
Sunday, October 15, 2017

File transfers post-exploitation with TFTP


FILE TRANSFERS POST-EXPLOITATION WITH TFTP

- Layout for this exercise:




1 - Introduction

- One of the most common problems in post-exploitation is the need to upload files and tools to the target machine.

- For this purpose it is important to use non-interactive methods as far as possible, because the standard output of interactive programs is usually not redirected correctly to the shell.

- Trivial File Transfer Protocol (TFTP) is a simple non-interactive protocol which allows a client to get a file from, or put a file onto, a remote host.

- TFTP is based on UDP and uses port 69.

https://en.wikipedia.org/wiki/Trivial_File_Transfer_Protocol


2 - Setting up TFTP at Windows 

- TFTP is installed by default in Windows XP, but needs to be manually enabled on newer versions of Windows.

- For instance, in the case of Windows 10: Start -> Control Panel -> Programs -> Programs and Features -> Turn Windows features on or off -> TFTP Client:




- Also, the TFTP feature can be installed on Windows from the command line, just by typing:





3 - Setting up TFTP at Kali Linux

- The most convenient way to enable TFTP on Kali Linux is to use the Metasploit TFTP auxiliary server.

- Starting Metasploit:




- Using the corresponding module:




- Setting /root/tftp as the folder that holds uploaded and downloaded content:




- Running the module:





- Let's check that the tftp service is listening on UDP port 69:








4 - Transferring files from Windows to Kali Linux

- There is a file textfile.txt on Windows that we want to upload to the Kali Linux system:




- The put command transfers textfile.txt from Windows to Linux:




- The transfer is successful:




5 - Transferring files from Kali Linux to Windows 

- Let's suppose that there is an nc.exe binary that we want to transfer to Windows:




- The get command transfers nc.exe from Linux to Windows:




- The transfer is successful:
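From the defender's side, both transfers above start with a single request to UDP/69 (WRQ for put, RRQ for get) whose filename travels in clear text. The following is an added example, not code from the original post: a small RFC 1350 packet decoder plus a detection pass over constructed sample traffic that raises a high-severity alert when the requested file has an executable extension (the extension watchlist and the 192.0.2.x addresses are assumptions).

```python
import struct

# TFTP opcodes (RFC 1350). RRQ = client fetches a file ("get"), WRQ = client pushes one ("put").
OPCODES = {1: "RRQ", 2: "WRQ", 3: "DATA", 4: "ACK", 5: "ERROR"}
# Hypothetical watchlist of extensions that deserve a high-severity alert.
SUSPICIOUS_EXT = (".exe", ".dll", ".ps1", ".bat", ".vbs")

def parse_tftp(payload: bytes) -> dict:
    """Decode one TFTP packet (a raw UDP payload) into a dict of its fields."""
    if len(payload) < 4:
        raise ValueError("packet too short")
    (opcode,) = struct.unpack("!H", payload[:2])
    kind = OPCODES.get(opcode)
    if kind in ("RRQ", "WRQ"):
        # Request body: filename NUL mode NUL (mode is octet, netascii or mail).
        fields = payload[2:].split(b"\x00")
        if len(fields) < 2 or not fields[0] or not fields[1]:
            raise ValueError("malformed request")
        return {"op": kind, "filename": fields[0].decode("ascii", "replace"),
                "mode": fields[1].decode("ascii", "replace").lower()}
    (arg,) = struct.unpack("!H", payload[2:4])  # block number for DATA/ACK
    if kind in ("DATA", "ACK"):
        return {"op": kind, "block": arg}
    raise ValueError(f"unsupported opcode {opcode}")

def flag_transfers(packets) -> list:
    """packets: (src_ip, dst_ip, dst_port, udp_payload) tuples; returns one alert per request on UDP/69."""
    alerts = []
    for src, dst, dport, payload in packets:
        if dport != 69:
            continue  # only the initial request targets port 69; data flows on ephemeral ports
        try:
            pkt = parse_tftp(payload)
        except ValueError:
            continue
        if pkt["op"] not in ("RRQ", "WRQ"):
            continue
        name = pkt["filename"]
        alerts.append({
            "severity": "high" if name.lower().endswith(SUSPICIOUS_EXT) else "info",
            "client": src, "server": dst, "op": pkt["op"], "filename": name})
    return alerts

# Constructed sample traffic: a "put" of textfile.txt, a "get" of nc.exe, then a DATA block.
SAMPLE_PACKETS = [
    ("192.0.2.10", "192.0.2.20", 69, b"\x00\x02textfile.txt\x00octet\x00"),
    ("192.0.2.10", "192.0.2.20", 69, b"\x00\x01nc.exe\x00octet\x00"),
    ("192.0.2.20", "192.0.2.10", 49152, b"\x00\x03\x00\x01hello"),
]
```

Feeding real UDP/69 payloads from a capture into flag_transfers() gives the filename, direction and peer of every TFTP request, which is usually all that is needed to spot tool staging on a host that should never speak TFTP.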


Information Gathering: DNS Enumeration and Zone Transfer with Nslookup, Host, Dnsrecon, Dnsenum, Fierce, NSE and whois


DNS ENUMERATION AND ZONE TRANSFER WITH NSLOOKUP, HOST, DNSRECON, DNSENUM, FIERCE AND NSE

- Layout for this exercise:




1 - Introduction

- DNS servers are some of the best sources for gathering information about a domain or an organization.

- DNS servers hold the name and mail records for a domain and are authoritative for what is returned when public requests are made from the Internet.

- Because of the abundant and interesting information held by DNS servers, DNS enumeration is one of the most critical steps while gathering information about a target.

- DNS Zone Transfer, also known by the DNS query type that triggers it, AXFR, is a type of DNS transaction.

- DNS Zone Transfer is one of the many mechanisms available to administrators for replicating DNS databases across a set of DNS servers.

- A zone transfer uses the Transmission Control Protocol (TCP) for transport, and takes the form of a client-server transaction.

- The client requesting a zone transfer may be a slave server or secondary server, requesting data from a master server, sometimes called a primary server. 

- The portion of the database containing the list of all DNS names is the zone file.


- The data contained in a DNS zone may be sensitive from an operational security aspect. 

- This is because information such as server hostnames may become public knowledge, which can be used to discover information about an organization and even provide a larger attack surface.


https://en.wikipedia.org/wiki/DNS_zone_transfer


2 - nslookup

- nslookup is a popular tool that queries name and mail servers on the Internet for a given domain:







- Applying the NS query option for name servers:




- Applying the MX query option for mail servers:




- Applying the ANY query option for both name and mail servers:




3 - host 

- host is a Linux command that performs powerful DNS lookups given a domain name:







- Without any other parameters, host prints its help:




- Looking for name servers (-t type ns):




- Looking for email servers (-t type mx):




- Looking for web servers (-t type www):





4 - DNS Zone Transfer with host

- Now, let's use host for a slightly more complicated task: a DNS Zone Transfer.

- First, let's try with the previously enumerated ns1 name server. The zone transfer fails:




- However, the zone transfer with ns2 is successful:




- Finally the zone transfer with ns3 also fails:




- The result of the successful DNS Zone Transfer with ns2 is a full dump of the zone file for the whole domain, providing us with a list of IPs and their corresponding DNS names.

- Let's try entering some of the IPs obtained from the DNS Zone Transfer into a browser:
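The same check the host command performs above, written against the DNS wire format so that a zone owner can verify from an outside address that every name server of the zone refuses AXFR. This is an added example, not code from the original post; it uses only the Python standard library, the REFUSED reply at the bottom is constructed, and megacorpone.com is the page's own example domain.

```python
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED", 9: "NOTAUTH"}

def encode_name(zone: str) -> bytes:
    """Encode a domain name in DNS wire format: length-prefixed labels, NUL terminated."""
    labels = zone.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_axfr_query(zone: str, txid: int = 0x1234) -> bytes:
    """DNS message asking for an AXFR (QTYPE 252, class IN) of the zone."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)  # flags 0: plain query, 1 question
    return header + encode_name(zone) + struct.pack("!HH", 252, 1)

def classify_axfr_response(msg: bytes) -> str:
    """Classify the first DNS message a server returns to an AXFR request."""
    if len(msg) < 12:
        return "MALFORMED"
    _txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x000F
    if rcode != 0:
        return RCODES.get(rcode, f"RCODE{rcode}")
    # NOERROR with records in the answer section means the server started sending
    # the zone (its first record is the SOA); an empty answer means it did not.
    return "TRANSFER_ALLOWED" if ancount > 0 else "EMPTY"

def check_zone_transfer(ns_ip: str, zone: str, timeout: float = 5.0) -> str:
    """Ask one name server for an AXFR over TCP (2-byte length prefix, RFC 1035)
    and classify its first reply. Network call: not exercised offline."""
    query = build_axfr_query(zone)
    with socket.create_connection((ns_ip, 53), timeout=timeout) as sock:
        sock.sendall(struct.pack("!H", len(query)) + query)
        prefix = sock.recv(2)
        if len(prefix) < 2:
            return "NO_RESPONSE"
        (length,) = struct.unpack("!H", prefix)
        msg = b""
        while len(msg) < length:
            chunk = sock.recv(length - len(msg))
            if not chunk:
                break
            msg += chunk
    return classify_axfr_response(msg)

# Constructed reply from a locked-down server: QR=1, RCODE=5 (REFUSED), question echoed, no answers.
REFUSED_REPLY = (struct.pack("!HHHHHH", 0x1234, 0x8005, 1, 0, 0, 0)
                 + encode_name("megacorpone.com") + struct.pack("!HH", 252, 1))
```

Run check_zone_transfer() against each NS of your own zone from an address that is not a configured secondary; any result other than REFUSED (or NOTAUTH) on a server means transfers are not restricted there, which on BIND is corrected with the zone's allow-transfer setting.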


5 - dnsrecon

- dnsrecon is an automated tool, consisting of a Python script, that can be used for DNS enumeration.

https://tools.kali.org/information-gathering/dnsrecon






- Let's check that the information provided by dnsrecon matches what was obtained before.

- First, dnsrecon detects the DNS servers ns1, ns2 and ns3:




- Then, dnsrecon performs a successful DNS zone transfer with ns2:




- Also, dnsrecon tries a DNS zone transfer with ns1 and ns3, without success:


6 - dnsenum

- dnsenum is a multithreaded Perl script to enumerate DNS information of a domain.

https://tools.kali.org/information-gathering/dnsenum

- The output obtained with dnsenum is the same as before:









7 - fierce

- fierce is a Perl-based script to perform DNS enumeration. Results obtained with fierce are pretty similar to the previous ones:






8 - Nmap Scripting Engine (NSE)

- Nmap Scripting Engine (NSE) is an addition to Nmap which provides users with scripts to automate several tasks:

https://nmap.org/book/nse.html

- The NSE dns-zone-transfer script provides the same output as before:




- A more limited result, since it only checks a list of common subdomains, is obtained with the NSE dns-brute.nse script:




9 - whois 

- whois is a query and response protocol that is widely used for querying databases that store the registered users of an Internet resource, such as a domain name, an IP address block, or an autonomous system.

- Looking for the domain megacorpone.com: