AdSense
Sunday, October 15, 2017
File transfers post-exploitation with TFTP
FILE TRANSFERS POST-EXPLOITATION WITH TFTP
- Layout for this exercise:
1 - Introduction
- One of the most usual problems with post exploitation is the need of uploading files and tools to the target machine.
- For this purpose it is important to use non interactive methods as far as possible, because interactive programs standard outputs are not usually correctly redirected to the shell.
- Trivial File Transfer Protocol (TFTP) is a simple non interactive protocol which allows a client to get a file from or put a file onto a remote host.
- TFTP is a based on UDP and works at the port 69.
https://en.wikipedia.org/wiki/Trivial_File_Transfer_Protocol
2 - Setting up TFTP at Windows
- TFTP is installed by default in Windows XP, but needs to be manually enabled on newer versions of Windows.
- For instance, in the case of Windows 10: Start -> Control Panel -> Programs -> Programs and Features -> Turn Windows features on or off -> TFTP Client:
- Also, the TFTP service can be installed in Windows from the command line, just typing:
3 - Setting TFTP at Kali Linux
- To enable TFTP with Kali Linux it is very convenient to use the Metasploit TFTP auxiliary server.
- Starting Metasploit:
- Using the corresponding module:
c
- Setting /root/tftp folder for holding upload/downloading contents:
- Running the module:
- Let's check that the tftp service is running at port UDP 69:
4 - Transferring files from Windows to Kali Linux
- There is a textfile.txt at Windows that we want to upload to the Kali Linux system:
- put command transfers textfile.txt from Windows to Linux:
- The transfer is successful:
5 - Transferring files from Kali Linux to Windows
- Let's suppose that there is a nc.exe command that we want to transfer to Windows:
- get command transfers nc.exe from Linux to Windows:
- The transfer is successful:
Information Gathering: DNS Enumeration and Zone Transfer with Nslookup, Host, Dnsrecon, Dnsenum, Fierce , NSE and whois
DNS ENUMERATION AND ZONE TRANSFER WITH NSLOOKUP, HOST, DNSRECON, DNSENUM, FIERCE AND NSE
- Layout for this exercise:
1 - Introduction
- DNS servers are some of the best sources for gathering information about a domain or an organization.
- DNS servers contain DNS and mail information for the domain with authority over what is provided when public requests are made from the Internet.
- Due to the abundant and interesting information contained in the DNS servers DNS Enumeration is one of the most critical steps while gathering information about a target.
- DNS Zone Transfer, also sometimes known by the inducing DNS query type AXFR, is a type of DNS transaction.
- DNS Zone Transfer is one of the many mechanisms available for administrators to replicate DNS databases across a set of DNS servers.
- A zone transfer uses the Transmission Control Protocol (TCP) for transport, and takes the form of a client–server transaction.
- The client requesting a zone transfer may be a slave server or secondary server, requesting data from a master server, sometimes called a primary server.
- The portion of the database containing the list of all DNS names is the zone file.
- The data contained in a DNS zone may be sensitive from an operational security aspect.
- This is because information such as server hostnames may become public knowledge, which can be used to discover information about an organization and even provide a larger attack surface.
https://en.wikipedia.org/wiki/DNS_zone_transfer
2 - nslookup
- nslookup is a popular tool that queries name and email servers in the Internet given the domain:
- Applying the NS query option for name servers:
- Applying the MX query option for mail servers:
- Applying the ANY query option for both name and mail servers:
3 - host
- host is a Linux command that performs powerful DNS lookups given a domain name:
- Without any other parameter host provides help:
- Looking for name servers (-t type ns):
- Looking for email servers (-t type mx):
- Looking for web servers :(-t type www):
4 - DNS Zone Transfer with host
- Now, let's use host for a little more complicated task like a DNS Zone Transfer.
- First, let's try with the previously enumerated ns1 name server. The zone transfer fails:
- However, the zone transfer with ns2 is successful:
- Finally the zone transfer with ns3 also fails:
- The result of the successful DNS Zone Transfer with ns2 is a full dump of the zone file for the whole domain, providing us a list of IPs and their corresponding DNS names.
- Let's try entering into a browser some of the IPs obtained from the DNS Zone Transfer:
5 - dnsrecon
- dnsrecon is an automated tool consisting of a Python script that can be user for DNS enumeration.
https://tools.kali.org/information-gathering/dnsrecon
- Let's see that information provided by dnsrecon is the same as obtained before.
- First, dnsrecon detects the DNS servers ns1, ns2 and ns3:
- Then, dnsrecon tries a successful DNS zone transfer with ns2:
- Also, dnsrecon tries a DNS zone transfer with ns1 and ns3 with no result:
6 - dnsenum
- dnsenum is a multithreaded Perl script to enumerate DNS information of a domain.
https://tools.kali.org/information-gathering/dnsenum
- The output obtained with dnsenum is the same as before:
7 - fierce
- fierce is a Perl base script to perform DNS enumeration. Results obtained with fierce are pretty similar to previous ones:
8 - Nmap Scripting Engine (NSE)
- Nmap Scripting Engine (NSE) is an addition to Nmap which provides users with scripts to automate several tasks:
https://nmap.org/book/nse.html
- The NSE dns-zone-transfer script provides same output than before:
- A little more limited result, because it finds just a list of common subdomains, is achieved with the NSE dns-brute.nse script:
9 - whois
- whois is a query and response protocol that is widely used for querying databases that store the registered users of an Internet resource, such as a domain name, an IP address block, or an autonomous system.
- Looking for the domain megacorpone.com:
Subscribe to:
Posts (Atom)