Posts

Showing posts from April, 2017

boot2root: VulnOS

A little bit dated now, but I hadn't actually run through this one so I thought I'd document it as I did! As usual, starting with a:

netdiscover -i eth0

We discover that the machine is running on 192.168.56.103. Next we run an nmap scan:

root@kali:~# nmap -sS -T4 -A 192.168.56.103 -p 1-65535

The name "VulnOS" is certainly not a lie!

root@kali:~# nmap -sS -T4 -A 192.168.56.103 -p 1-65535
Starting Nmap 7.00 ( https://nmap.org ) at 2015-11-24 18:41 GMT
Nmap scan report for 192.168.56.103
Host is up (0.00017s latency).
Not shown: 65507 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 5.3p1 Debian 3ubuntu7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   1024 43:a6:84:8d:be:1a:ee:fb:ed:c3:23:53:14:14:8f:50 (DSA)
|_  2048 30:1d:2d:c4:9e:66:d8:bd:70:7c:48:84:fb:b9:7b:09 (RSA)
23/tcp open  telnet  Linux telnetd
25/tcp open  smtp    Postfix smtpd
|_smtp-commands: VulnOS.home, PIPELINING, SIZE 10240000, VRFY, ETRN, ...

boot2root: Tr0ll

Tr0ll: https://www.vulnhub.com/entry/tr0ll-1,100/

I guessed from the name, and from the fact that it was "inspired by OSCP", that there'd be some curveballs in this boot2root, but I didn't anticipate how many!

As usual, beginning with a netdiscover and following up with an nmap. FTP allows anonymous access - that's interesting. Will come back to that!

For now, let's browse the web app. Looks like we found the first troll... The nmap scan showed that there was an entry in the robots.txt, so let's have a look. Ah. Not much more helpful. Nothing useful in the source code for either page either.

Let's move on to the anonymous FTP. We found a file called "lol.pcap", which is a pcap-ng capture file. Let's open it up in Wireshark and see what it contains. Looks like it's a packet capture of someone using the FTP server. In the capture we can see a request for the file listing, which shows a file called secret...

Using mana toolkit and BDFProxy to backdoor executables on the fly

A week or so back, DecidedlyGray put up a post about using Kali Nethunter, Mana and BDFProxy to backdoor executables on the fly on a rogue Access Point. I'm going to recreate the same AP in Kali 2.0 in this post.

First up you need to install the mana toolkit with:

apt-get install mana-toolkit

This will install the toolkit and set up some of the basic configs. If you navigate to /usr/share/mana-toolkit/run-mana you will see the runscripts. I had a little play with the start-nat-full.sh script but had issues with SSLStrip, so resolved to use the non-SSL script start-nat-simple.sh.

First up, copy start-nat-simple.sh to a new script with:

cp start-nat-simple.sh start-nat-simple-bdfproxy.sh

In this file I didn't make many changes other than to change the physical and upstream interfaces to the ones I use on my Kali VM (eth1 for upstream and wlan0 for phy), and to add the entry required for the redirect to BDFProxy:

iptables -t nat -A PREROUTING -i $phy -p tcp --dest...