Posts

Subdomain script

Here I am writing a script using a few different tools. Now this is a basic script and nowhere near an extensive one; this is my first go at it. Here is the correct way to write it for assetfinder. See, we are making a final.txt file. Here we are harvesting with amass as well and adding it to final.txt. For the sake of speed and space, since this was training, I ran the script once to have that experience and then commented out the amass part of the script. Then we are going to probe for alive domains and put them into a new file, alive.txt. Again, this is just a basic script, but it was fun to play around with these new tools. Feel free to reach out on LinkedIn or Twitter.

More mitigations

So like I said, we are going over mitigations. I grabbed a couple of slides, and while this is not everything, I grabbed the ones that helped spark a thought process and understand how mitigation can be performed. Now we started with SMB Relay because we were told it's one of the most exploited vulnerabilities. Really, until this slide I was thinking, "if it's such a known vulnerability, why is it still being used?" Seeing this slide with the pros and cons made me realize certain things need to be used, and our job as security professionals can't be just to shut down everything that can be exploited, but rather to make things as safe as possible so that our companies can still be as productive as possible while being as safe as possible. Now I always thought I knew strong passwords, but in taking this course I found out just how easy password cracking is. So, 14 or more characters and make it complex: capital, lowercase, numbers, special characters, stay away from common wor...

LLMNR

Here we learn a little about LLMNR. So here is a description of the attack. I think the key here is that it provides the hash. These days, any time you can get a hash it's a win. Even if it's long and complex, hash cracking tools are a 3-second Google search. I like graphics like this because, to be honest, even if I know how to attack something I am not always sure how to mitigate what I am doing. That's why I like learning what is behind the scenes. In the next few posts, I am going to show some mitigation techniques the course brought up, and the reason for that is it really helped me start to think about how to mitigate. Again, I will not be sharing everything, and if you want to learn more, please go check out TCM Security. This has really been a great course to get my brain thinking in ways to help businesses. And here are their recommendations for mitigation. This is just to get your brain in the mode of mitigation. Remember we are doing this to help businesses, not just to d...

Right Module then shell

Finally we have made it. Here I will check we have the right module and then I will get my shell. Again, remember these are just notes and not all of them. But if you see something and you know of a more effective way, I am always up for hearing and learning new things. So, line 4 we eventually get rid of, but one thing to note is that on line 6, when we type it into the script, we are typing it backwards and only 2 characters at a time. Now I am sure there is a reason, and it is significant, but the course did not go into it. Here I am copying the payload after it was created. Now we add the payload to the script. This is the remainder of the script. Run this and we have completed the objective. Feel free to reach out on LinkedIn or Twitter.

Overwrite and BadChars

I wrote a script for bad chars and show how I overwrite the program. This is all leading up to finding the right module and then gaining shellcode. Exploit development is definitely something I want to take some more time to get to know. I plan on going through these videos at least one more time. So a couple of things to remember: take out "\x00" and make sure you wrap it in "()". Here is the first code I wrote, and here is the correct code. Anyone catch the mistake? That's right, line 9 I forgot to change. Now remember, like with all the lessons before, we are running both vulnserver and Immunity Debugger as admin, attaching vulnserver to Immunity Debugger and pressing play. The goal is to overflow the buffer space and go through the EBP (Extended Base Pointer) and into the EIP (Extended Instruction Pointer), which is where we will be placing the malicious code. And as you can see it is now paused, meaning we gained overflow and crashed the machine....

Offset

What I am doing here is finding the offset. Again, this is all enumeration for the end attack; the more information we have, the easier it is to overload this machine. Remember to run vulnserver and Immunity Debugger as admin and attach them. And here we are using the number 3000. Why is that? Well, if you remember, in the last blog the tipping point was 2900, so now we are ensuring enough characters will be used. We get this printout and we are going to copy it to put in our script. A few things to note: we no longer need the time, so we erased that; we set our "offset" to what we just copied and pasted; and we are no longer using a while loop. I took this picture to make a point. Make sure you copy the characters exactly. I had a single space after the last "9" and it messed up my whole script. So we removed the space, ran the program, and as you can see we achieved overloading it and it's paused. Now in a very messy way I have highlighted the important part here. ...

Spiking and Fuzzing

Here we started getting an introduction to some new tools, using vulnserver and Immunity Debugger. We did this as an introduction to exploit development. So the first thing you need to do is go out and download both vulnserver and Immunity Debugger. Now that you've done that, run both vulnserver and Immunity Debugger as administrator. Then attach vulnserver to Immunity Debugger and press play. Make sure in the bottom right it says "Running". Here we use "nc" with "-nv" and the IP address of the target server with a port of 9999 to gain access, and then we used "HELP" to print out all the valid commands. Here we use the command "generic_send_tcp" with our IP address, port 9999 and trun.spk. Now, to be honest, I don't 100% remember what the following 2 zeros are for, as this was a few weeks ago and like many people I don't remember every single detail (hence the screenshots and this blog). And here you see it's paused again because we have ju...