First, let me state that I did not create this tool.  Honestly, I don't even know how I stumbled across it because I wasn't even looking for anything of the sort.  I just happened to come across it and it seemed interesting, so I decided to fire it up.  It's basically a multi-site brute force tool that covers WordPress, Joomla, Drupal, OpenCart, and Magento.  If the goal is just to brute force the site, this is much easier than Hydra or platform-specific tools like WPScan.  Before running the tool, you need to create a text file containing the URLs, and then you can fire it up as follows:


The other day, someone asked me why I run my Nmap scans with the flags that I typically use.  I think maybe they were asking why I use -sT instead of -sS.  I don't think -sS is any faster, and if I choose to use Nmap, I don't care about the noise.  When I DO care, I'm not using Nmap.

If you drop onto a Windows machine, right off the bat, what do I want to know?  The OS version, the Fully Qualified Domain Name, and the IP subnet (/24, /23, /##?).  From there, where is DNS being served?  That's likely to be an important server -- possibly a Domain Controller.  I'd also want to know the location of the mail and web servers.  And finally, I'd want to know the names of all of the devices on the network, because the names are sometimes telling.


I'm teaching a class this weekend, but my time is limited, so instead of building something from scratch, I thought I would grab a couple of the more recent VulnHub boxes to see if there's anything I can use instead.  This box is perfect because I've wanted to give a brief primer on Burp, and Burp makes the pwning easier, as you'll soon discover.

Without giving away too much, we kick off with Nmap:


I'm working on a talk for a conference, and one aspect of my talk involves being anonymous.  I'd considered several ideas for that initial step but ended up with a Raspberry Pi Tor proxy to sit in front of my burner laptop.  That's just the beginning, of course, because there will be multiple layers, but that's the direction of the talk and not the topic of this post.  This post is about that initial platform of anonymity.

When I looked around at examples of Pi proxies, I saw some older posts that were no longer valid and some newer posts that didn't exactly cover what I was trying to do.  Or perhaps my Googling wasn't good enough.  Regardless, I pieced some parts together and got what I wanted.  To make this post complete, I'm starting from near the very beginning.  Pet projects aside, I'm not a frequent user of the Raspberry Pi, so this will be as much a tutorial for me as for those who stumble upon this post.


First, let me state that this is not my creation -- if that's not obvious from the author's signature in the menu.  I just happened to stumble across it, I watched the YouTube video, and I wanted to see if there was more to it.  The author, zhacker13, has an excellent start, and I hope they continue to build this out further.  I didn't bother to check whether it could bypass A/V or anything like that because, in its current state, it has very limited use.  It can, however, get shells, take screenshots, and upload files.  I didn't bother taking a screenshot because that's covered in the video.  I did upload a file, and that worked flawlessly.


If you blink, there will be another privilege escalation script, and as far as I can tell, they seem to be the work of people honing their skills with a particular language or platform.  As such, they tend to stop being updated not long after they are produced.  On the Linux side, there is (or was) a popular script in Kali, unix-privesc-check from Pentest Monkey.  When you're working with old machines, this is a good one, and one that I've used for many reasons.  First, it works a lot of the time.  Second, when it's finished, it lists kernel exploits.  This is all great until you move onto modern systems; then the script produces a whole lot of output without the glaring "use this to get root" at the end, and you're destined to hunt through the miles of information it provides.



© 2020 sevenlayers.com