Category Archives: PWK / OSCP Course Experience

My PWK experience

Coscp-certsountless blogs have been published about the Offensive Security  PWK course and OSCP certification.

I don’t want to repeat what has been said already. It is probably the best training I have ever received and if you are interested in penetration testing than this course is for you.

This blog is for our own benefits to remember the little lessons we’ve learned along the way and to share the code snippets that have made our life easier during this endeavor and in real life.

Here some awesome blogs about the OSCP experience:

https://blog.g0tmi1k.com/2011/07/pentesting-with-backtrack-pwb/

http://www.securitysift.com/offsec-pwb-oscp/

http://www.en-lightn.com/?p=941

 

I have spent four months in the offsec lab and cracked every single box; some of them via different ways and almost all without the help of Metasploit.

The following posts will contain some code snippets that made my life easier.

 

Facebooktwitterredditpinterestlinkedinmail

1. Information gathering in three stages

1.1 Quick ping sweep of the network

#!/usr/bin/env python
###############################################################
## [Name]: 1-mix-ping_sweep.py -- a recon/enumeration script
## [Author]: Re4son re4son [at] whitedome.com.au
##-------------------------------------------------------------
## [Details]:
## Script to perform a ping sweep over a given range and list 
## each live host in file /targets.txt.
##------------------------------------------------------------
## [Usage]:
## python 1-mix-ping_sweep.py <output>
###############################################################

import subprocess
import sys
import os

if len(sys.argv) != 3:
print "\nUsage: 1-mix-ping-sweep.py <output>\n"
sys.exit(0)</output>

RANGE = sys.argv[1].strip()
OUTDIR = sys.argv[2].strip()

try:
os.stat(OUTDIR)
except:
os.mkdir(OUTDIR)
print " "
print "[!] %s didn't exist, created %s" % (OUTDIR, OUTDIR)

outfile = OUTDIR + "/targets.txt"

res = 0
f = open(outfile, 'w')
print " "
print "[+] Performing ping sweep over %s" % (RANGE)
SWEEP = "nmap -n -sP %s" % (RANGE)
results = subprocess.check_output(SWEEP, shell=True)
lines = results.split("\n")
for line in lines:
line = line.strip()
line = line.rstrip()
if ("Nmap scan report for" in line):
ip_address = line.split(" ")[4]
if (res > 0):
f.write('\n')
f.write("%s" % (ip_address))
print "[*] %s" % (ip_address)
res += 1
print " "
print "[*] Found %s live hosts" % (res)
print "[*] Created target list %s" % (outfile)
print "[*] Paste %s into 3-mix-recon.py" % (outfile)
print " "
f.close()
</output>

 

1.2 Finding DNS servers

#!/usr/bin/env python
###############################################################
## [Name]: 2-mix-find_dns.py -- script to find dns servers 
##                              amongst a list of machines
##-------------------------------------------------------------
## [Author]: Re4son re4son [at] whitedome.com.au
##-------------------------------------------------------------
## [Details]: 
## Script iterates through  and checks if TCP 
## port 53 is open.
## The result is diplayed on screen and written to 
## <output>\DNS-servers.txt 
##-------------------------------------------------------------
## [Usage]: 
## python 2-mix-find_dns.py  <output>
###############################################################

import subprocess
import sys

if len(sys.argv) != 3:
    print "\nUsage: python 2-mix-find_dns.py  <output>\n"
    sys.exit(0)

TARGETS = sys.argv[1].strip()
OUTDIR = sys.argv[2].strip()

outfile = OUTDIR + "/DNS-Servers.txt"


def dnsScan(ip_address):

    return

inf = open(TARGETS, 'r')
outf = open(outfile, 'w')
res = 0
print " "
print "[+] Enumerating TCP port 53 to find dns servers"
outf.write("[+] Enumerating TCP port 53 to find dns servers\n")
for ip_address in inf:
    ip_address = ip_address.strip()
    DNSSCAN = "nmap -n -sV -Pn -vv -p53 %s" % (ip_address)
    results = subprocess.check_output(DNSSCAN, shell=True)
    lines = results.split("\n")
    for line in lines:
        line = line.strip()
        line = line.rstrip()
        if ("53/tcp" in line) and ("open" in line) and ("open" in line) and not ("Discovered" in line):
	    print "[*] Found DNS service running on: %s/TCP" % (ip_address)
            outf.write("[*] Found DNS service running on: %s/TCP\n" % (ip_address))
	    print "   [>] %s" % (line)
            outf.write("   [>] %s\n" % (line))
	    res += 1
print " "
outf.write("\n")
print "[*] Found %s DNS servers" % (res)
outf.write("[*] Found %s DNS servers\n" % (res))
print "[*] Pick one and include in 3-mix-recon.py"
print " "
inf.close()
outf.close()
</output></output></output>

