pentestgeek

Active Members, 18 posts
Posts posted by pentestgeek

  1. An Internet-facing box is always ideal in this situation.  I find it most convenient to stand up a quick VPS on Linode or BudgetVM or Digital Ocean.  You can usually do this for like a dollar a day or less.

    I simply install Metasploit on an Ubuntu VPS server and then enter the public IP address as the server I want the reverse connection back to.

  2. I'm sorry to be blunt here but you are chasing ghosts.  There is nothing there.  You have two iPhones, both with the same port open "62078".  That's it.  One of your iPhones has some additional firewall or IDS system which is blocking Nmap from probing some of the ports in its default range, so therefore the result is "filtered".

    Read this for additional understanding.  https://nmap.org/book/man.html

  3. On 10/5/2016 at 9:17 AM, pentestgeek said:

    For brute forcing web applications I recommend using Burp Suite.  You would simply capture an attempt to login with any password (like the one you've already shared), then right click on the POST and send it to the Intruder tab.  Highlight the password field and then import your password list as the payload injections.

    Since this is your Router I'm assuming you already know the password and are simply trying this as an exercise.  You could log in with the correct password and use Burp to tell you what a correct response looks like.  Then you can tailor your Intruder advanced options to check specifically for the correct response.

    Hope that helps.

    Again since this is in fact your router as you say and you know the password you can find out if sessionkey is required or not.  Simply replay the POST with only the "inputUserName" and "inputPassword" parameters and see if you get a successful response.

  4. For brute forcing web applications I recommend using Burp Suite.  You would simply capture an attempt to login with any password (like the one you've already shared), then right click on the POST and send it to the Intruder tab.  Highlight the password field and then import your password list as the payload injections.

    Since this is your Router I'm assuming you already know the password and are simply trying this as an exercise.  You could log in with the correct password and use Burp to tell you what a correct response looks like.  Then you can tailor your Intruder advanced options to check specifically for the correct response.

    Hope that helps.

  5. This is an extremely common request among companies who hire a third party penetration tester.  What they are asking for is called a Letter of Attestation also sometimes referred to as a customer summary letter.

    It is usually no more than a one page document on the letter head of the company or individual performing the penetration testing.  It usually says something like.

    ----------------

    Company XYZ has contracted Organization Y to perform a penetration test of their XYZ environment in accordance with security best practices and XYZ compliance.  Our testing activities were conducted between date 1 and date 2 blah blah blah..  We adhered to the following approved testing methodology

    - hyperlink to some pentest standard and/or framework

    During the testing Organization Y concluded that company XYZ has implemented adequate security controls to protect against commonly exploited vulnerabilities including:

    * bullet list of OWASP Top 10 or something...

    ----------

    You get the idea, it's just something light and fluffy that they can show to their customers/auditors/investors or anyone else asking to "prove" that they did a pentest.

    Hope that helps.

  6. Companies host IT infrastructure in AWS all the time.  It's quite common.  When they want to do a pentest, either themselves or through a third party, they just have to notify Amazon of the dates and IP address ranges the testing traffic will originate from.  Amazon may or may not send an email asking additional questions, which can usually be satisfied with a 1 page document describing the pentest methodology.

  7. I wouldn't personally waste my time trying to get the password.

    1.  Boot the PC into a Kali thumbdrive

    2.  Mount the Windows partition

    3.  CD into the System32 directory on the Windows partition and create a backup of sethc.exe

    4.  Copy cmd.exe into sethc.exe

    5.  Reboot the PC and at the login prompt hit the shift key a bunch of times until your SYSTEM command prompt comes up

    6.  Now you can create a new user or simply change the password of an existing user.

  8. I agree, and I would never open up port 445 to the internet.  My post was simply in response to the OP's question.  "Hello,can someone tell me if possible to run PSEXEC on WAN?"

  9. If you want to get around any Antivirus you simply need to identify which part of the file contains a malicious signature and alter the signature.  In the method described here.

    https://www.pentestgeek.com/penetration-testing/using-metasm-to-avoid-antivirus-detection-ghost-writing-asm

    You disassemble a binary file into raw ASM.  Manually obfuscate each section of the code until all existing signatures have been changed, then repackage the binary.  You could call this the point and spray machine gun method.

    A more surgical method would be to take each individual chunk of ASM and create individual compiled binaries off of them.  Point the AV you wish to bypass at the smaller chunks and see which one triggers the malicious signature.  Then you can take the original binary and simply obfuscate that code section.

    Hope that helps!

  10. psexec requires only an IP address to a server that has SMB listening on port 445.  It then binds to ADMIN$ or C$ and makes a bunch of RPC calls to the "Service Control Manager" (SCM).  It does not care if you are targeting LAN or WAN.  And port forwarding works just fine provided you set it up correctly.

    If you want to know if psexec will work on IP address x.x.x.x simple open up a Windows explorer window and navigate to \\x.x.x.x\blah.  If you get prompted for credentials psexec will work.  If not, the system is not broadcasting SMB (at least as far as you are concerned).

    Additionally, you could try 'smbclient -L \\x.x.x.x -U ""' from a *nix machine to see if it's broadcasting any smb shares.

    Have a look at these slides for additional information.  http://www.slideshare.net/RoyceDavis1/owning-computers-without-shell-access-dark

  11. Let me see if I understand your question.  You want to do pentesting by carrying a small device with you when you travel, such as a BeagleBone.  You show up at your client site, remote into your home network from the device and then leverage tools on your home server to conduct your assessment.  Is that correct?
