Red Teaming and Thoughts

  • Web Vulnerability

    Well, it took me a while to write my first post, because I was really thinking about what I wanted to start writing about and what would be good for a first post... So after much thinking I just gave up and decided to write posts about the stuff I would need later on, so I can remember commands and things I might need in any case. So let me start.

    Nmap

    Aaaah, the favorite scanning tool for any pen-tester. It is powerful and complete in so many ways: it can scan UDP and TCP ports, check if hosts are alive and evade firewalls (in some cases); it all depends on how you are using it. This is one of my favorite cheatsheets, by High on Coffee:

    Nmap in a nutshell

    • Host discovery
    • Port discovery / enumeration
    • Service discovery
    • Operating system version detection
    • Hardware (MAC) address detection
    • Service version detection
    • Vulnerability / exploit detection, using Nmap scripts (NSE)

    Nmap Examples

    Basic Nmap scanning examples, often used at the first stage of enumeration.

    Command Description
    nmap -sP 10.0.0.0/24 Ping scans the network, listing machines that respond to ping.
    nmap -p 1-65535 -sV -sS -T4 target Full TCP port scan with service version detection – usually my first scan; I find T4 more accurate than T5 and still “pretty quick”.
    nmap -v -sS -A -T4 target Prints verbose output, runs stealth syn scan, T4 timing, OS and version detection + traceroute and scripts against target services.
    nmap -v -sS -A -T5 target Prints verbose output, runs stealth syn scan, T5 timing, OS and version detection + traceroute and scripts against target services.
    nmap -v -sV -O -sS -T5 target Prints verbose output, runs stealth syn scan, T5 timing, OS and version detection.
    nmap -v -p 1-65535 -sV -O -sS -T4 target Prints verbose output, runs stealth syn scan, T4 timing, OS and version detection + full port range scan.
    nmap -v -p 1-65535 -sV -O -sS -T5 target Prints verbose output, runs stealth syn scan, T5 timing, OS and version detection + full port range scan.

    Nmap scan from file

    Command Description
    nmap -iL ip-addresses.txt Scans a list of IP addresses, you can add options before / after.

    Nmap output formats

    Command Description
    nmap -sV -p 139,445 -oG grep-output.txt 10.0.1.0/24 Outputs “grepable” output to a file, in this example Netbios servers.

    E.g., the output file could be grepped for “Open”.

    nmap -sS -sV -T5 10.0.1.99 --webxml -oX - | xsltproc --output file.html - Export nmap output to HTML report.
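Since the grepable format is also what the Nikto pipe further down consumes, here is a small parser for it (an added example, not part of the High on Coffee cheatsheet or the nmap project), run over a constructed -oG sample: it returns the open ports per host and lets you pull out the hosts exposing a given port for an inventory or follow-up check. The names parse_grepable and hosts_with_open_port are my own.

```python
import re

# Constructed sample of nmap grepable (-oG) output; not output of a real scan.
SAMPLE_OG = """\
# Nmap 7.94 scan initiated as: nmap -sV -p 139,445 -oG - 10.0.1.0/24
Host: 10.0.1.5 ()\tStatus: Up
Host: 10.0.1.5 ()\tPorts: 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds//Samba smbd 3.X - 4.X/\tIgnored State: closed (998)
Host: 10.0.1.9 ()\tStatus: Up
Host: 10.0.1.9 ()\tPorts: 139/filtered/tcp//netbios-ssn///, 445/closed/tcp//microsoft-ds///
# Nmap done: 256 IP addresses (2 hosts up) scanned
"""

# One -oG port entry is port/state/protocol/owner/service/rpcinfo/version/
# State may be a combination such as open|filtered, so it is matched as [^/]+.
PORT_RE = re.compile(r"(\d+)/([^/]+)/([^/]+)/[^/]*/([^/]*)/[^/]*/([^/]*)/")


def parse_grepable(text):
    """Map each host to its open ports as (port, proto, service, version) tuples.

    Hosts with no open ports are left out, which is the same filtering the
    'grep for Open' one-liner gives you, but with the fields split out.
    """
    result = {}
    for line in text.splitlines():
        if line.startswith("#") or "Ports:" not in line:
            continue  # comment lines and Status-only lines carry no ports
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for m in PORT_RE.finditer(ports_field):
            port, state, proto, service, version = m.groups()
            if state != "open":
                continue  # closed, filtered and open|filtered are skipped
            result.setdefault(host, []).append(
                (int(port), proto, service, version.strip()))
    return result


def hosts_with_open_port(parsed, port, proto="tcp"):
    """Hosts exposing the given port, e.g. to build a target list for a follow-up tool."""
    return sorted(h for h, entries in parsed.items()
                  if any(p == port and pr == proto for p, pr, _, _ in entries))


if __name__ == "__main__":
    scan = parse_grepable(SAMPLE_OG)
    for host, entries in scan.items():
        for port, proto, service, version in entries:
            print(f"{host}:{port}/{proto} {service} {version}".rstrip())
    print("SMB hosts:", hosts_with_open_port(scan, 445))
```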

    Nmap Netbios Examples

    Command Description
    nmap -sV -v -p 139,445 10.0.0.1/24 Find all Netbios servers on subnet
    nmap -sU --script nbstat.nse -p 137 target Nmap display Netbios name
    nmap --script-args=unsafe=1 --script smb-check-vulns.nse -p 445 target Nmap check if Netbios servers are vulnerable to MS08-067

    Nmap Nikto Scan

    Command Description
    nmap -p80 10.0.1.0/24 -oG - | nikto.pl -h - Scans for http servers on port 80 and pipes into Nikto for scanning.
    nmap -p80,443 10.0.1.0/24 -oG - | nikto.pl -h - Scans for http/https servers on port 80, 443 and pipes into Nikto for scanning.

    Nmap Cheatsheet

    Target Specification

    Nmap allows hostnames, IP addresses, subnets.

    Examples: blah.highon.coffee, nmap.org/24, 192.168.0.1; 10.0.0-255.1-254

    Command Description
    -iL inputfilename: Input from list of hosts/networks
    -iR num hosts: Choose random targets
    --exclude host1[,host2][,host3],… : Exclude hosts/networks
    --excludefile exclude_file: Exclude list from file

    Host Discovery

    Command Description
    -sL List Scan – simply list targets to scan
    -sn Ping Scan – disable port scan
    -Pn Treat all hosts as online — skip host discovery
    -PS/PA/PU/PY[portlist] TCP SYN/ACK, UDP or SCTP discovery to given ports
    -PE/PP/PM ICMP echo, timestamp, and netmask request discovery probes
    -PO[protocol list] IP Protocol Ping
    -n/-R Never do DNS resolution/Always resolve [default: sometimes]

    Scan Techniques

    Command Description
    -sS TCP SYN scan
    -sT Connect scan
    -sA ACK scan
    -sW Window scan
    -sM Maimon scan
    -sU UDP Scan
    -sN TCP Null scan
    -sF FIN scan
    -sX Xmas scan
    --scanflags Customize TCP scan flags
    -sI zombie host[:probeport] Idle scan
    -sY SCTP INIT scan
    -sZ COOKIE-ECHO scan
    -sO IP protocol scan
    -b "FTP relay host" FTP bounce scan

    Port Specification and Scan Order

    Command Description
    -p Specify ports, e.g. -p80,443 or -p1-65535
    -p U:PORT Scan UDP ports with Nmap, e.g. -p U:53
    -F Fast mode, scans fewer ports than the default scan
    -r Scan ports consecutively – don’t randomize
    --top-ports "number" Scan “number” most common ports
    --port-ratio "ratio" Scan ports more common than “ratio”

    Service Version Detection

    Command Description
    -sV Probe open ports to determine service/version info
    --version-intensity "level" Set from 0 (light) to 9 (try all probes)
    --version-light Limit to most likely probes (intensity 2)
    --version-all Try every single probe (intensity 9)
    --version-trace Show detailed version scan activity (for debugging)

    Script Scan

    Command Description
    -sC Equivalent to --script=default
    --script="Lua scripts" “Lua scripts” is a comma separated list of directories, script-files or script-categories
    --script-args=n1=v1,[n2=v2,...] Provide arguments to scripts
    --script-args-file=filename Provide NSE script args in a file
    --script-trace Show all data sent and received
    --script-updatedb Update script database
    --script-help="Lua scripts" Show help about scripts

    OS Detection

    Command Description
    -O Enable OS Detection
    --osscan-limit Limit OS detection to promising targets
    --osscan-guess Guess OS more aggressively

    Timing and Performance

    Options which take TIME are in seconds, or append ‘ms’ (milliseconds), ‘s’ (seconds), ‘m’ (minutes), or ‘h’ (hours) to the value (e.g. 30m).

    Command Description
    -T 0-5 Set timing template – higher is faster (less accurate)
    --min-hostgroup SIZE; --max-hostgroup SIZE Parallel host scan group sizes
    --min-parallelism NUMPROBES; --max-parallelism NUMPROBES Probe parallelization
    --min-rtt-timeout TIME; --max-rtt-timeout TIME; --initial-rtt-timeout TIME Specifies probe round trip time
    --max-retries TRIES Caps number of port scan probe retransmissions
    --host-timeout TIME Give up on target after this long
    --scan-delay TIME; --max-scan-delay TIME Adjust delay between probes
    --min-rate NUMBER Send packets no slower than NUMBER per second
    --max-rate NUMBER Send packets no faster than NUMBER per second

    Firewalls IDS Evasion and Spoofing

    Command Description
    -f; --mtu VALUE Fragment packets (optionally w/given MTU)
    -D decoy1,decoy2,ME Cloak a scan with decoys
    -S IP-ADDRESS Spoof source address
    -e IFACE Use specified interface
    -g PORTNUM; --source-port PORTNUM Use given port number
    --proxies url1,[url2],... Relay connections through HTTP / SOCKS4 proxies
    --data-length NUM Append random data to sent packets
    --ip-options OPTIONS Send packets with specified ip options
    --ttl VALUE Set IP time to live field
    --spoof-mac ADDR/PREFIX/VENDOR Spoof NMAP MAC address
    --badsum Send packets with a bogus TCP/UDP/SCTP checksum

    Nmap Output Options

    Command Description
    -oN Output Normal
    -oX Output to XML
    -oS Script Kiddie / 1337 speak… sigh
    -oG Output greppable – easy to grep nmap output
    -oA BASENAME Output in the three major formats at once
    -v Increase verbosity level use -vv or more for greater effect
    -d Increase debugging level use -dd or more for greater effect
    --reason Display the reason a port is in a particular state
    --open Only show open or possibly open ports
    --packet-trace Show all packets sent / received
    --iflist Print host interfaces and routes for debugging
    --log-errors Log errors/warnings to the normal-format output file
    --append-output Append to rather than clobber specified output files
    --resume FILENAME Resume an aborted scan
    --stylesheet PATH/URL XSL stylesheet to transform XML output to HTML
    --webxml Reference stylesheet from Nmap.Org for more portable XML
    --no-stylesheet Prevent associating of XSL stylesheet w/XML output

    Misc Nmap Options

    Command Description
    -6 Enable IPv6 scanning
    -A Enable OS detection, version detection, script scanning, and traceroute
    --datadir DIRNAME Specify custom Nmap data file location
    --send-eth; --send-ip Send using raw ethernet frames or IP packets
    --privileged Assume that the user is fully privileged
    --unprivileged Assume the user lacks raw socket privileges
    -V Show nmap version number
    -h Show nmap help screen

    Something extra that I would like to add on script scan is the option --script all, which runs all the scripts available in nmap. It might take a while!!!

    Nikto

    Nikto, another favorite for web scanning. Amazing tool, even though it hasn’t been updated for a while (2012), but wow, do you find out how many people still use outdated applications and web servers; it’s just insane. Still a valuable tool. It is a pretty straightforward tool and there is not much to write here, but never forget to use it; it’s pretty amazing.


    Skipfish

    Ooooh, this new tool I just found by a lot of reading, of course. It is amazing, got to keep it in my arsenal since it’s pretty awesome and produces a nice HTML report once scanning is done. Warning!!! It takes a while to scan, but it’s worth it. This tool is useful, do not forget this one.

    Vega

    It’s another of my personal favorites: it has a beautiful and simple GUI, easy to understand and easy to use. All you do is type in the full website (it can be an IP or a DNS name) and it’s ready to go. Just be careful: it sounds many alarms and can do really deep scanning that takes hours to days!!

    Whatweb

    As the Kali tools web page says:

    WhatWeb identifies websites. Its goal is to answer the question, “What is that Website?”. WhatWeb recognises web technologies including content management systems (CMS), blogging platforms, statistic/analytics packages, JavaScript libraries, web servers, and embedded devices. WhatWeb has over 1700 plugins, each to recognise something different. WhatWeb also identifies version numbers, email addresses, account IDs, web framework modules, SQL errors, and more.

    WAFW00F

    WAFW00F – Web Application Firewall Detection Tool

    Exactly what it is…

    Golismero

    GoLismero is a free software framework for security testing. It’s currently geared towards web security, but it can easily be expanded to other kinds of scans. It can run its own security tests and manage a lot of well-known security tools (OpenVas, Wfuzz, SQLMap, DNS recon, robot analyzer…), take their results, feed them back to the rest of the tools and merge all of the results. And all of this automatically.

    And there are just so many other tools out there; the tools are too plentiful to list and all great. A quick list:

    • WPScan
    • Joomscan
    • CMS
    • Burp Suite
    • Sparta
    • OpenVas
    • Nessus
    • Much more!!