 

1.3 Detailed net scan and setup of directory structure for penetration test:

#!/usr/bin/env python
#############################################################################
## [Name]: 3-mix-recon.py -- a recon/enumeration script
## [Original Author]: Mike Czumak (T_v3rn1x) -- @SecuritySift
## [Author]: Re4son re4son [at] whitedome.com.au
##---------------------------------------------------------------------------
## [Details]: 
## This script is intended to be executed remotely against a list of IPs to 
## enumerate discovered services such 
## as smb, smtp, snmp, ftp and other. 
#############################################################################

import subprocess
import multiprocessing
from multiprocessing import Process, Queue
import os
import time 

TARGETS='/root/192.168.0.0/targets.txt'
OUTDIR='/root/192.168.0.0/'			# Can be empty - will use ./mix-recon-OUTPUT
DNSSRV='192.168.1.11'			# Can be empty - will skip name resolution

def multProc(targetin, scanip, port, outputdir):
    jobs = []
    p = multiprocessing.Process(target=targetin, args=(scanip, port, outputdir))
    jobs.append(p)
    p.start()
    return

def nmapScan(ip_address, outputdir):
   ip_address = ip_address.strip()
   outfile = outputdir + "/" + ip_address + "_findings.txt"

   print "[+] Starting quick nmap scan for %s" % (ip_address)
   QUICKSCAN = "nmap -n -oN '%s/%s.quick.nmap' %s"  % (outputdir, ip_address, ip_address)
   quickresults = subprocess.check_output(QUICKSCAN, shell=True)

   print "[+] Starting detailed TCP/UDP nmap scans for %s" % (ip_address)
   serv_dict = {}
   if DNSSRV:
       TCPSCAN = "nmap -vv -Pn -sS -A -sC -p- -T 3 -script-args=unsafe=1 --dns-servers %s -oN '%s/%s.nmap' -oX '%s/%s_nmap_scan_import.xml' %s"  % (DNSSRV, outputdir, ip_address, outputdir, ip_address, ip_address)
       UDPSCAN = "nmap -vv -Pn -A -sC -sU -T 4 --top-ports 200 --dns-servers %s -oN '%s/%sU.nmap' -oX '%s/%sU_nmap_scan_import.xml' %s" % (DNSSRV, outputdir, ip_address, outputdir, ip_address, ip_address)
   else:
       TCPSCAN = "nmap -vv -Pn -sS -A -sC -p- -T 3 -script-args=unsafe=1 -n %s -oN '%s/%s.nmap' -oX '%s/%s_nmap_scan_import.xml' %s"  % (DNSSRV, outputdir, ip_address, outputdir, ip_address, ip_address)
       UDPSCAN = "nmap -vv -Pn -A -sC -sU -T 4 --top-ports 200 -n %s -oN '%s/%sU.nmap' -oX '%s/%sU_nmap_scan_import.xml' %s" % (DNSSRV, outputdir, ip_address, outputdir, ip_address, ip_address)

   results = subprocess.check_output(TCPSCAN, shell=True)
   udpresults = subprocess.check_output(UDPSCAN, shell=True)
   lines = results.split("\n")
   for line in lines:
      ports = []
      line = line.strip()
      if ("tcp" in line) and ("open" in line) and not ("Discovered" in line):
	 while "  " in line: 
            line = line.replace("  ", " ");
         service = line.split(" ")[2] # grab the service name
	 port = line.split(" ")[0] # grab the port/proto
         if service in serv_dict:
	    ports = serv_dict[service] # if the service is already in the dict, grab the port list
	 
         ports.append(port) 
	 serv_dict[service] = ports # add service to the dictionary along with the associated port(2)
   
