name read from file - $name"

    # Seconds to wait before a hung wkhtmltoimage is killed
    TIMEOUT=3

    ( wkhtmltoimage http://$name $name.jpg ) & pid=$!
    ( sleep $TIMEOUT && kill -HUP $pid ) 2>/dev/null & watcher=$!
    wait $pid 2>/dev/null && pkill -HUP -P $watcher

    ( wkhtmltoimage https://$name $name-ssl.jpg ) & pid=$!
    ( sleep $TIMEOUT && kill -HUP $pid ) 2>/dev/null & watcher=$!
    wait $pid 2>/dev/null && pkill -HUP -P $watcher

done < "$filename"


Enjoy 🙂

Python AES Web Token Generator

Recently I was testing a web app that made use of AES encryption to generate tokens. I put together my own proof of concept code to generate the tokens and to decrypt the tokens using pycrypto. The code reads in strings from a separate file and then uses the key and IV with the AES algorithm to generate an AES-encrypted, base64-encoded string. The method was a port of Microsoft .NET standard written in VB. I’m sure the code is a copy from somewhere with a few amendments, so sorry if I stole your code! ;-P

Obviously for this to work you need the key, which was 16 bits long and pretty much unbreakable in the time I had, but it was retrievable in other ways. Anyway, just wanted to post this so that I was top of the leader board again! Woohoo!!

Code →AES-Token-Generator.py

Service Permission Checker (service-perms.exe)

Hi folks,

I slightly updated my program to show a few extra bits of information about the service. Firstly, it now shows whether that user can stop and start the service, including the running state. Also, it now shows the permissions on the parent folder in case these are different to those of the binary.

Happy hacking 🙂 Here is another link to the tool.


Service ImagePath Permission Checker

Hi Everyone,

I know there are quite a few tools that do something similar to this already, but I wanted to create my own and just output all this data to an HTML file. ‘Simples’.

So basically this outputs a file called report.html and lists all the services and the permissions on those binaries. It also has a column on whether they are unquoted service paths. Quite neat; I’m looking to make loads of these types of tools for breakout testing. It’s also fairly useful when you have limited access to the box or need to download a tool that will run as a low-level user, and just open the output with tools on the workstation, usually Internet Explorer. The following screenshot shows an example of the output.


Take a look and let me know what you think. Hopefully I will be writing more into this so that it can do a lot more.

Download here

🙂

Metasploit Payload Generator Script – paygen

Hi,

When testing I always find myself doing more advanced exploitation on boxes and mostly use Metasploit to do all these tasks; however, I always forget the exact syntax for creating a Metasploit payload and then setting up a multi/handler.

Obviously there are loads of easy ways to do this, but I thought I would create a simple Python script that basically takes your IP from eth0, then asks what type of payload to create and the output location. Once it has generated this, it will create a multi/handler session with all the same settings ready for you. This then makes it terribly easy to run paygen and then double-click the file from my Samba share.

It could be improved by adding AV bypass techniques such as Veil or Ultimate Payload, but for now I have just done the basics. Anyway, here is the script paygen; let me know thoughts, suggestions, insults etc.


Have fun 🙂