MSF Fundamentals 2017 (Part 3 of 3) – Pivoting and Automation

This is a quick-hit version of part three of a three-part series on Metasploit Fundamentals that I wrote to update my previous work (from 2014) on Metasploit. If you’re looking for a more hands-on/in-depth version of this article you can access training on this topic here: MSF Fundamentals – Part 3 of 3 (Pivoting and Automation) (basic_0x04)

The purpose of this article is to cover pivoting, port-forwarding, and automation to expand the reach of your tools and reduce the amount of time you spend on repetitive work.  Part one covered starting up the MSF, finding an exploit, finding a matching payload, and configuring everything up to the point of launching the exploit. Part two covered exploitation and post-exploitation modules to the point where you are comfortable with the various ways of manipulating a system after you’ve opened a session to it.  This training assumes you’re using a 2016 variant of Kali Linux and that it’s patched up to at least August 2016. If that’s true, then let’s go!


Windows System Wiping

If you’re looking for a quick way to clean out unused drive space, Windows 7 and later have a built-in tool called Cipher that can handle that easily. To wipe all free space on a drive (the C: drive in the example below) just use the following syntax:

cipher /w:c:

There are a lot of additional features to this tool (which you can review at the link above), but a scheduled task to wipe your free space on a regular basis can greatly reduce the probability of data recovery in the event your device is stolen. Consider it a standard part of your regular hygiene along with drive encryption.

Linux Login Notifier

Here’s a quick script I wrote some years ago to notify me when an interactive session is being launched from one of my servers. Feel free to modify/use however you see fit. Thanks!

#!/bin/bash
# Place this in /etc/profile.d/whatever-name-you-like.sh
# Address that receives the notification
NOTIFYADDRESS="your_email_address"
# Address the notification is sent from
FROMADDRESS="sending_email_address"
THESYSTEM=$(hostname)
# Resolve the login name for the current UID from /etc/passwd
THATUSER=$(awk -v USER="$UID" -F : '$3 == USER {print $1}' /etc/passwd)
CURTIME=$(date --rfc-3339=ns)
# Send the notification email
echo "Login from ${THATUSER} (${UID}) on ${CURTIME}" | mail -aFrom:"${FROMADDRESS}" -s "${THATUSER} just logged into ${THESYSTEM}" -r "${FROMADDRESS}" "${NOTIFYADDRESS}"

It just fires off an email whenever an interactive session is started.
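
An added example, not the author's script: a variant of the notifier that records where the login came from and only fires for interactive shells. The function names, the `login-notify` syslog tag and the `NOTIFY_TO`/`NOTIFY_FROM` placeholders are assumptions made for illustration.

```shell
#!/bin/bash
# Added example: login notice with source address, for /etc/profile.d/.
# NOTIFY_TO / NOTIFY_FROM are placeholders, as in the script above.
NOTIFY_TO="your_email_address"
NOTIFY_FROM="sending_email_address"

# Build one notice line. sshd sets SSH_CONNECTION to
# "client_ip client_port server_ip server_port"; console logins leave it unset.
build_login_notice() {
    local user src tty_name
    user=$(id -un 2>/dev/null) || user="uid-$(id -u)"
    tty_name=$(tty 2>/dev/null) || tty_name="none"
    if [ -n "${SSH_CONNECTION:-}" ]; then
        src="${SSH_CONNECTION%% *}"   # first field is the client address
    else
        src="local"
    fi
    printf 'Login: user=%s uid=%s host=%s source=%s tty=%s time=%s\n' \
        "$user" "$(id -u)" "$(uname -n)" "$src" "$tty_name" \
        "$(date --rfc-3339=seconds)"
}

# Succeeds only when the shell flags passed in contain "i" (interactive).
is_interactive_shell() {
    case "$1" in
        *i*) return 0 ;;
        *)   return 1 ;;
    esac
}

notify_login() {
    local notice
    notice=$(build_login_notice)
    # Keep a local syslog record even if mail delivery fails.
    logger -t login-notify -- "$notice"
    # Send from a background subshell so a slow mail system never delays the login.
    ( printf '%s\n' "$notice" |
        mail -s "Login on $(uname -n)" -r "$NOTIFY_FROM" "$NOTIFY_TO" \
        >/dev/null 2>&1 & )
}

# "$-" holds the current shell's option flags; skip scripted, non-interactive shells.
if is_interactive_shell "$-" && command -v mail >/dev/null 2>&1; then
    notify_login
fi
```

The syslog line gives you a local record to correlate against the SSH daemon's own authentication log when a notification email looks unexpected.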

MSF Fundamentals 2017 (Part 2 of 3) – Exploitation and Post-Exploitation

This is a quick-hit version of part two of a three-part series on Metasploit Fundamentals that I wrote to update my previous work (from 2014) on Metasploit. If you’re looking for a more hands-on/in-depth version of this article you can access training on this topic here: MSF Fundamentals – Part 2 of 3 (Post-Exploitation with Meterpreter) (basic_0x03)

The purpose of this article is to cover exploitation and post-exploitation modules to the point where you are comfortable with the various ways of manipulating a system after you’ve opened a session to it. Part one covered starting up the MSF, finding an exploit, finding a matching payload, and configuring everything up to the point of launching the exploit. Part three covers pivoting, port forwarding, and automation. This training assumes you’re using a 2016 variant of Kali Linux and that it’s patched up to at least August 2016. If that’s true, then let’s go!


WPA Handshake Stripping

Many thanks to INIT_SIX for also pointing out a quick way to reduce the size of your WPA handshake captures using pyrit:

pyrit -r /path/to/capture.cap -o /path/to/handshake-only-output.cap strip

Add the “-e” or “-b” switches to filter down to just a single AP by ESSID or BSSID respectively:

pyrit -r capture.cap -o output.cap -b "99:88:77:66:55:44" strip

That’s it! Good hunting!

Wireless Attack: WPA

The following is a quick-hit list of commands for attacking a WPA wireless network. It assumes you are using a 2016 variant of Kali Linux with the aircrack-ng suite installed and a wireless network card that can be placed into monitor mode (which should be about 100% of them). It also assumes that there is a WPA network with an associated client that is transmitting, and that you are running as a user with sufficient permissions to execute each of these commands.

For the sake of this tutorial the AP will be assumed to have a MAC address of “99:88:77:66:55:44” and the client will be assumed to have a MAC address of “00:11:22:33:44:55”. The wireless network card we will use will be assumed to be “wlan0”.

If a presentation is more your style of learning you can access training on this topic here: Wireless Attacks – WPA & WPS (basic_0x01)


Installing CrackMapExec (CME)

If you need to install CrackMapExec (CME), which for some reason isn’t included in Kali Linux, you can do so with the following commands:

apt-get install -y libssl-dev libffi-dev python-dev build-essential
apt-get install virtualenvwrapper
source /usr/share/virtualenvwrapper/virtualenvwrapper.sh
mkvirtualenv CME
(CME) #~ pip install crackmapexec

Lifted from the CME Wiki install instructions.

Reversing Binary on Command Line

Just throwing this here in case it’s useful to someone else… I often come across binary in challenges that needs to be reversed, and don’t always have a quick tool available. Assuming you have Perl installed, it’s a straightforward conversion (this assumes 8-bit, zero-padded data):

echo 01000001 01000010 01000011 01000100 | perl -lape '$_=pack"(B8)*",@F'
ABCD

Good hunting. 🙂