   # go through the service dictionary to give some hints for further enumerations 
   f = open(outfile, 'w')
   for serv in serv_dict: 
      ports = serv_dict[serv]
      if ("ftp" in serv):
 	 for port in ports:
	    port = port.split("/")[0]
	    f.write("[*] Found FTP service on %s:%s\n" % (scanip, port))
	    f.write("   [>] Use nmap scripts for further enumeration or hydra for password attack, e.g\n")
	    f.write("   [=] nmap -sV -Pn -vv -p%s --script=ftp-anon,ftp-bounce,ftp-libopie,ftp-proftpd-backdoor,ftp-vsftpd-backdoor,ftp-vuln-cve2010-4221 -oN '%s/%s_ftp.nmap' -oX '%s/%s_ftp_nmap_scan_import.xml' %s\n" % (port, outputdir, scanip, outputdir, scanip, scanip))
	    f.write("   [=] hydra -L /usr/share/wordlists/webslayer/others/names.txt -P /usr/share/wordlists/webslayer/others/common_pass.txt -f -o %s/%s_ftphydra.txt -u %s -s %s ftp\n" % (outputdir, scanip, scanip, port))	
      elif (serv == "http"):
 	 for port in ports:
	    port = port.split("/")[0]
	    f.write("[*] Found HTTP service on %s:%s\n" % (scanip, port))
	    f.write("   [>] Use nikto & dirb / dirbuster for service enumeration, e.g\n")
	    f.write("   [=] nikto -h %s -p %s > %s/%s_nikto.txt\n" % (scanip, port, outputdir, scanip))
	    f.write("   [=] dirb http://%s:%s/ -o %s/%s_dirb.txt -r -S -x ./dirb-extensions/php.ext\n" % (scanip, port, outputdir, scanip))
	    f.write("   [=] java -jar /usr/share/dirbuster/DirBuster-1.0-RC1.jar -H -l /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -r %s/%s_dirbuster.txt -u http://%s:%s/\n" % (outputdir, scanip, scanip, port))
      elif (serv == "ssl/http") or ("https" in serv):
	 for port in ports:
	    port = port.split("/")[0]
	    f.write("[*] Found HTTP service on %s:%s\n" % (scanip, port))
	    f.write("   [>] Use nikto & dirb / dirbuster for service enumeration, e.g\n")
	    f.write("   [=] nikto -h %s -p %s > %s/%s_nikto.txt\n" % (scanip, port, outputdir, scanip))
	    f.write("   [=] dirb https://%s:%s/ -o %s/%s_dirb.txt -r -S -x ./dirb-extensions/php.ext\n" % (scanip, port, outputdir, scanip))
	    f.write("   [=] java -jar /usr/share/dirbuster/DirBuster-1.0-RC1.jar -H -l /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -r %s/%s_dirbuster.txt -u http://%s:%s/\n" % (outputdir, scanip, scanip, port))
      elif "mysql" in serv:
 	 for port in ports:
	    port = port.split("/")[0]
	    f.write("[*] Found mysql service on %s:%s\n" % (scanip, port))
	    f.write("   [>] Check out the server for web applications with sqli vulnerabilities\n")
      elif "microsoft-ds" in serv:	
 	 for port in ports:
	    port = port.split("/")[0]
	    f.write("[*] Found MS SMB service on %s:%s\n" % (scanip, port))
	    f.write("   [>] Use nmap scripts or enum4linux for further enumeration, e.g\n")
	    f.write("   [=] nmap -sV -Pn -vv -p%s --script=\"smb-* -oN '%s/%s_smb.nmap' -oX '%s/%s_smb_nmap_scan_import.xml' %s\n" % (port, outputdir, ip_address, outputdir, ip_address, ip_address))
	    f.write("   [=] enum4linux %s\n" % (scanip))
      elif "ms-sql" in serv:
 	 for port in ports:
	    port = port.split("/")[0]
	    f.write("[*] Found MS SQL service on %s:%s\n" % (scanip, port))
	    f.write("   [>] Use nmap scripts for further enumeration, e.g\n")
	    f.write("   [=] nmap -vv -sV -Pn -p %s --script=ms-sql-info,ms-sql-config,ms-sql-dump-hashes --script-args=mssql.instance-port=%s,smsql.username-sa,mssql.password-sa -oX %s/%s_mssql_nmap_scan_import.xml %s" % (port, port, outputdir, ip_address, ip_address))
      elif ("msdrdp" in serv) or ("ms-wbt-server" in serv):
 	 for port in ports:
	    port = port.split("/")[0]
	    f.write("[*] Found RDP service on %s:%s\n" % (scanip, port))
	    f.write("   [>] Use ncrackpassword cracking, e.g\n")
	    f.write("   [=] ncrack -vv --user administrator -P /root/rockyou.txt rdp://%s\n" % (scanip))
      elif "smtp" in serv:
 	 for port in ports:
	    port = port.split("/")[0]
	    f.write("[*] Found SMTP service on %s:%s\n" % (scanip, port))
	    f.write("   [>] Use smtp-user-enum to find users, e.g\n")
	    f.write("   [=] smtp-user-enum -M VRFY -U /usr/share/wfuzz/wordlist/fuzzdb/wordlists-user-passwd/names/namelist.txt -t %s -p %s\n" % (scanip, port))
      elif "snmp" in serv:
 	 for port in ports:
	    port = port.split("/")[0]
	    f.write("[*] Found SNMP service on %s:%s\n" % (scanip, port))
	    f.write("   [>] Use nmap scripts, onesixtyone or snmwalk for further enumeration, e.g\n")
	    f.write("   [=] nmap -sV -Pn -vv -p%s --script=snmp-netstat,snmp-processes -oN '%s/%s_snmp.nmap' -oX '%s/%s_snmp_nmap_scan_import.xml' %s\n" % (port, outputdir, scanip, outputdir, scanip, scanip))
	    f.write("   [=] onesixtyone %s\n" % (scanip))
	    f.write("   [=] snmpwalk -c public -v1 %s > %s/%s_snmpwalk.txt\n" % (scanip, outputdir, scanip))
      elif "ssh" in serv:
 	 for port in ports:
	    port = port.split("/")[0]
	    f.write("[*] Found SSH service on %s:%s\n" % (scanip, port))
	    f.write("   [>] Use medusa or hydra (unreliable) for password cracking, e.g\n")
	    f.write("   [=] medusa -u root -P /root/rockyou.txt -e ns -h %s - %s -M ssh\n" % (scanip, port))
	    f.write("   [=] hydra -f -V -t 1 -l root -P /root/rockyou.txt -s %s %s ssh\n" % (port, scanip))
   f.close()     
   print "[*] TCP/UDP Nmap scans completed for " + ip_address 
   return

