Posts

Showing posts from December, 2021

Scanning Lab

In this lab, I needed to scan the 10.50.96.0/23 netblock to find all the live hosts and then enumerate which operating systems and services were running on them. The above picture shows that there were two subnets. I started by using nmap to scan the netblock using ICMP ping and timestamp packets. I then scanned again using nmap's half-open SYN scan. Next, I scanned the most common UDP ports. Next, I scanned the netblock again using port 53 as the source as well as the destination port. This is because sometimes machines are set up to only allow data coming from specific ports. This means that sometimes DNS requests will only be accepted from port 53. Using this method, I discovered one more host at 10.50.97.25. My next job was to compile a concise list of live hosts based on the previous scans. I noticed as I was doing this that the hosts on the 10.50.96.0/24 subnet did not respond to the TCP packets, though they had responded to the ICMP traffic. I then broke the next part of the e...

Information Gathering Lab

For this lab, my tasks were: find live hosts on the netblock 10.50.96.0/23 using ICMP packets and then other means (TCP half-open SYN scans, for example); find DNS servers; locate name servers and mail exchange servers; find other hosts on the netblock and create a map of the network. I started by checking the network information using a Python program I have written to help with such tasks. This was useful as it allowed me to see the entire scope of the engagement more easily. It became clear that there would be two networks involved: 10.50.96.0/24 and 10.50.97.0/24. I used an ip command to check this out further. My next job was to get started identifying live hosts. I began by using ICMP packets (ping and timestamp requests combined into -PEP). I used the -sn flag because I did not want nmap to do any kind of port scanning. This was quick and returned some results, but since ICMP traffic is often dropped by firewalls, I went on to try half-open SYN scans. I used the -F flag beca...

Hijacking Dynamic Link Libraries

Another way to elevate privileges on Windows is to find and exploit dynamic link libraries. These are loaded by applications when they start. In order to find the .dll, Windows will follow a search order. If the .dll file cannot be found at a path, Windows will try the next path. If we can find a path to a .dll which does not contain the .dll and we have write access to the directory it is supposed to be in, we can place malicious code there in its place. This malicious code will then be executed when the application starts and Windows searches for the .dll. This will give us a system shell if the service starts as local system. In this lab, I started with local admin credentials to a Windows 7 machine. I could remote desktop into the box. The two tools I needed to find suitable .dll binaries were already installed on the victim machine. These are tools provided by Sysinternals: Process Explorer and Process Monitor. I first of all started Process Explorer as an administrator and t...