CompTIA Pentest+ PT0-002 – Section 23: Exploits and Automation Part 2
March 21, 2023

223. Exploits for Enumerating Users (OBJ 5.2)

In this lesson, we're going to talk about exploits for enumerating users in a couple of different languages. First, we have PowerShell. If you want to list all the users in a domain, you can simply use this command on one line: Import-Module ActiveDirectory; Get-ADUser -Identity <username> -Properties *. This'll return a list of all the Active Directory users that are in the domain you're already into. This is a great way to find who is on that domain and who you can use as part of your horizontal privilege escalation. If you want to find out who is in the administrators group, you're going to use something more like this. This command will list all the users in a group. You're going to use Import-Module ActiveDirectory; Get-ADPrincipalGroupMembership <username> | select Administrator. This'll show you all the users who are part of the administrator group. This is great when identifying targets for later on for your vertical escalation of privileges. Notice on both of these, we had to import a module called ActiveDirectory. This is because, by default, PowerShell does not have the ActiveDirectory module loaded.

So you'll import that module the first time you use one of these two commands, and you can skip it the second time. Both of those are great if you're on a Windows domain, but if you're on Linux, you need a way to list out users on those systems, too. This is what Bash is for. In Bash, you can list all the users on a given system by simply typing in cat /etc/passwd. This will print the contents of the password file to your screen, and the first field on each line contains the user name for everybody who has an account on the system. Unfortunately, this is a little bit messy to look at, and so I prefer to use a different way of doing this. I like to use this command when I'm using Bash to list all the users on a system: awk -F ':' '{print $1}' /etc/passwd. What is this doing?

It's doing the same thing, but awk allows me to drop the rest of the information and only look at the first column, or first field, in this file. So instead of seeing all the dots and slashes and all the other information, I'm just going to get a list of all the users. This is also helpful if you need to get a bunch of user names to put into a password-cracking tool; that way you have all the users identified by themselves in that file. The last two commands I showed you in Bash work really well to list all the users on a system, but they don't tell you who's active right now. Instead, if you want to find all of the logged-in users on a system, you can use the who command. But, like listing out the password file, it gives you way more information than you're looking for.

Using a combination of who, awk, sort, uniq, and tr, we can take that data and clean it up as we go. By running the who command, we're going to get a list of all the logged-in users. Then we're going to pipe that into the awk command, where we're only going to keep the first word of each line. We already saw in the last command that the first word of each line, as selected with awk, gives us the user names. Then I'm going to put it through sort. This puts those user names in alphabetical order for me. Then I'm going to put it through uniq. This removes any duplicates: if Jason is logged in to two different sessions right now, we're only going to see him once after the uniq command. Then we're going to move it through the tr command, where we're going to replace the line breaks with spaces. This means, instead of having one person per line, we're going to get one line with all of our users listed on it, so it takes up a lot less space and we can see them all on the screen at one time. Put together, that pipeline is who | awk '{print $1}' | sort | uniq | tr '\n' ' '. If you're using Python, you can also list out users and groups, but it does take a little bit more coding. In Python, you can do this using a sample script like this. What we're going to do is list out a user, then a group, then go to a new line; user, group, go to another line, and keep doing that. To do this, we're going to first mark this as a Python script with the line #!/usr/bin/python. Then we're going to define a function. This function is called read_and_parse, and it takes one input, which is a file name.

This file name is a string that holds the full path to the file as its input. Next, we're going to create a list called data. And then we're going to say with open(filename, "r") as f. We're going to go through a for loop for each line in f.readlines(). Every time we have a line, until we get to the end of the file, we're going to do a data.append() to add more information to that data list. We're going to use line.split(":")[0] to take out the first field you find in those files, which in the case of the password file would be the user name. Then we're going to do data.sort(). This puts them into alphabetical order, and then, for each item, we print "- " + item. Then we get to the lines that actually call this function. First, we're going to call it using /etc/group. That's the file name we're going to pass into this function.

We're going to open that file read-only, go through, and read every single group. Then we're going to read all of the different people in the password file as users and put them into this data list as well. Now we're going to have all of that displayed on the screen, and we'll know exactly who our users are and which groups they're in. For the exam, what do you need to know when it comes to enumerating users? There are lots of different ways to do enumeration with lots of different scripts in lots of different languages, but for the exam, you should be looking for things like /etc/group and /etc/passwd if you're trying to enumerate users on a Linux system. If you're trying to enumerate users on a Windows system, you should be looking for things that interact with Active Directory, because Active Directory acts as our directory service inside of Windows domains.
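The lesson only describes its read-and-parse script in words. The following is an added Python example (my code, not the course's script) that parses passwd- and group-formatted text from constructed sample content embedded inline, and goes a step further than the lesson by joining each user to both its primary group (via the GID) and its supplementary groups, and by optionally skipping accounts whose shell cannot log in.

```python
# Constructed sample files (stand-ins for /etc/passwd and /etc/group).
PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
jason:x:1000:1000:Jason:/home/jason:/bin/bash
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
alice:x:1001:1001:Alice:/home/alice:/bin/zsh
"""
GROUP = """root:x:0:
sudo:x:27:jason
jason:x:1000:
alice:x:1001:
docker:x:999:jason,alice
"""

def parse_passwd(text):
    """Return {user: (uid, gid, shell)} from passwd-format text."""
    users = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, uid, gid, _gecos, _home, shell = line.split(":")
        users[name] = (int(uid), int(gid), shell)
    return users

def parse_group(text):
    """Return {gid: (group_name, [members...])} from group-format text."""
    groups = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, gid, members = line.split(":")
        groups[int(gid)] = (name, [m for m in members.split(",") if m])
    return groups

def users_with_groups(passwd_text, group_text, login_only=True):
    """Map each user to its sorted group list: primary GID plus supplementary.
    login_only drops accounts whose shell is nologin or false."""
    users = parse_passwd(passwd_text)
    groups = parse_group(group_text)
    result = {}
    for user, (_uid, gid, shell) in sorted(users.items()):
        if login_only and shell.rsplit("/", 1)[-1] in ("nologin", "false"):
            continue
        names = {groups[gid][0]} if gid in groups else set()
        names |= {g for g, members in groups.values() if user in members}
        result[user] = sorted(names)
    return result

def list_users(passwd_text, group_text):
    """The lesson's 'user group' display, one line per membership."""
    memberships = users_with_groups(passwd_text, group_text)
    return ["%s %s" % (u, g) for u, gs in memberships.items() for g in gs]
```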

224. Exploits for Enumeration Assets (OBJ 5.2)

In this lesson, we're going to look at exploits for enumerating assets. The first one I have is in PowerShell, and again we're going to go after Active Directory here. In this particular one-line script, we're going to list all of the domain controllers that are in a network, so we know which systems to focus on during our attacks. To do this, we're going to use Import-Module ActiveDirectory; Get-ADDomainController -Filter * | Select-Object Name, Domain. This will come back with all of the domain controllers in the domain we're currently in. The second script we have is another PowerShell script, and this one is about getting information on a certain computer, host, or server. Normally, when you use this script, it all goes on one line, but to make it easier for us to read, I've broken it up across four lines. First, Import-Module ActiveDirectory; then Get-ADComputer -Filter {Name -like "<hostname>"} -Properties * | Format-Table Name, IPv4Address, OperatingSystem, OperatingSystemServicePack, LastLogonDate -Wrap -Auto. What this does is go into the Active Directory computer objects, look up that host name, and then get the information about its name, its IPv4 address, its operating system, its service pack level, and the last time that system was logged on to. If we're on a Linux system, we can enumerate an asset by using Bash.

In Bash, we can use multiple different commands to get information about Linux systems. For example, if I put these five commands together, hostname; uname -a; arp; route; dpkg -l, I can find out a lot about a given system. This is going to show me the host name using hostname, so I know what to call that system. It's also going to show me all the available system information by using uname -a. Then it's going to show me the ARP cache, and with it all the other systems it's been talking to on that local area network. Then we're going to look at route and see what routing table it currently has, and we can print that as well. And finally, we're going to show a list of all the packages and software that are installed on that system. So that's going to tell me version numbers, software packages and types, so I can figure out what vulnerabilities this system might have. Finally, we have Python, and in Python I can identify hosts on a subnet by going out and attempting a connection to each host I can find. I can do that using a simple script like this:

    import socket

    def connect(hostname, port):
        # Set the one-second timeout before the socket is created so it applies to it.
        socket.setdefaulttimeout(1)
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        result = sock.connect_ex((hostname, port))
        sock.close()
        return result == 0

    for i in range(0, 255):
        res = connect("192.168.1." + str(i), 80)
        if res:
            print("Device found at: 192.168.1." + str(i) + ":" + str(80))

So what is this script doing? Well, first we're importing the socket library, so we have the ability to start interacting with the network using Python.

Then we're defining a function called connect, and we're going to give it two parameters: a host name and a port. Then, if you go down to the bottom with that for loop, that's where the action really starts. Each time we start making a connection, we're going to go to the connect function and give it an IP address and a port number. In this case, port 80. So we're trying to connect to 192.168.1.0 over port 80, then 192.168.1.1 over port 80, and so on. Any time we have a successful result (that's what res stands for), we're going to print "Device found at" and that IP address, colon 80. This is enumerating the subnet 192.168.1.0/24 over port 80 to identify anybody running a web server inside of that subnet, on those 254 hosts that happen to be sitting in that class C subnet. That's all this is doing. The idea here is finding out what services are being run. In this case, we only look for port 80, but I could just as easily put a for loop inside another for loop and have two values, an i and an x, where the x might be for the ports.

And so I might have an array of ports that I want to go through, like port 22, port 21, port 53, port 80, and port 110. And I can start looking for these different services that I might know how to exploit, and that way I can start spreading out laterally across the network based on those different ports. All right, what do you need to know for this lesson? Well, when it comes to enumerating assets, you've got to be thinking about servers, hosts, and computers. The idea is we're looking for host names. We're looking for what things are on the network in given places and what their function is. So you might be looking at different ports to identify what services are being run, as I did in the last Python script, or you might be looking at information about a computer or host by using PowerShell and connecting to Active Directory to get information that way as you go through your PowerShell scripts.

225. Automation in Engagements (OBJ 5.2)

In this lesson, we're going to talk briefly about using automation in engagements. Now, up to this point, we've looked at a lot of different pieces of code, so we're not going to dive into any code in this particular lesson. Instead, what I want to talk about is some major concepts inside of the world of automation. As you start building out your engagements, you want to start thinking about how you can script and automate as much of the process as possible, because there's a lot of manual work that goes into doing a penetration test. For example, if I need to go and look at all the devices on a particular subnet, that would mean typing in an IP address 256 times and doing a ping or an Nmap scan against each one.

Or I could automate that using scripting, like I've shown you with Python scripts, Bash scripts, and others. The idea here is you want to be able to create a port scan function and then automate that to go out and do the port scans. Once you identify what ports are open, you can then do follow-on actions just against those ports by running a separate script that is called based on the results of the first script. So let's say I went and did a port scan of port 80 across all of the devices in a particular subnet. Once I get the results of that, I can feed them into a second script that will now go and connect to each of those servers and do a banner grab. Then, based on the results of the banner grab, I can determine which of these are running IIS, which ones are running Nginx, and which ones are running Apache.

I put those into a separate list as well, and then do follow-on scans or follow-on exploitation based on the results I'm getting. Using some really basic scripting, like if-then statements and for, while, and do loops, you're going to be able to create some really complex scripts in under about 50 to 100 lines of code that could save you a ton of time and effort and make your job so much easier. Now, in addition to performing those port scans and automating the results based on what you're seeing, you also want to be able to produce a final report. So always remember to build logging into your scripts too. You can create a file called "enumeration.log" and then save the results of what you're doing into that log as you go. That way, you'll have all your data in one place. These reports can be as simple as a text file, or you can make them graphical, or put them into a third-party system that collects all that data and visualizes it for you. The final thing I want to talk about when it comes to enumeration is how you can use your script to control the IP addresses you're going to use during a test. There are really two different ways of doing this. One is you can scan everything in a given subnet range by going through a for loop.

I showed you that when we did the port scanner in Python. But you can also import a file that contains a list of IP addresses or targets that you want to go after. This could be an Excel file, a CSV file, or some other file format. Whatever that format is, you can take that list and process the entries one by one by feeding them into your script, letting you run those different port scans and enumeration techniques against the hosts you're finding. Again, by putting all of this together, you can start creating a lot of wonderful tools for you to use during your engagements. The good news is that a lot of these tools are already available online. If you go online and search for Python enumeration tools, Bash enumeration tools, or PowerShell enumeration tools for pentesting, you're going to find lots of different scripts that you can download, play with, and use during your engagements.
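The nested host-by-port loop from the asset enumeration lesson and the scan, banner-grab, classify and log chain described in this lesson, written out as one added Python example (my code, not the course's scripts). It assumes the target list arrives as (host, ports) pairs, for example read from a CSV; the fake_http_server helper is a constructed loopback listener so the example runs offline, and the banner grab uses a plain HTTP HEAD request.

```python
import logging
import socket
import socketserver
import threading

def port_open(host, port, timeout=1.0):
    """TCP connect check, the same test as the lesson's connect() function."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        return sock.connect_ex((host, port)) == 0
    finally:
        sock.close()

def grab_banner(host, port, timeout=1.0):
    """Send a minimal HTTP HEAD; return the Server header, '' if none/unreadable."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(b"HEAD / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
            data = sock.recv(1024).decode(errors="replace")
    except OSError:
        return ""
    for line in data.split("\r\n"):
        if line.lower().startswith("server:"):
            return line.split(":", 1)[1].strip()
    return ""

def classify(banner):
    low = banner.lower()   # bucket into the server families the lesson names
    return next((n for n in ("iis", "nginx", "apache") if n in low), "unknown")

def enumerate_targets(targets, log_path="enumeration.log"):
    """targets = [(host, [ports...])]; scan, banner-grab open ports, log, return findings."""
    logging.basicConfig(filename=log_path, level=logging.INFO)
    findings = []
    for host, ports in targets:
        for port in ports:                      # nested loop: hosts x ports
            if not port_open(host, port):
                continue
            server = classify(grab_banner(host, port))
            logging.info("%s:%d open, server=%s", host, port, server)
            findings.append((host, port, server))
    return findings

def fake_http_server(server_header):
    """Constructed loopback listener so the example runs offline; returns its port."""
    reply = ("HTTP/1.0 200 OK\r\nServer: %s\r\n\r\n" % server_header).encode()
    class Handler(socketserver.BaseRequestHandler):
        def handle(self):
            self.request.recv(1024)
            self.request.sendall(reply)
    srv = socketserver.TCPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv.server_address[1]
```

Each finding is also appended to enumeration.log, which is the single place the lesson recommends collecting results for the final report.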

226. Automation with Nmap Scripts (OBJ 5.2)

In this lesson, we're going to talk about automation with Nmap scripts. Now earlier, when we talked about Nmap, we talked about the fact that there is the Nmap scripting engine, which allows you to download and use a lot of different scripts to conduct things like enumeration, port scans, and vulnerability scans. If you're going to be using this, you simply use nmap --script and then name the script you want to use. To find a complete list of these scripts, you can go look in your /usr/share/nmap/scripts/vulscan directory, or, if you're on Windows, inside C:\Program Files (x86)\Nmap\scripts, and this will have all the scripts that you can use for all of the different functions.

Now, in your penetration test, you're going to determine exactly what your objective is and what scripts you're going to need based on that objective. But let's say, for example, you were scanning a subnet with all of the web servers on it. You want to first identify any servers that are answering on port 80 and port 443. You wrote a script in Python, you went out and found all those servers and listed them into a file, so you now have a list of targets that are open on port 80 or port 443.

Now, the next thing you might want to do is figure out how secure their encryption suite is. Well, to do this, you can use an Nmap scan. Inside of Nmap, there are the vulners and ssl-enum-ciphers scripts that you could run. vulners is a script that draws on a vast database of different vulnerabilities that we can use against web servers. In addition to that, we can use ssl-enum-ciphers to identify what ciphers are being used by that secure web server running on port 443. This will initiate connections to it using different settings, and then give you a score according to the protocols it supports, like SSL version 2, version 3, or TLS version 1.1, 1.2 or 1.3, as well as the key exchange and cipher strength being used by that server. This score is based on the Qualys SSL Server rating guide that I showed you earlier, when we did our SSL enumeration.

But by doing it inside of Nmap, you can automate this scan as part of the script, instead of having to do it manually yourself, like we did back in our reconnaissance phase. So, as you can see, there are lots of different ways that you're going to be able to use automation to make your life easier during an engagement. As you get better at scripting, you're going to start to combine all sorts of different tools and techniques, including things like Nmap and its scripts, to do a lot of the work for you, and this will make your job much easier and your engagements go much faster.