# grab the ping sweep results and start scanning up hosts
print "\n"
print "############################################################"
print "####               NETWORK RECONNAISSANCE               ####"
print "############################################################"
print "\n"
 
if __name__=='__main__':
   f = open(TARGETS, 'r')

   if OUTDIR == '':
       OUTDIR = "./mix-recon-OUTPUT"

   try:
       os.stat(OUTDIR)
   except:
       os.mkdir(OUTDIR)

   for scanip in f:
       scanip = scanip.strip()
       print "[+] Creating directory structure for " + scanip

       hostdir = OUTDIR + "/" + scanip
       try:
           os.stat(hostdir)
       except:
           os.mkdir(hostdir)

       nmapdir = hostdir + "/nmap"
       try:
           os.stat(nmapdir)
       except:
           os.mkdir(nmapdir)

       exploitdir = hostdir + "/exploit"
       try:
           os.stat(exploitdir)
       except:
           os.mkdir(exploitdir)

       lootdir = hostdir + "/loot"
       try:
           os.stat(lootdir)
       except:
           os.mkdir(lootdir)

       prooffile = hostdir + "/proof.txt"
       open(prooffile, 'a').close()

       namefile = hostdir + "/0-name"
       open(namefile, 'a').close()

       jobs = []
       p = multiprocessing.Process(target=nmapScan, args=(scanip, nmapdir))
       jobs.append(p)
       p.start()
   f.close()

 

This set of scripts is available on GitHub.

Facebooktwitterredditpinterestlinkedinmail